Created
January 17, 2017 12:36
-
-
Save dcava/400848953426aa0235fe4735928e13b9 to your computer and use it in GitHub Desktop.
Setup OpenVPN on Synology DSM6
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Personal reminder guide on how to more securely setup OpenVPN on Synology DSM 6.2+ (Jan 2017) | |
| Issues fixed: | |
| 1. Default OpenVPN is secured with auth-use-pass only | |
| 2. no HMAC | |
| 3. no client certificate | |
| 4. no DH | |
| Problems: | |
| 1. I'm not sure this will survive an update to the VPN server (not sure if the openvpn.conf is overwritten) or if the keys/certs are messed with | |
| 2. From what I can tell, the synology setup requires auth-use-pass even if you use a cert/key setup | |
| Steps: | |
| 1. Generate a CA | |
| 2. server cert + key + DH | |
| 3. client cert + key | |
| 4. ta.key (static VPN key for HMAC) | |
| {do this with easy-rsa on a client machine - just easy than stuffing around on syno although I suppose could all be done with openssl. Using the gui to generate a new CA/self-signed cert is ok, but then you have to create client certs and it is a pain} | |
| 5. Generate a combined .ovpn file including keys for ease of distribution | |
| (I used https://gist.github.com/trovao/18e428b5a758df24455b with a few changes) | |
| 6. Edit server openvpn configuration | |
| 7. edit client .ovpn file | |
| Acknowledgement: | |
| https://kingtut666.wordpress.com/2015/11/24/improving-openvpn-security-on-synology-nas/ has good info on where to find the syno openVPN config files and how to create ta.key (but doesn't do client certs) | |
| The important two paths are: | |
| /var/packages/VPNCenter/target/etc/openvpn/ is where synology will copy the keys if you setup certificates via the syno gui and has the templates for user ovpns | |
| /usr/syno/etc/packages/VPNCenter/openvpn is the main configuration directory. It also has a "keys" directory. I have a suspicion one of these is going to get overwritten on package update - will see. | |
| https://renatocunha.com/blog/2014/12/openvpn-android/ is a good openvpn setup guide with android specific parts and the nice script from before | |
| https://www.sparklabs.com/support/kb/article/creating-certificates-and-keys-for-your-openvpn-server/ has some info on using the recent version of easy-rsa | |
| Short version: | |
| 1,2,3 - Use the sparkle tutorial | |
| 4 - 'openvpn --genkey --secret ta.key' | |
| 5 - https://gist.github.com/trovao/18e428b5a758df24455b | |
| 6: set these correctly - i put all the server keys in /var/packages/VPNCenter/target/etc/openvpn/keys but could go anywhere (and maybe better to go to /usr/local somewhere to avoid overwrite) | |
| ca /var/packages/VPNCenter/target/etc/openvpn/keys/ca.crt # Path to the Certificate Authority's public certificate | |
| cert /var/packages/VPNCenter/target/etc/openvpn/keys/example.com.crt # This **server's** certificate | |
| key /var/packages/VPNCenter/target/etc/openvpn/keys/example.com.key # This **server's** private key | |
| dh /var/packages/VPNCenter/target/etc/openvpn/keys/dh2048.pem # The Diffie-Hellman key-exchange parameters | |
| tls-auth keys/ta.key 0 # Shared secret, server mode | |
| you can adjust other parameters if desired | |
| 7 - I found i had to add back auth-user-pass even though I don't have it requested in the server setup?? Must be a config file I am missing on the syno somwhere or maybe the radius plugin is causing probs? |
#To start/stop
/var/packages/VPNCenter/scripts/./start-stop-status start
/var/packages/VPNCenter/scripts/./start-stop-status stop
#or perhaps this:
synoservice --restart pkgctl-VPNCenter
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Also,
enable log-append /var/log/openvpn.log
to see issues