Introduction
This is the second part of the series "Configure OpenVPN on Synology DSM 7". In the first part we've set up an OpenVPN server on Synology DSM 7, configured port forwarding and firewall on our router and NAS.
In this part we'll see how we can connect to that OpenVPN server using the OpenVPN Connect client in Windows 10 and iOS.
The setup
The setup remains the same as what we've used in the first part:
NAS: Synology DS920+, DSM 7.1-42661 Update 4
OpenVPN server app: VPN Server package (1.4.7-2901) by Synology Inc.
Router: Ubiquiti UniFi DreamMachine
OpenVPN clients:
- OpenVPN Connect 3.3.6.2752 on Windows 10
- OpenVPN Connect 3.3.2.5086 on iOS 16.0.2
The OpenVPN Connect client is an official client developed and maintained by OpenVPN Inc. It can be downloaded from here:
https://openvpn.net/client-connect-vpn-for-windows/
There's another client called OpenVPN GUI. This is a community project and can also be used on Windows. It can be downloaded from here:
https://openvpn.net/community-downloads/
We'll use the official OpenVPN Connect client as the UX is pretty identical on both Windows and iOS.
Exporting the configuration file
First we have to export the configuration .ovpn file to be used with the clients. Clicking the Export Configuration button will export the configuration and initiate a file download. The exported file is a .zip file that contains a VPNConfig.ovpn file (the configuration file for the client) and a README.txt file (simple instructions on how to set up the OpenVPN connection on the client).
Here is what the .ovpn file looks like.
dev tun
tls-client
remote YOUR_SERVER_IP 1194
# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)
#float
# If redirect-gateway is enabled, the client will redirect it's
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)
#redirect-gateway def1
# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.
#dhcp-option DNS DNS_IP_ADDRESS
pull
# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp
script-security 2
reneg-sec 0
cipher AES-256-CBC
auth SHA512
auth-user-pass
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
MIIF...hHwg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF...GCc=
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
c78b6...6c58c2
-----END OpenVPN Static key V1-----
</tls-auth>
verify-x509-name 'myhostname.synology.me' name
Let's talk about the configuration file a little.
We basically have to change one thing in the above config file. At line #4 (the remote directive), we have to replace YOUR_SERVER_IP with the DDNS hostname, myhostname.synology.me, which we've configured in the first part. Or we can use the static IP address if we have one.
The other directive of note is redirect-gateway def1. This is what determines whether we configure a split-tunnel or full-tunnel VPN. If we want full tunneling, we have to uncomment the directive. This means that all traffic, including requests for websites on the public internet, will go through the VPN server. But we're only interested in accessing the Synology apps like DS Photo, DS Video, DS File etc. (which are only available within our home network and not exposed to the public internet). So, we'll leave this commented out.
Note that:
- OpenVPN allows the VPN server to issue an authentication certificate to the clients.
- Each time VPN Server runs, it will automatically copy and use the certificate shown at Control Panel > Security > Certificate. This is the certificate which we got from Let's Encrypt while configuring DDNS using the Synology provider.
- If we want to use a third-party certificate, we have to import the certificate at Control Panel > Security > Certificate > Add and restart VPN Server. We'll explore this in the third part of this tutorial.
- VPN Server will automatically restart each time the certificate file shown at Control Panel > Security > Certificate is modified. We will also have to export the new .ovpn file to all clients.
- More info on certificates can be found here: https://kb.synology.com/en-br/DSM/help/DSM/AdminCenter/connection_certificate?version=7
Let's check firewall settings on Windows 10
Since we'll be using Windows 10 as our client OS, it's a good idea to check its firewall settings before we try to connect. We need to check whether outgoing UDP requests are allowed on remote port 1194 in Windows Firewall. I've found that it works without having to add any additional rule.
Connect using OpenVPN Connect in Windows 10
I've already installed the OpenVPN Connect 3.3.6.2752 client from the link mentioned above under 'The setup'. I've also disconnected from my home Wi-Fi network in Windows and switched to mobile hotspot so that I connect from 'outside' of my home network.
When we first launch the app, it lets us import a config file via a URL or a file upload. We'll use the file upload option.
After selecting the .ovpn config file, we're prompted to enter the VPN Username and Password. This is the same vpnuser that we've configured in part one.
We're also asked to assign a Certificate and Key for the client, but we'll skip them because we're not concerned with certificate authentication in this part. We'll look at that in the third part.
Note that we can also customize the profile name at the top.
After we've entered the Username and Password, let's click the big orange CONNECT button.
But we're presented with an info dialog that says that the external certificate is missing. It also says that we can still continue if our profile allows a connection without a client certificate. It does, so we'll click CONTINUE.
Note:
- By default the OpenVPN server doesn't require a client certificate.
- In the config file for the OpenVPN server, openvpn.conf, there is a directive, verify-client-cert none, which dictates that.
- The config file is located here on the NAS: /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf
- In order to access that file, we have to SSH into the NAS.
- It's possible to tell the client not to expect a client Certificate and Key, because it's a bit annoying to skip it every time. This can be done by adding this directive to the .ovpn file: setenv CLIENT_CERT 0
- It's documented here: https://openvpn.net/faq/how-to-make-the-app-work-with-profiles-that-lack-a-client-certificate-key/
Anyway, after clicking CONTINUE, we're hit with another roadblock. This time the connection failed, and the error message read "Peer certificate verification failure".
The culprit is the last line in the VPNConfig.ovpn file above:
verify-x509-name 'myhostname.synology.me' name
This is the issue that I mentioned in the first part. That last line got added when we ticked the Verify server CN checkbox.
When the .ovpn file was exported, myhostname.synology.me was wrapped in single quotes (''). Because of this, the client couldn't connect when the .ovpn file was imported. It seems this issue only appeared in the OpenVPN Connect client since version 3.3.x.
Fortunately, after a little googling around I found a fix, provided by the user DreamCypher in this OpenVPN Support Forum topic:
https://forums.openvpn.net/viewtopic.php?p=106554#p106554
The fix is very simple. We just need to wrap myhostname.synology.me in double quotes (""):
verify-x509-name "myhostname.synology.me" name
So let's do that, import the updated .ovpn file to the client and try connecting again. It works!
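To avoid editing the exported file by hand every time a new .ovpn is generated, here is an added Python script (not part of the original post or of Synology's export) that applies the edits discussed above and checks the result before import: it fills in the remote hostname, rewrites the single-quoted verify-x509-name value with double quotes while keeping the directive (it is what stops the client from accepting a server that presents some other certificate), optionally uncomments redirect-gateway def1 for full tunneling, and appends setenv CLIENT_CERT 0. SAMPLE_OVPN is a constructed excerpt of an export with the certificate blocks left out.

```python
import re

# Constructed excerpt of a Synology-exported VPNConfig.ovpn; the <ca> and
# <tls-auth> blocks are left out because the edits never touch them.
SAMPLE_OVPN = """dev tun
tls-client
remote YOUR_SERVER_IP 1194
#redirect-gateway def1
pull
proto udp
auth-user-pass
verify-x509-name 'myhostname.synology.me' name
"""

def fix_exported_ovpn(text, hostname, full_tunnel=False, skip_client_cert=True):
    """Fill in the remote hostname, change the verify-x509-name quoting to
    double quotes (the directive itself is kept), optionally uncomment
    redirect-gateway def1, and add setenv CLIENT_CERT 0 if it is missing."""
    out = []
    for line in text.splitlines():
        if line.startswith("remote YOUR_SERVER_IP"):
            line = line.replace("YOUR_SERVER_IP", hostname, 1)
        elif full_tunnel and line.strip() == "#redirect-gateway def1":
            line = "redirect-gateway def1"
        m = re.match(r"^verify-x509-name\s+'([^']*)'(.*)$", line)
        if m:
            line = 'verify-x509-name "%s"%s' % (m.group(1), m.group(2))
        out.append(line)
    if skip_client_cert and not any(l.startswith("setenv CLIENT_CERT") for l in out):
        out.append("setenv CLIENT_CERT 0")
    return "\n".join(out) + "\n"

def check_ovpn(text):
    """List what would break the import or weaken server identity checking."""
    problems = []
    remote = re.search(r"^remote\s+(\S+)", text, re.M)
    host = remote.group(1) if remote else None
    if host in (None, "YOUR_SERVER_IP"):
        problems.append("remote still holds the YOUR_SERVER_IP placeholder")
        host = None
    # Accept an unquoted, single-quoted or double-quoted CN value.
    name = re.search(r"""^verify-x509-name\s+(['"]?)([^'"\s]+)\1""", text, re.M)
    if name is None:
        problems.append("no verify-x509-name: the server certificate CN is not checked")
    else:
        if name.group(1) == "'":
            problems.append("verify-x509-name is single-quoted (rejected by OpenVPN Connect 3.3.x)")
        if host is not None and name.group(2) != host:
            problems.append("verify-x509-name does not match the remote hostname")
    return problems
```

Run check_ovpn on the raw export to see the two problems, and again on the output of fix_exported_ovpn to confirm an empty list before importing the file into the client.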
Connect using OpenVPN Connect in iOS
Let's search for the OpenVPN Connect client in App Store and install it. The client UI is pretty identical to the Windows client.
Now we have to import the VPNConfig.ovpn file. There's no need to change anything; just import the exact same file that we've imported to the Windows client.
I've put it on my Synology NAS home directory and will now open it in the DS File app in iOS.
DS File is a file manager app developed by Synology.
Then tap the ... menu and tap on Share.
Tap the OpenVPN app icon to import the .ovpn file into it.
The UI we're presented with next is already familiar to us by now. We can customize the profile name, enter the VPN Username and Password and tap CONNECT.
We will leave the Certificate and Key field with the default value None, as we're not going to use client-side certificate authentication. We'll look at how to do that in part three of this tutorial.
iOS now prompts us to allow the OpenVPN app to add a VPN configuration to the OS. We will allow it.
We're asked to enter our iPhone passcode. Let's do that.
Et voilà! We're connected.
If we go to Settings > General > VPN & Device Management > VPN, we can see the configuration added by the OpenVPN app.
Summary
So that's about it. Configuring the client is pretty straightforward (when it works, of course ;)). There are tons of very good tutorial videos and posts on OpenVPN all over the internet, and the OpenVPN docs are also very helpful. Hope this tutorial also comes in handy for some.
Top comments (2)
Well done articles; however, I am still uncertain about what comes next.
I have set up OpenVPN on the NAS, and the client in Windows.
How do I then use this VPN connection in Windows to connect (remotely) to DSM 7 (like I would with QuickConnect) and to say Drive Server?
Thanks,
Joe
Sorry for the late reply. After establishing VPN connection to your NAS, you simply access it the same way you do it locally from home (as if you were at home).
e.g., 192.168.3.105:5001