ANSWERED How to configure a Synology device

[barwhit 0]

I am perhaps the least computer literate on this site. I followed everything up until : telnet into .... such as putty,....

I downloaded putty manager but dont have a clue as to what i should do with it?Anyway, if anybody has the patience to explain  in simple terms the steps from above i would be most grateful

[amnesty 18]

I followed everything up until : telnet into .... such as putty,....

I downloaded putty manager but dont have a clue as to what i should do with it?Anyway, if anybody has the patience to explain  in simple terms the steps from above i would be most grateful

 

 

    I'm not using this but might be able to get you going. I'm not familiar with PuTTY Manager. Try downloading putty.exe

 

    As long as you follow @phantasteek's instructions you should be OK but it might not be a bad idea to backup your Synology device's data and config. The DSM 4.3 manual says the backup is here,

 

    "Go to Main Menu > Backup and Restore to perform backup tasks on Synology NAS. Before you start, do the following: For Local Backup to external disks: Go to Main Menu > Control Panel > External Devices and click Format to format the external disk".

 

    You will need the ip address, uname and passwd for the Synology device.

 

    You will need to enable access using telnet (port 23) on your Synology device.

 

    My device is 5 years old and the DSM probably isn't the same as yours.

 

    On mine I can enable telnet by logging in > Control Panel > Network Services > Terminal > Enable Telnet service (and/or Enable SSH service).

 

    The manual for DSM 4.3 says this, "Go to Main Menu > Control Panel > Terminal to enable Terminal service, allowing you to use Telnet to log in to Synology NAS and modify its settings.

    Important: Use the Terminal service with caution. Improper manipulation or modification to Synology NAS may result in system malfunction or data loss".

 

If you have a firewall running on the device, you might need to allow connections to telnet (port 23). I don't know if the newer DSM's block ports by default when the firewall is enabled. The manual for DSM v-4.3 says, Go to Main Menu > Control Panel > Firewall and QoS >

 

    If you are able to enable telnet, open PuTTY. Were you able to open putty? It is 1 file and can be run from anywhere. It's probably called putty.exe

 

    Open PuTTY > Don't worry about the Categories on the left. > You can setup a connection on the right  (Basic options for your PuTTY session).

 

    In the, "Specify the destination you want to connect to", enter the IP Address of your Synology device

    i.e. 192.168.1.232 > Set Connection type: Telnet. You will see the Port # change to 23 > Select "Open" and a terminal session will open. If your device is listening on port 23, it will display a login prompt.

 

    In the, "Saved Sessions" section,  type a name for the connection and select "Save". This will store your connection information under "Saved Sessions" so you can "Load" it the next time you run PuTTY.

 

    Here is a link to the PuTTY documentation

 

    http://www.chiark.greenend.org.uk/~sgtatham/putty/docs.html

 

    Use one from the first list (documentation for the latest release)

 

 

    Here is the area you can locate the manual for your Synology device:

 

    http://www.synology.com/en-global/support/download

 

[11647 1]

Now is there a way to "share" your connection through your Synology NAS to access the internet while it is connected to the VPN client? Because you cannot have two clients running at the same time. Computer> tunnel>sharing internet through the NAS>through the VPN connection>To the internet.

I know there are way to do this through a router but I don't always need it connected to all my devices, just these two. Any help?

[max1001 0]

Followed the guide but cannot make it work. Errors logged: 

 

Tue Dec 31 01:39:51 2013 OpenVPN 2.1.4 armle-unknown-linux [sSL] [LZO2] [EPOLL] built on Sep 16 2013

Tue Dec 31 01:39:51 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables

Tue Dec 31 01:39:51 2013 PLUGIN_INIT: POST /lib/openvpn/openvpn-down-root.so '[/lib/openvpn/openvpn-down-root.so] [/usr/syno/etc.defaults/synovpnclient/scripts/ip-down]' intercepted=PLUGIN_UP|PLUGIN_DOWN 

Tue Dec 31 01:39:51 2013 WARNING: file 'user.key' is group or others accessible

Tue Dec 31 01:39:51 2013 Cannot load CA certificate file ca.crt path (null) (SSL_CTX_load_verify_locations): error:02001002:lib(2):func(1):reason(2): error:2006D080:lib(32):func(109):reason(128): error:0B084002:lib(11):func(132):reason(2)

Tue Dec 31 01:39:51 2013 Exiting

[alexkuzm 0]

After some playing back and forth with DS209 - it works. I will update with performance as it moves along. 

---------------------------------------------

After trial period (3 days) - worked flawlessly. DS209, Android, Windows 8.2. 
Signing up for a year, also was easy.

Initially, I had to contact helpdesk people, whoever replied in about 30 minutes, was knowledgeable, directed to the right place (this forum), but I was already here.
Special thanks for detail instructions, one item I would add for those who struggling, is - once you comfortable with all the steps and VPN still not opening, regen files, it will give you different number at the end of the files and configuration entries -  to solve that problem.

Right now, I am working on getting to my VPN server from the outside to get that shared AirVPN connection in "always on" state, and use it as well as access to my home network at the same time.

My setup is as follows:
Modem->Router->HomeNetwork.
One server on HomeNetwork is DS209 station with AirVPN configured.
That DS209 is also has it's own VPN server. 
I would like to use that VPN server when I am outside of my home network to connect to it("I can do that when inside" and when connected and using Internet, I would like to use that AirVPN connection instead of default, just like I do when I am inside the house)

If somebody has experience with it, please share.

[Netbootz 0]

Thank you so much for takin gthe time to write that up.  Without that I could never even get close to figuring it all out.  However I also have errors. Any further help appreciated.

 

Sat Jan 18 21:44:37 2014 OpenVPN 2.1.4 armle-unknown-linux [sSL] [LZO2] [EPOLL] built on Sep 16 2013
Sat Jan 18 21:44:37 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Jan 18 21:44:37 2014 PLUGIN_INIT: POST /lib/openvpn/openvpn-down-root.so '[/lib/openvpn/openvpn-down-root.so] [/usr/syno/etc.defaults/synovpnclient/scripts/ip-down]' intercepted=PLUGIN_UP|PLUGIN_DOWN 
Sat Jan 18 21:44:37 2014 WARNING: file 'user.key' is group or others accessible
Sat Jan 18 21:44:37 2014 Cannot load CA certificate file ca.crt path (null) (SSL_CTX_load_verify_locations): error:02001002:lib(2):func(1):reason(2): error:2006D080:lib(32):func(109):reason(128): error:0B084002:lib(11):func(132):reason(2)
Sat Jan 18 21:44:37 2014 Exiting

After looking for clues I reloaded the cert from within the Syno DS and removed the quotations marks from inside the "client_oXXXXXXXXXX" file

[nology 0]

Thank you so much for takin gthe time to write that up.  Without that I could never even get close to figuring it all out.  However I also have errors. Any further help appreciated.

 

Sat Jan 18 21:44:37 2014 OpenVPN 2.1.4 armle-unknown-linux [sSL] [LZO2] [EPOLL] built on Sep 16 2013
Sat Jan 18 21:44:37 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Jan 18 21:44:37 2014 PLUGIN_INIT: POST /lib/openvpn/openvpn-down-root.so '[/lib/openvpn/openvpn-down-root.so] [/usr/syno/etc.defaults/synovpnclient/scripts/ip-down]' intercepted=PLUGIN_UP|PLUGIN_DOWN 
Sat Jan 18 21:44:37 2014 WARNING: file 'user.key' is group or others accessible
Sat Jan 18 21:44:37 2014 Cannot load CA certificate file ca.crt path (null) (SSL_CTX_load_verify_locations): error:02001002:lib(2):func(1):reason(2): error:2006D080:lib(32):func(109):reason(128): error:0B084002:lib(11):func(132):reason(2)
Sat Jan 18 21:44:37 2014 Exiting

After looking for clues I reloaded the cert from within the Syno DS and removed the quotations marks from inside the "client_oXXXXXXXXXX" file

 

You probably have the following line missing just after the line: key "user.key"

 

script-security 2

 

It was in the original client_XXXXXXX file but was removed per the original instructions by phantasteek.

[Netbootz 0]

@teehemkay -

 

Thanks for the response/suggestion.  I added that back and it still failed to connect.  I'll try again from scratch.

 

Addtl Info - this guide is for DSM 4.2, and I am now the current 4.3.  I did read some OpenVPNs failed to connect on the current version so maybe there are more than one reasons for the disconnect. Will report back.

[Netbootz 0]

SOLVED: synology DS212, DSM 4.3-3810 Update 2 + OpenVPN on AIRvpn

 

The "ca.crt" was not in "/usr/syno/etc/synovpnclient/openvpn". It wasn't explicitly in the directions and it doesn't get there by itself (when you Import Certificate during the vpn setup).

 

cp /volume1/SharedFolder/ca.crt /usr/syno/etc/synovpnclient/openvpn

[Spronky 0]

With the release of the new DSM5beta, AirVPN users need to be aware that if they change ANYTHING on the VPN Edit page in the new DSM and commit the changes by pressing "OK" you will wreck your conf_oXXXXXXXXXX file, and will need to copy that back to the /usr/syno/etc/synovpnclient/openvpn directory. You may have to copy back your ovpnclient.conf file as well as that can get changed as well.

 

NOTE: Undoing the changes you made on the Edit page and clicking "OK" WILL NOT fix your setup! Manual copying of your carefully edited and saved (?) files back to the Synology server will fix it.

 

The discussion on how to fix this and what is going on can be found on the Synology Forums. This gives a full description on how to fix things (basically what has already been said in this forum by phantasteek, et al, but with baby steps...). My OpenVPN (AirVPN) got broke by update

 

I was going to copy my post to here, but it's a bit big.

[BubbleGirl 0]

I'm a noob at this but I can follow the instructions. Nevertheless I'm confused between the original post started in 2012, the instruction given by synology and the two options mentioned)

What I don't understand using manual configuration of synology or Asus RT-N16 + Tomato + OpenVpn (which seems simpler to me personaly) will the reconect feature work or not like it does in the usual manner with AirVpn client in Win7 for instance? And what do I have to do in order to switch/change/reconnect to other servers from time to time like I do now?

And what is wrong with instructions provided? http://www.synology.com/en-global/support/tutorials/523#t3
 

"1. Before you start ... Before installing the VPN package on your DiskStation, please make sure the following: ...

The DiskStation Manager (DSM) of your DiskStation is the latest version. ..."

--> I guess it's the DSM 4.3-3827 not the 5.0 beta

Of course I'd prefer not to spend more money on the asus router if it works without it. I'm just trying to understand which way to go before I get the hardware.

Maybe another shoot to kill noob question: connecting mac and synology in parallel through the asus router ... is there any difference to just going through the synology NAS like in the official tutorial "How to join a Synology NAS to a VPN network"?

[Xiocus 9]

I'm definitely in love with the support from users and staff members in this community... You guys ROCK!!!

 

Thanks a lot phantasteek!!

[Gronjos 0]

Cannot connect with DSM5.

 

Get following error:

Mon Apr 14 02:31:55 2014 OpenVPN 2.1.4 armle-unknown-linux [sSL] [LZO2] [EPOLL] built on Mar  5 2014
Mon Apr 14 02:31:55 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Apr 14 02:31:55 2014 PLUGIN_INIT: POST /lib/openvpn/openvpn-down-root.so '[/lib/openvpn/openvpn-down-root.so] [/usr/syno/etc.defaults/synovpnclient/scripts/ip-down]' intercepted=PLUGIN_UP|PLUGIN_DOWN
Mon Apr 14 02:31:55 2014 WARNING: file 'user.key' is group or others accessible
Mon Apr 14 02:31:55 2014 LZO compression initialized
Mon Apr 14 02:31:55 2014 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Apr 14 02:31:55 2014 Socket Buffers: R=[114688->131072] S=[114688->131072]
Mon Apr 14 02:31:55 2014 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Apr 14 02:31:55 2014 Local Options hash (VER=V4): '22188c5b'
Mon Apr 14 02:31:55 2014 Expected Remote Options hash (VER=V4): 'a8f55717'
Mon Apr 14 02:31:55 2014 UDPv4 link local: [undef]
Mon Apr 14 02:31:55 2014 UDPv4 link remote: 37.48.81.11:53
Mon Apr 14 02:32:55 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Apr 14 02:32:55 2014 SYNO_ERR_CERT
Mon Apr 14 02:32:55 2014 TLS Error: TLS handshake failed

 

Any clues?

[darkshadow123 1]

You need to copy the ta.key file that will now be part of the config that needed to be regenerated again due to the update.

 

Add that line to you config file:

 

tls-auth ta.key 1

 

I added it just below they key line.

Worked like a charm right after that.

[Spronky 0]

You need to copy the ta.key file that will now be part of the config that needed to be regenerated again due to the update.

 

Add that line to you config file:

 

tls-auth ta.key 1

 

I added it just below they key line.

Worked like a charm right after that.

Thanks darkshadow123!

 

(I think I love you!)

 

In my case, ther was a bit more to do.

I had set up a log and was getting these errors -

Mon Apr 14 16:28:31 2014 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1526', remote='link-mtu 1558'

Mon Apr 14 16:28:31 2014 WARNING: 'cipher' is used inconsistently, local='cipher [null-cipher]', remote='cipher AES-256-CBC'

Mon Apr 14 16:28:31 2014 WARNING: 'keysize' is used inconsistently, local='keysize 0', remote='keysize 256'

and

Mon Apr 14 16:28:38 2014 Bad LZO decompression header byte: 60

Mon Apr 14 16:28:48 2014 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #315396379 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

Mon Apr 14 16:28:59 2014 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #505792042 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

Mon Apr 14 16:29:02 2014 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1398193423 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

Mon Apr 14 16:29:08 2014 Replay-window backtrack occurred [328480336]

 

By changing the cipher line to -

cipher AES-256-CBC

 

and the comp-lzo line to -

comp-lzo no

 

Got rid of pretty much all errors.

There's still a few bits I need to check up on (with TechSupp), but it seems to be working now.

 

Thanks again darkshadow123 for the "heads-up"

 

Susi xx

[Gronjos 0]

You need to copy the ta.key file that will now be part of the config that needed to be regenerated again due to the update.

 

Add that line to you config file:

 

tls-auth ta.key 1

 

I added it just below they key line.

Worked like a charm right after that.

 

Thanks so much!

It works now like a charm.

[happymab 0]

I have some problem connecting my synology to airvpn after the latest update. I generated new certificates, copied them to the openvpn folder and regarding the client_xxxx file tried the following modifications:

 

1. Added the line 

 

tls-auth ta.key 1
 

 

2. Deleted all lines except the three last ones and added the lines from AirVPN_XXXXX_UDP-53.ovpn

 

The vpn connects without error with both configurations. But the synology has no internet connection. LAN however works fine.

 

Here is my config file

 

 

# --------------------------------------------------------
# Air VPN | https://airvpn.org | Friday 18th of April 2014 08:38:28 AM
# OpenVPN Client Configuration
# AirVPN_Europe_UDP-53
# --------------------------------------------------------


log-append /volume1/myshare/tmp/AirVPN.log
client
dev tun
proto udp
remote europe.vpn.airdns.org 53
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
verb 3
explicit-exit-notify 5
ca "ca_xxxx.crt"
cert "user.crt"
key "user.key"
tls-auth "ta.key" 1
float
reneg-sec 0
explicit-exit-notify
plugin /lib/openvpn/openvpn-down-root.so /usr/syno/etc.defaults/synovpnclient/scripts/ip-down
auth-user-pass /tmp/ovpn_client_up
 

 

 

Any ideas?

[happymab 0]

I managed to fix the issue. The DNS server was not configured properly...

 

I have some problem connecting my synology to airvpn after the latest update. I generated new certificates, copied them to the openvpn folder and regarding the client_xxxx file tried the following modifications:

 

1. Added the line 

 

tls-auth ta.key 1
 

 

2. Deleted all lines except the three last ones and added the lines from AirVPN_XXXXX_UDP-53.ovpn

 

The vpn connects without error with both configurations. But the synology has no internet connection. LAN however works fine.

 

Here is my config file

 

 

# --------------------------------------------------------
# Air VPN | https://airvpn.org | Friday 18th of April 2014 08:38:28 AM
# OpenVPN Client Configuration
# AirVPN_Europe_UDP-53
# --------------------------------------------------------


log-append /volume1/myshare/tmp/AirVPN.log
client
dev tun
proto udp
remote europe.vpn.airdns.org 53
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
verb 3
explicit-exit-notify 5
ca "ca_xxxx.crt"
cert "user.crt"
key "user.key"
tls-auth "ta.key" 1
float
reneg-sec 0
explicit-exit-notify
plugin /lib/openvpn/openvpn-down-root.so /usr/syno/etc.defaults/synovpnclient/scripts/ip-down
auth-user-pass /tmp/ovpn_client_up
 

 

 

Any ideas?

[ftbenjamin.mann@gmail.com 0]

I need some help in connecting to AirVpn, I have never used putty before, I am trying to follow the instructions listed above but nothing seems to work, I have a Synology DS214Play, I have created the files from the AirVPN site and placed them into a folder, I moved onto the next step where you are meant to import the certificate, no import option for me, can someone please help and give me a more uptodate instructions.

 

I am running DSM 5.0-4482

 

Thanks

[happymab 0]

I need some help in connecting to AirVpn, I have never used putty before, I am trying to follow the instructions listed above but nothing seems to work, I have a Synology DS214Play, I have created the files from the AirVPN site and placed them into a folder, I moved onto the next step where you are meant to import the certificate, no import option for me, can someone please help and give me a more uptodate instructions.

 

I am running DSM 5.0-4482

 

Thanks

I use the same DSM version. I used the following steps to configure the VPN connection after creating the certificates and config file from the AirVPN site.

• To create a VPN connection for the Synology NAS login to the Synology web interface, then open the control panel, then go to Network and Network Interface. Select “Create VPN Profile” (see vpn.jpg). Use anything for “Server address”, “User name” and “Password” (it will be changed later). Import your “ca.crt” certificate that you have created from the AirVPN site. Select “Next”, set advanced settings as you like and finish the VPN dialog. The Synology NAS now imports the certificate and creates a basic VPN configuration that will be modified in the next step.

• Select “Terminal & SNMP” from the control panel. Make sure that the option “Enable SSH service” is enabled (you can disable it again after the VPN connetion is set up).

• Use a terminal program like putty to login into your NAS with the command: “ssh root@xxx.xxx.xxx.xxx” (replace xxx.xxx.xxx.xxx with the ip of your NAS). You will be asked for the password, use the same admin password as for the login to the web interface. You are now logged in and can use Linux console commands (you may google for a cheat sheet to use Linux or bash commands).

• Now you have to locate the folder with your certificates and configuration files. If the files are in a folder named “MyAirVPNFolder” and this folder is located on a share named “MyShare” on the first volume of your NAS then you have to type: “cd /volume1/MyShare/MyAirVPNFolder”. Then type: “ls -l”, this will list the content of the folder; the list should contain the certificate and configuration files.

• Then follow the step by step instructions of phantasteek to finish the configuration:

 

• change directory to the openvpn folder using this command:

cd /usr/syno/etc/synovpnclient/openvpn

 

• use a command like below to copy the client_oXXXXXXXX described above to a diskstation shared folder to be able to open and change it with a text editor:

cp client_oXXXXXXXX /volume1/SharedFolder/

where you substitute your specific numbers for XXXXXXXX and your specific volume and folder name for /volume1/SharedFolder

...

 

 

[trebonius 2]

Hello,

Thanks for those instructions that worked for me.

- First of all, strangely when I copied the user.crt file to the openvpn directory, the file was named with a question mark at the end. I tried several times and always the same result.

I had to use mv user.crt? user.crt to rename it properly

 

- I have some errors in the log that groups are not properly configured on user.key and ta.key. Should I worry about ?

If yes thanks to tell me how (what terminal command)

Here is the log:

 

Sun May 18 18:47:58 2014 OpenVPN 2.1.4 powerpc-unknown-linux [sSL] [LZO2] [EPOLL] built on Apr  8 2014

Sun May 18 18:47:58 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables

Sun May 18 18:47:58 2014 PLUGIN_INIT: POST /lib/openvpn/openvpn-down-root.so '[/lib/openvpn/openvpn-down-root.so] [/usr/syno/etc.defaults/synovpnclient/scripts/ip-down]' intercepted=PLUGIN_UP|PLUGIN_DOWN 

Sun May 18 18:47:58 2014 WARNING: file 'user.key' is group or others accessible

Sun May 18 18:47:58 2014 WARNING: file 'ta.key' is group or others accessible

Sun May 18 18:47:58 2014 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file

Sun May 18 18:47:58 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

Sun May 18 18:47:58 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

...

...

 

 

And here are permissions on those files.

DiskStation> ls -al

drwxr-xr-x    2 root     root          4096 May 18 18:44 .

drwxr-xr-x    6 root     root          4096 May 18 18:48 ..

-rwxrwxrwx    1 root     root          2256 May 18 18:35 ca_oxyzxyzxyz.crt

-rw-rw-rw-    1 root     root           694 May 18 18:47 client_oxyzxyzxyz

-rw-r--r--    1 root     root           127 May 18 18:35 ovpnclient.conf

-rwxr-xr-x    1 root     root           636 May 18 18:40 ta.key

-rwxr-xr-x    1 root     root          2354 May 18 18:43 user.crt

-rwxr-xr-x    1 root     root          3243 May 18 18:39 user.key

DiskStation> 

 

 

Thanks in advance for your answers.

[Pomy59 0]

Hi! I followed the instructions and I tried a lot of thinks but it won't work.

I copied ta.key, user.crt, user.key

 

Here is my client file:

 

 

# --------------------------------------------------------

# Air VPN | https://airvpn.org | Saturday 24th of May 2014 10:22:09 AM

# OpenVPN Client Configuration

# AirVPN_Netherlands_UDP-53

# --------------------------------------------------------

 

log-append /volume1/xxx/AirVPN.log

client

dev tun

proto udp

remote nl.vpn.airdns.org 53

resolv-retry infinite

nobind

persist-key

persist-tun

remote-cert-tls server

cipher AES-256-CBC

comp-lzo no

verb 3

explicit-exit-notify 5

ca ca_xxxx.crt

cert user.crt

key user.key

tls-auth ta.key 1

script-security 2

redirect-gateway

float

reneg-sec 0

plugin /lib/openvpn/openvpn-down-root.so /usr/syno/etc.defaults/synovpnclient/scripts/ip-down

auth-user-pass /tmp/ovpn_client_up

 

And I have no logs either.

And here is my /usr/syno/etc/synovpnclient/openvpn:

 

-rwxrwxrwx    1 root     root          2256 May 24 15:27 ca_xxxx.crt

-rw-r--r--    1 root     root           455 May 24 16:39 client_xxxx

-rw-rw-rw-    1 root     root           152 May 24 16:05 ovpnclient.conf

-rw-r--r--    1 root     root           636 May 24 15:20 ta.key

-rw-r--r--    1 root     root          2354 May 24 14:59 user.crt

-rw-r--r--    1 root     root          3243 May 24 15:00 user.key

 

 I'm running on last DSM release (5.0-4482)

 

Any idea?

[Pomy59 0]

Finally I found the solution. I modified the ovpnclient.conf file with the correct values and it worked. (It was filed with anything instead of an address in the ip)

[markturner 1]

Hi folks, I've followed these instructions and am still getting a TLS handshake error. Here's my log:

Sat Jun 21 13:01:32 2014 OpenVPN 2.1.4 armle-unknown-linux [SSL] [LZO2] [EPOLL] built on Feb 26 2014
Sat Jun 21 13:01:32 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Jun 21 13:01:32 2014 PLUGIN_INIT: POST /lib/openvpn/openvpn-down-root.so '[/lib/openvpn/openvpn-down-root.so] [/usr/syno/etc.defaults/synovpnclient/scripts/ip-down]' intercepted=PLUGIN_UP|PLUGIN_DOWN 
Sat Jun 21 13:01:32 2014 WARNING: file 'user.key' is group or others accessible
Sat Jun 21 13:01:32 2014 WARNING: file 'ta.key' is group or others accessible
Sat Jun 21 13:01:32 2014 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Sat Jun 21 13:01:32 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jun 21 13:01:32 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jun 21 13:01:32 2014 LZO compression initialized
Sat Jun 21 13:01:32 2014 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sat Jun 21 13:01:32 2014 Socket Buffers: R=[114688->131072] S=[114688->131072]
Sat Jun 21 13:01:32 2014 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Jun 21 13:01:32 2014 Local Options hash (VER=V4): '9e7066d2'
Sat Jun 21 13:01:32 2014 Expected Remote Options hash (VER=V4): '162b04de'
Sat Jun 21 13:01:32 2014 UDPv4 link local: [undef]
Sat Jun 21 13:01:32 2014 UDPv4 link remote: 37.48.81.10:53
Sat Jun 21 13:02:33 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jun 21 13:02:33 2014 SYNO_ERR_CERT
Sat Jun 21 13:02:33 2014 TLS Error: TLS handshake failed
Sat Jun 21 13:02:33 2014 TCP/UDP: Closing socket

And here's my client file:

# --------------------------------------------------------
# Air VPN | https://airvpn.org | Saturday 21st of June 2014 11:43:47 AM
# OpenVPN Client Configuration
# AirVPN_Europe_UDP-53
# --------------------------------------------------------

log-append /volumeUSB1/usbshare/logs/airvpn/airvpn.log
client
dev tun
proto udp
remote europe.vpn.airdns.org 53
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
verb 3
explicit-exit-notify 5
ca ca_o1403345979.crt
cert user.crt
key user.key
tls-auth ta.key 1
redirect-gateway
script-security 2
float
reneg-sec 0
plugin /lib/openvpn/openvpn-down-root.so /usr/syno/etc.defaults/synovpnclient/scripts/ip-down

I'm on DSM 5 and have copied the ta.key file across as well. Any suggestions would be greatly appreciated!

[trebonius 2]

Hello,

Actually doing a chmod 400 on user.key and ta.key did the work.

Hello,

Thanks for those instructions that worked for me.

- First of all, strangely when I copied the user.crt file to the openvpn directory, the file was named with a question mark at the end. I tried several times and always the same result.

I had to use mv user.crt? user.crt to rename it properly

 

- I have some errors in the log that groups are not properly configured on user.key and ta.key. Should I worry about ?

If yes thanks to tell me how (what terminal command)

Here is the log:

 

Sun May 18 18:47:58 2014 OpenVPN 2.1.4 powerpc-unknown-linux [sSL] [LZO2] [EPOLL] built on Apr  8 2014

Sun May 18 18:47:58 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables

Sun May 18 18:47:58 2014 PLUGIN_INIT: POST /lib/openvpn/openvpn-down-root.so '[/lib/openvpn/openvpn-down-root.so] [/usr/syno/etc.defaults/synovpnclient/scripts/ip-down]' intercepted=PLUGIN_UP|PLUGIN_DOWN 

Sun May 18 18:47:58 2014 WARNING: file 'user.key' is group or others accessible

Sun May 18 18:47:58 2014 WARNING: file 'ta.key' is group or others accessible

Sun May 18 18:47:58 2014 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file

Sun May 18 18:47:58 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

Sun May 18 18:47:58 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

...

...

 

 

And here are permissions on those files.

>

DiskStation> ls -al

drwxr-xr-x    2 root     root          4096 May 18 18:44 .

drwxr-xr-x    6 root     root          4096 May 18 18:48 ..

-rwxrwxrwx    1 root     root          2256 May 18 18:35 ca_oxyzxyzxyz.crt

-rw-rw-rw-    1 root     root           694 May 18 18:47 client_oxyzxyzxyz

-rw-r--r--    1 root     root           127 May 18 18:35 ovpnclient.conf

-rwxr-xr-x    1 root     root           636 May 18 18:40 ta.key

-rwxr-xr-x    1 root     root          2354 May 18 18:43 user.crt

-rwxr-xr-x    1 root     root          3243 May 18 18:39 user.key

DiskStation> 

 

 

Thanks in advance for your answers.