Solved VPN fails on Win10 PC and Android devices


Telos

Subscriber
2,839
898
NAS
DS418play, DS213j, DS3622+, DSM 7.2.4-11091
Not sure what has happened, as I have no access via my Win10 or Android users. Today nothing works... just something about expired cert... Here's a partial log that I see...

FWIW, I use LE Cert... still good.

Thu Feb 27 17:40:35 2020 VERIFY ERROR: depth=0, error=certificate has expired: CN=xxxxxxxx.synology.me
Thu Feb 27 17:40:35 2020 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Thu Feb 27 17:40:35 2020 TLS_ERROR: BIO read tls_read_plaintext error
Thu Feb 27 17:40:35 2020 TLS Error: TLS object -> incoming plaintext read error
Thu Feb 27 17:40:35 2020 TLS Error: TLS handshake failed
Thu Feb 27 17:40:35 2020 SIGUSR1[soft,tls-error] received, process restarting
Thu Feb 27 17:40:40 2020 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

Any ideas? This was working 2 weeks ago. Many thanks.
 

fredbert

Moderator
NAS Support
Subscriber
4,075
1,614
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
  3. RT6600ax
Operating system
  1. macOS
Mobile operating system
  1. iOS
Has the certificate expired and renewal failed? Could be that revocation lists are actually being consulted. Does OpenVPN server cache the certificate and it hasn't loaded the new one?

In the OpenVPN config file is there a parameter that can be set to accept expired certificates, just as a test? One reason I keep SSL-VPN and OpenVPN gateways running is in case one fails. Also, I have a limited (users) access for L2TP as well.

All pure guesses but is where I'd start looking and Googling/DuckDuckGo-ing.
 

Telos

> Has the certificate expired and renewal failed? Could be that revocation lists are actually being consulted. Does OpenVPN server cache the certificate and it hasn't loaded the new one?

My LE cert doesn't expire until early-May. So this is all puzzling. My last VPN session was on Feb 18.

Your comments about caching got me thinking... so I changed the VPN server default cert to synology.com, and then back to the LE cert. That had no immediate effect. Next, I restarted the NAS (grumble, grumble...) and upon restart VPN access was restored.

So maybe there's now a Synology bug that doesn't update the cert. IDK.

But you got me thinking and for now this is resolved. Thank you. 🍪🍪🍪
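
The situation described in the posts above (the client log says the server certificate has expired while the configured Let's Encrypt certificate is still valid, and a restart clears it) can be told apart from a genuinely failed renewal by comparing the log timestamp with the configured certificate's expiry. This is an added example, not part of any post in the thread; the function names and the May 5 expiry date are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: client log lines as quoted in the thread, one per line.
SAMPLE_LOG = """\
Thu Feb 27 17:40:35 2020 VERIFY ERROR: depth=0, error=certificate has expired: CN=xxxxxxxx.synology.me
Thu Feb 27 17:40:35 2020 TLS Error: TLS handshake failed
Thu Feb 27 17:40:40 2020 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
"""

VERIFY_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) VERIFY ERROR: "
    r"depth=(?P<depth>\d+), error=(?P<error>[^:]+): (?P<subject>.+)$",
    re.M,
)
NO_VERIFY = "No server certificate verification method has been enabled"


def parse_enddate(line):
    """Parse `openssl x509 -noout -enddate` output, e.g.
    'notAfter=May  5 12:00:00 2020 GMT' (returned as a naive datetime)."""
    value = " ".join(line.strip().split("=", 1)[1].split())
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")


def triage(log_text, configured_not_after):
    """Classify each VERIFY ERROR against the expiry of the certificate the
    admin believes the VPN server is configured with. Log times are client
    local time, so results within a day of the expiry are not reliable."""
    findings = []
    for m in VERIFY_RE.finditer(log_text):
        seen = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
        depth = int(m["depth"])  # depth 0 is the server's own (leaf) certificate
        if m["error"] != "certificate has expired":
            verdict = "other-verify-error"
        elif depth > 0:
            verdict = "ca-cert-expired"
        elif configured_not_after > seen:
            # Configured cert is still valid, so the daemon is presenting an
            # older one it loaded earlier: restart the VPN service.
            verdict = "stale-cert-served"
        else:
            verdict = "configured-cert-expired"  # the renewal itself failed
        findings.append({"subject": m["subject"], "depth": depth, "verdict": verdict})
    # Second value: the client config has no server-certificate check such as
    # `remote-cert-tls server`, which the logged warning is about.
    return findings, NO_VERIFY in log_text
```

The warning on the last log line is independent of the expiry problem and remains after the restart unless the client configuration is changed.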
 

fredbert

Certainly sounds like a bug. But one of those difficult to repeat such that it gets fixed anytime soon.

Instead of rebooting the whole NAS you could try disabling OpenVPN and then re-enabling it. Or restarting the daemon from CLI.
 
1
0
NAS
Synology 1819+
Operating system
  1. Windows
Hey guys,

I've tried the default synology certificate, my own self signed certificate and a let's encrypt certificate. None of which is working for me. I'm getting these errors:

Any ideas?
 

Rusty

Moderator
NAS Support
6,094
1,785
www.blackvoid.club
NAS
DS718+, DS918+, 2x RS3614RPxs+
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
> Hey guys,
>
> I've tried the default synology certificate, my own self signed certificate and a let's encrypt certificate. None of which is working for me. I'm getting these errors:
>
> Any ideas?

You did export the vpn file from your vpn server each time after you have changed your certificate?
 

Telos

> I've tried the default synology certificate, my own self signed certificate and a let's encrypt certificate. None of which is working for me.

> You did export the vpn file from your vpn server each time after you have changed your certificate?

Relatedly, did you check the cert configured for your VPN server through all these changes...
 
