I tried re-exporting the config, changing the hostname to the new Internet-facing hostname. That didn't work. I re-exported the .crt files from the server and included them in the .tblk file to import into TunnelBlick. That didn't work.
Then I decided to go look at the client connection logs, which is where I should have started. Here's what they said:
2014-09-24 09:50:43 *Tunnelblick: openvpnstart starting OpenVPN
2014-09-24 09:50:44 VERIFY ERROR: depth=1, error=unable to get local issuer certificate: /C=IL/O=StartCom_Ltd./OU=Secure_Digital_Certificate_Signing/CN=StartCom_Class_1_Primary_Intermediate_Server_CA
2014-09-24 09:50:44 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2014-09-24 09:50:44 TLS Error: TLS object > incoming plaintext read error
2014-09-24 09:50:44 TLS Error: TLS handshake failed
Researching this error, I found the following reference on the Synology forums:
Here's how I fixed this problem:
- Get the StartSSL root CA cert (ca.pem) and the StartSSL Class1 cert (sub.class1.server.ca.pem) from StartSSL's web site
- Concatenate the StartSSL root CA with the StartSSL Class1 cert and save it as a new file. You can use cat in *nix to do this or notepad in Windows, or TextEdit in OS X. Order doesn't matter. It will look something like this, except much longer:
-----BEGIN CERTIFICATE-----MIIHyTCCBbGgAwIBAgIBATANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
NOsF/5oirpt9P/FlUQqmMGqz9IgcgA38corog14=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGNDCCBBygAwIBAgIBGDANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1
-----END CERTIFICATE-----
On your Synology box, do the following:
- In Control Panel > Security > Certificate, you may see that your StartSSL cert is already installed, which was the case in my situation. If this is true, export your certificates, so you have a known good copy of your server.crt and server.key. This will be needed on the next step.
- Import your server.key, server.crt and the new ca.crt (or whatever you called it) file generated above as the intermediate certificate.
- This took a bit to import and restart the web server.
- Go into Package Center and find VPN Server. "Stop", then "Run" the VPN server.
- Re-export the OpenVPN config and fix your client .tblk package for the clients.
No comments:
Post a Comment