If you are using auth-user-pass-verify with a bash script to verify user passwords, it may be vulnerable to Shellshock. I suggest following my articles to use auth-user-pass (authenticating against openldap or freeradius) and installing the corresponding plugin instead. This avoids using a bash script.
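To see whether a server config is in the situation described above, the following added example (not part of the original article) lists each auth-user-pass-verify line and reports the interpreter named in the verify script's shebang. The config files and script names are constructed samples, and script paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example, not from the original article: report which interpreter
# each auth-user-pass-verify script in an OpenVPN server config runs under.

# Print the interpreter name from a script's shebang line (e.g. "bash").
script_interpreter() {
    sed -n '1s/^#![[:space:]]*//p;1q' "$1" 2>/dev/null | awk '{
        n = split($1, p, "/"); name = p[n]
        # "#!/usr/bin/env bash" style: the interpreter is the next word
        if (name == "env" && NF > 1) { n = split($2, p, "/"); name = p[n] }
        print name
    }'
}

# Print one finding per auth-user-pass-verify line; return 1 if any is RISK.
audit_openvpn_conf() {
    risk=0
    # Directive syntax: auth-user-pass-verify <script> <via-env|via-file>
    while read -r directive script method rest || [ -n "$directive" ]; do
        [ "$directive" = "auth-user-pass-verify" ] || continue
        script=${script#\"}; script=${script%\"}   # drop surrounding quotes
        interp=$(script_interpreter "$script")
        case $interp in
            bash) echo "RISK $script ($interp, $method)"; risk=1 ;;
            sh)   echo "CHECK $script ($interp, $method): is sh really bash?" ;;
            "")   echo "UNKNOWN $script ($method): missing or no shebang" ;;
            *)    echo "OK $script ($interp, $method)" ;;
        esac
    done < "$1"
    return "$risk"
}

# Constructed sample input: two configs and two verify scripts in a temp dir.
demo=$(mktemp -d)
printf '#!/bin/bash\nexit 1\n' > "$demo/checkpw.sh"
printf '#!/usr/bin/perl\nexit 1;\n' > "$demo/checkpw.pl"
printf 'port 1194\nauth-user-pass-verify %s via-env\n' "$demo/checkpw.sh" \
    > "$demo/bash.conf"
printf 'auth-user-pass-verify %s via-file' "$demo/checkpw.pl" > "$demo/perl.conf"
audit_openvpn_conf "$demo/bash.conf" || echo "bash-backed verify script in use"
audit_openvpn_conf "$demo/perl.conf"
```

A RISK line means the verify script runs under bash, so exposure depends on whether the installed bash has been patched against Shellshock; a CHECK line means the script uses sh, which on some systems is bash.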
I’ve owned four DS (101j, 207+, 213j, 213+), and it seems to me that Synology keeps having serious security flaws over the years. I am pretty sure that their software engineers/developers either do not have much sense of security or just don’t care about it.
For the latest OpenVPN hardcoded password issue, it really sounds insane to me to hardcode the login password for all users who installed their pre-packaged OpenVPN component. This just makes your DS wide open to the world.
Luckily, I am using the OpenVPN from optware instead of the pre-packaged one. It is always wise to set up your own and have full control over security components. Follow this article and set up OpenVPN yourself for your own good.
This article describes all the steps to install OpenVPN in my environment so that I can access the resources (samba, ds207+ admin console, audio station..) on my DS207+ from any remote location in a secure way.
* I’ve tested and confirmed that OpenVPN even works on my DS101j for both server and client setups.
* Also reported working on the DS107+ by a user from the Synology forum.
DS213+ firmware version DSM 5.0-4493 Update 4
DS213j firmware version DSM 4.3-3827 Update 6
DS207+ firmware version DSM 2.1-0844, 2.2-0959, 3.1-1613
ipkg source http://ipkg.nslu2-linux.org/feeds/optware/syno-x07/cross/unstable/
DS101j firmware version DSM 2.0-0731
ipkg source http://ipkg.nslu2-linux.org/feeds/optware/ds101/cross/stable
Table of Contents

| Page | Topic |
|---|---|
| Page 1 | Assumptions and Pre-requisites |
| Page 2-7 | Installing OpenVPN server on DS207+/DS101j |
| Page 8 | Installing OpenVPN client on Windows |
| Page 9 | Installing VPN Client on DS101j |
| Page 10 | Install TomatoVPN 3.4 as OpenVPN Client |
| Page 11 | Manually install OpenVPN Client on Nexus 5 |
| Page 12 | How to allow vpn clients access all machines in the server network |
| Page 13 | Important Tips for Vista |
| Page 14 | VPN Server acting as internet gateway, and other useful TIPS |
| Page 15 | VPN Server failover |
| Page 16 | Dual authentication – Adding username and password verification |
| Page 17 | Revoke a client certificate |
OpenVPN Server network: 192.168.10.0/255.255.255.0
OpenVPN Server deployed on DiskStation with IP 192.168.10.5
OpenVPN Client network: 192.168.20.0/255.255.255.0
OpenVPN Client deployed on IBM X40 with IP 192.168.20.3
OpenVPN Virtual Subnet: 192.168.30.0/255.255.255.0
My DS207+ is located at my home in the network 192.168.10.0/255.255.255.0. It has a fixed internal IP address of 192.168.10.5. I’ll deploy the OpenVPN server to the DiskStation.
I have an IBM X40 notebook which needs to access my DiskStation from public environments such as internet cafes, or even from other countries. The X40, however, is mostly located in the network 192.168.20.0/255.255.255.0. I’ll deploy the OpenVPN client (win32) to my X40 notebook.
A new VPN subnet will be created once the VPN connection is successfully established. I defined the virtual subnet as 192.168.30.0/255.255.255.0.
Replace the values above with your own IP/network addresses.
Define the Server and Client ID
First we need to define the [Server ID] and [Client ID]. The ID must be a single word.
[Server ID] is the machine running the OpenVPN server.
[Client ID] is the machine running the OpenVPN client.
[Server ID] = server
[Client ID] = x40
- IMPORTANT! The two machines should be connected to networks with two unique subnets in order to avoid IP address conflicts. The OpenVPN howto also suggests considering an uncommon subnet such as 10.30.40.0 rather than 192.168.0.1, which is very likely to lead to IP conflicts (for example, on public wifi networks at airports and internet cafes).
- DS207+ is bootstrapped.
- SSH is enabled on DS207+.
- bash is already installed on the DS207+; if not, run ‘ipkg install bash’.