Synology NAS with OpenVPN with client certificate

Setting up OpenVPN on a Synology NAS is not as easy as I thought it would be. Specifically, enabling client-side certificate checking is not just a tick in a box. Below are the steps I followed to get it working.

PKI settings

The first thing is to set up my own CA so I can create and sign my own server and client certificates. I used an awesome tool for this from GitHub, easy-rsa. Clone it, then change the variables as needed.

git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3/
cp vars.example vars
vi vars

In the vars file I updated, for example, the following fields:

set_var EASYRSA_DN    "org"
set_var EASYRSA_REQ_COUNTRY  "NL"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY     "San Francisco"
set_var EASYRSA_REQ_ORG      "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL    "me@example.net"
set_var EASYRSA_REQ_OU       "My Organizational Unit"
set_var EASYRSA_CA_EXPIRE    3650
set_var EASYRSA_CERT_EXPIRE  825

After changing the vars you can create your own PKI and CA. The following commands initialize the PKI and generate the CA. The CA is important, so choose its passphrase wisely! If the CA key gets compromised, it can be used to sign further client certificates that your VPN server will trust.

./easyrsa init-pki
./easyrsa build-ca

Generate Server Certificate and key

Generate a server certificate and key.

./easyrsa build-server-full synology_NAS_OpenVPN nopass

Two files are generated; you will need these later to upload to your NAS.

easy-rsa/easyrsa3/pki/issued/synology_NAS_OpenVPN.crt
easy-rsa/easyrsa3/pki/private/synology_NAS_OpenVPN.key

Generate Client Certificate and key

Generate a client certificate and key, or several if more devices need to connect to the VPN.

./easyrsa build-client-full client_peter nopass

Two files are generated; you will need these later on the device that will connect to the VPN.

easy-rsa/easyrsa3/pki/issued/client_peter.crt
easy-rsa/easyrsa3/pki/private/client_peter.key

Install VPNServer package on Synology NAS

Now you need the VPN Server package on your Synology NAS. Go to the admin page, e.g. https://192.168.1.1:5001/, and open Package Center > All Packages. Search for VPN Server and click Install when found. After installing, don't run it yet. If it is already running, click Stop. If you are working remotely over the current VPN, please don't ;)

You also need to SSH into your NAS and manually configure OpenVPN to accept only clients that present a certificate. Otherwise this whole extra certificate factor (the 2FA) can simply be bypassed.

SSH into your NAS and edit the file below:

vi /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf

Remove the following line, or comment it out with a #:

#client-cert-not-required

Upload Certificate to Synology NAS

To upload them to your NAS, go to the admin page, e.g. https://192.168.1.1:5001/, and open Control Panel > Security > Certificate. Then click Add:

  • Add a new certificate
  • Import certificate
    • Private key: use file easy-rsa/easyrsa3/pki/private/synology_NAS_OpenVPN.key
    • Certificate: use file easy-rsa/easyrsa3/pki/issued/synology_NAS_OpenVPN.crt
    • Intermediate certificate: use file easy-rsa/easyrsa3/pki/ca.crt
  • click OK

Then, again in Control Panel > Security > Certificate, click Configure and select the just-uploaded certificate next to VPN Server. Now go back to Package Center and click Run for the VPN Server package. If you skip this (restarting VPN Server), you may be talking to a VPN Server that is still serving the previous certificate.

VPN Server settings on Synology NAS

Now that the correct certificate is uploaded and VPN Server is started, you can change a few last settings if needed, such as:

  • Privilege: using a dedicated VPN user is probably a wise idea; give only that user the OpenVPN privilege.
  • OpenVPN: tick Enable OpenVPN server and change settings as wanted.

You could now click Export Configuration, but that configuration is incomplete/incorrect. Therefore I generated my own OpenVPN config.

Generate Client OpenVPN config

I used the following configuration for the client and named it VPNConfig-client-peter.ovpn. Be aware that this file contains your private key (this is your second factor), so store it securely or throw it away after setting up OpenVPN.

dev tun
tls-client
remote <YOUR PUBLIC IP> 1194
redirect-gateway def1  # if you want all traffic tunneled
pull
proto udp
script-security 2
comp-lzo
reneg-sec 0
cipher AES-256-CBC
auth SHA512
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
... input from easy-rsa/easyrsa3/pki/ca.crt
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
... input from easy-rsa/easyrsa3/pki/issued/client_peter.crt
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
... input from easy-rsa/easyrsa3/pki/private/client_peter.key
-----END PRIVATE KEY-----
</key>
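Two things in this post are easy to get wrong silently: leaving client-cert-not-required active on the NAS (the password alone then opens the tunnel), and pasting the wrong PEM file into an inline block of the .ovpn profile. The Python below is an added example, not part of the original post or of Synology's or OpenVPN's code; it parses a server config and an inline-style client profile and reports both mistakes. The sample configs and profile are constructed, and the verify-client-cert check covers the OpenVPN 2.4+ spelling of the same directive.

```python
import re

# Constructed samples, not from the post. The weak server config keeps the
# line the post says to comment out, so a password alone gets you in.
SERVER_CONF_WEAK = "port 1194\nproto udp\ndev tun\nclient-cert-not-required\n"
SERVER_CONF_FIXED = "port 1194\nproto udp\ndev tun\n#client-cert-not-required\n"

def server_requires_client_cert(conf):
    """False if an active (uncommented) line turns off client-cert checking."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line == "client-cert-not-required":
            return False
        if line.startswith("verify-client-cert") and line.split()[-1] == "none":  # 2.4+ form
            return False
    return True

INLINE_RE = re.compile(r"<(ca|cert|key)>\s*(.*?)\s*</\1>", re.S)
EXPECTED_PEM = {"ca": "CERTIFICATE", "cert": "CERTIFICATE", "key": "PRIVATE KEY"}
REQUIRED = ("tls-client", "remote-cert-tls", "auth-user-pass")

def check_client_profile(ovpn):
    """Return the problems found in an inline-style .ovpn profile."""
    names = {l.split()[0] for l in ovpn.splitlines()
             if l.strip() and not l.startswith(("#", ";", "<", "-----"))}
    problems = [f"missing directive: {d}" for d in REQUIRED if d not in names]
    blocks = {m.group(1): m.group(2) for m in INLINE_RE.finditer(ovpn)}
    for name, pem in EXPECTED_PEM.items():  # each block must hold the right PEM type
        body = blocks.get(name)
        if body is None:
            problems.append(f"missing <{name}> block")
        elif not body.startswith(f"-----BEGIN {pem}-----"):
            problems.append(f"<{name}> does not contain a {pem} PEM")
    return problems

# Constructed profile (PEM bodies omitted) with the client .crt pasted into <key> by mistake.
CLIENT_OVPN = """tls-client
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</key>"""
```

Run server_requires_client_cert over the NAS openvpn.conf after editing it, and check_client_profile over each .ovpn you hand out; an empty list means the profile has the three security-relevant directives and the right PEM type in each block.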

Install OpenVPN Connect

Download the client from https://openvpn.net/vpn-client/, import the above file to connect, and log in with the credentials of the user you gave OpenVPN privileges to (see above).

That should do it. Good luck!

Installing Nortel VPNC on Ubuntu

I'm running Ubuntu 12.04.1 wheezy/sid and I needed a way to connect to the office Nortel VPN server. On a Windows machine you normally use the Nortel Contivity Client, but this is not available for Linux. There is a Nortel branch of vpnc available, which you can find here.

The first step is to install svn-buildpackage; use the command below for this. Some extra packages come with this install, but that is OK.

apt-get install svn-buildpackage

Now you can do a check-out on the SVN repository:

svn co -r517 http://svn.unix-ag.uni-kl.de/vpnc/branches/vpnc-nortel

This downloads the files into a new directory (vpnc-nortel) in your current location.

Now it is time to install the vpnc client. Go to the vpnc-nortel directory you just checked out and run the command:

make

This should compile the files for your OS, but the first time it failed for me with the error message:

root@ubuntu:~/vpnc-nortel# make
Package gnutls was not found in the pkg-config search path.
Perhaps you should add the directory containing `gnutls.pc'
to the PKG_CONFIG_PATH environment variable
No package 'gnutls' found
...

To solve this issue you should first install libgnutls-dev:

apt-get install libgnutls-dev

Then you can try again:

make
make install

The make install should give output like this:

root@ubuntu:~/vpnc-nortel# make install
install -d /etc/vpnc /usr/local/bin /usr/local/sbin /usr/local/share/man/man1 /usr/local/share/man/man8 /usr/local/share/doc/vpnc
if [ "`uname -s | cut -c-6`" = "CYGWIN" ]; then \
		install vpnc-script-win /etc/vpnc/vpnc-script; \
		install vpnc-script-win.js /etc/vpnc; \
	else \
		install vpnc-script /etc/vpnc; \
	fi
install -m600 vpnc.conf /etc/vpnc/default.conf
install -m755 vpnc-disconnect /usr/local/sbin
install -m755 pcf2vpnc /usr/local/bin
install -m644 vpnc.8 /usr/local/share/man/man8
install -m644 pcf2vpnc.1 /usr/local/share/man/man1
install -m644 cisco-decrypt.1 /usr/local/share/man/man1
install -m644 COPYING /usr/local/share/doc/vpnc
install -m755 vpnc /usr/local/sbin
install -m755 cisco-decrypt /usr/local/bin

The last thing to do is to edit the configuration file to match your company's settings. In my case the configuration file (/etc/vpnc/default.conf) looks like this:

IPSec gateway 
IPSec ID 
IPSec secret 
Xauth username 
Vendor nortel
IKE Authmode gpassword
Enable Single DES
IKE DH Group dh1

Now you're ready!
To start vpnc, run:

vpnc

and to stop vpnc:

vpnc-disconnect