OpenVPN export configuration - files?

Currently reading
OpenVPN export configuration - files?

6
0
NAS
DS218
Router
  1. RT2600ac
Operating system
  1. macOS
  2. Windows
Mobile operating system
  1. iOS
What is the purpose of each of the files I get when exporting the OpenVPN configuration from a RT2600ac router?
  1. Ca.crt
  2. Ca.key
  3. Server-ca.crt
  4. Server.crt
  5. Server.key
Which file(s) do I use to import the certificate on a NAS running local web sites? I will only use a VPN to remotely connect to the local network. Please advise. Thanks!
 

Shadow

Subscriber
554
179
NAS
DS216+II, DS118, DS718+
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. Android
Well actually u'd want to include the entire cert chain. Does any if these files include the entire chain if u check the contents? My full chain files have which looks like 3 certificates.
 
Upvote 0
6
0
NAS
DS218
Router
  1. RT2600ac
Operating system
  1. macOS
  2. Windows
Mobile operating system
  1. iOS
Last edited:
Hello Shadow - The content of the .key files read "RSA private key" and the .crt read "Certificate". Which ones are you referring to with "the entire cert chain"? I may be asking the obvious but I am a newbie here...

More context. My router has a certificate from Let's encrypt, I am using synology DDNS. To avoid the certificate mismatch browser error, should I get the Let's encrypt certificate on the NAS or a self-signed certificate? And which one (from the 5 I get exporting the configuration) is which?
Note I will only be connecting remotely (once in a blue moon) via VPN, otherwise the local web site will be accessed via LAN only.

thanks
 
Upvote 0

Shadow

Subscriber
554
179
NAS
DS216+II, DS118, DS718+
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. Android
Sorry I was a bit confused because this doesn't make much sense to be initially:

  1. Ca.crt
  2. Ca.key
  3. Server-ca.crt
  4. Server.crt
  5. Server.key

I did an export on my own RT2600AC and I also got the files presented like this... This messy...

I also cannot find 1 .crt file that holds the content of al the other .crt files...
And then there are 2 seperate .key files......

I don't know what to do with this...

What did you use to import the certificate into your RT2600AC ...?
 
Upvote 0

fredbert

Moderator
NAS Support
Subscriber
1,700
692
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
If you are using OpenVPN client application on PC/Android/iOS (Tunnelblick on Mac) to connect back to your SRM router or DSM NAS then what you need is the .ovpn configuration file that can be exported from VPN Plus or VPN Server OpenVPN page.

The .ovpn configuration file will contain the necessary certificate. The export will be a ZIP archive containing a readme.txt, certificate, and the .ovpn. You should edit the .ovpn with the Internet IP or domain name of you Internet connection.

To set up an OpenVPN client on Windows:

1. Install OpenVPN client on Windows
*An OpenVPN client on Windows is called OpenVPN GUI.
*Download it from Community Downloads | OpenVPN and install the client.
*The default installation directory is C:\ProgramFiles\OpenVPN.

2. Run OpenVPN GUI as administrator.

3. Edit VPNConfig.ovpn and replace YOUR_SERVER_IP with public IP of your DiskStation.
*If your DiskStation is behind a router, replace YOUR_SERVER_IP with the router's IP.
*Remove # before "redirect-gateway def1" to route all client traffic (including web-traffic) through this VPN Server.

4. Put VPNConfig.ovpn into the config subdirectory under OpenVPN directory
(ie. C:\Program Files\OpenVPN\config\).

==============================================================================

To set up an OpenVPN client on Mac:

1. Install OpenVPN client on MAC
*An OpenVPN client on Mac OS X is called Tunnelblick.
*Download it from Google Code Archive - Long-term storage for Google Code Project Hosting. and install the client.

2. Launch Tunnelblick.

3. Click Create and open configuration folder button; a Finder window will appear with the configuration folder.

4. Edit VPNConfig.ovpn and replace YOUR_SERVER_IP with public IP of your DiskStation.
*If your DiskStation is behind a router, replace YOUR_SERVER_IP with the router's IP.
*Remove # before "redirect-gateway def1" to route all client traffic (including web-traffic) through this VPN Server.

5. Put the files of VPNConfig.ovpn into the configuration folder.

==============================================================================

To set up an OpenVPN client on Linux:

Please refer to the official documentation provided by
OpenVPN Community Resources | OpenVPN for more information.
 
Upvote 0
6
0
NAS
DS218
Router
  1. RT2600ac
Operating system
  1. macOS
  2. Windows
Mobile operating system
  1. iOS
Thank you both for replying. I am indeed using Tunnelblick on a Mac after editing the .ovpn file to look for DDNS. This is working good, as you described.
My issue is that --I think-- I need to import a certificate from the router so that the NAS knows that my local web site is trusted. This is why:
1. Firefox/Safari tell me "you are not securely connected tot his site".
2. NAS/Control Panel/Security/Certificate shows a default certificate from synology.com applied to my local web site(s).
3. If on the same screen I try to add a certificate,
- should I add a new certificate or replace the existing certificate?
- What is the right option? and with which file, private key, certificate, intermediate?
- set it as default?

I am trying to avoid creating a mess for myself... Please advise. Thanks much!
 
Upvote 0

fredbert

Moderator
NAS Support
Subscriber
1,700
692
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
It sounds more to be a web browser alert raised on the SSL certificate use by the HTTPS web server. Not an OpenVPN connectivity issue.
 
Upvote 0
6
0
NAS
DS218
Router
  1. RT2600ac
Operating system
  1. macOS
  2. Windows
Mobile operating system
  1. iOS
Last edited:
It sounds more to be a web browser alert raised on the SSL certificate use by the HTTPS web server. Not an OpenVPN connectivity issue.
Where did you get the idea we are talking about an OpenVPN issue in this topic...?


Still waiting for the answer on this question.
I went through the steps to first get a self-signed certificate and then after I setup the DDNS with synology, I requested a certificate from Let's encrypt - all of these was done on the router. Does that make sense?
-- post merged: --

If I may add, I do see this thread being related to OpenVPN. The 5 files I referred to in the beginning of the post are generated exporting the OpenVPN configuration from the RT2600ac router.

I appreciate the comments and any help will be greatly appreciated.
 
Upvote 0

Shadow

Subscriber
554
179
NAS
DS216+II, DS118, DS718+
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. Android
I went through the steps to first get a self-signed certificate and then after I setup the DDNS with synology, I requested a certificate from Let's encrypt - all of these was done on the router. Does that make sense?

Still weird. I would expect only 2 files:

- fullchain.pem -> which contains all the certificates, from CA to your domain (= the full chain :))
- key.pem -> the key file for your domain certificate

I'd say try the combo of these 2 files:

server-ca.crt
server.key
 
Upvote 0
6
0
NAS
DS218
Router
  1. RT2600ac
Operating system
  1. macOS
  2. Windows
Mobile operating system
  1. iOS
ok - I'll give it a try and post results as an update. Thank you.
 
Upvote 0

fredbert

Moderator
NAS Support
Subscriber
1,700
692
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Where did you get the idea we are talking about an OpenVPN issue in this topic...?
The subject line "OpenVPN export configuration - files?". And if a configuration file has issues then there's no connection.

Have just exported the OpenVPN configuration archive from RT2600ac's VPN Plus and there are only two files:
  • README.txt
  • VPNConfig.ovpn
The certificate is embedded in the .ovpn file.

In SRM Control Panel / Services / Certificate you can 'Export Certificate' which, for me just now, generates an archive with four files:
  • ca.crt
  • ca.key
  • server.crt
  • server.key
You must keep the .key files safe and not distribute them as they contain the private keys that secure the router. The two .crt are ok to install on Mac/PC. The server.crt is the certificate file that the router uses for HTTPS. It's unlikely that the ca.crt/ca.key will be used to sign other server certificates but you could install ca.crt to browsers so that anything it signs will be recognised as trusted ... so long as the server certificate domain name and SANs match the web server's domain name.

On Mac you can use Keychain Access to change a certificate's trust profile so that whenever it is served it will be seen as a trusted connection. Not sure about Windows.
 
Upvote 0
6
0
NAS
DS218
Router
  1. RT2600ac
Operating system
  1. macOS
  2. Windows
Mobile operating system
  1. iOS
Got it - Thank you very much. This is the first time I read a clear explanation/summary on this issue.
 
Upvote 0

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Similar threads

Similar threads

Trending threads

Top