Netgate Discussion Forum

pfSense OpenVPN server and Synology OpenVPN client

  • R
    robi
    last edited by Jan 6, 2021, 4:43 PM

    It's a PITA to set up Synology NAS units as clients to pfSense OpenVPN because Synology simply rejects the .ovpn config files without any meaningful error message, it just asks to try with a different config - but doesn't give any clue what's the reason for that.

    After lots of googling and trial-and-error work, I've finally managed to set this up, I'm sharing below for anybody interested, just to save some days of research:

    On pfSense, you need to create an OpenVPN server in "Remote Access (SSL/TLS + User Auth)" mode (need to set up a CA, a server certificate and a user/password with a client certificate prior to creating the server).
    You should choose an UDP port.
    Make sure you use a TLS Key (let pfSense generate the key).
    TLS Key usage mode is "TLS Authentication".
    TLS Key dir is default.
    Set Encryption Algorithm first to AES-128-CBC for compatibility but you may want to try others too (don't know which is supported by Synology). NCP algorithm also set to AES-128-GCM at first. Since Synology NASes vary from very modest embedded CPUs to Xeons, I assume not all algorithms are supported on all platforms, so this really depends on the hardware in Synology.
    Auth digest is SHA256.
    Cert Depth: Do not check.
    UDP Fast I/O and Gateway Creation IPv4 Only.

    Go to Client Export and choose Inline Configuration -> Most Clients. It will export you an .ovpn file with the keys/certs built-in.
    Before uploading to Synology NAS, open this file in a text editor and comment out "ncp-disable" directive, and remove "udp4" from the remote directive, instead add new directive "proto udp". Save it.

    After that, go to Synology control panel, Network Interface, create VPN profile, choose OpenVPN. Input your username and password you've created just for this and browse for your modified .ovpn file. Make sure you select to restart connection if breaks. It should accept it immediately. Right-click > Connect, should work.

    You might also want to follow Benoit Blanchon's guide to automatically start up OpenVPN connection on Synology boot:
    https://blog.benoitblanchon.fr/synology-auto-connect-vpn-at-startup/

    Cheers!

    • R
      robi
      last edited by Jan 7, 2021, 7:05 AM

      Working on pfSense 2.4.5-RELEASE-p1 and Synology DSM 6.2.3-25426 Update 3.

        • R
          robi @robi
          last edited by robi Feb 9, 2021, 12:37 PM Feb 9, 2021, 12:24 PM

          OK I've noticed that there's a bug maybe in Synology's synovpnc client as after some reconnect commands issued the connection becomes unstable and keys go out of sync. To fix either reconnect manually or reboot Synology is required.

          So avoid using reconnect, but instead go with Benoit Blanchon's guide above, and use this in the /root/connect-vpn script:

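          #!/bin/sh

          # ID and name of the VPN profile (values specific to this NAS)
          ID=o1481981647

          # Describe the profile to connect in vpnc_connecting
          cat >/usr/syno/etc/synovpnclient/vpnc_connecting <<END
          conf_id=$ID
          conf_name=MyVpnConnection
          proto=openvpn
          END

          # Connect only when the VPN is currently down
          if synovpnc get_conn | grep -q "No connection"; then
             echo "Re-establishing VPN"
             synovpnc connect --id="$ID"
          fi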
          

          And schedule /root/connect-vpn in Synology as a daily task. It will call the connection only if it is down for any reason. Also at boot.

          • S
            selfjc @robi
            last edited by Mar 7, 2021, 5:54 PM

            @robi Would you be able to upload your ovpn file (after removing the key text, etc.)?

            I am trying this as well but am having no luck.

            • R
              robi @selfjc
              last edited by Mar 7, 2021, 6:04 PM

              @selfjc https://community.synology.com/enu/forum/1/post/140054

              • D
                dgall @robi
                last edited by Mar 19, 2022, 9:14 PM

                @robi you're right it is a PITA I have been messing with this for 2 hours and still can't get it to work

                • R
                  robi
                  last edited by robi Oct 26, 2022, 7:24 PM Oct 26, 2022, 7:17 PM

                  Update, for DSM7:

                  The steps to configure the OpenVPN server in pfSense (v2.6.0) remain the same as described above in the OP.

                  When exporting: go to Client Export and choose "Do not include OpenVPN 2.5 settings in the client configuration."
                  Select Inline Configuration -> Most Clients. It will export you an .ovpn file with the keys/certs built-in.
                  Before uploading to Synology NAS, open this file in a text editor and comment out "ncp-disable" directive, and change "udp4" to "udp" (if present).

                  On Synology DSM7 side, subtle changes:

                  In Synology NAS, go to Control Panel > Network > General > Advanced Settings button. Check "Enable Multiple Gateways".
                  After that, go to Network Interface > Create > Create VPN profile, choose OpenVPN. Input your username and password you've created just for this and browse for your .ovpn file. Make sure you select to restart connection if breaks. It should accept it immediately. Select the new VPN Connection and click Connect button.

                  As far as I noticed, there's no need to trick around anymore with starting the connection at boot, DSM 7 will automatically restart the VPN connection after it reboots, as long as you have ticked the option to reconnect when connection is lost.

                  1 Reply Last reply Reply Quote 0
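The .ovpn edits described in the first post and in the DSM7 update, as an added shell example that is not part of the original thread: it comments out `ncp-disable`, drops `udp4` from the `remote` line, and makes sure a `proto udp` directive is present. The function names, the sample config and its host name are constructed for illustration.

```shell
#!/bin/sh
# fix_ovpn: pfSense inline export on stdin, Synology-ready config on stdout.
fix_ovpn() {
    awk '
    { line[NR] = $0 }
    END {
        # Pass 1: is there already a top-level "proto" directive?
        for (i = 1; i <= NR; i++) {
            split(line[i], f, " ")
            if (f[1] ~ /^<\//) inblock = 0
            else if (f[1] ~ /^</) inblock = 1
            else if (!inblock && f[1] == "proto") hasproto = 1
        }
        # Pass 2: rewrite directives; inline key/cert block bodies pass through.
        inblock = 0
        for (i = 1; i <= NR; i++) {
            n = split(line[i], f, " ")
            if (f[1] ~ /^<\//) inblock = 0
            else if (f[1] ~ /^</) inblock = 1
            else if (!inblock && f[1] == "ncp-disable") line[i] = "# " line[i]
            else if (!inblock && f[1] == "proto" && f[2] == "udp4") line[i] = "proto udp"
            else if (!inblock && f[1] == "remote" && f[n] == "udp4") {
                sub(/[ \t]+udp4[ \t]*$/, "", line[i])
                if (!hasproto) { print "proto udp"; hasproto = 1 }
            }
            print line[i]
        }
    }'
}

# Constructed sample of an exported config (placeholder host, no real key material).
sample_ovpn() {
    cat <<'EOF'
dev tun
ncp-disable
cipher AES-128-CBC
remote vpn.example.com 1194 udp4
auth-user-pass
<tls-auth>
(constructed placeholder, not a key)
</tls-auth>
key-direction 1
EOF
}

# Usage: sh fix-ovpn.sh exported.ovpn synology.ovpn (output is created mode 0600: it embeds the client key)
[ "$#" -ne 2 ] || { umask 077; fix_ovpn < "$1" > "$2"; }
```

Since DSM gives no reason when it rejects a file, diffing the output against the export confirms that only these directives changed.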