Question OpenVPN can't connect my iPhone (iOS 13.4) to RT2600ac


remote xxx.xxx.x.xx 1198

This needs to have the address or IP address that you are going to connect to. So that could be:
  • SRM's Internet/WAN IP address ... look in Network Center to find the current IP. But this will change if you don't have a static IP from your ISP.
  • A fully qualified domain name that resolves to your router, such as myopenvpn.mydomain.com or even mydomain.com
  • A Synology DDNS that you've registered, e.g. myrouter.synology.me
  • Another DDNS service domain name that points to the router, e.g. myrouter.dyndns.org
You can uncomment the #float config command to float which should enable packets from any address, not just the location specified by the remote command.

This shouldn't be so hard: you may find it easier to use Synology's SSL-VPN service, as there is no config file, but it does need the SRM firewall to have a similar rule to OpenVPN (just select the VPN Plus (OpenVPN) application when creating the rule).

Here is the screenshot of the Network Center


All these 3 numbers are different from the public IP address
 
'IP Address' [1] should be the one that your xxxx.synology.me resolves to. It should be an Internet accessible IP address, meaning not in ranges:

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

If xxxxx.synology.me does not resolve to 'IP Address' then that's where the problem lies. There is an issue between the Internet and your router's WAN interface.
 
My router's WAN port is connected to the Cable Modem

So's mine but I'm not sure that's the problem: Virgin Media in UK and the cable modem is in bridge/router mode. I get a main Internet IP plus, also on the WAN interface, a small subnet in the 192.168.x.x range that allows my LAN to access the management portal of the Virgin Media modem/router. Back to trying to get the info on your connection...

What's the Internet IP address of your SRM router? [you don't need to say exactly what it is, but is it one that can be accessed from the Internet or is it one that is in those ranges?]


One question if you'll answer: do you have any other services on the SRM router or a LAN device (e.g. web server) that you can access from the Internet?
 
I can access the router from the internet and the router's IP is 198.168.xx.xxx.
I don't have any other services on my SRM router that can be accessed from the internet.
Do I need to install DNS server package from the SRM?
 
So, just to make sure, the relevant line in your config file should say:
remote yourdomain.synology.me 1198
and not, for example
remote yourdomain.synology.me
or
remote yourdomain.synology.me :1198

(Sometimes it's easy to mess this up when editing...)

Also, suggest you include these lines in your config:
float
dhcp-option DNS 9.9.9.9
#or whatever your favorite DNS server is
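
The checks discussed in the posts above (is the router's WAN IP in one of the private ranges, does the DDNS name resolve to it, and is the `remote` line written as host, space, port), as an added example that is not part of the original thread. The function names, the sample config and the 203.0.113.x addresses are constructed for illustration.

```python
import ipaddress

# The three private ranges listed in the thread (RFC 1918).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample .ovpn fragment; 1198 is the port used in the thread.
SAMPLE_OVPN = """\
client
remote yourdomain.synology.me 1198
remote yourdomain.synology.me
remote yourdomain.synology.me :1198
#remote old.example.net 1194
remote-cert-tls server
float
"""

def wan_ip_is_private(ip):
    """True if the WAN address is in one of the non-routable ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def diagnose_wan(wan_ip, ddns_ip):
    """Compare the router's WAN IP with what the DDNS name resolves to."""
    if wan_ip_is_private(wan_ip):
        return "private WAN IP: router sits behind another NAT device"
    if ipaddress.ip_address(wan_ip) != ipaddress.ip_address(ddns_ip):
        return "DDNS name does not resolve to the WAN IP"
    return "ok"

def check_remote(line, expected_port):
    """Return None if a 'remote host port' line is well formed, else the problem."""
    tokens = line.split()
    if len(tokens) < 2:
        return "no host given"
    if len(tokens) < 3:
        return "no port given: client falls back to 1194"
    if not tokens[2].isdigit():
        return "port must be a bare number after a space"
    if int(tokens[2]) != expected_port:
        return "port does not match the server"
    return None

def check_config(text, expected_port):
    """List (line_number, problem) for every faulty 'remote' directive."""
    problems = []
    for no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        # Exact match skips '#remote' comments and 'remote-cert-tls'.
        if tokens and tokens[0] == "remote":
            problem = check_remote(raw, expected_port)
            if problem:
                problems.append((no, problem))
    return problems
```
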
 
@fredbert ,
I reset my Synology router and started from fresh.
I changed my modem to bridge mode and the WAN IP on the SRM is the same as my public IP(y)
I added DDNS, set up OpenVPN, made a new config file, and now I can connect my iPhone to the VPN in cellular mode.
When I connect my iPhone to the SRM WiFi, the VPN fails. I didn't try from an outside hotspot.
So I am one step closer.
Are you able to connect the VPN from the same WiFi network?
 
I changed my modem to bridge mode and the WAN IP on the SRM is same as my public IP(y)
OK, so maybe you had a double NAT going on and this was stopping the requests from getting to the router.

For OpenVPN you need to have either the float command in the .ovpn config or use a URL that resolves to the router no matter from where you are trying to connect. The SRM router should do a loopback from the LAN/WiFi to itself when using the synology.me DDNS.

To be complicated, I run an internal DNS service for my personal domain and this resolves local devices and services to LAN IPs, whereas the Internet DNS service that resolves my domain to others will just send traffic to my router's WAN IP. I don't think you need to do this to get LAN/WiFi connections to OpenVPN to work ... but really you shouldn't need to make this connection from your LAN, so if it's working from the Internet then that should be enough.


Now you've persevered with OpenVPN you can try to set up VPN Plus's SSL-VPN service. I have found it to be the easiest one to use on iOS: no config file (unlike OpenVPN; like L2TP/IPsec); persistent connections (like OpenVPN; unlike L2TP/IPsec).

Other observations on the VPN services (I'm willing to believe some of these are purely unique to me):
  • L2TP/IPsec
    • Fixed UDP ports 1701, 500, 4500
    • Connections from iOS to SRM's service seem to disconnect after around 20 seconds.
    • To DSM 6's VPN Server the connections are stable
    • L2TP/IPsec clients are built into all major OS platforms and generally any business controls blocking adding VPN applications will ignore use of the built-in support.
    • Number of connections limited by device
  • OpenVPN
    • Ports and protocol set are user configurable: defaults are TCP 1194 and UDP 1194.
    • You can run SRM OpenVPN service on, e.g., UDP 1194 and have a backup OpenVPN service port forwarded to a DSM on TCP 1194. ... provided the port forward is set using explicit details and not from the application list (which grabs both TCP and UDP).
    • Requires installation of application on all platforms
    • Number of connections limited by device
  • SSL-VPN
    • Only available in SRM's VPN Plus based
    • Requires a mobile application or desktop agent that is installed via web browser
    • Number of connections limited by device and licences
    • Licences are per user account not per connection: from testing, the same user can have a number of active connections and still only consume one licence
  • PPTP
    • Generally supported by Windows and considered the weakest, by far, of the VPN tunnelling services: best not to use it.
  • SSTP
    • Never used it as it seems to be a Windows service
    • Uses the same licences as SSL-VPN
 
