Multi-factor authentication for VPN server on DSM?

NAS
DS218+ with 2*6TB WD Red 5400rpm
Hi all - loving this unofficial forum, and new NAS DS218+ with DSM 6.2 :)

Would anyone know how to set up multiple-factor authentication for a VPN server (whichever VPN works, really) on DSM, please? Ideally, from most preferred to less preferred:
  • Hardware token like Yubikey
  • TOTP like Google Authenticator, Authy, or Duo
  • Client certificate (I'm not the biggest fan, as distribution is a pain -- would wish to avoid the hoops of installing the certificate on my wife's Android phone or mine ;-) )
User-friendly CLI or GUI would be ideal (a man can dream ;-) ). I used to be a sysadmin, but sadly now have much less time to have fun with many config files (family man with young baby...)

OpenVPN server from Synology's package manager seems to only use passwords, not even client certificates. I have not much choice but to run the VPN on the NAS -- old Zyxel router from ISP, not much point updating it because of bad broadband anyway.

Thanks for any help!
 
Hi @atakcs. Sadly no, sorry, I didn't. I'm still using OpenVPN using Synology's package on the NAS, without client certificate or 2FA :(
If you find any pointer, please do update this thread too! Maybe some heavily tweaked OpenVPN setup might work, but all I found on the topic was indeed very heavy.

I've been thinking of switching to Wireguard instead of OpenVPN for its lighter-weight clients and protocol, ideally with Tailscale which adds 2FA, but haven't had the time to fiddle with getting it to run on DSM. Likely going to stay stuck in the current config, for lack of a better solution.

Sorry, and good luck!
 
Interesting - will give it a try, although my current approach would be to run an OpenVPN container (in lieu of the built in openvpn) and to customise it to support 2FA... Not working yet, though
 
I thought about customised OpenVPN in Docker when I first looked for 2FA, but getting it to work was more time than I could afford spending on it, plus the OpenVPN clients were battery suckers back then -- it might have changed, I don't know.

Tailscale so far is really remarkable for ease of use, I must say -- and their technical blog on how it works under the hood is a treat. The only two downsides of the package for Synology created by a kind fan:
- because DSM is missing some iptables modules, the latest version to work is Tailscale 0.95, whereas 1.0.5 is out. The team are looking into it: compile netfilter modules for every platform · Issue #17 · nirev/synology-tailscale
- It occasionally crashes on DS218+ without auto-respawn: the maintainer has a simple idea to make it work (an upstart job): 218+ SEGFAULT with no restart of daemon · Issue #22 · nirev/synology-tailscale

Then of course your love for Tailscale will depend on how comfortable you are having the control layer hosted by them. I was hesitant at first, but ended up thinking the tradeoff was worth it. YMMV :)
 
Updating for anyone interested: 5 months with Tailscale, couldn't be happier.
-- post merged: --

(now if only I could find how to edit this thread title to add "[Solved]")...
 
Solution
Thanks @Rusty ! I've accepted the update as solution - this didn't seem to edit the topic, but maybe I'm just not used to how the forum works :)
I don't see an edit button for topic, but I'm on mobile, will try on full site later today.
 

SynoMan

I've accepted the update as solution - this didn't seem to edit the topic, but maybe I'm just not used to how the forum works :)
Mark as solution is the right way. I've removed the thread title prefix so all is good now. On the thread list you can see the green checkmark: