Open VPN setup

Hi there

I was trying to set up OpenVPN for my Syno in the office so I can remotely access my files also from home, and I am at the step where I need to edit the VPNConfig.ovpn file. Specifically this -> "replace YOUR_SERVER_IP with public IP of your DiskStation." I am using macOS

Is "YOUR_SERVER_IP with public IP of your DiskStation" my IP address? I mean my public IP? Link

I am following this guide, and to set up the VPN server I followed this guide.

This is my network configuration:
- The Synology is connected to a switch adapter using LAN 1.
- I have created Firewall rules for the port 1194
- I have port forwarding in my Router's settings
- I have assigned a Static IP to my LAN 1 (under Control Panel -> Network -> Network Interface)
- I have created a Let's Encrypt Certificate but I am NOT using DDNS

Many thanks in advance :)
 
Correct.


Don't forget to add a static route on your Router. Otherwise your router doesn't know 'where' your OpenVPN subnet is.
Thanks!

Do you mean this?

Screenshot 2020-11-30 at 12.18.36.png


I was able to connect the VPN.

Tunnelblick however shows me a warning

  • DNS server address XXX.XXX.XX.XX is not a public IP address and is not being routed through the VPN

Am I supposed to set something else? Or did I maybe forget something?
 
Do you mean this?

No. This appears to be your DHCP settings.
Unless there is no need to, but your VPN client is probably not able to 'talk' to other devices in your network. Did you notice that when connected to the VPN? I assume you couldn't connect to the internet.

Now, let me just take an example because I do not know what your network setup looks like.
Imagine your network subnet ID is 192.168.0.0/24
Your NAS has an IP address of 192.168.0.20
You set up the OpenVPN server on the NAS, and you've given OpenVPN the following subnet:

192.168.245.0/24

This subnet is unknown to your router. At the moment it treats everything outside of 192.168.0.0/24 as non-internal. So if a network packet arrives at this router for this OpenVPN subnet, your router doesn't know where to send the network traffic...

So in order for the router to know that your OpenVPN clients in the 192.168.245.0/24 network are 'behind' your NAS, you should somewhere in the settings of the router create a static route so your router knows how to 'talk' to your clients connected to OpenVPN.

If we had the scenario I took as an example above, I would have to set this up in my Synology RT2600AC router:
1606740649872.png


Tunnelblick however shows me a warning

  • DNS server address XXX.XXX.XX.XX is not a public IP address and is not being routed through the VPN
I think it's helpful if you post your OpenVPN config file here (careful not to post any passwords and public IP addresses).
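To make the static-route explanation above concrete, here is a small longest-prefix-match simulation of the router's decision. It is an added example, not code from the thread or from Synology; the LAN, NAS address and VPN subnet are the constructed values used in the post above.

```python
import ipaddress

# Constructed topology matching the example in the post above: office LAN
# 192.168.0.0/24, NAS at 192.168.0.20 running OpenVPN with client subnet
# 192.168.245.0/24. None of these values come from a real network.
LAN = ipaddress.ip_network("192.168.0.0/24")
VPN_SUBNET = ipaddress.ip_network("192.168.245.0/24")
NAS_IP = ipaddress.ip_address("192.168.0.20")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def router_table(with_static_route):
    """The router's routing table as (destination, next hop) pairs."""
    table = [(LAN, "directly connected"), (DEFAULT, "ISP uplink")]
    if with_static_route:
        # The static route recommended above: the VPN subnet lives behind the NAS.
        table.append((VPN_SUBNET, f"via {NAS_IP}"))
    return table


def next_hop(table, dst):
    """Longest-prefix match: the most specific matching route wins."""
    dst = ipaddress.ip_address(dst)
    candidates = [(net, hop) for net, hop in table if dst in net]
    _, hop = max(candidates, key=lambda entry: entry[0].prefixlen)
    return hop


def reply_to_vpn_client(client_ip, with_static_route):
    """Where the router forwards a LAN device's reply addressed to a VPN client."""
    return next_hop(router_table(with_static_route), client_ip)


if __name__ == "__main__":
    for flag in (False, True):
        hop = reply_to_vpn_client("192.168.245.6", flag)
        print(f"static route={flag}: 192.168.245.6 -> {hop}")
```

Without the route, a reply addressed to a VPN client falls through to the default route towards the ISP and never reaches the client. Whether some traffic still works without it depends on whether the NAS source-NATs its VPN clients, which this simulation does not model.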
 
See if anything helps here…

and here…
 
Did you notice that when connected to the VPN? I assume you couldn't connect to the internet.

No, Internet was working properly (slow because I was testing the VPN using my Smartphone as Hotspot).

I think it's helpful if you post your OpenVPN config file here (careful not to post any passwords and public IP addresses).

dev tun
tls-client

remote XX.XX.XX.XX 1194

# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect it's
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

redirect-gateway def1

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

#dhcp-option DNS DNS_IP_ADDRESS

pull

# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp

script-security 2


comp-lzo

reneg-sec 0

cipher AES-256-CBC

auth SHA512

auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
Xxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Xxx
-----END CERTIFICATE-----

</ca>
 
I think the problem here is that there is no DNS server specified in the OVPN file, and I know from previous experience the Synology OVPN server doesn't push DNS server configuration for VPN clients. So I'm suspecting your client will then use the DNS configured in your normal NIC. But at the same time, that should not be possible because redirect-gateway def1 disables split-tunnel traffic.... How odd....

Still, maybe it's worth a shot to try and configure a DNS server in the OVPN file..
 
I think the problem here is that there is no DNS server specified in the OVPN file, and I know from previous experience the Synology OVPN server doesn't push DNS server configuration for VPN clients. So I'm suspecting your client will then use the DNS configured in your normal NIC. But at the same time, that should not be possible because redirect-gateway def1 disables split-tunnel traffic.... How odd....

Still, maybe it's worth a shot to try and configure a DNS server in the OVPN file..
Thanks for the hint.

BTW I switched to OpenVPN Connect (so the official client from OpenVPN). This error does not show up there.

Regarding the static route: I did not specify one, but when connected to the VPN my Internet works properly.

Is a static route "mandatory" in this case?
 
Apparently not then. But I had to do this to be able to communicate with other devices on my LAN.
I see. No, in my case we will use the VPN only in certain cases (e.g. a colleague needs access to some files on the NAS while at home).
 
Another question:

With the OpenVPN Connect client (for Mac) I am asked for a certificate every time I connect to the VPN. I saw a lot of videos online and there this step is always skipped. Is that necessary / suggested from a security point of view?
 
Another question:

With the OpenVPN Connect client (for Mac) I am asked for a certificate every time I connect to the VPN. I saw a lot of videos online and there this step is always skipped. Is that necessary / suggested from a security point of view?
From what I can remember this is recommended.
It has something to do with some kind of dual SSL match verification as a method to prevent MITM-attack risks within OpenVPN. I don't have deep details atm about why this works like this and why it can't work like most other protocols like HTTPS, IMAPS, SMTP SSL/TLS, LDAPS etc.
 
From what I can remember this is recommended.
It has something to do with some kind of dual SSL match verification as a method to prevent MITM-attack risks within OpenVPN. I don't have deep details atm about why this works like this and why it can't work like most other protocols like HTTPS, IMAPS, SMTP SSL/TLS, LDAPS etc.
I see. How could I set this on the machines where OpenVPN is installed? Is it maybe the certificate file I get when I extract it through OpenVPN on my NAS? I mean the one in the .zip file where the openvpn.config file is?

Another question: I just realized that my OpenVPN.config file at the end has 2 declared certificates. Is that normal? It ends like this:

<ca>
-----BEGIN CERTIFICATE-----
Xxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Xxx
-----END CERTIFICATE-----

</ca>
 
I just realized that my OpenVPN.config file at the end has 2 declared certificates. Is that normal? It ends like this:
Actually yes, that is normal (although you can also specify an external certificate file). Is this OpenVPN.config generated by the Syno VPN server? If yes, then that automatically includes the certificate file from your Syno. So I'm not sure why you are getting a cert warning.. Do you have a valid cert from a valid CA like Let's Encrypt, or is it something self-signed?
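Two of the questions raised earlier in the thread can be checked mechanically from the client config: whether a DNS server is set while redirect-gateway forces a full tunnel (the Tunnelblick warning and the missing-DNS theory), and how many certificates sit inside the <ca> block (the double-certificate question answered above). This is an added example, not code from the thread or from Synology's VPN Server; SAMPLE_OVPN is a constructed config with placeholder values modelled on the one posted earlier.

```python
import re

# Constructed client config modelled on the one posted earlier in the thread;
# the server address and certificate bodies are placeholders, not real values.
SAMPLE_OVPN = """\
dev tun
remote XX.XX.XX.XX 1194
redirect-gateway def1
#dhcp-option DNS DNS_IP_ADDRESS
<ca>
-----BEGIN CERTIFICATE-----
Xxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Xxx
-----END CERTIFICATE-----
</ca>
"""

def parse_ovpn(text):
    directives, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:               # inside an inline <tag> block
            if line == f"</{current}>":
                current = None
            else:
                blocks[current].append(line)
            continue
        if not line or line[0] in "#;":       # blank line or comment
            continue
        opening = re.fullmatch(r"<([\w-]+)>", line)
        if opening:
            current = opening.group(1)
            blocks[current] = []
            continue
        directives.append(line.split())       # e.g. ["redirect-gateway", "def1"]
    return directives, blocks

def check_config(text):
    directives, blocks = parse_ovpn(text)
    names = {d[0] for d in directives}
    has_dns = any(d[:2] == ["dhcp-option", "DNS"] for d in directives)
    return {
        # Full tunnel (redirect-gateway) with no DNS set: resolver stays on the normal NIC.
        "dns_missing": "redirect-gateway" in names and not has_dns,
        # Two PEM certificates inside <ca> are a CA chain, which is normal.
        "ca_cert_count": blocks.get("ca", []).count("-----BEGIN CERTIFICATE-----"),
    }
```

Uncommenting the dhcp-option line with a real resolver address clears the dns_missing finding; the certificate count of 2 simply reflects the chain that the Synology export bundles.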
 
Actually yes, that is normal (although you can also specify an external certificate file). Is this OpenVPN.config generated by the Syno VPN server? If yes, then that automatically includes the certificate file from your Syno. So I'm not sure why you are getting a cert warning.. Do you have a valid cert from a valid CA like Let's Encrypt, or is it something self-signed?
Yes, the config file is the one generated from the Syno VPN Server. I generated one using Let's Encrypt.

I attach here some screens of the files in the zip file and how my config file looks like.

I saw that there are 2 <ca></ca> tags in the config file

Just a note: when I created the Let's Encrypt certificate I then deleted the DDNS domain used to generate it by mistake. I then re-created it giving the same hostname. Could this be the issue?

Zip file
Screenshot 2020-12-02 at 08.01.55.png


Config file
Screenshot 2020-12-02 at 08.02.26.png


OpenVPN Connect that asks for the certificate
Screenshot 2020-12-02 at 08.09.47.png


My DDNS
Screenshot 2020-12-02 at 09.17.57.png


Certificate(s)
Screenshot 2020-12-02 at 09.39.57.png
 
Hmm. If I want to assist any more I have to setup an OpenVPN server myself again and see if I can find what is causing this error/warning. Been a bit too long for me I guess.. Maybe I'll have time later this week..
Many thanks! This would be appreciated! :)
 
Is anyone using the OpenVPN client for Windows? Connections & config are all good after import, but I'm getting a "missing external certificate" message. If I continue anyway the connection is fine, however I want this to be seamless for my end users.

I found two solutions and I'm looking for opinions/input on best practice. The first was to add the following to the config file:

add the following line before <ca>
client-cert-not-required

I'm a little concerned with this, since the capability of using the cert is there and I'd rather use it for security. So the second option I found is the following:

The issue is that you need to inform OpenVPN which client certificate it should use. You'd be able to do this by editing the profile in OpenVPN, selecting it from the "Certificate" drop-down. The issue is that you can't just browse to your certificate here; you need to add it to your PC/User:
  • Windows key -> write "Certificate" -> select "Manage user certificates" -> from the list of certificates stores select "OpenVPN Certificate Store" -> right-click -> "All Tasks" -> "Import" -> and just now you can browse to your client certificate.
I did this second option and I was able to select the Let's Encrypt certificate in the dropdown in the OpenVPN Windows client app. I'm thinking I'll have to keep importing the cert when it expires (another maintenance task that adds to the workload).


So what is the best practice for using the OpenVPN Windows 10 client app? Previously we used an OpenVPN GUI which existed on the taskbar, but it isn't seamless with updating it and a bit complex as to where the config files were being stored.
 
