Synology OpenVPN connection from Android

Connecting securely to your home network has always been a bit of a challenge since common home ADSL routers not normally contain any VPN Servers (those which do contain such are generally PPTP servers which I would hardly call secure these days). Which is probably a good thing as they would be horribly out of date considering the firmware release policies of retail router manufacturers. You could run/maintain your own dedicated server, but for most home networks that is overkill and out of the technical depth of most hobbyists. However NAS Appliances are becoming more useful in home networks for storage and other common tasks. I have had good experiences with Synology NAS devices over a number of years and the latest iteration also has a very useful VPN Server package available based on OpenVPN (as most Synology Apps are common Open Source components).

Server Requirements

This is a very straight forward procedure via the Synology Web UI (http://www.synology.com/en-uk/support/tutorials/459#t3.2)

Synology Openvpn

  1. Installing the VPN Server via Synology Package Manager
  2. Enabling OpenVPN Server
  3. Export the certificate using the button “Export configuration” (openvpn.zip) and extract the CA Certificate file (ca.crt)
  4. Forward UDP Port 1194 from your modem/router to the Synology NAS
  5. Make sure your Diskstation user account has OpenVPN privileges

Android Client Configuration

This part turned out a little more difficult than I expected. Initially I tried the “OpenVPN Connect” app by OpenVPN.net the makers of OpenVPN. However this seems to have no facility to edit the configuration and would not work at all from the imported config file.

The OpenVPN client that works well for me is OpenVPN for Android (https://play.google.com/store/apps/details?id=de.blinkt.openvpn)

  1. Transfer the CA Certificate (ca.crt) extracted in the previous step to the sdcard of your Android device
  2. Install the “OpenVPN for Android” app from the Google Play Store
  3. Open the “OpenVPN for Android”¬†app, touch the + icon in the bottom left corner of the screen to add a profile
  4. Touch “Basic”
    1. Enter profile name and server address (Static IP Address or DynamicDNS of your modem/router)
    2. Touch the Select button for the CA Certificate
    3. Navigate to the file ca.crt on your sdcard and select the file
    4. Fill in the username and password of the Diskstation user with OpenVPN privileges
    5. Touch the back softkey or button of your phone
  5. Touch “IP and DNS”
    1. Check Override DNS settings by Server (Synology’s OpenVPN implementation currently does not support pushing servers)
    2. Google’s public DNS servers are the default and should work for most users)
    3. Touch the back softkey or button of your phone
  6. Touch “Authentication/Encryption”
    1. Uncheck Expect TLS server certificate
    2. Touch the back softkey or button of your phone twice to return to the app’s Profiles overview page
  7. Touch your profile’s name to connect (the icon with the sliders on the right allows to edit the profile)

Voila! Your Android device should now securely connect to your home network!

OpenVPN – forward all client traffic through tunnel using UFW

By default OpenVPN only routes traffic to and from the OpenVPN Server. If you need all traffic from a client through the OpenVPN tunnel there are several options listed in the OpenVPN docs (http://openvpn.net/index.php/open-source/documentation/howto.html#redirect). Since I don’t have any control over the server in some cases I needed a client side solution. As I already have ufw running with Ubuntu I wanted to use the existing software.

Here is how to configure ufw to enable routing all traffic from your client machines through the OpenVPN Server.

Forwarding policy

Change default forward policy, edit /etc/sysctl.conf to permanently enable ipv4 packet forwarding. (Note: This will take effect at next boot).

sudo vim /etc/sysctl.conf

# Enable packet forwarding
net.ipv4.ip_forward=1

UFW config

And then configure ufw in /etc/default/ufw
sudo vim /etc/default/ufw

DEFAULT_FORWARD_POLICY="ACCEPT"

UFW before rules

Change /etc/ufw/before.rules to add the following code after the header and before the “*filter” line. Match the IP/subnet mask to the same one as in /etc/openvpn/server.conf.

sudo vim /etc/ufw/before.rules

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

Enable OpenVPN

Open openvpn port 1194
sudo ufw allow 1194

Start UFW

sudo service ufw start

OpenVPN Install on CentOS 6 Server

I recently had a need to install a VPN service in a OpenVZ container. Since I normally only use Hardware emulating VM’s I ran into quite a few issues in terms of low-level networking support on this Container Virtualisation System. Turns out that you are stuck with a TUN/TAP solution as most services won’t enable PPP services on their infrastructure. Also Ethernet bridging is not available (at least on the service I used) so you’re stuck with NAT IP masquerading. Considering the options I thought best served with using OpenVPN server.

Install Server

yum --enablerepo=epel -y install openvpn

Server configuration

cp /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn/
These are the contents of /etc/openvpn/server.conf
local XXX.XXX.XXX.XXX #Server External IP
port 1194
proto udp
dev tun
ca ca.crt
cert SERVER.crt
key SERVER.key #keep file secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8" #using Google Public DNS
push "dhcp-option DNS 8.8.4.4" #using Google Public DNS
keepalive 10 120
comp-lzo
max-clients 5
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3

mkdir -p /etc/openvpn/easy-rsa/keys
cd /etc/openvpn/easy-rsa
cp -rf /usr/share/openvpn/easy-rsa/2.0/* .
vim vars
#Set the country (KEY_COUNTRY)
#state (KEY_PROVINCE)
#locality (KEY_CITY)
#organisation name (KEY_ORG)
#support email (KEY_EMAIL)

Create certificate authority

./vars
./clean-all
./build-ca

The CA key and certificate should not be in the keys directory inside the easy-rsa directory.

Create certificate for the server

./build-key-server NAME_OF_SERVER
Answer the questions and commit the certificate into the database

Create the Diffie Hellman files

These files are used for the actual key exchange to ensure the confidentiality over an insecure channel, aka the Internet. Based on the length of the key used (KEY_SIZE) it may take a while.
./build-dh

Copy crypto files

cd keys/
cp ca.crt SERVER.crt SERVER.key dh1024.pem /etc/openvpn/

Create the certificate for each client

./build-key NOTEBOOK
./build-key MOBILE

Enable IP Forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

NAT Masquerading Setup

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE

Start OpenVPN

/etc/init.d/openvpn start
chkconfig openvpn on

Clients

Ubuntu

apt-get install network-manager-openvpn

Android

FeatVPN: http://www.featvpn.com/

Troubleshooting

  • Ensure that the client settings reflect EXACTLY the server setting (I learned the hard way wasting a lot of time on troubleshooting the fact that routing would not work – turned out to be a client setting ‘comp-lzo’ !)
  • Ensure TUN/TAP services are enabled for your OpenVZ container (http://wiki.openvz.org/VPN_via_the_TUN/TAP_device)
    ERROR: Linux ip link set failed: external program exited with error status: 255

Documentation: http://openvpn.net/howto.html

Installing Poptop (pptpd) VPN Server on CentOS 6

For roaming mobile clients PPTP (Point-to-Point Tunneling Protocol) is still the quickest way to get VPN connections to tunnel traffic over a secure link.

Installation

I always prefer installation via a yum repository as this will ensure patches are applied during regular system updates

sudo rpm --import http://poptop.sourceforge.net/yum/RPM-GPG-KEY-PPTP
sudo rpm -Uvh http://poptop.sourceforge.net/yum/stable/rhel6/pptp-release-current.noarch.rpm
sudo yum install ppp pptpd -y

Configuration

Note: replace $USERNAME and $PASSWORD with actual values

IP configuration
echo "localip 192.168.0.1" >> /etc/pptpd.conf
echo "remoteip 192.168.0.100-199" >> /etc/pptpd.conf

DNS configuration
echo "ms-dns 8.8.8.8" >> /etc/ppp/options.pptpd
echo "ms-dns 4.2.2.1" >> /etc/ppp/options.pptpd

Authentication configuration
echo "$USERNAME pptpd $PASSWORD *" >> /etc/ppp/chap-secrets

Firewall config
service iptables start
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
echo "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE" >> /etc/rc.local
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables restart
service iptables save
chkconfig iptables on

Start ppptd
chkconfig pptpd on
service pptpd start