VPN SSL Certificate error


Gerard

Active member
NAS
DS718+
Currently using Synology’s quickconnect method to remotely connect to my nas. We’ll use DS File for this example.

I am able to connect with no issues using quickconnect. However, when I turn on OpenVPN to vpn into the nas and then try to log into ds file, I receive a message stating “the ssl cert. of the Synology Nas is not trusted. This may mean it’s a self signed cert. or someone may be trying to intercept your connection.”

Is there any way to prevent this? Currently I cannot log in to ds file while connected to openvpn.
 

Rusty

Staff member
Moderator
NAS Support
Website
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
Have you tried to use local nas ip to log into ds file while logged via vpn? There is really no need to use qc name while in local network via the tunnel.

Also that error is caused by a cert error especially if you are accessing via https protocol.
 

Gerard

Active member
NAS
DS718+
Same error when using the local ip over vpn.

It’s just a pain to have to keep switching the connection names and/or turning vpn on/off to do things. I would connect my phone to vpn to use Remote Desktop or browsing to local network. Then when I have to work on Synology, some access can be quickly done through the apps. However, at times I don’t need the vpn for the other stuff and just need to connect to the synology apps, in which case I would have to use the quickconnect (or ddns).

For the record I think this just has to do only with the cert error using the native synology apps. I can access normally by going to the local nas ip in a web browser on vpn. If I uncheck https on the ds file login screen, it will connect with no cert error popping up. So, is there any way to connect using https?
 

Gerard

Active member
NAS
DS718+
Alright sorry another update. If I use the synology ddns name it will connect without throwing the certificate issue. I guess this makes sense since the LE cert is connected to the synology.me ddns name.
 

Rusty

Staff member
Moderator
NAS Support
Website
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
> Alright sorry another update. If I use the synology ddns name it will connect without throwing the certificate issue. I guess this makes sense since the LE cert is connected to the synology.me ddns name.

As I said before, using https in any case without the exact name covered by the cert, you will get a cert error.
 

Gerard

Active member
NAS
DS718+
> As I said before, using https in any case without the exact name covered by the cert you will get a cert error.

Is there any way to include the synology quickconnect name into the cert along with the ddns name?

Is there any way to include the LAN ip as well?
 

Rusty

Staff member
Moderator
NAS Support
Website
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
> Is there anyway to include the synology quickconnect name into the cert along with the ddns name?
>
> Is there anyway to include the LAN ip as well?

Not using the qc name, no. Still, using a ddns domain name LE cert, you can add anything you want to the SAN field while creating a cert.
 

fredbert

Well-known member
The certificate error happens when the client detects an issue with the authorised names covered by the certificate presented by the immediate server with which it is communicating. The end-server (your NAS) is hidden from the client when using QC and QC uses a certificate that names itself.

QC will determine the best connectivity method for accessing the NAS, sometimes this is using the QC proxy and sometimes it's a redirect to the NAS. Within the VPN tunnel it would seem that you are getting a redirect.

If you are not directly exposing the NAS to the Internet, for the services you are using (e.g. File Station), then you can use DS file's setting to ignore certificate messages, and the other apps have the same setting.

Otherwise, if the services are directly accessible from the Internet, you could run an internal DNS that resolves your domain itself and forwards resolving for everything else. Use this for VPN and local devices and set it to mimic your Internet DNS resolution, but for local IPs.
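
Added example, not part of the thread: the name check a TLS client applies, run against the address typed into the app. The certificates use the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the host name `mynas.synology.me` and the addresses are constructed placeholders.

```python
import ipaddress

# Constructed samples in the shape returned by ssl.SSLSocket.getpeercert().
# Names and addresses are placeholders, not values from the thread.
SAMPLE_CERT = {"subjectAltName": (("DNS", "mynas.synology.me"),)}
SAMPLE_CERT_WITH_LAN = {
    "subjectAltName": (
        ("DNS", "mynas.synology.me"),
        ("DNS", "*.mynas.synology.me"),
        ("IP Address", "192.168.1.10"),
    )
}

def _dns_match(pattern, host):
    """Match one DNS SAN entry; '*' may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def covered(cert, target):
    """True if `target` (the host name or IP entered in the client) is in the SAN."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with IP Address entries, never DNS ones.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip
                   for k, v in sans)
    return any(k == "DNS" and _dns_match(v, target) for k, v in sans)

def report(cert, targets):
    """Map each address a client might use to whether the certificate covers it."""
    return {t: covered(cert, t) for t in targets}

if __name__ == "__main__":
    targets = ["mynas.synology.me", "192.168.1.10", "10.8.0.1"]
    for cert in (SAMPLE_CERT, SAMPLE_CERT_WITH_LAN):
        for t, ok in report(cert, targets).items():
            print(f"{t:22} {'ok' if ok else 'certificate name mismatch'}")
```

With an internal DNS that resolves the covered name to the LAN address, the client keeps using the first entry and the check passes without changing the certificate.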
 
