What's new

Solved Unable to connect to VPN server with self-signed certificate

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!


New Around Here
Hi all,

I want to connect a Asus RT-AC68U router at a remote location as a client to a VPN Server that I'm hosting on my Synology NAS.
The VPN server on the NAS uses the Synology DNS service (abc.synology.com redirects to my ISPs IP address), and has issued a self-signed certificate on that hostname.
Connecting via Windows, iPhones, even the Asus vanilla firmware always works, but on the Merlin firmware I cannot get it up and running.
On the other clients I only authenticate using the certificate and username/password.

My openvpn config is attached below.

What I've already tried:
- Manually filling in the servername abc.synology.com in Merlin, for some reason the .ovpn import does not pick this up
- Hardcoding the key "Certificate authority" in Merlin
- Additional parameter in custom configuration
verify-x509-name 'C=TW, L=Taipel, O=Synology Inc., CN=Synology Inc. CA' name
remote-cert-tls server`

I'm continuously running into TLS errors however:
error:1416F086:lib(20):func(367):reason(134):Jan 8 14:16:54 ovpn-client2[14977]: TLS_ERROR: BIO read tls_read_plaintext errorJan 8 14:16:54 ovpn-client2[14977]: TLS Error: TLS object -> incoming plaintext read errorJan 8 14:16:54 ovpn-client2[14977]: TLS Error: TLS handshake failed

Hope somebody can help me out!

dev tun

remote abc.synology.com 1194

#redirect-gateway def1

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

#dhcp-option DNS DNS_IP_ADDRESS


# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp

script-security 2


reneg-sec 0

data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:CHACHA20-POLY1305

cipher AES-256-GCM

auth SHA512






Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!