pfSense OpenVPN server and Synology OpenVPN client

robi · Jan 6, 2021, 4:43 PM

It's a PITA to set up Synology NAS units as clients to pfSense OpenVPN because Synology simply rejects the .ovpn config files without any meaningful error message, it just asks to try with a different config - but doesn't give any clue what's the reason for that.

After lots of googling and trial-and-error work, I've finally managed to set this up, I'm sharing below for anybody interested, just to save some days of research:

On pfSense, you need to create an OpenVPN server in "Remote Access (SSL/TLS + User Auth)" mode (need to set up a CA, a server certificate and a user/password with a client certificate prior to creating the server).
You should choose an UDP port.
Make sure you use a TLS Key (let pfSense generate the key).
TLS Key usage mode is "TLS Authentication".
TLS Key dir is default.
Set Encryption Algorithm first to AES-128-CBC for compatibility but you may want to try others too (don't know which is suppprted by Synology). NCP algorythm also set to AES-128-GCM at first. Since Synology NASes vary from very modest embedded CPUs to Xeons, I assume not all algorythms are supported on all platforms, so this really depends on the hardware in Synology.
Auth digest is SHA256.
Cert Depth: Do not check.
UDP Fast I/O and Gateway Creation IPv4 Only.

Go to Client Export and choose Inline Configuration -> Most Clients. It will export you an .ovpn file with the keys/certs built-in.
Before uploading to Synology NAS, open this file in a text editor and comment out "ncp-disable" directive, and remove "udp4" from the remote directive, instead add new directive "proto udp". Save it.

After that, go to Synology control panel, Network Interface, create VPN profile, choose OpenVPN. Input your username and password you've created just for this and browse for your modified .ovpn file. Make sure you select to restart connection if breaks. It should accept it immediately. Right-click > Connect, should work.

You might also want to follow Benoit Blanchon's guide to automatically start up OpenVPN connection on Synology boot:
https://blog.benoitblanchon.fr/synology-auto-connect-vpn-at-startup/

Cheers!

robi · Jan 7, 2021, 7:05 AM

Working on pfSense 2.4.5-RELEASE-p1 and Synology DSM 6.2.3-25426 Update 3.

robi · Feb 2, 2021, 11:06 AM

This post is deleted!

robi · Mar 7, 2021, 5:54 PM

OK I've noticed that there's a bug maybe in Synology's synovpnc client as after some reconnect commands issued the connection becomes unstable and keys go out of sync. To fix either reconnect manually or reboot Synology is required.

So avoid using reconnet, but instead go with Benoit Blanchon's guide above, and use this in the /root/connect-vpn script:

#!/bin/sh

ID=o1481981647

cat >/usr/syno/etc/synovpnclient/vpnc_connecting <<END
conf_id=$ID
conf_name=MyVpnConnection
proto=openvpn
END

if synovpnc get_conn | grep "No connection"; then
   echo "Re-establishing VPN"
   synovpnc connect --id=$ID
fi

And schedule /root/connect-vpn in Synology as a daily task. It will call the connection only if it is down for any reason. Also at boot.

selfjc · Mar 7, 2021, 5:54 PM

@robi Would you be able to upload your ovpn file (after removing the key text, etc.)?

I am trying this as well but am having no luck.

robi · Mar 7, 2021, 6:04 PM

@selfjc https://community.synology.com/enu/forum/1/post/140054

dgall · Mar 19, 2022, 9:14 PM

@robi your right it is a PITA I have been messing with this for 2 hours and still cant get it to work

robi · Oct 26, 2022, 7:24 PM

Update, for DSM7:

The steps to configure the OpenVPN server in pfSense (v2.6.0) remain the same as described above in the OP.

When exporting: go to Client Export and choose "Do not include OpenVPN 2.5 settings in the client configuration."
Select Inline Configuration -> Most Clients. It will export you an .ovpn file with the keys/certs built-in.
Before uploading to Synology NAS, open this file in a text editor and comment out "ncp-disable" directive, and change "udp4" to "udp" (if present).

On Synology DSM7 side, subtle changes:

In Synology NAS, go to Control Panel > Network > General > Advanced Settings button. Check "Enable Multiple Gateways".
After that go to, Network Interface > Create > Create VPN profile, choose OpenVPN. Input your username and password you've created just for this and browse for your .ovpn file. Make sure you select to restart connection if breaks. It should accept it immediately. Select the new VPN Connection and click Connect button.

As far as I noticed, there's no need to trick around anymore with starting the connection at boot, DSM 7 will automatically restart the VPN connection after it reboots, as long as you have ticked the option to reconnect when connection is lost.