Install OpenVPN on QNAP
From NAS Wiki
OpenVPN - what is it?
- OpenVPN offers the possibility to have a secure connection to a remote computer or network.
- OpenVPN can be installed on different operating systems including Windows, Linux and Mac and offers some OS-independent, graphical administration tools for server or client.
- OpenVPN is not compatible with the Windows VPN. However, after the initial installation and configuration it is just as simple to run (open the VPN tunnel with a mouse click).
- OpenVPN is a complex program with extensive configuration options. It offers far more options than described here. If you want to get more from OpenVPN, you can find further reading at the end of this HOWTO.
The aim of this guide
This HOWTO will guide you through a complete installation of an OpenVPN server on your NAS, which will enable you to access your NAS securely with multiple clients from the internet. You will be able to use all services provided by the NAS.
Additionally you will set up an OpenVPN client on a Windows PC and use this to create all necessary certificates and keys.
On which devices will OpenVPN work?
This howto was designed to work on the following devices:
- TS-109 (pro/II)
- TS-209 (pro/II)
- TS-409 (pro)
(Firmware 2.1.4 causes issues with autostart. A workaround is described here.)
Any manipulation of the system is at your own risk.
What you need
- A NAS, as mentioned above, with the SSH server active.
- A Windows PC to create the keys, with PuTTY and WinSCP installed on it.
- Knowledge of how to connect to your NAS through SSH with PuTTY and WinSCP.
- A DynDNS account and the knowledge of how to use it, in order to reach your home network from anywhere on the internet.
- Knowledge of how to redirect a port on the modem / router of your home network.
- Note: The # sign in front of a command shows the prompt, as it will appear in the console. Do not copy & paste it, when entering a command in the console.
- Raidsonic: open firmware with package-support through "new_software". IB-NAS4210-B users can download an unofficial open fw from here.
|Device||login username||login password|
Install Qpkg optware / ipkg on the NAS
- Login to the administrations page.
- -> System Tools -> qpkg -> Get qpkg -> Optware ipkg
- Choose the package, according to your device, download and save it to your computer.
- -> System Tools -> qpkg -> Select (select the package) -> upload (Confirm)
The box will install ipkg automatically and restart. After this, go back to the same page, open ipkg and click "Enable", if the status is different.
- Download Optware.
- IB-NAS 4220, 4210-B: Download autovpn-4220-1.1.tgz
- IB-NAS 2001, 2000. 1000-B: Download zlibs and autovpn-2000-1.1.tgz
- Move packages to (/mnt/...)/public/applications/new-software.
- Continue here.
Install OpenVPN on the NAS
- Start PuTTY (or any other console program) and connect to your NAS
# ipkg update
(If this generates an error message (-sh: ipkg: command not found) restart the box and repeat).
# ipkg list | grep openvpn
should show the line (Sep. 2009):
openvpn- 2.1_rc15-1 - SSL-based VPN server with Windows client support
- Install OpenVPN
# ipkg install openvpn
After a successful installation enter
This should show a list of options. If an error message appears (... command not found) restart and repeat.
Execute these commands:
# cd /opt/etc/openvpn
# mkdir log
# cd log
# touch openvpn.log
# touch status.log
# mkdir /opt/etc/openvpn/modules
Install the missing tun.ko module
In order to be fully functional, OpenVPN requires a kernel module, which by default is not installed on the box (Dec. 2008).
- Download the appropriate .zip file: TS-109/TS-209 or TS-409. If you have a TS-219P, you can find tun.ko in /opt/lib/modules/22.214.171.124/kernel/drivers/net/tun.ko
- Unpack the .zip
- connect to the box using WinSCP
- Copy the file to /opt/etc/openvpn/modules
Now it's time to access the flash and create or edit the file autostart.sh. This will automatically call the tun.ko module on every startup.
- Download autorun.sh.
- Mount the flash partition:
# mount -t ext2 /dev/mtdblock5 /tmp/config
- If you worked on your autostart before, you will know how to merge the code of autorun.sh with your own autostart. Do not, under any circumstances, use Windows Notepad! It will create a corrupted file.
- If you never heard of autostart.sh before, simply copy the file autorun.sh with winSCP to /tmp/config
- Make the file executable: F9 in WinSCP or right click -> Properties: 0755 or type chmod +x autorun.sh in PuTTY.
- Unmount the flash partition (PuTTY):
# umount /tmp/config
Any time the system is started the tun module should be installed automatically. You can check this after a restart in PuTTY:
The output should also show a line similar to this:
tun 8896 0 - Live 0xbf0370000
If tun does not show up but /dev/net/tun exists, add more seconds to sleep. Up to 30 can be needed, depending on the model.
If you know how to configure openVPN and generate your own keys, you are done by now.
Otherwise, just go on.
Install OpenVPN to the PC
- Download and install OpenVPN GUI to your PC.
In order to establish a secure connection over the internet, you need a set of keys. A simple and straightforward way is to create them in Windows.
- Open a Windows console (-> Start -> Run -> cmd) and enter the following commands:
# cd \Program Files\openvpn\easy-rsa
# init-config
- Edit the file vars.bat:
Using Windows Explorer (or WinSCP), navigate to C:\Program Files\OpenVPN\easy-rsa\ and open vars.bat. Edit the last few lines according to your own requirements. The following is just an example:
rem DE would be Germany
set KEY_COUNTRY=DE
set KEY_PROVINCE=Your province
set KEY_CITY=City
rem QNAP-OpenVPN or a server name of your choice
set KEY_ORG=QNAP-OpenVPN
set KEY_EMAIL=email@example.com
- Now enter the following commands in the console:
# vars
# clean-all
You will be asked for some input, but as vars.bat was edited previously, simply confirm the values by hitting the Return key.
When common name pops up, enter a name of your choice for the server.
The consecutive output looks something like this:
ai:easy-rsa # ./build-ca
Generating a 1024 bits RSA private key
............++++++
...........++++++
Writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', The field will be left blank.
-----
Country Name (2 letter code) [KG]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN TEST]:
Organizational Unit Name (eg, section) :
Common Name (eg, your name or your server's hostname) : <--- Enter your server's name here
Email Address [firstname.lastname@example.org]:
Generate the server key
# build-key-server server
Enter server for the common name and answer the following two questions with "yes".
Generate client keys
Each client gets its own key.
# build-key client1
This generates a key for the client client1. When the common name is asked for, enter client1. Run the command for each client (i.e. every other PC that needs to connect to your VPN) with an appropriate name.
Generate Diffie-Hellman parameters
It takes a while (depending on the performance of the PC up to several minutes).
Distribute the keys
On the PC in C:\Program Files\OpenVPN\keys you will find these files:
|Filename||Needed by||Purpose||Secret|
|ca.crt||server + all clients||root CA certificate||NO|
|ca.key||certification PC only||root CA key||YES|
|dh1024.pem||server only||encryption parameters||NO|
|server.crt||server only||server certificate||NO|
|server.key||server only||server key||YES|
|client1.crt||client only||client1 certificate||NO|
|client1.key||client only||client1 key||YES|
The client keys for the PC are already in the right place.
- Copy the certificates and keys for the server using WinSCP to this place in the NAS (choose binary option if prompted):
- Set the access rights of the keys to 0600.
Assume the following network scenario as an example. (Edit the IP addresses in your own config files according to your needs.)
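One way to check the copy and permission steps against the distribution table, as an added example that is not part of the original HOWTO: the script flags a CA key left on the server and any .key file that is readable by anyone but its owner. The function names and the throwaway demo directory are assumptions; on the NAS, pass the key directory used in easy.conf (/opt/etc/openvpn/keys) as the argument.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO.
# audit_keys DIR prints one line per problem found in a server key
# directory; no output means the directory passed both checks.

audit_keys() {
    dir=$1
    # ca.key signs new certificates. The table keeps it on the
    # certification PC only, so it must not sit on the NAS.
    if [ -e "$dir/ca.key" ]; then
        echo "ca.key found in $dir: keep the CA key off the server"
    fi
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue
        # The first 10 characters of ls -l output are the mode string.
        mode=$(ls -ld "$f" | cut -c1-10)
        case $mode in
            -r[w-]-------) ;;   # 0600 or 0400: owner only
            *) echo "$f has mode $mode: run chmod 600 on it" ;;
        esac
    done
    return 0
}

# Constructed demo: a throwaway directory standing in for the key
# directory on the NAS, with one private key left world-readable.
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/server.key"; chmod 644 "$tmp/server.key"
    : > "$tmp/ca.crt";     chmod 644 "$tmp/ca.crt"
    audit_keys "$tmp"
    rm -rf "$tmp"
}

# With an argument, audit that directory; without one, run the demo.
if [ $# -gt 0 ]; then audit_keys "$1"; else demo; fi
```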
- The home network is accessible via DynDNS.
- The address of the home network is 192.168.4.0/255.255.255.0
- The NAS has the IP address 192.168.4.7
- The OpenVPN server creates a virtual network 10.8.0.0/255.255.255.0 (VPN tunnel)
- The IP address of the server is 10.8.0.1, the clients receive 10.8.0.x addresses from the server.
- The # sign indicates that anything after the # is only a comment and can ultimately be deleted.
- Lines with ";" contain an optional configuration. Activate it if necessary by deleting the ";".
- Navigate with WinSCP to /opt/etc/openvpn and create the file easy.conf
- Copy & paste the following configuration code and edit, where appropriate:
# OpenVPN server configuration QNAP NAS
# basic settings
port 1194
proto udp
dev tun
#
# detect mtu if the connection is slow.
; mtu-test
#
# define mtu, if necessary
; tun-mtu xyz
#
# define the ip-addresses of the underlying tunnel
server 10.8.0.0 255.255.255.0
#
# Route
push "route 192.168.4.0 255.255.255.0" # <--- Enter the ip-address of your home network here!
#
# certificates & keys
dh /opt/etc/openvpn/keys/dh1024.pem
ca /opt/etc/openvpn/keys/ca.crt
cert /opt/etc/openvpn/keys/server.crt
key /opt/etc/openvpn/keys/server.key
#
# data compression
comp-lzo
#
# allow, that several clients with the same common name log on
; duplicate-cn
#
# different clients can "see" each other through the tunnel.
; client-to-client
#
# Keepalive
keepalive 15 120
#
# verbosity of status messages in the console. Activate for debugging (1-9 possible)
; verb 5
#
# Log files
; status /share/HDA_DATA/optware/opt/etc/openvpn/log/status.log
; log-append /share/HDA_DATA/optware/opt/etc/openvpn/log/openvpn.log
#
# Run as daemon (activate, after everything is set up properly)
; daemon
#
# Management Interface. Access with "telnet localhost 7505"
management localhost 7505
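A small check for easy.conf, added here as an example and not part of the original HOWTO: it reads the active lines of a server config and reports the hardening gaps the configuration above leaves open (1024-bit DH parameters, a management port without a password file, no privilege drop, no tls-auth key, and duplicate-cn if it gets enabled). The function names are assumptions, and the DH size is read from the file name only, as in dh1024.pem.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO.
# lint_conf FILE prints one line per hardening gap in an OpenVPN
# server config; no output means none of the checks fired.

lint_conf() {
    awk '
        /^[ \t]*[#;]/ || NF == 0 { next }   # comments, disabled options, blanks
        { sub(/[ \t]*#.*$/, "") }           # strip trailing comments
        # Heuristic: key length is read from the file name, as in dh1024.pem.
        $1 == "dh" && $2 ~ /1024/ {
            print "dh: 1024-bit parameters, generate 2048-bit or larger"
        }
        $1 == "duplicate-cn" {
            print "duplicate-cn: a copied client key can log on unnoticed"
        }
        # Syntax is: management IP port [pw-file]
        $1 == "management" && NF < 4 {
            print "management: no password file, any local user can connect"
        }
        $1 == "user"     { drop = 1 }
        $1 == "tls-auth" { hmac = 1 }
        END {
            if (!drop) print "user: not set, daemon keeps root after startup"
            if (!hmac) print "tls-auth: not set, no HMAC check on handshake packets"
        }
    ' "$1"
}

# Constructed sample: active lines taken from easy.conf on this page.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
dh /opt/etc/openvpn/keys/dh1024.pem
; duplicate-cn
keepalive 15 120
management localhost 7505
EOF
    lint_conf "$tmp"
    rm -f "$tmp"
}

# With an argument, lint that file; without one, run the demo.
if [ $# -gt 0 ]; then lint_conf "$1"; else demo; fi
```

Run against the sample it prints four findings; a config that names larger DH parameters, gives the management line a password file and sets user and tls-auth prints nothing.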
- Navigate to C:\Programme\OpenVPN\config on your PC and create the file easyclient.ovpn
- Copy & paste the following code and edit, where appropriate:
# connect to QNAP OpenVPN Server
#
proto udp
dev tun
tls-client
remote supernetwork.dyndns.org 1194 # <--- enter your dyndns-account here!
pull
# set mtu, if necessary
; tun-mtu xyz
#
resolv-retry infinite
nobind
persist-key
persist-tun
# certificates and keys
# Note the double \\ in the path for a windows config
ca C:\\Programme\\OpenVPN\\easy-rsa\\keys\\ca.crt
cert C:\\Programme\\OpenVPN\\easy-rsa\\keys\\client1.crt
key C:\\Programme\\OpenVPN\\easy-rsa\\keys\\client1.key
#
comp-lzo
Set up a port forward in your router / modem / cable modem, or whatever device manages the connection to the internet. Forward port 1194 (UDP) to your NAS.
If you did not yet set up a dynDNS account, now it is time to do so.
- Start the OpenVPN-server in PuTTY:
# cd /opt/etc/openvpn
# openvpn easy.conf
This produces output similar to the following:
Mon Dec 8 03:52:22 2008 OpenVPN 2.1_rc9 arm-none-linux gnueabi [SSL] [LZO1] [epoll] built on May 19 2008
Mon Dec 8 03:52:22 2008 TUN/TAP device tun0 opened
Mon Dec 8 03:52:22 2008 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Mon Dec 8 03:52:22 2008 UDPv4 link local (bound): [undef]:1194
Mon Dec 8 03:52:22 2008 UDPv4 link remote: [undef]
Mon Dec 8 03:52:22 2008 Initialization Sequence Completed
- If you are testing with a laptop at home, it is preferable to use a different internet connection for the client (e.g. a UMTS modem).
- Start OpenVPN by right-clicking easyclient.ovpn.
This creates some additional entries in the console messages of the server:
Mon Dec 8 03:59:52 2008 126.96.36.199:20955 Re-using SSL/TLS context
Mon Dec 8 03:59:52 2008 188.8.131.52:20955 LZO compression initialized
Mon Dec 8 03:59:54 2008 184.108.40.206:20955 [client1] Peer Connection Initiated with 220.127.116.11:20955
- In the Windows taskbar, a new symbol (two red or green screens) will appear. By right-clicking it, you can control the OpenVPN client connection.
- In Windows an additional LAN connection is generated with an ip-address of the address space 10.8.0.0.
Check the connection
- Enter in the Windows console of your client:
# ping 10.8.0.1
There should be a correct answer from the server.
A ping from the server to the client is theoretically possible if you shut down or open the Windows firewall for testing purposes. However, it is not necessary for OpenVPN to run correctly, so the firewall should remain up.
- Open Windows explorer on the client PC
- enter the IP address of the NAS. In this scenario this would be \\192.168.4.7
- The shares (Windows shares) of the NAS should now be displayed and accessible.
- If all went well, it's definitely time for a beer!
Adjust the server config
- Open a second PuTTY session and terminate the server.
# killall openvpn
- Edit easy.conf and activate daemon (remove the ";").
- If you need a log file, activate log-append.
- Restart the server, as described above.
If you like, you can make OpenVPN start automatically at startup.
- QNAP: Open autostart.sh as described before.
- Raidsonic: open /public/applications/openvpn/init in an editor.
- Add the following line at the end of the script.
(sleep 12; /opt/sbin/openvpn /opt/etc/openvpn/easy.conf)&
If, after a reboot, the command ps in PuTTY does not show this line in the list of running processes
1108 admin 1800 S /opt/sbin/openvpn /opt/etc/openvpn/easy.conf
OpenVPN is obviously not running. Try a higher number with the sleep command in the script. (sleep 30 should do in most cases. I guess it depends on how many processes the box has to start at startup.)
You now have a VPN server running on your NAS, allowing you to connect and log in remotely. You can use all services and access the shares.
Telnet Management Interface
The management interface is a management tool, which offers the possibility to control the current VPN server.
- Connect through SSH to the server.
- Enter telnet localhost 7505
- help lists the available commands; status shows the logged-on clients and their associated parameters.
- OpenVPN GUI is a handy windows-tool to open and close a VPN tunnel by a single mouse-click.
- gopenvpn does pretty much the same for Linux.
- Tunnelblick is a complete graphic OpenVPN client for Mac.
OpenVPN Control is a small, sleek, graphical OpenVPN server control tool for Windows, Linux and Mac. Using VPN / ssh it can also connect to a remote server.
It shows "status" information of the management interface and offers the possibility to forcibly disconnect clients from the server. OpenVPN Control can control the status of multiple servers simultaneously.
OpenVPN Admin is a very user-friendly, complete OpenVPN client installation using a graphical administration tool for the creation of certificates and keys. You also can manage and manipulate a config file through check-boxes on the GUI. Connecting to a server obviously is just as easy.
OpenVPN Admin is available for Windows and Linux and requires mono.
XCA is a small CA with key management and a GUI.