Synology has already released an OpenVPN package for their NAS. If you are using model 209 or a more recent model, then you can download and install the official package and skip this lengthy article.
This article describes all the steps to install OpenVPN in my environment so that I can access the resources (samba, ds207+ admin console, audio station..) on my DS207+ from any remote location in a secure way.
* I’ve tested and confirmed that OpenVPN also works on my DS101j for both server and client setups.
* Also reported working on the DS107+ by a user on the Synology forum.
Tested platform:
DS207+ firmware version DSM 2.1-0844 , 2.2-0959, 3.1-1613
ipkg source http://ipkg.nslu2-linux.org/feeds/optware/syno-x07/cross/unstable/
DS101j firmware version DSM 2.0-0731
ipkg source http://ipkg.nslu2-linux.org/feeds/optware/ds101/cross/stable
Table of Contents
| Page 1 | Assumptions and Pre-requisites |
| Page 2-7 | Installing OpenVPN server on DS207+/DS101j |
| Page 8 | Installing OpenVPN client on Windows |
| Page 9 | Installing VPN Client on DS101j |
| Page 10 | Install TomatoVPN 3.4 as OpenVPN Client |
| Page 11 | How to allow vpn clients access all machines in the server network |
| Page 12 | Important Tips for Vista |
| Advanced Implementation | |
| Page 13 | VPN Server acting as internet gateway, and other useful TIPS |
| Page 14 | VPN Server failover |
| Page 15 | Dual authentication – Adding username and password verification |
| Page 16 | Revoke a client certificate |
The environment
OpenVPN Server network: 192.168.10.0/255.255.255.0
OpenVPN Server deployed on DiskStation with IP 192.168.10.5
OpenVPN Client network: 192.168.20.0/255.255.255.0
OpenVPN Client deployed on IBM X40 with IP 192.168.20.3
OpenVPN Virtual Subnet: 192.168.30.0/255.255.255.0
My DS207+ is located at my home in the network 192.168.10.0/255.255.255.0. It has a fixed internal IP address of 192.168.10.5. I’ll deploy the OpenVPN server to the DiskStation.
I have an IBM X40 notebook which needs to access my DiskStation from public environments such as an internet cafe, or even from another country. The X40, however, is mostly located in the network 192.168.20.0/255.255.255.0. I’ll deploy the OpenVPN client (win32) to my X40 notebook.
A new VPN subnet is created once the VPN connection is successfully established. I defined the virtual subnet as 192.168.30.0/255.255.255.0.
Replace the values above with your own IP/network addresses.
Define the Server and Client ID
First we need to define the [Server ID] and [Client ID]. The ID must be a single word.
[Server ID] is the machine running the OpenVPN server.
[Client ID] is the machine running the OpenVPN client.
My example:
[Server ID] = server
[Client ID] = x40
Pre-requisites
- IMPORTANT! The two machines should be connected to networks with two unique subnets in order to avoid IP address conflicts. The OpenVPN HOWTO also suggests using an uncommon subnet such as 10.30.40.0 rather than 192.168.0.1, which is very likely to lead to an IP conflict (for example on the public wifi networks of airports and internet cafes).
- DS207+ is bootstrapped.
- SSH is enabled on DS207+.
- bash is already installed on the DS207+; if not, run ‘ipkg install bash’
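
The subnet requirement in the first pre-requisite can be checked before anything is deployed. The following is an added example, not part of the original article: it takes the three networks from the environment section and reports overlaps. The list of common default ranges and the roaming case are assumptions constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Subnets from the article's environment, in its address/netmask notation.
PLAN = {
    "server_lan": "192.168.10.0/255.255.255.0",
    "client_lan": "192.168.20.0/255.255.255.0",
    "vpn_subnet": "192.168.30.0/255.255.255.0",
}

# Assumption: ranges that consumer routers commonly hand out by default.
COMMON_DEFAULTS = [ipaddress.ip_network(n)
                   for n in ("192.168.0.0/24", "192.168.1.0/24")]


def parse(plan):
    """Turn 'address/netmask' strings into network objects (host bits must be 0)."""
    return {name: ipaddress.ip_network(value) for name, value in plan.items()}


def find_conflicts(plan):
    """Return the sorted name pairs whose address ranges overlap."""
    nets = parse(plan)
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    )


def risky_defaults(plan):
    """Return the names of subnets that overlap a commonly used default range."""
    nets = parse(plan)
    return sorted(
        name for name, net in nets.items()
        if any(net.overlaps(common) for common in COMMON_DEFAULTS)
    )


if __name__ == "__main__":
    print("conflicts:", find_conflicts(PLAN))
    print("common defaults:", risky_defaults(PLAN))
    # Constructed failure case: the notebook joins a network that reuses the server LAN range.
    roaming = dict(PLAN, client_lan="192.168.10.0/255.255.255.0")
    print("roaming conflicts:", find_conflicts(roaming))
```
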

hi Ray, thanks,
syno1> killall openvpn give me -> killall: openvpn: no process killed
syno1> ps auxwww | grep openvpn -> 10757 root 788 S grep openvpn
but a netstat -l give me :
udp 0 0 *:1194 *:*
Do you know if it’s possible to change the 1194 to other port? I tried to replace 1194 by 2294 in the openvpn.conf , but after restarting openvpn , I always have this line in the openvpn.log.
Sat Jan 30 15:27:05 2010 us=644490 TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use
Hello,
There must be some application on your NAS working on the port 1194/udp. Can you try using another port or try tcp instead of udp?
My NAS is running two openvpn instances and both of them are listening on two weird ports (something like 19010, 7890) without any issues.
openvpn.conf
—————–
port 2294
proto tcp
good luck
Hi Ray,
Thanks for the tun.ko module.
Openvpn is working now, but I still can’t access other computers that are on the same network as the Syno. IP forwarding is on.
I thought that ip forwarding isn’t enough and NAT is needed. I tried to add a rule in iptable, but I get “iptables v1.4.2: can’t initialize iptables table `nat’: Table does not exist (do you need to insmod?)”.
Thanks.
Regards.
Hi Jief,
1. Did you add the two static routes to the broadband router yet?
2. You can’t browse other PCs from the network neighbourhood, but you probably can access other PCs from Explorer via \\192.168.x.x
3. I don’t need NAT to access other computers from the server side network.
4. I’m not a networking expert; I’m afraid I can’t help with iptables things, sorry about that.
By the way, great to hear that the tun.ko here is useful to you.
Hi Ray.
Thanks for this nice post.
I am a bit stuck.
When doing “./build-ca” i get
####################
./build-ca
error on line 95 of /opt/etc/openvpn/easy-rsa/openssl.cnf
10755:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 95
###################
Any clue?
Thanks in advance
Regards
Thomas
ok, fixed it myself. the “vars file” needs two more entries:
export KEY_SIZE=1024
to fix the first “./build-ca” issue
and
export OPENSSL=/opt/bin/openssl
to fix the “./build-dh” issue
on page 8 it should read …/keys/… and not …/key/…
Hi Ray,
I’ve successfully setup openVPN between DS207+ Server and DS110J Client using your great instructions. When I try to add a WinXP laptop as a second client its IP address clashes with the DS110J. Do you know how to get it a different IP address?
thanks
SteveP
Hello SteveP,
My solution is adding the following line to the openvpn.conf
ifconfig-pool-persist /opt/etc/openvpn/jail/ipp.txt
That works for me.
If that doesn’t work for you, then you may need to assign a static IP to each VPN client.
To assign a static IP to each VPN client, edit the client-specific ccd files and add the ifconfig-push line to the files:
For example
client 1
# vi …/openvpn/jail/ccd/client1
ifconfig-push 192.168.30.1 192.168.30.2
client 2
# vi …/openvpn/jail/ccd/client2
ifconfig-push 192.168.30.5 192.168.30.6
Kindly lemme know which solution works for you so that I might add the instruction to the article.
Thanks in advance.
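
An added example (not part of the original comment thread) that audits ccd entries like the two in the reply above. It assumes OpenVPN's default net30 topology, where the OpenVPN HOWTO requires each ifconfig-push pair to be the two host addresses of its own /30; the client3 and client4 entries are constructed to show rejected cases.

```python
import ipaddress

VPN_SUBNET = ipaddress.ip_network("192.168.30.0/255.255.255.0")  # from the article

# ccd file contents keyed by client name. client1/client2 carry the values from
# the reply above; client3 and client4 are constructed to show rejected entries.
CCD = {
    "client1": "ifconfig-push 192.168.30.1 192.168.30.2\n",
    "client2": "ifconfig-push 192.168.30.5 192.168.30.6\n",
    "client3": "ifconfig-push 192.168.30.6 192.168.30.5\n",  # reuses client2's /30
    "client4": "ifconfig-push 192.168.30.3 192.168.30.4\n",  # not a /30 host pair
}


def push_pair(text):
    """Return (local, remote) from the first ifconfig-push line, or None."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) == 3 and fields[0] == "ifconfig-push":
            return ipaddress.ip_address(fields[1]), ipaddress.ip_address(fields[2])
    return None


def audit(ccd, subnet=VPN_SUBNET):
    """Map each client name to 'ok' or the reason its ifconfig-push is rejected."""
    seen, result = {}, {}
    for name in sorted(ccd):
        pair = push_pair(ccd[name])
        if pair is None:
            result[name] = "no ifconfig-push line"
            continue
        local, remote = pair
        block = ipaddress.ip_network(f"{local}/30", strict=False)
        if local not in subnet or remote not in subnet:
            result[name] = "outside VPN subnet"
        elif {local, remote} != set(block.hosts()):
            result[name] = "not the two host addresses of one /30"
        elif block in seen:
            result[name] = f"/30 already used by {seen[block]}"
        else:
            seen[block] = name
            result[name] = "ok"
    return result


if __name__ == "__main__":
    for client, verdict in audit(CCD).items():
        print(f"{client}: {verdict}")
```
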
hi Ray,
i’m an almost newby in the linux world (and a french who didn’t practice his english for a long time)
i own a DS207+ and i upgraded to DSM 2.3 yesterday. i’m happy to discover that tun.ko is provided by default in this version of firmware.
i followed your instructions until the end…and could you tell me how to start openvpn in the bash command ?
here is lsmod and ifconfig result :
lsmod
Module Size Used by
tun 9312 0
usbhid 26404 0
usblp 11680 0
usb_storage 32068 0
uhci_hcd 28720 0
ohci_hcd 15204 0
ehci_hcd 30088 0
ds107+_synobios 16536 0
isofs 33308 0
udf 85124 0
zlib_inflate 16672 1 isofs
fuse 45396 0
nfsd 105316 0
exportfs 4416 1 nfsd
ppp_async 9504 0
crc_ccitt 1568 1 ppp_async
ppp_generic 22260 1 ppp_async
slhc 6368 1 ppp_generic
snd_pcm_oss 41728 0
snd_mixer_oss 15616 1 snd_pcm_oss
snd_usb_audio 85700 0
snd_pcm 71976 2 snd_pcm_oss,snd_usb_audio
snd_timer 21156 1 snd_pcm
snd_hwdep 7844 1 snd_usb_audio
snd_usb_lib 18016 1 snd_usb_audio
snd_rawmidi 22176 1 snd_usb_lib
snd_seq_device 7596 1 snd_rawmidi
snd 53692 9 snd_pcm_oss,snd_mixer_oss,snd_usb_audio,snd_pcm,snd_timer,snd_hwdep,snd_usb_lib,snd_rawmidi,snd_seq_device
snd_page_alloc 8072 1 snd_pcm
soundcore 7620 1 snd
quota_v2 9056 2
usbcore 115752 9 usbhid,usblp,usb_storage,uhci_hcd,ohci_hcd,ehci_hcd,snd_usb_audio,snd_usb_lib
sg 30464 0
ntfs 115700 0
vfat 10720 0
fat 48444 1 vfat
appletalk 32952 20
psnap 2852 1 appletalk
llc 5876 1 psnap
GEOSTATION> ifconfig
eth0 Link encap:Ethernet HWaddr 00:11:32:04:0A:98
inet addr:192.168.1.40 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:2454 errors:0 dropped:0 overruns:0 frame:0
TX packets:2631 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:512
RX bytes:476970 (465.7 KiB) TX bytes:1081992 (1.0 MiB)
Interrupt:21
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:89 errors:0 dropped:0 overruns:0 frame:0
TX packets:89 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:8643 (8.4 KiB) TX bytes:8643 (8.4 KiB)
GEOSTATION>
Thank you for the tutorial, hope you could help me.
cheers from france
victor
oh, i forgot that line:
insmod tun.ko
insmod: error inserting ‘tun.ko’: -1 File exists
think that’s the problem…
victor
damned…i didn’t see the other page.
dumb
ahahah
salut !
me again…
i have that ugly message
#cd /opt/etc/init.d
#./S20openvpn
/opt/sbin/openvpn: error while loading shared libraries: liblzo2.so.2: cannot open shared object file: No such file or directory
what do you think about that ? any ideas ?
sorry for spamming
victor
Hi Victor,
Sorry for the late reply, been busy with some real life stuff.
I’m not sure if the lzo issue is introduced by firmware 2.3. My article is actually tested on firmware 2.1/2.2 only.
Can you ssh to the box, sudo to root and then try the following command?
Lemme know the result.
hi ray,
thank you for the reply.
here the result of
# ipkg list_installed | grep lzo
lzo – 1.08-2 -
# ipkg list_installed | grep openvpn
openvpn – 2.1.1-2 – SSL based VPN server with Windows client support
Hope DSM 2.3 is ok
Hi Victor,
I’m not sure if reinstalling lzo helps or not. Wondering if you would like to give it a try?
#ipkg -force-reinstall install lzo
hi ray,
you wondered right. I tried
#ipkg -force-reinstall install lzo
and then
# cd /opt/etc/init.d
# ./S20openvpn
and no error message…
However, if i try
#ifconfig
eth0 Link encap:Ethernet HWaddr 00:11:32:04:0A:98
inet addr:192.168.1.40 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:37034 errors:0 dropped:0 overruns:0 frame:0
TX packets:28867 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:512
RX bytes:8396226 (8.0 MiB) TX bytes:10737185 (10.2 MiB)
Interrupt:21
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:137 errors:0 dropped:0 overruns:0 frame:0
TX packets:137 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11919 (11.6 KiB) TX bytes:11919 (11.6 KiB)
no tun.ko appears ..is it normal doc ?
anyway, thanks a lot for your replies.
Hi Victor,
No, it doesn’t seem that the tun driver is being loaded.
Can you try
1. insmod /path/to/your/tun.ko
2. ifconfig
hi ray,
thank you for replying.
1. #insmod /lib/modules/tun.ko
insmod: error inserting ‘tun.ko’: -1 File exists
2. #ifconfig
eth0 Link encap:Ethernet HWaddr 00:11:32:04:0A:98
inet addr:192.168.1.40 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:3851162 errors:0 dropped:0 overruns:0 frame:0
TX packets:4141320 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:512
RX bytes:1022659548 (975.2 MiB) TX bytes:2515571688 (2.3 GiB)
Interrupt:21
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:741 errors:0 dropped:0 overruns:0 frame:0
TX packets:741 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:113702 (111.0 KiB) TX bytes:113702 (111.0 KiB)
bizarre !
Hi Ray,
here is the result :
#lsmod | grep tun
tun 9312 0
so the module tun is running, but not tun.ko…? can i kill that module..?
I tried
#rmmod tun
then
( (just eth0 and lo)
#lsmod | grep tun
nothing appear (normal), then
#insmod /lib/modules/tun.ko
nothing appear, ok.
#ifconfig
nothing new
what’s the matter?
Hi Victor,
the tun.ko is not good. Maybe you can compile your own tun driver and try again (refer to series 23 for compile instruction)
Good luck
Thank you very much for a very good and easy guide !
I have one question: The connection seems to be VERY slow, in best case I get something like 100 Kbyte/sec. My internet connection is 100 Mbit down and 10 Mbit up. Normally I can upload at least 1 Mbyte / sec., so I doubt that my internet connection is the problem.
Any ideas ?
Hard to say in just a few words; there are way too many factors able to affect the perf. My guess would be the processor power, available memory, ISP or country VPN traffic monitoring, TCP overhead (try UDP instead), router QoS setting … and a lot more, and it does take quite some time to figure it out.