Synology usage series 7 – Setup OpenVPN server (Routed mode) with dual authentication and Windows/DS/TomatoVPN OpenVPN Client


Revoke a client certificate

Revoke the certificate

  1. SSH to DiskStation as root
  2. Edit /opt/etc/openvpn/easy-rsa/revoke-full

    Look at the first line


    #!/bin/bash

    Change it to


    #!/opt/bin/bash

    Save the file

  3. Initialize the environment
    
    # cd /opt/etc/openvpn/easy-rsa
    # . vars
    
  4. Revoke the client certificate
    
    # cd /opt/etc/openvpn/easy-rsa
    # ./revoke-full [client common name]
    

    A file crl.pem will be generated in the /opt/etc/openvpn/easy-rsa/keys directory.

Set up OpenVPN to verify revoked certificates

  1. Login to DS as root
  2. Create a keys directory under jail
    
    # mkdir /opt/etc/openvpn/jail/keys
    
  3. Edit the OpenVPN config file /opt/etc/openvpn/config/openvpn.conf and add the following line at the end of the file (the path is relative to the jail directory, which is why the keys directory was created there):
    
    crl-verify keys/crl.pem
    
  4. IMPORTANT: every time you revoke a client certificate, crl.pem is regenerated. You need to copy the updated crl.pem to the /opt/etc/openvpn/jail/keys directory, because OpenVPN reads only that copy; until you do, the revoked certificate is still accepted.
    
    # cp /opt/etc/openvpn/easy-rsa/keys/crl.pem /opt/etc/openvpn/jail/keys
    
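The flow above (revoke, regenerate crl.pem, copy it into the jail) is easy to get half right: the server reads only the jail copy, so a forgotten cp leaves a revoked client able to connect. The script below is an added example, not part of the original article or of easy-rsa. It builds a throwaway CA in a temporary directory with plain openssl commands (the ca and jail/keys directory names are constructed stand-ins for the easy-rsa keys and jail/keys directories), issues a client certificate, revokes it, and checks the certificate against both copies of the CRL the way crl-verify does. It needs only openssl in PATH.

```shell
#!/bin/sh
# Added example (not from the article or easy-rsa): a throwaway CA driven with
# plain openssl commands, reproducing the revoke -> crl.pem -> copy-to-jail flow.
# All paths are constructed for this lab; on the DiskStation the CA lives in
# /opt/etc/openvpn/easy-rsa/keys and openvpn reads /opt/etc/openvpn/jail/keys/crl.pem.
WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/ca"            # stand-in for easy-rsa/keys
JAIL_KEYS="$WORK/jail/keys"  # stand-in for jail/keys (what crl-verify actually reads)
CNF="$WORK/ca.cnf"

# Build the CA: minimal openssl config, CA key/cert, and an initial (empty) CRL.
setup_ca() {
    mkdir -p "$CA_DIR/newcerts" "$JAIL_KEYS"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_cn
unique_subject = no
x509_extensions = client_ext
[ policy_cn ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = req_dn
prompt = no
x509_extensions = ca_ext
[ req_dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Lab OpenVPN CA" -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
    openssl ca -config "$CNF" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}

# Issue a client certificate for a common name (what build-key <cn> does).
issue_client() {
    cn="$1"
    openssl req -config "$CNF" -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$CA_DIR/$cn.key" -out "$CA_DIR/$cn.csr" 2>/dev/null
    openssl ca -config "$CNF" -batch -notext -in "$CA_DIR/$cn.csr" -out "$CA_DIR/$cn.crt" 2>/dev/null
}

# Revoke a client and regenerate crl.pem (what revoke-full does under the hood).
revoke_client() {
    cn="$1"
    openssl ca -config "$CNF" -revoke "$CA_DIR/$cn.crt" 2>/dev/null
    openssl ca -config "$CNF" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}

# Check a client cert against a given CRL file, as the server's crl-verify would.
# Prints "valid" or "revoked".
cert_status() {
    cn="$1"; crl="$2"
    if openssl verify -crl_check -CAfile "$CA_DIR/ca.crt" -CRLfile "$crl" \
            "$CA_DIR/$cn.crt" >/dev/null 2>&1; then
        echo valid
    else
        echo revoked
    fi
}

# Step-4 check: is the jail copy identical to the CA's current crl.pem?
jail_crl_is_current() {
    [ -f "$JAIL_KEYS/crl.pem" ] &&
    [ "$(openssl dgst -sha256 < "$CA_DIR/crl.pem")" = "$(openssl dgst -sha256 < "$JAIL_KEYS/crl.pem")" ]
}

sync_crl_to_jail() {
    cp "$CA_DIR/crl.pem" "$JAIL_KEYS/crl.pem"
}

setup_ca
issue_client client1
sync_crl_to_jail
echo "before revoke, jail crl.pem: client1 is $(cert_status client1 "$JAIL_KEYS/crl.pem")"
revoke_client client1
echo "after revoke, CA crl.pem:    client1 is $(cert_status client1 "$CA_DIR/crl.pem")"
echo "after revoke, jail crl.pem:  client1 is $(cert_status client1 "$JAIL_KEYS/crl.pem") (stale copy)"
sync_crl_to_jail
echo "after cp to jail:            client1 is $(cert_status client1 "$JAIL_KEYS/crl.pem")"
```

The middle two lines of output are the point: immediately after revoke-full the CA's crl.pem rejects the client while the jail copy still admits it, and only the cp closes the gap. A cron job or a wrapper around revoke-full that runs the copy step and then compares the two files (as jail_crl_is_current does) removes the dependency on remembering step 4.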




45 thoughts


  1. hi Ray, thanks,

    syno1> killall openvpn gives me -> killall: openvpn: no process killed
    syno1> ps auxwww | grep openvpn -> 10757 root 788 S grep openvpn

    but a netstat -l gives me:
    udp 0 0 *:1194 *:*

    Do you know if it’s possible to change 1194 to another port? I tried to replace 1194 with 2294 in openvpn.conf, but after restarting openvpn, I always have this line in openvpn.log.
    – Sat Jan 30 15:27:05 2010 us=644490 TCP/UDP: Socket bind failed on local address
    – undef]:1194: Address already in use

    • Hello,

      There must be some application on your NAS using port 1194/udp. Can you try using another port, or try tcp instead of udp?

      My NAS runs two openvpn instances, and both of them listen on two weird ports (something like 19010, 7890) without any issues.

      openvpn.conf
      —————–
      port 2294
      proto tcp

      good luck

  2. Hi Ray,
    Thanks for the tun.ko module.

    OpenVPN is working now, but I still can’t access other computers that are on the same network as the Syno. IP forwarding is on.
    I thought that IP forwarding isn’t enough and NAT is needed. I tried to add a rule in iptables, but I get “iptables v1.4.2: can’t initialize iptables table `nat’: Table does not exist (do you need to insmod?)”.

    Thanks.
    Regards.

    • Hi Jief,

      1. Did you add the two static routes to the broadband router yet?
      2. You can’t browse other PCs from network neighbourhood, but you probably can access other PCs from Explorer via \\192.168.x.x
      3. I don’t need NAT to access other computers on the server-side network.
      4. I’m not a networking expert, so I’m afraid I can’t help with the iptables things, sorry about that.

      By the way, great to hear that the tun.ko here is useful to you.

  3. Hi Ray.

    Thanks for this nice post.

    I am a bit stuck.

    When doing “./build-ca” I get

    ####################
    ./build-ca
    error on line 95 of /opt/etc/openvpn/easy-rsa/openssl.cnf
    10755:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 95
    ###################

    Any clue?

    Thanks in advance
    Regards

    Thomas

  4. OK, fixed it myself. The “vars” file needs two more entries:

    export KEY_SIZE=1024

    to fix the first “./build-ca” issue

    and

    export OPENSSL=/opt/bin/openssl

    to fix the “./build-dh” issue

  5. Hi Ray,

    I’ve successfully set up OpenVPN between a DS207+ server and a DS110J client using your great instructions. When I try to add a WinXP laptop as a second client, its IP address clashes with the DS110J. Do you know how to get it a different IP address?

    thanks

    SteveP

    • Hello SteveP,

      My solution is adding the following line to the openvpn.conf

      ifconfig-pool-persist /opt/etc/openvpn/jail/ipp.txt

      That works for me.

      If that doesn’t work for you, then you may need to assign a static IP to each VPN client.

      To assign a static IP to each VPN client, edit the client-specific ccd files and add an ifconfig-push line to them:

      For example

      client 1
      # vi …/openvpn/jail/ccd/client1
      ifconfig-push 192.168.30.1 192.168.30.2

      client 2
      # vi …/openvpn/jail/ccd/client2
      ifconfig-push 192.168.30.5 192.168.30.6

      Kindly let me know which solution works for you so that I can add the instructions to the article.

      Thanks in advance.

  6. hi Ray,

    I’m almost a newbie in the Linux world (and a Frenchman who hasn’t practised his English for a long time :o)

    I own a DS207+ and I upgraded to DSM 2.3 yesterday. I’m happy to discover that tun.ko is provided by default in this version of the firmware.

    I followed your instructions until the end... could you tell me how to start openvpn from the bash command line?

    Here are the lsmod and ifconfig results:

    lsmod
    Module Size Used by
    tun 9312 0
    usbhid 26404 0
    usblp 11680 0
    usb_storage 32068 0
    uhci_hcd 28720 0
    ohci_hcd 15204 0
    ehci_hcd 30088 0
    ds107+_synobios 16536 0
    isofs 33308 0
    udf 85124 0
    zlib_inflate 16672 1 isofs
    fuse 45396 0
    nfsd 105316 0
    exportfs 4416 1 nfsd
    ppp_async 9504 0
    crc_ccitt 1568 1 ppp_async
    ppp_generic 22260 1 ppp_async
    slhc 6368 1 ppp_generic
    snd_pcm_oss 41728 0
    snd_mixer_oss 15616 1 snd_pcm_oss
    snd_usb_audio 85700 0
    snd_pcm 71976 2 snd_pcm_oss,snd_usb_audio
    snd_timer 21156 1 snd_pcm
    snd_hwdep 7844 1 snd_usb_audio
    snd_usb_lib 18016 1 snd_usb_audio
    snd_rawmidi 22176 1 snd_usb_lib
    snd_seq_device 7596 1 snd_rawmidi
    snd 53692 9 snd_pcm_oss,snd_mixer_oss,snd_usb_audio,snd_pcm,snd_timer,snd_hwdep,snd_usb_lib,snd_rawmidi,snd_seq_device
    snd_page_alloc 8072 1 snd_pcm
    soundcore 7620 1 snd
    quota_v2 9056 2
    usbcore 115752 9 usbhid,usblp,usb_storage,uhci_hcd,ohci_hcd,ehci_hcd,snd_usb_audio,snd_usb_lib
    sg 30464 0
    ntfs 115700 0
    vfat 10720 0
    fat 48444 1 vfat
    appletalk 32952 20
    psnap 2852 1 appletalk
    llc 5876 1 psnap
    GEOSTATION> ifconfig
    eth0 Link encap:Ethernet HWaddr 00:11:32:04:0A:98
    inet addr:192.168.1.40 Bcast:192.168.1.255 Mask:255.255.255.0
    UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
    RX packets:2454 errors:0 dropped:0 overruns:0 frame:0
    TX packets:2631 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:512
    RX bytes:476970 (465.7 KiB) TX bytes:1081992 (1.0 MiB)
    Interrupt:21

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:89 errors:0 dropped:0 overruns:0 frame:0
    TX packets:89 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:8643 (8.4 KiB) TX bytes:8643 (8.4 KiB)

    GEOSTATION>

    Thank you for the tutorial, hope you could help me.

    cheers from france

    victor

  7. oh, i forgot that line:

    insmod tun.ko
    insmod: error inserting ‘tun.ko’: -1 File exists

    think that’s the problem…

    victor

  8. me again…

    I have this ugly message

    #cd /opt/etc/init.d
    #./S20openvpn
    /opt/sbin/openvpn: error while loading shared libraries: liblzo2.so.2: cannot open shared object file: No such file or directory

    What do you think about that? Any ideas?

    sorry for spamming :o(

    victor

    • Hi Victor,

      Sorry for the late reply, been busy with some real life stuff.

      I’m not sure if the lzo issue is introduced by firmware 2.3. My article is actually tested on firmware 2.1/2.2 only.

      Can you ssh to the box, sudo to root and then try the following command?

      # ipkg list_installed | grep lzo
      # ipkg list_installed | grep openvpn

      Lemme know the result.

  9. hi ray,

    thank you for the reply.

    here the result of

    # ipkg list_installed | grep lzo
    lzo – 1.08-2 –
    # ipkg list_installed | grep openvpn
    openvpn – 2.1.1-2 – SSL based VPN server with Windows client support

    Hope DSM 2.3 is ok :o)

    • Hi Victor,

      I’m not sure if reinstalling lzo helps or not. Wondering if you would like to give it a try?

      #ipkg -force-reinstall install lzo

  10. hi ray,

    you wondered right. I tried

    #ipkg -force-reinstall install lzo
    and then
    # cd /opt/etc/init.d
    # ./S20openvpn
    and no error message…

    However, if i try
    #ifconfig
    eth0 Link encap:Ethernet HWaddr 00:11:32:04:0A:98
    inet addr:192.168.1.40 Bcast:192.168.1.255 Mask:255.255.255.0
    UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
    RX packets:37034 errors:0 dropped:0 overruns:0 frame:0
    TX packets:28867 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:512
    RX bytes:8396226 (8.0 MiB) TX bytes:10737185 (10.2 MiB)
    Interrupt:21

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:137 errors:0 dropped:0 overruns:0 frame:0
    TX packets:137 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:11919 (11.6 KiB) TX bytes:11919 (11.6 KiB)

    No tun.ko appears... is it normal, doc?
    Anyway, thanks a lot for your replies.

  11. hi ray,

    thank you for replying.

    1. #insmod /lib/modules/tun.ko
    insmod: error inserting ‘tun.ko’: -1 File exists

    2. #ifconfig
    eth0 Link encap:Ethernet HWaddr 00:11:32:04:0A:98
    inet addr:192.168.1.40 Bcast:192.168.1.255 Mask:255.255.255.0
    UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
    RX packets:3851162 errors:0 dropped:0 overruns:0 frame:0
    TX packets:4141320 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:512
    RX bytes:1022659548 (975.2 MiB) TX bytes:2515571688 (2.3 GiB)
    Interrupt:21

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:741 errors:0 dropped:0 overruns:0 frame:0
    TX packets:741 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:113702 (111.0 KiB) TX bytes:113702 (111.0 KiB)

    bizarre !

  12. Hi Ray,

    here is the result :

    #lsmod | grep tun
    tun 9312 0

    So the module tun is running, but not tun.ko...? Can I kill that module?

    I tried

    #rmmod tun

    then
    #lsmod | grep tun
    nothing appear (normal), then
    #insmod /lib/modules/tun.ko
    nothing appear, ok.
    #ifconfig
    nothing new :o( (just eth0 and lo)

    what’s the matter?

    • Hi Victor,

      The tun.ko is not good. Maybe you can compile your own tun driver and try again (refer to series 23 for compile instructions).

      Good luck

  13. Thank you very much for a very good and easy guide !

    I have one question: the connection seems to be VERY slow; in the best case I get something like 100 KByte/sec. My internet connection is 100 Mbit down and 10 Mbit up. Normally I can upload at least 1 MByte/sec, so I doubt that my internet connection is the problem.

    Any ideas ?

    • Hard to say in just a few words; there are way too many factors that can affect the performance. What I might guess: maybe the processor power, available memory, ISP or country VPN traffic monitoring, TCP overhead (try UDP instead), router QoS settings... a lot more, and it does take quite some time to figure it out.
