DS VPN Server OpenVPN configuration

Tutorial DS VPN Server OpenVPN configuration

2,279
957
NAS
DS220+ : DS1019+ : DS920+ : DS118 : APC Back UPS ES 700 — Mac/iOS user
WST16 submitted a new resource:

DS VPN Server OpenVPN configuration - OpenVPN to access LAN

Difficulty: medium
Prerequisites: router port forwarding knowledge and a high-level understanding of the DS firewall is recommended.

Hi,

In this guide I’ll share how I configured my VPN Server package to allow access to my DS and LAN (with the firewall enabled).

If you’ve enabled remote access (via DDNS) and haven’t enabled the firewall, forget about this. Go work on configuring the firewall first. That’s by far, more important...

Read more about this resource...
 
In the DSM OpenVPN setup page there's a setting (which you've enabled) to permit VPN clients to access the servers LAN. Does this get blocked by the DSM firewall, hence the need for the second FW rule? I'm asking because I remember having to try something or other when setting up OpenVPN or L2TP/IPsec VPN on DSM, but I can't remember what it was and I use VPN Plus on SRM now.

For the OVPN client file:
  • I think the certificate is at the end of the file (is for SRM).
  • I add a domain name command to resolve non-FQDN requests from the LAN DNS: 'dhcp-option DOMAIN myds.synology.com'
  • on iOS the .ovpn file extension gets registered to the OpenVPN app. I keep my OVPN file on a NAS share and install straight from Syno Drive or DS file using open-in/send-a-copy type of thing.
 
In the DSM OpenVPN setup page there's a setting (which you've enabled) to permit VPN clients to access the servers LAN. Does this get blocked by the DSM firewall, hence the need for the second FW rule?
Like you, I thought checking that option will grant me LAN access. Not the case. According to my tests, the LAN access gets blocked (even with that option ticked). I needed a firewall rule to enable LAN access.
Something I didn’t try, is to disable the firewall and check/uncheck that option and see what happens. Am I going to gain/lose access accordingly. Didn’t bother since I want the firewall to be up all the time.
I might try it when I have time, just to see the behavior. Curiosity killed the NAS :)

So I didn’t give it much thought, but that option might be enabling some kind of routing between the dynamic IP addresses subnet and the LAN subnet to enable/disable access to the LAN. But the firewall rules rule :)
I add a domain name command to resolve non-FQDN requests from the LAN DNS: 'dhcp-option DOMAIN myds.synology.com'
I think I read somewhere (DSM VPN Server help maybe) that this is taken care of already. Maybe I’m mistaken. Didn’t mess with it as it seems that everything is working fine (so far) for me. I’ll keep it in mind. Thanks.
on iOS the .ovpn file extension gets registered to the OpenVPN app. I keep my OVPN file on a NAS share and install straight from Syno Drive or DS file using open-in/send-a-copy type of thing.
That’s a pro tip that I’ll take note of. Thank you.
 
I think you're right on the firewall rule even with the LAN access setting. It was one bit of non-obvious complexity I wanted to avoid when moving to the SRM VPN servers.

The dhcp-option DOMAIN command may be in the server now. I don't think it was when I first set it up and also I had a few dhcp-option DNS commands to force use of my local DNS server that are now not needed on SRM (these are commented out for posterity).
 
So I didn’t give it much thought, but that option might be enabling some kind of routing between the dynamic IP addresses subnet and the LAN subnet to enable/disable access to the LAN. But the firewall rules rule :)

Well you have to add a static route of the OpenVPN subnet into your router anyway for your LAN devices to be able to communicate with the OpenVPN subnet. Otherwise, your router wouldn't know that the OpenVPN subnet is 'behind' the NAS.
 
Well you have to add a static route of the OpenVPN subnet into your router anyway for your LAN devices to be able to communicate with the OpenVPN subnet. Otherwise, your router wouldn't know that the OpenVPN subnet is 'behind' the NAS.
That’s a point one might consider if the VPN connections are more persistent rather than my occasional “one direction” need to access my LAN remotely to quickly check on something. Thanks.
 
I had some time to quickly test the behavior and relationship of the firewall and the “allow clients to access LAN” option.

A4400E38-1279-436A-9EBC-6EAFAAA211F6.jpeg


Firewall enabled (with correct rules) / Allow clients to access LAN enabled.
Can access LAN clients.

Firewall enabled (with correct rules) / Allow clients to access LAN disabled.
Can’t access LAN clients.

Firewall completely disabled / Allow clients to access LAN enabled
Can access LAN clients.

Firewall completely disabled / Allow clients to access LAN disabled
Can’t access LAN clients.

Important
With “allow clients to access LAN” enabled, you’ll be able to access your DS (the one you’re connected to via OpenVPN) by using its IP address on its subnet, like if you’re sitting on the same LAN.

However, once you choose to disable “allow clients to access LAN”, that option is gone. You’ll be able to access your DS by using the dynamic address assigned to it. In our configuration example it’s going to be 192.168.5.1 (the first IP address in the dynamic range is assigned to the DS apparently).
 
Is anyone using the OpenVPN client for windows? Connections & config is all good after import, but I'm getting a "missing external certificate" message. If I continue anyway the connection is fine, however I want this to be seamless for my end users.

I found two solutions and I'm looking for opinions/input on best practice. The first was to add the following to the config file:

add the following line before <ca>
client-cert-not-required

I'm a little concerned with this, since the capability of using the cert is there and I'd rather use it for security. So the second option I found is the following:

the issue is that you need to inform OpenVPN which client certificate it should use. You'd be able to do this by editing the profile in OpenVPN, selecting it from the "Certificate" drop-down. The issue is that you can't just browse your certificate here; you need to add it to your PC/User:
  • Windows key -> write "Certificate" -> select "Manage user certificates" -> from the list of certificates stores select "OpenVPN Certificate Store" -> right-click -> "All Tasks" -> "Import" -> and just now you can browse to your client certificate.
I did this second option and I was able to select the lets encrypt certificate dropdown in the OpenVPN windows client app. I'm thinking I'll have to keep importing the cert when it expires (another maintenance task that adds to work load).


So what is the best practice of using the OpenVPN windows 10 client app. Previously we used the an OpenVPN GUI which existed on the taskbar, but it isn't seamless with updating it and a bit complex as to where the config files were being stored.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Back
Top