Synology DSM 4 & 5 Openvpn client 7


I was pleasantly surprised when I did find out, that had added a VPN client in their DSM 4 release. This VPN client supports either PPTP or openvpn. Openvpn support is what I am interested in. Unfortunately openvpn wizard in DSM assumes that username authentication is used. I need certificate authentication. Fortunately it can be arranged.
First create a bogus openvpn connection. It creates some configuration files and a connection name that can be started up via GUI.
Changing those configuration files is done via ssh to Diskstation.
DSM 4.0-2198 has
OpenVPN 2.1.4 armle-unknown-linux [SSL] [LZO2] [EPOLL] built on Feb 23 2012

Openvpn configuration files are located at:
/usr/syno/etc/synovpnclient/openvpn
The interesting file is client_XX something. It is a plain openvpn configuration file.
It is a bit inconvenient to edit this file directly in ssh session to Diskstation, so I copied it to a shared folder and changed it there. Copied it back later. Shared folders are, what Diskstation is used for, right?
I got inspiration for setting up my Synology DS211j as openvpn client from this posting

My openvpn configuration looks like this:

client
float
resolv-retry infinite
nobind
persist-key
persist-tun
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
ns-cert-type server
tls-auth keys/ta.key 1
cipher BF-CBC
verb 5
log openvpn.log

dev tun
tls-client
remote myserver 1194
pull
proto udp
comp-lzo
script-security 2
reneg-sec 0
explicit-exit-notify
plugin /lib/openvpn/openvpn-down-root.so /etc/ppp/ip-down
#auth-user-pass /tmp/ovpn_client_up

As long as I do not edit that pseudo config in VPN GUI all is good. Connect works and it seems to reconnect after connection loss.
Connection stability is still to be tested.

Update: The same procedure also works with DSM 5 and stability is good. Even reconnects, if needed.


Leave a comment

Your email address will not be published. Required fields are marked *

7 thoughts on “Synology DSM 4 & 5 Openvpn client

  • eric

    What do you make of this error – this is the output following a peer connection initiated

    Mon Apr 30 11:39:15 2012 SENT CONTROL [server]: ‘PUSH_REQUEST’ (status=1)
    Mon Apr 30 11:39:16 2012 PUSH: Received control message: ‘PUSH_REPLY,dhcp-option DNS 8.8.8.8,redirect-gateway,route 10.10.0.1,topology net30,ping 20,ping-restart 240’
    Mon Apr 30 11:39:16 2012 OPTIONS IMPORT: timers and/or timeouts modified
    Mon Apr 30 11:39:16 2012 NOTE: –mute triggered…
    Mon Apr 30 11:39:16 2012 3 variation(s) on previous 3 message(s) suppressed by –mute
    Mon Apr 30 11:39:16 2012 ROUTE default_gateway=192.168.1.254
    Mon Apr 30 11:39:16 2012 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a –route option and no default was specified by either –route-gateway or –ifconfig options
    Mon Apr 30 11:39:16 2012 OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.10.0.1
    Mon Apr 30 11:39:16 2012 Note: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
    Mon Apr 30 11:39:16 2012 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
    Mon Apr 30 11:39:16 2012 Cannot allocate TUN/TAP dev dynamically
    Mon Apr 30 11:39:16 2012 Exiting

    • owl Post author

      Most important first:

      Note: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)

      It seems that tun module is not loaded. Openvpn needs this to work. You should have tun.ko somewhere below /lib/modules/. Try modprobe tun and look at dmesg.

  • Martijn

    Wow, thanks. I’ve been searching for a way to make the VPN auto-reconnect, and this seems to have done the trick 🙂

  • Me, david

    Hi,

    Which VPN provider are you using, if I might ask ?

    I succesfully setup a connection with PIA but I’m having troubled with TorPVN. The latter uses TCP so I changed the protocol in the client config but to no avail.

    The benefit of TorVPN is that they support push routes (to exclude DDNS IP range) and for personal use I need an Hungarian IP. Adding a static route (route add) in the Synology apparantly has a lower priority than the default gateway of the VPN tunnel.

    Any help is welcome here, it’s been two days that I’m troubleshooting this.

    Regards

  • steve

    I had previously managed to setup the disk station to connect to the openvpn server the way you described, but it stopped working after the upgrade to dsm 5.0. i take it you haven’t experienced any problem with dsm5.0?

  • steve

    found the problem.

    i am on dsm 5.0-4493 update 1. i found that openvpn 2.3 introduced a bug concerning “explicit-exit-notify” (which they fixed in 2.3.1). dsm 5.0 probably is using 2.3, so by just commenting out the “explicit-exit-notify” will fix this problem.