Solved [Newbie] OpenVPN and MAC, not working at all, how to config?

18
4
NAS
DS116
Operating system
  1. macOS
Mobile operating system
  1. iOS
Last edited:
Hi guys. What I would love to do is configure OpenVPN on my NAS so that I can reach it from outside and be safe. I have already searched tons of guides and this amazing post from WST16, but still no success for me. I'm a bit of a newbie about VPN and know even less about NAS, but I will explain everything I have done so far so that helping me will, I hope, be easy.

My NAS is a DS116 model - I live in Italy - I'm working with a MacBook Pro with macOS Catalina
First, some security settings and info about my configuration (read here in this amazing forum)

Code:
NAS is on 192.168.XX.XX
Changed the default ports 5000 and 5001
UDP 1194 opened (and others) in my router --> https://prnt.sc/rowggg
Firewall global rules --> https://prnt.sc/row6lf
Firewall VPN rules --> https://prnt.sc/row6t9
Access with a user that has 2FA authentication

1) Installed VPN Server on my NAS and set OpenVPN like this --> Screenshot | Screenshot
My user has privileges --> Screenshot

2) Exported my configuration and imported it into Tunnelblick successfully --> Screenshot (are these settings on the right OK?) (sorry for the language, but you can write me in English the exact settings that I have to set and I will figure it out)

3) As far as I know, I have to change something in the .ovpn file, something like this (DDNS works perfectly for me):

Code:
dev tun
tls-client

remote myddnsaddress 1194

But what about the other settings I have to set? Maybe DNS or this? --> Screenshot

4) I can't connect (disabling Wi-Fi and connecting via a tethered connection on my iPhone) and I receive tons of errors. Tunnelblick asks me for a user and password on access, and if I understand it right I have to put the user and pass of my user account on the NAS right? OK, but then I can't connect because of some errors or "waiting for password..."

Please, I beg for your help!!!
 

Rusty

Moderator
NAS Support
2,856
870
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
You can remove # from the redirect line. This will push all your traffic inside the tunnel. But I fear you are still one or 2 steps behind that. By the looks of it you are not getting to your VPN server in the first place.

Are you sure you are visible from the internet on that port and protocol? Any chance to test this from a different device and not move via your tether connection?

have to put the user and pass of my user account on the NAS right
Correct.

Add some DNS servers in your config file as well. Let's say some public DNS like 1.1.1.1
 
18
4
NAS
DS116
Operating system
  1. macOS
Mobile operating system
  1. iOS
Hi Rusty, and thanks for the reply. Well, I made the changes you wrote about: Screenshot and I hope it will be fine.
As for being sure that I'm visible, how can I check? What I see is this, but I don't understand how it is possible --> Screenshot
 
1,678
716
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Last edited:
I have Tunnelblick configured to redirect all traffic to VPN (using OpenVPN server on the DS). It works.

Try checking:
You should see your DS’ public IP and DNS servers if all your traffic is being directed through the VPN connection.

EDIT:
I’m assuming that you’ve successfully connected to your VPN server (you can already reach your DS over VPN). And what you’re trying to do now is redirect ALL traffic to go through the VPN tunnel. Is this where you are now?
 
18
4
NAS
DS116
Operating system
  1. macOS
Mobile operating system
  1. iOS
Last edited:
Nope. Sadly I'm not there yet. But what's new now is that I discovered that connecting my iPhone via tethering on the Mac doesn't work well, but with a cable all is fine, so I can be on the internet without issues. Then I reconnected my VPN profile via Tunnelblick and now all went fine, no errors at all and the connection is green, but... I can't reach my DS nor go on the internet :( I receive this error (Screenshot), which is something like "there was an issue while checking the public IP of this computer". And of course I can't go to your link to verify my DS' public IP.

Maybe you can share all your screenshots of how you set everything in the DS, port forwards and connection maybe? Or I really don't know what the problem is now :( I set everything up correctly :(

PS: could this maybe be the problem? Here (Screenshot), where I see my assigned IP, is it correct?
 
1,678
716
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
I misunderstood :)

Let’s try to fix it. It’s been a long time and I seldom use this Mac but I don’t recall that I’ve changed much of the default configuration when I set it up at the time and it worked! I’ve updated to the latest stable Tunnelblick version too (3.8.2 build 5480).

Save your configuration to a TXT file and try mine after editing it with your settings. If no success, we’ll go back a few steps and try again.

This is configured on an old MacBook Pro running High Sierra 10.13.6


Configuration file (minus the server’s address and the certificate). This configuration redirects ALL traffic through the tunnel.
Code:
dev tun
tls-client

remote [your VPN server address/URL] [Port]
# [EDIT THE ABOVE WITH YOUR DETAILS]

# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect its
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

redirect-gateway def1

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

dhcp-option DNS 192.168.1.1
# [THIS IS MY DNS SERVER]
pull


# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp

script-security 2
comp-lzo
reneg-sec 0

cipher AES-256-CBC

auth SHA512

auth-user-pass
<ca>

</ca>
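
Added example (not part of the thread and not any poster's own code): a small Python check that parses a client .ovpn file shaped like the one above and reports whether it redirects all traffic, which DNS servers it sets, and whether the `remote` line still holds the bracketed placeholder. The hostname `vpn.example.net`, the shortened directive list and the certificate placeholder are constructed for the example.

```python
import re

def parse_ovpn(text):
    """Return [(directive, args)] for active lines, skipping comments and inline blocks."""
    out, block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                               # inside <ca>...</ca> or a similar block
            block = None if line == f"</{block}>" else block
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            block = m.group(1)
            continue
        if line and line[0] not in "#;":        # '#' and ';' start comment lines
            name, *args = line.split()
            out.append((name, args))
    return out

def review(text):
    """Summarise routing mode, DNS servers and obvious leftovers in a client config."""
    cfg = parse_ovpn(text)
    remotes = [a for n, a in cfg if n == "remote"]
    dns = [a[1] for n, a in cfg if n == "dhcp-option" and a[:1] == ["DNS"] and len(a) > 1]
    full = any(n == "redirect-gateway" for n, _ in cfg)
    findings = []
    if not remotes:
        findings.append("no remote line")
    elif any(not a or "[" in a[0] for a in remotes):
        findings.append("remote still holds the placeholder")
    if full and not dns:
        findings.append("all traffic redirected but no dhcp-option DNS in the file")
    return {"full_tunnel": full, "dns": dns, "findings": findings}

# Constructed sample: a subset of the directives from the post above.
TEMPLATE = """dev tun
remote [your VPN server address/URL] [Port]
redirect-gateway def1
dhcp-option DNS 192.168.1.1
auth-user-pass
<ca>
(constructed placeholder, not a real certificate)
</ca>
"""
# Hypothetical edits: a made-up hostname, and redirect-gateway commented out.
SPLIT = (TEMPLATE.replace("[your VPN server address/URL] [Port]", "vpn.example.net 1194")
                 .replace("redirect-gateway def1", "#redirect-gateway def1"))
if __name__ == "__main__":
    print(review(TEMPLATE), review(SPLIT), sep="\n")
```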
 
18
4
NAS
DS116
Operating system
  1. macOS
Mobile operating system
  1. iOS
Thanks for your precious effort, but no luck. It's still like this --> Screenshot and no internet at all. Maybe the problem is the DNS (1.1.1.1)? Ummmm.
I don't know what to say.... I hope to get some screenshots from your DS just to double-check against mine. (Did you see my firewall screenshots, and are they all OK? I created them with your amazing guide on how to protect the NAS.)
 
1,678
716
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Can you try accessing your NAS’ DSM via the browser. Use the dynamic IP address?
That would be the first assigned address in the dynamic pool.
 
1,678
716
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Ok. Let’s go back a few steps (dividing the tasks):
  • Make sure the DS’s VPN port you’ve used is successfully forwarded on the router. UDP/TCP?
  • Firewall allows VPN inbound traffic to the DS. Check firewall rules. If in doubt, turn off the firewall briefly to test.
  • Use a port checker (while on your LAN, or enter the public address manually if outside) such as this and this. Try both.
  • Check Tunnelblick configuration file. HASH (make it inactive/comment it) the “redirect-gateway def1” if you have it at this time. We’ll revisit this later.
  • Make sure the user privilege is correct (on the DS, VPN server > privilege)
  • Give it a try. We want to be able to connect to the DS at least at this step. You can try accessing your DS’ DSM via the dynamic IP address that is assigned (according to your settings on the VPN server package).
  • Check the VPN server’s connection list and log.
 
18
4
NAS
DS116
Operating system
  1. macOS
Mobile operating system
  1. iOS
Edit: wait, I will do everything WST16 says and will tell you, just one minute


Nope, doesn't work (Screenshot). Guys, I don't want you to waste time, maybe I will give up, I don't know...
 
18
4
NAS
DS116
Operating system
  1. macOS
Mobile operating system
  1. iOS
Ok. Let’s go back a few steps (dividing the tasks):
  • Make sure the DS’s VPN port you’ve used is successfully forwarded on the router. UDP/TCP?
  • Firewall allows VPN inbound traffic to the DS. Check firewall rules. If in doubt, turn off the firewall briefly to test.
  • Use a port checker (while on your LAN, or enter the public address manually if outside) such as this and this. Try both.
  • Check Tunnelblick configuration file. HASH (make it inactive/comment it) the “redirect-gateway def1” if you have it at this time. We’ll revisit this later.
  • Make sure the user privilege is correct (on the DS, VPN server > privilege)
  • Give it a try. We want to be able to connect to the DS at least at this step. You can try accessing your DS’ DSM via the dynamic IP address that is assigned (according to your settings on the VPN server package).
  • Check the VPN server’s connection list and log.

1) Well, I think yes (Screenshot). And I can say yes because (my idea, of course) if I check the Download Station app, opening ports for eMule gives me this --> Screenshot, so I think it is perfect and port forwarding worked, no?

2) These are my 3 firewall rules --> Screenshot

3) If I check all my "open ports", they are always CLOSED. How the * is that possible? (Screenshot) :(

4) Ok

5) Yep :( Screenshot

I will now make a new test without the firewall active, wait for it :)
 

Rusty

Moderator
NAS Support
2,856
870
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Ok so you can connect now but you can't access the internet that way or get to your local LAN. Just as a suggestion, try with Viscosity VPN client (SparkLabs - Explosively Great Apps).

In Networking section of your imported ovpn set DNS settings to disable and all traffic to send all traffic via vpn (picture below):

Screenshot 2020-03-30 at 11.46.43.png
 

Rusty

Moderator
NAS Support
2,856
870
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
1) Well, I think yes (Screenshot). And I can say yes because (my idea, of course) if I check the Download Station app, opening ports for eMule gives me this --> Screenshot, so I think it is perfect and port forwarding worked, no?

2) These are my 3 firewall rules --> Screenshot

3) If I check all my "open ports", they are always CLOSED. How the * is that possible? (Screenshot) :(

4) Ok

5) Yep :( Screenshot

I will now make a new test without the firewall active, wait for it :)
Make sure to Allow all traffic on all ports for your VPN network range. Add that as well.
 
18
4
NAS
DS116
Operating system
  1. macOS
Mobile operating system
  1. iOS
Wait wait wait... maybe we are near the solution, thanks of course to you amazing guys! :) I'm now connected with my iPhone connection / VPN connected (Screenshot) / I can surf the web / and I can reach my NAS locally, or at least I think so (Screenshot)

Well... wow, but I disabled the firewall now... so the problem is there, and I will give you all the screenshots to solve the problem. And so, so, so strange: if I make a port check I receive this (I think that if my IP now is the same as the one I have when I'm home when connected with VPN, I can't think that is OK, right?):

BUT....https://prnt.sc/rpc96p (how!!!!!)

Here are the rules of my firewall:

Rule 1


Rule 2

And choose IT Italy

Rule 3


VPN entries are empty

 

Rusty

Moderator
NAS Support
2,856
870
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Not sure what you are trying to do with all those rules apart from limiting access from Italy. But be sure to allow access for your VPN range as well as access to your LAN (10.8.0.0). This might be the rule you are missing here.
 
18
4
NAS
DS116
Operating system
  1. macOS
Mobile operating system
  1. iOS
Last edited:
Well, I was trying to protect my NAS following the rules I read here in this thread (I found the 3 rules here). You are saying then that they are wrong and I can delete them? I retried with setting some rules for my VPN profile, but still no success. Please can you provide me the best firewall rules for the NAS and the correct one (and from where) for the VPN?

 
1,678
716
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Last edited:
You are saying then that they are wrong and I can delete them?
They’re not wrong. They’re blocking the service we need.
You can use all interfaces instead of the VPN interface.

This is what I have on ”all interfaces”. Nothing else.


First rule is for the local subnet (LAN).
Second rule is for the VPN service.
Third rule is for the VPN dynamic IP address pool.
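
Added example (not from the thread; the rule sets are constructed, not the posters' actual screenshots): a first-match firewall model in Python showing why a rule set with only a LAN rule and a country rule lets the OpenVPN handshake through but drops traffic arriving from the VPN address pool, and how the three rules listed above change that. Assumptions: rules are evaluated top to bottom with the first match winning, "Italy" is represented by the documentation prefix 203.0.113.0/24, the LAN is 192.168.1.0/24, the pool is 10.8.0.0/24, the first rule set ends in a deny-all rule, and unmatched traffic is denied.

```python
import ipaddress
from collections import namedtuple

# source: CIDR; proto/port: None means "any"; action: "allow" or "deny"
Rule = namedtuple("Rule", "name source proto port action")

def evaluate(rules, src, proto, port, default="deny"):
    """Return (action, rule name) for the first rule that matches the packet."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if (addr in ipaddress.ip_network(r.source)
                and r.proto in (None, proto) and r.port in (None, port)):
            return r.action, r.name
    return default, "no rule matched"

# Constructed addresses: LAN and pool are assumptions, ITALY stands in for the geo rule.
LAN, VPN_POOL, ITALY = "192.168.1.0/24", "10.8.0.0/24", "203.0.113.0/24"

BEFORE = [  # LAN + country allow-list + deny everything else
    Rule("lan", LAN, None, None, "allow"),
    Rule("italy", ITALY, None, None, "allow"),
    Rule("deny-all", "0.0.0.0/0", None, None, "deny"),
]
AFTER = [   # the three rules listed in the post, with "no match" set to deny
    Rule("lan", LAN, None, None, "allow"),
    Rule("vpn-service", "0.0.0.0/0", "udp", 1194, "allow"),
    Rule("vpn-pool", VPN_POOL, None, None, "allow"),
]

PACKETS = {  # constructed packets as the NAS firewall would see them
    "handshake from Italy": ("203.0.113.7", "udp", 1194),
    "DSM over the tunnel": ("10.8.0.6", "tcp", 5001),
    "stranger to DSM": ("198.51.100.9", "tcp", 5001),
}

def report(rules):
    """Map each sample packet to the action the rule set gives it."""
    return {name: evaluate(rules, *pkt)[0] for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, report(rules))
```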
 
18
4
NAS
DS116
Operating system
  1. macOS
Mobile operating system
  1. iOS
What can I say...finally...with these FW settings I made my day thanks to you guys!!!!!! --> Screenshot

Finally I can reach my NAS via VPN and browse the web without problems, and of course in a safe way, right?
Just to understand it well and be sure about my privacy etc.:

1) When home, having all the security settings in place will prevent my NAS from being attacked
2) When outside home, i
 
1,678
716
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Great. You did it :)

You might consider constraining the 2nd rule to be more specific instead of “all“ according to the services that you want to access remotely. Or even disabling it altogether (uncheck it), if you’re going to only use VPN for remote access.

Are you routing all traffic?
If so, check ipleak.net. When connected via VPN, you should see the Public IP address of your NAS and the local DNS servers. In other words, if you’re in the UK and connect to your NAS via this VPN (of course by adding UK to the allowed rule) and you check with ipleak.net, you should see Italy.
Is that how you want it? All traffic?
 
