Netgate Discussion Forum

    pfSense OpenVPN server compatibility with QNAP (QVPN Service)

    OpenVPN
    12 Posts 2 Posters 3.4k Views

    • kroko

      As per http://docs.qnap.com/nas/4.3/cat2/en/index.html?qvpn.htm
      Connect a VPN server via OpenVPN section
      QVPN Service expects .ovpn and ca.crt

      Yes, I have to load OVPN file.

      I tried .ovpn files generated by

      • Inline Configurations : Most Clients (I use this export option for desktop clients, works)
      • Viscosity : Viscosity Inline Config (I use this export option for desktop clients, works)
      • Bundled Configurations : Config File Only
      • Bundled Configurations : Archive (used .ovpn from archive)
      • Viscosity : Viscosity Bundle (used .ovpn from archive)

      QNAP is OpenVPN 2.4.3 + OpenSSL 1.0.2k

      [~] # openvpn --version
      OpenVPN 2.4.3 x86_64-QNAP-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug  1 2017
      library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.05
      Originally developed by James Yonan
      Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
      Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
      

      The working clients I use are OpenVPN 2.4.4 + LibreSSL 2.6.2 and OpenVPN 2.4.4 + OpenSSL 1.0.2m.

      Assuming that there is a client-server OpenVPN version incompatibility (which it seems is not there: 2.4.x matches, 1.0.2 matches)… I really doubt that simply on config file upload it is trying to establish a connection automatically, that would be so wrong (& connection fails & goes into retry loop). IMHO it fails for some other reason.

      • johnpoz LAYER 8 Global Moderator

        what does the log say?

        From reading that, it doesn't seem like it supports any sort of cert auth.. So you would have to set it up for password only, I would take it?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • kroko

          If I could find any logs I'd sure be posting them. I can't.  :'(

          Your comment on cert auth is a good point.

          I am using SSL/TLS + User Auth mode. Therefore "Enter the connection configuration settings, including the profile name, and the username and password of the VPN server." in the manual did not raise any suspicions, I am used to entering uname and pw.

          Just changed it to User Auth for a test. Checked to be working on other systems.
          When using inline (ca block in ovpn file) or bundled (ca as separate file) ovpn config for User Auth only mode… nothing changes, QNAP still stalls on ovpn file upload (of course I'm updating the QNAP ticket with the findings along the way).

          • johnpoz LAYER 8 Global Moderator

            You could always just manually create the ovpn file.. if the export tool is not putting it in the format that your QNAP likes.. I fail to understand why they wouldn't like you just manually creating the info needed for the connection..

            • kroko

              > I fail to understand why they wouldn't like you just manually creating the info needed for the connection..

              I hope they will explain why and what. Ticket still unanswered.
              I have sent them what the ovpn structure looks like for SSL/TLS + User Auth mode (both inline and certs separated) as well as User Auth mode (both inline and certs separated) when exporting via the pfSense Client Export Package.
              This thread was not meant to be troubleshooting the issue, which seems to be a QNAP bug. I just thought that QNAP is something quite popular (isn't it?) and that somebody surely must have already gone through this and has a working OpenVPN setup (because the other QNAP supported options, PPTP and IKEv1 (L2TP/IPsec), are not the best ones).

              • johnpoz LAYER 8 Global Moderator

                That it still supports PPTP shows you how far behind they are ;)

                As to popular.. Hmmm, it's possible the type of user that would use QNAP isn't always the same type of user that would use pfSense. Or try and use QNAP as a VPN client..

                Why exactly would you want your NAS as a VPN client? Why not just create a site to site VPN between your routers, which is what normal pfSense users might do ;)

                • kroko

                  QNAP is a new offsite backup, w/o guaranteed static IP, and behind a router (n-level cascade) I cannot touch.
                  I could spend some extra and put a midrange off-the-shelf consumer-grade router in front of the QNAP within that offsite LAN to create site to site (I have good experience with OpenWRT on TP-LINKs for site to site OpenVPN), but midrange means low throughput (backups are big). Highend means costs. I do not like either option; the current goal is to have QNAP answer the ticket and sort this out, as QNAP is hardware that should be capable of delivering what's needed (and what their product manual "promises") ;)

                  • johnpoz LAYER 8 Global Moderator

                    I was just bringing up those sorts of scenarios to point out why there might not be a lot of people running into such issues.. I really don't think the NAS being a VPN client is going to be a large use case, to be honest. Server is prob more common for your typical user not having something at the edge like pfSense that can be the VPN server endpoint into the network.

                    • kroko

                      Right.

                      So the issue was with the web interface. Trivial, but it cost time and nerves.  :-\

                      • OpenVPN works on QNAP as client when connecting to pfSense.
                      • Did UPS powerloss simulation, QNAP automatically reconnects after powercycle, great.
                      • It is only username/password based (+ca.crt).
                      • I have addressed auth method issue to QNAP, citing https://community.openvpn.net/openvpn/wiki/Concepts-Authentication#Certificatesvs.usernames and https://community.openvpn.net/openvpn/wiki/Hardening as an argument for security practices in late 2017, let's see what they will reply about plans implementing them.
                      • It seems that there is an issue - drops connection - when "Use default gateway on remote network" is on in QNAP. Which I do not need for QNAP (I use it on every desktop client though) and have unchecked, but it would be nice to have. However I will inspect it in some spare time - many possible reasons why this is happening (client, network, server).
                      • Due to auth stuff I will also look at possibility to run extra OpenVPN server process just for QNAP as hardware easily allows that.
                      • kroko
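Added example, not from the thread and not QNAP's or pfSense's code: a Python script that does by hand what the posts above describe. It takes a pfSense inline client export (the `<ca>`/`<cert>`/`<key>` blocks inside one .ovpn), produces the two inputs the QVPN manual asks for (a username/password-only .ovpn plus a separate ca.crt, i.e. the "User Auth" structure kroko sent to QNAP), and reports which client-side directives from the OpenVPN Hardening wiki the profile carries. The sample export, the hostname vpn.example.net and the PEM bodies are constructed placeholders; the generated profile only works against a server that was switched to User Auth mode, since the client certificate is dropped.

```python
import re

# Constructed sample in the shape of a pfSense "Inline Configurations: Most Clients"
# export for an SSL/TLS + User Auth server. PEM bodies are placeholders, not real keys.
SAMPLE_INLINE_OVPN = """\
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote vpn.example.net 1194 udp
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-TA
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
"""

# One inline <tag>...</tag> block (ca, cert, key, tls-auth, tls-crypt, ...).
INLINE_BLOCK = re.compile(r"^<(?P<tag>[a-z0-9-]+)>\n(?P<body>.*?)^</(?P=tag)>\n?", re.M | re.S)


def split_inline(ovpn_text):
    """Split an inline .ovpn into (plain directive lines, {tag: PEM body})."""
    blocks = {m.group("tag"): m.group("body") for m in INLINE_BLOCK.finditer(ovpn_text)}
    rest = INLINE_BLOCK.sub("", ovpn_text)
    lines = [l.strip() for l in rest.splitlines()
             if l.strip() and not l.lstrip().startswith(("#", ";"))]
    return lines, blocks


def build_user_auth_bundle(ovpn_text):
    """Turn an inline export into the pair QVPN asks for: a .ovpn without client
    certificate material plus a separate ca.crt. Only valid against a server in
    'User Auth' mode; a server that still requires a client cert rejects it."""
    lines, blocks = split_inline(ovpn_text)
    if "ca" not in blocks:
        raise ValueError("export has no <ca> block")
    config = list(lines)
    # Username/password only: <cert> and <key> are intentionally not copied over.
    if not any(l.split()[0] == "auth-user-pass" for l in config):
        config.append("auth-user-pass")
    # The CA moves to its own file, which is what the QVPN manual expects.
    config.append("ca ca.crt")
    # Any HMAC/tls-crypt key stays inline; OpenVPN 2.4 clients accept that.
    for tag in ("tls-auth", "tls-crypt"):
        if tag in blocks:
            config.append(f"<{tag}>\n{blocks[tag]}</{tag}>")
    return {"client.ovpn": "\n".join(config) + "\n", "ca.crt": blocks["ca"]}


def hardening_report(ovpn_text):
    """Presence of client-side directives recommended on the OpenVPN Hardening wiki."""
    lines, blocks = split_inline(ovpn_text)
    first = {l.split()[0]: l.split()[1:] for l in lines}
    return {
        "remote-cert-tls server": first.get("remote-cert-tls") == ["server"],
        "tls-auth/tls-crypt": any(t in blocks or t in first for t in ("tls-auth", "tls-crypt")),
        "verify-x509-name": "verify-x509-name" in first,
        "tls-version-min": "tls-version-min" in first,
        "auth-nocache": "auth-nocache" in first,
    }


if __name__ == "__main__":
    bundle = build_user_auth_bundle(SAMPLE_INLINE_OVPN)
    print(bundle["client.ovpn"])
    for name, present in hardening_report(bundle["client.ovpn"]).items():
        print(("ok      " if present else "MISSING ") + name)
```

Write the two returned strings to client.ovpn and ca.crt and upload them through QVPN. The report on the sample shows what password-only mode costs: the profile still pins the server role with `remote-cert-tls server` and keeps the `tls-auth` key, but nothing identifies this client beyond the username and password, which is the point kroko raised with QNAP.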

                        Just a followup to those who think about cert based OpenVPN from QNAP (client) to pfSense (server). In foreseeable future - password only.

                        From their tech support:

                        I have received information from PM that there are currently no plans for improving QVPN OpenVPN client security. However, I have created a feature request regarding this, so it will be considered and possibly implemented in future.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.