pfSense OpenVPN server and Synology OpenVPN client


  • It's a PITA to set up Synology NAS units as clients to pfSense OpenVPN because Synology simply rejects the .ovpn config files without any meaningful error message; it just asks you to try a different config, but doesn't give any clue as to the reason.

    After lots of googling and trial-and-error work, I've finally managed to set this up. I'm sharing it below for anybody interested, just to save some days of research:

    On pfSense, you need to create an OpenVPN server in "Remote Access (SSL/TLS + User Auth)" mode (need to set up a CA, a server certificate and a user/password with a client certificate prior to creating the server).
    You should choose a UDP port.
    Make sure you use a TLS Key (let pfSense generate the key).
    TLS Key usage mode is "TLS Authentication".
    TLS Key dir is default.
    Set Encryption Algorithm first to AES-128-CBC for compatibility, but you may want to try others too (don't know which are supported by Synology). NCP algorithm also set to AES-128-GCM at first. Since Synology NASes vary from very modest embedded CPUs to Xeons, I assume not all algorithms are supported on all platforms, so this really depends on the hardware in the Synology.
    Auth digest is SHA256.
    Cert Depth: Do not check.
    UDP Fast I/O and Gateway Creation IPv4 Only.

    Go to Client Export and choose Inline Configuration -> Most Clients. It will export an .ovpn file with the keys/certs built in.
    Before uploading to the Synology NAS, open this file in a text editor, comment out the "ncp-disable" directive, remove "udp4" from the remote directive and add a new directive "proto udp" instead. Save it.

    After that, go to the Synology control panel, Network Interface, create a VPN profile and choose OpenVPN. Input the username and password you've created just for this and browse for your modified .ovpn file. Make sure you select to restart the connection if it breaks. It should accept it immediately. Right-click > Connect, should work.

    You might also want to follow Benoit Blanchon's guide to automatically start up OpenVPN connection on Synology boot:
    https://blog.benoitblanchon.fr/synology-auto-connect-vpn-at-startup/

    Cheers!


  • Working on pfSense 2.4.5-RELEASE-p1 and Synology DSM 6.2.3-25426 Update 3.
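
The three .ovpn edits from the first post, as an added Python example (not part of the original post and not pfSense or Synology tooling). The sample export, its hostname and port are constructed placeholders and the function name `adapt_for_synology` is hypothetical; lines inside inline certificate/key blocks are passed through unchanged.

```python
import re
import sys

# Constructed sample of an "Inline Configuration -> Most Clients" export
# (hostname, port and certificate body are placeholders, not real values).
SAMPLE_OVPN = """\
dev tun
persist-tun
cipher AES-128-CBC
ncp-disable
auth SHA256
client
remote vpn.example.com 1194 udp4
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
key-direction 1
"""


def adapt_for_synology(text):
    """Comment out ncp-disable, drop udp4 from remote, add 'proto udp' once."""
    out, in_block = [], False
    has_proto = re.search(r"(?m)^[ \t]*proto\s", text) is not None
    for line in text.splitlines():
        s = line.strip()
        if in_block:                        # inside <ca>/<cert>/<key>/<tls-auth>
            in_block = not s.startswith("</")
        elif re.fullmatch(r"<[\w-]+>", s):  # start of an inline block
            in_block = True
        elif s == "ncp-disable":
            line = "# " + line              # commented out, as in the post
        elif s.split()[:1] == ["remote"] and s.split()[-1] == "udp4":
            out.append(" ".join(s.split()[:-1]))
            if not has_proto:               # add the replacement directive once
                out.append("proto udp")
                has_proto = True
            continue
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Filter usage: reads the exported config on stdin, writes the edited one.
    sys.stdout.write(adapt_for_synology(sys.stdin.read()))
```

Run as a filter (exported file on stdin, edited file on stdout) and upload the result to the NAS; running it twice produces the same output.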