Synology usage series 7 – Setup OpenVPN server (Routed mode) with dual authentication and Windows/DS/TomatoVPN OpenVPN Client

Edit server configuration

Open /opt/etc/openvpn/config/openvpn.conf in vi and paste the following into the file:

## openvpn port number, default 1194; change it to the port you prefer
port 1194

## run openvpn over tcp or udp; change to the protocol you prefer
proto udp

## run openvpn in routed mode
dev tun

## certificate and key locations; replace [Server ID] with your
## value
ca /opt/etc/openvpn/config/ca.crt
cert /opt/etc/openvpn/config/[Server ID].crt
key /opt/etc/openvpn/config/[Server ID].key
dh /opt/etc/openvpn/config/dh1024.pem

## define the virtual subnet used by the vpn tunnel

## to let vpn clients reach the LAN behind the vpn server,
## push the server LAN's network address and subnet mask to the client;
## the vpn client will add a route to its routing table accordingly.
## More than one LAN can be pushed.
push "route"

## specify the directory that contains the client-specific configuration.
## This tells the vpn server where to route data to/from the
## vpn client's network;
## otherwise tcp/ip packets from the client network may be discarded.
## Update: Nov 06, 2009
## Previously, I wrongly assigned an absolute path here
## (/full/path/to/ccd).
## This prevents the openvpn runtime from locating the ccd directory because
## the 'chroot' command is also used here.
## So, do NOT assign an absolute path to client-config-dir if 'chroot' is used
client-config-dir ccd

## define the client network below

## optional: push dns servers to windows vpn clients;
## to push more than one DNS server to the client,
## just duplicate the line below.
## the example below tells the vpn client which name server to use
## to resolve domain names.
push "dhcp-option DNS"
push "dhcp-option DNS"

## the line below keeps the vpn connection alive even when the client is idle
keepalive 10 120

tls-auth /opt/etc/openvpn/config/ta.key 0

## use the default blowfish cipher; you may change to another cipher
cipher BF-CBC

## define maximum number of concurrent vpn clients
max-clients 5

## run the vpn server as nobody instead of root
## ** For DSM 5, running the daemon as nobody no longer works; comment out the two lines below.
user nobody
group nobody


## location of the status file, which lists active connections.
## note: this file is updated every minute, which breaks HD hibernation
status /opt/etc/openvpn/jail/log/openvpn-status.log

## how much detail goes into the log, from 0 to 9 (most detail).
## verb 7 is pretty good for debugging; reduce the value for production
verb 7

## run the vpn server in chroot mode,
## restricting the vpn server runtime to the jail directory only.
## * Files that must be accessed at runtime, such as log files and the
## ccd directory, must reside inside the chroot directory.
chroot jail

# Update: 2011-11-15
# optware has updated openvpn to around version 2.2.0; if you want to
# run external plugins to add two-factor authentication to openvpn,
# as described in a later part of this article, set script-security
# to 2, otherwise leave it at 1.
script-security 1
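The configuration above leaves a few points for the reader to check by hand: that client-config-dir stays relative when chroot is used, that script-security is high enough for external authentication, and whether the cipher and DH parameter choices are still adequate. The Python script below is an added example, not code from the article or from the OpenVPN project; it parses a config in this layout and reports those points. The two embedded configs, with their paths, addresses and the check-otp.sh script name, are constructed placeholders.

```python
"""Static lint for an OpenVPN server config laid out like the one in this article.

Added example, not code from the article or from the OpenVPN project. Two
configs are constructed inline (placeholder paths and addresses): one that
mirrors the article's directives, and one with the findings resolved.
"""
import os
import shlex

# Constructed sample 1: the article's layout, including the absolute
# client-config-dir that the author's Nov 06, 2009 update warns against.
ARTICLE_STYLE_CONF = """\
port 1194
proto udp
dev tun
ca /opt/etc/openvpn/config/ca.crt
cert /opt/etc/openvpn/config/server.crt
key /opt/etc/openvpn/config/server.key
dh /opt/etc/openvpn/config/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
client-config-dir /opt/etc/openvpn/jail/ccd
push "dhcp-option DNS 192.168.1.1"
keepalive 10 120
tls-auth /opt/etc/openvpn/config/ta.key 0
cipher BF-CBC
max-clients 5
user nobody
group nobody
status /opt/etc/openvpn/jail/log/openvpn-status.log
verb 7
chroot jail
script-security 1
auth-user-pass-verify /opt/etc/openvpn/check-otp.sh via-file
"""

# Constructed sample 2: the same config with each finding below resolved.
HARDENED_CONF = (
    ARTICLE_STYLE_CONF
    .replace("dh1024.pem", "dh2048.pem")
    .replace("client-config-dir /opt/etc/openvpn/jail/ccd", "client-config-dir ccd")
    .replace("cipher BF-CBC", "cipher AES-256-CBC")
    .replace("verb 7", "verb 3")
    .replace("script-security 1", "script-security 2")
)

# Directives that make OpenVPN execute a user-supplied script.
SCRIPT_DIRECTIVES = {"auth-user-pass-verify", "up", "down", "client-connect",
                     "client-disconnect", "learn-address", "tls-verify"}
# 64-bit block ciphers (Blowfish, DES/3DES, CAST5, RC2): SWEET32-class risk.
SMALL_BLOCK_PREFIXES = ("BF-", "DES-", "CAST5-", "RC2-")


def parse_conf(text):
    """Turn config text into (directive, args) pairs.

    Lines beginning with '#' or ';' are comments. shlex keeps a quoted
    argument such as push "route a.b.c.d m.m.m.m" as one token, which
    matches how OpenVPN reads it.
    """
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        directives.append((parts[0], parts[1:]))
    return directives


def lint(text):
    """Return (code, message) findings; an empty list means nothing was flagged."""
    conf = parse_conf(text)
    present = {name for name, _ in conf}
    args = dict(conf)  # last occurrence wins; fine for the single-valued directives checked here
    findings = []

    if "chroot" in present and "client-config-dir" in present \
            and os.path.isabs(args["client-config-dir"][0]):
        findings.append(("CCD_ABS_PATH", "client-config-dir is absolute but chroot is set; "
                                         "use a path relative to the jail, e.g. 'ccd'"))

    level = int(args.get("script-security", ["1"])[0])
    if level < 2 and (present & SCRIPT_DIRECTIVES):
        findings.append(("SCRIPT_SECURITY", "a script directive is configured but "
                                            "script-security is below 2, so it will not run"))

    cipher = args.get("cipher", ["BF-CBC"])[0].upper()  # BF-CBC was the historical default
    if cipher.startswith(SMALL_BLOCK_PREFIXES):
        findings.append(("WEAK_CIPHER", f"{cipher} is a 64-bit block cipher; prefer AES"))

    if "dh" in present and "1024" in os.path.basename(args["dh"][0]):
        findings.append(("WEAK_DH", "DH parameters look 1024-bit (judged by file name); "
                                    "generate 2048-bit or larger"))

    if int(args.get("verb", ["1"])[0]) > 4:
        findings.append(("DEBUG_VERB", "verb above 4 is debug-level logging; lower it in production"))

    if "tls-auth" not in present:
        findings.append(("NO_TLS_AUTH", "no tls-auth key: the TLS handshake is reachable "
                                        "by anyone who can reach the port"))

    return findings


if __name__ == "__main__":
    for label, text in (("article-style", ARTICLE_STYLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for code, msg in lint(text) or [("OK", "no findings")]:
            print(f"{code}: {msg}")
```

Run it as-is to see the article-style config flagged on five points and the hardened variant pass clean; to check a real file, read it into a string and pass it to lint(). The DH check is a file-name heuristic, so a 1024-bit parameter file with a different name will slip through it.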

45 thoughts

  1. hi Ray, thanks,

    syno1> killall openvpn give me -> killall: openvpn: no process killed
    syno1> ps auxwww | grep openvpn -> 10757 root 788 S grep openvpn

    but a netstat -l give me :
    udp 0 0 *:1194 *:*

    Do you know if it’s possible to change the 1194 to other port? I tried to replace 1194 by 2294 in the openvpn.conf , but after restarting openvpn , I always have this line in the openvpn.log.
    – Sat Jan 30 15:27:05 2010 us=644490 TCP/UDP: Socket bind failed on local address
    – undef]:1194: Address already in use

    • Hello,

      There must be some application on your NAS using port 1194/udp. Can you try using another port or try tcp instead of udp?

      My NAS runs two openvpn instances and both of them listen on two weird ports (something like 19010, 7890) without any issues.

      port 2294
      proto tcp

      good luck

  2. Hi Ray,
    Thanks for the tun.ko module.

    Openvpn is working now, but I still can’t access other computers that are on the same network as the Syno. ip forwarding is on.
    I thought that ip forwarding isn’t enough and NAT is needed. I tried to add a rule in iptables, but I get “iptables v1.4.2: can’t initialize iptables table `nat’: Table does not exist (do you need to insmod?)”.


    • Hi Jief,

      1. Did you add the two static routes to the broadband router yet?
      2. You can’t browse other PCs from network neighbourhood, but you probably can access other PCs from explorer with \\192.168.x.x
      3. I don’t need NAT to access other computers from the server side network.
      4. I’m not a networking expert, I’m afraid I can’t help with iptables things, sorry about that.

      By the way, great to hear that the tun.ko here useful to you.

  3. Hi Ray.

    Thanks for this nice post.

    I am a bit stuck.

    When doing “./build-ca” i get

    error on line 95 of /opt/etc/openvpn/easy-rsa/openssl.cnf
    10755:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 95

    Any clue?

    Thanks in advance


  4. ok, fixed it myself. the “vars file” needs two more entries:

    export KEY_SIZE=1024

    to fix the first “./build-ca” issue


    export OPENSSL=/opt/bin/openssl

    to fix the “./build-dh” issue

  5. Hi Ray,

    I’ve successfully set up openVPN between a DS207+ server and a DS110J client using your great instructions. When I try to add a WinXP laptop as a second client, its IP address clashes with the DS110J. Do you know how to give it a different IP address?



    • Hello SteveP,

      My solution is adding the following line to the openvpn.conf

      ifconfig-pool-persist /opt/etc/openvpn/jail/ipp.txt

      That works for me.

      If that doesn’t work for you, then you may need to assign a static IP to each VPN client.

      To assign a static IP to each VPN client, edit the client-specific ccd files and add the ifconfig-push line to the files:

      For example

      client 1
      # vi …/openvpn/jail/ccd/client1

      client 2
      # vi …/openvpn/jail/ccd/client2

      Kindly let me know which solution works for you so that I might add the instructions to the article.

      Thanks in advance.
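As an added example (not part of the comment thread, and not the article's code), the script below writes the per-client ccd files described in the reply above, one static ifconfig-push line per client, and checks that each address pair is a valid /30 for the default net30 topology of 'dev tun'. Client names, addresses and the ccd directory are constructed; it assumes 'server 10.8.0.0 255.255.255.0' and that each file name matches the client's certificate common name.

```python
"""Generate per-client ccd files with static tunnel addresses.

Added example, not code from the article or its comments. The client names,
addresses and ccd directory are constructed; it assumes the server uses
'dev tun' with the default net30 topology, where each client gets its own /30.
"""
import ipaddress
from pathlib import Path


def net30_pair_ok(client_ip, endpoint_ip, server_net):
    """True if client_ip and endpoint_ip are the two usable hosts of one /30 in server_net.

    In net30 topology each client consumes a /30: network address, two usable
    hosts (client and server-side endpoint) and broadcast. The first /30 of the
    subnet is taken by the server itself, so it is rejected here.
    """
    net = ipaddress.IPv4Network(server_net)
    c, e = ipaddress.IPv4Address(client_ip), ipaddress.IPv4Address(endpoint_ip)
    if c == e or c not in net or e not in net:
        return False
    block = ipaddress.IPv4Network(f"{c}/30", strict=False)
    if block.network_address == net.network_address:
        return False
    usable = {block.network_address + 1, block.network_address + 2}
    return {c, e} == usable


def write_ccd(ccd_dir, assignments, server_net):
    """Write ccd/<client> files containing 'ifconfig-push <client_ip> <endpoint_ip>'.

    assignments: {common_name: (client_ip, endpoint_ip)}. Raises ValueError on
    an invalid /30 pair or when two clients would share an address.
    Returns the list of files written.
    """
    ccd_dir = Path(ccd_dir)
    ccd_dir.mkdir(parents=True, exist_ok=True)
    seen = set()
    written = []
    for name, (client_ip, endpoint_ip) in assignments.items():
        if not net30_pair_ok(client_ip, endpoint_ip, server_net):
            raise ValueError(f"{name}: {client_ip}/{endpoint_ip} is not a valid net30 pair in {server_net}")
        if {client_ip, endpoint_ip} & seen:
            raise ValueError(f"{name}: address already assigned to another client")
        seen.update({client_ip, endpoint_ip})
        path = ccd_dir / name  # file name must equal the client's certificate CN
        path.write_text(f"ifconfig-push {client_ip} {endpoint_ip}\n")
        written.append(path)
    return written


# Constructed sample: two clients under 'server 10.8.0.0 255.255.255.0'.
SAMPLE_ASSIGNMENTS = {
    "client1": ("10.8.0.6", "10.8.0.5"),
    "client2": ("10.8.0.10", "10.8.0.9"),
}

if __name__ == "__main__":
    import tempfile
    # Writes into a temporary directory; point it at the jail's ccd directory for real use.
    for p in write_ccd(tempfile.mkdtemp(), SAMPLE_ASSIGNMENTS, "10.8.0.0/24"):
        print(p, "->", p.read_text().strip())
```

Because the article runs the server under chroot with a relative client-config-dir, the directory passed to write_ccd() has to be the ccd directory inside the jail, and the addresses must be kept outside the range that ifconfig-pool-persist hands out dynamically.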

  6. hi Ray,

    i’m almost a newbie in the linux world (and a frenchman who hasn’t practised his english for a long time :o)

    i own a DS207+ and i upgraded to DSM 2.3 yesterday. i’m happy to discover that tun.ko is provided by default in this version of the firmware.

    i followed your instructions until the end… could you tell me how to start openvpn from the bash command line?

    here are the lsmod and ifconfig results:

    Module Size Used by
    tun 9312 0
    usbhid 26404 0
    usblp 11680 0
    usb_storage 32068 0
    uhci_hcd 28720 0
    ohci_hcd 15204 0
    ehci_hcd 30088 0
    ds107+_synobios 16536 0
    isofs 33308 0
    udf 85124 0
    zlib_inflate 16672 1 isofs
    fuse 45396 0
    nfsd 105316 0
    exportfs 4416 1 nfsd
    ppp_async 9504 0
    crc_ccitt 1568 1 ppp_async
    ppp_generic 22260 1 ppp_async
    slhc 6368 1 ppp_generic
    snd_pcm_oss 41728 0
    snd_mixer_oss 15616 1 snd_pcm_oss
    snd_usb_audio 85700 0
    snd_pcm 71976 2 snd_pcm_oss,snd_usb_audio
    snd_timer 21156 1 snd_pcm
    snd_hwdep 7844 1 snd_usb_audio
    snd_usb_lib 18016 1 snd_usb_audio
    snd_rawmidi 22176 1 snd_usb_lib
    snd_seq_device 7596 1 snd_rawmidi
    snd 53692 9 snd_pcm_oss,snd_mixer_oss,snd_usb_audio,snd_pcm,snd_timer,snd_hwdep,snd_usb_lib,snd_rawmidi,snd_seq_device
    snd_page_alloc 8072 1 snd_pcm
    soundcore 7620 1 snd
    quota_v2 9056 2
    usbcore 115752 9 usbhid,usblp,usb_storage,uhci_hcd,ohci_hcd,ehci_hcd,snd_usb_audio,snd_usb_lib
    sg 30464 0
    ntfs 115700 0
    vfat 10720 0
    fat 48444 1 vfat
    appletalk 32952 20
    psnap 2852 1 appletalk
    llc 5876 1 psnap
    GEOSTATION> ifconfig
    eth0 Link encap:Ethernet HWaddr 00:11:32:04:0A:98
    inet addr: Bcast: Mask:
    RX packets:2454 errors:0 dropped:0 overruns:0 frame:0
    TX packets:2631 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:512
    RX bytes:476970 (465.7 KiB) TX bytes:1081992 (1.0 MiB)

    lo Link encap:Local Loopback
    inet addr: Mask:
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:89 errors:0 dropped:0 overruns:0 frame:0
    TX packets:89 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:8643 (8.4 KiB) TX bytes:8643 (8.4 KiB)


    Thank you for the tutorial, hope you could help me.

    cheers from france


  7. oh, i forgot that line:

    insmod tun.ko
    insmod: error inserting ‘tun.ko’: -1 File exists

    think that’s the problem…


  8. me again…

    i have that ugly message

    #cd /opt/etc/init.d
    /opt/sbin/openvpn: error while loading shared libraries: cannot open shared object file: No such file or directory

    what do you think about that ? any ideas ?

    sorry for spamming :o(


    • Hi Victor,

      Sorry for the late reply, been busy with some real life stuff.

      I’m not sure if the lzo issue is introduced by firmware 2.3. My article is actually tested on firmware 2.1/2.2 only.

      Can you ssh to the box, sudo to root and then try the following command?

      # ipkg list_installed | grep lzo
      # ipkg list_installed | grep openvpn

      Lemme know the result.

  9. hi ray,

    thank you for the reply.

    here the result of

    # ipkg list_installed | grep lzo
    lzo – 1.08-2 –
    # ipkg list_installed | grep openvpn
    openvpn – 2.1.1-2 – SSL based VPN server with Windows client support

    Hope DSM 2.3 is ok :o)

    • Hi Victor,

      I’m not sure if reinstalling lzo helps or not. Wondering if you would like to give it a try?

      #ipkg -force-reinstall install lzo

  10. hi ray,

    you wondered right. I tried

    #ipkg -force-reinstall install lzo
    and then
    # cd /opt/etc/init.d
    # ./S20openvpn
    and no error message…

    However, if i try
    eth0 Link encap:Ethernet HWaddr 00:11:32:04:0A:98
    inet addr: Bcast: Mask:
    RX packets:37034 errors:0 dropped:0 overruns:0 frame:0
    TX packets:28867 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:512
    RX bytes:8396226 (8.0 MiB) TX bytes:10737185 (10.2 MiB)

    lo Link encap:Local Loopback
    inet addr: Mask:
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:137 errors:0 dropped:0 overruns:0 frame:0
    TX packets:137 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:11919 (11.6 KiB) TX bytes:11919 (11.6 KiB)

    no tun.ko appears. is it normal, doc?
    anyway, thanks a lot for your replies.

  11. hi ray,

    thank you for replying.

    1. #insmod /lib/modules/tun.ko
    insmod: error inserting ‘tun.ko’: -1 File exists

    2. #ifconfig
    eth0 Link encap:Ethernet HWaddr 00:11:32:04:0A:98
    inet addr: Bcast: Mask:
    RX packets:3851162 errors:0 dropped:0 overruns:0 frame:0
    TX packets:4141320 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:512
    RX bytes:1022659548 (975.2 MiB) TX bytes:2515571688 (2.3 GiB)

    lo Link encap:Local Loopback
    inet addr: Mask:
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:741 errors:0 dropped:0 overruns:0 frame:0
    TX packets:741 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:113702 (111.0 KiB) TX bytes:113702 (111.0 KiB)

    bizarre !

  12. Hi Ray,

    here is the result :

    #lsmod | grep tun
    tun 9312 0

    so the module tun is running, but not tun.ko…? can i kill that module..?

    I tried

    #rmmod tun

    #lsmod | grep tun
    nothing appear (normal), then
    #insmod /lib/modules/tun.ko
    nothing appear, ok.
    nothing new :o( (just eth0 and lo)

    what’s the matter?

    • Hi Victor,

      the tun.ko is not good. Maybe you can compile your own tun driver and try again (refer to series 23 for compile instruction)

      Good luck

  13. Thank you very much for a very good and easy guide !

    I have one question: The connection seems to be VERY slow; in the best case I get something like 100 Kbyte/sec. My internet connection is 100 Mbit down and 10 Mbit up. Normally I can upload at least 1 Mbyte/sec, so I doubt that my internet connection is the problem.

    Any ideas ?

    • Hard to say in just a few words; there are way too many factors that can affect the performance. My guesses would be processor power, available memory, ISP or country vpn traffic monitoring, tcp overhead (try udp instead), router QoS settings… a lot more, and it does take quite some time to figure it out.
