AirVPN on Synology

[sundi 8]

Hi,

 

I have configured my synology NAS to connect to AirVPN. I have setup a script which checks for the VPN tunnel presence every 5 minutes. If VPN tunnel is not present the script will terminate the current stale session and recreate a new VPN connection. My router is configured to allow outgoing traffic from my NAS on VPN port 443 (UDP) only. Which means without VPN connection no port 443 will be opened and no outgoing/incoming traffic from/to my NAS. This setup was working fine till now.

 

Recently I have started facing a weird issue. If for some reason the VPN is disconnected the script tries to reconnect but it fails to add route, though later it says "Initialization Sequence Completed" in the log file. After several tries it connects properly. I do not know the reason for multiple failures in connection. I am attaching my log file for more clarity.

 

Also, once it connects properly it shows the following routing table.

 

Kernel IP routing table
Destination         Gateway        Genmask              Flags Metric Ref  Use  Iface
0.0.0.0                10.4.0.1         128.0.0.0              UG     0        0     0      tun0
0.0.0.0                192.168.0.1   0.0.0.0                  UG     0        0     0      eth0
10.1.2.3              192.168.0.1   255.255.255.255  UGH   0        0     0      eth0
10.4.0.0              0.0.0.0           255.255.0.0          U        0        0     0      tun0
128.0.0.0            10.4.0.1         128.0.0.0              UG     0        0     0      tun0
172.17.0.0          0.0.0.0           255.255.0.0          U        0        0     0      docker0
192.168.0.0        0.0.0.0           255.255.255.0      U        0        0     0      eth0
195.154.194.18  192.168.0.1   255.255.255.255  UGH   0        0     0      eth0

 

I want to know if this is the correct routing table or am I leaking some thing. I just want my NAS to send/receive all traffic through VPN only. An explanation of this routing table will also be very helpful as it has multiple gateways so I am not clear on this.

 

I would really appreciate if you all can help me.

 

VPN_Log.txt

[sundi 8]

Anyone??

[sundi 8]

I request anybody who can help me on this to help me as I am little bit worried to use VPN because of the possible leakage issue.

[go558a83nk 362]

have you opened a ticket with support since it seems nobody can help you here?

[zhang888 1066]

This is a correct configuration and routing table, but note that if the VPN will be disconnected you will have a "leak",

unless you don't apply iptables rules that prevent traffic on eth0 when the VPN is off.

 

See this thread for details:

https://airvpn.org/topic/9139-prevent-leaks-with-linux-iptables/

[sundi 8]

have you opened a ticket with support since it seems nobody can help you here?

 

Hi go558a83nk,

 

Thanks for your reply. I actually opened a ticket with support, but was informed that Synology is not supported and I should check in forums. Hence I posted here.

[sundi 8]

This is a correct configuration and routing table, but note that if the VPN will be disconnected you will have a "leak",

unless you don't apply iptables rules that prevent traffic on eth0 when the VPN is off.

 

See this thread for details:

https://airvpn.org/topic/9139-prevent-leaks-with-linux-iptables/

 

Hi zhang888,

 

Thanks a lot for your reply. It is a relief to know that this configuration and routing table is correct. I do need to understand it clearly though because of multiple gateway entries in the routing table.

Regarding the leak, as I mentioned in my original post I have configured my router Netgear R7000 (on xvortex) to allow connections from my Synology to outside world only on UDP port 443 (AirVPN Port). If there is not VPN connection, that port wont be open and hence no outgoing/incoming connections from/to Synology.

I would really appreciate if you can let me know if this router firewall/iptables config is correct or do you see any issue in the router configuration?

 

I have already used tracker torrents on Synology which shows my AirVPN IP address only. So, I assume no real IP is leaked to the outside world. But again I could be completely incorrect.

Is there some other way on how to check leaks on Synology?

[zhang888 1066]

A more complete solution would be setting the firewall on your router to allow connections on 443/udp only to the Air server

you are connecting to, using your Synology. Otherwise all traffic to 443/udp will be potentially allowed.

[sundi 8]

A more complete solution would be setting the firewall on your router to allow connections on 443/udp only to the Air server

you are connecting to, using your Synology. Otherwise all traffic to 443/udp will be potentially allowed.

 

Hi zhang888,

 

I completely agree & understand your point but how to implement it on the router when I connect to random AirVPN servers?

Do you suggest if I should create multiple entries in the router for all the AirVPN servers?

 

Also, I have attached my client config file, if you can take a look and suggest me if any changes are required in it.

Client_Config.txt

[zhang888 1066]

Your client config is fine.

I made a list for you with all the current entry IPs of Air servers.

 

The list was generated using the following steps, in case you wish to do

it by yourself in a later stage:

 

dig a earth.all.vpn.airdns.org > dig.txt

awk -F "\t" '{print $4}' dig.txt > air.txt

 

What you have to do next is adding them on your router's iptables, you can

use something like this:

 

for IP in $(cat air.txt); do iptables -A INPUT -s $IP/32 -d 0/0 -j ACCEPT; done

for IP in $(cat air.txt); do iptables -A OUTPUT -s $IP/32 -d 0/0 -j ACCEPT; done

 

This should read all the list from the file air.txt and add them to your iptables rules.

[sundi 8]

Your client config is fine.

I made a list for you with all the current entry IPs of Air servers.

 

The list was generated using the following steps, in case you wish to do

it by yourself in a later stage:

 

dig a earth.all.vpn.airdns.org > dig.txt

awk -F "\t" '{print $4}' dig.txt > air.txt

 

What you have to do next is adding them on your router's iptables, you can

use something like this:

 

for IP in $(cat air.txt); do iptables -A INPUT -s $IP/32 -d 0/0 -j ACCEPT; done

for IP in $(cat air.txt); do iptables -A OUTPUT -s $IP/32 -d 0/0 -j ACCEPT; done

 

This should read all the list from the file air.txt and add them to your iptables rules.

 

Hi zang888,

 

Thanks a ton for this. I am really grateful to you.

I will add these IP addresses in the router's IP tables access list.

 

I have few more questions and would be thankful to you if you can share your thoughts on them:

Why my VPN connection fails some time and gives "SIOCADDRT: Network is unreachable" as mentioned in my original post in the attached VPN_Log.txt file. Though after multiple retries it connects successfully? Why it fails and then connects after multiple retires with the same configuration. How can this be fixed?

 

During unsuccessful connection it does show as connected on the AirVPN site as well as Synology but routing table entries on Synology are not complete (few entries are missing because of above mentioned errors) during this connection. What will be the result during this incorrect connection? Will it leak my IP address to the outside world? What can possibly go wrong if I try to download something (using torrents, etc.) during this incorrect connection (when it shows connection is there and port is opened on the router but routing table is not complete on Synology)?

 

Waiting for your valuable advice.

Soon I will prepare a complete document on my setup so that other Synology users can also benefit from it.

[zhang888 1066]

I am not sure how the OpenVPN client on Synology behaves, and what is the Kernel/TCP network stack used there,

but in the majority of Linux distributions, which Synology is based on (probably Vanilla kernel with own patches),

the SIOCADDRT errors usually happen when the OS cannot find the routes for a command issued by the user.

In other words, if you have some routing conflict, your router has not assigned Synology the proper IP, or faulty

iptables rules, you might get SIOCADDRT errors.

This error has nothing to do with the VPN connection, since it usually means that your gateway is not ready.

You might want to check the connectivity between your router and your Synology first.

 

I cannot really reproduce it since I don't own such device, and they don't offer virtual images of it, so the suggestions

provided are only based on generic Linux issues. Hopefully they will apply to your case as well.

 

Since Synology is a closed source device and the OpenVPN support on it is not well documented, you should better

set the rules for it on your Linux router (Netgear) which has more predictable behavior.

This is why, when you apply the above mentioned "Network Lock" rules on your router, controlling traffic originating from

your Synology, you should not be worried about any potential leaks. Assuming you configured everything on the router,

any leak that could happen due to poor documentation and support from Synology's side would be prevented by the router.

[sundi 8]

Hi zhang888,

 

Thanks a lot for your input.

I agree that router's firewall should prevent all the issues which Synology can cause because of it's closed system and unclear documentation.

 

Synology has been assigned a static IP address (with DHCP reservation in the router) and this error can randomly occur any time if VPN connection drops or I try to reconnect for any reason. This error can occur sometime twice/thrice or sometimes not even once during reconnection (completely random with no pattern). During that time (when VPN connection drops and this error is thrown) Synology is completely and normally accessible from LAN without any issues. I have never seen any IP assignment / network related issue in Synology and router.

 

Could it be possible that it has something to do with DNS servers as I am using opennic DNS servers in my Synology?

 

My router only allows filter table either based on Black list or White list. I dont think it will be possible to add all AirVPN servers in the white list as enabling white list means only allow devices and ports in the white list. Creating a white list will be too difficult as I have so many devices in my network and adding entries for them with each allowed ports is not possible.

 

On the other hand black list means block access to the devices and ports in the black list.

I have attached a screenshot of my router to show current config of black list table. Here 192.168.0.100 is my Synology and black list table blocks everything on any destination from source (Synology) except TCP port 22 & UDP port 443.

 

I know it means allow UDP port 443 on ANY destination (not only restricted to AirVPN servers). But given all the options I have, do you think it is fine?

TCP port 22 is for SSH access to Synology from outside.

[zhang888 1066]

What I don't understand is why you don't use an open firmware on your router (OpenWRT/DD-WRT)

and make this process much more easy.

[sundi 8]

What I don't understand is why you don't use an open firmware on your router (OpenWRT/DD-WRT)

and make this process much more easy.

Hi zhang888,

 

The current router firmware is a Asus-Merlin fork by xvortex and it is stable and working wonderfully (performance wise as well as features wise).

I have been using it from last 2 years and it never gave me any chance of any complaints.

 

Do you think changing the router's firmware to openWRT/DD-wrt is absolutely required in order to fix this issue?

If there is no fix or workaround to fix this issue then I will try the other firmware.

Please suggest.

[zhang888 1066]

As far as I know the Merlin firmware should provide a raw access to the iptables management.

This is why you should have an easy way to configure the steps I mentioned above, without the GUI.

 

Please update on how this is going on, the easiest way to achieve the setup you are possibly looking forward

would be using SSH, and adding the above mentioned addresses in your iptables whitelist.

[sundi 8]

As far as I know the Merlin firmware should provide a raw access to the iptables management.

This is why you should have an easy way to configure the steps I mentioned above, without the GUI.

 

Please update on how this is going on, the easiest way to achieve the setup you are possibly looking forward

would be using SSH, and adding the above mentioned addresses in your iptables whitelist.

Hi zhang888,

 

I do have ssh access to the router. Actually I did add two entries for the first IP address in the air.txt file, then executed iptables-save and then nvram commit on the router. Though iptables --list was showing those two entries, but it was not showing those two entries anywhere in the GUI so I was not sure if they will survive the reboot of the router or not. Also was not sure what to do with current black list for UDP port 443.

 

Also the entry:

for IP in $(cat air.txt); do iptables -A OUTPUT -s $IP/32 -d 0/0 -j ACCEPT; done

Doesn’t this mean allow any outgoing connections from AirVPN server to any destination?

 

shouldn’t it be

for IP in $(cat air.txt); do iptables -A OUTPUT -s <Synology IP>/32 -d $IP/32 -j ACCEPT; done

Aren’t we allowing outgoing connection only from Synology to AirVPN servers.

[zhang888 1066]

Running the command:

iptables -L -n

 

should be your best way to know.

 

I don't know anything about surviving reboots on Merlin, but as a generic Linux fork

it should be easy to understand how to add these commands to your /etc/rc.local,

or doing some workarounds like:

 

iptables-save > /etc/iptables.conf

 

And adding a line like:

 

pre-up iptables-restore < /etc/iptables.conf

 

in your

/etc/network/interfaces

 

might be the best option.

 

 

But again, I never had Merlin, so your mileage may vary.
 

[sundi 8]

Hi zhang888,

 

Thanks for your valuable suggestions. I will implement them

 

Also the entry:

for IP in $(cat air.txt); do iptables -A OUTPUT -s $IP/32 -d 0/0 -j ACCEPT; done

Doesn’t this mean allow any outgoing connections from AirVPN server to any destination?

 

shouldn’t it be

for IP in $(cat air.txt); do iptables -A OUTPUT -s <Synology IP>/32 -d $IP/32 -j ACCEPT; done

Aren’t we allowing outgoing connection only from Synology to AirVPN servers?

[zhang888 1066]

You should allow both incoming and outgoing connections to the Air VPN servers

Unless you wish to send/receive traffic in only one direction, which will result in a very unusual experience

[sundi 8]

You should allow both incoming and outgoing connections to the Air VPN servers

Unless you wish to send/receive traffic in only one direction, which will result in a very unusual experience

 

hi zhang888,

 

Sorry for asking this again and please forgive me for my ignorance.

 

For example commands for a single AirVPN server like:

iptables -A INPUT -s 150.129.41.193/32 -d 0/0 -j ACCEPT

Means allow incoming from source (AirVPN server) to any destination. It allows incoming connections from AirVPN server. This one looks fine to me.

iptables -A OUTPUT -s 150.129.41.193/32 -d 0/0 -j ACCEPT

Means allow outgoing from source (AirVPN server) to any destination. How can an AirVPN server be a SOURCE for OUTGOING from my router?

 

shouldn’t it be

iptables -A OUTPUT -s <Synology IP>/32 -d 150.129.41.193/32 -j ACCEPT

 

Also, I don’t understand how these two entries will stop outgoing connection to any destination from my Synology except for AirVPN servers as these entries are only allowing and not rejecting anything from Synology.

[zhang888 1066]

These entries are only about allowing certain traffic thru your firewall.

The assumption is that you have a general "cleanup" rule at the end, which will

block all traffic that does not match the above rules.

In iptables, the rules are parsed in hierarchical level, from top to bottom, so you have

to first append (-A) the rules you want to allow, then to prepent, or Insert (-I) the rules

you want to add that are not matching anything above.

 

So you should basically have something like:

iptables -I INPUT -s IP -j DROP

iptables -I OUTPUT -s IP -j DROP

 

in the bottom of your router rules, where "IP" is the address of your Synology device.

 

Since the above (-A) rules will match some packets, like the outgoing Air servers,

they will be allowed, while other packets, like leaks, will not match any of the above

and then be dropped by the final -I rules.

[sundi 8]

These entries are only about allowing certain traffic thru your firewall.

The assumption is that you have a general "cleanup" rule at the end, which will

block all traffic that does not match the above rules.

In iptables, the rules are parsed in hierarchical level, from top to bottom, so you have

to first append (-A) the rules you want to allow, then to prepent, or Insert (-I) the rules

you want to add that are not matching anything above.

 

So you should basically have something like:

iptables -I INPUT -s IP -j DROP

iptables -I OUTPUT -s IP -j DROP

 

in the bottom of your router rules, where "IP" is the address of your Synology device.

 

Since the above (-A) rules will match some packets, like the outgoing Air servers,

they will be allowed, while other packets, like leaks, will not match any of the above

and then be dropped by the final -I rules.

 

Hi zang888,

 

Thanks a lot for clarifying my doubts. I will apply these rules and will see how it goes.

Thanks a lot. Really appreciate your help.

 

Also, I assume you have gone through my query:

iptables -A OUTPUT -s 150.129.41.193/32 -d 0/0 -j ACCEPT

Means allow outgoing from source (AirVPN server) to any destination. How can an AirVPN server be a SOURCE for OUTGOING from my router?

[zhang888 1066]

Also, I assume you have gone through my query:

iptables -A OUTPUT -s 150.129.41.193/32 -d 0/0 -j ACCEPT

Means allow outgoing from source (AirVPN server) to any destination. How can an AirVPN server be a SOURCE for OUTGOING from my router?

 

This was an obvious typo from my side, ofcourse it should be -d and not -s.

I copied the first line to the second to make an example and overlooked this completely.

Good that you were actually reading the rules and making corrections!

[sundi 8]

 

Also, I assume you have gone through my query:

iptables -A OUTPUT -s 150.129.41.193/32 -d 0/0 -j ACCEPT

Means allow outgoing from source (AirVPN server) to any destination. How can an AirVPN server be a SOURCE for OUTGOING from my router?

 

This was an obvious typo from my side, ofcourse it should be -d and not -s.

I copied the first line to the second to make an example and overlooked this completely.

Good that you were actually reading the rules and making corrections!

 

Hi zhang888,

 

Thanks a lot for helping me out.

I am really very grateful to you for this.

 

Soon, I will prepare a document for the setup like me so that others can benefit.