Question Multi-factor authentication for VPN server on DSM?

Hi all - loving this unofficial forum, and new NAS DS218+ with DSM 6.2 :)

Would anyone know how to set up multiple-factor authentication for a VPN server (whichever VPN works, really) on DSM, please? Ideally, from most preferred to less preferred:
  • Hardware token like Yubikey
  • TOTP like Google Authenticator, Authy, or Duo
  • Client certificate (I'm not the biggest fan, as distribution is a pain -- would wish to avoid the hoops of installing the certificate on my wife's Android phone or mine ;-) )
User-friendly CLI or GUI would be ideal (a man can dream ;-) ). I used to be a sysadmin, but sadly now have much less time to have fun with many config files (family man with young baby...)

OpenVPN server from Synology's package manager seems to only use passwords, not even client certificates. I have not much choice but to run the VPN on the NAS -- old Zyxel router from ISP, not much point updating it because of bad broadband anyway.

Thanks for any help!
 
Hi @atakcs. Sadly no, sorry, I didn't. I'm still using OpenVPN using Synology's package on the NAS, without client certificate or 2FA :(
If you find any pointer, please do update this thread too! Maybe some heavily tweaked OpenVPN setup might work, but all I found on the topic was indeed very heavy.

I've been thinking of switching to WireGuard instead of OpenVPN for its lighter-weight clients and protocol, ideally with Tailscale which adds 2FA, but haven't had the time to fiddle with getting it to run on DSM. Likely going to stay stuck in the current config, for lack of a better solution.

Sorry, and good luck!
 
Interesting - will give it a try, although my current approach would be to run an OpenVPN container (in lieu of the built-in OpenVPN) and to customise it to support 2FA... Not working yet, though
 
I thought about customised OpenVPN in Docker when I first looked for 2FA, but getting it to work was more time than I could afford spending on it, plus the OpenVPN clients were battery suckers back then -- it might have changed, I don't know.

Tailscale so far is really remarkable for ease of use, I must say -- and their technical blog on how it works under the hood is a treat. The only two downsides of the package for Synology created by a kind fan:
- because DSM is missing some iptables modules, the latest version to work is Tailscale 0.95, whereas 1.0.5 is out. The team are looking into it: compile netfilter modules for every platform · Issue #17 · nirev/synology-tailscale
- It occasionally crashes on DS218+ without auto-respawn: the maintainer has a simple idea to make it work (an upstart job): 218+ SEGFAULT with no restart of daemon · Issue #22 · nirev/synology-tailscale

Then of course your love for Tailscale will depend on how comfortable you are having the control layer hosted by them. I was hesitant at first, but ended up thinking the tradeoff was worth it. YMMV :)
 
