howto, IOS openVPN client & Synology

[stekki]

I know there are a lot of people here struggling (including myself) to get the IOS OpenVpn client working with their Synology server. Yesterday I finally found out (after days of trial and error) how it works...

There are several steps to follow and a bit of modding in the Synology server via Telnet.

1. First, we will generate new keys and certs, I used this website (http://www.carbonwind.net/VPN/XCA_OpenV ... N.htm#toMm), very easy!! Here, you can download the tool to make the CA, certs and keys.
Please follow all steps, first you will create a CA.
With this CA you will create certs and keys. You can skip the Netscape part(s) and the Diffie-Hellman part.
After doing this, you export the PEM and CERT files you just created. Rename the PEM files to KEY files.

2. Now you need to copy all those files in two directories. (/var/packages/VPNCenter/target/etc/openvpn/keys AND /usr/syno/etc/packages/VPNCenter/openvpn/keys). I have DSM4.2, don't know if other versions have other paths to the 'key and cert' directories. I used the USB port on the Synology to copy/transfer the files from my pc. I advise to firstly create a new directory on a USB stick, in this case I created 'keys'. Here you can store all keys and certs you just made with the tool. So copy the files to the keys directory on the stick.

First, enable the Telnet access in your Control Panel by going to Terminal.
Log in your Synology with 'root' and use your admin password.
Go to the USB directory: cd /volumeUSB1/usbshare/keys
Copy all the files to the 2 directories:
cp *.key *.cert /var/packages/VPNCenter/target/etc/openvpn/keys
cp *.key *.cert /usr/syno/etc/packages/VPNCenter/openvpn/keys

3. Now we have to tell the server where the new files are located and which certs and keys he's got to use
Those parameters are located in the openvpn.conf file in this directory: /usr/syno/etc/packages/VPNCenter/openvpn
Type, cd /usr/syno/etc/packages/VPNCenter/openvpn I made a backup of this file by renaming to openvpnOLD.conf.
To do this, you type: mv openvpn.conf openvpnOLD.conf
Now, we got to edit this file, it is easier to edit on a pc, so we got to copy this file to the USB stick to transfer to the pc.
Type, cp openvpnOLD.conf /volumeUSB1/usbshare/
Next step, edit this file with notepad on your pc. Two parts must be edited, tell the server where keys and certs are located.
ca /var/packages/VPNCenter/target/etc/openvpn/keys/'file name of CA you created'
cert /var/packages/VPNCenter/target/etc/openvpn/keys/'file name of server crt you created'
key /var/packages/VPNCenter/target/etc/openvpn/keys/'file name of server key you created'
AND change the reneg-sec 0 parameter to renege-sec 3600.
Now save this file to openvpn.conf
Insert the USB stick with the edited file in your Synology and go back to telnet.
Copy this file to the directory: cp openvpn.conf /usr/syno/etc/packages/VPNCenter/openvpn

4. Now, we are going to edit the client openvpn.conf file. (you will retrieve this file while doing an export in the config screen of VPN server, OpenVPN settings, export settings. The other files that come with the export can be deleted). We will copy/paste the newly generated keys and certs and CA in this file. Again, this is easier on the pc in notepad. 3 things are edited:
First the server address where the client has to connect to. remote 'ip address' 'portnumber'
Secondly we change reneg-sec 0 parameter to renege-sec 3600.
And lastly we copy the CA, cert and key files into this single file. These are the client files you created in the beginning.
Again, open in notepad the .key .crt and CA client files. Copy the content like this:

<ca>
------BEGIN CERTIFICATE-----
------END CERTIFICATE------
</ca>

<cert>
------BEGIN CERTIFICATE-----
------END CERTIFICATE------
</cert>


<key>
-------BEGIN RSA PRIVATE KEY------
-------END RSA PRIVATE KEY-------
</key>

Save your file. Now, put this file on your iPhone via iTunes.

Stop/Start your OpenVpn Server in your Control Panel (VERY IMPORTANT, otherwise he will not take the right config) et voilà this should work!!

Now enjoy your app!

[vuwuwuv]

Thank you so very much for making this work for me!

This made it work for me over my LAN but what I really wanted was of course over 3G/4G. PPTP from iOS worked over both the mobile carriers (Sweden: Telia and 3 aka Tre) I use but never OpenVPN to my Synology NAS (DS412+/DSM4.2). So I tried changing proto from udp to tcp in the config file "openvpn.conf" on both the NAS and the one pushed to Openvpn Connect on iOS over iTunes and now OpenVPN works over my mobile nets as well! Tried it with both carriers from an iPhone 5 and an iPad 3 with the same results, UDP doesn't work and TCP works fine.

Thanks again and I hope this will be equally useful for someone.

[Daiki]

Hi,
Thanks a lot for your guide! Following it helped me much and allowed me to set openvpn on my iphone with my Synology nas.
Now i'd have to set it up on my computer but for some reason it doesn't work :s

i created a clientB key and cert, as explained for the clientA(iphone)
then modified the downloaded config file from Synology (change the ip, change udp to tcp, reneg from 0 to 3600 and pasted the CA, and cert and key for the clientB
then copied that config file in the config folder of openvpn
(the openvpn client installed from this link: http://swupdate.openvpn.org/community/r ... x86_64.exe )

Do you have an idea on how to solve it?

Thanks in advance,
BR

[jamesyonan]

Some of the issues running OpenVPN Connect with Synology may be caused by Synology's use of PKCS#8 private keys which were not supported by PolarSSL until 1.2.8.

The upcoming OpenVPN Connect for iOS version 1.0.2 will support PolarSSL 1.2.8 and PKCS#8 private keys.

If you have an Android device, you can get a sneak-preview of this capability with the newly released OpenVPN Connect for Android version 1.1.12 which is built with PolarSSL 1.2.8.

James

[MC7]

Any idea on a release date for 1.0.2?

From reading several posts, it looks like the promise of this release goes back to at least May 31, 2013 and September is closing in fast!

There appears to be several workarounds to get OpenVPN and Synology to properly work together, but not having to edit files would certainly be welcome!

[Daiki]

Hello,
Stupid idea: i updated the VPN Center Package...
and now can't connect with OpenVPN anymore; nor from my computer nor my iPhone :s

i uninstalled, deleted everything, reinstalled, re configure following this guide
always connecting, then timeout.... :s

Anyone experienced the same issue?

Hope someone can help me and all stupid updaters:)

BR
David

[Daiki]

Hello

just to make sure:

the crt and key to put in the openvpn file (the one uploaded to the iphone): those are:
- CA (of the server of course)
- CRT (of the client, not the server!?)
- KEY (of the client, or the server?)

Thanks in advance,
BR

[lolex]

just to make sure:

the crt and key to put in the openvpn file (the one uploaded to the iphone): those are:
- CA (of the server of course)
- CRT (of the client, not the server!?)
- KEY (of the client, or the server?)

CRT and KEY of the client. The CA belongs neither to a server nor a client, but is used to sign all the other certificates of servers and clients.

[Daiki]

Thank you Lolex
i finally got it working
- uninstalled the package
delete the packages/vpncenter folders in both USR and VAR folders
- download and install the previous version of vpncenter
- follow the procedure above
and voilà:)

[age]

cp *.key *.cert /var/packages/VPNCenter/target/etc/openvpn/keys
cp *.key *.cert /usr/syno/etc/packages/VPNCenter/openvpn/keys

In regards to the above quote, should it say crt instead or cert? my files that is exported from XCA is .crt extention.

So is it:

cp *.key *.crt /var/packages/VPNCenter/target/etc/openvpn/keys
cp *.key *.crt /usr/syno/etc/packages/VPNCenter/openvpn/keys

or

cp *.key *.cert /var/packages/VPNCenter/target/etc/openvpn/keys
cp *.key *.cert /usr/syno/etc/packages/VPNCenter/openvpn/keys

thanks!