Setting up OpenVPN on a Synology NAS is not as easy as I thought it would be. Specifically, enabling client-side certificate checking is not just a tick in a box. Below are the steps I followed to get it working.
PKI settings
The first thing is to set up my own CA so I can create and sign my own server and client certificates. I used an awesome tool for this from GitHub, easy-rsa. Clone it, then change the variables as needed.
git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3/
cp vars.example vars
vi vars
In the vars file I updated, for example, the following fields:
set_var EASYRSA_DN "org"
set_var EASYRSA_REQ_COUNTRY "NL"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "me@example.net"
set_var EASYRSA_REQ_OU "My Organizational Unit"
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 825
After changing the vars you can create your own PKI CA. The following commands initialize the PKI and generate the CA. The CA is the root of trust, so choose your passphrase wisely! If it gets compromised, whoever holds it can sign their own client certificates, and your server will accept them.
./easyrsa init-pki
./easyrsa build-ca
Generate Server Certificate and key
Generate a server certificate and key.
./easyrsa build-server-full synology_NAS_OpenVPN nopass
Two files are generated; you need these later to upload to your NAS:
easy-rsa/easyrsa3/pki/issued/synology_NAS_OpenVPN.crt
easy-rsa/easyrsa3/pki/private/synology_NAS_OpenVPN.key
Generate Client Certificate and key
Generate a client certificate and key, or more than one if you need more devices to connect to the VPN.
./easyrsa build-client-full client_peter nopass
Two files are generated; you need these later to upload to the device that will connect to the VPN:
easy-rsa/easyrsa3/pki/issued/client_peter.crt
easy-rsa/easyrsa3/pki/private/client_peter.key
Install VPNServer package on Synology NAS
Now you need the VPN Server package on your Synology NAS. Go to the admin page, e.g. https://192.168.1.1:5001/, and go to Package Center > All Packages. Search for VPN Server and click Install when found. After installing, don’t run it yet. If it is already running, click Stop. If you are working remotely over the current VPN, please don’t ;)
Now you also need to SSH to your NAS to manually set OpenVPN to accept only clients that present a valid certificate. Otherwise this whole extra certificate factor (the 2FA) can simply be bypassed by a client that connects without one.
SSH to your NAS and edit the file below:
vi /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf
Remove the line below, or comment it out with a #:
#client-cert-not-required
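As an added check (example script, not from the original post): a small shell function that audits an OpenVPN server config and reports whether client certificate verification is actually enforced, covering both the old client-cert-not-required directive above and the newer verify-client-cert form. The sample configs are constructed inline; on the NAS you would point it at the openvpn.conf path above.

```shell
#!/bin/sh
# Added example: audit an OpenVPN server config for client-certificate enforcement.
# The sample configs below are constructed for the demo; on the NAS you would pass
# /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf instead.

# Prints "enforced" and returns 0 when every client must present a certificate;
# otherwise prints the weakening directive and returns 1.
check_client_cert_enforced() {
    conf="$1"
    # Keep only active directives: trim leading whitespace, drop # and ; comment lines.
    active=$(sed -e 's/^[[:space:]]*//' -e '/^[#;]/d' "$conf")
    # Legacy directive (still honoured by OpenVPN): disables client cert checks outright.
    if printf '%s\n' "$active" | grep -q '^client-cert-not-required'; then
        echo "NOT enforced: client-cert-not-required is active"
        return 1
    fi
    # Newer form; the last occurrence wins, and an absent directive means "require".
    mode=$(printf '%s\n' "$active" | awk '$1=="verify-client-cert"{m=$2} END{print m}')
    case "$mode" in
        none|optional)
            echo "NOT enforced: verify-client-cert $mode"
            return 1 ;;
        *)
            echo "enforced"
            return 0 ;;
    esac
}

# Constructed samples: the state before the edit, after commenting the line out,
# and the verify-client-cert variant.
tmp=$(mktemp -d)
printf 'dev tun\nproto udp\nclient-cert-not-required\n' > "$tmp/before.conf"
printf 'dev tun\nproto udp\n#client-cert-not-required\n' > "$tmp/after.conf"
printf 'dev tun\n# verify-client-cert none\nverify-client-cert require\n' > "$tmp/newer.conf"

for f in before after newer; do
    printf '%s: ' "$f"
    check_client_cert_enforced "$tmp/$f.conf" || true
done
```

Run it again after restarting VPN Server, since the package can rewrite its config on start.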
Upload Certificate to Synology NAS
To upload them to your NAS, go to the admin page, e.g. https://192.168.1.1:5001/, and go to Control Panel > Security > Certificate, then click Add:
- Add a new certificate
- Import certificate
- Private key: use file
easy-rsa/easyrsa3/pki/private/synology_NAS_OpenVPN.key
- Certificate: use file
easy-rsa/easyrsa3/pki/issued/synology_NAS_OpenVPN.crt
- Intermediate certificate: use file
easy-rsa/easyrsa3/pki/ca.crt
- click OK
Then, again in Control Panel > Security > Certificate, click Configure and select the just uploaded certificate behind VPN Server. Now go back to Package Center and click Run for the VPN Server package. If you skip this (restarting VPN Server) you may still be talking to a VPN Server that is serving the previous certificate.
VPN Server settings on Synology NAS
Now that the correct certificate is uploaded and VPN Server is started, you can change some last settings if needed, like:
- Privilege: creating a specific VPN user might be a wise idea; give only that user privileges to use OpenVPN.
- OpenVPN: tick Enable OpenVPN server and change settings if wanted.
You could now click Export Configuration, but that configuration is incomplete/incorrect. Therefore I generated my own OpenVPN config.
Generate Client OpenVPN config
I used the following configuration for the client and named it VPNConfig-client-peter.ovpn. Be aware this file contains your private key (so this is your 2FA): store it securely, or throw it away after setting up OpenVPN.
dev tun
tls-client
remote <YOUR PUBLIC IP> 1194
redirect-gateway def1 # if you want all traffic tunneled
pull
proto udp
script-security 2
comp-lzo
reneg-sec 0
cipher AES-256-CBC
auth SHA512
auth-user-pass # first factor: the Synology user credentials
remote-cert-tls server # only accept a server certificate issued for server use
<ca>
-----BEGIN CERTIFICATE-----
... paste contents of easy-rsa/easyrsa3/pki/ca.crt
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
... paste contents of easy-rsa/easyrsa3/pki/issued/client_peter.crt
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
... paste contents of easy-rsa/easyrsa3/pki/private/client_peter.key
-----END PRIVATE KEY-----
</key>
Install OpenVPN Connect
Download the client from https://openvpn.net/vpn-client/ and use the above file to connect, logging in with the credentials of the user you have given privileges to use OpenVPN (see above).
That should do it. Good luck!
Thank you so much for thoroughly documenting this process — it was enormously helpful. I’d been meaning to set this up for a while, but all the other tutorials I found require too much mucking around in the Linux system for my tastes. Much better to use the features already built in to Synology’s apps!
I should also mention I first tried following instructions on the Dutch Synology forum ( https://www.synology-forum.nl/vpn-server/beter-beveiligde-openvpn/ ) but ran into issues transferring the certificates with WinSCP. However, the first section of that guide is still quite useful for setting up XCA as a certificate authority.
How can you revoke the created certificate? RSA revoke script is missing…
… just a minor editorial comment
near the end of your text for the Client OpenVPN config
“client_peter.crt” should instead be “client_peter.key”
I think most folks wouldn’t have a problem getting it right just the same.
Regards,
Mike Amaral
As an update, a very similar feature is now built in to the VPN Server. It’s called TLS-Auth. You can enable it in Synology -> VPN Server -> OpenVPN -> Verify TLS auth key.
Without the TLS-Auth key in the config file, the server will ignore the connection from the very first packet. With UDP that means unless you have the tls-auth key it won’t respond at all, making it harder to catch in a port scan.
The downside is that you can’t make multiple tls-auth keys, one for each user, and if you want to completely revoke a user besides just disabling the account, you’ll have to reissue new config files to all the users as the TLS-Auth key is the same for every user.
In general, it seems much more secure and I like that it makes the server appear stealthy now.
https://openvpn.net/community-resources/hardening-openvpn-security/
Thank you for the information, it has been very useful and I have got it to work. May I add the following instructions as well:
1. On the DSM Synology OpenVPN setting:
uncheck “Verify TLS auth key”
uncheck “verify Server CN”
2. On the DSM Control Panel->Security->Certificate->Settings
select the self cert that you just generated and added to DSM
3. On DSM, modify the file /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf
# verify-client-cert none
# modified to:
verify-client-cert require
For 2. above, I meant set the VPNserver cert to the self signed cert that you just added!