I went to openvpn application > exported certificates > copied the .ovpn and .crt through iTunes to my phone and logged in. To my surprise, everything worked perfectly fine!
There was an anonymous commenter on this post that pointed out a recent fix to be implemented in openvpn and its likely the case that this fix has finally been implemented in the DiskStation. This means no more managing your own root certificate, maintaining a certificate revocation list, or signing keys! Things now work how they're supposed to work.
Update: I've spoken with Synology support, they let me know that Synology currently does not support mobile clients connecting to OpenVPN.
I have put in a feature request to allow for such functionality, whether it be using client based keys, or password authentication for mobile devices.
In the meantime, the only way you're going to get your mobile devices working with OpenVPN on a Synology NAS is to follow the instructions on how to make your own keys for certificate based authentication. The following blogs will help with configuring your keys.
I've been having some difficulty wrapping my head around how the Synology DiskStation implementation of OpenVPN functions.
Below is my take on what it's doing and what it's missing in terms of functionality/documentation:
Default Connection and Security MethodBy default all synology servers will generate a root CA certificate signed by synology themselves. I'm unsure if these are unique certificates. But I would hope they are, or else every synology server would act as a root CA for everyone else. Which I believe would allow any user to authenticate with the server if they have user credentials and allow them to begin transferring encrypted data using the server certificate provided upon successful login.
All client login using default settings is accomplished by using a password based login to the synology server. Whether or not the password transmission is encrypted, I do not know. The synology server has a certificate called server.crt and a private key called server.key which should be used for the encryption and decryption of traffic going towards the server. I'm guessing once the client has the "ca.crt" they are able to authenticate themselves with the CA using it's public key to encrypt the traffic and then grab the desired server.crt to start encrypting traffic to the server (I'm still fuzzy on how this occurs)
I'm currently uncertain of how transmission of encrypted data happens in the other direction though (from synology server -> client) , as no public and private key for the client are included in the openvpn.zip file that was exported. It is possible that there is a hidden client certificate and key on the server, that is transferred to the client upon successful authorization to the CA but I can't be sure.
Mobile Client SupportOne of the problems with the default implementation of Synology DiskStation's implementation of OpenVPN is that all of the mobile clients that are available require some kind of client certificate. Which to me, makes sense as you need to be able to provide secure transport both ways. There is no documentation from Synology that I could find that states how to perform this. Meaning, the only supported method of connecting to your VPN is on a desktop machine which is very limiting to anyone who travels a lot and uses a mobile device.
Below are the methods that I have tried to connect using my iPhone using the official OpenVPN Application. All files were put on the phone using iTunes app file sharing method.
Using openvpn.ovpn and ca.crt:
Finds the profile:
Cannot find ca.crt even though I added it:
Using iOS.ovpn (includes client.crt, client.key, ca.crt all in the same ovpn file)
Detects it as a "standard" profile (whatever that means).
But I end up hitting the following SSL errors for reasons which I do not understand:
2013-03-23 13:30:29 ----- OpenVPN Start ----- 2013-03-23 13:30:29 LZO-ASYM init swap=0 asym=0 2013-03-23 13:30:29 EVENT: RESOLVE 2013-03-23 13:30:30 EVENT: WAIT 2013-03-23 13:30:30 Connecting to (removed):1194 (18.104.22.168) via UDPv4 2013-03-23 13:30:39 Server poll timeout, trying next remote entry... 2013-03-23 13:30:39 EVENT: RECONNECTING 2013-03-23 13:30:39 LZO-ASYM init swap=0 asym=0 2013-03-23 13:30:39 EVENT: RESOLVE 2013-03-23 13:30:39 EVENT: WAIT 2013-03-23 13:30:39 Connecting to (removed):1194 (22.214.171.124) via UDPv4 2013-03-23 13:30:49 Server poll timeout, trying next remote entry... 2013-03-23 13:30:49 EVENT: RECONNECTING 2013-03-23 13:30:49 LZO-ASYM init swap=0 asym=0 2013-03-23 13:30:49 EVENT: RESOLVE 2013-03-23 13:30:49 EVENT: WAIT 2013-03-23 13:30:49 Connecting to (removed):1194 (126.96.36.199) via UDPv4 2013-03-23 13:30:59 EVENT: CONNECTION_TIMEOUT [ERR] 2013-03-23 13:30:59 EVENT: DISCONNECTED 2013-03-23 13:30:59 Raw stats on disconnect: BYTES_OUT : 210 PACKETS_OUT : 15 CONNECTION_TIMEOUT : 1 N_RECONNECT : 2 2013-03-23 13:30:59 Performance stats on disconnect: CPU usage (microseconds): 90686 Network bytes per CPU second: 2315 Tunnel bytes per CPU second: 0 2013-03-23 13:30:59 ----- OpenVPN Stop ----- 2013-03-23 13:30:59 EVENT: DISCONNECT_PENDING 2013-03-23 13:31:34 ----- OpenVPN Start ----- 2013-03-23 13:31:34 LZO-ASYM init swap=0 asym=0 2013-03-23 13:31:34 EVENT: RESOLVE 2013-03-23 13:31:34 EVENT: WAIT 2013-03-23 13:31:34 Connecting to (removed):1194 (188.8.131.52) via UDPv4 2013-03-23 13:31:44 Server poll timeout, trying next remote entry... 2013-03-23 13:31:44 EVENT: RECONNECTING 2013-03-23 13:31:44 LZO-ASYM init swap=0 asym=0 2013-03-23 13:31:44 EVENT: RESOLVE 2013-03-23 13:31:44 EVENT: WAIT 2013-03-23 13:31:44 Connecting to (removed):1194 (184.108.40.206) via UDPv4 2013-03-23 13:31:52 UDP send error: send: Can't assign requested address 2013-03-23 13:31:54 Server poll timeout, trying next remote entry... 2013-03-23 13:31:54 EVENT: RECONNECTING 2013-03-23 13:31:54 LZO-ASYM init swap=0 asym=0 2013-03-23 13:31:54 EVENT: RESOLVE 2013-03-23 13:31:55 EVENT: WAIT 2013-03-23 13:31:55 Connecting to (removed):1194 (220.127.116.11) via UDPv4 2013-03-23 13:31:55 EVENT: CONNECTING 2013-03-23 13:31:55 Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client 2013-03-23 13:31:55 Peer Info: IV_VER=1.0 IV_PLAT=ios IV_NCP=1 IV_LZO=1 2013-03-23 13:31:56 VERIFY OK: depth=0 cert. version : 3 serial number : (removed) issuer name : C=TW, ST=Taiwan, L=Taipei, O=Synology Inc., OU=Certificate Authority, CN=Synology Inc. CA, emailAddressfirstname.lastname@example.org subject name : C=TW, ST=Taiwan, L=Taipei, O=Synology Inc., OU=FTP Team, CN=synology.com, emailAddressemail@example.com issued on : 2011-04-29 18:07:16 expires on : 2031-01-14 18:07:16 signed using : RSA+SHA1 RSA key size : 1024 bits 2013-03-23 13:31:56 VERIFY FAIL: depth=1 cert. version : 3 serial number : (removed) issuer name : C=TW, ST=Taiwan, L=Taipei, O=Synology Inc., OU=Certificate Authority, CN=Synology Inc. CA, emailAddressfirstname.lastname@example.org subject name : C=TW, ST=Taiwan, L=Taipei, O=Synology Inc., OU=Certificate Authority, CN=Synology Inc. CA, emailAddressemail@example.com issued on : 2011-04-29 18:07:15 expires on : 2031-01-14 18:07:15 signed using : RSA+SHA1 RSA key size : 1024 bits 2013-03-23 13:31:56 Transport Error: PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed 2013-03-23 13:31:56 EVENT: CERT_VERIFY_FAIL PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed [ERR] 2013-03-23 13:31:56 EVENT: DISCONNECTED 2013-03-23 13:31:56 Raw stats on disconnect: BYTES_IN : 2112 BYTES_OUT : 606 PACKETS_IN : 20 PACKETS_OUT : 29 NETWORK_SEND_ERROR : 1 SSL_ERROR : 1 CERT_VERIFY_FAIL : 1 N_RECONNECT : 2 2013-03-23 13:31:56 Performance stats on disconnect: CPU usage (microseconds): 101768 Network bytes per CPU second: 26707 Tunnel bytes per CPU second: 0 2013-03-23 13:31:56 ----- OpenVPN Stop ----- 2013-03-23 13:31:56 EVENT: DISCONNECT_PENDING
Alternatives to the Default Authenticaiton Method?You have the ability in the DiskStation Manager interface to create your own root CA, public and private keys, or alternatively ask for one of your certificates to be signed by the current root CA.
This method of generating your own certificates might end up being better, as we will actually be sure that the client has a valid certificate for synology to encrypt data to it as well.
The above method may work for the creation of certificates for mobile applications but I am unsure of how the config is structured so that when you create the keys. I'm unsure they will actually used for VPN, and override the previous Synology-Signed certificates.
Synology FeedbackI would appreciate if Synology would provide additional information as to how their specific implementation of OpenVPN functions so there is no longer confusion among owners of the DiskStation products. The current documentation offering does not go into enough detail as to how this setup works.
Most importantly, I believe that instructions on how to make Synology's implementation of OpenVPN work with mobile applications is most important. In this manor, if mobile clients work by default additional documentation may not be required.
NotesIf I ever find out an easy/straight forward way of allowing OpenVPN on Synology Diskstation I will be sure to post instructions. But for now, it seems like a fairly convoluted and confusing task that most people will not be inclined to perform or attempt.
If you want to make an attempt at generating your own keys the best resource I could find is the following: http://forum.synology.com/wiki/index.php?title=How_to_use_your_own_certificates_for_connecting&printable=yes
But I am almost positive it is not supported or recommended as you could end up breaking your device if you're not careful