ANSWERED How to configure a Synology device

[afurbano 1]

Hi guys,

Anyone knows how to configuration a synology server to work through Airvpn servers?

Thanks

[ranjeetsodhi 0]

bump!! need help with this as well. I have run the OpenVPN connection on my Mac without any issues, but haven't been able to get the OpenVPN client on Synology to even complete the setup - it just goes into a endless sleep state..

Anybody have a Synology NAS 4.0 or 4.1 Beta configured with AirVPN?

[Staff 9969]

Hello!

We're sorry, as far as we know the Synology NAS is not fully compatible with OpenVPN in client mode because it does not support double certificate+key authentications. Please refer to the Synology customer support.

Kind regards

[ranjeetsodhi 0]

Is there any way to get PPTP to work with a Synology NAS (running DSM 4.1Beta)?

[Staff 9969]

Is there any way to get PPTP to work with a Synology NAS (running DSM 4.1Beta)?

Hello!

We don't provide PPTP access. Please refer to the Synology customers' support.

Kind regards

[ranjeetsodhi 0]

Thanks much for the quick response.

[Shakazulu 0]

Synology allows for application to built for it. Has anyone built an airvpn application that can be installed on the synology device. Just want to reopen this thread. This seems like a real need for that system.

[janern 0]

This was the sole purpose for me just bying the 6 month package. So this was very disappointing. I just took it for granted that it would work. A couple of weeks ago I tried Astrill's free trial, and was completely able to use that on my Synology NAS, they even had a wiki-page about it; http://wiki.astrill.com/index.php/Astrill_Setup_Manual:How_to_get_OpenVPN_working_on_Synology_NAS , (feel free to remove the link from the post if i'm overstepping here. just providing you information about the "competition" ) I was thinking it should work the same way, but i didn't seem to.

[Staff 9969]

@janern

 

We are not removing the link because it gives us the option to talk about an important security issue.

 

With our service, you don't even have to create manually a file. Our Configuration Generator will generate all the files needed by OpenVPN.

 

Make sure to tick "Advanced Mode", and then tick "Separate certs/keys from .ovpn file".

 

Unfortunately, the instructions you linked talk only about a ca certificate, as if the Astrill authentication method is based only on that (with, optionally, login and password, which would be even worse). That's really a very bad way to build a secure & trusted VPN. Our authentication method is based on client certificate, server certificate and client key, with TLS re-keying at each connection and every 60 minutes (Perfect Forward Secrecy). No VPN server keeps any database of login names, passwords, user names or anything else. This is the correct way to provide a higher security service with OpenVPN. It is so obvious that we are astonished that you even compare a service without the aforementioned features with AirVPN.

 

Since security and strength of the anonymity layer are one of our highest priorities, we're sure you'll understand our decision to never compromise the system to meet the needs of devices that do not implement all the OpenVPN features (IF it's your case, of course), even if that would mean to have some gullible customers that with the current system we can't have.

 

If some services meet your need and our service does not because it provides a much higher security level, it's unfair to blame us, and not only in consideration of the fact that we clearly list all the systems that are compatible with our service. You should blame VPN providers and manufacturers that do not offer the better security options. We see that you have already asked for a refund and that the refund has been granted, so you are free to pick the service that you prefer. If you think that security is not of your concern, there are literally hundreds of low security, low privacy VPN services on the Internet that you can use. Our service will not compromise security and/or privacy for marketing reasons.

 

Kind regards

[phantasteek 9]

I have actually been able to successfully connect my Synology DS211j. I got a three day trial, configured it and got it running properly yesterday. The only issue I've had was the inability to reconnect automatically upon disconnect.

 

If Air staff are ok, I can share the steps I've followed to configure the connection. In principle I've generated and downloaded the configuration files, uploaded the cert and key files to the diskstation using a terminal connection, created a placeholder OpenVPN connection in the Synology diskstation's VPN control panel using the user cert I uploaded, then downloaded the configuration file from the station using terminal, modified it to use all Air parameters and keys/certificates and finally uploaded it back to the diskstation and connected.

 

Staff, please let me know if it's ok to post details and if you'd like to see my connection logs to confirm all is good from a security standpoint.

 

Thanks.

[Staff 9969]

@phantasteek

 

Hello!

 

Of course, it's just fine, thank you! Also feel free to publish or send us in private the connection logs.

 

Kind regards

[Royee 10]

Another possible choice and work around is to use a tomato Router with VPN already ?   that way anything connected to the router via ethernet is running through the VPN.  All your apps on the Synology torrent etc should in theory be running through the VPN.

 

One can always buy a Asus RT-N16 for around £40-60 off ebay easily,  if you add firewall rules you can further safe guard yourself in case the VPN drops out also.

 

I am only guessing the above however !  but in theory it should work

[Staff 9969]

@Royee

 

Yes, absolutely. We have very many customers who connect their whole house or office to a VPN server via a Tomato, DD-WRT or other supporting OpenVPN firmware builds. As you can see, we provide instructions to configure both Toastman Tomato and DD-WRT ('OpenVPN-flavored') through the router web interface.

 

One thing to keep in mind, though: consumers' routers CPU processing power is not outstanding for real time AES encryption/decryption. Our OpenVPN Data Channel cipher is AES-256-CBC. Consumers' routers CPU will be able to handle no more than 7-10 Mbit/s AES throughput, due to encryption and decryption on the fly, so the connected devices will be "capped" at that maximum TOTAL throughput.

 

Kind regards

[phantasteek 9]

Here's a step-by-step of how I've setup an AirVPN OpenVPN connection on a Synology DS211j running DSM 4.2-3202:

1. Generate the configuration and cert/key files on the AirVPN web site:

• Choose your Operating System: select Linux (see ChooseOS.jpg attachment)

• Pick a server

• Under Connection Modes: select Advanced Mode, select Direct, protocol UDP, port 53 and select Separate keys/certs from .ovpn file (see ConnectionModes.jpg)

• Accept both then click on Generate

• Click on ZIP to download a ZIP archive containing all files (see DownloadFiles.jpg); unzip the contents to a work folder; the archive should contain the following files:

  • AirVPN_XXXXX_UDP-53.ovpn; XXXXX reflects the server selected above

  • ca.crt

  • user.crt

  • user.key

2. Create an OpenVPN connection in the Synology diskstation's VPN control panel (see VPN.jpg):

• use anything for the IP, user and password as they will be changed/removed manually below anyways

• import the ca.crt certificate you extracted into the work folder above (see VPNGeneral.jpg)

• set advanced settings as desired

• apply changes

• as a result the following files will get created in the /usr/syno/etc/synovpnclient/openvpn folder on the diskstation (see Files.jpg):

  • ca_oXXXXXXXX.crt

  • client_oXXXXXXXX

  • ovpn_oXXXXXXXX.conf, where XXXXXXXX is a number assigned automatically when the OpenVPN connection is saved (probably an Id for the connection)

3. Modify the Synology configuration file created above:

• telnet into the Synology diskstation using a telnet/ssh app such as Putty, login as root, which should have the same password as the admin user

• change directory to the openvpn folder using this command:

cd /usr/syno/etc/synovpnclient/openvpn

 

• use a command like below to copy the client_oXXXXXXXX described above to a diskstation shared folder to be able to open and change it with a text editor:

cp client_oXXXXXXXX /volume1/SharedFolder/

where you substitute your specific numbers for XXXXXXXX and your specific volume and folder name for /volume1/SharedFolder

• open the file you copied to the shared folder with your favourite text editor (e.g. Notepad or Notepad++) and make the following changes to merge the configuration file generated and downloaded from the AirVPN web site into it:

• remove all the lines from the client_oXXXXXXXX file except the 3 below:

float

reneg-sec 0

plugin /lib/openvpn/openvpn-down-root.so /etc/ppp/ip-down

• then insert all lines from the AirVPN_XXXXX_UDP-53.ovpn into the file and save it

• optionally, if you wish to have a client connection log file for debugging/troubleshooting purposes, you can also include a line like this (with your own folder and file name):

log-append /volume1/SharedFolder/AirVPN.log

• at this point the file should look something like this:

# --------------------------------------------------------
# Air VPN | https://airvpn.org | Wednesday 4th of September 2013 12:07:47 AM
# OpenVPN Client Configuration
# AirVPN_Server_UDP-53
# --------------------------------------------------------

client
dev tun
proto udp
remote some.server.address.here 53
resolv-retry infinite
nobind
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3
explicit-exit-notify 5
ca ca_oXXXXXXXX.crt
cert user.crt
key user.key
script-security 2
redirect-gateway
float
reneg-sec 0
plugin /lib/openvpn/openvpn-down-root.so /etc/ppp/ip-down

with the proper values for the server and numeric connection id instead of the placeholders "some.server.address.here" and "XXXXXXXX" I've included above

• in the telnet app, while continuing to be positioned in the /usr/syno/etc/synovpnclient/openvpn folder, copy the modified client_oXXXXXXXX file back to that folder using a command like:

cp /volume1/SharedFolder/client_oXXXXXXXX .

• using similar commands, also copy the user.crt and user.key files over to the /usr/syno/etc/synovpnclient/openvpn folder:

 

cp /volume1/SharedFolder/user.crt .

cp /volume1/SharedFolder/user.key .

• done

 

NOTES:

• any VPN configuration changes made and saved through the Synology VPN control panel will result in the client_oXXXXXXXX file being overwritten and reset to its original state before the manual edits described above, which basically renders the configuration unusable with AirVPN; if this happens the file should be restored from a previously saved backup using a cp (copy) command like the ones above; so when you get the configuration working, create a backup of the client_XXXXXXXX file somewhere safe;
• multiple entries for different AirVPN servers can be created by downloading the configuration and key files for each server from the web site and re-doing the above steps for each entry; the proper ca.crt certificate file should be used for each entry; I believe the user.crt and user.key are the same for all servers as they are user-specific rather than server-specific and therefore they can be reused for all connections (they don't need to be copied over to the usr/syno/etc/synovpnclient/openvpn folder multiple times - last step above, before "done").

[SeriousDuke 1]

@phantasteek

 

Hey man, thanks a lot!

Managed to get my Synology (also DS211j) with DSM 4.3-3776 connected to AirVPN thanks to your guidelines.

This was even the first time I ever used telnet in my life (but it turns out to be similar to DOS).

 

I did need to repeat the filename at the end op the cp command though or it wouldn't work:

cp client_oXXXXXXXX /volume1/SharedFolder/client_oXXXXXXXX

 

There were a few lines in the client_o file that were somewhat different from yours:

Some lines with " ":

ca "ca_oXXXXXXXXXX.crt"

cert "user.crt"

key "user.key"

And my last line looked like: plugin /lib/openvpn/openvpn-down-root.so /usr/syno/etc.defaults/synovpnclient/scripts/ip-down

 

But it worked! Used telnet to verify my connection with traceroute and everything ok.

 

So Synology owners: give it a try. First I was a bit put off when I saw the technical explanation, but just follow phantasteek's steps and you'll be fine.

[phantasteek 9]

 

@phantasteek

 

Hey man, thanks a lot!

Managed to get my Synology (also DS211j) with DSM 4.3-3776 connected to AirVPN thanks to your guidelines.

This was even the first time I ever used telnet in my life (but it turns out to be similar to DOS).

 

I did need to repeat the filename at the end op the cp command though or it wouldn't work:

cp client_oXXXXXXXX /volume1/SharedFolder/client_oXXXXXXXX

 

There were a few lines in the client_o file that were somewhat different from yours:

Some lines with " ":

ca "ca_oXXXXXXXXXX.crt"

cert "user.crt"

key "user.key"

And my last line looked like: plugin /lib/openvpn/openvpn-down-root.so /usr/syno/etc.defaults/synovpnclient/scripts/ip-down

 

But it worked! Used telnet to verify my connection with traceroute and everything ok.

 

So Synology owners: give it a try. First I was a bit put off when I saw the technical explanation, but just follow phantasteek's steps and you'll be fine.

 

Hey SeriousDuke. Glad I could help.

Ya, the quotes were in my file, too, but I removed them to simplify things, and since the file names did not contain any spaces that was ok.

I'm guessing the plugin line is different due to the different (newer) version of DSM that you have.

 

Thanks.

[2df46c2fb3 1]

@phantasteek

 

Thanks very much for your guide. Just tried it and everything is fine, except for that fact that I'm getting "Permission denied" errors when trying to copy the client_xxxxxxx, user.crt and user.key files.

I'm logged in as Admin via Putty, si I should have all rights.

 

Any tips?

eally appreciate it, thanks!

[phantasteek 9]

@phantasteek

 

Thanks very much for your guide. Just tried it and everything is fine, except for that fact that I'm getting "Permission denied" errors when trying to copy the client_xxxxxxx, user.crt and user.key files.

I'm logged in as Admin via Putty, si I should have all rights.

 

Any tips?

eally appreciate it, thanks!

 

Hi there. You need to login as root (not admin). root should have the same password as admin.

[karmalized 0]

Hello All,

 

 I have tried following these guidelines to get my DS212j setup using DSM 4.3 but I am not able to connect. I am wondering if anyone can see anything wrong with my config file:

 

# --------------------------------------------------------

# Air VPN | https://airvpn.org | Friday 1st of November 2013 02:15:05 AM

# OpenVPN Client Configuration

# AirVPN_CA-Lesath_UDP-53

# --------------------------------------------------------

 

client

dev tun

proto udp

remote 184.75.221.2 53

resolv-retry infinite

nobind

ns-cert-type server

cipher AES-256-CBC

comp-lzo

verb 3

explicit-exit-notify 5

ca “ca_o1383270549.crt”

cert "user.crt"

key "user.key”

script-security 2

float

reneg-sec 0

plugin /lib/openvpn/openvpn-down-root.so /usr/syno/etc.defaults/synovpnclient/scripts/ip-down

log-append /volume1/Jay/AirVPN.log

 

 

Here is my file list from the NAS server:

 

JaysServer> pwd

/usr/syno/etc/synovpnclient/openvpn

JaysServer> ls -al

drwxr-xr-x    2 root     root          4096 Nov  1 21:21 .

drwxr-xr-x    7 root     root          4096 Oct 29 20:55 ..

-rw-r--r--    1 root     root          1562 Oct 31 22:35 ca.crt

-rwxr-xr-x    1 root     root          1562 Oct 31 22:42 ca_o1383270549.crt

-rw-r--r--    1 root     root           648 Nov  1 21:23 client_o1383270549

-rw-------    1 root     root           439 Nov  1 21:13 ovpn_o1383270549.conf

-rw-r--r--    1 root     root          5126 Oct 31 22:35 user.crt

-rw-r--r--    1 root     root          1675 Nov  1 21:21 user.key

[Staff 9969]

Hello!

 

Please try to add the directive log-append to generate a log file which can be very useful for troubleshooting (feel free to send the logs).

 

Kind regards

[karmalized 0]

Actually, even though I have the log file append command, I do not see the log file being generated in the folder, and I can't seem to find any logs elsewhere on the DSM system. Is there any other way to get log files generated?

[Staff 9969]

Hello!

 

If the log file is not generated, chances are that OpenVPN was not running at all, can you please check?

 

Kind regards

[Spronky 0]

You know, I must be thicker than a thick thing because I cannot get these incantations to work.

As far as I can tell, I followed phantasteek's instructions to the letter, but it all got messed up around the part where he says "use anything for the IP, user and password as they will be changed/removed manually below anyways".

I did as instructed, but when/what/where were they changed manually?

I was still stuck with the pretend IP address. a username of "Blah" and a password just as silly.

Hey. I pressed "connect" and it did, to 10.8.0.222

I disconnected. Put the Nashira IP in - 84.39.116.179

My AirVPN username

My AirVPN password

> no connection. I messed up.

Simple instructions. Baby steps, please?

tia Susi xx

 

(I modded the client_o....... file. Copied it back, along with the user.crt and user.key over as well.)

 

EDIT:

OK. I did all that above as said earlier, but somehow, and I have no idea why, but things got messed up because (it seems) I put in dummy IP, usernames and password.

I had to put the proper ones in, re-edit the client_oxxxxxxxx file, as somehow the details had changed, and away it went....

I think.

The AirVPN "Client Area" says it's connected. So fingers crossed....

[karmalized 0]

Hello!

 

If the log file is not generated, chances are that OpenVPN was not running at all, can you please check?

 

Kind regards

Hello,

 

 Do you know how to check to see if it is running? In the Synology VPN configuration section, I click on the bottom to connect, but I do not know how to check if OpenVPN is running.

[karmalized 0]

Ok, looks like i got it working. Seems the client_oXXXXXXX file for my config, doesn't like the quotation marks around the certificate file names. I restarted this and found that by leaving them off, it now works. Here is my client file:

 

client

dev tun

proto udp

remote xxx.xxx.xxx.xxx 53

resolv-retry infinite

nobind

ns-cert-type server

cipher AES-256-CBC

comp-lzo

verb 3

explicit-exit-notify 5

ca ca_o138327XXXX.crt

cert user.crt

key user.key

script-security 2

redirect-gateway

float

reneg-sec 0

plugin /lib/openvpn/openvpn-down-root.so /usr/syno/etc.defaults/synovpnclient/scripts/ip-down