OpenVPN connected, but no access to the Synology NAS then

[mm_user]

Hello,

We have a Synology NAS, that we'd like to have access to from anywhere. We successfully configured our NAS and our computers, so we can connect ourselves to the NAS' OpenVPN.

But, two problems :
1- On the MAC, it says that no new IP address has been attributed to the computer (we still use the casual one).
2- We don't know how to have access to the folders contained in the NAS. The public and private IP address of the NAS doesn't give access to anything, when we try to enter it in the navigator or in the Finder (\\ipaddress\\folder).

Could someone help us please?

[Traffic]

Please post a client log file ..

[mm_user]

Well, worked yesterday, doesn't work tomorrow.

Tue Apr 26 09:51:30 2016 OpenVPN 2.3.10 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Mar 10 2016
Tue Apr 26 09:51:30 2016 Windows version 6.2 (Windows 8 or greater)
Tue Apr 26 09:51:30 2016 library versions: OpenSSL 1.0.1s 1 Mar 2016, LZO 2.09
Tue Apr 26 09:51:34 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Apr 26 09:51:34 2016 Attempting to establish TCP connection with [AF_INET]80.13.xxx.xxx:1194 [nonblock]
Tue Apr 26 09:51:44 2016 TCP: connect to [AF_INET]80.13.xxx.xxx:1194 failed, will try again in 5 seconds: Le système a tenté de joindre un lecteur à un répertoire stocké sur un lecteur joint.
Tue Apr 26 09:51:59 2016 TCP: connect to [AF_INET]80.13.xxx.xxx:1194 failed, will try again in 5 seconds: Le système a tenté de joindre un lecteur à un répertoire stocké sur un lecteur joint.



External port 94 being opened on the router (internal port being 1194)

[Traffic]

External port 94 being opened on the router (internal port being 1194)

Attempting to establish TCP connection with [AF_INET]80.13.xxx.xxx:1194

• Setup portforwarding correctly ..

[mm_user]

We already tried with the external port being 1194 (internal port 94), it seemed like the logic thing to be, but it didn't work either. We saw on another tutorial that it needed to be the other way around, so we gave it a try, and, well, it worked yesterday. No longer today.

We just changed it. So, global config :

Router



VPN Server



Port number 1194 opened on our firewalls.

---

openvpn.ovpn :

dev tun
tls-client

remote 80.13.xxx.xxx 1194

# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect it's
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

#redirect-gateway def1

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

#dhcp-option DNS DNS_IP_ADDRESS

pull

# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto tcp-client

script-security 2

ca ca.crt

comp-lzo

reneg-sec 0

auth-user-pass


----------------------

(btw, the error message in english is " The system tried to join a drive to a directory on a joined drive ".)

If we use the private IP address (192.168.1.34) while we are on our private network, no problem, it works. What we want to do is use the public IP address (80.13.xxx.xxx), from anywhere (private network or anywhere else. We're currently testing on our private network). Thanks for your help.

[Traffic]

We already tried with the external port being 1194 (internal port 94)

• Use 1194 internal and external ..

[mm_user]

We just did that (on the screenshot)

[Traffic]

External port 94 being opened on the router (internal port being 1194)

We already tried with the external port being 1194 (internal port 94)

• I am not going to dignify this with an answer ..

Make sure your ds412plus is on the address you expect it to be (internally).

[mm_user]

Okay, so we tried :
- external port 1194, internal port 94. Didn't work.
- external port 94, internal port 1194. Worked yesterday.
- external port 1194, internal port 1194. Doesn't work.

And about the address I expect ds412plus to be :

[Pippin]

Check Firewall on Synology, you have to explicitly open the port on correct interface and off course also port-forward on the router.
First stick too the standard port 1194, all the way, you can change later if you wish.

Do restarts.....
Also do not connect from your LAN to your external IP.
Instead use a wifi-hotspot or hotspot from your phone which has wifi disabled.

[Traffic]

do not connect from your LAN to your external IP

@Pippin: Good advise (thanks)

@mm_user: perhaps your router does not support that kind of connection. (AKA: Loopback connection)

Make sure your ds412plus is on the address you expect it to be (internally).

And about the address I expect ds412plus to be .. {screenshot of router showing external IP address}

• The ds412plus will have an internal IP address .. probably assigned by DHCP, and you are expecting this:
  
  • Private IP address (192.168.1.34)
  Make sure it really is on that address.
  
  Also, make sure that is the address that the port-forward is pointing to.
  
  Finally, check your server log for connection attempts - Post details here.

[mm_user]

Ports on Synology are already opened :


We're many users on the server, we'll only be able to restart it at 1 p.m. (Paris hour) !

@mm_user: perhaps your router does not support that kind of connection. (AKA: Loopback connection)

Can we test that, to see if it's the case?

And yep, sorry, bad english from a french man, it's the public address (80.xxx.xxx.xxx) that we want to have access to from anywhere (we can have access to the private address from our local network, it works).

The VPN Server is configured for TCP (screenshot sent earlier).


We did change something : our router was doing the post-forward on the private address, we just changed that to the public one.

When you talk about the server log, you talk about the Synology's one, on the OpenVPN menu? If so, which one? There are many logs about the local connections we did (on 192.168.1.34), but none on any connection attempt..

[Pippin]

Welcome,

Finally, check your server log for connection attempts - Post details here.

That is not viewable in the WebUI on Synology.
It`s in /var/log/openvpn.log, WinSCP or SSH is needed, first enable SSH in WebUI.

[mm_user]

No sign of any openvpn.log :/

[Pippin]

Looks like you`re on DSM 6 ?
Navigate to:

Code: Select all

/usr/syno/etc/packages/VPNCenter/openvpn

and open

Code: Select all

openvpn.conf

add

Code: Select all

log /var/log/openvpn.log
verb 4

and save.
Restart the VPN by doing

Code: Select all

/volume1/@appstore/VPNCenter/scripts/openvpn.sh stop
/volume1/@appstore/VPNCenter/scripts/openvpn.sh start

Ignore the Warning about ca_bundle if you get it.
Or simply restart through WebUI.
Now you will have a openvpn.log in /var/log

No DSM 6 for me, it has too many problems/bugs and features that were poorly implemented.
I also read many users report problems with the VPN Center package.

it's the public address (80.xxx.xxx.xxx) that we want to have access to from anywhere

I still have a hunch that you are not connecting from outside your LAN to the 80.x.x.x IP

[mm_user]

Thanks, we're gonna do those changes later, we're configuring the R-Sync (we bought a new NAS, and we're trying to extract all the data from the old one to the new one), and we need to have a compatible version on both NAS.

I still have a hunch that you are not connecting from outside your LAN to the 80.x.x.x IP

We use the iPhone 4G connection on our PCs to try to connect to the 80.x.x.x IP (we checked that the iPhone isn't connected via Wi-Fi to the LAN).

[Pippin]

Just got a notice, the VPN Center package got a update for DSM 6:

Release notes

Version: 1.3.0-2734

(2016/04/26)
Fixed an L2TP/IPSec connection compatibility issue with Android 6.0 devices.
Fixed an issue where established PPTP link will disconnect because the assigned IP address has changed after update.
Fixed an issue where PPTP and L2TP connections become unstable and lose speed after update.
Fixed an issue where changing the openVPN certificate might fail.
Fixed an issue where VPN Server might not be accessed after DDNS daily update.

[mm_user]

Thanks, we're updating it now !

[doc. caliban]

May be completely unrelated, but last year I had the same issue and found that using "redirect-gateway def1" resolved the issue. I asked Synology if they were going to update their default config to avoid the same issue for people in the future and got mixed messages.

-Doc