p123456 Posted ... (edited)

OK, the router route mentioned above worked, so I get connected. But open ports are still closed (checked with yougetsignal). Anyone got an idea to make open ports work?

rtorrent.rc contains:
network.port_range.set = 44xx3-44xx4
network.port_random.set = no
ip = 79.xxx.xx.xxx

Shall try the gluetun container if I get time for it.
TToD Posted ...

I'm running DSM 7.2.1, and with the recent OpenVPN certificate expiry issue I thought I would take the opportunity to reload my full VPN config with one generated for OpenVPN 2.5. (I was running a config for < 2.4 installed on DSM 6 before I upgraded.) So I deleted my existing VPN config so I could create a new one. Big mistake.

I chose a server of Europe. The config generator gave me:
remote europe3.vpn.airdns.org 443

But this didn't work; I had to change it to:
remote europe.vpn.airdns.org 443

The config generator no longer provided a ta.key file, but provided tls-crypt.key instead. I used this in place of the ta.key file in the instructions. But I kept getting a connection failure on the Synology. Reviewing the different .ovpn files showed:

New from config generator:
tls-crypt "tls-crypt.key"
auth SHA512

Old:
tls-auth "ta.key" 1

So I reverted these two lines to the single old one. But I still kept getting a connection failure on the Synology. Finally, I still had a ta.key file from an old run of the config generator, so I used that instead of the tls-crypt.key file. And lo, my Synology was now connecting correctly.

My concern is: having changed those two lines to tls-auth "ta.key" 1 and using the old ta.key file, does this have a negative effect on my security? Would anyone care to wade in on whether there is a negative impact, or if I could have done anything better?

Thank you
Staff Posted ...

@TToD Hello!

To clarify, be aware that europe.vpn.airdns.org will resolve into entry-IP address 1 of some VPN server in Europe. Entry-IP address 1 accepts only TLS Auth. You must have europe3.vpn.airdns.org for TLS Crypt with tls-crypt.key, and europe.vpn.airdns.org for TLS Auth and ta.key.

TLS Crypt completely encrypts the whole OpenVPN Control Channel and is therefore superior in its ability to bypass specific blocks against OpenVPN where TLS Auth may fail.

Kind regards
TToD Posted ...

21 minutes ago, Staff said:
@TToD Hello! To clarify, be aware that europe.vpn.airdns.org will resolve into entry-IP address 1 of some VPN server in Europe. Entry-IP address 1 accepts only TLS Auth. You must have europe3.vpn.airdns.org for TLS Crypt with tls-crypt.key, and europe.vpn.airdns.org for TLS Auth and ta.key. TLS Crypt completely encrypts the whole OpenVPN Control Channel and is therefore superior in its ability to bypass specific blocks against OpenVPN where TLS Auth may fail. Kind regards

Thank you for that. Yet when configuring with tls-crypt.key and using remote europe3.vpn.airdns.org 443 (basically just using everything supplied by the config generator unchanged), my Synology kept getting connection failure messages.

So, while TLS Crypt provides better security than TLS Auth, have the changes I made compromised the security I previously had (given that previously it was also TLS Auth)? From what you said, I would prefer to run TLS Crypt if I could get it to work on my Synology.
Staff Posted ...

@TToD Hello!

Please feel free to open a ticket and the support team will examine the problem and suggest a possible solution. Make sure to include the OpenVPN log showing the connection attempt failure.

On the client side TLS Crypt improves ability to circumvent blocks because in the first phase of the TLS negotiation the "client hello" and the "server hello" are already encrypted by the pre-shared TLS key, therefore the OpenVPN initialization remains hidden from the ISP. All the other steps are the same. You have no urgent reason to switch to TLS Crypt since your ISP does not block OpenVPN.

Kind regards
bbqsquirrel Posted ... (edited)

Having the same problem as the user above. I have had AirVPN set up on my Synology for multiple years and it has been working flawlessly. 5 days ago it stopped working and I cannot get it to reconnect no matter what I do. I've followed all the instructions here to the T and also still have my previous VPN configs that were working fine for years, and now it is not connecting. What happened?

EDIT: OKAY I FIGURED IT OUT. Follow the original guide but pay close attention to which protocol you're picking in the config generator. The top options are now UDP 443; look at the Specs column, it says "tls-crypt, tls1.2". This will NOT work. Scroll down a bit, halfway through the list of available options (you will have to enable the "advanced" toggle at the very top of the page). Scroll down so you see UDP 443 (or whatever else you prefer); there will be repeated ports and protocols, but the Specs column now says "tls-auth, for 2.3". That's the one you want. This will give you the ta.key that you need to import.
Mikeyy Posted ...

Finally upgraded to DSM 7.2.1, so I edited the first post with your comments. Adapted it to the new AirVPN config generator look. Also added a last part if you want to have a faster connection to AirVPN.
kjbxcrzb Posted ...

Hi All,

Regarding the kill-switch mentioned in the instructions, it says that it must be implemented on the router, not the NAS. I have also seen various statements elsewhere that a kill-switch is in general not reliable. Can someone explain this to me? I would have thought that either a static route could be created on the NAS which would prevent outward traffic on the LAN to non-local addresses, or some firewall rules could be created. Why are these approaches not possible?

Thanks!
Mikeyy Posted ...

The script in the first post just implements firewall rules which block ALL communication from your internal IP (NAS) to the Internet, except on UDP port 443. Those rules are ALWAYS active, not just when the VPN tunnel fails. The NAS can still reach the Internet, but just on the allowed port and protocol. As mentioned, you could make it even more secure by using just one fixed AirVPN server, and allowing an Internet connection to just that server on the selected port and protocol.
kjbxcrzb Posted ...

On 5/10/2024 at 3:00 PM, Mikeyy said:
The script in the first post just implements firewall rules which block ALL communication from your internal IP (NAS) to the Internet, except on UDP port 443. Those rules are ALWAYS active, not just when the VPN tunnel fails. The NAS can still reach the Internet, but just on the allowed port and protocol. As mentioned, you could make it even more secure by using just one fixed AirVPN server, and allowing an Internet connection to just that server on the selected port and protocol.

Do you mean section 4 (Prevent leaks when VPN connection on Synology fails)? But that section says it's specifically for the router level. I'd like to create routing rules on the Synology NAS. Is that not possible?
Mikeyy Posted ...

1 hour ago, kjbxcrzb said:
Do you mean section 4 (Prevent leaks when VPN connection on Synology fails)? But that section says it's specifically for the router level. I'd like to create routing rules on the Synology NAS. Is that not possible?

Yes, it's in the router setup. I don't know how to make an OpenVPN kill switch on the NAS.
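Rules of the kind Mikeyy describes above (router-side, always active, NAS allowed out only on UDP 443, optionally to one fixed server) look like the following. This is an added example and not the script from the first post; it assumes a Linux router that uses iptables, a NAS with a fixed LAN address, and the constructed addresses 192.168.1.50, 192.168.1.0/24 and 198.51.100.7 as stand-ins for the NAS, the LAN and the chosen AirVPN server. By default it only prints the commands; APPLY=1 executes them.

```shell
#!/bin/sh
# nas_killswitch.sh: router-side, always-on egress restriction for a NAS.
# Added example, not the script from the first post. Assumes a Linux router
# running iptables (assumption) and a NAS that reaches AirVPN on UDP 443,
# the port used throughout this thread.
#
# Usage: sh nas_killswitch.sh NAS_IP LAN_CIDR [VPN_SERVER_IP]          prints the rules
#        APPLY=1 sh nas_killswitch.sh NAS_IP LAN_CIDR [VPN_SERVER_IP]  also runs them

emit() {   # print one command; execute it only when APPLY=1
    printf '%s\n' "$1"
    [ "${APPLY:-0}" = 1 ] && sh -c "$1"
    return 0
}

# Build the rules for one NAS. With a server address only that server on
# UDP 443 is reachable; without one, UDP 443 to anywhere (the weaker form
# Mikeyy mentions as the default).
kill_switch_rules() {
    nas=$1; lan=$2; server=${3:-}
    dst=""; [ -n "$server" ] && dst=" -d $server"
    # Dedicated chain, so the rules can be refreshed without touching the rest of FORWARD.
    emit "iptables -N NAS_EGRESS 2>/dev/null || iptables -F NAS_EGRESS"
    # LAN-to-LAN traffic (file shares, DSM web UI, a LAN resolver) is not affected.
    emit "iptables -A NAS_EGRESS -d $lan -j ACCEPT"
    # The tunnel itself: the only path from the NAS to the Internet.
    emit "iptables -A NAS_EGRESS -p udp$dst --dport 443 -j ACCEPT"
    # Everything else is logged (rate limited), then dropped, whether or not the tunnel is up.
    emit "iptables -A NAS_EGRESS -m limit --limit 5/min -j LOG --log-prefix 'NAS-EGRESS-DROP '"
    emit "iptables -A NAS_EGRESS -j DROP"
    # Send forwarded packets from the NAS through the chain; -C makes the insert idempotent.
    emit "iptables -C FORWARD -s $nas -j NAS_EGRESS 2>/dev/null || iptables -I FORWARD 1 -s $nas -j NAS_EGRESS"
}

if [ $# -ge 2 ]; then
    kill_switch_rules "$@"
else
    # Constructed example addresses; replace with your own.
    kill_switch_rules 192.168.1.50 192.168.1.0/24 198.51.100.7
fi
```

Two things to check after applying: the NAS must resolve the AirVPN hostname through a resolver on the LAN (usually the router), because DNS to the Internet is among the traffic these rules drop; and the LOG line gives you a kernel-log trail of exactly what the NAS tried to reach outside the tunnel, which is the quickest way to confirm the switch is doing its job.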
rhorho Posted ...

Hi,

The VPN connection on my Synology stopped working. I tried to create a new VPN profile using this guide. However, after entering the files/keys and specifying the advanced setting, when I press Apply I get an error message stating that the .ovpn file contains invalid parameters... Any help or suggestions would be greatly appreciated!

I'm using a Synology running DSM 6.2.4-25556 Update 7. My .ovpn file looks like this:

# --------------------------------------------------------
# Air VPN | https://airvpn.org | Saturday 1st of June 2024 01:01:06 PM
# OpenVPN Client Configuration
# AirVPN_Europe_UDP-443
# --------------------------------------------------------
client
dev tun
remote europe.vpn.airdns.org 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
verb 3
explicit-exit-notify 5
push-peer-info
setenv UV_IPV6 yes
ca ca.crt
cert user.crt
key user.key
remote-cert-tls server
comp-lzo no
data-ciphers AES-128-GCM
data-ciphers-fallback AES-256-CBC
proto udp
tls-auth "ta.key" 1
Staff Posted ...

1 hour ago, rhorho said:
I'm using a Synology running DSM 6.2.4-25556 Update 7.

Hello!

Probably this old version runs OpenVPN 2.4, which does not support some directives implemented in OpenVPN 2.5 and later versions (for example "data-ciphers"). DSM 6.2 reached End of Life about a year ago. You may either upgrade to DSM 7 or tell the Configuration Generator to generate a configuration file for OpenVPN 2.4:

- on the CG page turn on the "Advanced" switch
- set the "OpenVPN profile" combo box to "2.4"
- generate, download and import as usual

Kind regards
rhorho Posted ...

On 6/1/2024 at 4:47 PM, Staff said:
… set the "OpenVPN profile" combo box to "2.4"; generate, download and import as usual. Kind regards

Re-reading the original guide, the comment to use v2.4 for older DSMs was already there, so I should have read it more carefully. Anyway, I generated the files again and it now works, so many thanks!
Mikeyy Posted ...

If this is true ( https://community.synology.com/enu/forum/1/post/160585 ) then 6.2.4 is running OpenVPN 2.3.
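The failures in this thread come down to three mismatches between a generated profile and the box it is imported on: a 2.5-only directive (data-ciphers) on an older OpenVPN, a TLS Crypt key pointed at the entry-IP 1 name (or the reverse, per the Staff reply to TToD), and a tls-auth line referencing a ta.key that is no longer in the bundle. The script below, added here as an example and not part of AirVPN's or Synology's tooling, checks a profile for those before you import it. It assumes the key file sits next to the .ovpn (inline <tls-crypt> blocks are accepted and skipped), that tls-crypt needs OpenVPN 2.4+ and data-ciphers 2.5+, and, beyond what the page states for europe/europe3, that every region name ending in "3" is a TLS Crypt entry; the profiles it runs against with no arguments are constructed, modelled on the ones quoted above.

```shell
#!/bin/sh
# check_ovpn.sh: sanity checks for an AirVPN-style .ovpn profile before it is
# imported on a Synology. Added example, not AirVPN's or Synology's tooling.
# Usage: sh check_ovpn.sh PROFILE OPENVPN_VERSION   (version like 2.3, 2.4, 2.5)
# With no arguments it runs against a few constructed profiles (see make_samples).

has_directive() {   # $1 profile, $2 directive name or regex; matches "name ..." and "<name>"
    grep -Eq "^[[:space:]]*<?$2([[:space:]>]|\$)" "$1"
}
directive_arg() {   # first argument of the first "name arg" line, quotes stripped
    awk -v d="$2" '$1 == d { gsub(/"/, "", $2); print $2; exit }' "$1"
}

check_ovpn() {   # prints each finding; returns 0 when the profile passes
    profile=$1; version=$2; rc=0
    dir=$(dirname "$profile")
    vnum=$(( ${version%%.*} * 100 + ${version#*.} ))   # 2.4 -> 204

    # data-ciphers / data-ciphers-fallback only exist since OpenVPN 2.5 (the
    # directive Staff names above as the reason a 2.5 profile fails on DSM 6).
    if [ "$vnum" -lt 205 ] && has_directive "$profile" 'data-ciphers(-fallback)?'; then
        echo "FAIL: data-ciphers* needs OpenVPN 2.5+, target is $version"; rc=1
    fi
    # tls-crypt was introduced in OpenVPN 2.4.
    if [ "$vnum" -lt 204 ] && has_directive "$profile" tls-crypt; then
        echo "FAIL: tls-crypt needs OpenVPN 2.4+, target is $version"; rc=1
    fi

    auth=0; crypt=0
    has_directive "$profile" tls-auth  && auth=1
    has_directive "$profile" tls-crypt && crypt=1
    if [ $auth -eq 1 ] && [ $crypt -eq 1 ]; then
        echo "FAIL: tls-auth and tls-crypt are mutually exclusive; keep one"; rc=1
    elif [ $auth -eq 0 ] && [ $crypt -eq 0 ]; then
        echo "FAIL: neither tls-auth nor tls-crypt present"; rc=1
    fi

    # Entry name vs. key type, from the Staff reply above: europe.vpn.airdns.org
    # is entry-IP 1 (TLS Auth only), europe3.vpn.airdns.org is TLS Crypt.
    # Treating every "<region>3" name as TLS Crypt is an assumption of this script.
    host=$(directive_arg "$profile" remote)
    case $host in
        *3.vpn.airdns.org) want=tls-crypt ;;
        *.vpn.airdns.org)  want=tls-auth ;;
        *)                 want="" ;;
    esac
    if [ "$want" = tls-crypt ] && [ $crypt -eq 0 ]; then
        echo "FAIL: $host is a TLS Crypt entry; profile has no tls-crypt"; rc=1
    elif [ "$want" = tls-auth ] && [ $auth -eq 0 ]; then
        echo "FAIL: $host is a TLS Auth entry; profile has no tls-auth"; rc=1
    fi

    # The key file named by tls-auth/tls-crypt must sit next to the profile
    # (TToD's first attempt named a ta.key that was no longer in the bundle).
    # Inline <tls-auth>/<tls-crypt> blocks carry no file name and are skipped.
    for tls in tls-auth tls-crypt; do
        key=$(directive_arg "$profile" $tls)
        [ -n "$key" ] || continue
        [ -f "$dir/$key" ] || { echo "FAIL: $tls references $key, not found in $dir"; rc=1; }
    done
    return $rc
}

write_profile() {   # $1 path, $2 remote host, further args appended one per line
    path=$1; host=$2; shift 2
    { printf 'client\ndev tun\nremote %s 443\nproto udp\n' "$host"; printf '%s\n' "$@"; } > "$path"
}
make_samples() {   # constructed profiles modelled on the ones quoted in this thread; prints the dir
    d=$(mktemp -d); mkdir "$d/edited"
    # CG default for OpenVPN 2.5: TLS Crypt on the entry-IP 3 name, key present
    write_profile "$d/cg_crypt.ovpn" europe3.vpn.airdns.org 'data-ciphers AES-128-GCM' \
        'data-ciphers-fallback AES-256-CBC' 'tls-crypt "tls-crypt.key"' 'auth SHA512'
    : > "$d/tls-crypt.key"
    # TToD's first edit: lines switched to tls-auth, but no ta.key alongside
    write_profile "$d/edited/edited_auth.ovpn" europe.vpn.airdns.org 'data-ciphers AES-128-GCM' 'tls-auth "ta.key" 1'
    # TLS Crypt key pointed at the entry-IP 1 name
    write_profile "$d/mismatch.ovpn" europe.vpn.airdns.org 'tls-crypt "tls-crypt.key"'
    # CG "OpenVPN 2.4" profile as Staff suggests for older DSM: no data-ciphers
    write_profile "$d/cg_24.ovpn" europe.vpn.airdns.org 'cipher AES-256-CBC' 'tls-auth "ta.key" 1'
    : > "$d/ta.key"
    printf '%s\n' "$d"
}

if [ $# -ge 2 ]; then
    check_ovpn "$1" "$2"
else
    d=$(make_samples)
    for p in "$d/cg_crypt.ovpn" "$d/edited/edited_auth.ovpn" "$d/mismatch.ovpn" "$d/cg_24.ovpn"; do
        for v in 2.3 2.5; do
            printf '== %s against OpenVPN %s\n' "${p##*/}" "$v"
            check_ovpn "$p" "$v" && echo OK
        done
    done
    rm -rf "$d"
fi
```

Run it against the unpacked Configuration Generator bundle with the OpenVPN version your DSM actually ships (2.3 per Mikeyy's link for 6.2.4, 2.5 on 7.2.1) before importing; a clean run does not prove the tunnel will come up, but each FAIL it prints corresponds to one of the dead ends above and saves a round of "invalid parameters" or silent connection failures.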