Install OpenVPN on QNAP

From the NAS Wiki

Preliminary remarks

---> German version / Deutsche Version

OpenVPN - what is it?

  • OpenVPN provides a secure, encrypted connection to a remote computer or network over the internet.
  • OpenVPN is available for Windows, Linux and Mac and comes with OS-independent, graphical administration tools for both server and client.
  • OpenVPN is not compatible with the VPN client built into Windows. Once installed and configured, however, it is just as simple to use: the tunnel is opened with a mouse click.
  • OpenVPN is a complex program with extensive configuration options, far more than are described here. If you want to get more out of OpenVPN, see the further reading at the end of this HOWTO.

The aim of this guide

This HOWTO guides you through a complete installation of an OpenVPN server on your NAS, so that you can reach your NAS securely from the internet with multiple clients and use all of the services the NAS provides.
In addition, you will set up an OpenVPN client on a Windows PC and use that PC to create all necessary certificates and keys.

On which devices will OpenVPN work?

This howto was designed to work on the following devices:

QNAP

  • TS-109 (pro/II)
  • TS-209 (pro/II)
  • TS-409 (pro)

(Firmware 2.1.4 causes problems with autostart; a workaround is described here.)


Raidsonic

  • IB-NAS1000-B
  • IB-NAS2000-B
  • IB-NAS2001-B
  • IB-NAS4210-B
  • IB-NAS4220-B

Disclaimer

Any manipulation of the system is at your own risk.

What you need

  • One of the NAS devices listed above, with its SSH server enabled.
  • A Windows PC on which to create the keys, with PuTTY and WinSCP installed.
  • Knowledge of how to connect to your NAS via SSH with PuTTY and WinSCP.
  • A DynDNS account and the knowledge of how to use it, so that your home network can be reached from anywhere on the internet.
  • Knowledge of how to forward a port on the modem/router of your home network.
  • Note: the # sign in front of a command is the prompt as it appears in the console. Do not copy and paste it when entering a command.
  • Raidsonic: an open firmware with package support through "new_software". IB-NAS4210-B users can download an unofficial open firmware from here.


SSH login details:

  Device      login username   login password
  QNAP        admin            admin password
  Raidsonic   root             admin password

Installation

Install Qpkg optware / ipkg on the NAS

QNAP:

  • Log in to the administration web page.
  • -> System Tools -> qpkg -> Get qpkg -> Optware ipkg
  • Choose the package that matches your device, download it and save it on your computer.
  • -> System Tools -> qpkg -> Select (select the package) -> Upload (confirm)

The box installs ipkg automatically and restarts. Afterwards, go back to the same page, open ipkg and click "Enable" if the status shows that it is not enabled yet.

Raidsonic:

Install OpenVPN on the NAS

  • Start PuTTY (or any other SSH client) and connect to your NAS:
 # ipkg update 

(If this produces the error message "-sh: ipkg: command not found", reboot the box and try again.)

 # ipkg list | grep openvpn

should show a line like this (as of Sep. 2009):

openvpn - 2.1_rc15-1 - SSL-based VPN server with Windows client support

  • Install OpenVPN:
 # ipkg install openvpn 

After a successful installation, enter

 # openvpn 

This should print OpenVPN's list of command-line options. If an error message appears ("... command not found"), reboot and try again.

Then create the log files and the directory for the kernel module:

# cd /opt/etc/openvpn
# mkdir log
# cd log
# touch openvpn.log
# touch status.log
# mkdir /opt/etc/openvpn/modules

Install the missing tun.ko module

OpenVPN needs the tun kernel module to create its virtual network interface. On the QNAP firmware of the time (Dec. 2008) this module is not installed by default.

  • Download the zip file for your model: TS-109/TS-209 or TS-409. (If you have a TS-219P, tun.ko is already present in /opt/lib/modules/2.6.22.18/kernel/drivers/net/tun.ko.) The module must match the kernel of your firmware; a module built for a different kernel refuses to load.
  • Unpack the .zip file.
  • Connect to the box using WinSCP.
  • Copy tun.ko to /opt/etc/openvpn/modules.

Now mount the flash configuration partition and create or edit the file autorun.sh there. The firmware runs this script on every boot, so it is the place from which tun.ko gets loaded automatically. (Some posts call this "autostart"; the file name on the flash partition is autorun.sh.)

 # mount -t ext2 /dev/mtdblock5 /tmp/config 
  • If you already have your own autorun.sh, merge the lines of the autorun.sh provided here into it. Do not use Windows Notepad for this under any circumstances: it saves Windows line endings and produces a script the box cannot run.
  • If you have never used autorun.sh before, simply copy the provided autorun.sh with WinSCP to /tmp/config.
  • Make the file executable: F9 in WinSCP or right-click -> Properties: 0755, or type chmod +x autorun.sh in PuTTY.
  • Unmount the flash partition (PuTTY):
 # umount /tmp/config 
  • Reboot.

After every boot the tun module should now be loaded automatically. Check this after a restart in PuTTY:

 # lsmod 

should show a line similar to this:

tun 8896 0 - Live 0xbf0370000

If tun does not show up even though /dev/net/tun exists, increase the number of seconds in the sleep command at the beginning of autorun.sh (the script waits for the box to finish booting before it loads the module). Up to 30 seconds can be necessary, depending on the model.



If you know how to configure openVPN and generate your own keys, you are done by now.
Otherwise, just go on.


Install OpenVPN on the PC

Key generation

To establish a secure connection over the internet you need a set of certificates and keys. A simple and straightforward way is to create them on the Windows PC with the easy-rsa scripts that come with the OpenVPN Windows installer, so install OpenVPN (including the easy-rsa component) on the PC first. Note that the easy-rsa version of the time defaults to 1024-bit RSA keys and 1024-bit Diffie-Hellman parameters; these sizes are no longer considered adequate, so set KEY_SIZE=2048 in vars.bat before you start (the DH file is then called dh2048.pem; adjust the dh line of the server configuration accordingly).

Preparation

  • Open a Windows command prompt (-> Start -> Run -> cmd) and enter the following commands:
 # cd \Program Files\OpenVPN\easy-rsa 
 # init-config 
  • Edit the file vars.bat:

Using Windows Explorer (or WinSCP), navigate to C:\Program Files\OpenVPN\easy-rsa\ and open vars.bat in an editor. Edit the last few lines to match your own requirements. A batch file takes everything after the = literally, so write the assignments without spaces around the = sign. The following is just an example:

 set KEY_COUNTRY=DE            (DE = Germany)
 set KEY_PROVINCE=YourProvince
 set KEY_CITY=YourCity
 set KEY_ORG=QNAP-OpenVPN      (or a server name of your choice)
 set KEY_EMAIL=example@example.com
  • Now enter the following commands in the same console window (vars only sets the variables for that window):
 # vars 
 # clean-all

clean-all empties the keys directory. Run it only once, at the beginning; running it later would delete the certificates you have already issued.

Create the certificate authority

 # build-ca 

You will be prompted for the fields of the distinguished name. Because vars.bat was edited beforehand, its values are offered as defaults and you can simply confirm them by pressing Return. (If the defaults shown are not your values, vars was not run in this console window; run it again and repeat build-ca.)
When the Common Name is asked for, enter a name of your choice. It identifies your certificate authority and need not be the server's host name.

The output looks something like this:

 Generating a 1024 bit RSA private key 
 ............++++++ 
 ...........++++++ 
 writing new private key to 'ca.key' 
 ----- 
 You are about to be asked to enter information that will be incorporated 
 into your certificate request. 
 What you are about to enter is what is called a Distinguished Name or a DN. 
 There are quite a few fields but you can leave some blank 
 For some fields there will be a default value, 
 If you enter '.', the field will be left blank. 
 ----- 
 Country Name (2 letter code) [KG]: 
 State or Province Name (full name) [NA]: 
 Locality Name (eg, city) [BISHKEK]: 
 Organization Name (eg, company) [OpenVPN TEST]: 
 Organizational Unit Name (eg, section) []: 
 Common Name (eg, your name or your server's hostname) []:      <--- Enter the name of your CA here
 Email Address [me@myhost.mydomain]: 


Generate the server key

 # build-key-server server 

Enter "server" as the Common Name and answer the two questions that follow (sign the certificate, commit) with "y".

Generate client keys

Each client gets its own certificate and key.

 # build-key client1 

generates a certificate and key for the client named client1. When asked for the Common Name, enter client1. Run the command once for each client (i.e. every other PC that needs to connect to your VPN) with a distinct name; the Common Name is what the server logs when that client connects.

Generate Diffie-Hellman parameters

 # build-dh 

This takes a while (up to several minutes, depending on the performance of the PC).
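To make visible what build-ca, build-key-server, build-key and build-dh actually do, here is the same key set created directly with openssl from a Linux or Mac shell (or Git Bash on Windows). This is an added example and not the HOWTO's procedure or an easy-rsa script. It assumes openssl is on the PATH, uses the names from this HOWTO (ca, server, client1), 2048-bit keys instead of the 1024-bit default of the easy-rsa version shown, and adds an extendedKeyUsage of serverAuth or clientAuth so that a client can tell the server's certificate from another client's. KEYDIR, DN_BASE and the file name make-keys.sh are assumed values.

```shell
#!/bin/sh
# Added example: the easy-rsa steps (build-ca, build-key-server, build-key, build-dh)
# done directly with openssl. Not part of the HOWTO or of easy-rsa.
# Assumptions: openssl on the PATH; files are written to $KEYDIR (default ./keys);
# the subject fields below play the role of KEY_COUNTRY etc. in vars.bat.
KEYDIR=${KEYDIR:-./keys}
DN_BASE="/C=DE/ST=Province/L=City/O=QNAP-OpenVPN"   # assumed values, edit to taste
DAYS=3650

# build-ca: a self-signed CA certificate. ca.key never leaves the signing PC.
build_ca() {
    mkdir -p "$KEYDIR"
    openssl req -x509 -new -nodes -newkey rsa:2048 -days "$DAYS" \
        -subj "$DN_BASE/CN=QNAP-OpenVPN-CA" \
        -keyout "$KEYDIR/ca.key" -out "$KEYDIR/ca.crt" 2>/dev/null
    chmod 600 "$KEYDIR/ca.key"
}

# build-key-server / build-key: a key pair plus a certificate signed by the CA.
# $1 = common name (server, client1, ...), $2 = server | client.
# The extendedKeyUsage value is what lets the other side check the role of the
# certificate it is shown (OpenVPN: remote-cert-tls server / client).
build_key() {
    name=$1; role=$2
    case "$role" in
        server) eku=serverAuth ;;
        client) eku=clientAuth ;;
        *) echo "role must be server or client" >&2; return 1 ;;
    esac
    openssl req -new -nodes -newkey rsa:2048 -subj "$DN_BASE/CN=$name" \
        -keyout "$KEYDIR/$name.key" -out "$KEYDIR/$name.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
        "$eku" > "$KEYDIR/$name.ext"
    openssl x509 -req -days "$DAYS" -in "$KEYDIR/$name.csr" \
        -CA "$KEYDIR/ca.crt" -CAkey "$KEYDIR/ca.key" -CAcreateserial \
        -extfile "$KEYDIR/$name.ext" -out "$KEYDIR/$name.crt" 2>/dev/null
    chmod 600 "$KEYDIR/$name.key"
    rm -f "$KEYDIR/$name.csr" "$KEYDIR/$name.ext"
}

# build-dh: Diffie-Hellman parameters for the server (slow, can take minutes).
build_dh() {
    openssl dhparam -out "$KEYDIR/dh2048.pem" 2048 2>/dev/null
}

# Check before copying anything to the NAS: does $1.crt chain to ca.crt, and
# does it carry the role $2? Returns 0 only if both hold.
verify_cert() {
    name=$1; role=$2
    openssl verify -CAfile "$KEYDIR/ca.crt" "$KEYDIR/$name.crt" >/dev/null 2>&1 || return 1
    case "$role" in
        server) pattern='TLS Web Server Authentication' ;;
        client) pattern='TLS Web Client Authentication' ;;
        *) return 1 ;;
    esac
    openssl x509 -in "$KEYDIR/$name.crt" -noout -text | grep -q "$pattern"
}

# The common name of $1.crt: what the server logs as [client1] on connect.
cert_cn() {
    openssl x509 -in "$KEYDIR/$1.crt" -noout -subject | sed 's/.*CN *= *//'
}

# Usage: sh make-keys.sh make client1 client2 ...   (make-keys.sh is an assumed file name)
if [ "${1:-}" = "make" ]; then
    shift
    build_ca
    build_key server server
    for c in "$@"; do build_key "$c" client; done
    build_dh
fi
```

Run it once with the argument make followed by the client names; afterwards verify_cert is the check to run before copying server.crt to the NAS or handing client1.crt to a client. Because the DH file produced here is dh2048.pem, the dh line of the server configuration must point to that name instead of dh1024.pem.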

Distribute the keys

On the PC in C:\Program Files\OpenVPN\easy-rsa\keys you will find these files:

  file         required by            use                          secret
  ca.crt       server + all clients   root CA certificate          no
  ca.key       signing PC only        root CA private key          YES
  dh1024.pem   server only            Diffie-Hellman parameters    no
  server.crt   server only            server certificate           no
  server.key   server only            server private key           YES
  client1.crt  client1 only           client1 certificate          no
  client1.key  client1 only           client1 private key          YES


The client's own files are already in the right place on the PC.

  • Copy the files the server needs (ca.crt, dh1024.pem, server.crt, server.key) with WinSCP to this directory on the NAS (choose the binary transfer mode if prompted):

/share/HDA_DATA/optware/opt/etc/openvpn/keys

  (this is the directory the server configuration below refers to as /opt/etc/openvpn/keys)

  • Set the permissions of the private key server.key to 0600 (owner read/write only; a private key is never executable). ca.key stays on the PC and must never be copied to the NAS: whoever holds it can issue certificates that your server will accept.

Configuration

Scenario

Assume the following network scenario as an example. (Edit the IP addresses in your own config files according to your needs.)

  • The home network is accessible via DynDNS.
  • The address of the home network is 192.168.4.0/255.255.255.0
  • The NAS has the IP address 192.168.4.7
  • The OpenVPN server creates a virtual network 10.8.0.0/255.255.255.0 (VPN tunnel)
  • The IP address of the server is 10.8.0.1, the clients receive 10.8.0.x addresses from the server.

Server configuration

  • A # sign marks a comment: anything after it on that line is ignored and can be deleted.
  • Lines beginning with ";" are optional settings that are switched off. Activate one, if needed, by deleting the ";".
  • Navigate with WinSCP to /opt/etc/openvpn and create the file easy.conf
  • Copy and paste the following configuration and edit it where appropriate:
# OpenVPN server configuration QNAP NAS
# basic settings
port 1194
proto udp
dev tun
#
# measure the usable mtu if the connection is slow
; mtu-test
#
# set the mtu explicitly, if necessary
; tun-mtu xyz
#
# address pool of the tunnel network; the server takes the first address (10.8.0.1)
server 10.8.0.0 255.255.255.0
#
# route pushed to the clients so that they reach the home network through the tunnel
push "route 192.168.4.0 255.255.255.0"   #  <--- enter the address of your home network here!
#
# certificates & keys
dh /opt/etc/openvpn/keys/dh1024.pem
ca /opt/etc/openvpn/keys/ca.crt
cert /opt/etc/openvpn/keys/server.crt
key /opt/etc/openvpn/keys/server.key
#
# data compression (must be set on both sides; the OpenVPN project no longer recommends compressing VPN traffic)
comp-lzo
#
# allow several clients to be connected at the same time with the same common name,
# i.e. with copies of one certificate. Better: give every client its own certificate.
; duplicate-cn
#
# let clients "see" each other through the tunnel
; client-to-client
#
# keepalive: ping every 15 seconds, consider the link dead after 120 seconds without a reply
keepalive 15 120
#
# verbosity of the status messages in the console. Activate for debugging (1-9 possible)
; verb 5
#
# log files
; status /share/HDA_DATA/optware/opt/etc/openvpn/log/status.log
; log-append /share/HDA_DATA/optware/opt/etc/openvpn/log/openvpn.log
# 
# run as daemon (activate once everything works)
; daemon
#
# management interface, reachable only from the NAS itself. It has no password here,
# so any process on the NAS can control the server through it. Access with "telnet localhost 7505"
management localhost 7505

Client configuration

  • Navigate to C:\Program Files\OpenVPN\config on your PC (C:\Programme\OpenVPN\config on a German Windows) and create the file easyclient.ovpn
  • Copy and paste the following and edit it where appropriate:
# connect to the QNAP OpenVPN server
# 
proto udp
dev tun
tls-client
remote supernetwork.dyndns.org 1194  #  <--- enter your DynDNS host name here!
pull
# set the mtu, if necessary
; tun-mtu xyz
#
# keep retrying the DNS lookup of the host name; do not bind to a fixed local port
resolv-retry infinite
nobind
# keep the key material and the tun device across reconnects
persist-key
persist-tun
# certificates and keys
# Note the doubled \\ in the paths of a Windows config; a path containing spaces must be quoted
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.key"
#
# data compression (must match the server)
comp-lzo

One caveat: with this configuration the client accepts any certificate signed by your CA as the server's, including a certificate issued to another client. OpenVPN can be told to insist on a server certificate (the ns-cert-type server option in OpenVPN 2.0, remote-cert-tls server from 2.1 on); the OpenVPN HOWTO linked under "Further reading" describes this.

Port forward

Set up a port forward on your router / modem / cable modem, or whatever device manages the connection to the internet: forward UDP port 1194 to the NAS (192.168.4.7 in the example). Only this one UDP port needs to be open; all services of the NAS are then reached through the tunnel.

If you did not yet set up a dynDNS account, now it is time to do so.

Test run

Server

  • Start the OpenVPN server in PuTTY:
 # cd /opt/etc/openvpn 
 # openvpn easy.conf 

This produces output like this (the last line is the one to look for):

 Mon Dec 8 03:52:22 2008 OpenVPN 2.1_rc9 arm-none-linux-gnueabi [SSL] [LZO1] [epoll] built on May 19 2008 
 Mon Dec 8 03:52:22 2008 TUN/TAP device tun0 opened 
 Mon Dec 8 03:52:22 2008 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500 
 Mon Dec 8 03:52:22 2008 UDPv4 link local (bound): [undef]:1194 
 Mon Dec 8 03:52:22 2008 UDPv4 link remote: [undef] 
 Mon Dec 8 03:52:22 2008 Initialization Sequence Completed

Client

  • If you are testing with a laptop at home, it is better to use a separate internet connection for the client (e.g. a UMTS modem), because connecting to your own public address from inside the home network often does not work.
  • Start OpenVPN by right-clicking easyclient.ovpn.

This produces some additional lines in the console output of the server:

 Mon Dec 8 03:59:52 2008 194.24.158.8:20955 Re-using SSL/TLS context 
 Mon Dec 8 03:59:52 2008 194.24.158.8:20955 LZO compression initialized 
 Mon Dec 8 03:59:54 2008 194.24.158.8:20955 [client1] Peer Connection Initiated with 122.23.157.8:20955 
  • In the Windows taskbar, a new symbol (two red or green screens) will appear. By right-clicking it, you can control the OpenVPN client connection.
  • In Windows an additional LAN connection is generated with an ip-address of the address space 10.8.0.0.

Check the connection

  • In the Windows command prompt of the client, enter:
 # ping 10.8.0.1 

The server should reply.

A ping from the server to the client is possible in principle if you disable or open the Windows firewall for testing. It is not needed for OpenVPN to work, though, so the firewall should stay up.

  • Open Windows Explorer on the client PC.
  • Enter the IP address of the NAS in the address bar. In this scenario this would be \\192.168.4.7
  • The Windows shares of the NAS should now be listed and accessible.
  • If all went well, it's definitely time for a beer!

Final configuration

Adjust the server config

  • Open a second PuTTY session and stop the server:
 # killall openvpn 
  • Edit easy.conf and activate daemon (remove the ";").
  • If you want a log file, activate log-append (and status) as well. With daemon active, nothing is printed to the console any more, so the log is the only place where errors show up.
  • Restart the server as described above.


Autostart

If you like, OpenVPN can be started automatically at boot.

  • QNAP: open autorun.sh on the flash partition as described above (mount /dev/mtdblock5 on /tmp/config).
  • Raidsonic: open /public/applications/openvpn/init in an editor.
  • Add the following line at the end of the script:
(sleep 12; /opt/sbin/openvpn /opt/etc/openvpn/easy.conf)&

The sleep gives the box time to mount the optware directory and to load tun.ko before OpenVPN starts. If, after a reboot, the command ps in PuTTY does not show a line like this in the list of running processes

1108 admin      1800 S   /opt/sbin/openvpn /opt/etc/openvpn/easy.conf

OpenVPN is not running. Try a larger value in the sleep command (sleep 30 is enough in most cases; how long is needed depends on how many processes the box has to start at boot).
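The autorun.sh used earlier to load tun.ko and the line just added both rely on a guessed sleep. The following complete autorun.sh does both jobs and instead waits for the things it needs. It is an added example, not the file distributed with this page: it assumes the paths used in this HOWTO (/opt/etc/openvpn/modules/tun.ko, /opt/sbin/openvpn, /opt/etc/openvpn/easy.conf, the log directory created above), that the firmware executes the script under the name autorun.sh, and that busybox provides insmod and mknod.

```shell
#!/bin/sh
# autorun.sh for the QNAP flash partition (/tmp/config): added example, not the
# file provided by the HOWTO. Loads tun.ko, makes sure /dev/net/tun exists and
# then starts OpenVPN as a daemon. Paths follow this HOWTO (assumed); the fixed
# "sleep 12" is replaced by waiting until the optware tree is actually mounted.
MODULE=/opt/etc/openvpn/modules/tun.ko
OPENVPN=/opt/sbin/openvpn
CONF=/opt/etc/openvpn/easy.conf
LOG=/opt/etc/openvpn/log/openvpn.log

# Wait until $1 exists, at most $2 seconds. Returns 0 = present, 1 = timed out.
wait_for_path() {
    path=$1; limit=$2; waited=0
    while [ ! -e "$path" ]; do
        if [ "$waited" -ge "$limit" ]; then return 1; fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Returns 0 if the tun module is listed in /proc/modules (the file lsmod reads).
# The file can be overridden with $1 for testing.
tun_loaded() {
    grep -q '^tun ' "${1:-/proc/modules}" 2>/dev/null
}

# Load tun.ko unless it is already in the kernel, then create the device node
# if the firmware does not provide it (tun is character device major 10, minor 200).
load_tun() {
    tun_loaded || insmod "$MODULE" || return 1
    if [ ! -c /dev/net/tun ]; then
        mkdir -p /dev/net
        mknod /dev/net/tun c 10 200
        chmod 600 /dev/net/tun
    fi
}

# daemon + log-append on the command line: once detached, the log file is the
# only place where errors show up.
start_openvpn() {
    "$OPENVPN" --config "$CONF" --daemon --log-append "$LOG"
}

main() {
    # optware lives on the data disk, which is mounted late in the boot sequence
    wait_for_path "$OPENVPN" 60 || { echo "autorun: $OPENVPN not found, giving up"; return 1; }
    wait_for_path "$MODULE" 10 || { echo "autorun: $MODULE not found, giving up"; return 1; }
    load_tun || { echo "autorun: could not load tun"; return 1; }
    start_openvpn
}

# Only act when executed as the boot script, so the functions above can be
# sourced or tested without touching the kernel.
case "$(basename "$0")" in autorun.sh) main ;; esac
```

After a reboot, lsmod should list tun and ps should show the openvpn process as before; if not, the messages printed by main end up in the boot log rather than on a console, so check openvpn.log first.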


You now have a VPN server running on your NAS that lets you connect and log in remotely, use all of its services and access its shares.


More OpenVPN

Administration

Telnet Management Interface

The management interface lets you control the running VPN server.

  • Connect to the NAS through SSH.
  • Enter telnet localhost 7505
  • help lists the available commands; status shows the logged-on clients and their parameters. The interface is unauthenticated and bound to localhost, so it is reachable by anything running on the NAS, but not from the network.

GUI

OpenVPN GUI
  • OpenVPN GUI is a handy windows-tool to open and close a VPN tunnel by a single mouse-click.
  • gopenvpn does pretty much the same for Linux.
  • Tunnelblick is a complete graphic OpenVPN client for Mac.
OpenVPN Control

OpenVPN Control is a small, sleek, graphical OpenVPN server control tool for Windows, Linux and Mac. Through the VPN or an SSH tunnel it can also connect to a remote server.
It shows the "status" information of the management interface and can forcibly disconnect clients from the server. OpenVPN Control can monitor several servers at the same time.

OpenVPN Admin

OpenVPN Admin is a very user-friendly, complete OpenVPN client installation with a graphical administration tool for creating certificates and keys. The config file can also be managed through check boxes in the GUI, and connecting to a server is just as easy.

OpenVPN Admin is available for Windows and Linux and requires Mono.

XCA

XCA is a small CA with key management and a GUI.

Extras

OpenVPN Extras

Problems and Solutions

OpenVPN auf QNAP - Troubleshooting

Further reading

  • An English HOWTO for an earlier version of OpenVPN on QNAP can be found here, which is where I found the kernel module.
  • Everything about OpenVPN can be found at OpenVPN. There is a good HOWTO and a mini HOWTO.