Create your own SSL CA and server certificate for your Synology VPN server so that you can use the OpenVPN client for iPhone.

SSH to your Synology DiskStation:

mkdir /usr/local/ssl
cd /usr/local/ssl

Generate your CA:

openssl genrsa -des3 -out ca.key 1024
openssl req -config ca.config -new -key ca.key -out ca.csr
openssl x509 -days 3650 -signkey ca.key -in ca.csr -req -extfile extfile.cnf -out ca.crt

Generate the server certificate:

openssl genrsa -out server.key 1024
openssl req -config server.config -new -key server.key -out server.csr  # Common name represents your DNS name
openssl x509 -days 3650 -CA ca.crt -CAkey ca.key -set_serial 01 -in server.csr -req -extfile extfile.cnf -out server.crt
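
An added check, not part of the original post: before pointing openvpn.conf at the new files, confirm that server.crt verifies against ca.crt, that server.key belongs to server.crt, and what RSA key size each certificate carries. The file names are the ones generated above; the function names, the script name in the usage comment and the 2048-bit warning threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. File names are the ones created
# above; function names and the 2048-bit warning threshold are assumptions.
# Usage: . ./check_vpn_certs.sh && check_vpn_certs /usr/local/ssl

# Print the RSA modulus size in bits of the certificate in $1.
cert_bits() {
    mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    mod=${mod#Modulus=}
    echo $(( ${#mod} * 4 ))
}

# Return 0 only if server.crt chains to ca.crt and server.key belongs to it.
check_vpn_certs() {
    dir=${1:-/usr/local/ssl}
    rc=0

    # 1. Chain: old OpenSSL builds can exit 0 on a failed verify, so the
    #    output is inspected as well as the exit status.
    out=$(cd "$dir" && openssl verify -CAfile ca.crt server.crt 2>&1) ||
        out="error: $out"
    chain=bad
    case $out in *error*) ;; *": OK"*) chain=good ;; esac
    if [ "$chain" = good ]; then
        echo "OK    server.crt verifies against ca.crt"
    else
        echo "FAIL  server.crt does not verify against ca.crt"; rc=1
    fi

    # 2. Key pair: the RSA modulus of the private key and of the certificate
    #    must be identical. An encrypted key fails here instead of prompting.
    crt_mod=$(openssl x509 -in "$dir/server.crt" -noout -modulus 2>/dev/null)
    key_mod=$(openssl rsa -in "$dir/server.key" -passin pass: -noout -modulus 2>/dev/null)
    if [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]; then
        echo "OK    server.key matches server.crt"
    else
        echo "FAIL  server.key does not match server.crt"; rc=1
    fi

    # 3. Key size: reported as a warning only, it does not change the result.
    for f in ca.crt server.crt; do
        bits=$(cert_bits "$dir/$f") || bits=0
        [ "$bits" -ge 2048 ] && tag="OK  " || tag="WARN"
        echo "$tag  $f carries a $bits-bit RSA key"
    done
    return $rc
}
```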

Edit /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf with vi, replace the ca, cert and key paths with your new certificate files, and restart your VPN server:

[sourcecode language="css"]
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.3.0 255.255.255.0"
duplicate-cn
dev tun
management 127.0.0.1 1195
server 192.168.3.0 255.255.255.0
dh /var/packages/VPNCenter/target/etc/openvpn/keys/dh1024.pem
#ca /var/packages/VPNCenter/target/etc/openvpn/keys/ca.crt
#cert /var/packages/VPNCenter/target/etc/openvpn/keys/server.crt
#key /var/packages/VPNCenter/target/etc/openvpn/keys/server.key
ca /usr/local/ssl/ca.crt
cert /usr/local/ssl/server.crt
key /usr/local/ssl/server.key
max-clients 5
comp-lzo
persist-tun
persist-key
verb 3
log-append /var/log/openvpn.log
keepalive 10 60
reneg-sec 3600
plugin /var/packages/VPNCenter/target/lib/radiusplugin.so /var/packages/VPNCenter/target/etc/openvpn/radiusplugin.cnf
client-cert-not-required
username-as-common-name
[/sourcecode]

Export your configuration

Edit the exported openvpn.ovpn file with vi and add the certificate information in the appropriate sections:

[sourcecode]
dev tun
tls-client
remote bhensler.dyndns.org 1194
pull
proto udp
script-security 2
comp-lzo
reneg-sec 3600
# openVPN client v.1.0.1 !
setenv CLIENT_CERT 0
auth-user-pass
#ca.crt
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
#server.crt
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
#server.key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
[/sourcecode]

Transfer the client OpenVPN configuration (openvpn.ovpn and ca.crt) to your iPhone / iPad using iTunes.

References:

http://forum.synology.com/wiki/index.php/How_to_generate_custom_SSL_certificates
http://frednotes.wordpress.com/2013/02/09/synology-dsm4-2-and-vpn/