DEV Community: A. Kayes

Connect to an OpenVPN server running on Synology DSM 7

A. Kayes — Wed, 05 Oct 2022 15:37:08 +0000

Introduction

This is the second part of the series "Configure OpenVPN on Synology DSM 7". In the first part we've set up an OpenVPN server on Synology DSM 7, configured port forwarding and firewall on our router and NAS.

In this part we'll see how we can connect to that OpenVPN server using the OpenVPN Connect client in Windows 10 and iOS.

The setup

The setup remains the same as what we've used in the first part:

NAS: Synology DS920+, DSM 7.1-42661 Update 4
OpenVPN server app: VPN Server package (1.4.7-2901) by Synology Inc.
Router: Ubiquiti UniFi DreamMachine

OpenVPN clients:

OpenVPN Connect 3.3.6.2752 on Windows 10
OpenVPN Connect 3.3.2.5086 on iOS 16.0.2

The OpenVPN Connect client is an official client developed and maintained by OpenVPN Inc. It can be downloaded from here:
https://openvpn.net/client-connect-vpn-for-windows/

There's another client called OpenVPN GUI. This is a community project and can also be used on Windows. It can be downloaded from here:
https://openvpn.net/community-downloads/

We'll use the official OpenVPN Connect client as the UX is pretty identical on both Windows and iOS.

Exporting the configuration file:

First we have to export the configuration .ovpn file to be used with the clients. Clicking the Export Configuration will export the configuration and initiate a file download. The exported file is a .zip file that contains a VPNConfig.ovpn file (a configuration file for the client) and a README.txt file (simple instruction on how to set up OpenVPN connection for the client).

Following is how the .ovpn file looks like.



dev tun
tls-client

remote YOUR_SERVER_IP 1194

# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect it's
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

#redirect-gateway def1

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

#dhcp-option DNS DNS_IP_ADDRESS

pull

# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp

script-security 2



reneg-sec 0

cipher AES-256-CBC

auth SHA512

auth-user-pass
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
MIIF...hHwg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF...GCc=
-----END CERTIFICATE-----

</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
c78b6...6c58c2
-----END OpenVPN Static key V1-----

</tls-auth>
verify-x509-name 'myhostname.synology.me' name

Let's talk about the configuration file a little.

We basically have to change one thing in the above config file. At line #4, we have to replace YOUR_SERVER_IP with the DDNS hostname, myhostname.synology.me, which we've configured in the first part. Or we can use the static IP address if we have one.

The other directive of note is redirect-gateway def1. This is what determines whether we configure a split-tunnel or full-tunnel VPN. If we want full-tunneling then we have to uncomment the directive. This means that all connection requests, including the ones for websites on the public internet, will go through the VPN server. But we're only interested in accessing the Synology apps like DS Photo, DS Video, DS File etc. (which are only available within our home network and not exposed to the public internet). So, we'll leave this commented out.

Note that:

OpenVPN allows VPN server to issue an authentication certificate to the clients.

Each time VPN Server runs, it will automatically copy and use the certificate shown at Control Panel > Security > Certificate. This is the certificate which we got from Let's Encrypt while configuring DDNS using Synology provider.

If we want to use a third-party certificate, we have to import the certificate at Control Panel > Security > Certificate > Add and restart VPN Server. We'll explore this in the third part of this tutorial.

VPN Server will automatically restart each time the certificate file shown at Control Panel > Security > Certificate is modified. We will also have to export the new .opvn file to all clients.

More info on Certificates can be found here: https://kb.synology.com/en-br/DSM/help/DSM/AdminCenter/connection_certificate?version=7

Let's check firewall settings on Windows 10

Since we'll be using Windows 10 as our client OS, it's a good idea to check its firewall settings before we try to connect. We need to check whether outgoing UDP requests are allowed on remote port 1194 in Windows Firewall. I've found that it works without having to add any additional rule.

Connect using OpenVPN Connect in Windows 10

I've already installed the OpenVPN Connect 3.3.6.2752 client from the link mentioned above under 'The setup'. I've also disconnected from my home Wi-Fi network in Windows and switched to mobile hotspot so that I connect from 'outside' of my home network.

When we first launch the app, it lets us import a config file via an URL or a file upload. We'll use the file upload option.

After selecting the .ovpn config file, we're prompted to enter the VPN Username and Password. This is the same vpnuser that we've configured in part one.

We're also being asked to assign a Certificate and Key for the client but we'll skip them. Because we're not concerned with Certificate Authentication in this part. We'll look at that in the third part.

Note that we can also customize the profile name at the top.

After we've entered the Username and Password, let's click the big orange CONNECT button.

But we're presented with an info dialog that says that the external certificate is missing. It also says that we can still continue if our profile allows connection without client certificate. It does, so we'll click CONTINUE.

Note:

By default the OpenVPN sever doesn't require a client certificate.

In the config file for the OpenVPN server, openvpn.conf, there is a directive, verify-client-cert none, which dictates that.

The config file is located here on the NAS: usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf.

In order to access that file, we have to SSH into the NAS.

It's possible to tell the client to not expect a client Certificate and Key because it's a bit annoying to skip it everytime. This can be done by adding this directive to the .ovpn file: setenv CLIENT_CERT 0.

It's documented here: https://openvpn.net/faq/how-to-make-the-app-work-with-profiles-that-lack-a-client-certificate-key/

Anyway, after clicking CONTINUE, we're hit with another roadblock. This time the connection failed, and the error message read "Peer certificate verification failure".

The culprit is on the last line in the VPNConfig.ovpn file above:
verify-x509-name 'myhostname.synology.me' name

This is the issue that I've mentioned about in the first part. That last line got added when we ticked the Verify server CN checkbox.

When the .ovpn file was exported, the myhostname.synology.me was wrapped within single quotes (''). And because of this, the client couldn't connect when the .ovpn file was imported to it. It seems like this issue only appeared in OpenVPN Connect client since version 3.3.x.

Fortunately, after a little googling around I've found a fix, which was provided by the user called DreamCypher in this OpenVPN Support Forum topic:
https://forums.openvpn.net/viewtopic.php?p=106554#p106554

The fix is very simple. We just need to wrap myhostname.synology.me within double-quotes (""):
verify-x509-name "myhostname.synology.me" name

So let's do that, import the updated .ovpn file to the client and try connecting again. It works!

Connect using OpenVPN Connect in iOS

Let's search for the OpenVPN Connect client in App Store and install it. The client UI is pretty identical to the Windows client.

Now we have to import the VPNConfig.ovpn file. There's no need to change anything, just import the exact same file that we've imported to the Windows client.

I've put it on my Synology NAS home directory and will now open it in the DS File app in iOS.

DS File is a file manager app developed by Synology.

Then tap the ... menu and tap on Share.

Tap the OpenVPN app icon to import the .ovpn file to it.

The UI we're presented with next is already familiar with us by now. We can customize the profile name, enter the VPN Username and Password and tap CONNECT.

We will leave the Certificate and Key field with the default value None as we're not going to use client-side Certificate Authentication. We'll look at how to do that in part three of this tutorial.

iOS now prompts us to allow the OpenVPN app to add a VPN configuration to the OS. We will allow it.

We're asked to enter our iPhone passcode. Let's do that.

Et voilà! We're connected.

If we go to Settings > General > VPN & Device Management > VPN, we can see the configuration added by the OpenVPN app.

Summary

So that's about it. Configuring the client is pretty straight forward (when it works of course ;)). There are tons of very good tutorial videos and posts on OpenVPN all over the internet. And the OpenVPN docs are also very helpful. Hope this tutorial also comes in handy for some.

Configure OpenVPN server on Synology DSM 7

A. Kayes — Wed, 05 Oct 2022 15:36:14 +0000

Prologue

I use my Synology DS920+ mainly for the storage of family photos and videos and I have a ton of them. I also have documents, eBooks etc. stored on it. The NAS is not exposed to internet, and I usually access it through an L2TP VPN connection, which I'd configured on my Ubiquiti UniFi DreamMachine in the past, from outside of my home network. It's usually documents that I've accessed from outside so far and never really accessed photos and videos.

Last week I went on a family weekend getaway trip where I needed to look for some old family photos and videos. I flipped the VPN switch on my iPhone and got connected almost immediately. But not for long. It was frequently disconnecting while watching videos. Usually the L2TP connection works fine for me but something happened that day. I really wished that I had OpenVPN set up as an alternative. And that's exactly what I did first thing after returning home from the trip.

What we're doing

This tutorial will be split into 3 parts. In the first part, which is this post, we'll set up the OpenVPN server on our Synology NAS.

In the second part, we'll connect to the VPN server from Windows 10 and iOS, without using client-side Certificate Authentication.

And in the last part, we'll connect from Windows 10 and iOS using client-side Certificate Authentication.

The setup

It's critical to mention the details of the hardware and software being used because in the world of tech, the way of doing things can often change with the changes in hardware or software. So, following are our setup:

NAS: Synology DS920+, DSM 7.1-42661 Update 4
OpenVPN server app: VPN Server package (1.4.7-2901) by Synology Inc.
Router: Ubiquiti UniFi DreamMachine

OpenVPN clients:

OpenVPN Connect 3.3.6.2752 on Windows 10
OpenVPN Connect 3.3.2.5086 on iOS 16.0.2

The OpenVPN Connect client is an official client developed and maintained by OpenVPN Inc. It can be downloaded from here:
https://openvpn.net/client-connect-vpn-for-windows/

There's another client called OpenVPN GUI. This is a community project and can also be used on Windows. It can be downloaded from here:
https://openvpn.net/community-downloads/

We'll use the official OpenVPN Connect client as the UX is pretty identical on both Windows and iOS.

DDNS

For OpenVPN to work, we need a static IP address for our server. Like most people, I have dynamic external IP address, so creating a DDNS (Dynamic Domain Name System) hostname is required so that even if the external IP address changes, the server can be reached using the DDNS hostname. DDNS allows connection to the Synology NAS over the internet by mapping a hostname to its IP address. I've already configured DDNS using the free synology.me DDNS provider. It's beyond the scope of this post how to do it, but this doc from Synology may be followed: https://kb.synology.com/en-us/DSM/help/DSM/AdminCenter/connection_ddns?version=7

Let's say our DDNS hostname is myhostname.synology.me.

Note: if we have a static external IP address, which never changes, then we can simply use that and we do not have to configure DDNS.

Also note that configuring DDNS using Synology provider will require us to get a certificate from Let's Encrypt and set it as default. This certificate will be automatically used when we export the configuration to be used with the client in the second part.

Installing the VPN Server package

It's probably the easiest task. We just search for it and install. That's it.

Creating a user to use with OpenVPN server

Any existing user we have on our NAS would work just fine. We only need to grant it the required privilege. But we should really create a separate user just for the purpose of connecting to the VPN server. In doing so, we can restrict the VPN user from pretty much everything else on the NAS. So, in case it gets compromised, it can't be used to access other apps or shared folders.

Let's open up Control Panel, select User & Group from the left-hand-side panel and hit the Create button.

The User Creation Wizard will pop up. On the first screen, we fill in the required details like Name and Password and hit Next.

On the next screen, we can add the user to any group we want. By default, the user is added to the System default group users. In case we want to create multiple VPN users for different members of the family, we may want to create a dedicated group, say 'vpnusers', with the required privileges or restrictions and assign all VPN users to that group. That way we wouldn't have to restrict or grant the same privileges to individual users manually. For the purpose of this tutorial, we'll leave this as-is and assign the restrictions/ privileges manually on the next screens.

On the following screen, we can assign permission to access different shared folders. We don't want to assign any. So let's tick the No Access checkbox at the top to deny access to all shared folders.

We'll leave the next step as-is.

Next screen is for assigning application permissions and we want to deny access to all.

We'll leave the next step as-is.

The last step is for reviewing the settings and confirm.

Configuring the OpenVPN server

Let's open up the VPN Server app and head straight to the Privilege screen. We'll grant our newly created vpnuser the privilege to connect to the VPN Server.

Next, we'll go to the screen for configuring OpenVPN and tick Enable OpenVPN server checkbox. On this screen we can customize each of the settings. We'll leave the dropdowns as-is, with the default values selected. Then we'll check only the first 4 checkboxes.

If we want to enable IPv6 server mode, we can check the last one too. But in order to enable OpenVPN server to send IPv6 addresses, we have to first get a prefix via 6in4/6to4/DHCP-PD in Control Panel > Network > Network Interface, then select the prefix on this screen.

If we don't want the clients to be able to access the server's LAN, we can untick the second checkbox Allow clients to access server's LAN.

Also, take note of the second-to-last checkbox Verify server CN. We can leave it unticked. But if we tick it, then it creates an issue for the OpenVPN Connect client, which we'll see when we configure the client in the second part of this tutorial.

Now we have to click Apply for the changes to take effect first before we export the configuration. After clicking the Apply button, we are shown an information dialog which tells us to check port forwarding and firewall settings on both the NAS and the router. We'll talk about those settings shortly.

Note that it's a security best practice to not use any default configured port (like 1194 here) and instead use a different available port.

Enable port forwarding on the router

Before the VPN server connection request could reach the Synology NAS (where the VPN server runs), it reaches our router using the external IP address on port 1194. This is the default configured port, whcih we saw earlier. The router then forwards the request to the same port at the NAS' local IP address. But this does not happen automatically. That's why we need to enable port forwarding on the router. The process to do it is pretty much same on most routers and can easily be found online by searching with the router model name. Following is how it looks like on our Ubiquiti UniFi DreamMachine.

Check firewall settings on the router

Most of the time any connection attempt on port 1194 will be blocked by default on the routers. So we need to allow this by creating a firewall rule.

Luckily on our DreamMachine, a rule is automatically created once the port forwarding has been set up.

Check firewall settings on the NAS

We need to make sure that port 1194 is allowed to receive UDP connection requests in the Synology firewall. I already have firewall enabled with the default profile and found that the VPN connection can be established without having to add any additional rule. But if it's not the case then we have to add a rule to enable port 1194 (or whatever port we've configured).

Summary

That's basically it as far as configuring the OpenVPN server on Synology NAS is concerned. It's not too difficult but we do need to take care to check the firewall settings on both the NAS and the router as most of the time VPN connection issues are caused by misconfigured firewalls.

In the next part, we'll look at how to connect to the OpenVPN server we've just configured.