
Synology Let's authenticate authentication failure

Posted: Tue Aug 13, 2019 4:09 am
by russcus
I am inexperienced with server certificates, so please be gentle.
I set up an OpenVPN server on my Synology NAS and set up Viscosity Mac according to your guide. I double-checked all settings and everything looks OK.
Connections to the VPN Server fail immediately. The problem seems to be with verifying my Let's Authenticate server certificate. The certificate is valid, as indicated in the Synology Security control panel. I attached a screenshot of that.

I tried Viscosity configurations with both the IP address and the domain name on the certificate <russcusimano.com>

The referenced <http://openvpn.net/howto.html#mitm> is incomprehensible to me. :(

Can you point me in the right direction to get this running?

Thanks in advance.

Here is the Synology log:
2019-08-12 10:34:46: Viscosity Mac 1.7.16 (1491)
2019-08-12 10:34:46: Viscosity OpenVPN Engine Started
2019-08-12 10:34:46: Running on macOS 10.14.5
2019-08-12 10:34:46: ---------
2019-08-12 10:34:46: State changed to Connecting
2019-08-12 10:34:46: Checking reachability status of connection...
2019-08-12 10:34:46: Connection is reachable. Starting connection attempt.
2019-08-12 10:34:46: OpenVPN 2.4.7 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on May 29 2019
2019-08-12 10:34:46: library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.10
2019-08-12 10:34:58: Valid endpoint found: 35.132.171.123:1194:udp
2019-08-12 10:34:59: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2019-08-12 10:34:59: TCP/UDP: Preserving recently used remote address: [AF_INET]35.132.171.123:1194
2019-08-12 10:34:59: UDP link local: (not bound)
2019-08-12 10:34:59: UDP link remote: [AF_INET]35.132.171.123:1194
2019-08-12 10:34:59: State changed to Authenticating
2019-08-12 10:34:59: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2019-08-12 10:34:59: VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2019-08-12 10:34:59: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2019-08-12 10:34:59: TLS_ERROR: BIO read tls_read_plaintext error
2019-08-12 10:34:59: TLS Error: TLS object -> incoming plaintext read error
2019-08-12 10:34:59: TLS Error: TLS handshake failed
2019-08-12 10:34:59: SIGTERM[soft,tls-error] received, process exiting
2019-08-12 10:34:59: State changed to Disconnected
2019-08-12 10:35:00: Viscosity Mac 1.7.16 (1491)
2019-08-12 10:35:00: Viscosity OpenVPN Engine Started
2019-08-12 10:35:00: Running on macOS 10.14.5
2019-08-12 10:35:00: ---------

Re: Synology Let's authenticate authentication failure

Posted: Tue Aug 13, 2019 10:18 am
by Eric
Hi russcus,

You should not be using your Let's Encrypt certificate as the CA for your connection. Please go back to the OpenVPN Server settings on your server and click Export Configuration to get the CA you should be using.

If you're stuck on where to find this, I recommend going through our guide once more to double-check all your settings - https://sparklabs.com/support/kb/article/setting-up-an-openvpn-server-with-synology-and-viscosity/#openvpn-server-setup
Before doing anything else, click the Export configuration button to download the necessary information for your client to connect to this server. This should download the file openvpn.zip which we will use later in the guide.
Regards,
Eric

Re: Synology Let's authenticate authentication failure

Posted: Wed Aug 14, 2019 2:24 am
by russcus
Hi, Eric:

Thank you for the fast reply. It was very helpful. I created a self-signed SSL certificate and assigned that to the VPN server, leaving all other services assigned to the Let's Encrypt certificate.
Then I exported the VPN configuration and added a new connection to Viscosity.

Problem solved.

Thanks again.
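
An added example, not part of the thread and not Viscosity or Synology code: a small Python triage of the client log from the first post, pulling out the chain depth and certificate named in the VERIFY ERROR line and the missing server-verification warning. The function names and the wording of the notes are assumptions made for this illustration; the sample lines are copied from the log above.

```python
import re

# Constructed sample: lines copied from the client log in the first post.
SAMPLE_LOG = """\
2019-08-12 10:34:46: State changed to Connecting
2019-08-12 10:34:59: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2019-08-12 10:34:59: VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2019-08-12 10:34:59: TLS Error: TLS handshake failed
2019-08-12 10:34:59: State changed to Disconnected
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (.*)$")
VERIFY = re.compile(r"^VERIFY ERROR: depth=(\d+), error=([^:]+): (.*)$")

def parse_dn(dn):
    # Simplification: assumes no attribute value contains ", ".
    return dict(part.split("=", 1) for part in dn.split(", "))

def triage(log_text):
    """Group log lines into connection attempts and collect TLS findings."""
    attempts, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.groups()
        if msg == "State changed to Connecting":
            cur = {"started": ts, "no_server_verify": False,
                   "verify_errors": [], "handshake_failed": False}
            attempts.append(cur)
        elif cur is None:
            continue  # lines before the first attempt (version banner etc.)
        elif "No server certificate verification method" in msg:
            cur["no_server_verify"] = True
        elif msg.startswith("VERIFY ERROR:"):
            v = VERIFY.match(msg)
            if v:  # depth 0 is the server's own certificate, depth 1 its issuer
                cur["verify_errors"].append({"depth": int(v.group(1)),
                    "error": v.group(2), "subject": parse_dn(v.group(3))})
        elif msg == "TLS Error: TLS handshake failed":
            cur["handshake_failed"] = True
    return attempts

def explain(attempt):
    """Turn one attempt's findings into plain-language notes."""
    notes = []
    for e in attempt["verify_errors"]:
        if e["error"] == "unable to get issuer certificate":
            notes.append(f"depth {e['depth']} ({e['subject'].get('CN')}): "
                         "its issuer is not in the CA set the client was given")
    if attempt["no_server_verify"]:
        notes.append("client is not checking that the peer presents a server certificate")
    return notes
```

Calling `explain(triage(SAMPLE_LOG)[0])` returns two notes: one for the depth=1 chain failure and one for the verification warning that the log links to the OpenVPN howto.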