<Guide> Enabling OpenVPN/iptables combo in Custom Firmware

PART 5 - Setting Up OpenVPN

Now that the firmware is updated, we just need to set up OpenVPN. The way I am doing this doesn't start automatically; we have to start it manually. Part of the problem is that the operating system is overwritten from the flash every time we boot, so if we change any startup scripts the change won't be permanent. The only way to do it permanently, as far as I know, would be to recompile the firmware. If someone knows a better way, please let me know!
The good news is that there is a part of the filesystem which is not lost: the /usr/local/config/ directory. So this is where I am going to put all the OpenVPN configuration.
(5a) Start by making a directory in the config folder and moving there:

mkdir /usr/local/config/openvpn
cd /usr/local/config/openvpn

(5b) The OpenVPN version on the NAS is fine, but it doesn't come with any of the example scripts or easy-rsa. So first let's get easy-rsa. The --no-check-certificate flag is only needed if wget on the NAS cannot verify GitHub's certificate (e.g. it has no CA bundle); either way it means the download itself is unauthenticated, so if you can, compare the archive with a copy fetched on a machine that does verify certificates:

wget --no-check-certificate https://github.com/OpenVPN/easy-rsa/archive/release/2.x.zip

(5c) Extract only the folder we need, then clean up the rest. wget saved the archive as 2.x.zip, so that is the name to remove afterwards:

unzip 2.x.zip
mv easy-rsa-release-2.x/easy-rsa/2.0 ./easy-rsa
rm 2.x.zip
rm -R easy-rsa-release-2.x

(5d) Now let's configure easy-rsa. Good thing we installed nano, otherwise you would have to do this with vi! The vars file lives inside the easy-rsa directory, so change into it first:

cd easy-rsa
nano vars

Edit the following lines (they are near the bottom of the file) to whatever details you want on your CA (pick something you can identify as yours). While you are in the file, check that KEY_SIZE is set to 2048: build-dh names its output after it, and the server config later expects dh2048.pem.

export KEY_COUNTRY="Country"
export KEY_PROVINCE="State/Province"
export KEY_CITY="City"
export KEY_ORG="Organisation"
export KEY_EMAIL="an@email.address"

(5e) Next let's create our certificates. In the commands below, replace <ServerName> with whatever you want your OpenVPN server to be called. Be patient with build-dh: generating 2048-bit DH parameters takes a long time on a NAS CPU:

source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server <ServerName>
cd keys
openvpn.bin --genkey --secret ta.key

(5f) Now copy our keys to the openvpn folder. Again, replace <ServerName> with whatever you used above, and keep the private key and the tls-auth key readable by root only:

cp <ServerName>.crt <ServerName>.key ca.crt dh2048.pem ta.key /usr/local/config/openvpn
chmod 600 /usr/local/config/openvpn/<ServerName>.key /usr/local/config/openvpn/ta.key

(5g) Now we make some client keys. Replace <ClientName> with the name of your client. Do this for each of the clients you want to connect:

cd /usr/local/config/openvpn/easy-rsa
source vars
./pkitool <ClientName>

(5h) Now let's put the files the client needs into an archive and copy it somewhere we can reach it, e.g. into the shares/yourName folder. Again, replace <ClientName> as above, and replace <yourName> with the name of your share on the NAS. pkitool writes into the keys directory, so change into it first. Note that the archive contains the client's private key and the shared ta.key: delete it from the share as soon as you have copied it to the client.

cd keys
tar -czf keysForClient.tgz ca.crt ta.key <ClientName>.crt <ClientName>.key
mv keysForClient.tgz /shares/<yourName>/

For the following scripts I am assuming that your VPN subnet is 10.10.10.0/24 (addresses 10.10.10.1 to 10.10.10.254). If you use a different range, make sure to change the IP addresses in the scripts below.
I am also using a TAP interface with TCP. I've configured my router to forward the TCP port that I am using to my NAS, which I have made the router assign a static IP to.

(5i) Now we create a script that configures iptables whenever the VPN comes up:

cd /usr/local/config/openvpn
echo "" > up.sh
chmod 755 up.sh
nano up.sh

Then paste the following into that file:

#!/bin/bash
# This is /usr/local/config/openvpn/up.sh, run by OpenVPN
# (script-security 2) each time the tap device is brought up.

IPT="/usr/sbin/iptables"
LAN="egiga0"          # LAN interface of the NAS (check with ifconfig)
VNET="10.10.10.0/24"  # VPN network IP range, must match server.conf
VPNIF="tap+"          # any tap device

# Let the kernel route between the VPN and the LAN
sysctl -w net.ipv4.ip_forward=1

# Flush existing rules. This also throws away whatever the firmware had
# installed, and with the INPUT policy set to ACCEPT the NAS now accepts
# every incoming packet, so the INPUT rules below change nothing; what
# this script really does is enable NAT and forwarding.
$IPT -P INPUT ACCEPT
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -t nat -F

# And set up some new ones
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -i $VPNIF -j ACCEPT
# Only packets arriving from the tap side are accepted here; replies
# coming back in on $LAN are left to the FORWARD policy. If the tunnel
# comes up but nothing beyond the NAS answers, check that policy.
$IPT -A FORWARD -i $VPNIF -j ACCEPT
# Hide VPN clients behind the NAS address so LAN hosts need no route
# back to $VNET
$IPT -t nat -A POSTROUTING -s $VNET -o $LAN -j MASQUERADE

Save and exit nano.
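The script above opens the NAS completely (INPUT policy ACCEPT, every rule an ACCEPT, replies relying on whatever FORWARD policy the firmware has) and nothing removes the rules when the tunnel goes down. What follows is an added example and not code from the original post: the same NAT and forwarding for the same interfaces and subnet, but with FORWARD defaulting to DROP, INPUT opened only for the VPN port and the tap device, and a matching down path. It assumes the script_type variable OpenVPN exports to up/down scripts, an iptables with the state match, and the port/proto values from this guide; the fw.sh name is mine, and IPT=echo turns it into a dry run that prints the rules instead of applying them.

```shell
#!/bin/sh
# fw.sh: stricter replacement for the post's up.sh, usable as both the
# "up" and "down" script (OpenVPN exports script_type=up|down to scripts).
# Same interface names, subnet and MASQUERADE as the post, but FORWARD
# defaults to DROP and INPUT is opened only for the VPN port and the tap
# device rather than for everything.
# Assumptions (placeholders, not from the page): iptables supports the
# "state" match; PORT/PROTO below match your server.conf.
# Dry run: IPT=echo SYSCTL=echo script_type=up sh fw.sh

IPT="${IPT:-/usr/sbin/iptables}"
SYSCTL="${SYSCTL:-/sbin/sysctl}"
LAN="${LAN:-egiga0}"           # NAS LAN interface, as in the post
VNET="${VNET:-10.10.10.0/24}"  # VPN subnet, must match the "server" line
VPNIF="${VPNIF:-tap+}"         # any tap device
PORT="${PORT:-1194}"           # must match "port" in server.conf
PROTO="${PROTO:-tcp}"          # must match "proto" in server.conf

fw_up() {
    $SYSCTL -w net.ipv4.ip_forward=1

    # Only the OpenVPN listener and traffic arriving over the tunnel are
    # let in; everything else keeps whatever INPUT policy the firmware set.
    $IPT -I INPUT -p "$PROTO" --dport "$PORT" -j ACCEPT
    $IPT -I INPUT -i "$VPNIF" -j ACCEPT

    # Forwarding: start clean, default deny.
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    # Replies for flows a VPN client opened (to the LAN or, via
    # redirect-gateway, to the internet) are allowed back through.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New flows only from the tunnel, only with a source inside the VPN
    # subnet (drops spoofed sources), towards the LAN interface. The LAN
    # cannot open connections to VPN clients.
    $IPT -A FORWARD -i "$VPNIF" -s "$VNET" -o "$LAN" -j ACCEPT

    # Hide clients behind the NAS address so LAN hosts need no route back.
    $IPT -t nat -F POSTROUTING
    $IPT -t nat -A POSTROUTING -s "$VNET" -o "$LAN" -j MASQUERADE
}

fw_down() {
    # Undo exactly what fw_up added. FORWARD stays at DROP and
    # forwarding is switched off again, so the NAS stops routing.
    $IPT -D INPUT -p "$PROTO" --dport "$PORT" -j ACCEPT
    $IPT -D INPUT -i "$VPNIF" -j ACCEPT
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING
    $SYSCTL -w net.ipv4.ip_forward=0
}

# OpenVPN sets script_type; run from a shell without it, nothing happens.
case "${script_type:-}" in
    up)   fw_up ;;
    down) fw_down ;;
esac
```

To use it, point both directives in server.conf at the same file, up "/usr/local/config/openvpn/fw.sh" and down "/usr/local/config/openvpn/fw.sh", and review the rule list with the dry run before trusting it on the NAS. Client-to-client traffic is unaffected by the DROP policy because OpenVPN's client-to-client option switches it inside the daemon, not through the kernel's FORWARD chain.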

(5j) Now create the server.conf file. It holds no secrets itself and does not need to be executable:

echo "" > server.conf
chmod 644 server.conf
nano server.conf

And then paste in the following, making changes as required

# Static IP of your NAS
local 192.168.1.10

# Which TCP/UDP port should OpenVPN listen on?
port 1194

proto tcp

dev tap

# Allow OpenVPN to run the up script from the previous step
script-security 2
up "/usr/local/config/openvpn/up.sh"

# Make sure you change the <ServerName> below to whatever you called your server.
ca /usr/local/config/openvpn/ca.crt
cert /usr/local/config/openvpn/<ServerName>.crt
key /usr/local/config/openvpn/<ServerName>.key

dh /usr/local/config/openvpn/dh2048.pem

topology subnet

# Make sure to change the IP to match your desired VPN and what is in up.sh.
# "server" already gives the NAS 10.10.10.1 and hands the rest of the
# subnet to clients, so a separate "ifconfig" line is redundant.
server 10.10.10.0 255.255.255.0

# Absolute path: OpenVPN is started from / and the root filesystem is
# rebuilt from flash at every boot, so a relative ipp.txt would be lost.
ifconfig-pool-persist /usr/local/config/openvpn/ipp.txt

# Make sure you change the IPs below to match your local network and VPN subnet
push "route 192.168.1.0 255.255.255.0 10.10.10.1"

# Redirect Gateway so we can have internet through the VPN
push "redirect-gateway def1"

# Update these to your ISP's DNS servers, or leave them as the Google public DNS.
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

# Remove this directive if clients should not be able to "see" each
# other (by default clients will only see the server). To really force
# clients to only see the server, you will also need to appropriately
# firewall the server's TUN/TAP interface.
client-to-client

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# HMAC-protect the TLS handshake. The server uses key direction 0, so
# every client config must use "tls-auth ta.key 1". This file is secret.
tls-auth /usr/local/config/openvpn/ta.key 0

# Compression leaks information about the encrypted traffic (the
# VORACLE class of attacks) and is deprecated in current OpenVPN.
# Drop it unless you need it; whatever you choose must match the clients.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 24

# These only matter if OpenVPN drops privileges with user/group
# after start-up; they are harmless otherwise.
persist-key
persist-tun

# Absolute path for the same reason as ipp.txt above
status /usr/local/config/openvpn/openvpn-status.log

verb 4

Save and exit nano.

(5k) Finally, start OpenVPN. --daemon detaches it from your shell so it keeps running after you log out (a bare & in the background can be killed when the SSH session ends), and --log keeps the output, which at verb 4 is fairly chatty, somewhere you can read it:

cd /
openvpn.bin --daemon --log /usr/local/config/openvpn/openvpn.log --config /usr/local/config/openvpn/server.conf

Then check that everything is in place: the log should show "Initialization Sequence Completed" with no errors, ps should list openvpn.bin, ifconfig should show a tap device with 10.10.10.1, and iptables -L -n -v and iptables -t nat -L -n should show the rules from up.sh.

Now all you need to do is set up your OpenVPN client using the files you saved to /shares/<yourName>/keysForClient.tgz, which you can copy from the NAS at your convenience. The client config has to match the server: proto tcp, dev tap, comp-lzo, and tls-auth ta.key with direction 1 (the server uses 0). Remember that the archive holds the client's private key and ta.key, so remove it from the share once the client has it.
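A client config has to agree with every transport choice in server.conf (TCP, TAP, the tls-auth direction, compression), and it is easy to ship a bundle with one piece missing. The following is an added example, not code from the original post: it builds the archive from step (5h) together with a matching client.ovpn in one go, refusing to run if any file is absent. KeyDir, RemoteHost and OutDir are placeholders of mine for the easy-rsa keys directory, the public name or address your router forwards port 1194 to, and a share on the NAS; the make_client_bundle name and the remote-cert-tls line are my additions too.

```shell
#!/bin/sh
# make_client_bundle.sh: package a client's keys (step 5h) together with a
# client.ovpn whose settings mirror the server.conf on this page:
# proto tcp, dev tap, tls-auth with key direction 1, comp-lzo.
# Assumptions (placeholders, not from the page): KeyDir is easy-rsa/keys,
# RemoteHost is the public name or address your router forwards port 1194
# to, OutDir is a NAS share. The archive holds the private key, so remove
# it from the share as soon as the client has copied it.
# Usage: make_client_bundle <ClientName> <RemoteHost> [KeyDir] [OutDir]

make_client_bundle() {
    client="$1"
    remote="$2"
    keydir="${3:-/usr/local/config/openvpn/easy-rsa/keys}"
    outdir="${4:-/shares/yourName}"
    [ -n "$client" ] && [ -n "$remote" ] || {
        echo "usage: make_client_bundle <ClientName> <RemoteHost> [KeyDir] [OutDir]" >&2
        return 1
    }

    # Refuse to build a bundle with a missing piece rather than ship a
    # config that only fails at connect time.
    for f in ca.crt ta.key "$client.crt" "$client.key"; do
        [ -r "$keydir/$f" ] || { echo "missing $keydir/$f" >&2; return 1; }
    done

    work=$(mktemp -d) || return 1
    cp "$keydir/ca.crt" "$keydir/ta.key" "$keydir/$client.crt" "$keydir/$client.key" "$work/"

    # Every line here must agree with the server: proto, dev, compression
    # and the tls-auth direction (server uses 0, so clients use 1).
    # remote-cert-tls makes the client insist on the server EKU that
    # "pkitool --server" put in the server certificate, so a leaked client
    # certificate cannot be used to impersonate the server.
    cat > "$work/$client.ovpn" <<EOF
client
dev tap
proto tcp
remote $remote 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert $client.crt
key $client.key
tls-auth ta.key 1
remote-cert-tls server
comp-lzo
verb 3
EOF

    mkdir -p "$outdir" || return 1
    out="$(cd "$outdir" && pwd)/$client-keys.tgz"
    ( cd "$work" && tar -czf "$out" "$client.ovpn" ca.crt ta.key "$client.crt" "$client.key" ) || return 1
    chmod 600 "$out"   # a private key is inside: owner-only on the share
    rm -rf "$work"
    echo "$out"
}

if [ $# -ge 2 ]; then
    make_client_bundle "$@"
fi
```

Run it on the NAS as make_client_bundle.sh <ClientName> <RemoteHost> after step (5g); the client then only has to unpack the archive and import <ClientName>.ovpn. If you drop comp-lzo from server.conf, drop it here as well, since a mismatch makes the tunnel fail after the handshake rather than during it.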

Fingers crossed you will now have a working VPN. If anyone has suggestions or corrections, I am all ears.
