Leaderboard

Hello all, This is collection from different tutorials which I will refer here, but usually changed since some things changed. Setting up VPN on Synology is modified neolefort tutorial from here and reconnect script if from sundi which you can find here, which probably modified this script, plus my iptables for blocking Synology on router level when VPN fails. Other contributions: foobar666 - you no longer need to enter variables manually _sinnerman_ - fixed script for DS 6.1 I'm doing this mostly because I usually forget things I managed to solve after year or two, so this is way to have constant reminder how it was solved and also help others. 1. Get your certificates from AirVPN. Go to the https://airvpn.org/generator/ page to generate the configuration file. (1) SELECT the Advanced Mode (under "Config generator" title ) (2) SELECT LINUX OS (3) Under "Protocols" section select one with protocol UDP, port 443 and tls-auth in the right column (at the time of writing, it was in middle of the list). You can choose any combination of protocol/port, but then also change iptables accordingly if you are using failsafe script. Don't choose any combination which has tls-crypt in the right column. (4) Under "Advanced - OpenVPN only" section (right part of page), toggle "Separate keys/certs from .ovpn file" button and change/leave OpenVPN version to 2.5 (This works in DSM 7.2.1. For older versions you will maybe have to select OpenVPN version 2.4). (5) SELECT 1 SERVER (refer to section "by single servers") OR COUNTRY OR ANYTHING ELSE YOU WANT In original tutorial, neolefort said to choose 1 server, because in that case you will get IP instead of xxx.airvpn.org domain. Choosing 1 server is safe because it doesn't need working DNS when you want to connect to VPN. If you choose anything else, you need working DNS on your router when establishing VPN connection. (6) Click "GENERATE" at the bottom. (7) Page will reload with links on top to your files, save them to you computer. Following files will be generated: -AirVPN_XXXXX_UDP-443.ovpn -ca.crt -user.crt -user.key -ta.key 2. Setup AirVPN on Synology. - Login as admin or with user from Administrator group. - Open Control panel. - Go "Network" and click on tab "Network Interface" - Click on button "Create" - "Create VPN profile" - Choose "OpenVPN (via importing .ovpn file)" - Click "Advanced options" so it shows all options - Profile name: anything you want, but please keep is short and if you can without spaces " ", for example "AirVPN". - User name: LEAVE EMPTY (for DSM 7+ just put anything here) - Password: LEAVE EMPTY (for DSM 7+ just put anything here) - Import .ovpn file: click button and import your AirVPN_XXXXX_UDP-443.ovpn - CA certificate: click button and import your ca.crt - Client certificate: click button and import your user.crt - Client key: click button and import your user.key - Certificate revocation: LEAVE EMPTY - TLS-auth key: click button and import your ta.key - Click "Next" - Select all options and click "Done" Now you have working OpenVPN link on your Synology. You just need to start it from "Control panel" - "Network" - "Network Interface". If you want to make your connection faster, you can remove some ciphers. Look for this line in .ovpn file: data-ciphers AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC And change it to this: data-ciphers AES-128-GCM Then save file and create new connection with it. After some testing I found out AES-128-GCM is fastest from all other mentioned in settings. You can also test other ciphers your self and leave one you find fastest. EXTRAS!!! 3. Setting up external access to your Synology. First what you will notice is, "I CAN'T ACCESS MY SYNOLOGY FROM OUTSIDE OF MY LAN!!!!!!! OMG OMG OMG!!!!" I will not explain port fowards on your router here, if you don't know how to make one, learn! (1) You can port forward trough AirVPN webpage and access your Syno via VPN exit IP. This sometimes works, most of times it doesn't since Syno has some ports you cannot change. Anyway, change your default HTTP / HTTPS port on Syno to your forwarded AirVPN port and you should be fine. But forget about Cloudstation and similliar things. (2) If you want to access Syno via you ISP IP (WAN), then problem is, your Syno is receiving your connection, but it's replying trough VPN. That's a security risk and those connections get droped. But there is solution! - Access "Control panel" - "Network" - "General" - Click "Advanced Settings" button - Mark "Enable multiple gateways" and click "OK" and then "Apply" You're done! It's working now (if you forwarded good ports on your router). 4. Prevent leaks when VPN connection on Synology fails. There will be time, when you VPN will fail, drop, disconnect, and your ISP IP will become visible to world. This is one of ways you can prevent it, on router level. For this you need Tomato, Merlin, DD-WRT or OpenWRT firmware on your router. I will tell you steps for Tomato router. If you are using different firmware, then you need to learn alone how to input this code into your router. Since Shibby version 129 for ARM routers, syntax of iptables changed and depending on which version of iptables you are using, apply that code. - Login to your router (usually just by entering 192.168.1.1 into your browser, if your IP is different, find out which is your gateway IP). - Click on "Administration" - Click on "Scripts" - Choose tab "Firewall" For Shibby v129 for ARM and later (iptables 1.4.x) us this: #Use this order of commands because it executes in reverse order. #This command will execute last, it kills all UDP requests. iptables -I FORWARD -p udp -s 192.168.1.100 -j REJECT #This command will execute second and will block all TCP source ports except those needed for web access or services iptables -I FORWARD -p tcp -s 192.168.1.100 -m multiport ! --sports 5000,5001,6690 -j REJECT #This command will execute first and will ACCEPT connection to your VPN on destination port 443 UDP iptables -I FORWARD -p udp -s 192.168.1.100 -m multiport --dports 443 -j ACCEPT For earlier Shibby versions and later for MIPS routers: #Use this order of commands because it executes in reverse order. #This command will execute last, it kills all UDP requests. iptables -I FORWARD -p udp -s 192.168.1.100 -j REJECT #This command will execute second and will block all TCP source ports except those needed for web access or services iptables -I FORWARD -p tcp -s 192.168.1.100 -m multiport --sports ! 5000,5001,6690 -j REJECT #This command will execute first and will ACCEPT connection to your VPN on destination port 443 UDP iptables -I FORWARD -p udp -s 192.168.1.100 -m multiport --dports 443 -j ACCEPT Port TCP 5000 = HTTP for for Synology web access (change to your if it's not default) Port TCP 5001 = HTTPS for for Synology web access (change to your it's not default) Port TCP 6690 = Cloud Station port Port UDP 443 = AirVPN connection port which you defined in step 1 of this tutorial. If you are using TCP port, then you need to change "-p udp" to "-p tcp" in that line. If you need more ports, just add them separated by comma ",". If you want port range, for example 123,124,125,126,127, you can add it like this 123:127. Change IP 192.168.1.100 to your Synology LAN IP. Be careful NOT TO assign those ports to your Download Station on Synology. This isn't perfect, you can still leak your IP through UDP 443, but since torrent uses mostly TCP, those chances are minimal. If you use TCP port for VPN, then those chances increase. If you really want to be sure nothing leaks even on UDP 443 (or your custom port), you need to choose 1 (ONE) AirVPN server. You need to find that server entry IP and change last IPTABLES rule to something like this: iptables -I FORWARD -p udp -s 192.168.1.100 -d 123.456.789.123 -m multiport --dports 443 -j ACCEPT Where 123.456.789.123 is AirVPN server entry IP. This will allow UDP 443 only for that server, rest will be rejected by router. These are all my opinions, from my very limited knowledge, which may be right and may be wrong. 5. Auto reconnection when VPN is down. Since when you made your VPN connection on your Synology, you checked "Reconnect" option, Syno will try to reconnect automaticly when connection fails. But in some cases, your network will be offline long enough and Syno will stop trying to reconnect, or will hang with VPN connection established, but not working. In those cases you can use this auto reconnect script. This is reconnect script. Just select all script text and copy it. #VPN Check script modified Sep 11, 2016 #Script checks if VPN is up, and if it is, it checks if it's working or not. It provides details like VPN is up since, data #received/sent, VPN IP & WAN IP. #If VPN is not up it will report it in the log file and start it #Change LogFile path to your own location. #Save this script to file of your choosing (for example "synovpn_reconnect"). Store it in one of your Synology shared folders and chmod it: "chmod +x /volume1/shared_folder_name/your_path/synovpn_reconnect" #Edit "/etc/crontab" and add this line without quotes for starting script every 10 minutes: "*/10 * * * * root /volume1/shared_folder_name/your_path/synovpn_reconnect" #After that restart cron with: "/usr/syno/sbin/synoservicectl --restart crond" #!/bin/sh DATE=$(date +"%F") TIME=$(date +"%T") VPNID=$(grep "\[.*\]" /usr/syno/etc/synovpnclient/openvpn/ovpnclient.conf | cut -f 2 -d "[" | cut -f 1 -d "]") VPNNAME=$(grep conf_name /usr/syno/etc/synovpnclient/openvpn/ovpnclient.conf | cut -f 2 -d "=") LogFile="/volume1/filmovi/Backup/airvpn/check_airvpn_$DATE.log" PUBIP=$(curl -s -m 5 icanhazip.com) #PUBIP=$(curl -s -m 5 ipinfo.io/ip) #PUBIP=$(curl -s -m 5 ifconfig.me) CHECKIP=$(echo $PUBIP | grep -c ".") start_vpn() { echo "VPN is down. Attempting to (re)start now." >> $LogFile # /usr/syno/bin/synovpnc kill_client --protocol=openvpn --name=$VPNNAME /usr/syno/bin/synovpnc kill_client /bin/kill `cat /var/run/ovpn_client.pid` 2>/dev/null sleep 35 echo 1 > /usr/syno/etc/synovpnclient/vpnc_connecting echo conf_id=$VPNID > /usr/syno/etc/synovpnclient/vpnc_connecting echo conf_name=$VPNNAME >> /usr/syno/etc/synovpnclient/vpnc_connecting echo proto=openvpn >> /usr/syno/etc/synovpnclient/vpnc_connecting /usr/syno/bin/synovpnc reconnect --protocol=openvpn --name=$VPNNAME >> $LogFile } sleep 6 echo "======================================" >> $LogFile echo "$DATE $TIME" >> $LogFile if ifconfig tun0 | grep -q "00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00" then if [ "$CHECKIP" == 1 ] then IPADDR=$(/sbin/ifconfig tun0 | grep 'inet addr' | cut -d: -f2 | awk '{print $1}') RXDATA=$(/sbin/ifconfig tun0 | grep "bytes:" | cut -d: -f2 | awk '{print $1,$2,$3}') TXDATA=$(/sbin/ifconfig tun0 | grep "bytes:" | cut -d: -f3 | awk '{print $1,$2,$3}') UPTIME=$(cat /var/log/messages | grep "$IPADDR" | awk '{print $1}' | tail -1) UPTIME=$(date -d"$UPTIME" +"%Y/%m/%d %H:%M:%S") echo "VPN is up since: $UPTIME" >> $LogFile echo "Session Data RX: $RXDATA" >> $LogFile echo "Session Data TX: $TXDATA" >> $LogFile echo "VPN IP is: $IPADDR" >> $LogFile echo "WAN IP is: $PUBIP" >> $LogFile else start_vpn fi else start_vpn fi exit 0 (1) Login to you Synology DSM web interface as admin. - As admin go to "Control panel" - "Task Scheduler" (you need to enable advanced mode in top right corner of control panel for this) - Click "Create" button near top of page, then select "Scheduled Task" and then "User-defined script" (2) New popup window will open. - under "Task:" enter task name - under "User:" select "root" if it's not already selected - switch to "Schedule" tab and select how often you want this task to run, my settings are: - "Run of following days" - "Daily" - "First run time" - 00:00 - "Frequency" - "Every 10 minutes" - "Last run time" - 23:50 - switch to "Task settings" tab - paste script you copied into empty box under "User-defined script" title - press OK and you're done I tested this on DSM 6.2.2 and it works without problems for now. Still, I'm keeping old instructions in next post, if someone wants to do it like that. Tip: If you don't want logfile, you can comment out those lines, or remove ">> $LogFile" code from whole script. That's all. If you entered everything correctly, you should be fine and ready to go! Comments are welcome. If you find mistakes, please correct me.

https://lttelevision.com/product/mango-vpn/ I would love to have a little box like that for Air. Its possible I could simply buy that box and maybe change the config to point to Air instead. Anyone seen anything like this?

I can confirm this and reproduce it on a 1024x768 screen. Beyond 1000px the site layout changes from one looking like it's for mobile to the full desktop one and that's where the font overlaps with the logo.

An ipleak.net server issue, now fixed.

Sao Paulo is as cental America as you can get. "Lite South" America would be something like Mexico/Panama in where it would be better getting a server in Miami instead, for both ping and bandwidth related performance. Geographical center: Panama/Mexico/Costa Rica - Most providers are limited to lease a shared 100mbit connection per customer. This is because they have max 5-10Gbit per datacenter or less. Because of that, their main peering happens to be with U.S. providers, so see the sentence above. "Southern South": Rest of the countries are not going to happen - Peru, Chile, Argentina. No sufficient datacenters to offer quality bandwidth for a reasonable price. Wholesale of 1Gbit almost unspoken of. Bolivia, Paraguay, Uruguay - the same reasons as above, + add at least 5 more years for their availability after the countries above. Most providers in those areas offer only shaped 10Mbit traffic (yes, in 2019) with a burstable option to 100Mbit with a very high premium. Those providers mostly offer local data as well as CDN to companies like Akamai, Cloudflare, Google which is their most profitable way of operation. Other Caribbean islands or countries with less than 5M residents - can be totally dismissed. Not a valid option even for large "Big 10" companies to operate. An exotic new location will not give you the privacy/performance you would probably assume from a service like Air. So this is a strategic point which is totally transparent and provable. Don't make other providers who sell fake GeoIP locations (this is possible and actually much cheaper) or sell VPS/Cloud connectivity with limited 100Mbit b/w make your decision here, test your own locations with your maximum speed before you buy a VPN service. And always remember: If AirVPN ever wanted to cross that grey area, there would probably be 50 available countries now. Or maybe 100. This is not an ethical way to do (VPN) business. Not flagging any competitors here since we all know who they are. // Finding even a single provider in South America with apparently enough bandwidth and acceptable prices (probably because they have more than utilized) is not an easy task by it's own. Right now no other country can probably overcome Brazil by price/performance, where even 3 years ago the situation was nearly as same as above. Same things happen is East Asia as well, where I am more native, and is directly linked to the country GDP. (The case has some exceptions in countries like Ukraine, Romania) because they are strategically and historically big EU transit points where AirVPN operates. But largely if it costs more than an average monthly salary to get a 100mbit connectivity, this country cannot be generally considered as a valid location.

I just saw it for the first time this morning and I dig it! FINALLY my login is saved and I don't have to sign in every time I come to the website now!!! YAAAAAAAAAY!

I got to ask, cause I'm lazy to search, can pfsense be installed on this puppy Sent from my SM-N960U using Tapatalk

Updated to reflect changes on 03-Aug-18 (previously, access was blocked from most servers).

I just started tinkering with VPN on my Synology as well. I have set it up succesfully using the above guide. But I have some connections that need to go around the VPN as well (mainly SSL connections to usenet servers). I have created a passthrough by adding static routes to the routing table in the Synology configuration that explicitly go to the specific usenet server (ranges). This seems to work quite well, but of course is not useful if the IP address of the destination servers do change.

Tried restarting DS? I don't use DSM 6.1, so I wouldn't know if something changed. But sometimes same thing happens to me on 6.0, VPN is up, but you can't reach anything. Not sure if it's DSM problem or AirVPN problem, but DS reboot usually fix it.

Hi Mikeyy, thanks to your excellent manual I've setup VPN on my DS. The VPN started, but nothing is routed over it. As a test I downloaded something via a newsserver with Downloadstation. But according to the Network Interface the amount of sent and received bytes stays at zero. And in my AirVPN the traffic also stays at 12/13 Kb received/sent. Any idea? p.s. I am on DSM 6.1 beta with active airvpn membership. During install there was no option to compress data on the VPN. I still can connect to the webinterface of my DS without implementing 3.1.

Thank you.

Website: http://www.rsi.ch/ Website: http://www.srf.ch/ Swiss public television channels (RSI, SRF). Status: OK Native: CH servers. Routing: All other servers.

Website: http://www.tf1.fr Official site of French television channels (TF1, TMC, NT1, HD1) Status: OK Native: FR servers. Routing: All other servers.

Website: http://www.mtv.it Italian website and streaming TV Status: OK Routing: All servers to IT route.

Website: http://www.dmax.it Italian streaming TV Status: OK Routing: All servers to IT route.

Probably because they decided not to use women and children as suicide bombers, or fire rockets indiscriminately into civilian areas. But this isn't really the place to discuss it.

They also reserve the right to kill anyone with a drone strike at the push of a button. No trial needed.

Synopsis This program, for Windows, Linux and OS X, opens a socket to listen or send packets to an address. It can be useful to debug the Port Forwarding with AirVPN. The IP list is automatically compiled from your interfaces. If you connect to a different server, refresh (the green icon) the list to view the new 10.* IP address.Using IP 0.0.0.0 and listening means listening on all interfaces.Each line in the log is a connection.The Send button sends a string with AirVPN text and the current date (RFC 822) to the specified address.If you use the Check button in AirVPN Port Forwarding page, you will see a line without 'IN' bytes and with 'TCP Closed' status. This is because our checking simply opens and closes a socket, without sending any data. Download Current version: 1.3 - 27/06/2013 Binary (.NET Framework 2, recommended with Windows XP/Vista/7)Binary (.NET Framework 4, recommended with Windows 8 and above)Source code (GPL3) Linux and OS X support Download the ".Net 2" version. The program requires Mono. Packages required: Debian / Ubuntu:apt-get install mono-runtime libmono-winforms2.0-cil libmono-corlib2.0-cilRHEL6, Centos6, Scientific-Linux6, etc and Fedora distros:sudo yum install mono-core mono-winformsUnder OS X, install Mono.Launch with:mono PortListen_net2.exe

Hello! If you have any problem, please submit a help request with the "Contact us" form, attaching the following data: - your network zones - your global rules - your application rules - Comodo Firewall events logs - your client logs Kind regards

Hello! We're very glad to inform you that a new 1 Gbit/s server located in São Paulo, BR, is available: Peony. Peony is our first server in South America and we are very proud to start operating there. Special thanks go to out moderator Zhang who helped us find a datacenter with particularly good connectivity The AirVPN client will show automatically the new server. If you use the OpenVPN client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator"). The server accepts connections on ports 53, 80, 443, 1194, 2018 UDP and TCP. Just like every other "second generation" Air server, Peony supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.2 and tls-crypt. Full IPv6 support is included as well. As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses. You can check the server status as usual in our real time servers monitor: https://airvpn.org/servers/peony Do not hesitate to contact us for any information or issue. Kind regards and datalove AirVPN Team

The server doesn´t appear to be very popular but I wouldn´t want it to disappear completely.

spookygoy nailed exactly what i did, localbitcoin i made that account totally legit, sent in my id blah blah that's my 'public' account, from there you can then do whatever and however you want to move things around lots of guides and tuts online i know some of the guides online have titles like 'how to buy xyz online anonymously' and yeah most folks know what that is meant for but truth is that's also a good way to move xyz around and have a 'backup' for a rainy day this is one of the things i learned from this forum and can't say thanx enough on coz even tho been around tech a bit lots of areas didn't venture into, btc is one of them and i'm really glad i did happy safe holidays to all if it applies sincerely, cm0s

ADVCash cards work well.

I like where AirVPN fits into a safe and uncensored internet. I hope AirVPN can continue to do this effectively after TTIP takes a hold. It will be stronger than ICANN. Avaaz.org has covered some of this. But I'm just here to hide from the advertising. facebook blocked me straight away and started whining about verification so I know it is working

A refreshed guide is available here: Prerequisite Install DD-WRT on router go to https://www.dd-wrt.com/ Select "router database", then enter you router model number. Follow the instructions as described and install the DD-WRT *vpn*.bin. Steps Create configuration files from our Config Generator. Select the server location and port you want to connect to, tick "Advanced Mode", tick "Separate certs/keys from .ovpn file", then generate and download the configuration files. Under the router "setup tab" locate your router's local IP address. Go to Specs page of AirVPN website and locate Air VPN DNS for the server you want to connect to, and enter it under Static DNS 1. Navigate to the "Services" tab then select the "VPN" tab. Select "Enable" under OpenVPN Client. Set the Server IP/Name and Port to the Air VPN server you selected (see here to determine VPN server entry-IP address: https://airvpn.org/topic/14378-how-can-i-get-vpn-servers-entry-ip-addresses ). Set Tunnel Device to "TUN" Set Tunnel Protocol to either "UDP" or "TCP" according to the Air VPN server you selected Set Encryption Cipher to " AES-256" Set Hash Algorithm to "SHA1" Put a check mark beside "nsCertType verification" Select "Enable" Advanced Options Select "Enable" LZO Compression Select "Enable" NAT Set Local IP Address to the router's local IP address found earlier. Set TLS Cipher to "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" or "None" Unzip the AirVPN configuration file you downloaded. Using your favorite text editor - Open up "ca.crt" and copy all of the contents into the CA Cert window. - Open up "user.crt" and copy only and including "----- BEGIN CERTIFICATE----- to the end of ----- END CERTIFICATE----- " into Public Client Cert. - Open up "user.key" and copy all of the contents into Private Client Key. - Open up "ta.key" and copy all of the contents into TLS Auth Key Select "Save" at the bottom of the page then "Apply Setting" Select "Save" at the bottom of the page then "Apply Setting" DD-WRT firewall rules Go to "Administration" tab then select the "Commands" tab. Copy the following firewall rules into the command window (IMPORTANT: check your tun interface name and set it accordingly - some firmware builds will have tun1 and not tun0) iptables -I FORWARD -i br0 -o tun0 -j ACCEPT iptables -I FORWARD -i tun0 -o br0 -j ACCEPT iptables -I INPUT -i tun0 -j REJECT iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE Click on "Save Firewall" Verification of VPN setup Go to https://airvpn.org and at the bottom of the screen it should show you are connected. Trouble Shooting If you're not shown as connected wait a minute then refresh the web (it could take a minute to make a connection with the VPN and log in). Go to DD-WRT configuration and navigate to the "Services" tab, then "VPN" tab. Once there go to the bottom of the page and click on "Apply Settings". Once completed wait a minute and verify your connection again. If you're still not connected verify the server status you're trying to connect to. Go to Air VPN website and log in, then navigate to "Support" and select "Server Status". If server is down reconfigure DD-WRT to connect to another server. If you are still have difficulties connecting, view the OpenVPN log file in DD-WRT. You can find the log by going to DD-WRT configuration and navigating to the "Status" tab and selecting "OpenVpn". Hopefully the log will give you some indication of why you can not connect. Still having issues Contact Air VPN support, they are quick at responding back to you and very knowledgeable. Another option is to ask on the Air VPN forums.