Configuring OpenVPN on a Synology NAS device


Deploying this configuration without configuring proper iptables firewall rules on the Synology command line is not recommended. The stock GUI firewall configuration panel does not provide sufficient configuration options to secure your device.

This Howto describes the setup of an OpenVPN connection on a Synology NAS device and is based on DSM 4.2.

The Synology NAS device supports OpenVPN, but its GUI offers no option to define a static TLS key (the tls-auth directive) for additional authentication of the tunnel. Such a static TLS key is required to connect to the IPredator OpenVPN service.

First configure a basic OpenVPN connection from the GUI. Then adjust that configuration on the command line so that it uses the static TLS key.


Whenever you change the settings of the IPredator VPN connection in the GUI, the command-line tweaks are overwritten. You then have to redo the command-line steps below before the connection works again.

Requirements

  • DSM 4.2
  • Web access to the Synology NAS device
  • Enable SSH to access the command line interface of your Synology NAS device. This can be done from the Control Panel in the Terminal settings.
  • IPredator.se.ca.crt

Save IPredator.se.ca.crt to your Downloads or temporary folder by right-clicking on the link and selecting Save as...

GUI configuration

Open the Control Panel and select VPN.

openvpn_synology_01.png

Create a new VPN connection.

openvpn_synology_02.png

Check the OpenVPN connection type and click Next.

openvpn_synology_03.png

Enter IPredator as the Profile name and pw.openvpn.ipredator.se as the Server address. Type in your Username and Password in the appropriate fields. Click Browse and provide the path name to the previously downloaded IPredator.se.ca.crt CA certificate. Click Next.

openvpn_synology_04.png

Check Enable compression on the VPN link, Route all client traffic through the VPN server and Reconnect when the VPN connection is lost.
Click Apply.

openvpn_synology_05.png

You are presented with the overview of the new OpenVPN connection. Do not connect now. Keep this window open.

openvpn_synology_06.png

Command line tweaks

Use PuTTY on Windows, or ssh from a terminal on BSD, Linux or Mac OS X, to connect to your Synology NAS device. Change into the /usr/syno/etc/synovpnclient/openvpn directory and create a new subdirectory keys to store the TLS key.

DS411> cd /usr/syno/etc/synovpnclient/openvpn
DS411> mkdir keys
DS411> cd keys
DS411>

Download the static TLS key IPredator.se.ta.key via wget into the newly created keys directory. Note that --no-check-certificate disables verification of the server certificate (the NAS lacks the issuing CA, as the warnings in the output show), so the transfer itself does not authenticate the key; compare the downloaded file with a copy obtained over a verified connection before using it.

DS411> wget --no-check-certificate https://ipredator.se/static/downloads/openvpn/ubuntu/IPredator.se.ta.key
--23:48:13-- https://ipredator.se/static/downloads/openvpn/ubuntu/IPredator.se.ta.key
=> `IPredator.se.ta.key'
Resolving ipredator.se... 93.182.132.40, 2a03:6b80:6b80:40::1
Connecting to ipredator.se|93.182.132.40|:443... connected.
WARNING: Certificate verification error for ipredator.se: unable to get local issuer certificate
WARNING: certificate common name `www.ipredator.se' doesn't match requested host name `ipredator.se'.
HTTP request sent, awaiting response... 200 OK
Length: 636 [text/plain]

100%[=======================================================>] 636 --.--K/s

23:48:23 (3.84 MB/s) - `IPredator.se.ta.key' saved [636/636]

DS411>

Change back into the /usr/syno/etc/synovpnclient/openvpn directory and list its files. There is a file named client_XXXXXXXXXXX (client_o1368699719 in the following examples) that stores the OpenVPN configuration parameters which cannot be changed in the GUI.

DS411> cd ..
DS411> ls -la
drwxr-xr-x    3 root     root          4096 Fri 13 23:42 .
drwxr-xr-x    6 root     root          4096 Fri 13 23:42 ..
-rwxr-xr-x    1 root     root          1846 Fri 13 23:42 ca_o1368699719.crt
-rw-r--r--    1 root     root           268 Fri 13 23:42 client_o1368699719
drwxr-xr-x    2 root     root          4096 Fri 13 23:42 keys
-rw-r--r--    1 root     root           390 Fri 13 23:42 ovpn_o1368699719.conf
DS411>

Append the following lines to client_XXXXXXXXXXX by issuing:

DS411> cat >> client_o1368699719 << EOF
tls-auth keys/IPredator.se.ta.key
tls-cipher TLSv1:!ADH:!SSLv2:!NULL:!EXPORT:!DES:!LOW:!MEDIUM:@STRENGTH
cipher AES-256-CBC
keepalive 10 30
resolv-retry infinite
persist-tun
persist-key
ns-cert-type server
EOF
DS411>

Print the content of client_XXXXXXXXXXX with the following command and compare it with the output below.

DS411> cat client_o1368699719
dev tun
tls-client
remote pw.openvpn.ipredator.se 1194
pull
proto udp
ca ca_o1368699719.crt
comp-lzo
redirect-gateway
script-security 2
float
reneg-sec 0
explicit-exit-notify
plugin /lib/openvpn/openvpn-down-root.so /etc/ppp/ip-down
auth-user-pass /tmp/ovpn_client_up
tls-auth keys/IPredator.se.ta.key
tls-cipher TLSv1:!ADH:!SSLv2:!NULL:!EXPORT:!DES:!LOW:!MEDIUM:@STRENGTH
cipher AES-256-CBC
keepalive 10 30
resolv-retry infinite
persist-tun
persist-key
ns-cert-type server
DS411>

Keep the SSH session open.
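Because the GUI rewrites client_XXXXXXXXXXX on every change, the appending step has to be repeated each time. The following script, an added example that is not part of the original howto, performs that step idempotently: it appends only the directives that are missing, refuses to run without the TLS key and verifies the result. OVPN_DIR and BACKUP_DIR are assumptions; they default to the paths used above.

```shell
#!/bin/sh
# Re-applies the tweaks above to client_XXXXXXXXXXX without duplicating
# directives already present, so it can be rerun after every GUI change.
# Added example, not from the original howto. OVPN_DIR and BACKUP_DIR are
# assumptions: defaults are the paths shown above; override them for testing.
OVPN_DIR="${OVPN_DIR:-/usr/syno/etc/synovpnclient/openvpn}"
BACKUP_DIR="${BACKUP_DIR:-/tmp}"
# The directives the GUI cannot set, exactly as appended in the howto.
TWEAKS='tls-auth keys/IPredator.se.ta.key
tls-cipher TLSv1:!ADH:!SSLv2:!NULL:!EXPORT:!DES:!LOW:!MEDIUM:@STRENGTH
cipher AES-256-CBC
keepalive 10 30
resolv-retry infinite
persist-tun
persist-key
ns-cert-type server'

# Print the path of the client_* file; fail unless exactly one exists.
find_client_file() {
    set -- "$OVPN_DIR"/client_*
    [ "$#" -eq 1 ] && [ -f "$1" ] || return 1
    printf '%s\n' "$1"
}

# Append every tweak whose directive (first word) is not yet in the file.
apply_tweaks() {
    file="$1"
    [ -f "$OVPN_DIR/keys/IPredator.se.ta.key" ] || { echo "TLS key missing" >&2; return 1; }
    cp "$file" "$BACKUP_DIR/$(basename "$file").bak"   # keep what the GUI wrote
    [ -z "$(tail -c1 "$file")" ] || echo >> "$file"    # ensure a trailing newline
    printf '%s\n' "$TWEAKS" | while IFS= read -r line; do
        directive="${line%% *}"
        grep -q -E "^$directive( |\$)" "$file" || printf '%s\n' "$line" >> "$file"
    done
}

# Succeed only if every tweak directive occurs exactly once in the file.
verify_tweaks() {
    printf '%s\n' "$TWEAKS" | while IFS= read -r line; do
        directive="${line%% *}"
        n=$(grep -c -E "^$directive( |\$)" "$1" || true)
        [ "$n" -eq 1 ] || { echo "$directive: found $n times" >&2; exit 1; }
    done
}

# Run as "sh retweak.sh apply" on the NAS (as root) after any GUI change.
if [ "${1:-}" = "apply" ]; then
    f=$(find_client_file) && apply_tweaks "$f" && verify_tweaks "$f" && echo "tweaks applied to $f"
fi
```

The file name retweak.sh is only a suggestion; the functions can also be sourced and run one by one from the SSH session.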

Test run

Back in the GUI, you can now click Connect and test your OpenVPN connection.

openvpn_synology_07.png

After successfully connecting to the IPredator service, the connection icon switches to green, and the Status, IP address and the Sent and Received byte counters are updated.

openvpn_synology_08.png

Verification

To verify that the VPN connection came up correctly, first execute ifconfig -a on the command line and check that a tun interface appears in the list of network devices.

DS411> ifconfig -a
[..]
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:46.246.35.71  P-t-P:46.246.35.71  Mask:255.255.255.0           
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1    
          RX packets:105 errors:0 dropped:0 overruns:0 frame:0      
          TX packets:312 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:9595 (9.3 KiB)  TX bytes:242967 (237.2 KiB)

DS411>

Issue ip route to see whether the routing table has been altered correctly. The following entries are essential:

  • A host route to the VPN server (in this example 46.246.35.2).
  • A new split default route (destinations 0.0.0.0/1 and 128.0.0.0/1).

DS411> ip route
46.246.35.2 via 192.168.1.1 dev eth0
208.67.222.222 via 192.168.1.1 dev eth0 
46.246.35.0/24 dev tun0  src 46.246.35.71 
192.168.1.0/24 dev eth0  src 192.168.1.119 
0.0.0.0/1 via 46.246.35.1 dev tun0 
128.0.0.0/1 via 46.246.35.1 dev tun0 
default via 192.168.1.1 dev eth0
DS411>
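The two essential entries can be checked mechanically. The script below, an added example that is not part of the original howto, reads an ip route listing from standard input and fails if the host route to the VPN server is missing or itself points into the tunnel, or if either half of the split default route does not go via a tun interface. The file name check_routes.sh is an assumption; the embedded sample table is the output shown above.

```shell
#!/bin/sh
# Checks an "ip route" listing for the two entries the howto calls essential:
# a host route to the VPN server that bypasses the tunnel, and both halves of
# the split default route pointing at a tun interface. Added example, not
# from the original howto. On the NAS: ip route | sh check_routes.sh 46.246.35.2

# check_routes SERVER_IP  (routing table on stdin); returns 0 when all checks pass
check_routes() {
    server="$1"
    pat=$(printf '%s' "$server" | sed 's/\./\\./g')   # dots are literal in the regex
    table=$(cat)
    status=0
    # 1. the host route to the server must leave via the physical gateway, not tun
    host=$(printf '%s\n' "$table" | grep -E "^$pat via " | head -n 1)
    case "$host" in
        "")          echo "FAIL: no host route to VPN server $server"; status=1 ;;
        *"dev tun"*) echo "FAIL: route to $server goes through the tunnel"; status=1 ;;
        *)           echo "ok:   $host" ;;
    esac
    # 2. both split default routes must point into the tunnel; a missing half
    #    means that half of the address space bypasses the VPN
    for half in 0.0.0.0/1 128.0.0.0/1; do
        if printf '%s\n' "$table" | grep -q -E "^$half via [0-9.]+ dev tun[0-9]+"; then
            echo "ok:   $half via tun"
        else
            echo "FAIL: no route for $half via a tun interface"; status=1
        fi
    done
    return "$status"
}

# Routing table copied from the howto's "ip route" output above, for a demo run.
SAMPLE_TABLE='46.246.35.2 via 192.168.1.1 dev eth0
208.67.222.222 via 192.168.1.1 dev eth0
46.246.35.0/24 dev tun0  src 46.246.35.71
192.168.1.0/24 dev eth0  src 192.168.1.119
0.0.0.0/1 via 46.246.35.1 dev tun0
128.0.0.0/1 via 46.246.35.1 dev tun0
default via 192.168.1.1 dev eth0'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_TABLE" | check_routes 46.246.35.2
fi
```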

Firewall


The Firewall and QoS application in the Control Panel offers only limited functionality. It does not support rules that apply specifically to tun VPN interfaces.
