VPN SSL Certificate error

Currently using Synology’s QuickConnect method to remotely connect to my NAS. We’ll use DS File for this example.

I am able to connect with no issues using QuickConnect. However, when I turn on OpenVPN to VPN into the NAS and then try to log into DS File, I receive a message stating “the ssl cert. of the Synology Nas is not trusted. This may mean it’s a self signed cert. or someone maybe trying to intercept your connection.”

Is there any way to prevent this? Currently I cannot log in to DS File while connected to OpenVPN.
 
Have you tried using the local NAS IP to log into DS File while logged in via VPN? There is really no need to use the QC name while in the local network via the tunnel.

Also that error is caused by a cert error especially if you are accessing via https protocol.
 
Same error when using the local IP over VPN.

It’s just a pain to have to keep switching the connection names and/or turning VPN on/off to do things. I would connect my phone to VPN to use Remote Desktop or browse the local network. Then when I have to work on the Synology, some access can be quickly done through the apps. However, at times I don’t need the VPN for the other stuff and just need to connect to the Synology apps, in which case I would have to use QuickConnect (or DDNS).

For the record, I think this has to do only with the cert error using the native Synology apps. I can access normally by going to the local NAS IP in a web browser on VPN. If I uncheck HTTPS on the DS File login screen, it will connect with no cert error popping up. So, is there any way to connect using HTTPS?
 
Alright, sorry, another update. If I use the Synology DDNS name it will connect without throwing the certificate issue. I guess this makes sense since the LE cert is connected to the synology.me DDNS name.
 
As I said before, using https in any case without the exact name covered by the cert you will get a cert error.
 
Is there any way to include the Synology QuickConnect name in the cert along with the DDNS name?

Is there any way to include the LAN IP as well?
 
Not using the QC name, no. Still, using a DDNS domain name LE cert you can add anything you want to the SAN field while creating a cert.
 
The certificate error happens when the client detects an issue with the authorised names covered by the certificate presented by the immediate server with which it is communicating. The end-server (your NAS) is hidden from the client when using QC and QC uses a certificate that names itself.

QC will determine the best connectivity method for accessing the NAS; sometimes this is using the QC proxy and sometimes it's a redirect to the NAS. Within the VPN tunnel it would seem that you are getting a redirect.

If you are not directly exposing the NAS to the Internet, for the services you are using (e.g. File Station), then you can use DS file's setting to ignore certificate messages, and the other apps have the same setting.

Otherwise, if the services are directly accessible from the Internet, you could run an internal DNS that resolves your domain itself and forwards resolving for everything else. Use this for VPN and local devices and set it to mimic your Internet DNS resolution, but for local IPs.
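
The name check discussed in this thread, as an added example that is not part of any post: it compares the name or IP a client connects to against a certificate's SAN entries, which is why the DDNS name passes while the LAN IP and a QuickConnect-style name do not. The host names, the IP address and the SAN lists are constructed sample values; the `(kind, value)` shape follows what Python's `ssl` module returns from `getpeercert()`.

```python
import ipaddress

def _ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def dns_match(pattern, host):
    """Exact match, or '*' standing for exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def covered(target, san):
    """san uses the (kind, value) shape of ssl getpeercert()['subjectAltName']."""
    want = _ip(target)
    if want is not None:  # IP literals only match "IP Address" entries
        return any(k == "IP Address" and _ip(v) == want for k, v in san)
    return any(k == "DNS" and dns_match(v, target) for k, v in san)

# Constructed sample data: a cert issued for the DDNS name only.
SAN_DDNS_ONLY = [("DNS", "mynas.synology.me")]
# Constructed: the same cert with a LAN IP entry added to the SAN field.
SAN_WITH_IP = SAN_DDNS_ONLY + [("IP Address", "192.168.1.10")]
# Constructed names a client might type into the DS file login screen.
TARGETS = ["mynas.synology.me", "192.168.1.10", "mynas.quickconnect.to"]

def report(san):
    """Map each constructed target to whether the SAN list covers it."""
    return {t: covered(t, san) for t in TARGETS}

if __name__ == "__main__":
    for label, san in (("DDNS only", SAN_DDNS_ONLY), ("DDNS + IP", SAN_WITH_IP)):
        for target, ok in report(san).items():
            print(f"{label:10} {target:24} {'ok' if ok else 'NAME MISMATCH'}")
```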
 
