OpenVPN connect 3.4.0.3121 error Peer certificate verification failure

Official client software for OpenVPN Access Server and OpenVPN Cloud.
zaxatron
OpenVpn Newbie
Posts: 1
Joined: Tue Aug 01, 2023 1:49 am

OpenVPN connect 3.4.0.3121 error Peer certificate verification failure

Post by zaxatron » Tue Aug 01, 2023 1:55 am

Hi,

I am using a QNAP NAS to run the OpenVPN server that comes with the QNAP QVPN app.

Therefore I downloaded the configuration from the QVPN server for OPENVPN server, imported it into the client but when I try to connect I get:

Peer certificate verification failure

It used to work with the community OpenVPN client version 2.65.

What has changed?

Here is my config file from the QNAP OPENVPN server which is generated by the system:

## How to setup OpenVPN client?
## 1. Install OpenVPN software on your platform.
## 2. Double click NAS1.ovpn file to create new connection profile.
## 3. Type username and password while connection.

client
dev tun
script-security 3
remote XXX.XXX.XXX.XXX 1194 (The xxx.xxx.xxx.xxx represents my WANIP)
resolv-retry infinite
nobind
auth-nocache
auth-user-pass
remote-cert-tls server
reneg-sec 0
cipher AES-256-CBC
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA
comp-lzo
proto udp
explicit-exit-notify 1
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

Can someone explain how to get this working properly? I spent the last 3 days trying to figure it out. I am exhausted.

Thank you.

Best regards

trifu7
OpenVpn Newbie
Posts: 2
Joined: Fri Aug 04, 2023 3:29 pm

Re: OpenVPN connect 3.4.0.3121 error Peer certificate verification failure

Post by trifu7 » Fri Aug 04, 2023 3:32 pm

I have the same issue. Not working on Windows, but it works on Android.

What happened? What changed? How can we make it work?

zSaltar
OpenVpn Newbie
Posts: 3
Joined: Mon Aug 07, 2023 3:44 pm

Re: OpenVPN connect 3.4.0.3121 error Peer certificate verification failure

Post by zSaltar » Mon Aug 07, 2023 4:26 pm

Hey guys,
I also have the same problem... It hasn't worked for a few weeks.

I added this line to the config file: tls-cipher "DEFAULT:@SECLEVEL=0", just below the tls-cipher line, and it works with "OpenVPN GUI", but not with "OpenVPN Connect"...
I have this error with OpenVPN Connect:

Code:

[Aug 7, 2023, 18:21:37] OpenVPN core 3.8connect1 win x86_64 64-bit OVPN-DCO built on Jun 26 2023 16:08:41
[Aug 7, 2023, 18:21:37] Frame=512/2112/512 mssfix-ctrl=1250
[Aug 7, 2023, 18:21:37] NOTE: This configuration contains options that were not used:
[Aug 7, 2023, 18:21:37] Unsupported option (ignored)
[Aug 7, 2023, 18:21:37] 4 [resolv-retry] [infinite]
[Aug 7, 2023, 18:21:37] 6 [auth-nocache]
[Aug 7, 2023, 18:21:37] 14 [explicit-exit-notify] [1]
[Aug 7, 2023, 18:21:37] EVENT: RESOLVE
[Aug 7, 2023, 18:21:37] Contacting XX.XX.XX.XXX:1194 via UDP
[Aug 7, 2023, 18:21:37] EVENT: WAIT
[Aug 7, 2023, 18:21:37] WinCommandAgent: transmitting bypass route to XX.XX.XX.XXX
{
	"host" : "XX.XX.XX.XXX",
	"ipv6" : false
}

[Aug 7, 2023, 18:21:37] Connecting to [XX.XX.XX.XXX]:1194 (XX.XX.XX.XXX) via UDP
[Aug 7, 2023, 18:21:37] EVENT: CONNECTING
[Aug 7, 2023, 18:21:37] Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client
[Aug 7, 2023, 18:21:37] Creds: Username/Password
[Aug 7, 2023, 18:21:37] Peer Info:
IV_VER=3.8connect1
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=990
IV_MTU=1600
IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_LZO=1
IV_GUI_VER=OCWindows_3.4.0-3121
IV_SSO=webauth,openurl,crtext

[Aug 7, 2023, 18:21:37] Transport Error: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2640 status=-1: error:0A000086:SSL routines::certificate verify failed
[Aug 7, 2023, 18:21:37] EVENT: CERT_VERIFY_FAIL OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2640 status=-1: error:0A000086:SSL routines::certificate verify failed
[Aug 7, 2023, 18:21:37] EVENT: DISCONNECTED

But I have some customers who have only MacOS, and "OpenVPN GUI" doesn't exist on it...

Here is the file that works on "GUI" but not on "Connect":

Code:

## How to setup OpenVPN client?
## 1. Install OpenVPN software on your platform.
## 2. Double click NAS-CNACIM.ovpn file to create new connection profile.
## 3. Type username and password while connection.

client
dev tun
script-security 3
remote XXX.XXX.XXX.XXX 1194
resolv-retry infinite
nobind
auth-nocache
auth-user-pass
remote-cert-tls server
reneg-sec 0
cipher AES-128-CBC
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA
tls-cipher "DEFAULT:@SECLEVEL=0"
comp-lzo
proto udp
explicit-exit-notify 1
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
If someone can help me, very urgent... I need a solution to use this VPN with MacOS

never-stop-learning
OpenVPN User
Posts: 40
Joined: Sat Oct 02, 2021 3:57 pm

Re: OpenVPN connect 3.4.0.3121 error Peer certificate verification failure

Post by never-stop-learning » Fri Aug 11, 2023 3:21 pm

Hey man, do you have the entire log of your Openvpn GUI that is working and Openvpn Connect which is not working to compare?

zSaltar
OpenVpn Newbie
Posts: 3
Joined: Mon Aug 07, 2023 3:44 pm

Re: OpenVPN connect 3.4.0.3121 error Peer certificate verification failure

Post by zSaltar » Fri Aug 11, 2023 3:34 pm

Here is the log with GUI :

Code:

2023-08-11 17:26:37 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2023-08-11 17:26:37 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). OpenVPN ignores --cipher for cipher negotiations. 
2023-08-11 17:26:37 OpenVPN 2.6.5 [git:v2.6.5/cbc9e0ce412e7b42] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 13 2023
2023-08-11 17:26:37 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-08-11 17:26:37 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
2023-08-11 17:26:37 DCO version: v0
2023-08-11 17:26:39 TCP/UDP: Preserving recently used remote address: [AF_INET]XX.XXX.XXX.XXX:1194
2023-08-11 17:26:39 UDPv4 link local: (not bound)
2023-08-11 17:26:39 UDPv4 link remote: [AF_INET]XX.XXX.XXX.XXX:1194
2023-08-11 17:26:40 [TS Series NAS] Peer Connection Initiated with [AF_INET]XX.XXX.XXX.XXX:1194
2023-08-11 17:26:41 open_tun
2023-08-11 17:26:41 tap-windows6 device [OpenVPN TAP-Windows6] opened
2023-08-11 17:26:41 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {63D910D5-C9E6-4B29-9138-3BCD6BDA2BE2} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
2023-08-11 17:26:41 Successful ARP Flush on interface [10] {63D910D5-C9E6-4B29-9138-3BCD6BDA2BE2}
2023-08-11 17:26:41 IPv4 MTU set to 1500 on interface 10 using service
2023-08-11 17:26:46 Initialization Sequence Completed
And with OpenVPN Connect (and exactly the same .ovpn config file) :

Code:

[Aug 11, 2023, 17:31:11] OpenVPN core 3.8connect1 win x86_64 64-bit OVPN-DCO built on Jun 26 2023 16:08:41
[Aug 11, 2023, 17:31:11] Frame=512/2112/512 mssfix-ctrl=1250
[Aug 11, 2023, 17:31:11] NOTE: This configuration contains options that were not used:
[Aug 11, 2023, 17:31:11] Unsupported option (ignored)
[Aug 11, 2023, 17:31:11] 4 [resolv-retry] [infinite]
[Aug 11, 2023, 17:31:11] 6 [auth-nocache]
[Aug 11, 2023, 17:31:11] 15 [explicit-exit-notify] [1]
[Aug 11, 2023, 17:31:11] Unused options, probably specified multiple times in the configuration file
[Aug 11, 2023, 17:31:11] 11 [tls-cipher] [TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-2...]
[Aug 11, 2023, 17:31:11] EVENT: RESOLVE
[Aug 11, 2023, 17:31:11] Contacting XX.XXX.XXX.XXX:1194 via UDP
[Aug 11, 2023, 17:31:11] EVENT: WAIT
[Aug 11, 2023, 17:31:11] WinCommandAgent: transmitting bypass route to XX.XXX.XXX.XXX
{
	"host" : "XX.XXX.XXX.XXX",
	"ipv6" : false
}

[Aug 11, 2023, 17:31:11] Connecting to [XX.XXX.XXX.XXX]:1194 (XX.XXX.XXX.XXX) via UDP
[Aug 11, 2023, 17:31:11] EVENT: CONNECTING
[Aug 11, 2023, 17:31:11] Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client
[Aug 11, 2023, 17:31:11] Creds: Username/Password
[Aug 11, 2023, 17:31:11] Peer Info:
IV_VER=3.8connect1
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=990
IV_MTU=1600
IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_LZO=1
IV_GUI_VER=OCWindows_3.4.0-3121
IV_SSO=webauth,openurl,crtext

[Aug 11, 2023, 17:31:11] Transport Error: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2640 status=-1: error:0A000086:SSL routines::certificate verify failed
[Aug 11, 2023, 17:31:11] EVENT: CERT_VERIFY_FAIL OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2640 status=-1: error:0A000086:SSL routines::certificate verify failed
[Aug 11, 2023, 17:31:11] EVENT: DISCONNECTED

Obviously, I replaced the public address with XX.XXX.XXX.XXX

Thanks for help dude

zSaltar
OpenVpn Newbie
Posts: 3
Joined: Mon Aug 07, 2023 3:44 pm

Re: OpenVPN connect 3.4.0.3121 error Peer certificate verification failure

Post by zSaltar » Wed Aug 23, 2023 8:39 am

never-stop-learning wrote:
Fri Aug 11, 2023 3:21 pm
Hey man, do you have the entire log of your Openvpn GUI that is working and Openvpn Connect which is not working to compare?
Hi, update here...

Cynyster
OpenVpn Newbie
Posts: 1
Joined: Fri Aug 25, 2023 10:53 am

Re: OpenVPN connect 3.4.0.3121 error Peer certificate verification failure

Post by Cynyster » Fri Aug 25, 2023 11:00 am

I ran into the same issue with my Synology.
The new version requires an updated command in your config
(unfortunately it does not seem to be honoring the change)

I reverted back to OpenVPNConnect version 3.3.7 (2979)

The line that I needed was --client-cert-not-required
and the replacement line should have been --verify-client-cert none

not sure what the actual issue might be... :(

never-stop-learning
OpenVPN User
Posts: 40
Joined: Sat Oct 02, 2021 3:57 pm

Re: OpenVPN connect 3.4.0.3121 error Peer certificate verification failure

Post by never-stop-learning » Tue Sep 26, 2023 3:26 am

@zSaltar, the line provided by @Cynyster will help you. Otherwise, you can revert back to the older version of the OpenVPN Connect client.

In case you are currently using the latest version of the OpenVPN Connect client, you may TRY to change the setting under Security Level to "Insecure" or "Legacy" and then test.

trifu7
OpenVpn Newbie
Posts: 2
Joined: Fri Aug 04, 2023 3:29 pm

Re: OpenVPN connect 3.4.0.3121 error Peer certificate verification failure

Post by trifu7 » Fri Sep 29, 2023 3:35 pm

Hi guys,

The workaround that worked for me was to install an older version: OpenVPN connect version 3.3.7.

The support of QNAP works to find a solution for the latest version, but no luck yet. At least it was reproduced on their side too.

Yours,
trifu

ToniBeMac
OpenVpn Newbie
Posts: 3
Joined: Sun Oct 01, 2023 11:25 am

Re: OpenVPN connect 3.4.0.3121 error Peer certificate verification failure

Post by ToniBeMac » Sun Oct 01, 2023 11:34 am

Hi guys,
Same problem using MacOS Sonoma or Ventura.
Client is OpenVPN 3.4.4. for Silicon and for Intel (not working)
"error Peer certificate verification failure"

After many tests and reading your comments, it is clear that the bug is from the new client.
Unfortunately, I can't wait for this to be resolved, so I'm staying in the thread for information on changes.
If I can make progress on this I will be happy to inform you.

Thank you

ToniBeMac
OpenVpn Newbie
Posts: 3
Joined: Sun Oct 01, 2023 11:25 am

Re: OpenVPN connect 3.4.0.3121 error Peer certificate verification failure

Post by ToniBeMac » Mon Oct 09, 2023 2:05 pm

Hi guys,
This works for me!!
Add <ca> <cert> <key>
https://www.qnap.com/en/how-to/faq/arti ... penvpn-app

ToniBeMac
OpenVpn Newbie
Posts: 3
Joined: Sun Oct 01, 2023 11:25 am

Re: OpenVPN connect 3.4.0.3121 error Peer certificate verification failure

Post by ToniBeMac » Mon Oct 09, 2023 2:30 pm

Sorry, it does not work :D :o
ToniBeMac wrote:
Mon Oct 09, 2023 2:05 pm
Hi Guys
This Work for me !!
Add <ca> <cert> <key>
https://www.qnap.com/en/how-to/faq/arti ... penvpn-app

doctmn
OpenVpn Newbie
Posts: 1
Joined: Wed Oct 25, 2023 2:03 pm

Re: OpenVPN connect 3.4.0.3121 error Peer certificate verification failure

Post by doctmn » Wed Oct 25, 2023 2:07 pm

SOLVED!
Same problem in all iOS devices (iPhone/iPad).
This workaround works, although it's not exactly elegant :|

Go to OpenVPN client settings (settings, down to advanced) and change security level to "insecure". OpenVPN client from v. 2.6 doesn't accept encryption used by QNAP.

That's all folks ;)

cybergull
OpenVpn Newbie
Posts: 1
Joined: Thu Nov 09, 2023 9:59 am

Re: OpenVPN connect 3.4.0.3121 error Peer certificate verification failure

Post by cybergull » Thu Nov 09, 2023 10:02 am

QNAP OpenVPN server works on a SHA1 digest, insecure.
OpenVPN clients (all OS) expect a secure digest, on SHA256.
Therefore, clients are refusing the connection.

Unless you set your client to "accept insecure / legacy connection", it won't work.

Does anyone know how to set QNAP OpenVPN Server to use SHA256 instead ?
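
The check this post describes, as an added example that is not part of the original thread: it reads the signature algorithm of the certificate inside a profile's `<ca>` block and also flags the `@SECLEVEL=0` override seen in the profile posted earlier. The sample profile and its DER skeleton are constructed for illustration, and all function names are this example's own.

```python
import base64
import re

SIG_ALGS = {  # signatureAlgorithm OID content bytes -> (name, weak digest?)
    bytes.fromhex("2a864886f70d010104"): ("md5WithRSAEncryption", True),
    bytes.fromhex("2a864886f70d010105"): ("sha1WithRSAEncryption", True),
    bytes.fromhex("2a864886f70d01010b"): ("sha256WithRSAEncryption", False),
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }"""
    _, start, _ = read_tlv(der, 0)             # outer SEQUENCE
    _, _, tbs_end = read_tlv(der, start)       # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)   # AlgorithmIdentifier SEQUENCE
    _, oid_start, oid_end = read_tlv(der, alg_start)
    return SIG_ALGS.get(der[oid_start:oid_end], ("unknown OID", False))

def audit_profile(text):
    """Findings for an .ovpn profile: weak CA digest, lowered TLS security level."""
    findings = []
    for ca in re.findall(r"<ca>(.*?)</ca>", text, re.S):
        for pem in re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", ca, re.S):
            name, weak = signature_algorithm(base64.b64decode("".join(pem.split())))
            findings.append(f"ca signed with {name}" + (" (weak digest)" if weak else ""))
    if re.search(r"^\s*tls-cipher\b.*@SECLEVEL=0", text, re.M):
        findings.append("tls-cipher lowers OpenSSL security level to 0")
    return findings

def skeleton_cert(oid):
    """Constructed DER skeleton (empty tbsCertificate, dummy signature), not a real certificate."""
    alg = b"\x30" + bytes([len(oid) + 4]) + b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x02\x00\x00"
    return b"\x30" + bytes([len(body)]) + body

_PEM = base64.b64encode(skeleton_cert(bytes.fromhex("2a864886f70d010105"))).decode()
SAMPLE = ('client\ntls-cipher "DEFAULT:@SECLEVEL=0"\n<ca>\n-----BEGIN CERTIFICATE-----\n'
          + _PEM + "\n-----END CERTIFICATE-----\n</ca>\n")  # constructed profile

if __name__ == "__main__":
    print("\n".join(audit_profile(SAMPLE)))
```

To check a real profile, pass the file's text to `audit_profile`; real certificates use the long-form DER lengths that `read_tlv` handles.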

wkagerer
OpenVpn Newbie
Posts: 1
Joined: Mon Nov 20, 2023 7:37 pm

Re: OpenVPN connect 3.4.0.3121 error Peer certificate verification failure

Post by wkagerer » Mon Nov 20, 2023 7:40 pm

My configuration on encryption in the QNAP NAS is set to AES256.
Is it not correct or does QNAP have to implement another encryption?
Is QNAP working on it? Does anybody know?

Regards
