I was pleasantly surprised when I did find out, that had added a VPN client in their DSM 4 release. This VPN client supports either PPTP or openvpn. Openvpn support is what I am interested in. Unfortunately openvpn wizard in DSM assumes that username authentication is used. I need certificate authentication. Fortunately it can be arranged.
First create a bogus openvpn connection. It creates some configuration files and a connection name that can be started up via GUI.
Changing those configuration files is done via ssh to Diskstation.
DSM 4.0-2198 has
OpenVPN 2.1.4 armle-unknown-linux [SSL] [LZO2] [EPOLL] built on Feb 23 2012
Openvpn configuration files are located at:
/usr/syno/etc/synovpnclient/openvpn
The interesting file is client_XX something. It is a plain openvpn configuration file.
It is a bit inconvenient to edit this file directly in ssh session to Diskstation, so I copied it to a shared folder and changed it there. Copied it back later. Shared folders are, what Diskstation is used for, right?
I got inspiration for setting up my Synology DS211j as openvpn client from this posting
My openvpn configuration looks like this:
client float resolv-retry infinite nobind persist-key persist-tun ca keys/ca.crt cert keys/client.crt key keys/client.key ns-cert-type server tls-auth keys/ta.key 1 cipher BF-CBC verb 5 log openvpn.log dev tun tls-client remote myserver 1194 pull proto udp comp-lzo script-security 2 reneg-sec 0 explicit-exit-notify plugin /lib/openvpn/openvpn-down-root.so /etc/ppp/ip-down #auth-user-pass /tmp/ovpn_client_up
As long as I do not edit that pseudo config in VPN GUI all is good. Connect works and it seems to reconnect after connection loss.
Connection stability is still to be tested.
Update: The same procedure also works with DSM 5 and stability is good. Even reconnects, if needed.
What do you make of this error – this is the output following a peer connection initiated
Mon Apr 30 11:39:15 2012 SENT CONTROL [server]: ‘PUSH_REQUEST’ (status=1)
Mon Apr 30 11:39:16 2012 PUSH: Received control message: ‘PUSH_REPLY,dhcp-option DNS 8.8.8.8,redirect-gateway,route 10.10.0.1,topology net30,ping 20,ping-restart 240’
Mon Apr 30 11:39:16 2012 OPTIONS IMPORT: timers and/or timeouts modified
Mon Apr 30 11:39:16 2012 NOTE: –mute triggered…
Mon Apr 30 11:39:16 2012 3 variation(s) on previous 3 message(s) suppressed by –mute
Mon Apr 30 11:39:16 2012 ROUTE default_gateway=192.168.1.254
Mon Apr 30 11:39:16 2012 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a –route option and no default was specified by either –route-gateway or –ifconfig options
Mon Apr 30 11:39:16 2012 OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.10.0.1
Mon Apr 30 11:39:16 2012 Note: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
Mon Apr 30 11:39:16 2012 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Mon Apr 30 11:39:16 2012 Cannot allocate TUN/TAP dev dynamically
Mon Apr 30 11:39:16 2012 Exiting
Most important first:
Note: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
It seems that tun module is not loaded. Openvpn needs this to work. You should have tun.ko somewhere below /lib/modules/. Try modprobe tun and look at dmesg.
Thank you so much for your howto, it worked for me after my first attempt!!
Wow, thanks. I’ve been searching for a way to make the VPN auto-reconnect, and this seems to have done the trick 🙂
Hi,
Which VPN provider are you using, if I might ask ?
I succesfully setup a connection with PIA but I’m having troubled with TorPVN. The latter uses TCP so I changed the protocol in the client config but to no avail.
The benefit of TorVPN is that they support push routes (to exclude DDNS IP range) and for personal use I need an Hungarian IP. Adding a static route (route add) in the Synology apparantly has a lower priority than the default gateway of the VPN tunnel.
Any help is welcome here, it’s been two days that I’m troubleshooting this.
Regards
I had previously managed to setup the disk station to connect to the openvpn server the way you described, but it stopped working after the upgrade to dsm 5.0. i take it you haven’t experienced any problem with dsm5.0?
found the problem.
i am on dsm 5.0-4493 update 1. i found that openvpn 2.3 introduced a bug concerning “explicit-exit-notify” (which they fixed in 2.3.1). dsm 5.0 probably is using 2.3, so by just commenting out the “explicit-exit-notify” will fix this problem.