Skip to content

Instantly share code, notes, and snippets.

@dcava
Created January 17, 2017 12:36
Show Gist options
  • Save dcava/400848953426aa0235fe4735928e13b9 to your computer and use it in GitHub Desktop.
Save dcava/400848953426aa0235fe4735928e13b9 to your computer and use it in GitHub Desktop.
Setup OpenVPN on Synology DSM6
Personal reminder guide on how to more securely setup OpenVPN on Synology DSM 6.2+ (Jan 2017)
Issues fixed:
1. Default OpenVPN is secured with auth-use-pass only
2. no HMAC
3. no client certificate
4. no DH
Problems:
1. I'm not sure this will survive an update to the VPN server (not sure if the openvpn.conf is overwritten) or if the keys/certs are messed with
2. From what I can tell, the synology setup requires auth-use-pass even if you use a cert/key setup
Steps:
1. Generate a CA
2. server cert + key + DH
3. client cert + key
4. ta.key (static VPN key for HMAC)
{do this with easy-rsa on a client machine - just easy than stuffing around on syno although I suppose could all be done with openssl. Using the gui to generate a new CA/self-signed cert is ok, but then you have to create client certs and it is a pain}
5. Generate a combined .ovpn file including keys for ease of distribution
(I used https://gist.github.com/trovao/18e428b5a758df24455b with a few changes)
6. Edit server openvpn configuration
7. edit client .ovpn file
Acknowledgement:
https://kingtut666.wordpress.com/2015/11/24/improving-openvpn-security-on-synology-nas/ has good info on where to find the syno openVPN config files and how to create ta.key (but doesn't do client certs)
The important two paths are:
/var/packages/VPNCenter/target/etc/openvpn/ is where synology will copy the keys if you setup certificates via the syno gui and has the templates for user ovpns
/usr/syno/etc/packages/VPNCenter/openvpn is the main configuration directory. It also has a "keys" directory. I have a suspicion one of these is going to get overwritten on package update - will see.
https://renatocunha.com/blog/2014/12/openvpn-android/ is a good openvpn setup guide with android specific parts and the nice script from before
https://www.sparklabs.com/support/kb/article/creating-certificates-and-keys-for-your-openvpn-server/ has some info on using the recent version of easy-rsa
Short version:
1,2,3 - Use the sparkle tutorial
4 - 'openvpn --genkey --secret ta.key'
5 - https://gist.github.com/trovao/18e428b5a758df24455b
6: set these correctly - i put all the server keys in /var/packages/VPNCenter/target/etc/openvpn/keys but could go anywhere (and maybe better to go to /usr/local somewhere to avoid overwrite)
ca /var/packages/VPNCenter/target/etc/openvpn/keys/ca.crt # Path to the Certificate Authority's public certificate
cert /var/packages/VPNCenter/target/etc/openvpn/keys/example.com.crt           # This **server's** certificate
key /var/packages/VPNCenter/target/etc/openvpn/keys/example.com.key           # This **server's** private key
dh /var/packages/VPNCenter/target/etc/openvpn/keys/dh2048.pem # The Diffie-Hellman key-exchange parameters
tls-auth keys/ta.key 0 # Shared secret, server mode
you can adjust other parameters if desired
7 - I found i had to add back auth-user-pass even though I don't have it requested in the server setup?? Must be a config file I am missing on the syno somwhere or maybe the radius plugin is causing probs?
@dcava
Copy link
Author

dcava commented Jan 17, 2017

Also,

enable log-append /var/log/openvpn.log

to see issues

@dcava
Copy link
Author

dcava commented Jul 1, 2018

#To start/stop
/var/packages/VPNCenter/scripts/./start-stop-status start
/var/packages/VPNCenter/scripts/./start-stop-status stop

#or perhaps this:
synoservice --restart pkgctl-VPNCenter

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment