Solved VPN fails on Win10 PC and Android devices


1,199
397
NAS
DS418play, DS213j, DS3621+, DSM 7.0.4-11091
Not sure what has happened, as I have no access via my Win10 or Android users. Today nothing works... just something about expired cert... Here's a partial log that I see...

FWIW, I use LE Cert... still good.

Thu Feb 27 17:40:35 2020 VERIFY ERROR: depth=0, error=certificate has expired: CN=xxxxxxxx.synology.me
Thu Feb 27 17:40:35 2020 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Thu Feb 27 17:40:35 2020 TLS_ERROR: BIO read tls_read_plaintext error
Thu Feb 27 17:40:35 2020 TLS Error: TLS object -> incoming plaintext read error
Thu Feb 27 17:40:35 2020 TLS Error: TLS handshake failed
Thu Feb 27 17:40:35 2020 SIGUSR1[soft,tls-error] received, process restarting
Thu Feb 27 17:40:40 2020 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.


Any ideas? This was working 2 weeks ago. Many thanks.
 

fredbert

Moderator
NAS Support
Subscriber
1,838
750
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Has the certificate expired and renewal failed? Could be that revocation lists are actually being consulted. Does OpenVPN server cache the certificate and it hasn't loaded the new one?

In the OpenVPN config file, is there a parameter that can be set to accept expired certificates, just as a test? One reason I keep SSL-VPN and OpenVPN gateways running is in case one fails. Also, I have a limited (users) access for L2TP as well.

All pure guesses, but that is where I'd start looking and Googling/DuckDuckGo-ing.
 
1,199
397
NAS
DS418play, DS213j, DS3621+, DSM 7.0.4-11091
> Has the certificate expired and renewal failed? Could be that revocation lists are actually being consulted. Does OpenVPN server cache the certificate and it hasn't loaded the new one?

My LE cert doesn't expire until early-May. So this is all puzzling. My last VPN session was on Feb 18.

Your comments about caching got me thinking... so I changed the VPN server default cert to synology.com, and then back to the LE cert. That had no immediate effect. Next, I restarted the NAS (grumble, grumble...) and upon restart VPN access was restored.

So maybe there's now a Synology bug that doesn't update the cert. IDK.

But you got me thinking and for now this is resolved. Thank you. 🍪🍪🍪
 

fredbert

Certainly sounds like a bug. But one of those difficult to repeat such that it gets fixed anytime soon.

Instead of rebooting the whole NAS you could try disabling OpenVPN and then re-enabling it. Or restarting the daemon from CLI.
 
1
0
NAS
Synology 1819+
Operating system
  1. Windows
Hey guys,

I've tried the default Synology certificate, my own self-signed certificate and a Let's Encrypt certificate. None of which is working for me. I'm getting these errors:
Any ideas?
 

Rusty

Moderator
NAS Support
2,856
870
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
> Hey guys,
>
> I've tried the default Synology certificate, my own self-signed certificate and a Let's Encrypt certificate. None of which is working for me. I'm getting these errors:
> Any ideas?

You did export the VPN file from your VPN server each time after you have changed your certificate?
 
1,199
397
NAS
DS418play, DS213j, DS3621+, DSM 7.0.4-11091
> I've tried the default Synology certificate, my own self-signed certificate and a Let's Encrypt certificate. None of which is working for me.

> You did export the VPN file from your VPN server each time after you have changed your certificate?

Relatedly, did you check the cert configured for your VPN server through all these changes...
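
Added example, not part of any post in this thread: a small Python triage of OpenVPN client log lines like the ones quoted in the first post. It separates an expired certificate sent by the server itself (depth=0) from a problem higher in the chain, and flags the warning that the client profile performs no server-certificate check. The function names and the sample constant are made up for this example.

```python
import re
from datetime import datetime

# Constructed sample: four of the client log lines quoted in the first post.
SAMPLE_LOG = """\
Thu Feb 27 17:40:35 2020 VERIFY ERROR: depth=0, error=certificate has expired: CN=xxxxxxxx.synology.me
Thu Feb 27 17:40:35 2020 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Thu Feb 27 17:40:35 2020 TLS Error: TLS handshake failed
Thu Feb 27 17:40:40 2020 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
"""

STAMP = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (.*)$")
VERIFY = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+): (.*)$")

def triage(log_text):
    """Return (timestamp, kind, detail) findings from an OpenVPN client log."""
    findings = []
    for raw in log_text.splitlines():
        m = STAMP.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        msg = m.group(2)
        v = VERIFY.search(msg)
        if v:
            depth, reason, subject = int(v.group(1)), v.group(2).strip(), v.group(3)
            # depth=0 is the certificate the server itself sent; higher depths are issuers.
            who = "server certificate" if depth == 0 else f"issuer at depth {depth}"
            findings.append((ts, "verify_error", f"{who} {subject}: {reason}"))
        elif "No server certificate verification method" in msg:
            # Client profile has no remote-cert-tls or verify-x509-name directive.
            findings.append((ts, "no_server_cert_check", msg))
        elif "TLS handshake failed" in msg:
            findings.append((ts, "handshake_failed", msg))
    return findings

def diagnose(findings):
    """Summarise which side to inspect first."""
    expired_leaf = [d for _, k, d in findings
                    if k == "verify_error" and d.startswith("server certificate") and "expired" in d]
    if expired_leaf:
        return "server presented an expired certificate: check which cert the VPN service has loaded"
    if any(k == "verify_error" for _, k, _ in findings):
        return "chain problem above the server certificate: check the CA in the client profile"
    return "no certificate verification error found"

if __name__ == "__main__":
    for ts, kind, detail in triage(SAMPLE_LOG):
        print(ts.isoformat(), kind, detail)
    print(diagnose(triage(SAMPLE_LOG)))
```

A `no_server_cert_check` finding is independent of the expiry error: it is cleared by adding `remote-cert-tls server` to the client profile.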
 
