Synology usage series 7 – Setup OpenVPN server (Routed mode) with dual authentication and Windows/DS/TomatoVPN OpenVPN Client


I have owned four DiskStations (101j, 207+, 213j, 213+), and it seems to me that Synology has kept shipping serious security flaws over the years. Either their software engineers do not have much sense of security, or they simply do not care about it.

The latest one, the hard-coded password in their pre-packaged OpenVPN component, sounds insane to me: the same login password baked in for every user who installed the package. That leaves your DS wide open to the world.

Luckily I use the OpenVPN from Optware rather than the pre-packaged one. It is always wise to set up a security component yourself and keep full control over it. Follow this article and set up OpenVPN yourself, for your own good.

This article describes all the steps to install OpenVPN in my environment so that I can securely access the resources (Samba, the DS207+ admin console, Audio Station, ...) on my DS207+ from any remote location.

* I have tested and confirmed that OpenVPN also works on my DS101j, for both the server and the client setup.

* Also works on the DS107+, as reported by a user on the Synology forum.


Tested platforms:

DS213+ firmware version DSM 5.0-4493 Update 4

DS213j firmware version DSM 4.3-3827 Update 6

DS207+ firmware version DSM 2.1-0844 , 2.2-0959, 3.1-1613
ipkg source http://ipkg.nslu2-linux.org/feeds/optware/syno-x07/cross/unstable/

DS101j firmware version DSM 2.0-0731
ipkg source http://ipkg.nslu2-linux.org/feeds/optware/ds101/cross/stable

Table of Contents

Page 1: Assumptions and Pre-requisites
Page 2-7: Installing OpenVPN server on DS207+/DS101j
Page 8: Installing OpenVPN client on Windows
Page 9: Installing VPN Client on DS101j
Page 10: Install TomatoVPN 3.4 as OpenVPN Client
Page 11: Manually install OpenVPN Client on Nexus 5
Page 12: How to allow VPN clients to access all machines in the server network
Page 13: Important Tips for Vista
Advanced Implementation
Page 14: VPN Server acting as internet gateway, and other useful tips
Page 15: VPN Server failover
Page 16: Dual authentication – Adding username and password verification
Page 17: Revoke a client certificate

The environment

OpenVPN Sample Diagram (figure)

OpenVPN Server network: 192.168.10.0/255.255.255.0
OpenVPN Server deployed on DiskStation with IP 192.168.10.5

OpenVPN Client network: 192.168.20.0/255.255.255.0
OpenVPN Client deployed on IBM X40 with IP 192.168.20.3

OpenVPN Virtual Subnet: 192.168.30.0/255.255.255.0

My DS207+ sits at home in the network 192.168.10.0/255.255.255.0 and has a fixed internal IP address of 192.168.10.5. I will deploy the OpenVPN server on this DiskStation.

I have an IBM X40 notebook that needs to access my DiskStation from public places such as internet cafes, or even from another country. Most of the time, however, the X40 sits in the network 192.168.20.0/255.255.255.0. I will deploy the OpenVPN client (win32) on the X40.

A new virtual subnet is created once the VPN connection is established; I define it as 192.168.30.0/255.255.255.0.

Replace the values above with your own IP/network addresses.

Define the Server and Client ID

First we need to define the [Server ID] and the [Client ID]. Each ID must be a single word.

[Server ID] is the machine running the OpenVPN server.
[Client ID] is the machine running the OpenVPN client.

My example:
[Server ID] = server
[Client ID] = x40

Pre-requisites

  1. IMPORTANT! The two machines must sit on two different subnets to avoid IP address conflicts. The OpenVPN HOWTO also suggests using an uncommon subnet such as 10.30.40.0 rather than 192.168.0.x or 192.168.1.x, which are very likely to collide with the network you connect from (public Wi-Fi at an airport or internet cafe, for example).
  2. DS207+ is bootstrapped.
  3. SSH is enabled on DS207+.
  4. bash is already installed on the DS207+; if not, run ‘ipkg install bash’.
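Prerequisite 1 is the one people get wrong most often, and it is easy to check before touching any OpenVPN config. The script below is an added example, not code from the article: it tests that the server LAN, the client LAN and the VPN virtual subnet are pairwise disjoint, warns when one of them is a range that public Wi-Fi commonly hands out, and checks the items from the list above that a shell on the DS can verify (bash, tun). The three networks are the article's example values; the path /dev/net/tun and the use of lsmod are assumptions about the DS, and the arithmetic needs a 64-bit-capable shell, which the bash from prerequisite 4 provides.

```shell
#!/bin/sh
# Added pre-flight check for the routed-mode layout on this page (not the
# article's own code). Run it with bash on the DS: ip2int/prefix2mask rely
# on 64-bit shell arithmetic.

SERVER_LAN="192.168.10.0/24"   # article's example values; replace with yours
CLIENT_LAN="192.168.20.0/24"
VPN_NET="192.168.30.0/24"

# ip2int A.B.C.D -> prints the address as a 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# prefix2mask N -> prints the netmask of a /N as an integer
prefix2mask() {
    echo $(( 4294967296 - (1 << (32 - $1)) ))
}

# overlaps A/n B/m -> 0 if the two CIDR blocks share at least one address
overlaps() {
    a_ip=${1%/*}; a_len=${1#*/}
    b_ip=${2%/*}; b_len=${2#*/}
    # under the shorter of the two prefixes, the blocks overlap iff both
    # network addresses are equal
    if [ "$a_len" -le "$b_len" ]; then len=$a_len; else len=$b_len; fi
    mask=$(prefix2mask "$len")
    [ $(( $(ip2int "$a_ip") & mask )) -eq $(( $(ip2int "$b_ip") & mask )) ]
}

# check_layout SERVER_LAN CLIENT_LAN VPN_NET -> 0 if all three are disjoint
check_layout() {
    s=$1; c=$2; v=$3; rc=0
    for pair in "$s $c" "$s $v" "$c $v"; do
        set -- $pair
        if overlaps "$1" "$2"; then
            echo "CONFLICT: $1 overlaps $2" >&2; rc=1
        fi
    done
    return $rc
}

# warn_common NET -> 0 if NET lies in a range cafe/airport Wi-Fi often uses
warn_common() {
    for d in 192.168.0.0/24 192.168.1.0/24; do
        overlaps "$1" "$d" && return 0
    done
    return 1
}

# host_prereqs -> 0 if bash is installed and the tun device/module is present
# (assumes the usual /dev/net/tun node and a working lsmod on the DS)
host_prereqs() {
    rc=0
    command -v bash >/dev/null 2>&1 || { echo "bash missing: ipkg install bash" >&2; rc=1; }
    [ -c /dev/net/tun ] || lsmod 2>/dev/null | grep -q '^tun ' \
        || { echo "tun not available: insmod tun.ko first" >&2; rc=1; }
    return $rc
}

check_layout "$SERVER_LAN" "$CLIENT_LAN" "$VPN_NET" && echo "subnets are disjoint"
for n in "$SERVER_LAN" "$CLIENT_LAN" "$VPN_NET"; do
    warn_common "$n" && echo "WARNING: $n is a common default range, consider e.g. 10.30.40.0/24" >&2
done
host_prereqs || echo "fix the items above before continuing" >&2
```

Any CONFLICT line means the routed setup cannot work as drawn: OpenVPN will install a route for the VPN and server-side networks on the client, and an overlapping client LAN makes that route ambiguous.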




45 thoughts


  1. hi Ray, thanks,

    syno1> killall openvpn gives me -> killall: openvpn: no process killed
    syno1> ps auxwww | grep openvpn -> 10757 root 788 S grep openvpn

    but netstat -l gives me:
    udp 0 0 *:1194 *:*

    Do you know if it’s possible to change 1194 to another port? I tried replacing 1194 with 2294 in openvpn.conf, but after restarting openvpn I always get this line in openvpn.log.
    - Sat Jan 30 15:27:05 2010 us=644490 TCP/UDP: Socket bind failed on local address
    - [undef]:1194: Address already in use

    • Hello,

      There must be some application on your NAS using port 1194/udp. Can you try another port, or try tcp instead of udp?

      My NAS runs two openvpn instances, both listening on weird ports (something like 19010, 7890) without any issues.

      openvpn.conf
      —————–
      port 2294
      proto tcp

      good luck

  2. Hi Ray,
    Thanks for the tun.ko module.

    OpenVPN is working now, but I still can’t access the other computers that are on the same network as the Syno. IP forwarding is on.
    I thought IP forwarding wasn’t enough and NAT was needed. I tried to add a rule in iptables, but I get “iptables v1.4.2: can’t initialize iptables table `nat’: Table does not exist (do you need to insmod?)”.

    Thanks.
    Regards.

    • Hi Jief,

      1. Did you add the two static routes to the broadband router yet?
      2. You can’t browse other PCs from Network Neighbourhood, but you probably can access them from Explorer via \\192.168.x.x
      3. I don’t need NAT to access other computers on the server-side network.
      4. I’m not a networking expert, I’m afraid I can’t help with the iptables things, sorry about that.

      By the way, great to hear that the tun.ko here was useful to you.

  3. Hi Ray.

    Thanks for this nice post.

    I am a bit stuck.

    When doing “./build-ca” i get

    ####################
    ./build-ca
    error on line 95 of /opt/etc/openvpn/easy-rsa/openssl.cnf
    10755:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 95
    ###################

    Any clue?

    Thanks in advance
    Regards

    Thomas

  4. OK, fixed it myself. The “vars” file needs two more entries:

    export KEY_SIZE=1024

    to fix the first “./build-ca” issue

    and

    export OPENSSL=/opt/bin/openssl

    to fix the “./build-dh” issue
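The two entries above get build-ca and build-dh running, but KEY_SIZE=1024 produces 1024-bit RSA keys and DH parameters, which are no longer considered adequate; 2048 is the usual minimum today, and keys already built with the smaller size must be regenerated, since the vars file only affects what easy-rsa builds afterwards. The script below is an added example (not the commenter's or the article's code) that inspects the keys easy-rsa produced so a weak one is caught before it is handed to a client. It assumes an easy-rsa 2.x vars file with `export KEY_SIZE=2048` and `export OPENSSL=/opt/bin/openssl`, and a keys directory path given on the command line.

```shell
#!/bin/sh
# Added example (not from the article or the comment): reject RSA keys that
# were built with a KEY_SIZE below 2048. Assumes an OpenSSL binary that
# understands 'rsa -text' (OPENSSL=/opt/bin/openssl on an Optware DS).

OPENSSL="${OPENSSL:-openssl}"
MIN_BITS=2048

# key_bits KEYFILE -> prints the modulus size of a PEM RSA private key
# (matches both "Private-Key: (2048 bit)" and "(2048 bit, 2 primes)")
key_bits() {
    "$OPENSSL" rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}

# key_ok KEYFILE -> 0 if the key has at least MIN_BITS, 1 otherwise
key_ok() {
    bits=$(key_bits "$1")
    if [ -z "$bits" ]; then
        echo "$1: not a readable RSA private key" >&2; return 1
    fi
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "$1: $bits-bit RSA key is below $MIN_BITS bits; rebuild it with KEY_SIZE=$MIN_BITS" >&2
        return 1
    fi
    return 0
}

# check_keys DIR -> checks every *.key in an easy-rsa keys directory;
# 0 only if all of them pass
check_keys() {
    rc=0
    for k in "$1"/*.key; do
        [ -f "$k" ] || continue
        key_ok "$k" || rc=1
    done
    return $rc
}

# usage: sh check_keys.sh /opt/etc/openvpn/easy-rsa/keys
if [ -n "${1:-}" ]; then
    check_keys "$1" && echo "all keys in $1 are at least $MIN_BITS bits"
fi
```

Run it against the easy-rsa keys directory after every build-key; a failing file should be revoked and rebuilt rather than shipped to a client.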

  5. Hi Ray,

    I’ve successfully set up OpenVPN between a DS207+ server and a DS110J client using your great instructions. When I try to add a WinXP laptop as a second client, its IP address clashes with the DS110J’s. Do you know how to get it a different IP address?

    thanks

    SteveP

    • Hello SteveP,

      My solution is adding the following line to the openvpn.conf

      ifconfig-pool-persist /opt/etc/openvpn/jail/ipp.txt

      That works for me.

      If that doesn’t work for you, then you may need to assign a static IP to each VPN client.

      To assign a static IP to each VPN client, edit the client-specific ccd files and add an ifconfig-push line to them:

      For example

      client 1
      # vi …/openvpn/jail/ccd/client1
      ifconfig-push 192.168.30.1 192.168.30.2

      client 2
      # vi …/openvpn/jail/ccd/client2
      ifconfig-push 192.168.30.5 192.168.30.6

      Kindly let me know which solution works for you so that I can add the instructions to the article.

      Thanks in advance.
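For the static-address route described in the reply above, the pairs have to match how the `server` directive carves up the VPN subnet. With the default `net30` topology of OpenVPN 2.x, the server itself owns the first /30 (192.168.30.1 and .2), and every client needs the two usable addresses of its own /30, so valid client pairs are .5/.6, .9/.10, .13/.14 and so on; the dynamic pool pushes them as client address first, peer address second (e.g. `ifconfig 192.168.30.6 192.168.30.5`). The script below is an added example, not the author's or the commenter's code: it generates such pairs, validates a pair someone typed by hand, and writes the ccd file. It assumes `server 192.168.30.0 255.255.255.0` in openvpn.conf together with `client-config-dir` pointing at the ccd path used in the comment, and that the ccd file name equals the Common Name of the client certificate.

```shell
#!/bin/sh
# Added example (not from the article or the comment): fixed net30 address
# pairs for OpenVPN clients via client-config-dir files.
# Assumes: server 192.168.30.0 255.255.255.0, default net30 topology, and
# client-config-dir "$CCD_DIR" in openvpn.conf. The ccd path is the one
# from the comment above and is an assumption.

VPN_NET="192.168.30"                                 # first three octets of the VPN subnet
CCD_DIR="${CCD_DIR:-/opt/etc/openvpn/jail/ccd}"

# net30_pair N -> "client_ip peer_ip" for client slot N (1..63).
# Slot N is the /30 starting at .4N; slot 0 (.0-.3) belongs to the server.
net30_pair() {
    n=$1
    if [ "$n" -lt 1 ] || [ "$n" -gt 63 ]; then
        echo "slot must be 1..63" >&2; return 1
    fi
    echo "$VPN_NET.$((4 * n + 2)) $VPN_NET.$((4 * n + 1))"
}

# valid_net30_pair A B -> 0 if A and B are the two usable addresses of one
# /30 inside VPN_NET and that /30 is not the server's own
valid_net30_pair() {
    [ "${1%.*}" = "$VPN_NET" ] && [ "${2%.*}" = "$VPN_NET" ] || return 1
    a=${1##*.}; b=${2##*.}
    if [ "$a" -lt "$b" ]; then lo=$a; hi=$b; else lo=$b; hi=$a; fi
    [ $((lo % 4)) -eq 1 ] && [ "$hi" -eq $((lo + 1)) ] && [ "$lo" -ge 5 ]
}

# write_ccd CLIENT_CN SLOT -> writes CCD_DIR/CLIENT_CN with an ifconfig-push
# line; CLIENT_CN must be the Common Name in the client's certificate
write_ccd() {
    cn=$1; pair=$(net30_pair "$2") || return 1
    mkdir -p "$CCD_DIR"
    printf 'ifconfig-push %s\n' "$pair" > "$CCD_DIR/$cn"
    echo "$CCD_DIR/$cn: ifconfig-push $pair"
}

# Worked values for the two clients in the comment above (nothing is written
# here; call write_ccd to create the files, e.g. write_ccd x40 1)
for slot in 1 2; do
    echo "client slot $slot -> ifconfig-push $(net30_pair "$slot")"
done
```

Because every client's fixed pair lives outside the server's own /30, two clients can never collide as long as each gets a different slot; a pair that fails valid_net30_pair is what produces the "address clash" the question describes.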

  6. hi Ray,

    I’m almost a newbie in the Linux world (and a Frenchman who hasn’t practised his English for a long time :o)

    I own a DS207+ and upgraded to DSM 2.3 yesterday. I’m happy to discover that tun.ko is provided by default in this firmware version.

    I followed your instructions to the end... could you tell me how to start openvpn from the bash command line?

    Here are the lsmod and ifconfig results:

    lsmod
    Module Size Used by
    tun 9312 0
    usbhid 26404 0
    usblp 11680 0
    usb_storage 32068 0
    uhci_hcd 28720 0
    ohci_hcd 15204 0
    ehci_hcd 30088 0
    ds107+_synobios 16536 0
    isofs 33308 0
    udf 85124 0
    zlib_inflate 16672 1 isofs
    fuse 45396 0
    nfsd 105316 0
    exportfs 4416 1 nfsd
    ppp_async 9504 0
    crc_ccitt 1568 1 ppp_async
    ppp_generic 22260 1 ppp_async
    slhc 6368 1 ppp_generic
    snd_pcm_oss 41728 0
    snd_mixer_oss 15616 1 snd_pcm_oss
    snd_usb_audio 85700 0
    snd_pcm 71976 2 snd_pcm_oss,snd_usb_audio
    snd_timer 21156 1 snd_pcm
    snd_hwdep 7844 1 snd_usb_audio
    snd_usb_lib 18016 1 snd_usb_audio
    snd_rawmidi 22176 1 snd_usb_lib
    snd_seq_device 7596 1 snd_rawmidi
    snd 53692 9 snd_pcm_oss,snd_mixer_oss,snd_usb_audio,snd_pcm,snd_timer,snd_hwdep,snd_usb_lib,snd_rawmidi,snd_seq_device
    snd_page_alloc 8072 1 snd_pcm
    soundcore 7620 1 snd
    quota_v2 9056 2
    usbcore 115752 9 usbhid,usblp,usb_storage,uhci_hcd,ohci_hcd,ehci_hcd,snd_usb_audio,snd_usb_lib
    sg 30464 0
    ntfs 115700 0
    vfat 10720 0
    fat 48444 1 vfat
    appletalk 32952 20
    psnap 2852 1 appletalk
    llc 5876 1 psnap
    GEOSTATION> ifconfig
    eth0 Link encap:Ethernet HWaddr 00:11:32:04:0A:98
    inet addr:192.168.1.40 Bcast:192.168.1.255 Mask:255.255.255.0
    UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
    RX packets:2454 errors:0 dropped:0 overruns:0 frame:0
    TX packets:2631 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:512
    RX bytes:476970 (465.7 KiB) TX bytes:1081992 (1.0 MiB)
    Interrupt:21

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:89 errors:0 dropped:0 overruns:0 frame:0
    TX packets:89 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:8643 (8.4 KiB) TX bytes:8643 (8.4 KiB)

    GEOSTATION>

    Thank you for the tutorial, hope you could help me.

    cheers from france

    victor

  7. oh, i forgot that line:

    insmod tun.ko
    insmod: error inserting ‘tun.ko’: -1 File exists

    I think that’s the problem...

    victor

  8. me again…

    I get this ugly message:

    #cd /opt/etc/init.d
    #./S20openvpn
    /opt/sbin/openvpn: error while loading shared libraries: liblzo2.so.2: cannot open shared object file: No such file or directory

    What do you think about that? Any ideas?

    Sorry for spamming :o(

    victor

    • Hi Victor,

      Sorry for the late reply, been busy with some real life stuff.

      I’m not sure whether the lzo issue is introduced by firmware 2.3. My article was actually tested on firmware 2.1/2.2 only.

      Can you ssh to the box, sudo to root and then try the following commands?

      # ipkg list_installed | grep lzo
      # ipkg list_installed | grep openvpn

      Let me know the result.

  9. hi ray,

    thank you for the reply.

    here the result of

    # ipkg list_installed | grep lzo
    lzo – 1.08-2 -
    # ipkg list_installed | grep openvpn
    openvpn – 2.1.1-2 – SSL based VPN server with Windows client support

    Hope DSM 2.3 is ok :o)

    • Hi Victor,

      I’m not sure whether reinstalling lzo helps or not. Would you like to give it a try?

      #ipkg -force-reinstall install lzo

  10. hi ray,

    You wondered right. I tried

    #ipkg -force-reinstall install lzo
    and then
    # cd /opt/etc/init.d
    # ./S20openvpn
    and no error message…

    However, if I try
    #ifconfig
    eth0 Link encap:Ethernet HWaddr 00:11:32:04:0A:98
    inet addr:192.168.1.40 Bcast:192.168.1.255 Mask:255.255.255.0
    UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
    RX packets:37034 errors:0 dropped:0 overruns:0 frame:0
    TX packets:28867 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:512
    RX bytes:8396226 (8.0 MiB) TX bytes:10737185 (10.2 MiB)
    Interrupt:21

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:137 errors:0 dropped:0 overruns:0 frame:0
    TX packets:137 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:11919 (11.6 KiB) TX bytes:11919 (11.6 KiB)

    no tun.ko appears... is it normal, doc?
    Anyway, thanks a lot for your replies.

  11. hi ray,

    thank you for replying.

    1. #insmod /lib/modules/tun.ko
    insmod: error inserting ‘tun.ko’: -1 File exists

    2. #ifconfig
    eth0 Link encap:Ethernet HWaddr 00:11:32:04:0A:98
    inet addr:192.168.1.40 Bcast:192.168.1.255 Mask:255.255.255.0
    UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
    RX packets:3851162 errors:0 dropped:0 overruns:0 frame:0
    TX packets:4141320 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:512
    RX bytes:1022659548 (975.2 MiB) TX bytes:2515571688 (2.3 GiB)
    Interrupt:21

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:741 errors:0 dropped:0 overruns:0 frame:0
    TX packets:741 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:113702 (111.0 KiB) TX bytes:113702 (111.0 KiB)

    Bizarre!

  12. Hi Ray,

    here is the result :

    #lsmod | grep tun
    tun 9312 0

    so the module tun is running, but not tun.ko...? Can I kill that module?

    I tried

    #rmmod tun

    then
    #lsmod | grep tun
    nothing appear (normal), then
    #insmod /lib/modules/tun.ko
    nothing appear, ok.
    #ifconfig
    nothing new :o( (just eth0 and lo)

    What’s the matter?

    • Hi Victor,

      The tun.ko is not good. Maybe you can compile your own tun driver and try again (refer to series 23 for compile instructions).

      Good luck

  13. Thank you very much for a very good and easy guide !

    I have one question: the connection seems to be VERY slow; in the best case I get something like 100 KByte/sec. My internet connection is 100 Mbit down and 10 Mbit up. Normally I can upload at least 1 MByte/sec, so I doubt that my internet connection is the problem.

    Any ideas ?

    • Hard to say in just a few words; there are way too many factors that can affect the performance. My guess would be processor power, available memory, ISP or country VPN traffic monitoring, TCP overhead (try UDP instead), router QoS settings... and a lot more, and it does take quite some time to figure it out.
