OpenVPN Connect documentation?

Official client software for OpenVPN Access Server and OpenVPN Cloud.
whit
OpenVpn Newbie
Posts: 3
Joined: Fri Jul 27, 2012 9:12 pm

OpenVPN Connect documentation?

Post by whit » Mon Mar 11, 2013 5:14 pm

Glad to see this utility released!

Where can we find the documentation on it? If the docs are on OpenVPN.net, I can't find 'em. In particular, we'd like to know which server settings it's compatible with, and how to format the config files and get those installed correctly on both Android and iOS devices. We're running the community version of OpenVPN.

valmiles
OpenVpn Newbie
Posts: 1
Joined: Fri Jul 05, 2013 6:44 pm

Re: OpenVPN Connect documentation?

Post by valmiles » Fri Jul 05, 2013 6:48 pm

Below are my notes on setting up an iOS OpenVPN client with the OpenVPN server on a Synology NAS. Other OpenVPN servers are probably very similar.

There are several steps involved in setting up OpenVPN on a Synology NAS and an OpenVPN client on an iOS device. Unfortunately, many steps are manual, but nothing is overly complicated once you know what needs to be done.

Here is a high-level overview of the key steps:
1. Generate Public Key Infrastructure (PKI) keys and certificates
a. OpenVPN uses Public Key Infrastructure (PKI) certificates and associated keys to secure client-server communication. While Synology has provisioned its own keys and certificates, it is the same set of keys and certificates that all Synology NAS users have, so it is highly recommended to generate your own.
2. Configure the OpenVPN server to use the correct keys and certificates and also set a few other configuration items.
3. Configure the OpenVPN client on an iOS device to use the correct keys and certificates.
4. Open a hole in your firewall (FW) to allow the OpenVPN client to communicate with the OpenVPN server.
5. Start using OpenVPN

1. Generating PKI keys and certificates:
General Background Information (you can skip this if you are not interested in the concepts): PKI is based on a hierarchical model where one entity can generate certificates for another entity, while the lower-level entity can generate certificates for other entities below it. The lowest-level entity is called a subscriber; it cannot generate any certificates, it just uses them. The top-most entity is called the Root Certificate Authority (CA); all entities in the middle are called Intermediate CAs. When a certificate is generated by a CA, it is also digitally signed. A digital signature is nothing more (or less) than computing a hash (digest) over the certificate fields, then encrypting the hash value with the private key of the issuing CA.

Root CA –issues cert-> Intermediate CA1 –issues cert-> Intermediate CA2 –issues certs->Subscribers

PKI is based on asymmetric, public key cryptography, where two keys are generated at the same time: a private key and a public key. The private key is kept private, and the public key is added to the certificate, signed by a CA, and made available to the public. Public key cryptography has the property that data encrypted with the private key can be decrypted with the public key and vice versa. Private key encryption is used for digital signatures: a successful decryption provides proof of private key possession and therefore of the identity of the signer. Encryption with the public key is used for data encryption for confidentiality; only the private key owner can decrypt the data.

Steps to Generate Certificates and Keys:
Now, back to the specifics of OpenVPN: it’ll let you use a flat CA->Subscriber hierarchy. It might be possible to have more levels, but I haven’t personally experimented with that, nor is it required for a simple home or home office configuration. We’ll have the following setup:

Root CA -> Server
->Client1
->Client2
->etc.

First, we need to generate a key and certificate for the Root CA. The Root CA signs its own certificate, so this process is straightforward. While I have seen discussion groups using OpenVPN to generate keys and certificates, I can’t confirm or deny that capability. I have used OpenSSL for that task. The Synology NAS has OpenSSL bundled with the DSM; however, I found it failing a few commands, and so I quickly transitioned to using a Windows-based OpenSSL. You can download it for multiple platforms at http://www.openssl.org/related/binaries.html

OpenSSL provides many command line tools for key and certificate management. By the way, OpenVPN uses OpenSSL for all of its cryptographic functions. Anyway, after installing OpenSSL for Windows (there are binaries available), I added “C:\OpenSSL-Win32\bin” (the default installation path) to the Path environment variable so that the OpenSSL binaries can be called from any directory. Then, in a DOS prompt, you can issue OpenSSL commands.

First step is to generate CA private and public keys:
openssl genrsa -des3 -out ca.key 1024

Second step is to generate what is called a Certificate Signing Request (CSR):
openssl req -new -key ca.key -out ca.csr

The CSR contains all the fields of the certificate to be signed, so the tool will ask you for what are called Distinguished Name (DN) items: Country (C=US), State (S=CA), etc. I’d recommend filling them out.

Third step is to generate CA self-signed certificate:

openssl x509 -days 3650 -signkey ca.key -in ca.csr -req -out ca.crt

At this point, you should be able to click on the ca.crt file in Windows and examine certificate fields.

The next phase of certificate generation is similar, but this time, we’ll use the CA certificate to sign the server certificate:

First step is to generate Server private and public keys:

openssl genrsa -out server.key 1024

Second step is to generate a CSR:
openssl req -new -key server.key -out server.csr

The Common Name (CN) should be set to the DNS name that you would use to access the OpenVPN server. I set mine to an IP address, since I access my OpenVPN server using a static IP Address. If you use a Domain Name to access your server, set it to that Domain Name.

Now generate signed certificate:

openssl x509 -days 3650 -CA ca.crt -CAkey ca.key -set_serial 01 -in server.csr -req -out server.crt

Repeat the above server certificate generation steps for one or more client certificates, one for each client device. I would recommend using a separate certificate for each client (e.g. iPhone, iPad, etc.). Replace all the server.* names with client1.* (or 2 or 3, etc.). Also use incremental serial numbers (-set_serial 02, 03, etc.). The CN field doesn’t need to correspond to the server DNS name.

Now, enable Telnet in the Synology Control Panel (make sure your NAS Telnet port is only accessible on your local home network, not from the Internet, i.e. TCP port 23 is blocked by your network firewall). You can now log in to the NAS using a Telnet client on Windows (or another platform). Use the “root” account (not the “admin” account) and your DSM “admin” account password to log in. If you log on with the “admin” username, you will get permission errors when manipulating the files. It appears that the DSM admin account password is also set by the DSM as the password for the root account logon.

Copy the following files to your NAS share from Windows (or other platform):
ca.crt
server.crt
server.key

From the Telnet prompt, change to the following directory:

/var/packages/VPNCenter/target/etc/openvpn/keys

Rename (using the Linux mv command) ALL the files with the same names as above to something else, e.g.:
mv ca.crt ca.crt_old

Copy the files from the share location (where you placed the files above), in my case /volume1/myshare, to the current directory:

cp /volume1/myshare/ca.crt .
cp /volume1/myshare/server.crt .
cp /volume1/myshare/server.key .
cp /volume1/myshare/client.crt .

This is strange but true with the OpenVPN port on the Synology NAS: the same files must also be copied to the following directory:

/usr/syno/etc/packages/VPNCenter/openvpn/keys
As with the copying step above, back up the old files just in case and copy the same files as above to this directory.

2. Configuring OpenVPN server
Unless you like the vi editor (I don’t), copy the OpenVPN configuration file to where you can get to it from another platform (e.g. Windows). In my case, it is /volume1/myshare:

Change to this directory:

/var/packages/VPNCenter/target/etc/openvpn

cp openvpn.conf /volume1/myshare/.

Now, you can open the shared directory in Windows or another platform and edit the file with an editor, e.g. WordPad or Notepad:

In the file, verify that the following lines represent your certificate and key file names:
ca /var/packages/VPNCenter/target/etc/openvpn/keys/ca.crt
cert /var/packages/VPNCenter/target/etc/openvpn/keys/server.crt
key /var/packages/VPNCenter/target/etc/openvpn/keys/server.key

Comment out the following statements by placing a # in front of each:

#client-cert-not-required
#username-as-common-name
#duplicate-cn

The above changes are required to use a client certificate for authentication of your iOS device in addition to a password.

Save the file, go back to the Telnet session, and copy the file back to the original location, overwriting the old file:

cp /volume1/myshare/openvpn.conf .

Restart the OpenVPN server from the DSM management console:

The last step is selecting “Export Configuration” and saving the files provided to where they can be accessed from iTunes.

Ensure that your “Privileges” configuration above has at least one user selected and you know the user name and password.

3. Configuring OpenVPN client:
Collect the following files to where your iTunes can get to them:
openvpn.ovpn
client.crt
client.key
ca.crt

Before deploying the openvpn.ovpn file to an iOS device, edit it to ensure:

1. remote YOUR_SERVER 1194
a. Has your Internet (WAN) IP address if a static address is used, or your DNS name otherwise

2. redirect-gateway
a. Uncomment this line; this forces ALL data to flow through the VPN when active

3. ca ca.crt
a. This line specifies your CA certificate filename

4. cert client.crt
a. This line specifies your client certificate filename

5. key client.key
a. This line specifies your client private key filename

Sample openvpn.ovpn file:

dev tun
tls-client

remote 98.235.174.287 1194

# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect its
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

redirect-gateway

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

#dhcp-option DNS DNS_IP_ADDRESS

pull

proto udp
script-security 2

comp-lzo

reneg-sec 0

auth-user-pass

ca ca.crt
cert client.crt
key client.key

Save the file.

Now, copy the above files from your system to the iOS device:
a. Attach the device to a system that has iTunes and import the above set of files.
b. Select your device in the left pane and then select the “Apps” tab
c. Find the OpenVPN application in the list under “File Sharing” and select it.

d. Once the files are loaded into iTunes, they can be imported into the iOS device by opening the OpenVPN app on the device and selecting import of the OpenVPN profile. Then sync the device with iTunes.

4. Opening a hole in your FW (Port Forwarding Router/Firewall Configuration)
In most home networks, your Synology NAS will be behind a firewall (FW). In order for the client to reach your NAS server, you need to allow incoming client packets to cross the FW. Log in to your FW and set up port forwarding rules for incoming UDP packets on port 1194.

5. Start Using OpenVPN
While your iOS device is outside of your home network, e.g. on the Verizon Wireless 3G network, open the OpenVPN application on your iOS device. Select the profile that you just imported above from the openvpn.ovpn file.

Enter the user name and password, then slide the On/Off connection switch to On. If you have done all the steps above correctly and the username and password match the server configuration, the device should connect and you’ll see a small VPN indicator in the topmost area of the screen.

I was not able to get the OpenVPN server to produce any detailed logs, even when setting the log level to 6. It’ll fail silently. I was able to review the FW logs to see that FW port forwarding was working correctly and passing the incoming iOS device packets to the NAS.

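The server edits in step 2 and the openvpn.ovpn checks in step 3 of the post above can be turned into a repeatable check that is run before a config is copied back to the NAS or onto the device. The following is an added example, not code from the post, from Synology or from OpenVPN. The two sample configs inside it are constructed (203.0.113.10 is a documentation address); the file names (ca.crt, server.crt, client.crt, client.key) and the three directives to comment out are taken from the post.

```python
# Added example, not code from the post, Synology, or OpenVPN: a small linter that
# applies the post's step 2 (server) and step 3 (client profile) checklist to config text.
# The sample configs at the bottom are constructed; file names follow the post.
import ipaddress
import re
from typing import List, Tuple

Directive = Tuple[str, List[str]]
IPV4_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_openvpn_config(text: str) -> List[Directive]:
    """Return (name, args) for every active line; lines starting with # or ; are comments."""
    directives: List[Directive] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # commented-out directive, exactly how the post disables options
        name, *args = line.split()
        directives.append((name, args))
    return directives


def _args_of(directives: List[Directive], name: str) -> List[List[str]]:
    """All argument lists for a directive; a bare directive yields [[]], which is truthy."""
    return [args for n, args in directives if n == name]


def _check_files(directives: List[Directive], expected, findings: List[str]) -> None:
    """Require ca/cert/key and make sure each references the operator's own file."""
    for name, filename in expected:
        values = _args_of(directives, name)
        if not values or not values[0]:
            findings.append(f"missing '{name}' directive")
        elif not values[0][0].endswith(filename):
            findings.append(f"'{name}' should reference {filename}, found {values[0][0]}")


def lint_server_config(text: str) -> List[str]:
    """Step 2: own certificate files, and client certificates actually required."""
    d = parse_openvpn_config(text)
    findings: List[str] = []
    _check_files(d, [("ca", "ca.crt"), ("cert", "server.crt"), ("key", "server.key")], findings)
    for name in ("client-cert-not-required", "username-as-common-name", "duplicate-cn"):
        if _args_of(d, name):
            findings.append(f"'{name}' is still active; comment it out so every client must present its own certificate")
    return findings


def lint_client_profile(text: str) -> List[str]:
    """Step 3: the openvpn.ovpn edits to make before the profile goes onto the device."""
    d = parse_openvpn_config(text)
    findings: List[str] = []
    remotes = _args_of(d, "remote")
    if not remotes or not remotes[0]:
        findings.append("missing 'remote HOST PORT' directive")
    else:
        host = remotes[0][0]
        if host == "YOUR_SERVER":
            findings.append("'remote' still contains the placeholder host")
        elif IPV4_LITERAL.match(host):
            try:
                ipaddress.IPv4Address(host)  # each octet must be 0-255
            except ValueError:
                findings.append(f"'remote' host is not a valid IPv4 address: {host}")
    if not _args_of(d, "redirect-gateway"):
        findings.append("'redirect-gateway' is commented out; traffic will not be forced through the VPN")
    _check_files(d, [("ca", "ca.crt"), ("cert", "client.crt"), ("key", "client.key")], findings)
    if not _args_of(d, "auth-user-pass"):
        findings.append("missing 'auth-user-pass'; the server also expects a username and password")
    return findings


# Constructed sample: openvpn.conf after the post's edits (paths as in the post).
SERVER_CONF_OK = """\
ca /var/packages/VPNCenter/target/etc/openvpn/keys/ca.crt
cert /var/packages/VPNCenter/target/etc/openvpn/keys/server.crt
key /var/packages/VPNCenter/target/etc/openvpn/keys/server.key
#client-cert-not-required
#username-as-common-name
#duplicate-cn
"""
# Constructed sample: the same file before editing, the three directives still active.
SERVER_CONF_BAD = SERVER_CONF_OK.replace("\n#", "\n")

# Constructed sample client profile; 203.0.113.10 is a documentation address.
CLIENT_PROFILE_OK = """\
dev tun
tls-client
remote 203.0.113.10 1194
redirect-gateway
proto udp
auth-user-pass
ca ca.crt
cert client.crt
key client.key
"""
# Constructed sample: an exported profile left untouched (placeholder host, gateway commented).
CLIENT_PROFILE_BAD = (CLIENT_PROFILE_OK
                      .replace("remote 203.0.113.10", "remote YOUR_SERVER")
                      .replace("\nredirect-gateway", "\n#redirect-gateway"))
```

Run lint_server_config on the openvpn.conf copied to the share before copying it back, and lint_client_profile on the exported openvpn.ovpn before it goes into iTunes; an empty list means the checklist passed. Only a leading # or ; counts as a comment, which matches how the post disables directives, and the IPv4 check catches a mistyped octet in the remote line before the device silently fails to connect.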