Synology usage series 7 – Setup OpenVPN server (Routed mode) with dual authentication and Windows/DS/TomatoVPN OpenVPN Client


Added: Oct 27 2009

Dual authentication – Adding username and password verification

If someone steals a copy of a client’s private key, they gain access to the VPN server. That is dangerous, so it is worth adding another layer of authentication to keep the VPN server safe.

Various methods could be added; the most commonly used is PAM. I tried PAM and found it a bit troublesome to get working with OpenVPN. I needed a simple username and password authentication solution.

I decided to use an open source plugin called ‘OpenVPN Auth Passwd’ instead.

The plugin is simple: once installed, it validates the username/password directly against the system’s Unix accounts, without another password store such as MySQL, LDAP or Active Directory. The drawback is that you need to create a system account for every VPN user. Since I am the only VPN user here, that is not a problem for me.

To get the plugin working, the first step is to compile the source code to produce a binary plugin.

Cross Compile Method

Cross compiling means compiling on a Linux PC to produce a working binary for the DS.

  1. Firstly, we need a Linux environment. Since I don’t have a spare machine, I downloaded the free VMware Player and installed it on my Vista PC, then downloaded the Ubuntu 9 ISO and installed it in the virtual machine.
  2. Download the 3rd Party Integration Guide PDF from the Synology website and follow its instructions to set up the compilation environment on your Ubuntu virtual machine.
  3. Download the source package of the plugin and upload it to the Ubuntu VM.
  4. Extract the plugin package.
  5. Modify the Makefile and change the path of the gcc compiler to the compiler provided by Synology.
  6. Run make.
  7. A binary copy of the plugin will be generated in the same directory.

Native Compile (compile on DS207+)

Native compiling means compiling directly on the NAS.

  1. telnet/ssh in as root
  2. Install the compiler and make:
    # ipkg install gcc
    # ipkg install make

  3. Download the plugin and the OpenVPN source as root.* (* The download links change from time to time; check the websites for the current links to the plugin and OpenVPN source packages. The -O option saves the SourceForge download under its proper file name instead of a name that includes the ?use_mirror query string.)
    # cd
    # wget -O openvpn-auth-passwd-1.1.tar.gz http://downloads.sourceforge.net/project/auth-passwd/openvpn-auth-passwd/1.1/openvpn-auth-passwd-1.1.tar.gz?use_mirror=nchc
    # wget http://openvpn.net/release/openvpn-2.1_rc20.tar.gz
    # tar xvzf openvpn-auth-passwd-1.1.tar.gz
    # tar xvzf openvpn-2.1_rc20.tar.gz
  4. Edit the Makefile so that INCLUDE points at the extracted OpenVPN source tree (that is where openvpn-plugin.h lives):

    # vi /root/auth-passwd/Makefile

    # This directory is where we will look for openvpn-plugin.h
    INCLUDE=-I/root/openvpn-2.1_rc20
  5. Ready to compile now; just type make:
    # cd ~/auth-passwd
    # make
  6. The plugin openvpn-auth-passwd.so will be generated in the auth-passwd directory.

Once the Auth Passwd plugin is compiled, installation is pretty simple.

VPN Server Setup

  1. Upload the plugin to any directory, e.g. /opt/etc/openvpn/lib
  2. Edit the config file of the VPN server:

    # vi /opt/etc/openvpn/config/openvpn.conf

    Add the following line to the config file to load the plugin:

    plugin /opt/etc/openvpn/lib/openvpn-auth-passwd.so

    Set script-security to 2:

    script-security 2

  3. Make sure the verb level is lower than 7; otherwise the username and raw password will be written to the log files. Use verb 7 or higher for debugging only.
  4. Restart the OpenVPN server.
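Because a too-high verb level writes the username and the raw password into the log, it is worth checking the server config mechanically after editing it. The following audit script is an added example and is not part of the original article or of the auth-passwd plugin; it checks the three settings above (plugin line present, script-security 2, verb below 7) and ships with a constructed sample config for a self-test. The plugin path is the article’s example path; the script name and the sample_conf helper are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: audit an OpenVPN server
# config for the three settings the article asks for (plugin line present,
# script-security 2, verb below 7). verb 7 and above writes the username and
# the raw password to the log, so the audit treats that as a failure.

# Returns 0 when the config passes, 1 otherwise; reasons go to stderr.
check_openvpn_conf() {
    conf="$1"
    rc=0

    # 1. the plugin line must load the auth-passwd shared object
    if ! grep -Eq '^[[:space:]]*plugin[[:space:]]+.*openvpn-auth-passwd\.so' "$conf"; then
        echo "$conf: no 'plugin .../openvpn-auth-passwd.so' line" >&2
        rc=1
    fi

    # 2. script-security must be set to at least 2 (an absent line counts as 0 here)
    sec=$(awk '$1 == "script-security" { v = $2 } END { print v + 0 }' "$conf")
    if [ "$sec" -lt 2 ]; then
        echo "$conf: script-security is $sec, the article requires 2" >&2
        rc=1
    fi

    # 3. verb defaults to 1 when absent; 7 or higher leaks credentials into the log
    verb=$(awk 'BEGIN { v = 1 } $1 == "verb" { v = $2 } END { print v + 0 }' "$conf")
    if [ "$verb" -ge 7 ]; then
        echo "$conf: verb $verb logs the username and raw password, lower it below 7" >&2
        rc=1
    fi

    return $rc
}

# Constructed sample config for a self-test (the plugin path is the article's
# example path; everything else is a placeholder).
# $1 = file, $2 = verb level, $3 = script-security level
sample_conf() {
    cat > "$1" <<EOF
port 1194
proto udp
dev tun
plugin /opt/etc/openvpn/lib/openvpn-auth-passwd.so
script-security $3
verb $2
EOF
}

# Usage: sh audit-openvpn.sh /opt/etc/openvpn/config/openvpn.conf
if [ "$#" -gt 0 ]; then
    check_openvpn_conf "$1"
fi
```

Run it against the live config after every edit and before restarting the server; a non-zero exit tells you which of the three settings is off, so a debugging session with verb 7 is not left behind in production.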

VPN Client Setup

  1. Add the following line to the client’s config file:

    auth-user-pass

    A popup window will prompt for the username and password during connection.

    For non-interactive environments (e.g. Linux, TomatoVPN), it is not possible to enter the username/password manually. The solution is to create a plain text file holding the username and password and add the following line to the client’s configuration instead:

    auth-user-pass /path/to/the/openvpn-passwd

    The format of the plain text file is simple:

    First line: username
    Second line: password
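A plain text file with the VPN password is only as safe as its permissions, and a malformed file (a missing line, a blank password) fails in ways that are hard to spot from the client log. The following script is an added example, not part of the original article: it writes the two-line file described above with owner-only permissions and validates an existing file before a non-interactive client is pointed at it. The function names, the example username and the password value are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original article: create the two-line
# credentials file that 'auth-user-pass <file>' reads (line 1 username,
# line 2 password) with owner-only permissions, and validate an existing
# file before pointing a non-interactive client at it.

# $1 = path of the credentials file, $2 = username, $3 = password
write_auth_file() {
    # the subshell keeps the restrictive umask local; the file is 0600 from creation
    ( umask 077; printf '%s\n%s\n' "$2" "$3" > "$1" )
}

# Returns 0 when the file has exactly two non-empty lines and is readable by
# its owner only; prints the reason on stderr and returns 1 otherwise.
validate_auth_file() {
    f="$1"

    lines=$(wc -l < "$f" | tr -d ' ')
    if [ "$lines" -ne 2 ]; then
        echo "$f: expected 2 lines (username, password), found $lines" >&2
        return 1
    fi

    if [ -z "$(sed -n 1p "$f")" ] || [ -z "$(sed -n 2p "$f")" ]; then
        echo "$f: username or password line is empty" >&2
        return 1
    fi

    # column 1 of 'ls -l' looks like -rw-------; characters 5-10 are the
    # group and other bits, which must all be cleared
    mode=$(ls -l "$f" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "$f: readable by group/other ($(ls -l "$f" | cut -c1-10)); chmod 600 it" >&2
        return 1
    fi

    return 0
}

# Usage: sh auth-file.sh /path/to/the/openvpn-passwd   (validates an existing file)
if [ "$#" -gt 0 ]; then
    validate_auth_file "$1"
fi
```

The validator is deliberately strict about the second line: OpenVPN reads the password from line 2 verbatim, so an empty line silently becomes an empty password attempt rather than a clear error.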





45 thoughts


  1. Hi Ray, thanks,

    syno1> killall openvpn gives me -> killall: openvpn: no process killed
    syno1> ps auxwww | grep openvpn -> 10757 root 788 S grep openvpn

    but a netstat -l gives me:
    udp 0 0 *:1194 *:*

    Do you know if it’s possible to change 1194 to another port? I tried to replace 1194 with 2294 in openvpn.conf, but after restarting openvpn I always have this line in openvpn.log.
    – Sat Jan 30 15:27:05 2010 us=644490 TCP/UDP: Socket bind failed on local address
    – undef]:1194: Address already in use

    • Hello,

      There must be some application on your NAS using port 1194/udp. Can you try another port, or TCP instead of UDP?

      My NAS runs two openvpn instances, both listening on two weird ports (something like 19010, 7890) without any issues.

      openvpn.conf
      —————–
      port 2294
      proto tcp

      Good luck

  2. Hi Ray,
    Thanks for the tun.ko module.

    OpenVPN is working now, but I still can’t access other computers that are on the same network as the Syno. IP forwarding is on.
    I thought that IP forwarding isn’t enough and NAT is needed. I tried to add a rule in iptables, but I get “iptables v1.4.2: can’t initialize iptables table `nat’: Table does not exist (do you need to insmod?)”.

    Thanks.
    Regards.

    • Hi Jief,

      1. Did you add the two static routes to the broadband router yet?
      2. You can’t browse other PCs from Network Neighbourhood, but you probably can access other PCs from Explorer via \\192.168.x.x
      3. I don’t need NAT to access other computers on the server-side network.
      4. I’m not a networking expert; I’m afraid I can’t help with iptables, sorry about that.

      By the way, great to hear that the tun.ko here is useful to you.

  3. Hi Ray.

    Thanks for this nice post.

    I am a bit stuck.

    When doing “./build-ca” I get

    ####################
    ./build-ca
    error on line 95 of /opt/etc/openvpn/easy-rsa/openssl.cnf
    10755:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 95
    ###################

    Any clue?

    Thanks in advance
    Regards

    Thomas

  4. OK, fixed it myself. The “vars file” needs two more entries:

    export KEY_SIZE=1024

    to fix the first “./build-ca” issue

    and

    export OPENSSL=/opt/bin/openssl

    to fix the “./build-dh” issue

  5. Hi Ray,

    I’ve successfully set up OpenVPN between a DS207+ server and a DS110J client using your great instructions. When I try to add a WinXP laptop as a second client, its IP address clashes with the DS110J’s. Do you know how to get it a different IP address?

    thanks

    SteveP

    • Hello SteveP,

      My solution is adding the following line to openvpn.conf

      ifconfig-pool-persist /opt/etc/openvpn/jail/ipp.txt

      That works for me.

      If that doesn’t work for you, then you may need to assign a static IP to each VPN client.

      To assign a static IP to each VPN client, edit the client-specific ccd files and add the ifconfig-push line to them:

      For example

      client 1
      # vi …/openvpn/jail/ccd/client1
      ifconfig-push 192.168.30.1 192.168.30.2

      client 2
      # vi …/openvpn/jail/ccd/client2
      ifconfig-push 192.168.30.5 192.168.30.6

      Kindly let me know which solution works for you so that I can add the instructions to the article.

      Thanks in advance.

  6. Hi Ray,

    I’m almost a newbie in the Linux world (and a Frenchman who hasn’t practised his English for a long time :o)

    I own a DS207+ and I upgraded to DSM 2.3 yesterday. I’m happy to discover that tun.ko is provided by default in this version of the firmware.

    I followed your instructions until the end... could you tell me how to start openvpn from the bash command line?

    Here are the lsmod and ifconfig results:

    lsmod
    Module Size Used by
    tun 9312 0
    usbhid 26404 0
    usblp 11680 0
    usb_storage 32068 0
    uhci_hcd 28720 0
    ohci_hcd 15204 0
    ehci_hcd 30088 0
    ds107+_synobios 16536 0
    isofs 33308 0
    udf 85124 0
    zlib_inflate 16672 1 isofs
    fuse 45396 0
    nfsd 105316 0
    exportfs 4416 1 nfsd
    ppp_async 9504 0
    crc_ccitt 1568 1 ppp_async
    ppp_generic 22260 1 ppp_async
    slhc 6368 1 ppp_generic
    snd_pcm_oss 41728 0
    snd_mixer_oss 15616 1 snd_pcm_oss
    snd_usb_audio 85700 0
    snd_pcm 71976 2 snd_pcm_oss,snd_usb_audio
    snd_timer 21156 1 snd_pcm
    snd_hwdep 7844 1 snd_usb_audio
    snd_usb_lib 18016 1 snd_usb_audio
    snd_rawmidi 22176 1 snd_usb_lib
    snd_seq_device 7596 1 snd_rawmidi
    snd 53692 9 snd_pcm_oss,snd_mixer_oss,snd_usb_audio,snd_pcm,snd_timer,snd_hwdep,snd_usb_lib,snd_rawmidi,snd_seq_device
    snd_page_alloc 8072 1 snd_pcm
    soundcore 7620 1 snd
    quota_v2 9056 2
    usbcore 115752 9 usbhid,usblp,usb_storage,uhci_hcd,ohci_hcd,ehci_hcd,snd_usb_audio,snd_usb_lib
    sg 30464 0
    ntfs 115700 0
    vfat 10720 0
    fat 48444 1 vfat
    appletalk 32952 20
    psnap 2852 1 appletalk
    llc 5876 1 psnap
    GEOSTATION> ifconfig
    eth0 Link encap:Ethernet HWaddr 00:11:32:04:0A:98
    inet addr:192.168.1.40 Bcast:192.168.1.255 Mask:255.255.255.0
    UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
    RX packets:2454 errors:0 dropped:0 overruns:0 frame:0
    TX packets:2631 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:512
    RX bytes:476970 (465.7 KiB) TX bytes:1081992 (1.0 MiB)
    Interrupt:21

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:89 errors:0 dropped:0 overruns:0 frame:0
    TX packets:89 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:8643 (8.4 KiB) TX bytes:8643 (8.4 KiB)

    GEOSTATION>

    Thank you for the tutorial, I hope you can help me.

    Cheers from France

    victor

  7. Oh, I forgot that line:

    insmod tun.ko
    insmod: error inserting ‘tun.ko’: -1 File exists

    I think that’s the problem...

    victor

  8. Me again...

    I have this ugly message

    #cd /opt/etc/init.d
    #./S20openvpn
    /opt/sbin/openvpn: error while loading shared libraries: liblzo2.so.2: cannot open shared object file: No such file or directory

    What do you think about that? Any ideas?

    Sorry for spamming :o(

    victor

    • Hi Victor,

      Sorry for the late reply, I’ve been busy with some real life stuff.

      I’m not sure if the lzo issue is introduced by firmware 2.3. My article was actually tested on firmware 2.1/2.2 only.

      Can you ssh to the box, sudo to root and then try the following commands?

      # ipkg list_installed | grep lzo
      # ipkg list_installed | grep openvpn

      Let me know the result.

  9. Hi Ray,

    Thank you for the reply.

    Here is the result of

    # ipkg list_installed | grep lzo
    lzo – 1.08-2 –
    # ipkg list_installed | grep openvpn
    openvpn – 2.1.1-2 – SSL based VPN server with Windows client support

    Hope DSM 2.3 is OK :o)

    • Hi Victor,

      I’m not sure if reinstalling lzo helps or not; would you like to give it a try?

      #ipkg -force-reinstall install lzo

  10. Hi Ray,

    You wondered right. I tried

    #ipkg -force-reinstall install lzo
    and then
    # cd /opt/etc/init.d
    # ./S20openvpn
    and no error message...

    However, if I try
    #ifconfig
    eth0 Link encap:Ethernet HWaddr 00:11:32:04:0A:98
    inet addr:192.168.1.40 Bcast:192.168.1.255 Mask:255.255.255.0
    UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
    RX packets:37034 errors:0 dropped:0 overruns:0 frame:0
    TX packets:28867 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:512
    RX bytes:8396226 (8.0 MiB) TX bytes:10737185 (10.2 MiB)
    Interrupt:21

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:137 errors:0 dropped:0 overruns:0 frame:0
    TX packets:137 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:11919 (11.6 KiB) TX bytes:11919 (11.6 KiB)

    no tun.ko appears... is it normal, doc?
    Anyway, thanks a lot for your replies.

  11. Hi Ray,

    Thank you for replying.

    1. #insmod /lib/modules/tun.ko
    insmod: error inserting ‘tun.ko’: -1 File exists

    2. #ifconfig
    eth0 Link encap:Ethernet HWaddr 00:11:32:04:0A:98
    inet addr:192.168.1.40 Bcast:192.168.1.255 Mask:255.255.255.0
    UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
    RX packets:3851162 errors:0 dropped:0 overruns:0 frame:0
    TX packets:4141320 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:512
    RX bytes:1022659548 (975.2 MiB) TX bytes:2515571688 (2.3 GiB)
    Interrupt:21

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:741 errors:0 dropped:0 overruns:0 frame:0
    TX packets:741 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:113702 (111.0 KiB) TX bytes:113702 (111.0 KiB)

    Bizarre!

  12. Hi Ray,

    Here is the result:

    #lsmod | grep tun
    tun 9312 0

    So the tun module is running, but not tun.ko...? Can I kill that module?

    I tried

    #rmmod tun

    then
    #lsmod | grep tun
    nothing appears (normal), then
    #insmod /lib/modules/tun.ko
    nothing appears, OK.
    #ifconfig
    nothing new :o( (just eth0 and lo)

    What’s the matter?

    • Hi Victor,

      The tun.ko is not good. Maybe you can compile your own tun driver and try again (refer to series 23 for compile instructions).

      Good luck

  13. Thank you very much for a very good and easy guide!

    I have one question: the connection seems to be VERY slow; in the best case I get something like 100 KByte/sec. My internet connection is 100 Mbit down and 10 Mbit up. Normally I can upload at least 1 MByte/sec, so I doubt that my internet connection is the problem.

    Any ideas?

    • Hard to say in just a few words; there are way too many factors that can affect the performance. What I might guess: maybe the processor power, available memory, ISP or country VPN traffic monitoring, TCP overhead (try UDP instead), router QoS settings... a lot more, and it does take quite some time to figure it out.
