Enabling VPN while preserving external access in your home NAS

Enabling a VPN on a home NAS is a good way (some might say a paramount requirement) to preserve your privacy when using certain applications. While the highest flexibility comes from running the NAS directly on a Linux machine, out-of-the-box solutions can win in convenience thanks to built-in applications and mobile app support. One such solution is Synology. In this post I will describe how to set up OpenVPN on a Synology NAS while still preserving access from the outside.

Find a VPN provider

The first thing to do is to find a VPN provider. While there are many possibilities, based on my experience I can highly recommend iVPN. Apart from providing very stable VPN connections while introducing low overhead, iVPN maintains servers in different countries, which might also be convenient for using services such as Netflix or Pandora. Besides, they are members of the EFF and adhere to good service provider practices such as maintaining a warrant canary.

Independently of the VPN provider you choose, it is important to check that they support OpenVPN and that they provide certificates and configuration files for their different servers. For iVPN, those can be downloaded here. When you download these files, copy them into a directory (we will refer to this directory as $IVPN_CONFIG).

Configure OpenVPN

To configure the VPN on our Synology box, we will make use of the command line; Synology’s GUI allows configuring a primitive VPN service, but this is not enough for configuring a VPN using OpenVPN and certificates. Note that we will need ssh access privileges to the NAS.

We will use the following convention for the VPN configuration:

XXX = Name of the client (as in client_XXX)
$USERNAME = VPN username.
$PASSWORD = VPN password.
$IVPN_CONFIG = Name of the VPN configuration directory where the VPN configurations and certificates are located.
$AUTH_FILE = File where the VPN $USERNAME and $PASSWORD are stored.
$VPN_SERVER = Server (e.g., gw1.ch.ivpn.net). In the example we will use gw1.ch.ivpn.net, which corresponds to iVPN’s Swiss server. This can be changed, as can the port and protocol (2049 and udp respectively).

Step 1. First, we log into the Synology NAS using a browser and navigate the GUI:

Control Panel > Network > Network Interface > Create > Create VPN Profile.

We choose OpenVPN and enter the data obtained from our VPN provider. This will not create the right configuration, but it will create the skeleton that we will use later on.

Step 2. Then, we access the NAS from the terminal using ssh. The following commands will create a symbolic link to the openvpn configuration directory in our home directory. This is convenient for future use.

$ ln -s /usr/syno/etc/synovpnclient/openvpn/

And we copy the VPN configuration files to our Synology box. From a terminal in our local machine:

$ scp -r $DOWNLOAD_DIR/$IVPN_CONFIG $SYNOLOGY_USERNAME@$SYNOLOGY_IPADDRESS:~/openvpn/

Step 3. Now on the Synology (over ssh), we go to the openvpn directory. Here, we are interested in two files: client_XXX.crt and ovpnclient.conf; these hold the OpenVPN configuration. The configuration I use is the following:

$ vi client_XXX.crt
client
dev tun
proto udp
tls-client
log log.log

remote gw1.ch.ivpn.net 2049
auth-user-pass $AUTH_FILE

resolv-retry infinite
nobind
persist-tun
persist-key

ca $IVPN_CONFIG/ca.crt
cert $IVPN_CONFIG/client1.crt
key $IVPN_CONFIG/client1.key
tls-auth $IVPN_CONFIG/ta.key 1

cipher AES-256-CBC
ns-cert-type server
comp-lzo
verb 3

up /usr/syno/etc.defaults/synovpnclient/scripts/ovpn-up
route-up /usr/syno/etc.defaults/synovpnclient/scripts/route-up
script-security 2
explicit-exit-notify
plugin /lib/openvpn/openvpn-down-root.so /usr/syno/etc.defaults/synovpnclient/scripts/ip-down

$ vi ovpnclient.conf
[oXXX]
nat=no
protocol=udp
redirect-gateway=no
comp-lzo=yes
route-nopull
pass=$GENERATED
port=2049
reconnect=yes
conf_name=@VPN_NAME
user=$USERNAME
remote=gw1.ch.ivpn.net

Step 3. Finally, we create $AUTH_FILE and write our VPN $USERNAME and $PASSWORD on two separate lines.

$ vi $AUTH_FILE
$USERNAME
$PASSWORD
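
The credentials file holds the VPN username and password in clear text, so it should be readable by its owner only. The following is an added example, not part of the original post: a POSIX shell check of the file's permissions and two-line layout, where the function name check_auth_file is hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check an OpenVPN auth-user-pass credentials file.
# check_auth_file is a hypothetical helper name, not a Synology or OpenVPN tool.

# Prints "ok" or the reason for failure; returns 0 only when the file passes.
check_auth_file() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 1; }

    # First 10 chars of `ls -l` are type + rwx bits for user/group/other.
    # The last six (group and other) must all be "-", i.e. mode 600 or 400.
    mode=$(ls -ln "$f" | cut -c1-10)
    case $mode in
        ????------) ;;
        *) echo "too-permissive"; return 1 ;;
    esac

    # Layout from the post: line 1 = username, line 2 = password,
    # nothing else apart from optional trailing blank lines.
    awk 'NR <= 2 && $0 == "" { bad = 1 }
         NR >  2 && $0 != "" { bad = 1 }
         END { exit (bad || NR < 2) }' "$f" ||
        { echo "bad-layout"; return 1; }

    echo "ok"
}

# Create the file with owner-only permissions from the start:
#   (umask 077; vi "$AUTH_FILE")
# or tighten an existing one:
#   chmod 600 "$AUTH_FILE"

if [ $# -gt 0 ]; then check_auth_file "$1"; fi
```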

Step 4. We come back to the GUI (Control Panel > Network > Network Interface) and click on “connect” under the VPN interface. Meanwhile, in the terminal (ssh to Synology) look at the log file to check that everything is correct.

$ tail -f log.log

The connection should succeed. Now from the terminal, check that your public IP corresponds to the country where the server is located:

$ wget -qO- http://ipecho.net/plain ; echo

There are many ways to do this. A simple one is just copying the IP address into iplocation.net.

Also, if you have configured a Synology DDNS you can see your public IP address from Control Panel > External Access > DDNS

Enable external access

If you had configured access to your NAS from outside your network (e.g., mobile apps, Cloud Station), you will notice that they have all stopped working. The reason is that all traffic is redirected through the VPN interface (e.g., tun0). Thus, any incoming connection is lost. This can be seen by looking at the routing tables (route -n).
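
The routing-table check mentioned above can be scripted. This added example (not from the original post) parses `route -n` output and reports the interface that carries default outbound traffic; going beyond the case in the post, it also handles the two half-range routes that OpenVPN's `redirect-gateway def1` installs. The sample table, its addresses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find which interface carries outbound traffic by default,
# given `route -n` output on stdin. Function names are hypothetical.

# Constructed sample (addresses invented): tunnel up, OpenVPN "def1" style.
sample_routes() {
    cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
EOF
}

# Columns: Destination Gateway Genmask Flags Metric Ref Use Iface.
effective_default_iface() {
    awk '
        # Two /1 routes covering 0.0.0.0/0 are more specific than the /0
        # default and win regardless of metric.
        $1 == "0.0.0.0"   && $3 == "128.0.0.0" { low[$8] = 1 }
        $1 == "128.0.0.0" && $3 == "128.0.0.0" { high[$8] = 1 }
        # Otherwise the plain default route with the lowest metric applies.
        $1 == "0.0.0.0" && $3 == "0.0.0.0" {
            if (best == "" || $5 + 0 < metric) { best = $8; metric = $5 + 0 }
        }
        END {
            for (i in low) if (i in high) { print i; exit }
            if (best != "") print best
        }'
}

# Succeeds when default traffic leaves through a tun interface.
vpn_is_default() {
    case $(effective_default_iface) in
        tun*) return 0 ;;
        *)    return 1 ;;
    esac
}

sample_routes | effective_default_iface    # prints tun0
```

On the NAS itself, `route -n | effective_default_iface` gives the same answer for the live table.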

Traditionally, this is solved by enabling multiple routing tables, which allow managing traffic at a finer granularity. Unfortunately, Synology boxes are not so easy to update when it comes to recompiling the Linux kernel and installing a package manager: updates become messy, packages vary depending on the model and the chipset used, etc.

Since version 5.1, however, a new option in the GUI allows enabling multiple gateways simultaneously and replying to requests that target specific interfaces. I am not sure how this works exactly, since ip tables are not modified. Either way, in Control Panel > Network > General > Advanced Settings (under Manually configure DNS server), enabling the two available options gives the wanted behaviour.

Now, all traffic initiated by the NAS will go through the VPN interface, while connections initiated from the outside will be answered using the incoming interface. Note that it is not necessary to make any modifications to the router(s) (e.g., forwarded ports) or to the Synology firewall: the VPN should now be transparent to all incoming connections.

Check that everything works fine

Finally, come back to Step 4 and check that the public IP address corresponds to the country where the VPN server is located. Try connecting to the Synology NAS with one of the mobile apps from outside your local network. If it works, you have succeeded 🙂

Note that this is a very experimental approach. Checking the ip tables generated by OpenVPN and analyzing incoming and outgoing packets allows us to be sure that the interface split is as clean as we wanted it to be. If interested, Wireshark is the best tool I know.

Troubleshooting

If you find that you cannot access your Synology media center after configuring the VPN, uncheck the advanced settings in the Synology GUI, apply, and then apply them again. These options should be applied after the VPN is already up and running.

Enjoy! 🙂

Javier.

2 thoughts on “Enabling VPN while preserving external access in your home NAS”

  1. I had done the exact steps you’ve described in your post and it just wouldn’t work, which is why I searched online, leading me here.
    Then I did the same steps again following your guide and now it works!
    Must have been some magic bits coming from your post 🙂

    One question remains though. On the “Network Interface” tab the “Service Order” can be changed manually. Does the activation of “Multiple Gateways” make the service order irrelevant?

    Thanks for a well structured and easy to follow post!
