p123456 0 Posted ... (edited) OK The router route as mentioned above worked so i get connected. But open ports is stil closed. (checked with yougetsignal) Any one get a idea to make open ports work? rtorrent.rc contains: network.port_range.set = 44xx3-44xx4 network.port_random.set = no ip = 79.xxx.xx.xxx Shall try glutene container if i get time for it. Edited ... by p123456 Quote Share this post Link to post
TToD 1 Posted ... I'm running DSM 7.2.1 and with the recent OpenVPN Certificate expiry issue I thought I would take the opportunity to reload my full VPN config with one generated for OpenVPN 2.5. (I was running a config for < 2.4 installed on DSM 6 before I upgraded) So I deleted my existing VPN config so I could create a new one - Big Mistake. I chose a server of Europe. The config generator gave me - remote europe3.vpn.airdns.org 443 But this didn't work, I had to change it to - remote europe.vpn.airdns.org 443 The config generator no longer provided a ta.key file, but provided tls-crypt.key instead. I used this in place of the ta.key file in the instructions. But I kept getting a connection failure on the Synology. Reviewing the different .opvm files showed: New from config generator tls-crypt "tls-crypt.key" auth SHA512 Old tls-auth "ta.key" 1 So I reverted these two lines to the single old one. But I still kept getting a connection failure on the Synology. Finally, I still had a ta.key file from an old run of the config generator, so I used that instead of the tls-crypt.key file. And lo, my Synology was now connecting correctly. My concern is, having changed those two lines to tls-auth "ta.key" 1 and using the old ta.key file, does this have a negative effect on my security. Would anyone care to wade in on whether there is a negative impact, or if I coulkd have done anything better. Thank you Quote Share this post Link to post
Staff 10014 Posted ... @TToD Hello! To clarify, be aware that europe.vpn.airdns.org will resolve into entry-IP address 1 of some VPN server in Europe. Entry-IP address 1 accepts only TLS Auth. You must have europe3.vpn.airdns.org for TLS Crypt with tls-crypt.key, and europe.vpn.airdns.org for TLS Auth and ta.key. TLS Crypt encrypts completely the whole OpenVPN Control Channel and therefore it is superior in its ability to bypass specific blocks against OpenVPN when TLS Auth may fail. Kind regards Quote Share this post Link to post
TToD 1 Posted ... 21 minutes ago, Staff said: @TToD Hello! To clarify, be aware that europe.vpn.airdns.org will resolve into entry-IP address 1 of some VPN server in Europe. Entry-IP address 1 accepts only TLS Auth. You must have europe3.vpn.airdns.org for TLS Crypt with tls-crypt.key, and europe.vpn.airdns.org for TLS Auth and ta.key. TLS Crypt encrypts completely the whole OpenVPN Control Channel and therefore it is superior in its ability to bypass specific blocks against OpenVPN when TLS Auth may fail. Kind regards Thank you for that. Yet when configuring with tls-crypt.key and using remote europe3.vpn.airdns.org 443 (basically just using everything supplied by the config generator unchanged) my synology kept getting connection failure messages. So, while TLS Crypt provides better security than TLS Auth, have the changes I made compromised the security I previously had (given that previously it was also TLS Auth)? From what you said, I would prefer to run TLS Crypt if I could get it to work on my Synology. Quote Share this post Link to post
Staff 10014 Posted ... @TToD Hello! Please feel free to open a ticket and the support team will examine the problem and suggest a possible solution. Make sure to include the OpenVPN log showing the connection attempt failure. On the client side TLS Crypt improves ability to circumvent blocks because in the first phase of the TLS negotiation the "client hello" and the "server hello" are already encrypted by the pre-shared TLS key, therefore the OpenVPN initialization remains hidden from the ISP. All the other steps are the same. You have no urgent reason to switch to TLS Crypt since your ISP does not block OpenVPN. Kind regards Quote Share this post Link to post
bbqsquirrel 1 Posted ... (edited) Having same problem as the user above. I have had AirVPN setup on my Synology for multiple years and it has been working flawlessly. 5 days ago it stopped working and I cannot get it to reconnect no matter what I do. I've followed all the instructions here to the T and also still have my previous VPN configs that were workig fine for years and now it is not connecting. What happened? EDIT: OKAY I FIGURED IT OUT. Follow the original guide but pay close attention to which protocol you're picking in the config generator. The top options are now UDP 443, look at the Specs column, it says " tls-crypt, tls1.2". This will NOT work. Scroll down a bit half way through the list of available options (You will have to enable the "advanced" toggle at the very top of the page). Scroll down so you see UDP 443 (or whatever else you prefer), there will be repeated ports and protcols but the specs column now says " tls-auth, for 2.3 " . That's the one you want. This will give you the ta.key that you need to import. Edited ... by bbqsquirrel 1 c69c7kfrv48fuJ8Re44C reacted to this Quote Share this post Link to post
Mikeyy 49 Posted ... Finally upgraded to DSM 7.2.1 so I edited first post with your comments. Adapted it to new AirVPN config generator look. Also added last part if you want to have faster connection to AirVPN. 2 c69c7kfrv48fuJ8Re44C and Staff reacted to this Quote Share this post Link to post
kjbxcrzb 3 Posted ... Hi All, Regarding the kill-switch mentioned in the instructions, it says that it must be implemented on the router, not the NAS. I have also seen various statements elsewhere that a kill-switch is in general not reliable. Can someone explain this to me? I would have thought that either a static route could be created on the NAS which would prevent outward traffic on the LAN to none local addresses, or some firewall rules could be created. Why are these approaches not possible? Thanks! Quote Share this post Link to post
Mikeyy 49 Posted ... Script in first post just implements firewall rules which block ALL communication from your internal IP (NAS) to Internet, except on UDP port 443. Those rules are ALWAYS active, not just when VPN tunnel fails. NAS can still reach Internet, but just on allowed port and protocol. As mentioned, you could make it even more secure by just using one fixed AirVPN server, and allowing internet connection to just that server on selected port and protocol. Quote Share this post Link to post
kjbxcrzb 3 Posted ... On 5/10/2024 at 3:00 PM, Mikeyy said: Script in first post just implements firewall rules which block ALL communication from your internal IP (NAS) to Internet, except on UDP port 443. Those rules are ALWAYS active, not just when VPN tunnel fails. NAS can still reach Internet, but just on allowed port and protocol. As mentioned, you could make it even more secure by just using one fixed AirVPN server, and allowing internet connection to just that server on selected port and protocol. Do you mean section 4 (Prevent leaks when VPN connection on Synology fails)? But that section says it's specifically for the router level. I'd like to create routing rules on the Synology NAS. Is that not possible? Quote Share this post Link to post
Mikeyy 49 Posted ... 1 hour ago, kjbxcrzb said: Do you mean section 4 (Prevent leaks when VPN connection on Synology fails)? But that section says it's specifically for the router level. I'd like to create routing rules on the Synology NAS. Is that not possible? Yes, it's on router setup. I don't know how to make openvpn kill switch on nas. Quote Share this post Link to post
rhorho 0 Posted ... Hi, The VPN connection on my Synology stopped working. I tried to create a new VPN profile using this guide. However after entering the files/keys and specifying the advanced setting, when I press Apply I get an error message stating that the .ovpn files contains invalid parameters... Any help or suggestions would be greately appreciated! I'm using a Synology running DSM 6.2.4-25556 Update 7. My .ovpn file looks like this: # -------------------------------------------------------- # Air VPN | https://airvpn.org | Saturday 1st of June 2024 01:01:06 PM # OpenVPN Client Configuration # AirVPN_Europe_UDP-443 # -------------------------------------------------------- client dev tun remote europe.vpn.airdns.org 443 resolv-retry infinite nobind persist-key persist-tun auth-nocache verb 3 explicit-exit-notify 5 push-peer-info setenv UV_IPV6 yes ca ca.crt cert user.crt key user.key remote-cert-tls server comp-lzo no data-ciphers AES-128-GCM data-ciphers-fallback AES-256-CBC proto udp tls-auth "ta.key" 1 Quote Share this post Link to post
Staff 10014 Posted ... 1 hour ago, rhorho said: I'm using a Synology running DSM 6.2.4-25556 Update 7. Hello! Probably this old version runs OpenVPN 2.4 which does not support some directives implemented in OpenVPN 2.5 and later versions (for example "data-ciphers"). DSM 6.2 reached the End of Life about a year ago. You may either upgrade to DSM 7 or tell the Configuration Generator to generate a configuration file for OpenVPN 2.4: on the CG page turn on the "Advanced" switch set the "OpenVPN profile" combo box to "2.4" generate, download and import as usual Kind regards Quote Share this post Link to post
rhorho 0 Posted ... On 6/1/2024 at 4:47 PM, Staff said: … set the "OpenVPN profile" combo box to "2.4" generate, download and import as usual Kind regards Re-reading the original guide the comment to use v 2.4 for older DSM's was already there, so I should have read it more carefully. Anyway I generated the files again and it now works, so many thanks! Quote Share this post Link to post
Mikeyy 49 Posted ... If this is true ( https://community.synology.com/enu/forum/1/post/160585 ) then 6.2.4 is running OpenVPN 2.3. Quote Share this post Link to post