Synology usage series 40 – Avoid Deep Packet Inspection for OpenVPN with Stunnel


Prerequisites

  • OpenSSL is required.
  • Your ISP does not block incoming SSL traffic (TCP port 443); some ISPs do.

Server side configuration

Perform all operations below as root.

Install Stunnel

# sudo su
# ipkg install stunnel

/opt/etc/init.d # ipkg install stunnel
Installing stunnel (4.26-2) to root…
Downloading http://ipkg.nslu2-linux.org/feeds/optware/syno-e500/cross/unstable/stunnel_4.26-2_powerpc.ipk
Installing zlib (1.2.5-1) to root…
Downloading http://ipkg.nslu2-linux.org/feeds/optware/syno-e500/cross/unstable/zlib_1.2.5-1_powerpc.ipk
Configuring stunnel

Creating /opt/etc/stunnel/stunnel.pem (server certificate) …
Generating a 1024 bit RSA private key
.............++++++
.......................................................++++++
writing new private key to '/opt/etc/stunnel/stunnel.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [PL]:KK
State or Province Name (full name) [Some-State]:Your City
Locality Name (eg, city) []:Your Location
Organization Name (eg, company) [Stunnel Developers Ltd]:deadcode.net
Organizational Unit Name (eg, section) []:stunnel
Common Name (FQDN of your server) [localhost]:stunnel
subject= /C=KK/ST=Your City/L=You Location/O=deadcode.net/OU=stunnel/CN=stunnel
notBefore=May 19 13:57:47 2015 GMT
notAfter=May 18 13:57:47 2016 GMT
SHA1 Fingerprint=04:E0:55:BF:53:05:43:02:8C:07:A0:56:95:58:71:01:9C:BE:D4:18
postinst script returned status 1
ERROR: stunnel.postinst returned 1
Configuring zlib
Successfully terminated.

Configuring Stunnel

By default, the generated SSL certificate is valid for only one year, so the tunnel would stop working a year later. To avoid fixing the certificate every year, modify the config and generate a new certificate.

# vi /opt/etc/stunnel/stunnel-cert.cnf

Add the following line to the top of the file:

default_days = 3650

Then generate a new certificate:

# cd /opt/etc/stunnel
# mv stunnel.pem stunnel.pem.bak
# /opt/bin/openssl req -new -x509 -newkey rsa:2048 -keyout key.pem -out stunnel.pem -config /opt/etc/stunnel/stunnel-cert.cnf
Generating a 2048 bit RSA private key
..........................................................+++
.......................................................+++
writing new private key to 'key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [PL]:HK
State or Province Name (full name) [Some-State]:Hong-Kong
Locality Name (eg, city) []:Hong-Kong
Organization Name (eg, company) [Stunnel Developers Ltd]:deadcode.net
Organizational Unit Name (eg, section) []:stunnel
Common Name (FQDN of your server) [localhost]:stunnel

Remove the passphrase from the key file and append the key to the certificate file:

# cd /opt/etc/stunnel
# /opt/bin/openssl rsa -in key.pem -out newkey.pem
# cat newkey.pem >> stunnel.pem
# chmod 400 stunnel.pem
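The certificate steps above (default_days edit, openssl req with a passphrase, openssl rsa to strip it, cat and chmod) can be collapsed into one pass. The script below is an added example and is not part of the original post or of the Stunnel package: it generates a 2048-bit key and a 3650-day self-signed certificate without a passphrase, writes stunnel.pem with the key never world-readable, exports a certificate-only copy (assumed name stunnel-ca.pem) for clients, and prints the SHA-256 fingerprint so a client can compare it out of band before trusting it. It assumes openssl is on PATH (set OPENSSL=/opt/bin/openssl for the Optware build) and uses placeholder DN values.

```shell
#!/bin/sh
# Added example, not from the original post: create the Stunnel server
# certificate in one pass (2048-bit key, 3650 days, no passphrase) and
# assemble stunnel.pem the way the post does (certificate first, then key).
# Assumptions: "openssl" is on PATH (override with OPENSSL=/opt/bin/openssl);
# the DN fields below are placeholders to replace with your own values.

OPENSSL=${OPENSSL:-openssl}

# make_stunnel_cert DIR CN
# Writes DIR/stunnel.pem (certificate + unencrypted key, mode 400) and
# DIR/stunnel-ca.pem (certificate only, the file to copy to clients).
make_stunnel_cert() {
    dir=$1
    cn=$2
    mkdir -p "$dir" || return 1
    # -nodes leaves the key unencrypted, so stunnel can start unattended and
    # the separate "openssl rsa" passphrase-stripping step is not needed.
    # -days 3650 replaces the default_days edit in stunnel-cert.cnf.
    "$OPENSSL" req -new -x509 -nodes -days 3650 -newkey rsa:2048 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/C=HK/ST=Hong-Kong/L=Hong-Kong/O=example.invalid/OU=stunnel/CN=$cn" \
        >/dev/null 2>&1 || return 1
    # Create the combined file with restrictive permissions from the start,
    # so the private key is never world-readable even for an instant.
    ( umask 077; cat "$dir/cert.pem" "$dir/key.pem" > "$dir/stunnel.pem" ) || return 1
    chmod 400 "$dir/stunnel.pem" || return 1
    # Certificate-only copy: safe to distribute, contains no private material.
    cp "$dir/cert.pem" "$dir/stunnel-ca.pem" || return 1
    rm -f "$dir/key.pem" "$dir/cert.pem"
}

# cert_valid_for_days PEM DAYS
# Exit 0 when the certificate in PEM is still valid DAYS from now.
cert_valid_for_days() {
    "$OPENSSL" x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# key_is_unencrypted PEM
# Exit 0 when the private key block in PEM loads without a passphrase.
# The key block is cut out first so the check does not depend on which
# PEM block comes first in the file.
key_is_unencrypted() {
    sed -n '/BEGIN.*PRIVATE KEY/,/END.*PRIVATE KEY/p' "$1" \
        | "$OPENSSL" pkey -noout -passin pass: >/dev/null 2>&1
}

# cert_fingerprint PEM
# Prints the SHA-256 fingerprint of the first certificate in PEM, which is
# what a client should compare out of band before pinning the certificate.
cert_fingerprint() {
    "$OPENSSL" x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage: sh make_stunnel_cert.sh /opt/etc/stunnel stunnel
if [ "$#" -ge 1 ]; then
    make_stunnel_cert "$1" "${2:-stunnel}" && cert_fingerprint "$1/stunnel.pem"
fi
```

Run it as root with the Stunnel config directory and the common name as arguments; the fingerprint it prints is the value to carry to the client side, and stunnel-ca.pem is the only file that should leave the NAS.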

Edit stunnel.conf

# vi /opt/etc/stunnel/stunnel.conf

Comment out the [pop3s], [imaps] and [ssmtp] sections.

Also comment out the chroot, setuid, setgid and socket lines.
Add the following lines to the end of the file:

[openvpn]
accept = 443
connect = 1194

Modify OpenVPN server

Edit your OpenVPN server config file:

port 1194
proto tcp

OpenVPN must use TCP; UDP does not work through Stunnel, which carries TCP streams only.

Configure Diskstation

Now disable HTTPS for DSM's own web services, since Stunnel needs TCP port 443 for itself. Log in to DSM, open Control Panel, Web Services.

Uncheck "Enable HTTPS connection for web services".

(Screenshot: Disable HTTPS from Synology DSM)

Client Side Configuration

  1. Install the stunnel client.
  2. Edit stunnel.conf:

    output = c:\….\stunnel.log
    sslVersion=TLSv1
    [openvpn]
    client=yes
    accept=127.0.0.1:1194
    connect=nas.yourdomain:443

  3. Edit openvpn.conf:

    proto tcp
    remote localhost 1194

  4. If the OpenVPN client connects over Stunnel but drops the connection within a minute, try adding the lines below to the client's OpenVPN config:

    allow-pull-fqdn
    # 192.168.0.1 is the Internet gateway of the OpenVPN client machine's current connection
    route nas.yourdomain 255.255.255.255 192.168.0.1

    If redirect-gateway is enabled, the two lines above must be added: the OpenVPN client only sees localhost as its remote, so it cannot add its usual bypass route for the real server address, and without the host route the Stunnel TCP session to the NAS would itself be routed into the tunnel. Otherwise, add them only when you have trouble keeping the OpenVPN connection up.
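The client stunnel.conf above sets no verify or CAfile, so the client-side Stunnel accepts whatever certificate the far end presents; OpenVPN's own TLS layer still authenticates the VPN server inside the tunnel, but the outer TLS connection itself is unauthenticated. The script below is an added example, not from the original post or from the Stunnel project: it checks the server certificate copied to the client (assumed file name stunnel-ca.pem) against a SHA-256 fingerprint obtained out of band, and renders the client configuration from step 2 with verify = 2 and CAfile added, so the client refuses any peer that does not present the pinned NAS certificate. It assumes openssl is on PATH; the host name, paths and fingerprint are parameters.

```shell
#!/bin/sh
# Added example, not from the original post: pin the NAS certificate on the
# client and render a client stunnel.conf that enforces verification.
# Assumptions: openssl on PATH; the certificate-only file exported from the
# NAS (stunnel-ca.pem, a placeholder name) has already been copied here.

OPENSSL=${OPENSSL:-openssl}

# check_pinned_cert CAFILE EXPECTED_SHA256
# Exit 0 only when CAFILE's SHA-256 fingerprint equals the expected one.
# Colons and letter case are ignored so either display form can be pasted.
check_pinned_cert() {
    got=$("$OPENSSL" x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
          | sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F')
    want=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# write_client_conf OUTFILE SERVER_HOST CAFILE LOGFILE
# Renders the client configuration from the post plus "verify = 2" and
# "CAfile". Level 2 makes stunnel require a certificate that verifies
# against CAfile; the self-signed NAS certificate is its own root, so CAfile
# is simply that certificate.
write_client_conf() {
    out=$1; host=$2; cafile=$3; log=$4
    cat > "$out" <<EOF
; Added example: client stunnel.conf with server certificate verification
output = $log
sslVersion = TLSv1

[openvpn]
client = yes
accept = 127.0.0.1:1194
connect = $host:443
verify = 2
CAfile = $cafile
EOF
}

# conf_verifies OUTFILE
# Exit 0 when the rendered configuration enforces peer verification.
conf_verifies() {
    grep -q '^verify = 2$' "$1" && grep -q '^CAfile = ' "$1"
}

# Usage: sh client_pin.sh EXPECTED_FPR [stunnel-ca.pem] [nas.yourdomain]
if [ "$#" -ge 1 ]; then
    ca=${2:-stunnel-ca.pem}
    if check_pinned_cert "$ca" "$1"; then
        write_client_conf stunnel.conf "${3:-nas.yourdomain}" "$ca" stunnel.log
        echo "fingerprint matches, stunnel.conf written"
    else
        echo "fingerprint mismatch for $ca, refusing to write stunnel.conf" >&2
        exit 1
    fi
fi
```

The expected fingerprint is the one read off the NAS itself (for example from openssl x509 -fingerprint -sha256 on /opt/etc/stunnel/stunnel.pem), never one fetched over the connection being verified. The stunnel.log path and the CAfile path can be Windows paths when the client is a Windows machine.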
