Update OpenVPN Certificates on QNAP
Recently I encountered an unexpected issue when a customer reported that they were unable to connect to their OpenVPN server. Connection attempts were failing because the certificate referenced by the client's .ovpn configuration file had reached its expiration date.
In this instance a QNAP NAS was acting as the OpenVPN server. QNAP ships its devices with key-pairs that expire after 3650 days (10 years), and the keys used to negotiate the OpenVPN connection had reached that expiration date. Resolving the problem meant figuring out how to generate new certs and keys for the OpenVPN service running on the QNAP.
Googling the problem resulted in links discussing how to update the certs associated with the QNAP’s Web SSL cert, but none of them provided any input on how to renew the Easy-RSA generated certs and keys associated with the device’s OpenVPN service.
By cross-referencing OpenVPN documentation with the cryptic failure messages my client was receiving, I was able to determine which files needed to be updated on the QNAP (and eventually on my client’s OpenVPN client).
I published this guide in an effort to help others who may face the same problem.
Enable SSH Access on QNAP
To accomplish this task you'll need SSH access to your QNAP. QNAP's website describes the process (https://www.qnap.com/en/how-to/knowledge-base/article/how-do-i-access-my-qnap-nas-using-ssh), or follow these steps from within the QNAP's Web interface…
Control Panel –> Network & File Services –> Telnet / SSH –> Allow SSH Access (checkbox) –> Apply
- An SSH client. PuTTY works great on Windows (https://www.putty.org/). On Mac, you can use the built-in Terminal app. Starting an SSH terminal connection with the QNAP will vary depending upon which SSH client you use. Ultimately, you'll need to log in using the 'admin' account and password.
- Familiarity with the Linux text editor vim. Here's a link to a vim cheat-sheet to help you along… https://vim.rtorr.com/
Log in Via SSH
As mentioned above, SSH login steps will vary based on the SSH client you are using. I’m a Mac enthusiast, so I entered the following into the Terminal command line (where 192.168.1.200 is the fictional IP address of the QNAP on my network)…
Modify the above example to fit your scenario. When prompted, enter the password associated with the ‘admin’ account. After you’ve logged in to your QNAP as ‘admin’ via SSH, follow these steps…
Back up your expired OpenVPN keys (optional, but recommended)
cp -R /etc/openvpn/keys/ /etc/openvpn/keysold
Now that you have a solid backup of the expired keys it’s time to start the process of generating new keys. Start by changing into the easy-rsa directory…
Change the destination path for new certs and key-pairs (optional, but recommended)
Not having much experience with how this process works, I decided not to chance overwriting any keys. Inside the easy-rsa directory is a file ('vars') that helps automate the process of generating a new key-pair. Within this file is a variable that specifies the directory into which the new keys will be saved. I chose to customize this line so that the keys would be placed in a completely new directory. Eventually I planned on copying these files into the '/etc/openvpn/keys' directory backed up above.
Begin editing the ‘vars’ file with…
Find the line that reads…
… and change it to read…
Save and exit vi. Using your computer’s keyboard, type/press the following (without the quotes):
1. Press the 'Esc' key
2. Type ':wq'
3. Press the 'Enter' key
Generate Keys and Certificates
Now it’s time to generate your new key-pair and certs. Note that the ‘build-dh’ step in this process can take quite a long time to complete. On my QNAP it took nearly 15 minutes before the process finished. Your mileage may vary depending on the performance of your QNAP device. Enter each line in your SSH terminal window:
. ./vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server myserver
Replace the expired files with the newly created ones
All the files you need should now exist in the /etc/openvpn/easy-rsa/keysnew directory. These files now need to be copied into the /etc/openvpn/keys directory.
cp /etc/openvpn/easy-rsa/keysnew/* /etc/openvpn/keys
Restart your OpenVPN service
sh -c "/etc/init.d/vpn_openvpn.sh restart" 1>>/dev/null 2>&1
The client(s) from which you connect to your QNAP's OpenVPN service now need to be updated to use the newly generated ca.crt. How you do this depends on the method you use to integrate the contents of ca.crt into your OpenVPN configuration. For simplicity's sake I tend to include the contents of the ca.crt file directly in the .ovpn configuration file. In the following example, the certificate between the <ca> and </ca> tags needs to be replaced with the contents of the newly created ca.crt file. You can either copy the contents of this file directly from within your SSH session, or you can use the "Download Certificate" button found in the OpenVPN section of the QNAP control panel to save a copy to your computer (ca.crt is located inside the ZIP file that's downloaded).
client
dev tun2001
script-security 3
proto udp
remote foo.bar.com 1194
resolv-retry infinite
nobind
auth-user-pass
reneg-sec 0
cipher AES-128-CBC
tls-cipher TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
MIIGKDCCBBCgAwIBAgIJAKFO3vqQ8q6BMA0GCSqGSIb3DQEBCwUAMGYxCzAJBgNV
BAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMM
T3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4w
HhcNMTQxMDIyMjE1OTUyWhcNMjQxMDE5MjE1OTUyWjBmMQswCQYDVQQGEwJLRzEL
MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t
VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMIICIjANBgkq
hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsJVPCqt3vtoDW2U0DII1QIh2Qs0dqh88
8nivxAIm2LTq93e9fJhsq3P/UVYAYSeCIrekXypR0EQgSgcNTvGBMe20BoHO5yvb
GjKPmjfLj6XRotCOGy8EDl/hLgRY9efiA8wsVfuvF2q/FblyJQPR/gPiDtTmUiqF
qXa7AJmMrqFsnWppOuGd7Qc6aTsae4TF1e/gUTCTraa7NeHowDaKhdyFmEEnCYR5
CeUsx2JlFWAH8PCrxBpHYbmGyvS0kH3+rQkaSM/Pzc2bS4ayHaOYRK5XsGq8XiNG
KTTLnSaCdPeHsI+3xMHmEh+u5Og2DFGgvyD22gde6W2ezvEKCUDrzR7bsnYqqyUy
n7LxnkPXGyvR52T06G8KzLKQRmDlPIXhzKMO07qkHmIonXTdF7YI1azwHpAtN4dS
rUe1bvjiTSoEsQPfOAyvD0RMK/CBfgEZUzAB50e/IlbZ84c0DJfUMOm4xCyft1HF
YpYeyCf5dxoIjweCPOoP426+aTXM7kqq0ieIr6YxnKV6OGGLKEY+VNZh1DS7enqV
HP5i8eimyuUYPoQhbK9xtDGMgghnc6Hn8BldPMcvz98HdTEH4rBfA3yNuCxLSNow
4jJuLjNXh2QeiUtWtkXja7ec+P7VqKTduJoRaX7cs+8E3ImigiRnvmK+npk7Nt1y
YE9hBRhSoLsCAwEAAaOB2DCB1TAdBgNVHQ4EFgQUK0DlyX319JY46S/jL9lAZMmO
BZswgZgGA1UdIwSBkDCBjYAUK0DlyX319JY46S/jL9lAZMmOBZuhaqRoMGYxCzAJ
BgNVBAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UE
9w0BAQsFAAOCAgEABc77f4C4P8fIS+V8qCJmVNSDU44UZBc+D+J6ZTgW8JeOHUIj
y3SLRgJXOw1QLXL2Y5abcuoBVr4gCOxxk2vBeVxOMRXNqSWZOFIF1bu/PxuDA+Sa
hEi44aHbPXt9opdssz/hdGfd8Wo7vEJrbg7c6zR6C/Akav1Rzy9oohIdgOw=
-----END CERTIFICATE-----
</ca>
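Before editing a profile it helps to confirm that the CA the client trusts really is the expired one, and afterwards that the inline block matches the new /etc/openvpn/keys/ca.crt on the QNAP. The script below is an added example, not code from this post, QNAP or OpenVPN: it pulls the <ca> block out of an .ovpn file (or reads a ca.crt directly), walks just enough of the DER structure to reach the notBefore/notAfter fields, and prints a SHA-256 fingerprint for comparing the client and server copies. The embedded sample profile is constructed from the configuration above and keeps only the first four base64 lines of the post's example certificate (the post's own copy is already cut short part-way through); that is enough because the validity field sits inside those first 192 bytes. The script name and the file paths in the usage comment are assumptions.

```python
"""Report the validity window of the CA certificate an OpenVPN client trusts.
Added example (not code from the post, QNAP or OpenVPN): reads a PEM file such as
/etc/openvpn/keys/ca.crt or the inline <ca> block of an .ovpn profile, using only
the standard library and a minimal DER walker."""
import base64
import hashlib
import re
import sys
from datetime import datetime, timezone

CA_BLOCK = re.compile(r"<ca>(.*?)</ca>", re.DOTALL)
PEM_BODY = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def extract_inline_ca(ovpn_text):
    """PEM text between <ca> and </ca>, or None if the profile uses 'ca <file>' instead."""
    match = CA_BLOCK.search(ovpn_text)
    return match.group(1).strip() if match else None

def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block. Missing base64 padding is tolerated so a
    block that was cut short when pasted (like the post's) still decodes far enough."""
    match = PEM_BODY.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())
    return base64.b64decode(body + "=" * (-len(body) % 4))

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the length's byte count
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def _parse_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ; YY < 50 means 20YY) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:
        text = ("20" if int(text[:2]) < 50 else "19") + text
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(der):
    """(not_before, not_after) of an X.509 DER certificate, as aware UTC datetimes."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)         # version [0] EXPLICIT, optional
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)     # serialNumber
    _, _, pos = _read_tlv(tbs, pos)         # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)         # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)    # validity ::= SEQUENCE { notBefore, notAfter }
    tag_nb, nb, pos = _read_tlv(validity, 0)
    tag_na, na, _ = _read_tlv(validity, pos)
    return _parse_time(tag_nb, nb), _parse_time(tag_na, na)

def days_remaining(der, now=None):
    """Days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (cert_validity(der)[1] - now).days

def fingerprint(der):
    """Colon-separated SHA-256 fingerprint, for comparing client and server copies."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def report(text):
    """One-line summary for either an .ovpn profile (inline CA) or a bare ca.crt."""
    der = pem_to_der(extract_inline_ca(text) or text)
    not_before, not_after = cert_validity(der)
    return "valid %s .. %s (%d days), %d days remaining, sha256 %s" % (
        not_before.date(), not_after.date(), (not_after - not_before).days,
        days_remaining(der), fingerprint(der))

# Constructed sample: the profile from the post with only the first four base64 lines
# of its (already truncated) certificate; the validity field lies within these 192 bytes.
SAMPLE_OVPN = """client
dev tun2001
proto udp
remote foo.bar.com 1194
<ca>
-----BEGIN CERTIFICATE-----
MIIGKDCCBBCgAwIBAgIJAKFO3vqQ8q6BMA0GCSqGSIb3DQEBCwUAMGYxCzAJBgNV
BAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMM
T3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4w
HhcNMTQxMDIyMjE1OTUyWhcNMjQxMDE5MjE1OTUyWjBmMQswCQYDVQQGEwJLRzEL
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    # Usage (assumed file name): python3 ovpn_ca_expiry.py client.ovpn  (or a ca.crt path)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OVPN
    print(report(source))
```

Run it against the client's .ovpn before and after the edit, and against /etc/openvpn/keys/ca.crt on the QNAP after the copy step: the two fingerprints must be identical or the client will keep rejecting the server. On the sample it reports a window of 2014-10-22 to 2024-10-19, exactly 3650 days, the lifetime described at the top of this post. Where the openssl command line is available, `openssl x509 -in ca.crt -noout -dates -fingerprint -sha256` gives the same answer. Also keep in mind that ./clean-all empties the key directory named in vars before anything new is written, which is why the post points that variable at a fresh keysnew directory first.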
You should now be able to successfully establish a connection with your QNAP-hosted OpenVPN server.
Need further assistance? Contact Help-O-Matic.