    pfSense OpenVPN server and Synology OpenVPN client

    • R
      robi last edited by

      It's a PITA to set up Synology NAS units as clients to pfSense OpenVPN because Synology simply rejects the .ovpn config files without any meaningful error message, it just asks to try with a different config - but doesn't give any clue what's the reason for that.

      After lots of googling and trial-and-error work, I've finally managed to set this up, I'm sharing below for anybody interested, just to save some days of research:

      On pfSense, you need to create an OpenVPN server in "Remote Access (SSL/TLS + User Auth)" mode (need to set up a CA, a server certificate and a user/password with a client certificate prior to creating the server).
      You should choose a UDP port.
      Make sure you use a TLS Key (let pfSense generate the key).
      TLS Key usage mode is "TLS Authentication".
      TLS Key dir is default.
      Set Encryption Algorithm first to AES-128-CBC for compatibility but you may want to try others too (don't know which is supported by Synology). NCP algorithm also set to AES-128-GCM at first. Since Synology NASes vary from very modest embedded CPUs to Xeons, I assume not all algorithms are supported on all platforms, so this really depends on the hardware in Synology.
      Auth digest is SHA256.
      Cert Depth: Do not check.
      UDP Fast I/O and Gateway Creation IPv4 Only.

      Go to Client Export and choose Inline Configuration -> Most Clients. It will export you an .ovpn file with the keys/certs built-in.
      Before uploading to Synology NAS, open this file in a text editor and comment out "ncp-disable" directive, and remove "udp4" from the remote directive, instead add new directive "proto udp". Save it.

      After that, go to Synology control panel, Network Interface, create VPN profile, choose OpenVPN. Input your username and password you've created just for this and browse for your modified .ovpn file. Make sure you select to restart connection if breaks. It should accept it immediately. Right-click > Connect, should work.

      You might also want to follow Benoit Blanchon's guide to automatically start up OpenVPN connection on Synology boot:
      https://blog.benoitblanchon.fr/synology-auto-connect-vpn-at-startup/

      Cheers!

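The three edits to the exported .ovpn file described in the post above can be scripted. This is an added example, not part of the original post; the function names and the hostname `vpn.example.invalid` are hypothetical, and the sample export is constructed.

```sh
#!/bin/sh
# Added example: apply the post's three edits to a pfSense inline export.
# fix_ovpn_for_synology FILE  -> rewritten config on stdout
fix_ovpn_for_synology() {
    # Do not add a second "proto" line if the file already has one.
    have_proto=0
    grep -Eq '^[[:space:]]*proto[[:space:]]' "$1" && have_proto=1
    awk -v have_proto="$have_proto" '
        # Inline <ca>/<cert>/<key>/<tls-auth> blocks are copied untouched.
        /^<\/[a-z-]+>/ { inline = 0; print; next }
        /^<[a-z-]+>/   { inline = 1; print; next }
        inline         { print; next }
        # Edit 1: comment out ncp-disable.
        $1 == "ncp-disable" { print "#" $0; next }
        # Edit 2: drop "udp4" from the remote line.
        # Edit 3: add "proto udp" right after it (once).
        $1 == "remote" && $NF == "udp4" {
            sub(/[ \t]+udp4[ \t]*$/, "")
            print
            if (!have_proto) { print "proto udp"; have_proto = 1 }
            next
        }
        { print }
    ' "$1"
}

# Constructed sample export (hostname and certificate body are placeholders).
sample_export() {
    cat <<'EOF'
ncp-disable
cipher AES-128-CBC
auth SHA256
client
remote vpn.example.invalid 1194 udp4
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
placeholder, not a real certificate
-----END CERTIFICATE-----
</ca>
EOF
}

# Usage: sh fix-ovpn.sh exported.ovpn > synology.ovpn
if [ "$#" -ge 1 ]; then fix_ovpn_for_synology "$1"; fi
```

Running it a second time on its own output changes nothing, so it is safe to re-run on a file that was already edited by hand.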
      • R
        robi last edited by

        Working on pfSense 2.4.5-RELEASE-p1 and Synology DSM 6.2.3-25426 Update 3.

          • R
            robi @robi last edited by robi

            OK, I've noticed that there's maybe a bug in Synology's synovpnc client, as after some reconnect commands are issued the connection becomes unstable and the keys go out of sync. To fix it, either a manual reconnect or a reboot of the Synology is required.

            So avoid using reconnect, but instead go with Benoit Blanchon's guide above, and use this in the /root/connect-vpn script:

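            #!/bin/sh

            # Configuration ID of the VPN profile to connect
            ID=o1481981647

            # Write the profile's id, name and protocol to the vpnc_connecting file
            cat >/usr/syno/etc/synovpnclient/vpnc_connecting <<END
            conf_id=$ID
            conf_name=MyVpnConnection
            proto=openvpn
            END

            # Connect only when synovpnc reports that no connection is up
            if synovpnc get_conn | grep "No connection"; then
               echo "Re-establishing VPN"
               synovpnc connect --id="$ID"
            fi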

            And schedule /root/connect-vpn in Synology as a daily task. It will call the connection only if it is down for any reason. Also at boot.
