Wednesday, September 24, 2014

Synology, StartSSL, OpenVPN and Tunnelblick

As I mentioned previously, I had switched my Synology box to a real, live SSL cert from a trusted CA, StartSSL. That worked great for connecting via SSL to either the web console or the Chrome extension for Download Station. All worked swimmingly, until I discovered my OpenVPN connection wasn't functioning any longer. PPTP worked fine, but OpenVPN had issues. It turns out the Synology box's OpenVPN server, and therefore the OpenVPN client connection package it exports, doesn't know the StartSSL CA chain, so the client cannot verify the server certificate. Here is how I discovered and resolved the issue.


I tried re-exporting the config, changing the hostname to the new Internet-facing hostname. That didn't work. I re-exported the .crt files from the server and included them in the .tblk file to import into TunnelBlick. That didn't work.

Then I decided to go look at the client connection logs, which is where I should have started. Here's what they said:
2014-09-24 09:50:43 *Tunnelblick: openvpnstart starting OpenVPN
2014-09-24 09:50:44 VERIFY ERROR: depth=1, error=unable to get local issuer certificate: /C=IL/O=StartCom_Ltd./OU=Secure_Digital_Certificate_Signing/CN=StartCom_Class_1_Primary_Intermediate_Server_CA
2014-09-24 09:50:44 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2014-09-24 09:50:44 TLS Error: TLS object > incoming plaintext read error
2014-09-24 09:50:44 TLS Error: TLS handshake failed

Researching this error, I found the following reference on the Synology forums:


Here's how I fixed this problem:
  1. Get the StartSSL root CA cert (ca.pem) and the StartSSL Class 1 intermediate server CA cert (sub.class1.server.ca.pem) from StartSSL's web site.
  2. Concatenate the StartSSL root CA with the StartSSL Class 1 cert and save the result as a new file. You can use cat on *nix, Notepad on Windows, or TextEdit on OS X. Order doesn't matter. It will look something like this, except much longer:

-----BEGIN CERTIFICATE-----
MIIHyTCCBbGgAwIBAgIBATANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
...
NOsF/5oirpt9P/FlUQqmMGqz9IgcgA38corog14=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGNDCCBBygAwIBAgIBGDANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
...
Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1
-----END CERTIFICATE-----
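To show why the concatenated file matters, here is an added example (not from the original post, and not using the real StartSSL files): it generates a throwaway root CA, intermediate CA and server certificate in a temp directory, builds the bundle exactly as step 2 describes (cat of root and intermediate), and runs `openssl verify` twice. Verifying against the root alone reproduces the "depth=1 ... unable to get local issuer certificate" failure from the Tunnelblick log; verifying against the bundle succeeds. The CA names, the hostname vpn.example.test and the file names are all constructed for this example.

```shell
#!/bin/sh
# Added example: build a root+intermediate CA bundle and check that a server
# certificate chains to it, using a constructed test PKI instead of StartSSL.
set -eu

# Generate root -> intermediate -> server certificates in directory $1.
# All subjects and file names are constructed for this example.
make_test_pki() {
    dir=$1
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    # Extension files: an intermediate must be marked CA:TRUE or verify rejects it.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vpn.example.test\n' > "$dir/server.ext"

    # Self-signed root CA.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
        -out "$dir/root.csr" -subj "/CN=Test Root CA" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -days 1 -out "$dir/root.pem" 2>/dev/null

    # Intermediate CA, signed by the root (the role StartSSL's Class 1 CA plays).
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/int.key" \
        -out "$dir/int.csr" -subj "/CN=Test Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -days 1 -out "$dir/int.pem" 2>/dev/null

    # Server certificate, signed by the intermediate only (like the Synology cert).
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -out "$dir/server.csr" -subj "/CN=vpn.example.test" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -extfile "$dir/server.ext" -days 1 -out "$dir/server.pem" 2>/dev/null
}

# Step 2 of the post: concatenate root ($1) and intermediate ($2) into bundle ($3).
# OpenSSL builds the chain from whatever is in the file, so order does not matter.
build_ca_bundle() {
    cat "$1" "$2" > "$3"
}

# Returns 0 when certificate $2 verifies against CA file $1, non-zero otherwise.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    work=$(mktemp -d)
    make_test_pki "$work"
    build_ca_bundle "$work/root.pem" "$work/int.pem" "$work/bundle.pem"
    echo "== verify against root CA only (what the exported client package had) =="
    openssl verify -CAfile "$work/root.pem" "$work/server.pem" || true
    echo "== verify against root + intermediate bundle =="
    openssl verify -CAfile "$work/bundle.pem" "$work/server.pem"
    rm -rf "$work"
}

demo
```

The first verify prints an error at depth 1 (the intermediate), which is the same condition Tunnelblick logged; the second prints `server.pem: OK`. The same `openssl verify -CAfile bundle.pem server.crt` check, run against the real bundle and the exported server.crt, is a quick way to confirm the file is right before uploading it to the Synology box.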

On your Synology box, do the following:

  1. In Control Panel > Security > Certificate, you may see that your StartSSL cert is already installed, which was the case in my situation. If so, export your certificates so you have a known good copy of your server.crt and server.key. These are needed in the next step.
  2. Import your server.key and server.crt, and supply the new ca.crt (or whatever you called it) built above as the intermediate certificate.
  3. The import takes a while, and the web server restarts afterward.
  4. Go into Package Center and find VPN Server. "Stop", then "Run" the VPN server.
  5. Re-export the OpenVPN config and fix your client .tblk package for the clients.
After this, I was able to successfully connect using OpenVPN to my Synology box again. Woo hoo!