Update OpenVPN Certificates on QNAP

Recently I encountered an unexpected issue when a customer reported that they were unable to connect to their OpenVPN server. Connection attempts were failing because the cert associated with the client .ovpn configuration file had reached its expiration date.

In this instance a QNAP NAS was acting as the OpenVPN server. QNAP ships their devices with key-pairs that expire after 3650 days (10 years), and the keys used to negotiate the OpenVPN connection had reached their expiration date. Resolving this problem meant figuring out how to generate new certs and keys for the OpenVPN service running on the QNAP.

Googling the problem resulted in links discussing how to update the certs associated with the QNAP’s Web SSL cert, but none of them provided any input on how to renew the Easy-RSA generated certs and keys associated with the device’s OpenVPN service.

By cross-referencing OpenVPN documentation with the cryptic failure messages my client was receiving, I was able to determine which files needed to be updated on the QNAP (and eventually on my client’s OpenVPN client).

I published this guide in an effort to help others who may face the same problem.


Enable SSH Access on QNAP

To accomplish this task you’ll need SSH access to your QNAP. QNAP’s website describes the process (https://www.qnap.com/en/how-to/knowledge-base/article/how-do-i-access-my-qnap-nas-using-ssh), or you can follow these steps from within the QNAP’s Web interface…

Control Panel –> Network & File Services –> Telnet / SSH –> Allow SSH Access (checkbox) –> Apply


Other Requisites:

  • An SSH client. PuTTY works great on Windows (https://www.putty.org/). On Mac, you can use the built-in Terminal app. Starting an SSH terminal connection with the QNAP will vary depending upon which SSH client you use. Ultimately, you’ll need to log in using the ‘admin’ account and password.
  • Knowledge of the Linux text editor vim. Here’s a link to a vim cheat-sheet to help you along… https://vim.rtorr.com/


Log in Via SSH

As mentioned above, SSH login steps will vary based on the SSH client you are using. I’m a Mac enthusiast, so I entered the following into the Terminal command line (where is the fictional IP address of the QNAP on my network)…

ssh admin@

Modify the above example to fit your scenario. When prompted, enter the password associated with the ‘admin’ account. After you’ve logged in to your QNAP as ‘admin’ via SSH, follow these steps…


Back up your expired OpenVPN keys (optional, but recommended)

cp -R /etc/openvpn/keys/ /etc/openvpn/keysold

Now that you have a solid backup of the expired keys it’s time to start the process of generating new keys. Start by changing into the easy-rsa directory…

cd /etc/openvpn/easy-rsa


Change the destination path for new certs and key-pairs (optional, but recommended)

Not having much experience with how this process works, I decided not to chance overwriting any keys. Inside the easy-rsa directory is a file that helps automate the process of generating a new key-pair. Within this file is a variable that specifies the directory into which the new keys will be saved. I chose to customize this line so that the keys would be placed in a completely new directory. Eventually I planned on copying these files into the ‘/etc/openvpn/keys’ directory backed up above.

Begin editing the ‘vars’ file with…

vi vars

Find the line that reads…

export KEY_DIR="$EASY_RSA/keys"

… and change it to read…

export KEY_DIR="$EASY_RSA/keysnew"

Save and exit vi. Using your computer’s keyboard, type/press the following (without the quotes):

1. Press 'Esc' key
2. Type ':wq'
3. Press 'Enter' key


Generate Keys and Certificates

Now it’s time to generate your new key-pair and certs. Note that the ‘build-dh’ step in this process can take quite a long time to complete. On my QNAP it took nearly 15 minutes before the process finished. Your mileage may vary depending on the performance of your QNAP device. Enter each line in your SSH terminal window:

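. ./vars                      # load the easy-rsa settings, including KEY_DIR
./pkitool --initca            # create the new CA certificate and key
./pkitool --server myserver   # create the server certificate and key
./build-dh                    # generate the Diffie-Hellman parameters (the slow step)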
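
Before the new files are copied over the live ones, it is worth confirming that they are usable. The script below is an added example, not part of the original post or of QNAP's tooling: it checks that the server certificate chains to the new CA, that the private key matches it, and that neither certificate is close to expiry. The function name check_new_keys and the 30-day default are assumptions; it relies only on the standard openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check easy-rsa output
# before it is copied over /etc/openvpn/keys.
# Usage: check_new_keys DIR SERVER_NAME [MIN_DAYS]
check_new_keys() {
    dir=$1; name=$2; min_days=${3:-30}; rc=0

    # 1. The files OpenVPN needs must exist and be non-empty.
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -s "$dir/$f" ] || { echo "FAIL: missing $dir/$f"; return 1; }
    done

    # 2. The server certificate must chain to the new CA. Match on the "OK"
    #    text rather than relying on the exit status alone.
    openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" 2>&1 |
        grep -q ': OK$' || { echo "FAIL: $name.crt not signed by ca.crt"; rc=1; }

    # 3. The private key must belong to the server certificate.
    cert_pub=$(openssl x509 -in "$dir/$name.crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/$name.key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $name.key does not match $name.crt"; rc=1; }

    # 4. Neither certificate may expire within MIN_DAYS.
    for c in ca.crt "$name.crt"; do
        if openssl x509 -in "$dir/$c" -noout -checkend $((min_days * 86400)) \
                >/dev/null 2>&1; then
            echo "ok:   $c $(openssl x509 -in "$dir/$c" -noout -enddate)"
        else
            echo "FAIL: $c expires within $min_days days"; rc=1
        fi
    done
    return $rc
}

# Run directly, e.g.: sh check_keys.sh /etc/openvpn/easy-rsa/keysnew myserver
if [ $# -ge 2 ]; then check_new_keys "$@"; fi
```

A non-zero exit status means the files in keysnew should not be copied into /etc/openvpn/keys yet.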


Replace the expired files with the newly created ones

All the files you need should now exist in the /etc/openvpn/easy-rsa/keysnew directory. These files now need to be copied into the /etc/openvpn/keys directory.

cp /etc/openvpn/easy-rsa/keysnew/* /etc/openvpn/keys


Restart your openvpn service

/etc/init.d/vpn_openvpn.sh restart 1>>/dev/null 2>&1


Client-Side Change

The client(s) from which you are connecting to your QNAP’s OpenVPN service now need to be updated to use the newly generated ca.crt. How you do this depends on what method you use to integrate the contents of the ca.crt into your OpenVPN configuration. For simplicity’s sake I tend to include the contents of the ca.crt file directly in the .ovpn configuration file. In the following example, the section colored red below needs to be replaced with the contents of the newly created ca.crt file. You can either copy the contents of this file directly from within your SSH session, or you can use the “Download Certificate” button found on the OpenVPN section of the QNAP control panel to save a copy to your computer (ca.crt is located inside the resulting ZIP file that’s downloaded).

dev tun2001
script-security 3
proto udp
remote foo.bar.com 1194
resolv-retry infinite
reneg-sec 0
cipher AES-128-CBC
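
The client-side replacement described above can be scripted instead of pasted by hand. This is an added example, not part of the original post; it assumes the client profile embeds the CA using OpenVPN's inline-file syntax (a line starting with <ca>, the PEM certificate, then a line starting with </ca>), and the function name update_ovpn_ca is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): replace the inline <ca> block of
# a client .ovpn file with the newly generated ca.crt, keeping a backup.
# Usage: update_ovpn_ca CLIENT.ovpn NEW_CA.crt
update_ovpn_ca() {
    ovpn=$1; ca=$2

    # Keep only the PEM block; refuse anything that is not a certificate.
    pem=$(sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$ca")
    [ -n "$pem" ] || { echo "no PEM certificate in $ca" >&2; return 1; }

    # Assumption: the profile embeds the CA between <ca> and </ca> lines.
    grep -q '^<ca>' "$ovpn" && grep -q '^</ca>' "$ovpn" ||
        { echo "no inline <ca> block in $ovpn" >&2; return 1; }

    cp -p "$ovpn" "$ovpn.bak" || return 1
    # Copy every line through, swapping the old certificate for the new one.
    PEM=$pem awk '
        /^<ca>/   { print; print ENVIRON["PEM"]; skip = 1; next }
        /^<\/ca>/ { skip = 0 }
        !skip     { print }
    ' "$ovpn.bak" > "$ovpn"
}

# Run directly, e.g.: sh update_ca.sh client.ovpn ca.crt
if [ $# -eq 2 ]; then update_ovpn_ca "$1" "$2"; fi
```

The original profile is kept as CLIENT.ovpn.bak, so a failed connection test can be rolled back by restoring that file.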


That’s it!

You should now be able to successfully establish a connection with your QNAP-hosted OpenVPN server.

Need further assistance? Contact Help-O-Matic.

Joe Peifer

Managing and maintaining workstations, servers, and networks for customers since 1989.
