OpenVPN setup


79
3
NAS
DS920+
Operating system
  1. macOS
  2. Windows
Mobile operating system
  1. Android
  2. iOS
Hi there

I was trying to set up OpenVPN for my Syno in the office so I can also remotely access my files from home, and I am at the step where I need to edit the VPNConfig.ovpn file, specifically this -> "replace YOUR_SERVER_IP with public IP of your DiskStation." I am using macOS.

Is "YOUR_SERVER_IP with public IP of your DiskStation" my IP address? I mean my public IP? Link

I am following this guide, and to set up the VPN server I followed this guide.

This is my network configuration:
- The Synology is connected to a switch adapter using LAN 1.
- I have created Firewall rules for the port 1194
- I have port forwarding in my Router's settings
- I have assigned a Static IP to my LAN 1 (under Control Panel -> Network -> Network Interface)
- I have created a Let's Encrypt Certificate but I am NOT using DDNS

Many thanks in advance :)
 

Shadow

Subscriber
608
209
NAS
DS216+II, DS118, DS718+
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. Android
Is "YOUR_SERVER_IP with public IP of your DiskStation" my IP address? I mean my public IP? Link
Correct.


Don't forget to add a static route on your Router. Otherwise your router doesn't know 'where' your OpenVPN subnet is.
 
Correct.


Don't forget to add a static route on your Router. Otherwise your router doesn't know 'where' your OpenVPN subnet is.
Thanks!

Do you mean this?

Screenshot 2020-11-30 at 12.18.36.png


I was able to connect the VPN.

Tunnelblick however shows me a warning

  • DNS server address XXX.XXX.XX.XX is not a public IP address and is not being routed through the VPN

Am I supposed to set something else? Or did I maybe forget something?
 

Shadow

Do you mean this?

No. This appears to be your DHCP settings.
Unless there is no need to; but your VPN client is probably not able to 'talk' to other devices in your network. Did you notice that when connected to the VPN? I assume you couldn't connect to the internet.

Now, let me just take an example because I do not know how your network setup looks like.
Imagine your network subnet ID is 192.168.0.0/24
Your NAS has an IP address of 192.168.0.20
You set up the OpenVPN server on the NAS, and you've given OpenVPN the following subnet:

192.168.245.0/24

This subnet is unknown to your router. At the moment it treats everything outside of 192.168.0.0/24 as non-internal. So if a network packet arrives at this router for this OpenVPN subnet, your router doesn't know where to send the network traffic...

So in order for the router to know that your OpenVPN clients in the 192.168.245.0/24 network are 'behind' your NAS, you should create a static route somewhere in the settings of the router so your router knows how to 'talk' to your clients connected to OpenVPN.

If we had the above scenario as I took for example, I would have to set this up in my Synology RT2600AC router:
1606740649872.png


Tunnelblick however shows me a warning

  • DNS server address XXX.XXX.XX.XX is not a public IP address and is not being routed through the VPN
I think it's helpful if you post your openvpn config file here (careful not to post any passwords and public IP addresses).
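To make the routing decision in the example above concrete, here is a small added Python model (not from this thread, Synology or OpenVPN) of the router's lookup for a reply addressed to a VPN client. The LAN, NAS and OpenVPN subnet addresses are the ones in the example; the client IP 192.168.245.6 and the two routing tables are constructed.

```python
import ipaddress

# Constructed topology from the example above (not a real network):
# LAN 192.168.0.0/24, NAS at 192.168.0.20 running the OpenVPN server,
# OpenVPN client subnet 192.168.245.0/24 reachable only through the NAS.
LAN = ipaddress.ip_network("192.168.0.0/24")
NAS = ipaddress.ip_address("192.168.0.20")
VPN_SUBNET = ipaddress.ip_network("192.168.245.0/24")

# A routing table here is a list of (destination prefix, next hop).
# "connected" = deliver directly on the LAN interface, "WAN" = send to the ISP.
ROUTER_WITHOUT_STATIC_ROUTE = [
    (LAN, "connected"),
    (ipaddress.ip_network("0.0.0.0/0"), "WAN"),  # default route
]
# Same table plus the static route Shadow describes: VPN subnet via the NAS.
ROUTER_WITH_STATIC_ROUTE = ROUTER_WITHOUT_STATIC_ROUTE + [(VPN_SUBNET, str(NAS))]


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    candidates = [(net, hop) for net, hop in table if dst in net]
    net, hop = max(candidates, key=lambda route: route[0].prefixlen)
    return hop


def reply_path(table, client_ip):
    """Where a LAN device's reply to a VPN client ends up.

    The LAN device has no route for 192.168.245.x, so it hands the reply to
    its gateway (the router); the router's table then decides the next hop.
    """
    return lookup(table, client_ip)


if __name__ == "__main__":
    client = "192.168.245.6"  # constructed VPN client address
    print("without static route:", reply_path(ROUTER_WITHOUT_STATIC_ROUTE, client))
    print("with static route:   ", reply_path(ROUTER_WITH_STATIC_ROUTE, client))
```

Without the static route the reply matches only the default route and leaves towards the WAN; with it, the router forwards the reply to the NAS at 192.168.0.20, which owns the tunnel.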
 
1,693
721
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
See if anything helps here…

and here…
 
Did you notice that when connected to the VPN? I assume you couldn't connect to the internet.

No, Internet was working properly (slow because I was testing the VPN using my Smartphone as Hotspot).

I think it's helpful if you post your openvpn config file here (careful not to post any passwords and public IP addresses).

dev tun
tls-client

remote XX.XX.XX.XX 1194

# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect its
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

redirect-gateway def1

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

#dhcp-option DNS DNS_IP_ADDRESS

pull

# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp

script-security 2


comp-lzo

reneg-sec 0

cipher AES-256-CBC

auth SHA512

auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
Xxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Xxx
-----END CERTIFICATE-----

</ca>
 

Shadow

I think the problem here is that there is no DNS server specified in the OVPN file, and I know from previous experience the Synology OVPN server doesn't push DNS server configuration for VPN clients. So I'm suspecting your client will then use the DNS configured in your normal NIC. But at the same time, that should not be possible because redirect-gateway def1 disables split-tunnel traffic.... How odd....

Still, maybe it's worth a shot to try and configure a DNS server in the OVPN file..
 
I think the problem here is that there is no DNS server specified in the OVPN file, and I know from previous experience the Synology OVPN server doesn't push DNS server configuration for VPN clients. So I'm suspecting your client will then use the DNS configured in your normal NIC. But at the same time, that should not be possible because redirect-gateway def1 disables split-tunnel traffic.... How odd....

Still, maybe it's worth a shot to try and configure a DNS server in the OVPN file..
Thanks for the hint.

BTW I switched to OpenVPN Connect (so the official client from OpenVPN). This error does not show up there.

Regarding the static route: I did not specify one, but when connected to the VPN my Internet works properly.

Is a static route "mandatory" in this case?
 

Shadow

Regarding the static route: I did not specify one, but when connected to the VPN my Internet works properly.

Is a static route "mandatory" in this case?

Apparently not then. But I had to do this to be able to communicate with other devices on my LAN.
 
Apparently not then. But I had to do this to be able to communicate with other devices on my LAN.
I see. No, in my case we will use the VPN only in certain cases (e.g. a colleague needs access to some files on the NAS while at home).
 
Another question:

With the OpenVPN Connect client (for Mac) I am asked for a certificate every time I connect to the VPN. I saw a lot of videos online and there this step is always skipped. Is that necessary / suggested from a security point of view?
 

Shadow

Another question:

With the OpenVPN Connect client (for Mac) I am asked for a certificate every time I connect to the VPN. I saw a lot of videos online and there this step is always skipped. Is that necessary / suggested from a security point of view?
From what I can remember this is recommended.
It has something to do with some kind of dual SSL match verification as a method to prevent MITM-attack risks within OpenVPN. I don't have deep details atm about why this works like this and why it can't work like most other protocols like HTTPS, IMAPS, SMTP SSL/TLS, LDAPS etc.
 
From what I can remember this is recommended.
It has something to do with some kind of dual SSL match verification as a method to prevent MITM-attack risks within OpenVPN. I don't have deep details atm about why this works like this and why it can't work like most other protocols like HTTPS, IMAPS, SMTP SSL/TLS, LDAPS etc.
I see. How could I set this on the machines where OpenVPN is installed? Is it maybe the certificate file I get when I extract it through OpenVPN on my NAS? I mean the one in the .zip file where the openvpn.config file is?

Another question: I just realized that my OpenVPN.config file at the end has 2 declared certificates. Is that normal? It ends like this:

<ca>
-----BEGIN CERTIFICATE-----
Xxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Xxx
-----END CERTIFICATE-----

</ca>
 

Shadow

I just realized that my OpenVPN.config file at the end has 2 declared certificates. Is that normal? It ends like this:
Actually yes, that is normal (although you can also specify an external certificate file). Is this OpenVPN.config generated by the Syno VPN server? If yes, then it automatically includes the certificate file from your Syno. So I'm not sure why you are getting a cert warning. Do you have a valid cert from a valid CA like Let's Encrypt, or is it something self-signed?
 
Actually yes, that is normal (although you can also specify an external certificate file). Is this OpenVPN.config generated by the Syno VPN server? If yes, then it automatically includes the certificate file from your Syno. So I'm not sure why you are getting a cert warning. Do you have a valid cert from a valid CA like Let's Encrypt, or is it something self-signed?
Yes, the config file is the one generated from the Syno VPN Server. I generated one using Let's Encrypt.

I attach here some screens of the files in the zip file and what my config file looks like.

I saw that there are 2 <ca></ca> tags in the config file

Just a note: when I created the Let's Encrypt certificate I then deleted the DDNS domain used to generate it by mistake. I then re-created it giving the same hostname. Could this be the issue?

Zip file
Screenshot 2020-12-02 at 08.01.55.png


Config file
Screenshot 2020-12-02 at 08.02.26.png


OpenVPN Connect that asks for the certificate
Screenshot 2020-12-02 at 08.09.47.png


My DDNS
Screenshot 2020-12-02 at 09.17.57.png


Certificate(s)
Screenshot 2020-12-02 at 09.39.57.png
 

Shadow

Add this to your openvpn.config:

remote-cert-tls server

Does that still give the warning?
 

Shadow

Hmm. If I want to assist any more I have to setup an OpenVPN server myself again and see if I can find what is causing this error/warning. Been a bit too long for me I guess.. Maybe I'll have time later this week..
 
Hmm. If I want to assist any more I have to setup an OpenVPN server myself again and see if I can find what is causing this error/warning. Been a bit too long for me I guess.. Maybe I'll have time later this week..
Many thanks! This would be appreciated! :)
 
262
51
NAS
RS820+, DS718+
Operating system
  1. Windows
Mobile operating system
  1. iOS
Is anyone using the OpenVPN client for Windows? Connections & config are all good after import, but I'm getting a "missing external certificate" message. If I continue anyway the connection is fine, however I want this to be seamless for my end users.

I found two solutions and I'm looking for opinions/input on best practice. The first was to add the following to the config file:

add the following line before <ca>
client-cert-not-required

I'm a little concerned with this, since the capability of using the cert is there and I'd rather use it for security. So the second option I found is the following:

the issue is that you need to inform OpenVPN which client certificate it should use. You'd be able to do this by editing the profile in OpenVPN, selecting it from the "Certificate" drop-down. The issue is that you can't just browse your certificate here; you need to add it to your PC/User:
  • Windows key -> write "Certificate" -> select "Manage user certificates" -> from the list of certificates stores select "OpenVPN Certificate Store" -> right-click -> "All Tasks" -> "Import" -> and just now you can browse to your client certificate.
I did this second option and I was able to select the Let's Encrypt certificate from the dropdown in the OpenVPN Windows client app. I'm thinking I'll have to keep importing the cert when it expires (another maintenance task that adds to the workload).


So what is the best practice for using the OpenVPN Windows 10 client app? Previously we used an OpenVPN GUI which existed on the taskbar, but it isn't seamless with updating it and a bit complex as to where the config files were being stored.
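Several points in this thread come down to which directives a client profile does or does not contain: the posted config has no DNS server, Shadow suggested adding remote-cert-tls server, the <ca> block holds two certificates, and the last post quotes client-cert-not-required. The following added Python checker (written for this page, not part of OpenVPN or Synology) parses a profile modelled on the one posted above and reports on exactly those points; the sample profile's addresses and certificate bodies are placeholders.

```python
import re

# Constructed client profile modelled on the one posted above; the address
# and certificate bodies are placeholders, not real values.
SAMPLE_OVPN = """\
remote XX.XX.XX.XX 1194
redirect-gateway def1
#dhcp-option DNS DNS_IP_ADDRESS
pull
auth SHA512
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
Xxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Xxx
-----END CERTIFICATE-----
</ca>
"""

INLINE_BLOCK = re.compile(r"<(\w[\w-]*)>\n(.*?)\n</\1>", re.S)


def parse_ovpn(text):
    """Return (directives, inline): directive name -> list of argument strings,
    and inline block name -> body (e.g. "ca"). Comment lines (# or ;) are skipped."""
    inline = dict(INLINE_BLOCK.findall(text))
    directives = {}
    for line in INLINE_BLOCK.sub("", text).splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            directives.setdefault(name, []).append(" ".join(args))
    return directives, inline


def check_profile(text):
    """Findings for the points raised in this thread, as a list of strings."""
    d, inline = parse_ovpn(text)
    findings = []
    if "remote-cert-tls" not in d:  # Shadow's suggestion
        findings.append("missing 'remote-cert-tls server': server cert key usage is not checked")
    if "redirect-gateway" in d and "dhcp-option" not in d:  # the Tunnelblick DNS warning
        findings.append("full tunnel but no 'dhcp-option DNS': DNS depends on what the server pushes")
    if "client-cert-not-required" in d:  # option quoted in the last post
        findings.append("'client-cert-not-required' present: only username/password would be checked")
    # Two PEM certificates inside <ca> form a certificate chain, which is normal.
    n_certs = inline.get("ca", "").count("-----BEGIN CERTIFICATE-----")
    findings.append(f"<ca> block holds {n_certs} certificate(s)")
    return findings
```

Running check_profile(SAMPLE_OVPN) reports the missing remote-cert-tls line, the missing DNS option and the two-certificate chain; appending remote-cert-tls server to the profile clears the first finding.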
 
