I have been working on my QNAP for approx. 5 hours now. First some trouble with the new OpenVPN on Windows 7, but finally I got everything working.
After reading lots of posts by other unfortunate QNAP owners, I got my setup like this:
This is the server:
# OpenVPN server configuration, QNAP NAS
# Basic settings
port 1194
proto udp
dev tun
#
# Sets the IP addresses of the underlying VPN connection
server 10.8.0.0 255.255.255.0
#
; mtu-test # determine the MTU value if the transfer is very slow
; tun-mtu xyz # set the MTU value if necessary
#
# Route
push "route 192.168.0.0 255.255.255.0" # <--- enter the IP of the home network here!
#
# Keys and certificates
dh /opt/etc/openvpn/keys/dh1024.pem
ca /opt/etc/openvpn/keys/ca.crt
cert /opt/etc/openvpn/keys/nasserver.crt
key /opt/etc/openvpn/keys/nasserver.key
#
# Data compression
comp-lzo
#
# Allows several clients to connect with the same common name
duplicate-cn
#
# Different clients can see each other
#client-to-client
#
# Keepalive
keepalive 15 120
#
# Messages in the console (1-9 possible; enable for troubleshooting)
verb 5
mute 30 # stop logging after 30 identical entries until something changes
#
# Log
status /opt/etc/openvpn/log/status.log
log-append /opt/etc/openvpn/log/openvpn.log
#
# Run as daemon (only enable once everything is set up and running)
daemon
#
# Management interface, reachable via "telnet localhost 7505"
management localhost 7505

This is the client:
# connect to QNAP OpenVPN Server
#
proto udp
dev tun
tls-client
remote XXXXXXXXXXXXX 1194 # <--- enter your DynDNS account here
pull
# set the MTU value if necessary
; tun-mtu xyz
#
resolv-retry infinite
nobind
persist-key
persist-tun
# Certificates and keys
# Note the doubled \\ in the path for a Windows config
ca "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\client1.crt"
key "C:\\Program Files (x86)\\OpenVPN\\easy-rsa\\keys\\client1.key"
#
comp-lzo
verb 3

Client log:
Wed Jan 11 00:30:32 2012 OpenVPN 2.1.4 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 8 2010
Wed Jan 11 00:30:32 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Jan 11 00:30:32 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Jan 11 00:30:33 2012 LZO compression initialized
Wed Jan 11 00:30:33 2012 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jan 11 00:30:33 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Jan 11 00:30:34 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jan 11 00:30:34 2012 Local Options hash (VER=V4): '41690919'
Wed Jan 11 00:30:34 2012 Expected Remote Options hash (VER=V4): '530fdded'
Wed Jan 11 00:30:34 2012 UDPv4 link local: [undef]
Wed Jan 11 00:30:34 2012 UDPv4 link remote: XXXXXXXXXXX:1194
Wed Jan 11 00:30:34 2012 TLS: Initial packet from XXXXXXXXXX:1194, sid=c5077818 4145a1da
Wed Jan 11 00:30:34 2012 VERIFY OK: depth=1, /C=DE/ST=NRW/L=Paderborn/O=OpenVPN/CN=nasserver/emailAddress=x@sdfsdfsdf.de
Wed Jan 11 00:30:34 2012 VERIFY OK: depth=0, /C=DE/ST=NRW/O=OpenVPN/CN=nasserver/emailAddress=x@sdfsdf.de
Wed Jan 11 00:30:35 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jan 11 00:30:35 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 11 00:30:35 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jan 11 00:30:35 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 11 00:30:35 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jan 11 00:30:35 2012 [nasserver] Peer Connection Initiated with XXXXXXXXXXX:1194
Wed Jan 11 00:30:37 2012 SENT CONTROL [nasserver]: 'PUSH_REQUEST' (status=1)
Wed Jan 11 00:30:37 2012 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 10.8.0.1,topology net30,ping 15,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Wed Jan 11 00:30:37 2012 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jan 11 00:30:37 2012 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jan 11 00:30:37 2012 OPTIONS IMPORT: route options modified
Wed Jan 11 00:30:37 2012 ROUTE default_gateway=192.168.222.220
Wed Jan 11 00:30:37 2012 TAP-WIN32 device [LAN-Verbindung 3] opened: \\.\Global\{E88F04E7-A336-49A7-B19E-20BF0A36124F}.tap
Wed Jan 11 00:30:37 2012 TAP-Win32 Driver Version 9.7
Wed Jan 11 00:30:37 2012 TAP-Win32 MTU=1500
Wed Jan 11 00:30:37 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {E88F04E7-A336-49A7-B19E-20BF0A36124F} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Wed Jan 11 00:30:37 2012 Successful ARP Flush on interface [48] {E88F04E7-A336-49A7-B19E-20BF0A36124F}
Wed Jan 11 00:30:42 2012 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Wed Jan 11 00:30:42 2012 C:\WINDOWS\system32\route.exe ADD 192.168.0.0 MASK 255.255.255.0 10.8.0.5
Wed Jan 11 00:30:42 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Jan 11 00:30:42 2012 Route addition via IPAPI succeeded [adaptive]
Wed Jan 11 00:30:42 2012 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Wed Jan 11 00:30:42 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Jan 11 00:30:42 2012 Route addition via IPAPI succeeded [adaptive]
Wed Jan 11 00:30:42 2012 Initialization Sequence Completed
Server log:
Wed Jan 11 00:30:21 2012 us=126435 Current Parameter Settings:
Wed Jan 11 00:30:21 2012 us=126739 config = '/opt/etc/openvpn/openvpn.conf'
Wed Jan 11 00:30:21 2012 us=126788 mode = 1
Wed Jan 11 00:30:21 2012 us=126832 persist_config = DISABLED
Wed Jan 11 00:30:21 2012 us=126875 persist_mode = 1
Wed Jan 11 00:30:21 2012 us=127057 show_ciphers = DISABLED
Wed Jan 11 00:30:21 2012 us=127103 show_digests = DISABLED
Wed Jan 11 00:30:21 2012 us=127145 show_engines = DISABLED
Wed Jan 11 00:30:21 2012 us=127186 genkey = DISABLED
Wed Jan 11 00:30:21 2012 us=127228 key_pass_file = '[UNDEF]'
Wed Jan 11 00:30:21 2012 us=127270 show_tls_ciphers = DISABLED
Wed Jan 11 00:30:21 2012 us=127312 Connection profiles [default]:
Wed Jan 11 00:30:21 2012 us=127354 proto = udp
Wed Jan 11 00:30:21 2012 us=127395 local = '[UNDEF]'
Wed Jan 11 00:30:21 2012 us=127437 local_port = 1194
Wed Jan 11 00:30:21 2012 us=127478 remote = '[UNDEF]'
Wed Jan 11 00:30:21 2012 us=127519 remote_port = 1194
Wed Jan 11 00:30:21 2012 us=127561 remote_float = DISABLED
Wed Jan 11 00:30:21 2012 us=127601 bind_defined = DISABLED
Wed Jan 11 00:30:21 2012 us=127643 bind_local = ENABLED
Wed Jan 11 00:30:21 2012 us=127685 connect_retry_seconds = 5
Wed Jan 11 00:30:21 2012 us=127727 connect_timeout = 10
Wed Jan 11 00:30:21 2012 us=127768 connect_retry_max = 0
Wed Jan 11 00:30:21 2012 us=127809 socks_proxy_server = '[UNDEF]'
Wed Jan 11 00:30:21 2012 us=127851 socks_proxy_port = 0
Wed Jan 11 00:30:21 2012 us=127892 socks_proxy_retry = DISABLED
Wed Jan 11 00:30:21 2012 us=127933 Connection profiles END
Wed Jan 11 00:30:21 2012 us=127975 remote_random = DISABLED
Wed Jan 11 00:30:21 2012 us=128016 ipchange = '[UNDEF]'
Wed Jan 11 00:30:21 2012 us=128058 dev = 'tun'
Wed Jan 11 00:30:21 2012 us=128099 NOTE: --mute triggered...
Wed Jan 11 00:30:21 2012 us=128157 187 variation(s) on previous 30 message(s) suppressed by --mute
Wed Jan 11 00:30:21 2012 us=128201 OpenVPN 2.2.0 arm-none-linux-gnueabi [SSL] [LZO2] [EPOLL] [eurephia] built on Apr 28 2011
Wed Jan 11 00:30:21 2012 us=129294 MANAGEMENT: TCP Socket listening on 127.0.0.1:7505
Wed Jan 11 00:30:21 2012 us=129696 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Wed Jan 11 00:30:21 2012 us=129781 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Jan 11 00:30:21 2012 us=154464 Diffie-Hellman initialized with 1024 bit key
Wed Jan 11 00:30:21 2012 us=155317 WARNING: file '/opt/etc/openvpn/keys/nasserver.key' is group or others accessible
Wed Jan 11 00:30:21 2012 us=156813 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jan 11 00:30:21 2012 us=156976 Socket Buffers: R=[112640->131072] S=[112640->131072]
Wed Jan 11 00:30:21 2012 us=157430 ROUTE default_gateway=192.168.0.1
Wed Jan 11 00:30:21 2012 us=158029 TUN/TAP device tun0 opened
Wed Jan 11 00:30:21 2012 us=158123 TUN/TAP TX queue length set to 100
Wed Jan 11 00:30:21 2012 us=158256 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Wed Jan 11 00:30:21 2012 us=161881 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Wed Jan 11 00:30:21 2012 us=164874 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jan 11 00:30:21 2012 us=166184 UDPv4 link local (bound): [undef]:1194
Wed Jan 11 00:30:21 2012 us=166361 UDPv4 link remote: [undef]
Wed Jan 11 00:30:21 2012 us=166429 MULTI: multi_init called, r=256 v=256
Wed Jan 11 00:30:21 2012 us=166862 IFCONFIG POOL: base=10.8.0.4 size=62
Wed Jan 11 00:30:21 2012 us=172553 Initialization Sequence Completed
Wed Jan 11 00:30:33 2012 us=876162 MULTI: multi_create_instance called
Wed Jan 11 00:30:33 2012 us=876349 cl.ie.nt.ip:60020 Re-using SSL/TLS context
Wed Jan 11 00:30:33 2012 us=876480 cl.ie.nt.ip:60020 LZO compression initialized
Wed Jan 11 00:30:33 2012 us=877138 cl.ie.nt.ip:60020 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jan 11 00:30:33 2012 us=877214 cl.ie.nt.ip:60020 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jan 11 00:30:33 2012 us=877503 cl.ie.nt.ip:60020 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Wed Jan 11 00:30:33 2012 us=877555 cl.ie.nt.ip:60020 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Wed Jan 11 00:30:33 2012 us=877657 cl.ie.nt.ip:60020 Local Options hash (VER=V4): '530fdded'
Wed Jan 11 00:30:33 2012 us=877733 cl.ie.nt.ip:60020 Expected Remote Options hash (VER=V4): '41690919'
RWed Jan 11 00:30:33 2012 us=877967 cl.ie.nt.ip:60020 TLS: Initial packet from cl.ie.nt.ip:60020, sid=cde3e340 4a0275eb
WRRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRRRRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWed Jan 11 00:30:34 2012 us=442381 cl.ie.nt.ip:60020 VERIFY OK: depth=1, /C=DE/ST=NRW/L=Paderborn/O=OpenVPN/CN=nasserver/emailAddress=x@sdfsdfsdf.de
Wed Jan 11 00:30:34 2012 us=443182 cl.ie.nt.ip:60020 VERIFY OK: depth=0, /C=DE/ST=NRW/O=OpenVPN/CN=nasserver/emailAddress=mail@host.domain
WRWRWRWWWWRWRWRWRWRWRWRWRRRRWRWRWRWed Jan 11 00:30:34 2012 us=610850 cl.ie.nt.ip:60020 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jan 11 00:30:34 2012 us=610939 XXXXXXXXXXX:60020 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 11 00:30:34 2012 us=611118 XXXXXXXXXXXXX:60020 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jan 11 00:30:34 2012 us=611186 XXXXXXXXXXXX:60020 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
WWWRRRWed Jan 11 00:30:34 2012 us=654752 cl.ie.nt.ip:60020 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jan 11 00:30:34 2012 us=654854 XXXXXXXXXXX:60020 [nasserver] Peer Connection Initiated with XXXXXXXXXXXXX:60020
Wed Jan 11 00:30:34 2012 us=655078 nasserver/XXXXXXXXXXXX:60020 MULTI: Learn: 10.8.0.6 -> nasserver/XXXXXXXXXXXX:60020
Wed Jan 11 00:30:34 2012 us=655144 nasserver/XXXXXXXXXXXXXXX:60020 MULTI: primary virtual IP for nasserver/XXXXXXXXXX:60020: 10.8.0.6
WWWWWWRWed Jan 11 00:30:37 2012 us=368385 nasserver/XXXXXXXXXXXXXx:60020 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jan 11 00:30:37 2012 us=368572 nasserver/XXXXXXXXXX:60020 SENT CONTROL [nasserver]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 10.8.0.1,topology net30,ping 15,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
WWWWRRRRwRwRwWRwRwRwRwRwrWRwRwrWRwRwRwWRwRwRwRwRwRwWRwRwRwRwRwWWWWWRwWRwRwRwRWwRwRwRwWRwRwRwRwWRwRwRwRwWRwWWWWWWRwRwRwRwWRwRwRwRwWRwRwRwRwWRwRwRwRwWRwWWWWWWRwRwRwRwWRwRwRwWRwRwRwRwWRwRwRwRwRWwWWWWWWRwRwRwRwWRwRwRwRwRWwRwRwRwWRwRwRwRwWRwWWWWWWRwRwRwRwWRwRwRwWRwRwRwRwWRwRwRwRwWRwWWWWWWRwRwRwRwWRwRwRwRwRWwRwRwRwWRwRwRwRWwRwWWWWWWRwRwRwRwWRwRwRwWRwRwRwRwWRwRwRwRwWRwWWWWWWRwRwRwRwWRwRwRwRwWRwRwRwRwWRwRwRwWRwRwWWRwWWWWRwRwRwWRwRwRwRWwRwRwRwRWwRwRwRwRWwRwWWWWWW[/]
- Client <-> QNAP VPN server <-> other host (e.g. Apple TV)
- Client can ping the Apple TV
- Client can NOT ping the QNAP VPN server on its LAN IP (192.168...)
- Client can ping the QNAP VPN server on its VPN IP (10.8....)
I need access to the machine via its normal IP, because when I am at home I want to use the machine's IP directly, and when I am not at home I want to use it via VPN.
Just to let you know:
- IP forwarding has been activated on the QNAP
- the QNAP is NOT the router. For this I am using a separate router, but it does have a static IP entry pointing the 10.8.x.x network to the LAN IP of the QNAP VPN server.
These are the routing tables:
Client:
===========================================================================
Schnittstellenliste
48...00 ff e8 8f 04 e7 ......TAP-Win32 Adapter V9
24...00 27 13 c4 dd 45 ......Bluetooth-Gerät (PAN) #2
22...00 24 d7 47 8b 51 ......Microsoft Virtual WiFi Miniport Adapter #4
21...00 24 d7 47 8b 51 ......Microsoft Virtual WiFi Miniport Adapter #3
20...00 24 d7 47 8b 50 ......Intel(R) Centrino(R) Ultimate-N 6300 AGN
19...88 ae 1d b2 f1 5e ......Intel(R) 82577LM Gigabit Network Connection
1...........................Software Loopback Interface 1
44...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter
45...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #2
42...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #4
41...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #5
18...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
46...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #7
===========================================================================
IPv4-Routentabelle
===========================================================================
Aktive Routen:
Netzwerkziel Netzwerkmaske Gateway Schnittstelle Metrik
0.0.0.0 0.0.0.0 192.168.222.220 192.168.222.60 20
10.8.0.1 255.255.255.255 10.8.0.5 10.8.0.6 30
10.8.0.4 255.255.255.252 Auf Verbindung 10.8.0.6 286
10.8.0.6 255.255.255.255 Auf Verbindung 10.8.0.6 286
10.8.0.7 255.255.255.255 Auf Verbindung 10.8.0.6 286
127.0.0.0 255.0.0.0 Auf Verbindung 127.0.0.1 306
127.0.0.1 255.255.255.255 Auf Verbindung 127.0.0.1 306
127.255.255.255 255.255.255.255 Auf Verbindung 127.0.0.1 306
192.168.0.0 255.255.255.0 10.8.0.5 10.8.0.6 30
192.168.222.0 255.255.255.0 Auf Verbindung 192.168.222.60 276
192.168.222.60 255.255.255.255 Auf Verbindung 192.168.222.60 276
192.168.222.255 255.255.255.255 Auf Verbindung 192.168.222.60 276
224.0.0.0 240.0.0.0 Auf Verbindung 127.0.0.1 306
224.0.0.0 240.0.0.0 Auf Verbindung 192.168.222.60 276
224.0.0.0 240.0.0.0 Auf Verbindung 10.8.0.6 286
255.255.255.255 255.255.255.255 Auf Verbindung 127.0.0.1 306
255.255.255.255 255.255.255.255 Auf Verbindung 192.168.222.60 276
255.255.255.255 255.255.255.255 Auf Verbindung 10.8.0.6 286
===========================================================================
Ständige Routen:
Netzwerkadresse Netzmaske Gatewayadresse Metrik
192.168.99.0 255.255.255.0 10.0.0.1 1
192.168.0.0 255.255.255.0 10.0.8.1 1
192.168.0.0 255.255.255.0 10.0.8.6 1
===========================================================================
IPv6-Routentabelle
===========================================================================
Aktive Routen:
If Metrik Netzwerkziel Gateway
1 306 ::1/128 Auf Verbindung
19 276 fe80::/64 Auf Verbindung
48 286 fe80::/64 Auf Verbindung
19 276 fe80::5d2a:6ba7:3363:d606/128 Auf Verbindung
48 286 fe80::9999:dec1:f103:32d9/128 Auf Verbindung
1 306 ff00::/8 Auf Verbindung
19 276 ff00::/8 Auf Verbindung
48 286 ff00::/8 Auf Verbindung
===========================================================================
Ständige Routen:
Keine
Server (QNAP):
[/] # route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.2 * 255.255.255.255 UH 0 0 0 tun0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
224.0.0.0 * 240.0.0.0 U 0 0 0 eth0
default fritz.box 0.0.0.0 UG 0 0 0 eth0
Thanks in advance!
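As an added diagnostic that is not part of the original post: the Python script below parses excerpts of the two routing tables posted above (the Windows "route print" output, whose German "Auf Verbindung" column means on-link, and the NAS's net-tools "route" output) and does a longest-prefix lookup in each direction, so you can confirm from the tables alone that the client sends 192.168.0.x into the tunnel and that the NAS has a return route to the client's VPN address over tun0. It also collects the WARNING lines from the posted OpenVPN logs. The tunnel endpoint 10.8.0.5, the interface name tun0 and the sample addresses are taken from the logs above; the function names and the sample target 192.168.0.20 are my own.

```python
import ipaddress

# Constructed excerpts copied from the two routing tables posted above.
# Client side: Windows "route print", German locale ("Auf Verbindung" = on-link).
CLIENT_ROUTES = """\
0.0.0.0 0.0.0.0 192.168.222.220 192.168.222.60 20
10.8.0.1 255.255.255.255 10.8.0.5 10.8.0.6 30
10.8.0.4 255.255.255.252 Auf Verbindung 10.8.0.6 286
192.168.0.0 255.255.255.0 10.8.0.5 10.8.0.6 30
192.168.222.0 255.255.255.0 Auf Verbindung 192.168.222.60 276
"""

# Server side: Linux net-tools "route" on the NAS.
SERVER_ROUTES = """\
10.8.0.2 * 255.255.255.255 UH 0 0 0 tun0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
default fritz.box 0.0.0.0 UG 0 0 0 eth0
"""

# Constructed sample of log lines, copied from the client and server logs above.
SAMPLE_LOG = """\
Wed Jan 11 00:30:32 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Jan 11 00:30:33 2012 LZO compression initialized
Wed Jan 11 00:30:21 2012 us=155317 WARNING: file '/opt/etc/openvpn/keys/nasserver.key' is group or others accessible
"""


def parse_windows_routes(text):
    """Return (network, gateway, interface, metric) tuples from 'route print' lines."""
    routes = []
    for line in text.splitlines():
        p = line.split()
        if len(p) < 5:
            continue
        if p[2] == "Auf":  # "Auf Verbindung" is two tokens and means on-link
            if len(p) < 6:
                continue
            gw, iface, metric = "on-link", p[4], int(p[5])
        else:
            gw, iface, metric = p[2], p[3], int(p[4])
        try:
            net = ipaddress.IPv4Network(f"{p[0]}/{p[1]}", strict=False)
        except ValueError:
            continue  # header, separator or non-IPv4 line
        routes.append((net, gw, iface, metric))
    return routes


def parse_linux_routes(text):
    """Return the same tuple shape from net-tools 'route' output."""
    routes = []
    for line in text.splitlines():
        p = line.split()
        if len(p) < 8:
            continue
        dest = "0.0.0.0" if p[0] == "default" else p[0]
        gw = "on-link" if p[1] == "*" else p[1]
        try:
            net = ipaddress.IPv4Network(f"{dest}/{p[2]}", strict=False)
        except ValueError:
            continue
        routes.append((net, gw, p[7], int(p[4])))
    return routes


def lookup(routes, ip):
    """Longest-prefix match, ties broken by the lower metric; None if no route."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for r in routes:
        if addr in r[0] and (
            best is None
            or r[0].prefixlen > best[0].prefixlen
            or (r[0].prefixlen == best[0].prefixlen and r[3] < best[3])
        ):
            best = r
    return best


def check_path(client_routes, server_routes, client_vpn_ip, target_ip,
               tunnel_gw="10.8.0.5", tunnel_iface="tun0"):
    """Forward leg: does the client hand target_ip to the server's tunnel endpoint?
    Return leg: does the server route the client's VPN address back out of tun0?
    The defaults for tunnel_gw and tunnel_iface come from the posted logs."""
    fwd = lookup(client_routes, target_ip)
    back = lookup(server_routes, client_vpn_ip)
    return {
        "forward_network": str(fwd[0]) if fwd else None,
        "forward_gateway": fwd[1] if fwd else None,
        "return_iface": back[2] if back else None,
        "tunneled": bool(fwd and back and fwd[1] == tunnel_gw and back[2] == tunnel_iface),
    }


def openvpn_warnings(log_text):
    """Collect the text after 'WARNING:' from OpenVPN log lines for review."""
    return [line.split("WARNING: ", 1)[1]
            for line in log_text.splitlines() if "WARNING: " in line]


if __name__ == "__main__":
    client = parse_windows_routes(CLIENT_ROUTES)
    server = parse_linux_routes(SERVER_ROUTES)
    print(check_path(client, server, "10.8.0.6", "192.168.0.20"))
    for w in openvpn_warnings(SAMPLE_LOG):
        print("WARNING:", w)
```

If both legs resolve to the tunnel (as they do for the excerpts above), the routing tables themselves are not what blocks the ping to the NAS's LAN address, and the next things to check lie outside what the tables show, such as a firewall on the NAS or reverse-path filtering on its interfaces. The two WARNING lines are worth acting on independently of the routing question: the client currently accepts any certificate signed by the CA as the server, and the server's private key is readable by other local users.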
