Synology NAS, OpenVPN, and PfSense

Hello,

I’ve come here many times asking for thoughts, ideas, and help and figured someone might find this information useful. A while back I decided I wanted to invest in a 2nd Synology unit that I could have hosted at a family member's house, many states away, in the event my existing one died or was lost in a storm or fire.

I did not want to use Synology Cloud or any other packages, but wanted the remote NAS to use OpenVPN to tunnel back to my house so the main NAS could sync files to it when scheduled. I ran into a handful of issues and gave up for a bit, but finally got this working and figured the various things that resolved the issues were worth listing.

Issue #1 - Could not create a VPN profile within DSM 6.x and was getting errors saying "Operation Failed, Login to DSM and try again" (in Chrome) and "Invalid Parameters exist in the OVPN file, please use a different OVPN file" (in IE).

  • What I discovered was that when using the OpenVPN client export tool, it puts in a parameter for ncp-ciphers. I’ve never had any issues with these profiles not working. They work on Windows, Android, Linux, etc. I contacted Synology to figure out which parameters were failing, with little response from them, so I removed them one by one until it quit complaining. Here is the response from Synology, which leads me to believe this might not be an issue later down the road, albeit some of the other things I list next might break with a new version of DSM.

The parameter “ncp-ciphers” is not supported in the current OpenVPN client on the NAS, and we would expect that it would be supported in DSM 7.0.

Issue #2 - The OpenVPN client required me to manually connect it after a reboot.

  • This was relatively easy to accomplish by using the steps I found on this page.

Issue #3 - Now that I had the VPN tunnel connecting at startup, I ran into this issue: if the NAS lost connectivity to my OpenVPN server for any reasonable amount of time, it would not auto-reconnect and required a reboot, by me calling a family member.

  • I did a few different things here, but the last one really seemed to keep this reliable. First, I came across this page (it’s in French but understandable, or can be translated). I set my reconnect_times to 500 and interval to 60.

That step seemed to help, but I discovered that sometimes the DSM software doesn’t actually realize the tunnel is down. That’s when I found this script.

I have put the script above in place and created a scheduled task that currently runs every 15 minutes, and it has not failed me yet. In that script, there is a configuration parameter that is relatively new, VPN_CHECK_METHOD. I changed it from dsm_status to gateway_ping. That way, even if DSM says the tunnel is up, it will try to ping the VPN tunnel's gateway, and if that fails, it kills the synovpnc process and restarts it.

VPN tunnels reconnecting with Synology DSM has been an ongoing issue for years, and with the articles and scripts listed above, this seems to be the best solution for me so far and hasn’t let me down yet.

Hope someone finds this information helpful if they are trying to set up a remote NAS over an OpenVPN tunnel into pfSense.

5 Likes
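As an added illustration of the gateway_ping approach described in the post above (this is example code written for this page, not the script the post links to and not anything shipped by Synology), here is a minimal watchdog in the same shape: ask DSM what it thinks, ping the far end of the tunnel, and only trust the ping. The decision logic is kept in its own function so it can be reasoned about without a NAS. Assumptions not confirmed by the thread: the synovpnc subcommands `get_conn`, `kill_client` and `reconnect --protocol=... --name=...`, that `get_conn` prints an "Uptime" line while a tunnel is established, the profile name `home-pfsense`, and the `run` argument used to start the check from a scheduled task.

```shell
#!/bin/sh
# vpn-watchdog.sh: constructed example of a "gateway_ping" style check for
# the DSM OpenVPN client. Not the script referenced in the thread.
# Run from a DSM scheduled task as:  sh /volume1/scripts/vpn-watchdog.sh run

VPN_GATEWAY="${VPN_GATEWAY:-192.168.10.1}"            # tunnel far-end gateway (the address pinged in the thread's log)
VPN_PROFILE_NAME="${VPN_PROFILE_NAME:-home-pfsense}"  # hypothetical DSM profile name
VPN_PROTOCOL="${VPN_PROTOCOL:-openvpn}"
VPN_CHECK_METHOD="${VPN_CHECK_METHOD:-gateway_ping}"  # or dsm_status
PING_ATTEMPTS=3                                       # single pings before declaring the gateway dead
RECONNECT_WAIT=20                                     # seconds to let the client come up before re-checking
SYNOVPNC="${SYNOVPNC:-/usr/syno/bin/synovpnc}"        # assumed path of the DSM VPN client tool

log() { printf '%s [%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" "$2"; }

# Probe 1: what DSM believes. Assumes `synovpnc get_conn` prints an "Uptime"
# line only while a tunnel is established. Returns 0 when DSM says "connected".
dsm_reports_connected() {
    "$SYNOVPNC" get_conn 2>/dev/null | grep -q 'Uptime'
}

# Probe 2: does the far end actually answer? Several single pings, so one
# lost packet does not trigger a needless restart. Returns 0 when reachable.
gateway_reachable() {
    i=0
    while [ "$i" -lt "$PING_ATTEMPTS" ]; do
        if ping -c 1 -W 2 "$VPN_GATEWAY" >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Pure decision logic. Arguments: check method, DSM status (up|down),
# ping result (ok|fail). Prints "keep" or "reconnect".
decide_action() {
    method="$1"; dsm="$2"; ping_result="$3"
    case "$method" in
        dsm_status)
            if [ "$dsm" = "up" ]; then echo keep; else echo reconnect; fi ;;
        gateway_ping)
            # Trust the ping over DSM's own status: the thread's log shows DSM
            # reporting "connected" while the gateway does not answer.
            if [ "$ping_result" = "ok" ]; then echo keep; else echo reconnect; fi ;;
        *)
            echo reconnect ;;
    esac
}

# Restart the client. The exact synovpnc invocation is an assumption.
restart_vpn_client() {
    log W "Tunnel considered down, restarting the VPN client"
    "$SYNOVPNC" kill_client
    "$SYNOVPNC" reconnect --protocol="$VPN_PROTOCOL" --name="$VPN_PROFILE_NAME"
}

# Observe, decide, act once. Returns 0 if the tunnel is (now) healthy.
check_once() {
    if dsm_reports_connected; then dsm=up; else dsm=down; fi
    if gateway_reachable; then ping_result=ok; else ping_result=fail; fi
    log I "DSM status: $dsm, gateway $VPN_GATEWAY ping: $ping_result"

    action=$(decide_action "$VPN_CHECK_METHOD" "$dsm" "$ping_result")
    if [ "$action" = "keep" ]; then
        return 0
    fi
    restart_vpn_client
    sleep "$RECONNECT_WAIT"
    # Verify the restart actually restored the path, using the same probe.
    if gateway_reachable; then
        log I "VPN reconnected."
        return 0
    fi
    log E "Gateway still unreachable after restart."
    return 1
}

if [ "${1:-}" = "run" ]; then
    check_once
fi
```

Two design points worth noting: the restart is followed by the same reachability probe, so a run that kills the client and still cannot reach the gateway exits non-zero and shows up as a failed scheduled task rather than silently "succeeding"; and the gateway being pinged is the OpenVPN tunnel endpoint, not the NAS's LAN router, because the LAN gateway answers whether the tunnel is up or not.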

I have a very similar setup where I use a secondary Synology as an offsite backup. In order to pass data between the two I set up a ZeroTier network and joined both Synology devices to the ZeroTier network. They are able to talk to each other without issue and I did not make a single change to either side's router.

The only issue I ran into was maintaining the network link to ZeroTier over a reboot. A simple task command in the Synology took care of that. I can also connect my computer to the ZeroTier network and then access the offsite Synology anytime.

1 Like

I’ve added some timestamps and had this spit out some logging, but when I cut the head end of the VPN off, DSM shows connected. This is where that third link is awesome.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2021-05-22 — 03-05-02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[I] There is 1 VPN profile. Continuing…
[I] Synology DSM reports VPN is connected.
[W] The gateway IP 192.168.10.1 did not respond to ping.
[I] Attempting to reconnect…

kill client …OK
get arguemnt id: o1621618229
[I] Synology DSM reports VPN is connected.
[I] The gateway IP 192.168.10.1 responded to ping.
[I] VPN successfully reconnected. Exiting…

Excellent post. Thank you!
This has me wondering if this would have been easier with a site-to-site VPN between the pfSense boxes (assuming you have pfSense boxes on both sides) and then having rules so that only the Synology devices have access to the tunnel. That would also give you direct access to the remote device’s UI. I’ve been thinking about doing something similar for direct access to the servers in my co-lo without needing to kick up a VPN instance, just have never gotten around to setting it up.

1 Like

I do not have a pfSense box on the other side, that was my pain point. Anyways, I live in NC and deployed this NAS in Toledo, OH a month ago… it’s been rock solid thus far.

Edit: This method does give me direct access to the device UI and all shares on it via its OpenVPN IP address, 192.168.40.30.

Guess you solved your problem.

However, you could have set up OpenVPN on a Raspberry Pi 4 as a low-cost option for an always-on device. Though pfSense on both ends gives much better control/options for OpenVPN. The problem with the applications on QNAP or Synology is that you have to wait until they have updated / deployed it. pfSense is pretty good at keeping OpenVPN updated, clients and servers.

BTW, if you’ve added a pfSense on the other end I’d add your OpenVPN to the Watchdog; it should then hopefully restart if it stops for some reason.

Edit:

I did not put a Pi in place on purpose.

This was specifically about how to keep DSM from Synology connected to an OpenVPN tunnel to a pfSense box without site-to-site.

I’d love to hear your feedback on that…

I was in a similar situation with a remote site and my QNAP NAS, which also has an OpenVPN application. However, at that time I was using an Asus router with OpenVPN.

Just like you I didn’t want to go to the remote site to restart OpenVPN to bring up the connection.

In your shoes, there are still a few things you could do without spending any money.

It sounds like you have the NAS OpenVPN client connecting to your OpenVPN server on pfSense. I’d set up a second OpenVPN server on your NAS and a client on your pfSense. With two tunnels you have some redundancy at least.

I still think these implementations of OpenVPN by QNAP / Synology are a bit iffy; you could spin up a headless VM with OpenVPN’s remote access server, which is free for 2 clients, then add the client to your pfSense.

I was looking to see how you could have several OpenVPN servers in a group so that if one went down the other could be used. I wasn’t successful in that, but I did see that pfSense has something that might be this in their next release.