Cannot access DSM via OpenVPN

[Jerry1188]

Hi,

I set up and enabled OpenVPN on my Synology NAS but I am not able to access the DSM when connecting from a device which is outside the NAS local network.
The VPN connection is correctly established, I am able to see the NAS shared folder when digiting the NAS local IP address in Windows File Explorer, but when I digit it inside the browser I am not reaching the login screen.

My NAS is a DS920+, DSM 6.2.4

Any suggestion for solving this issue?
Thank you in advance!

Giacomo

 

[WST16]

Hi,

Did you try the virtual IP address, or is that what you’re using?

 

[Rusty]

Any suggestion for solving this issue?

This could be a firewall (NAS) problem

 

[Jerry1188]

Did you try the virtual IP address, or is that what you’re using?

Yes, I can access Shared Folder both with NAS static local IP address and NAS virtual IP address in File Explorer, but both do not work in the browser.

This could be a firewall (NAS) problem

This is the list of Ports and services currently allowed by NAS firewall. Should I add something?

 

[Rusty]

Yes, I can access Shared Folder both with NAS static local IP address and NAS virtual IP address in File Explorer, but both do not work in the browser.


This is the list of Ports and services currently allowed by NAS firewall. Should I add something?

View attachment 3599

I have seen situations where even though Management UI was listed as allow until I actually set up and opened a specific DSM port (5000/5001 or any other that DSM ui might be running on) there was no way for the VPN subnet clients to reach it.

So, try and add it manually to the list regardless and see if that will help. Also, you could try and add your VPN network range (that you have configured) to the "source IP" just to be certain that it will be picked up.

 

[Jerry1188]

Now it works! Thank you very much!

 

[WST16]

@Jerry1188

A minor remark on your firewall rules (unless I’m missing the big picture). The source in all the rules is set to “All”. I would revisit this if I were you and limit the sources. As it is now, you might as well disable the firewall.
At the top, I’d have a rule to allow the local subnet (LAN). Currently, You’re not locked out because everything is set to “All”.

 

[Jerry1188]

@Jerry1188

A minor remark on your firewall rules (unless I’m missing the big picture). The source in all the rules is set to “All”. I would revisit this if I were you and limit the sources. As it is now, you might as well disable the firewall.
At the top, I’d have a rule to allow the local subnet (LAN). Currently, You’re not locked out because everything is set to “All”.

Thank you for the suggestion, @WST16 !
In the "Management UI" line I already set as Source IP the VPN network range, and I could do the same with all the services which should not be reachable by devices outside the network. By adding a top rule to allow the local subnet (192.168.X.X if I understood well), could this conflict with the Source IP of the other rules?

I would like to host a website on the NAS, how would you suggest me to set up the firewall rules?

 

[Rusty]

would like to host a website on the NAS, how would you suggest me to set up the firewall rules?

Push it behind a reverse proxy and control it via port 443 on the firewall.

 

[Jerry1188]

Push it behind a reverse proxy and control it via port 443 on the firewall.

You mean VPN network range in the Source IP of all the services apart from port 443 which should have "all" in the Source IP?

 

[WST16]

I would like to host a website on the NAS, how would you suggest me to set up the firewall rules?

Hi,

@Rusty suggestion is the best. If you're not sure about Reverse Proxies, you can check @NAS Newbie guide here. Part 2 covers reverse proxies and references a guide by @Rusty. But I'd recommend starting at the beginning (part 1) if you’re new to all of this.

Keep in mind that the firewall rules are processed sequentially, top to bottom. Once a rule matches, it's processed and no further rules below it are examined.
We had a thread on this a long time ago that you might find useful.

 

[Jerry1188]

Hi,

@Rusty suggestion is the best. If you're not sure about Reverse Proxies, you can check @NAS Newbie guide here. Part 2 covers reverse proxies and references a guide by @Rusty. But I'd recommend starting at the beginning (part 1) if you’re new to all of this.

Keep in mind that the firewall rules are processed sequentially, top to bottom. Once a rule matches, it's processed and no further rules below it are examined.
We had a thread on this a long time ago that you might find useful.

Thank you, I read all this very useful material!

Then, if I understood correctly, I should do these:
- In the Router port-forwarding to the NAS only port 443
- In the NAS firewall enable port 443 to everyone as a first rule, disable all to everyone as second rule
- Enable Reverse Proxy for each service, adding the Source IP rules in each of them depending on their target.

At this point, would VPN Server in the NAS still be useful? I installed it only because from my understanding this could have been the safest way not to expose the public IP address, am I wrong in this?

 

[WST16]

In the Router port-forwarding to the NAS only port 443

Yes, 443 for now. Keep in mind that not every service can go through the reverse proxy, only http/https. So for the VPN server for example, you'll need to forward a port for it.

In the NAS firewall enable port 443 to everyone as a first rule, disable all to everyone as second rule

The first rule should be "allow your local subnet". You should always have this at the top.
Then 2nd rule, your reverse proxy for All or to certain geographies. You'll find a rule called "https, reverse proxy". The last rule should always be a deny all.

Enable Reverse Proxy for each service, adding the Source IP rules in each of them depending on their target.

You just add the reverse proxy rule to the firewall as mentioned above. You define the target services under the reverse proxy rules (Control Panel > Application Portal > Reverse Proxy).

At this point, would VPN Server in the NAS still be useful?

You can create a proxy rule for your DSM for example (like mydsm.mynas.synology.me)
However, the VPN server brings other benefits with it like allowing internal access to your LAN devices like if you're on your LAN (if you need something like that).

Since you've already opened up the NAS to the internet, the "not to expose the public IP address" does not apply. It works (in that sense) only if you have nothing else but a VPN port forwarded to the NAS and the VPN service running (IMHO).

 

[Jerry1188]

Ok, I allowed on my Router 3 ports: one for VPN, 443 for Revers Proxy, one for DSM (port XXXX).

While these are my Firewall settings now:

I temporarily left Management UI rule for port XXXX since the Reverse Proxy is not working.
I created in Control Panel > Application Portal > Reverse Proxy a rule following @Rusty tutorial.
Source is:
- Protocol: HTTPS
- Hostname: dsm.mydomain.com
- Port: 443
Destination:
- Protocol: HTTPS
- Hostname: 192.168.178.31
- Port: XXXX
I have a SSL certificate issued to mydomain.com by Let's Encrypt and connected to dsm.mydomain.com.

If I go to the browser, https://dsm.mydomain.com shows: "DNS_PROBE_FINISHED_NXDOMAIN".
If I visit https://mydomain.com:XXXX I can reach the login screen.
If I visit https://192.168.178.31:XXXX when connected via VPN I can reach the login screen too.

I would like to remove XXXX port from Router and Firewall list, ut if Reverse Proxy is not working is the only way I have for remote connection. Which could be the cause of Reverse Proxy not working?

 

[WST16]

Is this how you have it on the proxy rule? Of course in your case it will be dsm.mydomain.com in the source.
Edit: and whatever port you have in the destination.

-- post merged: 15. May 2021 --

Here’s something about "DNS_PROBE_FINISHED_NXDOMAIN". I’ve never encountered this error before!
Although if it works for the other reverse proxy rules, I don’t see why it won’t work for DSM.

DNS_PROBE_FINISHED_NXDOMAIN: What It Is and 9 Ways to Fix the Problem

It's annoying to see the DNS_PROBE_FINISHED_NXDOMAIN error when you're trying to access a website. Read our guide on how to fix this issue.

www.hostinger.com

Can you try something other than DSM. Like mydsm.mydonain.com and see.

 

[Jerry1188]

Yes, correct:

 

[WST16]

Hmm!
This is how I have my DSM settings under network.
Also, can you try “localhost” instead of IP address and see.

 

[Jerry1188]

Can you try something other than DSM. Like mydsm.mydonain.com and see.

Even with mydsm.mydomain.com I obtain the same error.

Also, can you try “localhost” instead of IP address and see.

Same result.

Although if it works for the other reverse proxy rules, I don’t see why it won’t work for DSM.

Actually I created only this reverse proxy rule, so I don't know if others would work.

 

[WST16]

Actually I created only this reverse proxy rule, so I don't know if others would work.

Now that you‘ve said this, it (might) make more sense now. Your domain is not under Synology?
That also might explain the “NXDOMAIN” error.

I think you’ll need to create a CNAME in your DNS records (with your domain registerer) with “dsm” or whatever you choose the subdomain to be. Do you know how to do that?

Edit:
See if you have an option to “enable wildcard” instead of the above. It’s easier.

-- post merged: 15. May 2021 --

Here’s what no-ip says about wild cards:
“A wild card allows anything typed before your hostname to be resolved to your IP address. For example if you enable wild cards for hostname myhostname.no-ip.com, hostnames like www.myhostname.no-ip.comor blah.myhostname.no-ip.com would resolve to the same IP address as myhostname.no-ip.com.”

Usually this is enabled by default.

 

[Jerry1188]

The attempt with wildcard was unsuccessful (it seems that my domain registerer doesn't allow to use it), but I manually created a CNAME record with "mydsm.mydomain.com" as Name and "mydomain.com" as Value.
And now it works!

If I digit https://mydsm.mydomain.com in the browser, I reach the DSM login page.
I removed Router and Firewall rules for Port XXXX since I have no more need to leave it open.
Thank you very much @WST16 !