Solved [Newbie] OpenVPN and MAC, not working at all, how to config?


NAS: DS116 | Operating system: macOS | Mobile operating system: iOS
Yeah, I made it thanks to you!!!

In regard to your first question, do you mean the first 2nd rule or the "second second rule" related to the VPN rule? (Screenshot) I will figure it out, hoping not to ruin everything :)

I don't know how to fake that I'm in the UK to test all you have asked me. I tried with my PureVPN account connecting to the UK and starting Tunnelblick, but it didn't work (of course I added GB to my firewall on the NAS). But before that I tested my IP when I was on the iPhone connection and I could surf the web and access my NAS, all with the same IP (95...) that is located in Italy. That's ok, right?
 
NAS: DS220+ : DS1019+ : DS920+ : DS118 : APC Back UPS ES 700 — Mac/iOS user
In regard to your first question, do you mean the first 2nd rule or the "second second rule" related to the VPN rule? (Screenshot) I will figure it out, hoping not to ruin everything :)

Do you have any services that you’re accessing (or need to access) remotely without a VPN?

(Screenshot)


I don't know how to fake that I'm in the UK to test all you have asked me.

No need to be in the UK. Not at this time anyway :)
It was an example.

You can test it this way:
Tether your Mac to your phone
Visit ipleak.net
You should see the IP address assigned by the telco provider and their DNS servers.

Now connect to your VPN using Tunnelblick
Visit ipleak.net again

If you’re routing all traffic then at least the IP address should be different than when you tried without Tunnelblick. It should be the same address that you get when you visit ipleak.net when on your LAN (without any VPN connection of course). The public IP address assigned by your ISP.

If your telco is not your ISP then, most likely, you’ll see different DNS servers too.

But do you want or need to route all traffic through the VPN tunnel?
 
NAS: DS116 | Operating system: macOS | Mobile operating system: iOS
Well, I tested all you asked and here it is:

with my tethered connection I see this --> Screenshot
with Tunnelblick and VPN I see this --> Screenshot (and I can surf the web and join my NAS)
with my LAN connection --> Screenshot

I assume then that all went fine, right? Well, about your question "But do you want or need to route all traffic through the VPN tunnel?", I don't know, I mean... I think that it is more secure, or maybe I'm wrong; what can you tell me?

About the "Do you have any services that you’re accessing (or need to access) remotely without a VPN?" I don't think so, but maybe, I think about download manager or Dropbox sync and so on... will I mess something up if I block all? If you want, just tell me the best settings with a screenshot and I will do the trick :)

BEST BEST BEST HELP ON ALL FORUMS GUYS!!!!

PS: I just want you to assure me about the security of all these actions with my VPN; I'm ok now and secure, right?
 
NAS: DS220+ : DS1019+ : DS920+ : DS118 : APC Back UPS ES 700 — Mac/iOS user
with my tethered connection I see this --> Screenshot
with Tunnelblick and VPN I see this --> Screenshot (and I can surf the web and join my NAS)
with my LAN connection --> Screenshot
I believe yes, you’re routing all traffic.
From what little I can see, it looks like your tethered+vpn ip address matches your LAN’s public IP address. But you can tell, you have the full picture.

What you can do is use the duplicate option in the settings to duplicate the current configuration and remove (or hash to comment out):

redirect-gateway def1
dhcp-option DNS [IP address]

This way, only the traffic directed to your DS and home LAN will be routed through the tunnel, while the rest will go over the default connection. You’ll have both and you can choose which one to use depending on the situation.

I assume then that all went fine, right? Well, about your question "But do you want or need to route all traffic through the VPN tunnel?", I don't know, I mean... I think that it is more secure, or maybe I'm wrong; what can you tell me?
No, it does not increase the security. Unless you think of application security (for instance accessing your online banking over public WiFi vs going through your tunnel out of your home’s gateway). The traffic to your NAS and LAN is already secured with the VPN. Routing all traffic will make other services go through the VPN too. For example, web traffic when browsing the internet, your browser will go through the tunnel and use your home’s gateway (router) and DNS services (that’s why ipleak.net showed your home’s public IP address, because the page request went out of your home).
Usually, that’s not needed (unless you want to “fake” your location, or for application security as mentioned above). Another example is your email client fetching or sending mail. Do you want that to go through the tunnel? I don’t think so.
They will just add more traffic to your VPN tunnel.

PS: I just want you to assure me about the security of all these actions with my VPN; I'm ok now and secure, right?
Implement other security measures discussed in the forum too. Like account blocking and 2FA. Just understand them first so you don’t lock yourself out.
There’s no 100% sure thing but this is as good as it gets with only one port open on your router and VPN for remote access.
(Talking about home use of course).

About the "Do you have any services that you’re accessing (or need to access) remotely without a VPN?" I don't think so, but maybe, I think about download manager or Dropbox sync and so on... will I mess something up if I block all?
Just uncheck the “All, All, Italy, allow” rule for now. You’ll end up with VPN only for remote access (only from Italy for now according to your rule).
You’ll know when you need it. Besides, if all you’ve forwarded is the single UDP port (for VPN) on your router, then this rule (“All, All, Italy, allow”) is useless for now.

If you want, just tell me the best settings with a screenshot and I will do the trick :)
There’s no best or worst. It all depends on what you’re trying to accomplish and the compromises you’re willing to take to achieve it.

BEST BEST BEST HELP ON ALL FORUMS GUYS!!!!
At SynoForum we aim to please. Welcome aboard. We occasionally have some cookies too, but you know, with this cowardly virus roaming the globe, we ran out. We have some🧴100ML hand sanitizer though. Enjoy :)
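As an added example (written for this page, not posted by anyone in the thread), here is a small shell script that does the "duplicate and comment out" step above mechanically and then checks the result. It assumes a Synology-style exported client profile that contains the two lines discussed, uses 192.168.1.0/24 as a placeholder for the home LAN, and adds `pull-filter ignore "redirect-gateway"` (an OpenVPN 2.4+ client directive) so the client also refuses a default route if the server should ever push one; the appended `route` line is only needed when the server does not already push the LAN route. The sample profile it writes is constructed for the demo, not a real export.

```shell
#!/bin/sh
# Added example (not from this thread): derive a split-tunnel OpenVPN client
# profile from a full-tunnel one and verify the result.
# Assumptions: a Synology-style exported .ovpn that contains the two lines
# discussed above; home LAN 192.168.1.0/24 (placeholder, substitute your own).

HOME_LAN_ROUTE='route 192.168.1.0 255.255.255.0'   # placeholder, adjust to your LAN

# write_sample_profile FILE
# Constructed stand-in for an exported client profile (not a real export);
# only the directives that matter for the split/full decision are present.
write_sample_profile() {
    cat > "$1" <<'EOF'
dev tun
proto udp
remote vpn.example.invalid 1194
redirect-gateway def1
dhcp-option DNS 192.168.1.1
EOF
}

# make_split_profile FULL SPLIT
# Comments out the two directives that send everything through the tunnel,
# then appends client-side safeguards so only home traffic uses the tunnel.
make_split_profile() {
    sed -e 's/^[[:space:]]*redirect-gateway/# &/' \
        -e 's/^[[:space:]]*dhcp-option[[:space:]]\{1,\}DNS/# &/' "$1" > "$2"
    # If the server pushes a default route anyway, ignore it (OpenVPN 2.4+);
    # harmless when the server does not push one.
    printf '%s\n' 'pull-filter ignore "redirect-gateway"' >> "$2"
    # Only needed when the server does not already push the LAN route.
    printf '%s\n' "$HOME_LAN_ROUTE" >> "$2"
}

# check_split_profile FILE
# Returns 0 when no active full-tunnel directive remains, 1 otherwise.
check_split_profile() {
    if grep -Eq '^[[:space:]]*(redirect-gateway|dhcp-option[[:space:]]+DNS)' "$1"; then
        echo "still a full tunnel: $1" >&2
        return 1
    fi
    echo "split tunnel: $1"
}

# Demo on the constructed profile; both files live in a temporary directory.
demo() {
    work=$(mktemp -d)
    write_sample_profile "$work/full.ovpn"
    make_split_profile "$work/full.ovpn" "$work/split.ovpn"
    check_split_profile "$work/full.ovpn" || true   # reports: still a full tunnel
    check_split_profile "$work/split.ovpn"          # reports: split tunnel
    cat "$work/split.ovpn"
    rm -rf "$work"
}

demo
```

Keep both profiles in Tunnelblick, as suggested in the post: the untouched one for "full tunnel" on untrusted WiFi, the generated one for day-to-day access to the DS. Commenting with `#` rather than deleting keeps the original lines visible for when you want to diff the two.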
 

fredbert (Moderator, NAS Support, Subscriber) | NAS: DS1520+, DS218+, DS215j | Router: RT2600ac, MR2200ac, RT6600ax | Operating system: macOS | Mobile operating system: iOS
I assume then that all went fine, right? Well, about your question "But do you want or need to route all traffic through the VPN tunnel?", I don't know, I mean... I think that it is more secure, or maybe I'm wrong; what can you tell me?
No, it does not increase the security. Unless you think of application security (for instance accessing your online banking over public WiFi vs going through your tunnel out of your home’s gateway). The traffic to your NAS and LAN is already secured with the VPN. Routing all traffic will make other services go through the VPN too. For example, web traffic when browsing the internet, your browser will go through the tunnel and use your home’s gateway (router) and DNS services (that’s why ipleak.net showed your home’s public IP address, because the page request went out of your home).
Usually, that’s not needed (unless you want to “fake” your location, or for application security as mentioned above). Another example is your email client fetching or sending mail. Do you want that to go through the tunnel? I don’t think so.
They will just add more traffic to your VPN tunnel.

Well done for getting this working. Why would you send all your traffic down the VPN tunnel?

If you're using public WiFi then I would tunnel everything to home (assuming the iOS bug is fixed!). With public WiFi you have no relationship with the WiFi provider and cannot be 100% certain what they are doing: in the not so distant past most email was using unsecured SMTP, IMAP, and POP, and even now there's enough information that can be gleaned from headers and cleartext portions of traffic (think marketing and tracking).

If you're using mobile data then you will have presumably selected a provider and are more comfortable with them, in which case you don't have to send everything down the tunnel.

Likewise, from a trust point of view, you may trust your home ISP more than whoever's ISP you'd be using without the VPN tunnel. Finally, if you are travelling abroad then tunnelling back home will give your Internet requests a home-country geo-location rather than your current country's: you may be blocked from streaming services etc. (Netflix, BBC, etc.)

You should consider what bandwidth you have at home. I have 100Mbps coming in but only 6Mbps going out. So all traffic sent back to your VPN client will be constrained by your outbound bandwidth limit ... and if you hammer it then people at home may get a degraded connection if they can't resolve URLs using an Internet DNS, and can't send out their web requests.
 
NAS: DS116 | Operating system: macOS | Mobile operating system: iOS
C'mon man!!! I don't know what your job is but YOU HAVE TO WRITE a damn book about Synology and security o_O:):):):):)

Let's go deep and see if I understand everything (I'm a little bit of a newbie about this, so be patient like you already were eheh)

I duplicated my VPN profile and did what you suggested, so that only the NAS will be redirected into the tunnel. I can say this because I tested while tethering that without VPN I can't access my NAS but I can surf the web; when connected to my VPN (with the duplicate profile) I can go on the internet and join my local LAN and NAS, and my IP is the one that I have with my mobile carrier. So amazing, right? (Screenshot). The only advice I receive from Tunnelblick in this situation is this, but I think it's ok --> Screenshot (the DNS address is not a public IP and will not be routed through the VPN)

Instead, if I want to go "full tunnel" I will use the other profile.

What you can do is use the duplicate option in the settings to duplicate the current configuration and remove (or hash to comment out):

redirect-gateway def1
dhcp-option DNS [IP address]

This way, only the traffic directed to your DS and home LAN will be routed through the tunnel, while the rest will go over the default connection. You’ll have both and you can choose which one to use depending on the situation.

Well, sincerely I always thought that routing all the traffic into the VPN was synonymous with security compared to surfing the web with my ISP and in general with a normal connection.

No, it does not increase the security. Unless you think of application security (for instance accessing your online banking over public WiFi vs going through your tunnel out of your home’s gateway). The traffic to your NAS and LAN is already secured with the VPN. Routing all traffic will make other services go through the VPN too. For example, web traffic when browsing the internet, your browser will go through the tunnel and use your home’s gateway (router) and DNS services (that’s why ipleak.net showed your home’s public IP address, because the page request went out of your home).
Usually, that’s not needed (unless you want to “fake” your location, or for application security as mentioned above). Another example is your email client fetching or sending mail. Do you want that to go through the tunnel? I don’t think so.
They will just add more traffic to your VPN tunnel.

Already did all the security measures that I have read about here in the forum and online. So 2FA, account blocking (Screenshot), disabling the admin user and so on ;)
Implement other security measures discussed in the forum too. Like account blocking and 2FA. Just understand them first so you don’t lock yourself out.
There’s no 100% sure thing but this is as good as it gets with only one port open on your router and VPN for remote access.
(Talking about home use of course).

Just uncheck the “All, All, Italy, allow” rule for now. You’ll end up with VPN only for remote access (only from Italy for now according to your rule).
You’ll know when you need it. Besides, if all you’ve forwarded is the single UDP port (for VPN) on your router, then this rule (“All, All, Italy, allow”) is useless for now.

Ok, I will uncheck this for sure.

At SynoForum we aim to please. Welcome aboard. We occasionally have some cookies too, but you know, with this cowardly virus roaming the globe, we ran out. We have some🧴100ML hand sanitizer though. Enjoy :)

I know? Don't tell me if I know ehehe, I'm Italian and in Italy so you can understand how I feel in this period, but I will wait patiently for some fresh cookies when available 🌈☀
 
NAS: DS116 | Operating system: macOS | Mobile operating system: iOS
Thanks also to you my friend for this explanation :) Well, as I was saying, I always thought that a VPN is more secure than the ISP or, of course, public WiFi. I have a strong connection at home, 1000Mbps, so I hope I will never ever have connection problems!

What I'm also thinking now is that with this type of service (OpenVPN on the Synology), well, it's also possible not to buy some private VPN like NordVPN and so on, right?

I'm so happy I have made it, all thanks to you guys!!!!!

Well done for getting this working. Why would you send all your traffic down the VPN tunnel?

If you're using public WiFi then I would tunnel everything to home (assuming the iOS bug is fixed!). With public WiFi you have no relationship with the WiFi provider and cannot be 100% certain what they are doing: in the not so distant past most email was using unsecured SMTP, IMAP, and POP, and even now there's enough information that can be gleaned from headers and cleartext portions of traffic (think marketing and tracking).

If you're using mobile data then you will have presumably selected a provider and are more comfortable with them, in which case you don't have to send everything down the tunnel.

Likewise, from a trust point of view, you may trust your home ISP more than whoever's ISP you'd be using without the VPN tunnel. Finally, if you are travelling abroad then tunnelling back home will give your Internet requests a home-country geo-location rather than your current country's: you may be blocked from streaming services etc. (Netflix, BBC, etc.)

You should consider what bandwidth you have at home. I have 100Mbps coming in but only 6Mbps going out. So all traffic sent back to your VPN client will be constrained by your outbound bandwidth limit ... and if you hammer it then people at home may get a degraded connection if they can't resolve URLs using an Internet DNS, and can't send out their web requests.
 
NAS: DS220+ : DS1019+ : DS920+ : DS118 : APC Back UPS ES 700 — Mac/iOS user
C'mon man!!! I don't know what your job is but YOU HAVE TO WRITE a damn book about Synology and security
I don’t know anything about security. I kill people and dump them into the river. But since the virus I’m unemployed 🤣

Just kidding. Not a book writer. I like to read them though :)

So amazing, right? (Screenshot). The only advice I receive from Tunnelblick in this situation is this, but I think it's ok --> Screenshot (the DNS address is not a public IP and will not be routed through the VPN)
Sorry, my Italian (screenshots) is extremely lacking (unlike your excellent English). Trust your heart, Jedi. You should be fine.

What I'm also thinking now is that with this type of service (OpenVPN on the Synology), well, it's also possible not to buy some private VPN like NordVPN and so on, right?
I don’t know! What do you use VPN services for?
You can’t use your Synology VPN to be in Japan, for instance. That’s what a VPN service provides (among other things). Unless you’re planning on distributing a lot of Synology boxes all over the world :)

I know? Don't tell me if I know ehehe, I'm Italian and in Italy so you can understand how I feel in this period, but I will wait patiently for some fresh cookies when available 🌈☀
May the force be with you, @Jedi82. Use your lightsaber if you have to. The end of the world is on April 6th.
 
NAS: DS116 | Operating system: macOS | Mobile operating system: iOS
Dammit :) I can definitely mark this thread as solved! Are you ready for my post on how to backup (the best decisions)??? Because I may need some help there ;):):) Hope you will be there. See ya man!