This name will be the public name used by VPN clients to connect to your Access Server, and it should also be specified in the "Hostname or IP Address:" field on the "Server Network Settings" page in the Access Server Admin Web UI. The hostname will be encoded in your certificate from the CA, so it will not be changeable afterwards.

While installing and managing an SSL certificate for your Access Server may seem overly complex, this article tries to cover all the basics so you can get your Access Server secured in a snap. It is important to note that SSL certificates only work when you are using an FQDN for your OpenVPN Access Server installation.

In short: OpenVPN Access Server is "almost free" and plain OpenVPN (Community Edition) is totally free; however, they are configured in different ways. OpenVPN AS has a web interface that simplifies the setup tasks a lot. OpenVPN CE, on the other hand, has to be configured by editing configuration files.

The first step in setting up a Secure VPN (SSTP) is adding the Remote Access Server role on the server. The role is installed from the Server Manager Dashboard: once the Server Manager window opens, click Add Roles and Features; the "Add Roles and Features" wizard starts and you can work through it.

A fragment of the OpenVPN server configuration (server.conf) dealing with routing private subnets back through the tunnel (Jun 25, 2017):

```
# Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push 'route 192.168.10.0 255.255.255.0'
;push 'route 192.168.20.0 255.255.255.0'

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
```
Overview
The first step in building an OpenVPN 2.x configuration is to establish a PKI (public key infrastructure). The PKI consists of:
- a separate certificate (also known as a public key) and private key for the server and each client, and
- a master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates.
OpenVPN supports bidirectional authentication based on certificates, meaning that the client must authenticate the server certificate and the server must authenticate the client certificate before mutual trust is established.
Both server and client will authenticate the other by first verifying that the presented certificate was signed by the master certificate authority (CA), and then by testing information in the now-authenticated certificate header, such as the certificate common name or certificate type (client or server).
This security model has a number of desirable features from the VPN perspective:
- The server only needs its own certificate/key — it doesn’t need to know the individual certificates of every client which might possibly connect to it.
- The server will only accept clients whose certificates were signed by the master CA certificate (which we will generate below). And because the server can perform this signature verification without needing access to the CA private key itself, it is possible for the CA key (the most sensitive key in the entire PKI) to reside on a completely different machine, even one without a network connection.
- If a private key is compromised, it can be disabled by adding its certificate to a CRL (certificate revocation list). The CRL allows compromised certificates to be selectively rejected without requiring that the entire PKI be rebuilt.
- The server can enforce client-specific access rights based on embedded certificate fields, such as the Common Name.
Note that the server and client clocks need to be roughly in sync or certificates might not work properly.
Generate the master Certificate Authority (CA) certificate & key
In this section we will generate a master CA certificate/key, a server certificate/key, and certificates/keys for 3 separate clients.
For PKI management, we will use easy-rsa 2, a set of scripts which is bundled with OpenVPN 2.2.x and earlier. If you’re using OpenVPN 2.3.x, you may need to download easy-rsa 2 separately from the easy-rsa-old project page. An easy-rsa 2 package is also available for Debian and Ubuntu in the OpenVPN software repos. On *NIX platforms you should look into using easy-rsa 3 instead; refer to its own documentation for details.
If you are using Linux, BSD, or a unix-like OS, open a shell and cd to the easy-rsa subdirectory. If you installed OpenVPN from an RPM or DEB file, the easy-rsa directory can usually be found in /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn (it’s best to copy this directory to another location such as /etc/openvpn, before any edits, so that future OpenVPN package upgrades won’t overwrite your modifications). If you installed from a .tar.gz file, the easy-rsa directory will be in the top level directory of the expanded source tree.
If you are using Windows, open up a Command Prompt window and cd to \Program Files\OpenVPN\easy-rsa. Run the following batch file to copy configuration files into place (this will overwrite any preexisting vars.bat and openssl.cnf files):
Now edit the vars file (called vars.bat on Windows) and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don’t leave any of these parameters blank.
Next, initialize the PKI. On Linux/BSD/Unix:
On Windows:
The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:
Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars.bat files. The only parameter which must be explicitly entered is the Common Name. In the example above, I used “OpenVPN-CA”.

Generate certificate & key for server
Next, we will generate a certificate and private key for the server. On Linux/BSD/Unix:
On Windows:
As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter “server”. Two other queries require positive responses, “Sign the certificate? [y/n]” and “1 out of 1 certificate requests certified, commit? [y/n]”.

Generate certificates & keys for 3 clients
Generating client certificates is very similar to the previous step. On Linux/BSD/Unix:
On Windows:
If you would like to password-protect your client keys, substitute the build-key-pass script. For each client, make sure to type the appropriate Common Name when prompted, i.e. “client1”, “client2”, or “client3”. Always use a unique common name for each client.

Generate Diffie Hellman parameters
Diffie Hellman parameters must be generated for the OpenVPN server. On Linux/BSD/Unix:
On Windows:
Output:
Key Files
Now we will find our newly-generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files:
The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files over a secure channel. Now wait, you may say. Shouldn’t it be possible to set up the PKI without a pre-existing secure channel? The answer is ostensibly yes. In the example above, for the sake of brevity, we generated all private keys in the same place. With a bit more effort, we could have done this differently. For example, instead of generating the client certificate and keys on the server, we could have had the client generate its own private key locally, and then submit a Certificate Signing Request (CSR) to the key-signing machine. In turn, the key-signing machine could have processed the CSR and returned a signed certificate to the client. This could have been done without ever requiring that a secret .key file leave the hard drive of the machine on which it was generated.
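The CSR workflow just described, together with the two server-side checks from the Overview (CA signature first, then the Common Name of the verified certificate), as an added example that is not from the OpenVPN HOWTO or easy-rsa. It assumes the openssl CLI is in PATH and uses constructed names; OpenVPN itself performs the equivalent checks internally against ca.crt.

```shell
#!/bin/sh
# Added example, not from the OpenVPN HOWTO or easy-rsa: the CSR enrollment
# described above done with plain openssl (assumed to be in PATH), so a client
# key never leaves the client, plus the two checks a server performs.
set -eu
WORK=$(mktemp -d)   # scratch dir; all file names below are assumptions

# CA machine: the only place the CA private key ever exists.
make_ca() {         # $1 = output basename, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Client machine: private key generated locally; only the CSR is sent out.
make_csr() {        # $1 = common name, $2 = output basename
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
}

# CA machine: sign the CSR and return only the certificate.
sign_csr() {        # $1 = CSR basename, $2 = CA basename, $3 = cert basename
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
    -CAkey "$WORK/$2.key" -CAcreateserial -days 365 \
    -out "$WORK/$3.crt" 2>/dev/null
}

# OpenVPN server side: it holds ca.crt only. Verify the signature chain first,
# then trust the subject fields (here the CN) of the verified certificate.
verify_client() {   # $1 = cert basename, $2 = expected CN; prints a verdict
  if ! openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo "REJECT: not signed by our CA"; return 1
  fi
  cn=$(openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  if [ "$cn" != "$2" ]; then
    echo "REJECT: CN '$cn' is not '$2'"; return 1
  fi
  echo "OK: $cn"
}

make_ca ca OpenVPN-CA             # our PKI root
make_csr client1 client1          # client1 enrolls by CSR
sign_csr client1 ca client1

# Constructed for the demo: an unrelated CA issues a look-alike cert with the
# same CN. The signature check alone must reject it; the CN is never reached.
make_ca rogue Rogue-CA
make_csr client1 impostor
sign_csr impostor rogue impostor

verify_client client1 client1     # OK: client1
verify_client impostor client1 || true   # REJECT: not signed by our CA
```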
Set up VPN Server
With the VPN Server package, you can easily turn your Synology NAS into a VPN server to allow DSM users to remotely and securely access resources shared within the local area network of your Synology NAS. By integrating common VPN protocols - PPTP, OpenVPN and L2TP/IPSec - VPN Server provides options to establish and manage VPN services tailored to your individual needs. To choose any of the following types of VPN server and to enable VPN services on your Synology NAS, install and launch VPN Server.
Note:
- Enabling VPN service affects the network performance of the system.
- Only DSM users belonging to the administrators group can install and set up VPN Server.
PPTP
PPTP (Point-to-Point Tunneling Protocol) is a commonly used VPN solution supported by most clients (including Windows, Mac, Linux, and mobile devices). For more information about PPTP, refer to here.
To enable PPTP VPN server:
- Open VPN Server and then go to Settings > PPTP on the left panel.
- Tick Enable PPTP VPN server.
- Specify a virtual IP address of VPN server in the Dynamic IP address fields. Refer to About Dynamic IP Address below for more information.
- Set Maximum connection number to limit the number of concurrent VPN connections.
- Set Maximum number of connections with same account to limit the number of concurrent VPN connections with the same account.
- Choose either of the following from the Authentication drop-down menu to authenticate VPN clients:
  - PAP: VPN clients' passwords will not be encrypted during authentication.
  - MS-CHAP v2: VPN clients' passwords will be encrypted during authentication using Microsoft CHAP version 2.
- If you selected MS-CHAP v2 for authentication above, choose any of the following from the Encryption drop-down menu to encrypt the VPN connection:
  - No MPPE: VPN connection will not be protected with the Microsoft Point-to-Point Encryption (MPPE) mechanism.
  - Optional MPPE: If the client enables the MPPE mechanism, the VPN connection will be protected with MPPE. Otherwise, the VPN connection will not be protected.
  - Require MPPE: VPN connection will be protected with the MPPE mechanism.
- Set MTU (Maximum Transmission Unit) to limit data packet size transmitted via the VPN.
- Tick Use manual DNS and specify the IP address of a DNS server to push DNS to PPTP clients. If this option is disabled, the DNS server used by the Synology NAS will be pushed to clients.
- Click Apply for the changes to take effect.
Note:
- When connecting to the VPN, the authentication and encryption settings of VPN clients must be identical to the settings specified on VPN Server, or else clients will not be able to connect successfully.
- To be compatible with most PPTP clients running Windows, Mac OS, iOS and Android operating systems, the default MTU is set to 1400. For more complicated network environments, a smaller MTU might be required. Try to reduce the MTU size if you keep receiving timeout errors or experience unstable connections.
- Please check the port forwarding and firewall settings on your Synology NAS and router to make sure the TCP port 1723 is open.
- A PPTP VPN service is built in on some routers, so port 1723 might already be occupied. To ensure VPN Server works properly, you might need to disable the built-in PPTP VPN service through the router's management interface so that the PPTP service of VPN Server can work. In addition, some old routers block the GRE protocol (IP protocol 47), which will result in VPN connection failure. It is recommended to use a router that supports VPN pass-through connections.
OpenVPN
OpenVPN is an open source solution for implementing VPN service. It protects the VPN connection with the SSL/TLS encryption mechanism. For more information about OpenVPN, visit here.
To enable OpenVPN VPN server:
- Open VPN Server and then go to Settings > OpenVPN on the left panel.
- Tick Enable OpenVPN server.
- Specify a virtual internal IP address of VPN server in the Dynamic IP address fields. Refer to About Dynamic IP Address below for more information.
- Set Maximum connection number to limit the number of concurrent VPN connections.
- Set Maximum number of connections with same account to limit the number of concurrent VPN connections with the same account.
- Tick Enable compression on the VPN link if you want to compress data during transfer. This option can increase transmission speed, but might consume more system resources.
- Tick Allow clients to access server's LAN to permit clients to access the server's LAN.
- Tick Enable IPv6 server mode to enable OpenVPN server to send IPv6 addresses. You will first need to get a prefix via 6in4/6to4/DHCP-PD in Control Panel > Network > Network Interface. Then select the prefix in this page.
- Click Apply for the changes to take effect.
Note:
- VPN Server does not support bridge mode for site-to-site connections.
- Please check the port forwarding and firewall settings on your Synology NAS and router to make sure the UDP port 1194 is open.
- When running OpenVPN GUI on Windows Vista or Windows 7, please note that UAC (User Account Control) is enabled by default. If enabled, you need to use the Run as administrator option to properly connect with OpenVPN GUI.
- When enabling IPv6 server mode in Windows with OpenVPN GUI, please note the following:
  - The interface name used by the VPN cannot have a space, e.g., LAN 1 needs to be changed to LAN1.
  - The option redirect-gateway has to be set in the openvpn.ovpn file at the client side. If you do not want to set this option, you should set the DNS of the VPN interface manually. You may use Google IPv6 DNS: 2001:4860:4860::8888.
- When Allow clients to access server's LAN is not ticked, VPN clients will still be able to access your server's LAN in the following situations:
  - VPN server is set as the default gateway at the client side.
  - Related routing rules are added manually at the client side.
To export configuration file:
Click Export Configuration. OpenVPN allows VPN server to issue an authentication certificate to the clients. The exported file is a zip file that contains ca.crt (certificate file for VPN server), openvpn.ovpn (configuration file for the client), and README.txt (simple instruction on how to set up OpenVPN connection for the client). For more information, refer to here.
Note:
- Each time VPN Server runs, it will automatically copy and use the certificate shown at Control Panel > Security > Certificate. If you need to use a third-party certificate, please import the certificate at Control Panel > Security > Certificate > Action and restart VPN Server.
- VPN Server will automatically restart each time the certificate file shown at Control Panel > Security > Certificate is modified.
L2TP/IPSec
L2TP (Layer 2 Tunneling Protocol) over IPSec provides virtual private networks with increased security and is supported by most clients (such as Windows, Mac, Linux, and mobile devices). For more information about L2TP, refer to here.
Note:
- To use L2TP/IPSec, make sure your Synology NAS is running DSM 4.3 or later.
To enable L2TP/IPSec VPN server:
- Open VPN Server and then go to Settings > L2TP/IPSec on the left panel.
- Tick Enable L2TP/IPSec VPN server.
- Specify a virtual IP address of VPN server in the Dynamic IP address fields. Refer to About Dynamic IP Address below for more information.
- Set Maximum connection number to limit the number of concurrent VPN connections.
- Set Maximum number of connections with same account to limit the number of concurrent VPN connections with the same account.
- Choose either of the following from the Authentication drop-down menu to authenticate VPN clients:
  - PAP: VPN clients' passwords will not be encrypted during authentication.
  - MS-CHAP v2: VPN clients' passwords will be encrypted during authentication using Microsoft CHAP version 2.
- Set MTU (Maximum Transmission Unit) to limit data packet size transmitted via the VPN.
- Tick Use manual DNS and specify the IP address of a DNS server to push DNS to L2TP/IPSec clients. If this option is disabled, the DNS server used by the Synology NAS will be pushed to clients.
- Enter and confirm a pre-shared key. This secret key should be given to your L2TP/IPSec VPN user to authenticate the connection.
- Click Apply for the changes to take effect.
Note:
- When connecting to the VPN, the authentication and encryption settings of VPN clients must be identical to the settings specified on VPN Server, or else clients will not be able to connect successfully.
- To be compatible with most L2TP/IPSec clients running Windows, Mac OS, iOS, and Android operating systems, the default MTU is set to 1400. For more complicated network environments, a smaller MTU might be required. Try to reduce the MTU size if you keep receiving timeout errors or experience unstable connections.
- Please check the port forwarding and firewall settings on your Synology NAS and router to make sure the UDP ports 1701, 500, and 4500 are open.
- An L2TP or IPSec VPN service is built in on some routers, so port 1701, 500 or 4500 might already be occupied. To ensure VPN Server works properly, you might need to disable the built-in L2TP or IPSec VPN service through the router's management interface so that the L2TP/IPSec service of VPN Server can work. It is recommended to use a router that supports VPN pass-through connections.
About Dynamic IP Address
Depending on the number you entered in Dynamic IP address, VPN Server will choose from a range of virtual IP addresses while assigning IP addresses to VPN clients. For example, if the dynamic IP address of VPN server is set as '10.0.0.0', a VPN client's virtual IP address could range from '10.0.0.1' to '10.0.0.[maximum connection number]' for PPTP, and from '10.0.0.2' to '10.0.0.255' for OpenVPN.
Important: Before specifying the dynamic IP address of VPN server, please note:
- Dynamic IP addresses allowed for VPN server should be any of the following:
  - From '10.0.0.0' to '10.255.255.0'
  - From '172.16.0.0' to '172.31.255.0'
  - From '192.168.0.0' to '192.168.255.0'
- The specified dynamic IP address of VPN server and the assigned virtual IP addresses for VPN clients should not conflict with any IP addresses currently used within your local area network.
About Client's Gateway Setting for VPN Connection
Before connecting to the local area network of Synology NAS via VPN, the clients might need to change their gateway setting for VPN connection. Otherwise, they might not be able to connect to the Internet when VPN connection is established. For detailed information, refer to here.