trok79200foe

How to setup Synology to use VPN with SSL (stunnel)?


Trying to set up my diskstation to use SSL with AirVPN as it seems like my ISP is heavily throttling VPN traffic. I successfully got VPN working by following these directions: https://airvpn.org/topic/2487-how-to-configure-a-synology-device/

 

I then tried to set up SSL by following these directions: https://airvpn.org/ssl/

Installed stunnel and generated the certificate but ran into the following error when trying to start stunnel:

 

> stunnel /volume1/files/AirVPN/AirVPN_443_SSL/AirVPN__SSL-443.ssl
: RAND_status claims sufficient entropy for the PRNG
2015.12.26 18:22:19 LOG7[]: PRNG seeded successfully
2015.12.26 18:22:19 LOG7[]: Configuration SSL options: 0x01000000
2015.12.26 18:22:19 LOG7[]: SSL options set: 0x01000004
2015.12.26 18:22:19 LOG3[]: Error loading verify certificates from stunnel.crt
2015.12.26 18:22:19 LOG3[]: error stack: B084002 : error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
2015.12.26 18:22:19 LOG3[]: error stack: 2006D080 : error:2006D080:BIO routines:BIO_new_file:no such file
2015.12.26 18:22:19 LOG3[]: SSL_CTX_load_verify_locations: 2001002: error:02001002:system library:fopen:No such file or directory

 

To be honest I don't really know what is needed here or how to get SSL working. I googled around and found this link: http://nas.deadcode.net/2015/05/20/avoid-deep-packet-inspection-for-openvpn-with-stunnel/ although I'm not sure if I need to follow all the steps outlined in his post?

 

Any ideas? Has anyone been able to get this working? 

 

Thx


OK, so it turns out I wasn't running the command from the same dir, so it couldn't find the stunnel.crt file.

 

Still having issues running both commands, however. Running the first command seems fine, but when I run the second one (openvpn) it seems like the two are causing issues with each other.

 

Should I be disabling the VPN connection in the Synology interface I set up using the link above, or do stunnel & openvpn run on top of the VPN connection?

 

Logs

Ran the first command:

 

> stunnel AirVPN_US-_SSL-443.ssl
2015.12.28 06:18:39 LOG5[9553:4147721920]: stunnel 4.26 on i686-pc-linux-gnu with OpenSSL 0.9.8v 19 Apr 2012
2015.12.28 06:18:39 LOG5[9553:4147721920]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2015.12.28 06:18:39 LOG6[9553:4147721920]: file ulimit = 1024 (can be changed with 'ulimit -n')
2015.12.28 06:18:39 LOG6[9553:4147721920]: poll() used - no FD_SETSIZE limit for file descriptors
2015.12.28 06:18:39 LOG5[9553:4147721920]: 500 clients allowed
 
then ran the second:
> openvpn AirVPN_US-_SSL-443.ovpn
Mon Dec 28 06:20:52 2015 OpenVPN 2.3.6 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Nov 11 2015
Mon Dec 28 06:20:52 2015 library versions: OpenSSL 1.0.1p-fips 9 Jul 2015, LZO 2.08
Mon Dec 28 06:20:52 2015 Control Channel Authentication: tls-auth using INLINE static key file
Mon Dec 28 06:20:52 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 28 06:20:52 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 28 06:20:52 2015 Socket Buffers: R=[87380->131072] S=[16384->131072]
Mon Dec 28 06:20:52 2015 Attempting to establish TCP connection with [AF_INET]127.0.0.1:1413 [nonblock]
Mon Dec 28 06:20:52 2015 TCP connection established with [AF_INET]127.0.0.1:1413
Mon Dec 28 06:20:52 2015 TCPv4_CLIENT link local: [undef]
Mon Dec 28 06:20:52 2015 TCPv4_CLIENT link remote: [AF_INET]127.0.0.1:1413
Mon Dec 28 06:20:53 2015 Connection reset, restarting [-1]
Mon Dec 28 06:20:53 2015 SIGUSR1[soft,connection-reset] received, process restarting
Mon Dec 28 06:20:53 2015 Restart pause, 5 second(s)
Mon Dec 28 06:20:58 2015 Socket Buffers: R=[87380->131072] S=[16384->131072]
Mon Dec 28 06:20:58 2015 Attempting to establish TCP connection with [AF_INET]127.0.0.1:1413 [nonblock]
Mon Dec 28 06:20:58 2015 TCP connection established with [AF_INET]127.0.0.1:1413
Mon Dec 28 06:20:58 2015 TCPv4_CLIENT link local: [undef]
Mon Dec 28 06:20:58 2015 TCPv4_CLIENT link remote: [AF_INET]127.0.0.1:1413
Mon Dec 28 06:20:58 2015 Connection reset, restarting [-1]
Mon Dec 28 06:20:58 2015 SIGUSR1[soft,connection-reset] received, process restarting
Mon Dec 28 06:20:58 2015 Restart pause, 5 second(s)
Mon Dec 28 06:21:03 2015 Socket Buffers: R=[87380->131072] S=[16384->131072]
Mon Dec 28 06:21:03 2015 Attempting to establish TCP connection with [AF_INET]127.0.0.1:1413 [nonblock]
Mon Dec 28 06:21:03 2015 TCP connection established with [AF_INET]127.0.0.1:1413
Mon Dec 28 06:21:03 2015 TCPv4_CLIENT link local: [undef]
Mon Dec 28 06:21:03 2015 TCPv4_CLIENT link remote: [AF_INET]127.0.0.1:1413
Mon Dec 28 06:21:03 2015 Connection reset, restarting [-1]
Mon Dec 28 06:21:03 2015 SIGUSR1[soft,connection-reset] received, process restarting
Mon Dec 28 06:21:03 2015 Restart pause, 5 second(s)
 
 
First command output after starting openvpn:
2015.12.28 06:20:52 LOG5[9553:4147719024]: openvpn accepted connection from 127.0.0.1:33465
2015.12.28 06:20:53 LOG5[9553:4147719024]: openvpn connected remote server from 10.8.0.76:52159
2015.12.28 06:20:53 LOG3[9553:4147719024]: SSL_connect: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
2015.12.28 06:20:53 LOG5[9553:4147719024]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2015.12.28 06:20:58 LOG5[9553:4147719024]: openvpn accepted connection from 127.0.0.1:33468
2015.12.28 06:20:58 LOG5[9553:4147719024]: openvpn connected remote server from 10.8.0.76:52162
2015.12.28 06:20:58 LOG3[9553:4147719024]: SSL_connect: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
2015.12.28 06:20:58 LOG5[9553:4147719024]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2015.12.28 06:21:03 LOG5[9553:4147719024]: openvpn accepted connection from 127.0.0.1:33471
2015.12.28 06:21:03 LOG5[9553:4147719024]: openvpn connected remote server from 10.8.0.76:52165
2015.12.28 06:21:03 LOG3[9553:4147719024]: SSL_connect: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
2015.12.28 06:21:03 LOG5[9553:4147719024]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2015.12.28 06:21:08 LOG5[9553:4147719024]: openvpn accepted connection from 127.0.0.1:33475
2015.12.28 06:21:08 LOG5[9553:4147719024]: openvpn connected remote server from 10.8.0.76:52169
2015.12.28 06:21:08 LOG3[9553:4147719024]: SSL_connect: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
2015.12.28 06:21:08 LOG5[9553:4147719024]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2015.12.28 06:21:12 LOG5[9553:4147719024]: openvpn accepted connection from 127.0.0.1:33480
2015.12.28 06:21:12 LOG5[9553:4147719024]: openvpn connected remote server from 10.8.0.76:52174
2015.12.28 06:21:12 LOG3[9553:4147719024]: SSL_connect: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
2015.12.28 06:21:12 LOG5[9553:4147719024]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2015.12.28 06:21:17 LOG5[9553:4147719024]: openvpn accepted connection from 127.0.0.1:33486
2015.12.28 06:21:17 LOG5[9553:4147719024]: openvpn connected remote server from 10.8.0.76:52180
2015.12.28 06:21:17 LOG3[9553:4147719024]: SSL_connect: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
2015.12.28 06:21:17 LOG5[9553:4147719024]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
^C2015.12.28 06:21:26 LOG3[9553:4147721920]: Received signal 2; terminating


I had issues with my Synology NAS and VPN too. Then I started to enable VPN on my router instead of on every device. If that's a solution you can think of, go for it.


Thx for the response. I actually started off with using the VPN client of my router; however, my ISP heavily throttles VPN traffic, which is why I am trying to add SSL, which dramatically improves my speeds.

 

Problem is a) my router is much slower than my Synology diskstation and it seems even more difficult to set up VPN with SSL on my router, although if I can't get this going I will give that a try.


Did you get this to work? Going through the same process as you and not sure how to proceed.


Hello all,

 

You need sslVersion = all in your config file.

 

(16:17:03)-(root)-(108)-> cat AirVPN_NL-Alblasserdam_Zibal_SSL-443.ssl
# --------------------------------------------------------
# Air VPN | https://airvpn.org | Monday 18th of January 2016 11:09:50 AM
# STunnel Client Configuration
# AirVPN_NL-Alblasserdam_Zibal_SSL-443
# --------------------------------------------------------

options = NO_SSLv2
sslVersion = all

client = yes
debug = 7
output = /var/log/stunnel.log

[openvpn]
accept = 127.0.0.1:1413
connect = 213.152.161.150:443
TIMEOUTclose = 0
verify = 3
CAfile = stunnel.crt

Then you will get this output:

 

2016.01.18 16:03:19 LOG7[11903:4147873472]: PRNG seeded successfully
2016.01.18 16:03:19 LOG7[11903:4147873472]: Configuration SSL options: 0x01000000
2016.01.18 16:03:19 LOG7[11903:4147873472]: SSL options set: 0x01000004
2016.01.18 16:03:19 LOG7[11903:4147873472]: Loaded verify certificates from stunnel.crt
2016.01.18 16:03:19 LOG7[11903:4147873472]: Loaded stunnel.crt revocation lookup file
2016.01.18 16:03:19 LOG7[11903:4147873472]: SSL context initialized for service openvpn
2016.01.18 16:03:19 LOG5[11903:4147873472]: stunnel 4.26 on i686-pc-linux-gnu with OpenSSL 0.9.8v 19 Apr 2012
2016.01.18 16:03:19 LOG5[11903:4147873472]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2016.01.18 16:03:19 LOG6[11903:4147873472]: file ulimit = 1024 (can be changed with 'ulimit -n')
2016.01.18 16:03:19 LOG6[11903:4147873472]: poll() used - no FD_SETSIZE limit for file descriptors
2016.01.18 16:03:19 LOG5[11903:4147873472]: 500 clients allowed
2016.01.18 16:03:19 LOG7[11903:4147873472]: FD 10 in non-blocking mode
2016.01.18 16:03:19 LOG7[11903:4147873472]: FD 11 in non-blocking mode
2016.01.18 16:03:19 LOG7[11903:4147873472]: FD 12 in non-blocking mode
2016.01.18 16:03:19 LOG7[11903:4147873472]: SO_REUSEADDR option set on accept socket
2016.01.18 16:03:19 LOG7[11903:4147873472]: openvpn bound to 127.0.0.1:1413
2016.01.18 16:03:19 LOG7[11909:4147873472]: Created pid file /opt/var/run/stunnel/stunnel.pid
2016.01.18 16:03:57 LOG7[11909:4147873472]: openvpn accepted FD=13 from 127.0.0.1:45809
2016.01.18 16:03:57 LOG7[11909:4147870576]: openvpn started
2016.01.18 16:03:57 LOG7[11909:4147870576]: FD 13 in non-blocking mode
2016.01.18 16:03:57 LOG7[11909:4147870576]: Waiting for a libwrap process
2016.01.18 16:03:57 LOG7[11909:4147870576]: Acquired libwrap process #0
2016.01.18 16:03:57 LOG7[11909:4147870576]: Releasing libwrap process #0
2016.01.18 16:03:57 LOG7[11909:4147870576]: Released libwrap process #0
2016.01.18 16:03:57 LOG7[11909:4147870576]: openvpn permitted by libwrap from 127.0.0.1:45809
2016.01.18 16:03:57 LOG5[11909:4147870576]: openvpn accepted connection from 127.0.0.1:45809
2016.01.18 16:03:57 LOG7[11909:4147870576]: FD 14 in non-blocking mode
2016.01.18 16:03:57 LOG7[11909:4147870576]: openvpn connecting 213.152.161.150:443
2016.01.18 16:03:57 LOG7[11909:4147870576]: connect_wait: waiting 10 seconds
2016.01.18 16:03:57 LOG7[11909:4147870576]: connect_wait: connected
2016.01.18 16:03:57 LOG5[11909:4147870576]: openvpn connected remote server from 192.168.2.6:33572
2016.01.18 16:03:57 LOG7[11909:4147870576]: Remote FD=14 initialized
2016.01.18 16:03:57 LOG7[11909:4147870576]: SSL state (connect): before/connect initialization
2016.01.18 16:03:57 LOG7[11909:4147870576]: SSL state (connect): SSLv2/v3 write client hello A
2016.01.18 16:03:57 LOG7[11909:4147870576]: SSL state (connect): SSLv3 read server hello A
2016.01.18 16:03:57 LOG5[11909:4147870576]: CRL: verification passed
2016.01.18 16:03:57 LOG5[11909:4147870576]: VERIFY OK: depth=0, /C=IT/ST=Italy/L=Perugia/O=AirVPN/OU=stunnel/CN=stunnel.airvpn.org/emailAddress=info@airvpn.org
2016.01.18 16:03:57 LOG7[11909:4147870576]: SSL state (connect): SSLv3 read server certificate A
2016.01.18 16:03:57 LOG7[11909:4147870576]: SSL state (connect): SSLv3 read server key exchange A
2016.01.18 16:03:57 LOG7[11909:4147870576]: SSL state (connect): SSLv3 read server done A
2016.01.18 16:03:57 LOG7[11909:4147870576]: SSL state (connect): SSLv3 write client key exchange A
2016.01.18 16:03:57 LOG7[11909:4147870576]: SSL state (connect): SSLv3 write change cipher spec A
2016.01.18 16:03:57 LOG7[11909:4147870576]: SSL state (connect): SSLv3 write finished A
2016.01.18 16:03:57 LOG7[11909:4147870576]: SSL state (connect): SSLv3 flush data
2016.01.18 16:03:57 LOG7[11909:4147870576]: SSL state (connect): SSLv3 read server session ticket A
2016.01.18 16:03:57 LOG7[11909:4147870576]: SSL state (connect): SSLv3 read finished A
2016.01.18 16:03:57 LOG7[11909:4147870576]:    1 items in the session cache
2016.01.18 16:03:57 LOG7[11909:4147870576]:    1 client connects (SSL_connect())
2016.01.18 16:03:57 LOG7[11909:4147870576]:    1 client connects that finished
2016.01.18 16:03:57 LOG7[11909:4147870576]:    0 client renegotiations requested
2016.01.18 16:03:57 LOG7[11909:4147870576]:    0 server connects (SSL_accept())
2016.01.18 16:03:57 LOG7[11909:4147870576]:    0 server connects that finished
2016.01.18 16:03:57 LOG7[11909:4147870576]:    0 server renegotiations requested
2016.01.18 16:03:57 LOG7[11909:4147870576]:    0 session cache hits
2016.01.18 16:03:57 LOG7[11909:4147870576]:    0 session cache misses
2016.01.18 16:03:57 LOG7[11909:4147870576]:    0 session cache timeouts
2016.01.18 16:03:57 LOG6[11909:4147870576]: SSL connected: new session negotiated
2016.01.18 16:03:57 LOG6[11909:4147870576]: Negotiated ciphers: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1

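The two things that went wrong in this thread (a CAfile path that is only found when stunnel is started from the config's directory, and a config without sslVersion) are both visible in the .ssl file before stunnel is ever run. The following is an added example, not code from the thread or from AirVPN: a small Python checker that parses stunnel's config syntax, flags those two pitfalls plus a verify level below 2, and runs itself against a constructed copy of the posted config (file name, the placeholder stunnel.crt and the message wording are assumptions).

```python
import tempfile
from pathlib import Path

# Constructed sample: the thread's stunnel client config without the sslVersion line the answer adds.
SAMPLE_CONFIG = """\
client = yes
[openvpn]
accept = 127.0.0.1:1413
connect = 213.152.161.150:443
verify = 3
CAfile = stunnel.crt
"""

def parse_stunnel_config(text):
    """Parse stunnel's INI-like syntax: global options first, then [service] sections."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections.setdefault(current, {})[key] = value
    return sections

def check_stunnel_config(path):
    """Return a list of problems for the config at `path` (empty list = nothing flagged)."""
    cfg = parse_stunnel_config(Path(path).read_text())
    g, problems = cfg[""], []
    if "sslVersion" not in g:
        problems.append("sslVersion missing (the thread's handshake failure went away with sslVersion = all)")
    for name, svc in ((n, s) for n, s in cfg.items() if n):
        if int(svc.get("verify", g.get("verify", 0))) < 2:
            problems.append(f"[{name}] verify < 2: the server certificate is not enforced")
        cafile = svc.get("CAfile", g.get("CAfile", ""))
        if cafile and not Path(cafile).is_absolute():
            # stunnel opens a relative CAfile from its working directory, the cause of the first post's error
            if not (Path(path).resolve().parent / cafile).exists():
                problems.append(f"[{name}] CAfile '{cafile}' not found next to the config")
            problems.append(f"[{name}] CAfile '{cafile}' is relative: start stunnel in the config's directory or use an absolute path")
    return problems

def demo():
    """Check the sample as posted, then with sslVersion = all added and stunnel.crt in place."""
    cfg = Path(tempfile.mkdtemp()) / "AirVPN_SSL-443.ssl"
    cfg.write_text(SAMPLE_CONFIG)
    before = check_stunnel_config(cfg)
    (cfg.parent / "stunnel.crt").write_text("constructed placeholder, not a real certificate\n")
    cfg.write_text("sslVersion = all\n" + SAMPLE_CONFIG)
    return before, check_stunnel_config(cfg)
```

Running `demo()` returns three findings for the config as posted and only the "is relative" reminder once sslVersion and the CA file are in place.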
