Openvpn Access Server Certificate

Set up VPN Server

With the VPN Server package, you can easily turn your Synology NAS into a VPN server to allow DSM users to remotely and securely access resources shared within the local area network of your Synology NAS. By integrating common VPN protocols - PPTP, OpenVPN and L2TP/IPSec - VPN Server provides options to establish and manage VPN services tailored to your individual needs. To choose any of the following types of VPN server and to enable VPN services on your Synology NAS, install and launch VPN Server.

Note:

  • Enabling VPN service affects the network performance of the system.
  • Only DSM users belonging to the administrators group can install and set up VPN Server.

PPTP

PPTP (Point-to-Point Tunneling Protocol) is a commonly used VPN solution supported by most clients (including Windows, Mac, Linux, and mobile devices). For more information about PPTP, refer to here.

To enable PPTP VPN server:

  1. Open VPN Server and then go to Settings > PPTP on the left panel.
  2. Tick Enable PPTP VPN server.
  3. Specify a virtual IP address of VPN server in the Dynamic IP address fields. Refer to About Dynamic IP Address below for more information.
  4. Set Maximum connection number to limit the number of concurrent VPN connections.
  5. Set Maximum number of connections with same account to limit the number of concurrent VPN connections with the same account.
  6. Choose either of the following from the Authentication drop-down menu to authenticate VPN clients:
    • PAP: VPN clients' passwords will not be encrypted during authentication.
    • MS-CHAP v2: VPN clients' passwords will be encrypted during authentication using Microsoft CHAP version 2.
  7. If you selected MS-CHAP v2 for authentication above, choose any of the following from the Encryption drop-down menu to encrypt VPN connection:
    • No MPPE: VPN connection will not be protected with the Microsoft Point-to-Point Encryption (MPPE) mechanism.
    • Optional MPPE: If the client enables MPPE mechanism, VPN connection will be protected with MPPE mechanism. Otherwise, VPN connection will not be protected.
    • Require MPPE: VPN connection will be protected with MPPE mechanism.
  8. Set MTU (Maximum Transmission Unit) to limit data packet size transmitted via the VPN.
  9. Tick Use manual DNS and specify the IP address of a DNS server to push DNS to PPTP clients. If this option is disabled, the DNS server used by the Synology NAS will be pushed to clients.
  10. Click Apply for the changes to take effect.

Note:

  • When connecting to the VPN, the authentication and encryption settings of VPN clients must be identical to the settings specified on VPN Server, or else clients will not be able to connect successfully.
  • To be compatible with most PPTP clients running Windows, Mac OS, iOS and Android operating systems, the default MTU is set to 1400. For more complicated network environments, a smaller MTU might be required. Try to reduce the MTU size if you keep receiving timeout error or experience unstable connections.
  • Please check the port forwarding and firewall settings on your Synology NAS and router to make sure TCP port 1723 is open.
  • Because PPTP VPN service is built into some routers, port 1723 might already be occupied. To ensure VPN Server works properly, you might need to disable the router's built-in PPTP VPN service through its management interface. In addition, some old routers block the GRE protocol (IP protocol 47), which will cause the VPN connection to fail. Using a router that supports VPN pass-through connections is recommended.

OpenVPN

OpenVPN is an open source solution for implementing VPN service. It protects the VPN connection with the SSL/TLS encryption mechanism. For more information about OpenVPN, visit here.

To enable OpenVPN VPN server:

  1. Open VPN Server and then go to Settings > OpenVPN on the left panel.
  2. Tick Enable OpenVPN server.
  3. Specify a virtual internal IP address of VPN server in the Dynamic IP address fields. Refer to About Dynamic IP Address below for more information.
  4. Set Maximum connection number to limit the number of concurrent VPN connections.
  5. Set Maximum number of connections with same account to limit the number of concurrent VPN connections with the same account.
  6. Tick Enable compression on the VPN link if you want to compress data during transfer. This option can increase transmission speed, but might consume more system resources.
  7. Tick Allow clients to access server's LAN to permit clients to access the server's LAN.
  8. Tick Enable IPv6 server mode to enable OpenVPN server to send IPv6 addresses. You will first need to get a prefix via 6in4/6to4/DHCP-PD in Control Panel > Network > Network Interface. Then select the prefix in this page.
  9. Click Apply for the changes to take effect.

Note:

  • VPN Server does not support bridge mode for site-to-site connections.
  • Please check the port forwarding and firewall settings on your Synology NAS and router to make sure UDP port 1194 is open.
  • When running OpenVPN GUI on Windows Vista or Windows 7, please note that UAC (User Account Control) is enabled by default. If enabled, you need to use the Run as administrator option to properly connect with OpenVPN GUI.
  • When enabling IPv6 server mode in Windows with OpenVPN GUI, please note the following:
    1. The interface name used by the VPN cannot have a space, e.g., LAN 1 needs to be changed to LAN1.
    2. The option redirect-gateway has to be set in the openvpn.ovpn file at the client side. If you do not want to set this option, you should set the DNS of the VPN interface manually. You may use Google IPv6 DNS: 2001:4860:4860::8888.
  • When Allow clients to access server's LAN is not ticked, VPN clients will still be able to access your server's LAN in the following situations:
    1. VPN server is set as the default gateway at the client side.
    2. Related routing rules are added manually at the client side.

To export configuration file:

Click Export Configuration. OpenVPN allows VPN server to issue an authentication certificate to the clients. The exported file is a zip file that contains ca.crt (certificate file for VPN server), openvpn.ovpn (configuration file for the client), and README.txt (simple instruction on how to set up OpenVPN connection for the client). For more information, refer to here.

Note:

  • Each time VPN Server runs, it will automatically copy and use the certificate shown at Control Panel > Security > Certificate. If you need to use a third-party certificate, please import the certificate at Control Panel > Security > Certificate > Action and restart VPN Server.
  • VPN Server will automatically restart each time the certificate file shown at Control Panel > Security > Certificate is modified.

L2TP/IPSec

L2TP (Layer 2 Tunneling Protocol) over IPSec provides virtual private networks with increased security and is supported by most clients (such as Windows, Mac, Linux, and mobile devices). For more information about L2TP, refer to here.

Note:

  • To use L2TP/IPSec, make sure your Synology NAS is running DSM 4.3 or later.

To enable L2TP/IPSec VPN server:

  1. Open VPN Server and then go to Settings > L2TP/IPSec on the left panel.
  2. Tick Enable L2TP/IPSec VPN server.
  3. Specify a virtual IP address of VPN server in the Dynamic IP address fields. Refer to About Dynamic IP Address below for more information.
  4. Set Maximum connection number to limit the number of concurrent VPN connections.
  5. Set Maximum number of connections with same account to limit the number of concurrent VPN connections with the same account.
  6. Choose either of the following from the Authentication drop-down menu to authenticate VPN clients:
    • PAP: VPN clients' passwords will not be encrypted during authentication.
    • MS-CHAP v2: VPN clients' passwords will be encrypted during authentication using Microsoft CHAP version 2.
  7. Set MTU (Maximum Transmission Unit) to limit data packet size transmitted via the VPN.
  8. Tick Use manual DNS and specify the IP address of a DNS server to push DNS to L2TP/IPSec clients. If this option is disabled, the DNS server used by the Synology NAS will be pushed to clients.
  9. Enter and confirm a pre-shared key. This secret key should be given to your L2TP/IPSec VPN user to authenticate the connection.
  10. Click Apply for the changes to take effect.

Note:

  • When connecting to the VPN, the authentication and encryption settings of VPN clients must be identical to the settings specified on VPN Server, or else clients will not be able to connect successfully.
  • To be compatible with most L2TP/IPSec clients running Windows, Mac OS, iOS, and Android operating systems, the default MTU is set to 1400. For more complicated network environments, a smaller MTU might be required. Try to reduce the MTU size if you keep receiving timeout error or experience unstable connection.
  • Please check the port forwarding and firewall settings on your Synology NAS and router to make sure UDP ports 1701, 500, and 4500 are open.
  • Because L2TP or IPSec VPN service is built into some routers, port 1701, 500 or 4500 might already be occupied. To ensure VPN Server works properly, you might need to disable the router's built-in L2TP or IPSec VPN service through its management interface. Using a router that supports VPN pass-through connections is recommended.

About Dynamic IP Address

Depending on the number you entered in Dynamic IP address, VPN Server will choose from a range of virtual IP addresses while assigning IP addresses to VPN clients. For example, if the dynamic IP address of VPN server is set as '10.0.0.0', a VPN client's virtual IP address could range from '10.0.0.1' to '10.0.0.[maximum connection number]' for PPTP, and from '10.0.0.2' to '10.0.0.255' for OpenVPN.

Important: Before specifying the dynamic IP address of VPN server, please note:

  1. Dynamic IP addresses allowed for VPN server should be any of the following:
    • From '10.0.0.0' to '10.255.255.0'
    • From '172.16.0.0' to '172.31.255.0'
    • From '192.168.0.0' to '192.168.255.0'
  2. The specified dynamic IP address of VPN server and the assigned virtual IP addresses for VPN clients should not conflict with any IP addresses currently used within your local area network.

About Client's Gateway Setting for VPN Connection

Before connecting to the local area network of Synology NAS via VPN, the clients might need to change their gateway setting for VPN connection. Otherwise, they might not be able to connect to the Internet when VPN connection is established. For detailed information, refer to here.

Please note that this post is out of date.

For a great guide on setting up a VPN visit these two posts:

inbound VPN: https://nguvu.org/pfsense/pfsense-inbound_vpn/
pfsense and AirVPN setup: https://nguvu.org/pfsense/pfsense-baseline-setup/

………………………………………….

Setting up OpenVPN on PFSense 2.4.x is a straightforward but rather long process but hopefully this step-by-step guide can give you the direction you need to implement this solution as painlessly as possible. There are 3 primary steps to installing and configuring OpenVPN on PFSense:

  1. Create the Certificate Infrastructure
  2. Configure OpenVPN on PFSense
  3. Configure Client Access

VPNs are very versatile infrastructure solutions which give you the ability to enable remote access to your local environment. They are also a more secure solution than exposing remote access protocols such as RDP or SSH directly over the Internet, and they also provide you with a level of privacy and security when you are using the Internet from insecure locations.

Let's get started.

OpenVPN uses certificates to secure the VPN service for authentication and encryption purposes. The first thing we need to do on PFSense is create a Certificate Authority. If you already have one configured you can skip this step.

Creating a Certificate Authority on PFSense

The first step in the process is to navigate to the built-in PFSense Certificate Manager.

You will then be presented with a dashboard detailing the list of CAs installed on the server. In the example below there isn't one, so click on ‘+Add‘ to create a new one.

Next we need to fill out the form which PFSense will use to create the Certificate Authority. Since we are building an Internal Certificate Authority, select this option from the drop-down list as highlighted in the image below and then fill out the necessary details about your organization in the fields provided. Remember to give your CA a useful common name which you can use to identify it. In my example I used PFSense_RootCA. Once done, click on ‘Save‘ and your Internal Certificate Authority will be created.

Creating the OpenVPN Server Certificate on PFSense

The next step is to create the certificate for the OpenVPN server, which clients will use to verify the identity of the server when connecting to it. Under System – Certificate Manager, navigate to the Certificates tab and click on ‘+ Add/Sign‘.

Next complete the form to create the certificate. Note you need to select the ‘Create an internal Certificate' method and ensure you select ‘Server Certificate' as the certificate type. Fill in the rest of the relevant information and once complete, click on ‘Save‘.

The certificate infrastructure needed for OpenVPN is now complete, so we can move on to the next phase: creating the OpenVPN service.

We will be using the OpenVPN configuration wizard for this step. To start go to VPN in the main menu and then click on OpenVPN.

Next click on the ‘Wizards‘ tab to start the configuration sequence.

We now need to select the type of server. In the drop-down list provided, select ‘Local User Access‘ and then click ‘Next‘.

Next Select the Certificate Authority and click ‘Next‘. If you have not created one, follow the steps above.

The next step is to select the VPN Server Certificate. Once completed click ‘Next‘. Again, if you have not created one, follow the steps above.

Next you will need to complete the Server Setup form which consists of four sections: General OpenVPN Server Information, Cryptographic Settings, Tunnel Settings and Client Settings. As each environment is different, you may need to adjust these to meet your specific requirements. The settings below are the default settings which ensure privacy and use PFSense as your DNS server etc.

First, let's configure the General OpenVPN Server Information. Leave everything as default and give your VPN a description if you so choose as per the example below.

Under Cryptographic Settings, leave everything as default but change the Auth Digest Algorithm to SHA256 as per the example below since SHA1 is not that secure.

Under Tunnel Settings, enter the IP address range in CIDR notation for the Tunnel network (this will be the IP address range OpenVPN will use to assign IPs to VPN clients). You also need to tick the checkbox labeled Redirect Gateway to ensure all clients use the VPN for all their traffic. Next enter the local network IP address range in CIDR notation (this is usually your LAN) and then set your maximum number of concurrent connections.

In my configuration example I have left all Client Settings in their default state. Here you may want to specify a DNS server etc. Once completed click on ‘Next‘.

Next the wizard will want to create the Firewall rule configuration. Select the Firewall rule and the OpenVPN rule as per the example below and click ‘Next‘.

Finally, the configuration is complete. Click ‘Finish‘.

You should now have a configured OpenVPN server, a newly created WAN Firewall Rule and an OpenVPN tab under Firewall rules with the OpenVPN rule configured. Examples below.

Now that the OpenVPN server is up and running, we need to configure VPN client access.

Creating the OpenVPN Client on PFSense

Navigate to VPN – OpenVPN and click on the ‘Clients‘ tab and then click on ‘+Add‘.

This will open the OpenVPN client edit form which has 5 sections, General information, User Authentication Settings, Cryptographic Settings, Tunnel Settings and Advanced Configuration. As with the server config you will need to configure these settings to match your specific requirements. Below are the minimum changes you need to make.

Under General information enter the Server IP address or Fully Qualified Domain Name (FQDN) of your PFSense server and provide a description.

Under User Authentication Settings provide a Username and Password.

Under Cryptographic Settings select SHA256 for the Auth digest algorithm.

Under Advanced Configuration select ‘IPv4 Only‘ and then click ‘Save‘.

You should now have a suitably configured client configuration.

Installing the OpenVPN Client Export Package

We now need to go and install the OpenVPN Client Export package so we can export the client configuration which we will need to provide to clients so that they can connect to our OpenVPN server.

First go to System – Package Manager.

Click on Available Packages and then search for OpenVPN. In the search results which are returned click on ‘Install‘ to install the openvpn-client-export package.

On the next screen click on ‘Confirm‘.

The package will then install and you should get notified if it was installed successfully.

Adding the VPN User

We now need to create the VPN user. To do this go to System – User Manager and click on ‘Add‘ to create a new user. Fill in the username and password, which need to match the config you created under User Authentication Settings during the OpenVPN client configuration. Ensure you tick ‘Click to create user certificate‘ and then give the certificate a name and select your Certificate Authority. Once all is done click on ‘Save‘.

You have now completed the OpenVPN setup. To download the Client Configuration navigate to Client Export under the OpenVPN menu item.

If all is configured correctly you should now be presented with different download options which give you the OpenVPN config settings you need to configure your clients so that they are able to connect to your PFSense OpenVPN server.
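Once a client profile has been exported (the .ovpn file from pfSense's Client Export, or the openvpn.ovpn plus ca.crt in the Synology export zip), it is worth confirming that the choices made in the wizard actually ended up in it. The following Python script is an added example, not code from pfSense, Synology or OpenVPN: it parses a client .ovpn, including inline `<ca>` blocks, and reports whether the auth digest is SHA256 or stronger (the setting changed in the Cryptographic Settings step), whether `redirect-gateway` is present, and whether a CA certificate is available. It goes one step beyond the page by also checking for `remote-cert-tls server`, a standard OpenVPN client directive that makes the client insist the peer presents a server certificate rather than any certificate signed by the same CA. The sample profile, its hostname vpn.example.internal and the certificate body are constructed placeholders.

```python
import re

# Constructed sample of an exported client profile (not a real export): the
# certificate body is a placeholder and the hostname is made up.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.internal 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA1
cipher AES-256-CBC
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIB...placeholder-ca-certificate...
-----END CERTIFICATE-----
</ca>
"""

# Same profile after applying the two changes the guide recommends.
HARDENED_OVPN = SAMPLE_OVPN.replace("auth SHA1", "auth SHA256") + "redirect-gateway def1\n"

STRONG_DIGESTS = {"SHA256", "SHA384", "SHA512"}


def parse_ovpn(text: str):
    """Split a .ovpn into plain directives and inline <tag>...</tag> blocks.

    Returns (directives, inline): directives maps a keyword to the list of
    argument lists seen for it; inline maps a tag such as 'ca' to its body.
    """
    directives: dict[str, list[list[str]]] = {}
    inline: dict[str, str] = {}
    current = None
    body: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        if current is not None:
            if line == f"</{current}>":
                inline[current] = "\n".join(body)
                current, body = None, []
            else:
                body.append(line)
            continue
        opener = re.fullmatch(r"<([a-z-]+)>", line)
        if opener:
            current, body = opener.group(1), []
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    if current is not None:
        raise ValueError(f"unterminated <{current}> block")
    return directives, inline


def audit_ovpn(text: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    d, inline = parse_ovpn(text)
    findings = []
    if "remote" not in d:
        findings.append("no 'remote' directive: the client has no server to connect to")
    if "ca" not in d and "ca" not in inline:
        findings.append("no CA certificate (ca file or inline <ca>): server identity cannot be verified")
    if ["server"] not in d.get("remote-cert-tls", []):
        findings.append("'remote-cert-tls server' missing: any certificate from the same CA would be accepted as the server")
    # OpenVPN's default HMAC digest is SHA1 when no 'auth' line is present.
    digest = d.get("auth", [["SHA1"]])[-1][0].upper()
    if digest not in STRONG_DIGESTS:
        findings.append(f"auth digest is {digest}; the guide sets SHA256")
    if "redirect-gateway" not in d:
        findings.append("no 'redirect-gateway': Internet traffic will bypass the tunnel")
    return findings


if __name__ == "__main__":
    for name, profile in (("sample", SAMPLE_OVPN), ("hardened", HARDENED_OVPN)):
        print(f"{name}: {audit_ovpn(profile) or ['ok']}")
```

Run against the constructed sample the audit reports the SHA1 digest and the missing redirect-gateway; the hardened copy passes all checks. Point it at a real export by replacing SAMPLE_OVPN with the file's contents.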
