A. Kayes

Connect to an OpenVPN server running on Synology DSM 7

Introduction

This is the second part of the series "Configure OpenVPN on Synology DSM 7". In the first part we set up an OpenVPN server on Synology DSM 7 and configured port forwarding and the firewall on our router and NAS.

In this part we'll see how we can connect to that OpenVPN server using the OpenVPN Connect client in Windows 10 and iOS.

The setup

The setup remains the same as what we've used in the first part:

NAS: Synology DS920+, DSM 7.1-42661 Update 4
OpenVPN server app: VPN Server package (1.4.7-2901) by Synology Inc.
Router: Ubiquiti UniFi DreamMachine

OpenVPN clients:

  • OpenVPN Connect 3.3.6.2752 on Windows 10
  • OpenVPN Connect 3.3.2.5086 on iOS 16.0.2

The OpenVPN Connect client is an official client developed and maintained by OpenVPN Inc. It can be downloaded from here:
https://openvpn.net/client-connect-vpn-for-windows/

There's another client called OpenVPN GUI. This is a community project and can also be used on Windows. It can be downloaded from here:
https://openvpn.net/community-downloads/

We'll use the official OpenVPN Connect client because its UX is nearly identical on both Windows and iOS.

Exporting the configuration file:

First we have to export the .ovpn configuration file to be used with the clients. Clicking Export Configuration exports the configuration and initiates a file download. The exported file is a .zip file that contains a VPNConfig.ovpn file (the configuration file for the client) and a README.txt file (brief instructions on how to set up the OpenVPN connection on the client).

Export Configuration

This is what the .ovpn file looks like:

dev tun
tls-client

remote YOUR_SERVER_IP 1194

# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect it's
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

#redirect-gateway def1

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

#dhcp-option DNS DNS_IP_ADDRESS

pull

# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp

script-security 2



reneg-sec 0

cipher AES-256-CBC

auth SHA512

auth-user-pass
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
MIIF...hHwg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF...GCc=
-----END CERTIFICATE-----

</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
c78b6...6c58c2
-----END OpenVPN Static key V1-----

</tls-auth>
verify-x509-name 'myhostname.synology.me' name


Let's talk about the configuration file a little.

We basically have to change one thing in the above config file. At line #4, we have to replace YOUR_SERVER_IP with the DDNS hostname, myhostname.synology.me, which we've configured in the first part. Or we can use the static IP address if we have one.

The other directive of note is redirect-gateway def1. This is what determines whether we configure a split-tunnel or full-tunnel VPN. If we want full-tunneling then we have to uncomment the directive. This means that all connection requests, including the ones for websites on the public internet, will go through the VPN server. But we're only interested in accessing the Synology apps like DS Photo, DS Video, DS File etc. (which are only available within our home network and not exposed to the public internet). So, we'll leave this commented out.

Note that:

  • OpenVPN allows VPN server to issue an authentication certificate to the clients.
  • Each time VPN Server runs, it will automatically copy and use the certificate shown at Control Panel > Security > Certificate. This is the certificate which we got from Let's Encrypt while configuring DDNS using Synology provider.
  • If we want to use a third-party certificate, we have to import the certificate at Control Panel > Security > Certificate > Add and restart VPN Server. We'll explore this in the third part of this tutorial.
  • VPN Server will automatically restart each time the certificate file shown at Control Panel > Security > Certificate is modified. We will also have to export the new .ovpn file to all clients.
  • More info on Certificates can be found here: https://kb.synology.com/en-br/DSM/help/DSM/AdminCenter/connection_certificate?version=7

Let's check firewall settings on Windows 10

Since we'll be using Windows 10 as our client OS, it's a good idea to check its firewall settings before we try to connect. We need to check whether outgoing UDP requests are allowed on remote port 1194 in Windows Firewall. I've found that it works without having to add any additional rule.

Connect using OpenVPN Connect in Windows 10

I've already installed the OpenVPN Connect 3.3.6.2752 client from the link mentioned above under 'The setup'. I've also disconnected from my home Wi-Fi network in Windows and switched to mobile hotspot so that I connect from 'outside' of my home network.

When we first launch the app, it lets us import a config file via a URL or a file upload. We'll use the file upload option.

The OpenVPN Connect client

Select the .ovpn configuration file

After selecting the .ovpn config file, we're prompted to enter the VPN Username and Password. This is the same vpnuser that we've configured in part one.

Enter VPN Username and Password

We're also asked to assign a Certificate and Key for the client, but we'll skip them because we're not concerned with Certificate Authentication in this part. We'll look at that in the third part.

Note that we can also customize the profile name at the top.

After we've entered the Username and Password, let's click the big orange CONNECT button.

Missing external certificate

But we're presented with an info dialog that says that the external certificate is missing. It also says that we can still continue if our profile allows connection without client certificate. It does, so we'll click CONTINUE.

Note:

  • By default the OpenVPN server doesn't require a client certificate.
  • In the config file for the OpenVPN server, openvpn.conf, there is a directive, verify-client-cert none, which dictates that.
  • The config file is located here on the NAS: /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf.
  • In order to access that file, we have to SSH into the NAS.
  • It's possible to tell the client not to expect a client Certificate and Key, because it's a bit annoying to skip it every time. This can be done by adding this directive to the .ovpn file: setenv CLIENT_CERT 0.
  • It's documented here: https://openvpn.net/faq/how-to-make-the-app-work-with-profiles-that-lack-a-client-certificate-key/

Anyway, after clicking CONTINUE, we're hit with another roadblock. This time the connection failed, and the error message read "Peer certificate verification failure".

Connection failed, Peer certificate verification failure

The culprit is on the last line in the VPNConfig.ovpn file above:
verify-x509-name 'myhostname.synology.me' name

This is the issue that I mentioned in the first part. That last line got added when we ticked the Verify server CN checkbox.

'Verify server CN' checkbox ticked

When the .ovpn file was exported, the myhostname.synology.me was wrapped within single quotes (''). And because of this, the client couldn't connect when the .ovpn file was imported to it. It seems like this issue only appeared in OpenVPN Connect client since version 3.3.x.

Fortunately, after a little googling around I've found a fix, which was provided by the user called DreamCypher in this OpenVPN Support Forum topic:
https://forums.openvpn.net/viewtopic.php?p=106554#p106554

The fix is very simple. We just need to wrap myhostname.synology.me within double-quotes (""):
verify-x509-name "myhostname.synology.me" name

So let's do that, import the updated .ovpn file to the client and try connecting again. It works!
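
The three profile edits described on this page (replacing YOUR_SERVER_IP, re-quoting verify-x509-name, and optionally adding setenv CLIENT_CERT 0) can be applied in one pass. This is an added example, not part of the original post; the function name patch_profile and the trimmed sample profile are assumptions constructed for illustration.

```python
import re

# Constructed sample: a trimmed copy of the exported VPNConfig.ovpn shown above.
SAMPLE_OVPN = """dev tun
tls-client

remote YOUR_SERVER_IP 1194

#redirect-gateway def1
pull
proto udp
auth-user-pass
verify-x509-name 'myhostname.synology.me' name
"""

# Matches an active (uncommented) verify-x509-name line with a single-quoted name.
VERIFY_RE = re.compile(r"^(\s*verify-x509-name\s+)'([^']*)'(.*)$")


def patch_profile(text, server, skip_client_cert=True):
    """Return (patched_text, changes) for a Synology-exported profile."""
    # Refuse whitespace/newlines so the value cannot smuggle in extra directives.
    if not re.fullmatch(r"[A-Za-z0-9.:-]+", server):
        raise ValueError("server must be a bare hostname or IP address")
    out, changes, has_flag = [], [], False
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] == ["remote", "YOUR_SERVER_IP"]:
            line = line.replace("YOUR_SERVER_IP", server, 1)
            changes.append("remote: placeholder replaced")
        m = VERIFY_RE.match(line)
        if m:  # single quotes break OpenVPN Connect 3.3.x; use double quotes
            line = f'{m.group(1)}"{m.group(2)}"{m.group(3)}'
            changes.append("verify-x509-name: re-quoted")
        if parts[:2] == ["setenv", "CLIENT_CERT"]:
            has_flag = True
        out.append(line)
    if skip_client_cert and not has_flag:
        out.append("setenv CLIENT_CERT 0")  # no client cert/key prompt
        changes.append("setenv CLIENT_CERT 0 appended")
    return "\n".join(out) + "\n", changes


if __name__ == "__main__":
    patched, log = patch_profile(SAMPLE_OVPN, "myhostname.synology.me")
    print(patched)
    print(log)
```

Running it a second time on its own output reports no changes, so it is safe to re-apply after each re-export of the profile.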

VPN connection works

Connect using OpenVPN Connect in iOS

Let's search for the OpenVPN Connect client in the App Store and install it. The client UI is nearly identical to the Windows client.

Now we have to import the VPNConfig.ovpn file. There's no need to change anything, just import the exact same file that we've imported to the Windows client.

I've put it on my Synology NAS home directory and will now open it in the DS File app in iOS.

DS File is a file manager app developed by Synology.

Open the DS File app

Then tap the ... menu and tap on Share.

Tap on Share

Tap the OpenVPN app icon to import the .ovpn file to it.

Tap the OpenVPN app icon

The UI we're presented with next is already familiar to us by now. We can customize the profile name, enter the VPN Username and Password and tap CONNECT.

We will leave the Certificate and Key field with the default value None as we're not going to use client-side Certificate Authentication. We'll look at how to do that in part three of this tutorial.

Enter Username and Password

iOS now prompts us to allow the OpenVPN app to add a VPN configuration to the OS. We will allow it.

Allow OpenVPN app to add a VPN configuration to iOS

We're asked to enter our iPhone passcode. Let's do that.

Enter iPhone passcode

Et voilà! We're connected.

VPN connection established

If we go to Settings > General > VPN & Device Management > VPN, we can see the configuration added by the OpenVPN app.

VPN configuration added by the OpenVPN app in iOS

Summary

So that's about it. Configuring the client is pretty straightforward (when it works, of course ;)). There are tons of very good tutorial videos and posts on OpenVPN all over the internet, and the OpenVPN docs are also very helpful. Hope this tutorial also comes in handy for some.

Latest comments (2)

CORAcsi

Well done articles, however, I am still uncertain about what comes next.
I have set up OpenVPN on the NAS, and the client in Windows.
How do I then use this VPN connection in Windows to connect (remotely) to DSM 7 (like I would with QuickConnect) and to say Drive Server?
Thanks,
Joe

A. Kayes

Sorry for the late reply. After establishing VPN connection to your NAS, you simply access it the same way you do it locally from home (as if you were at home).

e.g., 192.168.3.105:5001