Score:0

How to use public certificates with OpenVPN on Synology DSM?

um flag

I have set up my Synology DSM to acquire and renew certificates from Let's Encrypt using acme.sh.

The problem is as follows:

  • Synology's VPN Center package automatically picks up the default certificate whenever it's changed
  • I can't find a way to make OpenVPN clients simply trust public certificates.
  • The certificate is renewed every 2 months and it's not feasible to let my users update their .ovpn config file this frequently.
  • Even though I have the necessary expertise in Linux, I prefer not to modify vendor software unless strictly necessary.

How should I go about this, to let my users connect to this OpenVPN server on Synology DSM?

Score:1
za flag

Don't do that.

First, OpenVPN's own manuals suggest that it is not recommended to use a public CA. OpenVPN will trust any certificate which was issued by that CA. I doubt you expect any holder of a certificate issued by the third-party CA to be able to connect to your VPN.

Second, there is no point in using a public CA for a private service. By the virtue of VPN, it is a private service which doesn't expect strangers to connect or trust your service. It has a valid and convenient root certificate distribution point: together with the VPN configuration file (probably, built into it), which you must distribute to clients anyway. Also it has a separate certificate store. All of this calls for a private VPN. So, there are no downsides of using a private CA for VPN in comparison with, say, using it for public HTTPS, because you distribute the CA certificate. By the way, even HTTPS has a valid use for the private CA, in the same place as VPN: for client certificate validation; in that case you may still use a public certificate for the server, but client certificates are signed with your private CA.

Third, Let's Encrypt issues domain-validated certificates with the TLS Web Server purpose. In a correctly set up OpenVPN, you can only install such a certificate on the server. Client certificates must have the reverse trait: the TLS Web Client purpose. Let's Encrypt doesn't issue such certificates.

OpenVPN was designed with a private, special-purpose CA in mind, dedicated to this VPN only. They provide a set of scripts to create such a CA; it's called EasyRSA. It's really easy to use. If you don't want to use it (and you have a valid reason), you may use something else for creating this private CA; for instance, we once employed MS AD Certification Services for that.
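The points above about a dedicated private CA and the server/client purpose split can be checked with plain `openssl`. This is an added example, not code from the answer or from EasyRSA; all names (the CA subject, `vpn.example.internal`, `alice`) are placeholders, and it assumes the `openssl` CLI is installed with its default `openssl.cnf`.

```shell
#!/bin/sh
# Added example: build a tiny private CA for one VPN, issue a server certificate
# (TLS Web Server purpose) and a client certificate (TLS Web Client purpose),
# then verify that each certificate is accepted only for its own purpose.
set -e

make_vpn_pki() {
  dir=$1
  mkdir -p "$dir"

  # 1. A private CA used for this VPN only (subject is a placeholder).
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/CN=Example VPN CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

  # 2. Server certificate: extendedKeyUsage=serverAuth, the same purpose a
  #    Let's Encrypt certificate carries. OpenVPN clients configured with
  #    "remote-cert-tls server" require exactly this EKU on the server.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.internal" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
    > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null

  # 3. Client certificate: extendedKeyUsage=clientAuth, the "reverse trait"
  #    that a public CA will not issue for you.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
    > "$dir/client.ext"
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null
}

# check_purpose CA_CERT PURPOSE CERT
# Returns 0 only if CERT chains to CA_CERT and its extensions allow PURPOSE
# (sslserver or sslclient); a server certificate therefore fails sslclient
# and a client certificate fails sslserver, which is the split OpenVPN relies on.
check_purpose() {
  openssl verify -CAfile "$1" -purpose "$2" "$3" >/dev/null 2>&1
}
```

The resulting `ca.crt`, `server.crt`/`server.key` and `client.crt`/`client.key` are what the OpenVPN `ca`, `cert` and `key` directives expect on the server and in each client's `.ovpn`; because the CA is yours, nothing in the client profile changes when you reissue the server certificate.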

iBug avatar
um flag
So you have your reasoning, and this is a plausible answer. It does not, however, solve my problem with using OpenVPN on Synology DSM.
Nikita Kipriyanov avatar
za flag
Actually *that* is on the edge of being off topic here. I remember that DSM's OpenVPN configuration interface, that's a web panel, and we dislike those panels "because they customise their systems so normal administration methods don't apply". The best thing you can do with DSM is not to use its GUI configurator, but figure out how to run OpenVPN using the standard config file according to its manual. I don't have DSM at hand and can't explore that. Consider the answer as a big fat warning that you're doing something wrong.
iBug avatar
um flag
I cannot agree more with you that stuff like Synology are a nightmare for normal Linux SysAdmins. I guess I'll try to figure that out by myself. Thank you for your answer. (P.S. Talking about certificates, I do manage a private X.509 CA using XCA and `openssl` CLI, and I'm familiar with this.)
Nikita Kipriyanov avatar
za flag
No, it's not a nightmare. Actually it is a relief after other "NAS" solutions like those produced by WD, Qnap and others. But remember, however advanced it is, it is still a NAS. When you use it for what it is designed for, it works pretty well, but for everything else it is mediocre. As soon as you try to repurpose it without serious thinking, it will begin failing you.
iBug avatar
um flag
I've given you your deserved upvote. This Synology is not my personal asset, but a lab machine that I only took over to manage recently. I would have built a Proxmox VE cluster for all this kind of infrastructure if I had the chance to rebuild this from scratch.