Synology usage series 7 – Setup OpenVPN server (Routed mode) with dual authentication and Windows/DS/TomatoVPN OpenVPN Client


Update 2014-12-14

If you are using auth-user-pass-verify with a bash script to verify the user password, your server may be vulnerable to Shellshock: with the via-env method OpenVPN hands the client-supplied username and password to the script as environment variables, which is exactly the kind of input an unpatched bash parses as a function definition before your script even starts. I suggest following my later articles and using auth-user-pass with the corresponding plugin (authenticating against OpenLDAP or FreeRADIUS) instead. This avoids the bash script altogether.
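As an added example (not code from the original article, nor Synology's or OpenVPN's own tooling), the following POSIX shell script performs the two checks this update implies: it audits an openvpn.conf for an auth-user-pass-verify hook whose script runs under bash, and it probes whether the bash on the box is still Shellshock-vulnerable. The sample configs, the checkpw.sh script and the plugin paths inside demo() are constructed for the demo and are assumptions, not paths taken from the article.

```sh
#!/bin/sh
# Added example (not code from the original article): audit an OpenVPN server
# config for the auth-user-pass-verify + bash-script combination that Shellshock
# abuses, and probe whether the local bash is still vulnerable. Plain POSIX sh.

# Probe the bash on PATH with the classic env-function-definition test.
# An unpatched bash runs "echo VULNERABLE" while importing x, before the -c
# script. Prints "vulnerable", "patched" or "no-bash".
shellshock_check() {
  command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
  out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo test' 2>/dev/null)
  case "$out" in
    *VULNERABLE*) echo vulnerable ;;
    *)            echo patched ;;
  esac
}

# Name of the interpreter on a script's shebang line ("bash", "sh", "python",
# ...), following "#!/usr/bin/env X" to X; "unknown" if unreadable or no shebang.
script_interpreter() {
  line=$(head -n 1 "$1" 2>/dev/null)
  case "$line" in
    "#!"*) printf '%s\n' "${line#??}" \
             | awk '{ n = split($1, p, "/"); i = p[n]; if (i == "env" && NF > 1) i = $2; print i }' ;;
    *)     echo unknown ;;
  esac
}

# Audit one openvpn.conf. Output, one finding per line:
#   RISK <script> <method> bash       verify script runs under bash: Shellshock exposure
#   WARN <script> <method> <interp>   any other verify script (still an env-exposed hook)
#   PLUGIN <path>                     a plugin-based auth hook (the recommended route)
#   OK no auth-user-pass-verify       when no script hook is configured
# Returns 1 if any RISK line was produced, else 0.
audit_openvpn_conf() {
  conf=$1
  dir=$(dirname "$conf")
  report=$(
    sed -e 's/[#;].*//' "$conf" \
      | awk '$1 == "auth-user-pass-verify" { print "VERIFY", $2, $3 }
             $1 == "plugin"                { print "PLUGIN", $2 }' \
      | while read -r kind arg1 arg2; do
          case "$kind" in
            PLUGIN) echo "PLUGIN $arg1" ;;
            VERIFY)
              # Relative script paths are resolved against the config directory
              # (assumption for this example; OpenVPN itself resolves them against
              # its working directory, e.g. the one set by a "cd" directive).
              case "$arg1" in /*) path=$arg1 ;; *) path=$dir/$arg1 ;; esac
              interp=$(script_interpreter "$path")
              if [ "$interp" = bash ]; then
                echo "RISK $arg1 $arg2 $interp"
              else
                echo "WARN $arg1 $arg2 $interp"
              fi ;;
          esac
        done
  )
  [ -n "$report" ] && printf '%s\n' "$report"
  printf '%s\n' "$report" | grep -Eq '^(RISK|WARN)' || echo "OK no auth-user-pass-verify"
  printf '%s\n' "$report" | grep -q '^RISK' && return 1
  return 0
}

# Constructed sample (not a real deployment): the weak setting beside the
# plugin-based replacement, audited one after the other.
demo() {
  tmp=$(mktemp -d)
  printf '#!/bin/bash\n# reads $username and $password from the environment\nexit 0\n' > "$tmp/checkpw.sh"
  cat > "$tmp/weak.conf" <<'EOF'
port 1194
proto udp
dev tun
# dual authentication via a bash script; via-env exports username/password
auth-user-pass-verify checkpw.sh via-env
script-security 3
EOF
  cat > "$tmp/hardened.conf" <<'EOF'
port 1194
proto udp
dev tun
# dual authentication via the LDAP plugin (plugin and config paths are assumptions)
plugin /opt/lib/openvpn/openvpn-auth-ldap.so /opt/etc/openvpn/auth-ldap.conf
EOF
  echo "bash: $(shellshock_check)"
  for c in weak hardened; do
    echo "== $c.conf"
    audit_openvpn_conf "$tmp/$c.conf" || true
  done
  rm -rf "$tmp"
}

demo
```

Run it on the DiskStation as `sh audit.sh`; to audit your real config, call `audit_openvpn_conf /opt/etc/openvpn/config/openvpn.conf` directly. A WARN is not a free pass: any script hook still receives client-controlled data, so the plugin route stays the better choice.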

I’ve owned four DS (101j, 207+, 213j, 213+), and it seems to me that Synology keeps having serious security flaws over the years. I am pretty sure that their software engineers/developers either do not have much sense of security or just don’t care about it.

As for the latest OpenVPN hardcoded password issue, it sounds insane to me to hardcode a login password for every user who installed their pre-packaged OpenVPN component. This simply leaves your DS wide open to the world.

Luckily I am using OpenVPN from optware instead of the pre-packaged one. It is always wise to set up your own and keep full control over your security components. Follow this article and set up OpenVPN yourself, for your own good.

This article describes all the steps to install OpenVPN in my environment so that I can access the resources on my DS207+ (Samba, the DS207+ admin console, Audio Station, ...) from any remote location in a secure way.

* I’ve tested and confirmed that OpenVPN even works on my DS101j, for both the server and the client setup.

* Also reported working on a DS107+ by a user on the Synology forum.


Tested platforms:

DS213+ firmware version DSM 5.0-4493 Update 4

DS213j firmware version DSM 4.3-3827 Update 6

DS207+ firmware version DSM 2.1-0844 , 2.2-0959, 3.1-1613
ipkg source http://ipkg.nslu2-linux.org/feeds/optware/syno-x07/cross/unstable/

DS101j firmware version DSM 2.0-0731
ipkg source http://ipkg.nslu2-linux.org/feeds/optware/ds101/cross/stable

Table of Content

Page 1      Assumptions and Pre-requisites
Page 2-7    Installing OpenVPN server on DS207+/DS101j
Page 8      Installing OpenVPN client on Windows
Page 9      Installing VPN Client on DS101j
Page 10     Install TomatoVPN 3.4 as OpenVPN Client
Page 11     Manually install OpenVPN Client on Nexus 5
Page 12     How to allow vpn clients access all machines in the server network
Page 13     Important Tips for Vista

Advanced Implementation

Page 14     VPN Server acting as internet gateway, and other useful TIPS
Page 15     VPN Server failover
Page 16     Dual authentication – Adding username and password verification
Page 17     Revoke a client certificate

The environment

OpenVPN Sample Diagram


OpenVPN Server network: 192.168.10.0/255.255.255.0
OpenVPN Server deployed on DiskStation with IP 192.168.10.5

OpenVPN Client network: 192.168.20.0/255.255.255.0
OpenVPN Client deployed on IBM X40 with IP 192.168.20.3

OpenVPN Virtual Subnet: 192.168.30.0/255.255.255.0

My DS207+ is located at my home, in the network 192.168.10.0/255.255.255.0, with a fixed internal IP address of 192.168.10.5. I’ll deploy the OpenVPN server on the DiskStation.

I have an IBM X40 notebook which needs to access my DiskStation from public environments such as an internet cafe, or even from another country. Most of the time, however, the X40 sits in the network 192.168.20.0/255.255.255.0. I’ll deploy the OpenVPN client (win32) on the X40.

A new VPN subnet is created once the VPN connection is established; I defined this virtual subnet as 192.168.30.0/255.255.255.0.

Replace the values above with your own IP/network addresses.

Define the Server and Client ID

First we need to define the [Server ID] and [Client ID]. Each ID must be a single word.

[Server ID] is the machine running the OpenVPN server.
[Client ID] is the machine running the OpenVPN client.

My example:
[Server ID] = server
[Client ID] = x40

Pre-requisites

  1. IMPORTANT! The two machines must be on two different subnets, otherwise their IP addresses will conflict. The OpenVPN HOWTO also suggests using an uncommon subnet such as 10.30.40.0/24 rather than 192.168.0.0/24 or 192.168.1.0/24, which are very likely to lead to IP conflicts (for example with the public wifi network of an airport or an internet cafe).
  2. The DS207+ is bootstrapped (optware/ipkg installed).
  3. SSH is enabled on the DS207+.
  4. bash is installed on the DS207+; if not, run ‘ipkg install bash’.
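As an added example (not from the original article), the following POSIX shell script checks a plan like the one above before you start: it parses the three networks (dotted masks as written in this article, or CIDR prefixes), reports any overlap between server LAN, client LAN and VPN subnet, and warns when one of them sits in a default range that home routers and public wifi networks commonly hand out. The list of "common default" ranges is my own assumption, not something the article or the OpenVPN HOWTO enumerates.

```sh
#!/bin/sh
# Added example (not code from the original article): sanity-check the three
# networks of a VPN plan (server LAN, client LAN, VPN virtual subnet) for
# overlap and for "too common" address ranges. Plain POSIX sh arithmetic.

# Dotted quad -> 32-bit integer, e.g. 192.168.10.0 -> 3232238080
ip_to_int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network address and prefix length of "a.b.c.d/nn" or "a.b.c.d/m.m.m.m"
# (the article writes masks in dotted form). Prints "<int_network> <prefix>".
parse_cidr() {
  addr=${1%/*}; mask=${1#*/}
  case "$mask" in
    *.*) m=$(ip_to_int "$mask")
         # count the leading one bits of a dotted mask
         p=0
         while [ $p -lt 32 ] && [ $(( (m >> (31 - p)) & 1 )) -eq 1 ]; do p=$((p + 1)); done ;;
    *)   p=$mask; m=$(( (4294967295 << (32 - p)) & 4294967295 )) ;;
  esac
  echo "$(( $(ip_to_int "$addr") & m )) $p"
}

# Returns 0 (true) if the two networks share any address, 1 otherwise.
# Two networks overlap exactly when the shorter prefix covers both.
subnets_overlap() {
  a=$(parse_cidr "$1"); b=$(parse_cidr "$2")
  n1=${a% *}; p1=${a#* }; n2=${b% *}; p2=${b#* }
  p=$p1; [ "$p2" -lt "$p" ] && p=$p2
  m=$(( (4294967295 << (32 - p)) & 4294967295 ))
  [ $(( n1 & m )) -eq $(( n2 & m )) ]
}

# Default LAN ranges frequently seen on home routers and public wifi
# (assumption for this example; extend to taste).
COMMON_DEFAULTS="192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 10.0.0.0/24 10.0.1.0/24"

# Returns 0 if the network collides with one of the common defaults, 1 otherwise.
is_common_subnet() {
  for c in $COMMON_DEFAULTS; do
    subnets_overlap "$1" "$c" && return 0
  done
  return 1
}

# Check a whole plan: check_vpn_plan <server LAN> <client LAN> <VPN subnet>.
# Prints CONFLICT/WARN/OK lines; returns 1 if any CONFLICT was found.
check_vpn_plan() {
  server=$1; client=$2; vpn=$3; rc=0
  for pair in "server:$server client:$client" "server:$server vpn:$vpn" "client:$client vpn:$vpn"; do
    set -- $pair
    if subnets_overlap "${1#*:}" "${2#*:}"; then
      echo "CONFLICT ${1%%:*} ${1#*:} overlaps ${2%%:*} ${2#*:}"; rc=1
    fi
  done
  for net in "server:$server" "client:$client" "vpn:$vpn"; do
    is_common_subnet "${net#*:}" \
      && echo "WARN ${net%%:*} ${net#*:} is a common default LAN range; expect collisions on public wifi"
  done
  [ $rc -eq 0 ] && echo "OK subnets are disjoint"
  return $rc
}

# The article's plan, then a deliberately bad variant.
check_vpn_plan 192.168.10.0/255.255.255.0 192.168.20.0/255.255.255.0 192.168.30.0/255.255.255.0
echo "--"
check_vpn_plan 192.168.1.0/24 192.168.1.0/24 10.8.0.0/24 || echo "plan rejected"
```

The overlap test is the one to keep in mind when you travel: the client LAN is whatever network the notebook is on at the time, so a WARN on the server LAN or VPN subnet means some cafe network will eventually shadow it and the routes pushed by the server will not win.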




45 thoughts


  1. Pingback: Synology DS207+ usage series 10 – Truncate and backup Openvpn log file | BLoG of R@y

  2. What an excellent tutorial! Finally someone who understands the importance of not skipping steps and to give a detailed description of e.g. firmware levels. Also the updates after the walkthrough are very good. Thank you very much!

    • Sure, as long as you have the tun driver and the openvpn package installed on your diskstation. Check the ipkg feed for your diskstation model. Good luck.

    • It depends on what editor you’re using.

      If you are using vi, the save command is

      1. Press Escape to exit from edit mode first
      2. Type :w and then press Enter to save

  3. I can connect with my VPN Client to my VPN Network, everything looks fine until I try to open a connection from Client to NAS! In the log I can see that the VPN server is always crashing at the same point (TUN WRITE [64]):
    Mon Nov 23 00:30:00 2009 us=253550 MULTI: REAP range 96 -> 112
    Mon Nov 23 00:30:02 2009 us=839483 MULTI: REAP range 112 -> 128
    Mon Nov 23 00:30:02 2009 us=839725 GET INST BY REAL: 193.247.250.13:48619 [succeeded]
    Mon Nov 23 00:30:02 2009 us=839897 RobVPNClient/193.247.250.13:48619 UDPv4 READ [101] from 193.247.250.13:48619: P_DATA_V1 kid=0 DATA len=100
    Mon Nov 23 00:30:02 2009 us=840048 RobVPNClient/193.247.250.13:48619 TLS: tls_pre_decrypt, key_id=0, IP=193.247.250.13:48619
    Mon Nov 23 00:30:02 2009 us=840393 RobVPNClient/193.247.250.13:48619 GET INST BY VIRT: 192.168.30.6 -> RobVPNClient/193.247.250.13:48619 via 192.168.30.6
    Mon Nov 23 00:30:02 2009 us=840614 RobVPNClient/193.247.250.13:48619 TUN WRITE [64]

    Does anybody have an idea why, and how I can solve this problem?
    Cheers
    Rob

  4. Hello there,

    I am a complete newbie at Linux, was able to do steps 1 until 6 and tried to run ./S20openvpn. However it is not running and comes back with the following reply:

    DiskStation_AvS> bash ./S20openvpn
    : command not found5:
    : No such file or directory/sys/net/ipv4/ip_forward
    : command not found8:
    ‘/S20openvpn: line 10: syntax error near unexpected token `then
    ‘/S20openvpn: line 10: `if ( [ ! -c /dev/net/tun ] ) then
    DiskStation_AvS> DiskStation_AvS> bash ./S20openvpn
    -ash: DiskStation_AvS: not found
    DiskStation_AvS> : command not found5:
    DiskStation_AvS> : No such file or directory/sys/net/ipv4/ip_forward
    DiskStation_AvS> : command not found8:
    DiskStation_AvS> ‘/S20openvpn: line 10: syntax error near unexpected token `then> ‘/S20openvpn: line 10: `if ( [ ! -c /dev/net/tun ] ) then
    >

    Please can you help me and tell me what is going wrong.

    Thnx,

    André van Stijn from Holland

    • Hello André ,

      I think your script is either messed up or was saved in DOS mode rather than Unix mode.

      An easy way is to edit your script on a Windows box, then copy it to any shared folder on your NAS, e.g. the public share, then convert the script from DOS to Unix mode using the dos2unix command

      # cd /root
      # cp /volume1/public/S20openvpn /root
      # /opt/bin/dos2unix -U /root/S20openvpn
      # cp /root/S20openvpn /opt/etc/init.d/S20openvpn
      # chmod 755 /opt/etc/init.d/S20openvpn

      The dos2unix command is provided by the hd2u ipkg package

      # ipkg update
      # ipkg install hd2u

      Hope this help.

  5. Dear Rob: It is confirmed that the tun drivers out there (both from nas-forum and the ipkg feed) *DO NOT* work with the kernel provided by firmware 2.2.

    To other x07 users: If you do need OpenVPN on your x07 NAS box, DO NOT UPGRADE to FW 2.2 at the moment. Wait until someone compiles a working tun.ko for firmware 2.2.

  6. Hello Ray,

    Hope you can help me, I installed everything and it works the server is running, I cannot connect to it because I am stuck at the following,

    bash-3.2# openvpn -.genkey -.secret ta.key
    Options error: I’m trying to parse “-.genkey” as an –option parameter but I don’t see a leading ‘–‘
    Use –help for more information.

    Appreciate your help,

    André

  7. Hi André,

    I’m afraid you are using an invalid command line. The correct command to generate the secret key is

    # openvpn --genkey --secret ta.key
    

    openvpn [double -]genkey [double -]secret ta.key

  8. Thank you very much for this hint, it works. I am so close, maybe you can give me a hint. When connecting with the OpenVPN GUI I get the message underneath. And it keeps saying connecting to !!!

    [attached log removed]

    • Hi André,

      The client’s log does not give any hints. Can you please use the steps below and send me the server logs?

      1. Edit server config file, i.e. openvpn.conf

      # vi /opt/etc/openvpn/config/openvpn.conf

      2. Change verb X to verb 7

      verb 7

      3. Clear the log file

      # > /opt/etc/openvpn/jail/log/openvpn.log

      4. Restart openvpn server
      5. Connect the openvpn gui to the openvpn server
      6. Post the server log here (you may want to mask your real IP address before posting the log here)

  9. Hi Ray,

    Sorry to post here but I couldn’t find any other place to ask my query.
    Do you know if and how it is possible to install an ftp client on a DS209
    with the latest FW loaded on it ?

    Thanks a million.

    Yiannis

  10. Just an update for firmware 2.2 users: you can compile your own tun driver now using the newly released GPL source from Synology, or you can download the tun.ko from here (for NAS with mv5281 CPU only, sorry).

  11. I found the easy-rsa folder has sub-folders 1.0, 2.0 and Windows so needed to run the commands in one of those. Have tried 2.0.

  12. DS107+
    Used tun.ko downloaded from download tun-0944-mv5281.zip
    kernel 2.2-0959

    I have some error in the log:

    Fri Jan 29 16:24:07 2010 us=605989 TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use
    Fri Jan 29 16:24:07 2010 us=606165 Exiting

    Does somebody know how I can fix it? Please

    • Two possible reasons

      1. You either have another application running on port 1194 or
      2. openvpn is already running

      Try stopping openvpn and starting it again.

      # killall openvpn

      or

      the following command shows a list of the process ids of all existing openvpn instances

      # ps auxwww | grep openvpn

      then kill all the instances manually

      # kill -9 [process id]
