VPN server issue - no local network access

This is a DS718+ server belonging to a client, running DSM 7.2.2-72806 Update 2.

Yesterday, VPN clients could access VPN server's LAN. Today, VPN clients can only establish connection to the VPN server but can't access the LAN nor any of the server's SMB services. Absolutely nothing was changed on the server.

The Network Interface and Account Type fields are both empty and no choices are available. It has been working fine for years through many SW upgrades, and then out of the blue - not working.

Any suggestions would be appreciated.

Thanks, Mike
 

Attachment: Screenshot 2025-01-09 at 8.27.59 PM.webp
Absolutely nothing was changed on the server
Don't get this the wrong way, but something, somewhere, had to change. The attached image that you attached, is there an issue with the local network interface not being selected for some reason?

Also, these SMB clients that have issues after they connect, what are those? Windows machines, macOS machines? What version of OS?

Can we get a bit more info on the overall setup?
 
The attached image that you attached, is there an issue with the local network interface not being selected for some reason?
Correct, the standard is that these fields are filled in, and if there are choices, you can select one; you do not have the choice to select empty.
So, something strange has happened.

2025-01-10_10-44-09.webp
 
Is the NAS setup for automatic DSM updates?
 
Don't get this the wrong way, but something, somewhere, had to change. The attached image that you attached, is there an issue with the local network interface not being selected for some reason?

Also, these SMB clients that have issues after they connect, what are those? Windows machines, macOS machines? What version of OS?

Can we get a bit more info on the overall setup?
Hi Rusty,

Ha ha, I didn't take it the wrong way. I've been doing tech support since 1986 and I know I should have added more details.

I'm the one answering clients' questions, and telling them I need more details no matter how inconsequential they may seem. Very rarely over the years have I been the one asking for help, and when I do I act just like a typical client needing tech support, LOL.

My poor excuse is that it was a long day, surprise e-mail from the client that was sent at 4:30 which I didn't see for another 3 hours, etc.

Yes, something definitely has changed. But it wasn't a change that I myself (as administrator of the server) or the singular VPN user initiated, and nobody else has access to administration of the server. Neither reboots of the NAS nor re-installation of the VPN server software resolved the issue.

Both computers accessing the VPN are Macs running macOS Ventura. They are not accessing any services on the NAS outside of VPN access to the local network which then allows access to a FileMaker server. Normally I would run the VPN server on the router hardware but didn't have that option when this was set up years ago.

The issue is that the local network interface or account type can not be selected - the dropdown fields are empty and have no selectable choices. The choices should be Network Interface: 'Lan 1'; Account Type: 'Local User'.

Update: I also have the same model NAS with the same DSM version in my office, which has never had the VPN server set up. As I was editing this message I figured I should enable it for comparison. Interestingly enough, it gives me the exact same blank dropdown menus.

They are both set to automatic DSM Updates, so I'm speculating that Synology offered up a software update that may be interacting with VPN Server.

After further digging, I have found that the VPN LAN connection issue is limited to L2TP/IPSec clients; OpenVPN clients can access the local networks without issue. It doesn't fully address the problem but I may be able to use it as a bandaid solution until I move the VPN service off to a different piece of hardware.

To quote "Roger Murtaugh" - “I'm too old for this shit.”
 
Both computers accessing the VPN are Macs running macOS Ventura.
This is the reason why I asked for the client OS. In the latest versions of macOS (still Ventura is not the latest but ok) there seem to be issues with SMB in general, including with v15, Sequoia (not personally but there are).

With this and the fact that the L2 protocol is the issue (the one supported by macOS natively) and not OpenVPN, it raises the question: is this really a Synology issue?

As you said there were no changes on the DSM side of things, but what about client side OS?

Are there maybe some iPhones about that might be used for L2/IPSec test as well? Just to try and isolate this to a protocol and/or OS platform level?
 
Since we are not using the VPN for SMB connections, that doesn't really play a part in this particular issue. The VPN is used specifically for routing to a specific machine on the internal network.

I used L2TP for this particular VPN user because it is built-in to the macOS and only required simple instructions for them to set up since it would have been a 1200 km road trip for me otherwise.

I'm inclined to believe it is a Synology issue since the VPN Server package looks like a GUI interface with 3 different VPN server modules, and at least one of them doesn't work correctly. I didn't bother configuring the PPTP module because of its inherent insecurities from the get-go.

I update OS'es reluctantly because I like stability and hate surprises. No system or security updates took place on the Macs, within the timeframe of this particular issue.

I have an iPad set up with VPN profiles for L2TP and OpenVPN.

Using the L2TP profile for the VPN connection will not route past the VPN Server. Using the OpenVPN profile for the VPN connection routes correctly to the FileMaker Server.

It has the appearance of an internal routing issue within the L2TP module.

-Mike-
 
[Update]

1. It turns out that the blank 'Network interface' and 'Account type' under 'General Settings' in the VPN Server window was a red herring. If you have "Container Manager" running a container that attaches to the host network, it appears to lock down those 2 fields in the VPN Server settings. Stop the container and the dropdown fields will be populated with the correct choices. Start the container back up and the fields go blank.

2. What appears to be stopping the L2TP VPN from routing to the internal LAN is routing table conflicts. If the VPN client happens to be on the same subnet range, or the client computer has the same subnets in its routing tables, as the target LAN, then the traffic will never go out over the VPN but will be stuck looking for that IP address on the local network. Why it doesn't cause problems for OpenVPN, I can't explain.
Easy but dirty fix - set all traffic to route over VPN for the duration of the session. Long term fix - change the target LAN subnet, and put in a proper router with VPN capabilities.

I apologize for suggesting it may be a Synology related software problem. Hope I didn't offend anyone too much.

Thank you all for the dialog.

-Mike-
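
The routing conflict described in point 2 above, modelled as an added example that is not part of the original post: a longest-prefix-match lookup over a client routing table, a check for client routes that overlap the VPN's target LAN, and a search for a non-overlapping replacement subnet for the long-term fix. All addresses, interface names (`en0`, `ppp0`) and the tie-break rule are constructed assumptions, not values from the thread.

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr)

def pick_route(routes, dest):
    """Longest-prefix match. On equal prefix length the earlier entry wins
    (assumption: it has the lower metric, as an on-link route normally does).
    Returns (network, interface) or None."""
    ip = ipaddress.ip_address(dest)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def overlapping_routes(routes, vpn_if, target_lan):
    """Non-default routes on non-VPN interfaces that overlap the target LAN."""
    lan = net(target_lan)
    return [r for r in routes
            if r[1] != vpn_if and r[0].prefixlen > 0 and r[0].overlaps(lan)]

def suggest_lan(avoid, pool="172.16.0.0/12", prefix=24):
    """First subnet of an RFC 1918 pool that overlaps none of the given networks."""
    for cand in net(pool).subnets(new_prefix=prefix):
        if not any(cand.overlaps(net(a)) for a in avoid):
            return cand
    return None

# Constructed sample data: the LAN behind the VPN server and a host on it.
TARGET_LAN = "192.168.1.0/24"
FILEMAKER = "192.168.1.50"

def client_table(home_lan):
    """Constructed split-tunnel client table: on-link home LAN, VPN route, default."""
    return [
        (net(home_lan), "en0"),      # client's own LAN, on-link
        (net(TARGET_LAN), "ppp0"),   # route to the remote LAN over the tunnel
        (net("0.0.0.0/0"), "en0"),   # default route stays on the local network
    ]

if __name__ == "__main__":
    for home in ("192.168.1.0/24", "192.168.50.0/24"):
        table = client_table(home)
        egress = pick_route(table, FILEMAKER)[1]
        clash = overlapping_routes(table, "ppp0", TARGET_LAN)
        print(f"client LAN {home}: {FILEMAKER} leaves via {egress}, overlaps: {clash}")
    print("candidate LAN:", suggest_lan([TARGET_LAN, "192.168.0.0/24", "172.16.0.0/24"]))
```
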
 
Glad you got it sorted. With the iPad info you provided my next thought was routing issues and was just wondering myself if the two local subnets on both ends are the same. That is usually something that is avoided as VPN server does its own NAT.

In any event, you got it sorted and that’s what matters.

Tnx for the update, much appreciated!
 
