help with setting up open vpn

sartis-glenn

Dabbler
Joined
Apr 5, 2022
Messages
13
For the past 8 hours, I have been trying to set up OpenVPN on my TrueNAS SCALE system. I have everything up and running, and my client can even connect to the server.

HOWEVER, upon connecting, OpenVPN states: “peer certificate verification failure” and doesn't let me in.

I have remade my certificates several times, as stated in this:, this: and this:

I can't figure out what I am doing wrong. I am new to TrueNAS, so it might be a really obvious mistake. Any help at this point would be appreciated.

I linked the configs for my certificates below; let me know if you need any more files.

Thanks for the help.

 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
From your second link:
The DOWNLOAD CLIENT CONFIG button does not produce valid client configuration. The remote line in the configuration (e.g. remote "10.1.0.100") needs to be edited to the FQDN of the OpenVPN server as seen by the client, so that it can match an OpenVPN server certificate Subject Alternative Name. When the button is pressed, TrueNAS should ask for the user certificate and also provide a list of FQDNs from the OpenVPN server certificate Subject Alternative Names so that the configuration can be generated correctly automatically.

Is this being done correctly?
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
Yes and no. You're confusing two different things.

You are correct that DDNS must be set up correctly to reach your system. However, that config setting is doing something more. You must connect to your OpenVPN server using a FQDN that matches the certificates. So, for example, if you put your IP address in there, you'd still connect, but you'd get a certificate error similar to what you're seeing.

Put another way, if you try to connect at keyframe.ddns.net, your client will be looking for a trusted and signed certificate for keyframe.ddns.net.

Which actually raises a good question: did you properly import your CA certificate to your client?
 

sartis-glenn

Dabbler
Joined
Apr 5, 2022
Messages
13
I think you might have found the problem, because I don't remember ever importing any CA to my client. Think I set up the FQDN properly though.
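
The two checks raised in the replies above (the `remote` host matching a server certificate Subject Alternative Name, and a CA certificate being present in the client config), as an added example that is not part of the thread and not TrueNAS or OpenVPN code. It assumes the server certificate's SAN names have been read separately and are passed in as a list; the sample config text and SAN list are constructed.

```python
import re

def parse_ovpn(text):
    """Return (remote hosts, has_ca) from the text of an OpenVPN client config."""
    remotes, has_ca, block = [], False, None
    for line in (raw.strip() for raw in text.splitlines()):
        if block:                              # inside inline <ca>/<cert>/<key>: skip PEM body
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":        # blank line or comment
            continue
        tag = re.fullmatch(r"<([\w-]+)>", line)
        if tag:                                # start of an inline file block
            block = tag.group(1)
            has_ca = has_ca or block == "ca"
            continue
        parts = line.split()
        if parts[0] == "remote" and len(parts) > 1:
            remotes.append(parts[1].strip("\"'"))   # the host may be quoted
        elif parts[0] == "ca" and len(parts) > 1:   # reference to an external CA file
            has_ca = True
    return remotes, has_ca

def san_matches(host, sans):
    """Case-insensitive match; a SAN of the form *.example.org covers one extra label."""
    host = host.lower().rstrip(".")
    for san in (s.lower().rstrip(".") for s in sans):
        if san == host or (san.startswith("*.") and host.partition(".")[2] == san[2:]):
            return True
    return False

def lint(text, server_sans):
    """List the two problems discussed in the thread, if present."""
    remotes, has_ca = parse_ovpn(text)
    issues = [] if has_ca else ["no CA certificate in client config"]
    for host in remotes:
        if not san_matches(host, server_sans):
            issues.append(f"remote {host} is not in the server certificate SANs")
    return issues

# Constructed sample inputs (not the poster's real files).
SERVER_SANS = ["keyframe.ddns.net"]
GENERATED = 'client\ndev tun\nremote "10.1.0.100" 1194\n'
FIXED = "client\nremote keyframe.ddns.net 1194\n<ca>\n(PEM placeholder)\n</ca>\n"
```

`lint(GENERATED, SERVER_SANS)` reports both problems, while `lint(FIXED, SERVER_SANS)` returns an empty list.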
 