DS VPN Server OpenVPN configuration

WST16 submitted a new resource:

DS VPN Server OpenVPN configuration - OpenVPN to access LAN

Difficulty: medium
Prerequisites: router port forwarding knowledge and a high-level understanding of the DS firewall is recommended.

Hi,

In this guide I’ll share how I configured my VPN Server package to allow access to my DS and LAN (with the firewall enabled).

If you’ve enabled remote access (via DDNS) and haven’t enabled the firewall, forget about this. Go work on configuring the firewall first. That’s, by far, more important...

fredbert

In the DSM OpenVPN setup page there's a setting (which you've enabled) to permit VPN clients to access the server's LAN. Does this get blocked by the DSM firewall, hence the need for the second FW rule? I'm asking because I remember having to try something or other when setting up OpenVPN or L2TP/IPsec VPN on DSM, but I can't remember what it was, and I use VPN Plus on SRM now.

For the OVPN client file:
  • I think the certificate is at the end of the file (it is for SRM).
  • I add a domain name command to resolve non-FQDN requests from the LAN DNS: 'dhcp-option DOMAIN myds.synology.com'
  • on iOS the .ovpn file extension gets registered to the OpenVPN app. I keep my OVPN file on a NAS share and install straight from Syno Drive or DS file using open-in/send-a-copy type of thing.
 
In the DSM OpenVPN setup page there's a setting (which you've enabled) to permit VPN clients to access the servers LAN. Does this get blocked by the DSM firewall, hence the need for the second FW rule?
Like you, I thought checking that option would grant me LAN access. Not the case. According to my tests, the LAN access gets blocked (even with that option ticked). I needed a firewall rule to enable LAN access.
Something I didn’t try is to disable the firewall and check/uncheck that option and see what happens. Am I going to gain/lose access accordingly? I didn’t bother since I want the firewall to be up all the time.
I might try it when I have time, just to see the behavior. Curiosity killed the NAS :)

So I didn’t give it much thought, but that option might be enabling some kind of routing between the dynamic IP addresses subnet and the LAN subnet to enable/disable access to the LAN. But the firewall rules rule :)
I add a domain name command to resolve non-FQDN requests from the LAN DNS: 'dhcp-option DOMAIN myds.synology.com'
I think I read somewhere (DSM VPN Server help maybe) that this is taken care of already. Maybe I’m mistaken. Didn’t mess with it as it seems that everything is working fine (so far) for me. I’ll keep it in mind. Thanks.
on iOS the .ovpn file extension gets registered to the OpenVPN app. I keep my OVPN file on a NAS share and install straight from Syno Drive or DS file using open-in/send-a-copy type of thing.
That’s a pro tip that I’ll take note of. Thank you.
 

fredbert

I think you're right on the firewall rule even with the LAN access setting. It was one bit of non-obvious complexity I wanted to avoid when moving to the SRM VPN servers.

The dhcp-option DOMAIN command may be in the server now. I don't think it was when I first set it up and also I had a few dhcp-option DNS commands to force use of my local DNS server that are now not needed on SRM (these are commented out for posterity).
 
So I didn’t give it much thought, but that option might be enabling some kind of routing between the dynamic IP addresses subnet and the LAN subnet to enable/disable access to the LAN. But the firewall rules rule :)
Well you have to add a static route of the OpenVPN subnet into your router anyway for your LAN devices to be able to communicate with the OpenVPN subnet. Otherwise, your router wouldn't know that the OpenVPN subnet is 'behind' the NAS.
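To illustrate the routing point made in this post, here is a small longest-prefix-match simulation (an added example, not code from the thread or from Synology). It assumes a LAN of 192.168.1.0/24 with the router at 192.168.1.1 and the NAS at 192.168.1.10, and the OpenVPN client pool 192.168.5.0/24 mentioned later in the thread; it shows where a LAN host's reply to a VPN client ends up with and without the static route on the router.

```python
"""Added example (not from the thread): why the home router needs a static route
for the OpenVPN client pool. All addresses below are assumed sample values."""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")        # assumed LAN subnet
VPN_POOL = ip_network("192.168.5.0/24")   # OpenVPN client pool from the thread
ROUTER = ip_address("192.168.1.1")        # assumed router address
NAS_LAN_IP = ip_address("192.168.1.10")   # assumed NAS address on the LAN
DEFAULT = ip_network("0.0.0.0/0")


def next_hop(routes, dst):
    """Longest-prefix match over (network, hop) pairs; returns the hop for dst."""
    dst = ip_address(dst)
    best = None
    for net, hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def router_table(with_static_route):
    """The router knows its directly attached LAN and a default route to the WAN.
    Only with the static route does it learn that the VPN pool sits behind the NAS."""
    routes = [(LAN, "direct"), (DEFAULT, "wan")]
    if with_static_route:
        routes.append((VPN_POOL, str(NAS_LAN_IP)))
    return routes


def lan_host_reply_path(vpn_client_ip, with_static_route):
    """Where a LAN host's reply to a VPN client goes. The host itself only has its
    own subnet plus a default route to the router, so the router makes the call."""
    host_table = [(LAN, "direct"), (DEFAULT, str(ROUTER))]
    first_hop = next_hop(host_table, vpn_client_ip)
    if first_hop != str(ROUTER):
        return first_hop          # destination is on the LAN: delivered directly
    return next_hop(router_table(with_static_route), vpn_client_ip)


if __name__ == "__main__":
    for static in (False, True):
        print(f"static route {'on' if static else 'off'}: reply to 192.168.5.2 "
              f"is sent to {lan_host_reply_path('192.168.5.2', static)}")
```

Without the route the reply is sent toward the WAN and never reaches the NAS; with it, the router hands the packet to the NAS, which terminates the tunnel.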
 
Well you have to add a static route of the OpenVPN subnet into your router anyway for your LAN devices to be able to communicate with the OpenVPN subnet. Otherwise, your router wouldn't know that the OpenVPN subnet is 'behind' the NAS.
That’s a point one might consider if the VPN connections are more persistent rather than my occasional “one direction” need to access my LAN remotely to quickly check on something. Thanks.
 
I had some time to quickly test the behavior and relationship of the firewall and the “allow clients to access LAN” option.

Firewall enabled (with correct rules) / Allow clients to access LAN enabled.
Can access LAN clients.

Firewall enabled (with correct rules) / Allow clients to access LAN disabled.
Can’t access LAN clients.

Firewall completely disabled / Allow clients to access LAN enabled
Can access LAN clients.

Firewall completely disabled / Allow clients to access LAN disabled
Can’t access LAN clients.

Important
With “allow clients to access LAN” enabled, you’ll be able to access your DS (the one you’re connected to via OpenVPN) by using its IP address on its subnet, as if you were sitting on the same LAN.

However, once you choose to disable “allow clients to access LAN”, that option is gone. You’ll be able to access your DS by using the dynamic address assigned to it. In our configuration example it’s going to be 192.168.5.1 (the first IP address in the dynamic range is assigned to the DS apparently).
 
