Helping friend set up VPN on rt2600ac - DDNS vs actual domain (like namesilo)

NAS: DS718+
Router: RT2600ac
Operating system: Windows
Mobile operating system: iOS

So, I'm using openvpn set up on my NAS. I don't have an official domain (from namesilo or godaddy or anything); I just point the openvpn config file to the DDNS set up on synology (xxxxxx.synology.me). Things seem to work fine for me.

I've been helping a friend (good for me to learn again :)!, and good for him) to set up a VPN on his synology rt2600ac router. I would have set mine up this way too but when I did it LE certs were not on the router yet. Now they are. So, we are setting him up on the router.

Reading about this again has made me question the following: to use the Let's Encrypt certificate the "right way" do I need to have a domain name like this walkthrough shows (openvpn file points to domain name, which points to ddns, which points to my ip address -- I think)? Or can I set his the way I set mine up --- just pointing the config file to the DDNS address and not setting up a domain name? A little confused about the pros and cons here or which is the "right way".

Thanks,

Dale
 
That guide looks to be [I skimmed it] for when you want to use a personal domain, that doesn’t have its own DDNS mechanism. It sounds like the certificate’s domain is a CNAME record that redirects to a synology.me DDNS.

The guide also skips the bit on adding SAN records to the certificate.

It sounds like you’ve gone straight to using synology.me DDNS name in the certificate. There’s no problem doing this.
 
> It sounds like you’ve gone straight to using synology.me DDNS name in the certificate

That is correct. And thank you for confirming!

What would be the added benefit of using a personal domain to connect through via vpn? Just getting the actual green check in the browser or something?
 
Don't you get a green tick when browsing to the NAS when using a server name that's covered by the certificate's domain or SAN list? Shouldn't matter whether the LE certificate is validated for a synology.me DDNS or personal domain.

It looked to me that the instructions you linked to would be when your domain services provider doesn't support a DDNS mechanism and you want to use your own domain. You could use a CNAME record to point to a DDNS domain name that you own/use and then it's two hops: personal domain name resolves to DDNS name, then DDNS resolves to your ISP's WAN IP. And you run a DDNS update agent to keep the DDNS records up to date.

From the VPN service's view I don't think it matters which server/domain name you are using. If the SSL certificate is valid then it's valid.
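
The name check described in the reply above (a server name is trusted only if it is covered by the certificate's domain or SAN list), as an added example that is not part of the thread. The host names and the sample certificate are constructed; `fetch_cert` needs network access and is not called by default.

```python
import socket
import ssl


def fetch_cert(host, port=443, timeout=5.0):
    """Connect with normal verification and return the peer certificate dict.
    Raises ssl.SSLCertVerificationError when the name is not covered, which is
    the case where a browser asks for an exception."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def san_dns_names(cert):
    """DNS entries from the subjectAltName list of a getpeercert() dict."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125-style match: '*' only as the whole left-most label,
    covering exactly one label, and never directly under a TLD."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def covered(cert, hostname):
    """True if any SAN DNS entry in the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in san_dns_names(cert))


# Constructed sample in the shape ssl.getpeercert() returns: one DDNS name
# plus a personal domain that would be a CNAME to it (assumed names).
SAMPLE_CERT = {
    "subject": ((("commonName", "myrouter.ddns.example"),),),
    "subjectAltName": (("DNS", "myrouter.ddns.example"),
                       ("DNS", "vpn.example.com")),
}

if __name__ == "__main__":
    for name in ("myrouter.ddns.example", "vpn.example.com",
                 "mynas.ddns.example"):
        print(name, "covered" if covered(SAMPLE_CERT, name) else "NOT covered")
```

A second device's DDNS name (here `mynas.ddns.example`) is not covered by the first device's certificate, so it needs its own certificate or a SAN entry.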
 
I do get a lock symbol and "connection is secure" when I enter my DDNS name into either firefox or chrome browsers. I think it only goes green when it is a fully-qualified domain, but I don't know what I don't know. Learning little by little.

Generally, just wanted to make sure that I was secure in my VPN connection as that is the only way I allow access from the outside to my router/NAS. Thanks!
 
One more related question for you: I've got a DDNS setup through synology for my Disk Station 718+ and for my synology router. I use the router DDNS (xxxxxx.synology.me) to point the openvpn config file to. I don't use the DS DDNS for anything at the moment. If I set the DS Let's Encrypt certificate to be the default certificate for the DS, would that just mean that I could type in my DS DDNS name and the browser would show it as secure? Right now, I have to put the DS DDNS address as an exception in the browser to go through.

For the VPN usage, do I just need the certificate on the router which then port forwards to the DS vpn server?
 
LE requires ports 80/443 to be routed to the device that is requesting the certificate, whether that’s at initial creation or automated renewal. As such you only have one set of TCP 80 and 443 per IP address. So you’ll have to decide which device is going to get assigned these ports: direct to router or forwarded to the NAS.


You could use a self-signed certificate on the router’s OpenVPN or copy over the LE certificate from the NAS every 3 months.
 
