I recently purchased a 4 disk-bay Netgear ReadyNAS NV+ box. This was a few days after I lost 60% of my media collection because my HD just decided to stop working. And yes, I’ve been meaning to back up the archive, but never got around to it, until it died. Hindsight is 20-20, I guess.
Anyhow, the ReadyNAS NV+ is a great box. The nicest thing about it is that, via plugins, you can turn it into a full-fledged development box running Linux. One thing missing was how to make this box a VPN server as well. I currently have OpenVPN running on an ‘always on’ home laptop, but it makes more sense to move the VPN server to the ReadyNAS, since that is the box that is supposed to be ‘always on’ anyway.
I searched around. There are several sites that give only partial instructions of how to get things working. No one site has ‘everything you need’. So I thought I’d post *exactly* how to do everything you need to get this working.
Step 1: Install SSH and apt-get
1) Download the Enable RootSSH plugin from here. (You need this to ssh into readynas)
2) Install it in the ReadyNas via the menu (System/Update/Local Update)
3) Download the apt plugin from here. (you need this to download the openvpn package and dependencies)
4) Install it in the ReadyNas via the menu (System/Update/Local Update)
Note: Don’t try and upload both plugin images together and then apply. Only the latest plugin will be applied.
Step 2: Getting OpenVPN working: The layout
Before we set up OpenVPN, let’s discuss the network first. You may need to change client.conf or server.conf to fit your own addressing.
My home LAN has the following network: 192.168.1.x
The ReadyNAS server (which will be my VPN server soon) runs on: 192.168.1.10
The home router (Which allocates DHCP addresses to my home LAN and is the default internet gateway) runs on: 192.168.1.1
What I want:
a) I want to be able to connect to my ReadyNAS VPN server from outside my home
b) I want to make sure all my internet connections are not forced through my home LAN when connected via VPN.
c) I want my remote client to be able to access all my other machines @ home in addition to the VPN server
Step 3: Getting OpenVPN Server working: The execution
We need to do the following steps:
1) Generate the right certificates/keys for the server and client (easy)
2) Configure the server.conf and client.conf files correctly (logical if you follow the instructions)
3) Enable IP forwarding in your ReadyNas (if you don’t do this, you will not be able to access other machines on LAN)
4) Configure your default home router with a static route (if you don’t do this, you will not be able to access other machines on the LAN)
Step 3.1: Install openVPN
Pre-requisite: You have SSH and apt-get installed and enabled in the ReadyNas.
First, connect to your readynas via SSH (password is same as your readyNas admin password)
ssh -l root 192.168.1.10
Once logged in:
apt-get update
apt-get install openvpn
(the above will download and install all dependencies)
[Note: If you upgrade the NAS Firmware after installing openvpn (like I did for it to support OSX Lion) you will need to re-install openvpn or you may find it segfaulting when a client attempts to connect]
Step 3.2: Create your certificates
(This is just the same instructions as this thread)
You need to set some key variables which will be used to generate the certificates. The content here is not critical – you can change it to what you need. Edit the vars file in your favorite editor, change the following variables in it and save. While you are in there, consider export KEY_SIZE=2048 as well: it controls both the RSA key length and the size of the Diffie-Hellman parameters built later, and the file’s default of 1024 is weak by today’s standards (build-dh will then produce dh2048.pem, so change the dh line in server.conf to match).
cd /usr/share/doc/openvpn/examples/easy-rsa/
vi vars
export KEY_COUNTRY=US
export KEY_PROVINCE=Maryland
export KEY_CITY=MD
export KEY_ORG="Arjun"
export KEY_EMAIL="your@email.com"
Next up:
. ./vars
./clean-all
gunzip openssl.cnf.gz
./build-ca
./build-key-server MyVPNServer
Important: You will be asked a series of questions: The default values are filled in. I just entered my name in the Organization question as well. Also,when it asks you “Sign certificate?” please answer YES otherwise it will generate 0 byte certificates and OpenVPN won’t start.
Note: It is important you do “. ./vars” and not “./vars” as this will not export the variables to your current shell and you will get errors.
At this point, you have the certificate and key for the server instance. Now, you need to build the client keys
./build-key Client01
Finally, build the Diffie-Hellman parameters (this takes forever on the ReadyNAS. Take a meal break here).
./build-dh
Step 3.3: Copy the certificates and keys to the right location on your server
cp ./keys/ca.crt /etc/openvpn/
cp ./keys/MyVPNServer.crt /etc/openvpn/
cp ./keys/MyVPNServer.key /etc/openvpn/
cp ./keys/dh1024.pem /etc/openvpn/
Note that ca.key is deliberately not in this list. The running server never reads it; it is only used when you sign new client certificates, and whoever holds it can issue certificates your VPN will accept. Leave it in the easy-rsa keys directory readable only by root (chmod 600), or better still move it off the NAS and bring it back only when you need to build another client. Make MyVPNServer.key readable only by root (chmod 600) as well.
The next step is optional – but I prefer to do it and suggest you do too. Basically, you can create a new user/group with limited rights which will run the openvpn server. It’s not a good idea really to run the server as root, because one could exploit a vulnerability in it and get access to a root shell, which is not going to be pretty.
groupadd openvpn
useradd -d /dev/null -g openvpn -s /bin/false openvpn
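As an added example (my script, not part of the original post or of OpenVPN), here is the copy step above as a small POSIX shell script that refuses empty files, pins the file modes, checks that the key belongs to the certificate when openssl is available, and never installs ca.key. SRC, DEST and the server name MyVPNServer are the post’s paths; the environment-variable overrides, the WARNING/ERROR output and the `run` argument are my own conventions, added so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenVPN: install the
# easy-rsa 2.x output into /etc/openvpn with least-privilege file modes.
# Usage on the NAS (as root): sh install-keys.sh run
# SRC/DEST/SERVER can be overridden for testing; defaults are the post's paths.

set -u

SRC="${SRC:-/usr/share/doc/openvpn/examples/easy-rsa/keys}"
DEST="${DEST:-/etc/openvpn}"
SERVER="${SERVER:-MyVPNServer}"

# Mode string of a file as ls shows it, e.g. "-rw-------" (portable, no stat -c).
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Copy one file and pin its mode. Refuses empty files: a 0-byte certificate
# is what easy-rsa writes if you answer "n" to "Sign the certificate?".
install_file() {  # install_file <name> <mode>
    name=$1
    mode=$2
    if [ ! -s "$SRC/$name" ]; then
        echo "ERROR: $SRC/$name missing or empty" >&2
        return 1
    fi
    cp "$SRC/$name" "$DEST/$name" && chmod "$mode" "$DEST/$name"
}

# Install only what the daemon needs. ca.key is deliberately NOT copied:
# the running server never uses it, and whoever holds it can mint client
# certificates this VPN will accept.
install_server_material() {
    install_file ca.crt 644 &&
    install_file "$SERVER.crt" 644 &&
    install_file "$SERVER.key" 600 &&
    install_file dh1024.pem 644
}

# If openssl is present, confirm the server cert chains to this CA and that
# the private key really belongs to it (RSA modulus comparison).
verify_pair() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found, skipping verification"
        return 0
    fi
    openssl verify -CAfile "$DEST/ca.crt" "$DEST/$SERVER.crt" >/dev/null || return 1
    c=$(openssl x509 -noout -modulus -in "$DEST/$SERVER.crt")
    k=$(openssl rsa -noout -modulus -in "$DEST/$SERVER.key")
    [ "$c" = "$k" ]
}

# Keep the CA key root-only wherever it lives, and complain if a copy
# ended up next to the server files.
lock_ca_key() {
    [ -f "$SRC/ca.key" ] && chmod 600 "$SRC/ca.key"
    [ ! -f "$DEST/ca.key" ] || echo "WARNING: $DEST/ca.key is on the server; move it offline" >&2
}

if [ "${1:-}" = "run" ]; then
    install_server_material && verify_pair && lock_ca_key && echo "server material installed in $DEST"
fi
```

Run it once after build-dh finishes; if verify_pair fails, the cert and key in keys/ do not belong together (usually a sign that build-key-server was run twice with different answers) and the daemon would not start anyway.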
Step 3.4: Set up the server.conf file
cd /etc/openvpn/
Now create a file called server.conf in this directory with your favorite text editor (vi, emacs, whatever) and use the contents below, modifying the IP addresses to match your local LAN and VPN ranges. The root SSH session already has permission to write in /etc/openvpn; if you are working as another user you will need sudo. Alternatively, create server.conf wherever you like and copy it to /etc/openvpn when done.
local 192.168.1.10             # real LAN IP address of my VPN server
port 1194                      # This is the port OpenVPN is running on
proto udp                      # UDP tends to perform better than TCP for VPN
mssfix 1400                    # Supposedly this fixes errors with RemoteDesktop over VPN. Never tried it
# note: these two pushes below don't work for non-Windows clients unless
# you write a script to parse for these pushes. See OpenVPN Howto.
push "dhcp-option DNS 8.8.8.8" # I am using Google's DNS servers - I like them, they are fast
push "dhcp-option DNS 8.8.4.4"
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/MyVPNServer.crt
key /etc/openvpn/MyVPNServer.key
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0  # 10.8.0.0 is the VPN virtual LAN. The VPN server will get 10.8.0.1 and the remote clients will get the next ones
ifconfig-pool-persist ipp.txt  # don't worry about ipp.txt - it will be created
push "route 192.168.1.0 255.255.255.0" # this route will be pushed to a client which connects
keepalive 10 120
cipher BF-CBC                  # Blowfish (default) encryption
comp-lzo
max-clients 100                # Assign the maximum number of clients here
persist-key
persist-tun
status openvpn-status.log
verb 1
user openvpn                   # remember to start the process using the user/group we created earlier
group openvpn                  # thanks to anonymous commenter 'foobar' for catching this
Two of these lines are the defaults of that OpenVPN and easy-rsa generation rather than a recommendation: cipher BF-CBC (Blowfish, a 64-bit block cipher) and dh1024.pem. If your client supports it, use cipher AES-256-CBC on both server and client, and build 2048-bit DH parameters by setting KEY_SIZE=2048 in vars before ./build-dh (the file will then be called dh2048.pem). Also, because the daemon drops to user/group openvpn, persist-key and persist-tun are not optional: without them a keepalive-triggered restart cannot reopen the key file or re-create the tun device, since the process no longer has root.
Sidebar: Tun vs Tap (in .conf files)
Note that I am using a “tun” virtual adapter and not “tap”. Simply put, it means I am establishing an IP level p2p link between my client and the VPN server.
On the other hand, if I used “tap”, then I’d be creating an ethernet bridge between the two. Specifically, in tun mode, any protocols that use broadcast packets to advertise themselves (example, netbios & AFP uses broadcast packets) will not work, as broadcast packets will not be shared from the VPN lan to my lan. Practically, what it means is that I will not see any of my home devices in my network “automatically” – I will need to connect with them over SMB. For example, when I use tap, the home devices automatically show up in my network list. While in tun mode, I need to “Connect to server” to get access to it. I chose to use tun because I believe it is better in performance – though I am not sure by how much. Actually, the real reason I chose tun was so that my Time Machine backup doesn’t auto start syncing gigabytes of data over VPN. Whichever you choose, make sure you use the same interface in the client side as well.Also note that if you choose tun, Apple’s TimeMachine will stop working, as it uses broadcast packets to identify/locate itself. If you want TimeMachine to sync over the VPN, change tun back to tap in both client and server files. I like it this way, as for now, I don’t want my mac to sync over the VPN. Every time time machine syncs, it syncs many gigabytes of data (Gee I never knew OSX files change so much in an hour) which I did not want. I only want it to sync when I am @ home (ie no VPN on).
Now, launch the VPN server. I find it easier to run it in non-daemon mode first to make sure there are no errors. So,
openvpn --config server.conf
Make sure openvpn is working and it does not exit.
Great. Now get openVPN running in daemon mode
/etc/init.d/openvpn restart
Make sure it is running by checking ps:
ps aux | grep openvpn
All good? Great. Your server is ready.
Step 3.5: IP forwarding – Don’t forget
Whoops, we almost forgot. You need to enable IP forwarding in your ReadyNas.
vi /etc/sysctl.conf:
Add the following line: (if it exists, make sure ip_forward is 1 not 0)
net.ipv4.ip_forward = 1
This will make sure IP forwarding is permanent across reboots. To apply it to the current session without rebooting:
sysctl -p /etc/sysctl.conf
Double check by
cat /proc/sys/net/ipv4/ip_forward
If it says 1, good. You are ready to focus on the client. If not, go back and trace your steps and see what you might have missed.
Step 4: Getting OpenVPN client working: The execution
The main thing here is to copy the client certificate and key you created in Step 3.2 to the remote client, and set up its conf file. The files the client needs are:
Client01.crt
Client01.key
ca.crt
They are in /usr/share/doc/openvpn/examples/easy-rsa/keys on the NAS, where you built them (thanks Martyn). Client01.csr sits next to them, but it is only the signing request and the client never uses it. Client01.key is the client’s identity: copy it over an encrypted channel such as scp, not by e-mail, and once it is on the client the NAS does not need it any more.
In my case, I have a MacOS remote client. I use the excellent Tunnelblick app (free) to connect. Tunnelblick keeps its configuration files in
~/Library/Application Support/Tunnelblick/Configurations
so I copied the above files there.
Now all that remains is to set up a client configuration that can connect to the VPN server.
Here is my client.conf file (you can call it whatever-you-want.conf)
client
proto udp
dev tun
remote AA.BB.CC.DD 1194 # Replace AA.BB.CC.DD with the public IP of your VPN server (if you don't have one, this will be the public IP of your home router, which port-forwards to the VPN server. The latter is my case)
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert Client01.crt
key Client01.key
ns-cert-type server
cipher BF-CBC
comp-lzo
verb 3
Two notes. ns-cert-type server is what stops another client’s certificate from being used to impersonate the server: build-key-server marks the server certificate with nsCertType=server, build-key does not, and this line makes the client refuse a server that lacks the mark, so keep it (on newer OpenVPN releases the equivalent is remote-cert-tls server). And cipher and comp-lzo must match the server’s settings exactly, so if you change cipher BF-CBC to AES-256-CBC on the server, change it here too.
Step 5: Configuring your home router
This last step can be forgotten very easily. If you don’t do this, things won’t work.
We need to do 2 things:
a) If your VPN server is not on a public IP, clients connect to the public IP of your router, and the router must forward traffic arriving on UDP port 1194 to the VPN server.
b) Set up a static route to make sure remote clients can reach other LAN terminals once connected via VPN.
For a) there is a better way – I use dyndns.org to assign a permanent hostname to my router. This is better than an IP because if the WAN IP of the router changes, the hostname in dyndns is automatically updated. Most routers allow you to specify a dyndns account and can keep dyndns updated themselves. Dyndns is free and this is very useful. Google around on how to do this, or, to start, just use the WAN IP of the router in client.conf. In my case, “AA.BB.CC.DD” in the conf file above reads “myhostname.dyndns.org”
Next, add the port forwarding:
a) Open the Port fowarding entry in your home router, and add a new rule (call it “openvpn”)
b) Start port:1194, end port: 1194, protocol:UDP
c) Server IP address: 192.168.1.10 (in my case, change to LAN IP of your VPN server)
What we did here is make sure that any traffic arriving at UDP port 1194 on the router’s WAN IP is forwarded internally to the VPN server (your ReadyNAS box). That takes care of the VPN server not having a public IP. Two caveats worth knowing. This exposes the OpenVPN daemon to the whole internet, and only the TLS certificate check stands between it and anyone who scans the port; OpenVPN’s tls-auth option (a shared HMAC key generated with openvpn --genkey --secret ta.key and referenced in both server.conf and client.conf) makes the daemon drop packets that don’t carry the right HMAC before any TLS handshake starts, which is cheap insurance on a box you don’t patch often. And if your router has no static-route option for b) below, the alternative is to NAT the VPN clients on the NAS itself (an iptables MASQUERADE rule on eth0 for 10.8.0.0/24), so LAN machines see the traffic as coming from 192.168.1.10 and need no extra route.
Next up, add a static route to your router: (Change IP addresses to match your setup)
Click on the static route option of your router and create a new route:
route name: name it whatever – I called it vpnroute
Destination IP address: 10.8.0.0 (This is the virtual LAN that the VPN server will create)
Netmask: 255.255.255.0
Gateway: 192.168.1.10 (This is the IP address of my VPN server. The original version of this article said 192.168.1.1, the router itself; that was wrong and was corrected on Feb 22 2012 – see the comments below. The router must hand packets for 10.8.0.0/24 to the NAS, because only the NAS has a tun0 interface into that network; pointing the route at the router just sends them back to itself.)
And save.
(Note: I am not sure if you need the above step if you use tap because it is supposed to be an ethernet bridge. You can experiment by not doing this while using tap to see if you can still access other machines)
Step 6: Test
Now try and connect to your VPN server from a remote client.
Works? great, check a few things:
At the client type:
ifconfig
If you are using tun (ip p2p link), you will see something like this:
tun0: flags=8851 mtu 1500
inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff
open (pid 2205)
Or, if using tap (ethernet bridge):
tap0: flags=8843 mtu 1500
ether x:x:x:x:x:x
inet 10.8.0.2 netmask 0xffffff00 broadcast 10.8.0.255
open (pid 3146)
Note the difference. In tap, your virtual interface works at layer 2 and creates a virtual ethernet mac address. While in tun mode, a routing path is established at the IP layer.
In both cases, it is telling you a virtual interface has been created with a 10.8.0.x address. (Remember I chose 10.8.0.0 as my VPN network range)
good.
Now ping the VPN server at its virtual LAN address:
[arjun@~] ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1): 56 data bytes
64 bytes from 10.8.0.1: icmp_seq=0 ttl=64 time=70.841 ms
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=48.327 ms
Great. Now ping the VPN server at its real LAN address (this won’t work if routes are not set up properly)
[arjun@~] ping 192.168.1.10
PING 192.168.1.10 (192.168.1.10): 56 data bytes
64 bytes from 192.168.1.10: icmp_seq=0 ttl=64 time=29.200 ms
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=46.460 ms
Finally, ping another machine on the LAN:
[arjun@~] ping 192.168.1.9
PING 192.168.1.9 (192.168.1.9): 56 data bytes
64 bytes from 192.168.1.9: icmp_seq=0 ttl=126 time=190.009 ms
64 bytes from 192.168.1.9: icmp_seq=1 ttl=126 time=30.312 ms
Great. All done.
That is great – well done! Something I've been looking for for a while.
I have a Duo. Do you know if it would cope with this install? I suspect maybe not due to processor requirements but I'd love to do it.
@Steve, I believe it should work. (Don't have one, but when I was reading the various links talking about this, Duo users have said openvpn works)
Works on DUO, thanks for the tutorial.
great.
Hi, it's very simple to use scp
The command to copy from the NAS to your local machine is:
scp root@:/etc/openvpn/
Or, if the file is small, just expand to full screen, and copy paste :-)
Mike, to be sure, I just installed an openvpn client for windows to try it out (I don’t use windows, but have one at home). It connected without any hitches. The client I used was [HERE]
I googled on why this message may be coming and I think it's to do with the push commands in server.conf, but since it worked without any problem for me, I wonder why it's not working for you – so can you try with the above client? Note that you need to rename your client .conf file to .ovpn for this client to work
Also see http://forum.pfsense.org/index.php?topic=27405.0
I think you are using the wrong client. If you use the one I referred to above it should work.
Arjun, Thanks for the prompt replies and all the help! It is most appreciated. Over the past couple of days I've been tweaking some things and still have problems. I am using the openVPN client gui you recommended, found at http://forum.pfsense.org/index.php?topic=27405.0 and was at least able to get it to try and connect but came up with errors. It keeps giving me this error: "read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)". It gives that 5 times in a row, then "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)", and lastly "TLS Error: TLS handshake failed".
Judging from what I've been reading, it might be the way I have my network setup but I'm not sure. I have a DSL connection from Qwest (now CenturyLink) and I have my m1000 modem transparently bridged to my Trendnet tew-639gr router. Now, I have the routing setup the way you suggested but I'm wondering if maybe both the devices have NAT enabled, causing the vpn connection to be confused? I've never done a vpn before or transparent bridging so I might have done something wrong! lol
If it would help at all, here's my server.conf settings:
local 192.168.10.100
port 1194
proto udp
mssfix 1400
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/MyVPNServer.crt
key /etc/openvpn/MyVPNServer.key # This file should be kept secret
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route [My dyndns domain name] 255.255.255.0"
keepalive 10 120
cipher BF-CBC # Blowfish (default)
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 6
Mike, this is very likely a firewall issue. Your firewall (in one of your routers, likely) is likely blocking the port. Try first disabling all firewalls everywhere, make it work, then re-enable them and set up your port forwarding.
And here's my client.ovpn file:
client
dev tun
proto udp
remote [My dyndns domain name] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert Client01.crt
key Client01.key
ns-cert-type server
cipher BF-CBC
comp-lzo
verb 6
Arjun,
Thanks for posting this tutorial. With this guidance I was able to get it to work. My only issue is that upon disconnecting the VPN, my network connection (wifi – I am on a macbook air) does not fall back to the regular configuration. Any ideas?
Thanks!
JP
JP, how do you disconnect? In my case, when I disconnect from TunnelBrick, my tun0 interface disappears and things are normal. What happens in your case ?
I disconnect by selecting disconnect from the tunnelblick drop-down menu. tun0 disappears as in your case and the settings for en0 stick, however it does not work unless I turn wifi off and then on, or I jump to another wifi network. :S
Odd, Frankly, I don't have a clue. I use WiFi too and not ethernet. The difference is I am on an MBP
So all I can tell you is specifics of what I have:
a) Running OSX Lion 10.7.2. with TunnelBrick 3.2. beta 32 ( I needed this when I moved to Lion)
b) In Configurations screen settings tab, Set DNS/WINS is "Set Name Server", Connect: "Manually", both options checked (Monitor nw settings, show config)
Thanks for the very detailed tutorial. Looking forward to use it next weekend! I was wondering about one more thing, can i use openvpn for setting up a vpn-connection between two readynasses? I want to set up a secure rsync-backup over internet.
Sure, I think that should be possible – in this case, one would be a VPN server and the other a VPN client. ReadyNAS NV+ has a nice linux development set up, so you can just run the open vpn linux client on one and even set it up to automatically connect, always connect or anything in between.
Thank you Arjun, i'll give it a try and let you know if it worked.
Hey Arjun,
Great tutorial. I’m kind of confused though, step 3.4 is the actual setup of the server.conf file but I don’t know where that file is to change settings. I’ve tried looking on OpenVPN’s page but I just can’t find it.
Any help?
Clayton, I'll add that text to my tutorial. Just create an empty file called server.conf in /etc/openvpn and copy paste the contents of 3.4
Arjun,
Brilliant write up, I am way out of my comfort zone at Linux CLI, and your article was a crutch! One small note, at the point of copying the created keys to /etc/openvpn/ you fail to include the three Client01 files…. Took me an age to find them!
Anyway, i have encountered an issue when running /etc/init.d/openvpn start …..I get….. Starting virtual private network daemon: FAILED-> server.
When i run openvpn –config server.conf …..I get……
Sat Dec 3 17:11:57 2011 OpenVPN 2.0 sparc-unknown-linux [SSL] [LZO] [EPOLL] built on Jan 17 2007
Sat Dec 3 17:11:58 2011 TCP/UDP: Socket bind failed on local address 192.168.1.13:1194: Address already in use
Sat Dec 3 17:11:58 2011 Exiting
Thanks Martyn. As far as the Client01 files go, you should not need to copy it to the server directory. These are client files that get copied to your client machine from where you launch the openvpn client to connect to the server (Step 4 explains this)
Ah ok, I see what you mean – I'll fix it
Although I'm sure the first time i ran it, it ran cleanly with no error.
If I try ps aux | grep openvpn ……I get:
root 4858 0.0 0.2 4368 2608 ? S 14:42 0:01 openvpn –config server.conf
root 5398 0.0 0.1 4256 1200 pts/1 S+ 17:20 0:00 grep openvpn
I'm not sure what I am supposed to see, but from what I have read, it should tell me if the openVPN service is running…. Is it??!
I'm not a Linux user, although i have no problem getting my hands dirty, but looking at the openvpn command switches, I don't really know where to start troubleshooting. So for once in my life I thought I'd ask!
Cheers
Martyn
Martyn, that means openvpn is already running. "ps" is a mechanism to see what processes are running in memory. The first line shows openvpn is. That is why if you try and start it again, it says 'bind error' because another openvpn is already listening to the network socket. If you want to stop openvpn, do /etc/init.d/openvpn stop
Thanks for the quick reply Arjun….
So technically it's working then!? Strange though, that i did actually try stopping the service, and upon initiating start, get the same error. But PS shows it to be running regardless…..?
Oh well, next step, try connecting…… Need to punch a couple of holes through the work Router PIX and Firewall first…..
Martyn, yes it's running. I am guessing you are getting this error because you already have vpn running and you are trying to run it again. Kill openvpn (/etc/init.d/openvpn stop) and then start it again to make sure there are no errors.
When you start openvpn, don't start in daemon mode (i.e., do a cd /etc/openvpn followed by openvpn –config server.conf ). Then connect your client to the server. If it works, exit openvpn by hitting Ctrl+C on the terminal where you did openvpn –config server.conf and restart in daemon mode (/etc/init.d/openvpn restart)
Remember:
If you try and start openvpn again while its already running, you will see errors
Hi and thx for your excellent tutorial. I got my Windows 7 Client connecting to my readynas and I am able to ping the vpn address (10.8.0.1) and the local network address (10.0.0.222) of my readynas. Unfortunately I am unable to connect (or even ping) other network clients on my LAN I am connected to (10.0.0.x). I used exactly the server and client configs you used in your tutorial.
Hi Phil, are you sure you did not forget to set up the routing table in your home router correctly? Don’t forget step 3.5 and 5
Hi Arjun, thx for your answer. I have done everything listed in3.5 and 5 and double checked it. Maybe I am misunderstanding something…
My Router is 10.0.0.138, my readynas is 10.0.0.222 and VPN is 10.8.0.x. At my Router I have an entry in my routing table which is: Target 10.8.0.0, GW 10.0.0.138, Subnetmask 255.255.255.0. The routes in my readynas are
10.8.0.2 * 255.255.255.255 UH 0 0 0 tun0
10.0.0.0 * 255.255.255.0 U 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
default 10.0.0.138 0.0.0.0 UG 0 0 0 eth0
When I am connected, my client VPN IP is 10.8.0.6, the routes on my win client are
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.9.1 192.168.9.62 276
10.0.0.0 255.255.255.0 10.8.0.5 10.8.0.6 30
10.8.0.1 255.255.255.255 10.8.0.5 10.8.0.6 30
10.8.0.4 255.255.255.252 On-link 10.8.0.6 286
10.8.0.6 255.255.255.255 On-link 10.8.0.6 286
10.8.0.7 255.255.255.255 On-link 10.8.0.6 286
Can yout tell me what's wrong with this config?
Best regards
Phil
Phil, do you have firewalls anywhere along the route? As a first step, disable them (just for testing) and see if you can ping
Yes, i have tried to disable all Firewalls. I even tried it from other clients (linux pc, android phone), same result. I can connect and ping the lan ip of the server, but nothing else…
Phil, just to make sure, please tell me the result of
cat /proc/sys/net/ipv4/ip_forward
if its 0, ip forwarding has not yet been applied. Do ” echo 1 > /proc/sys/net/ipv4/ip_forward” if its 0 and then try.
Also, after checking ip_forwarding, do this:
You have said:
Change that to be
It seems that is logical (though my example says otherwise in the article). If it works for you, I’ll change my setup as well and see if it works. It would seem logical to keep the VPN server as the gateway for VPN traffic and not the router…
ip_forwarding was already set to 1.
After reading so many articles about routing I was thinking over my router config and I changed the route to use 10.0.0.222 as the gateway – the same as you suggested – which also makes much more sense to me. So after changing that, I was able to reach my connected vpn client 10.8.0.6 from any client in my local lan 10.0.0.x, so my router routs the packets correctly. A little progress, thanks for your hint :-)
But still I am not able to connect the other way round, which means from 10.8.0.6 to 10.0.0.2 which is my main target. I took wireshark and looked at the network traffic at 10.0.0.2 and when I tried to connect (ping) from 10.8.0.6. the packets arrive, but no response is going out. As mentioned, ping from 10.0.0.2 to 10.8.0.6 works…
ok, I see, I am a little confused because of too much configs and routes… :-) Because of a restart my Client Firewall was enabled again, so connecting the other way round is possible now! Thanks again for your help!!
Phil, thanks for the update. Glad it worked out.
Well, to close the loop, I went home and checked. My gateway IP was set to my VPN server and not my router. That explains why it worked. I’ve corrected that part in the original article.
Hm.. Step 3.4 is tricky, or is it? To edit a text file is not hard but how do I put the file in /etc/openvpn/?
No, it's not. Just go to that directory and create the file, if you are unfamiliar with cp.
This is the tricky part for me because I can't find the root. I have created a network connection called root on my NAS in Windows but there is nothing in it. Or... I can't see it. What's the easiest way to browse files in root on the NAS?
I am not sure how you are connecting to your NAS. For this to work, you need to ssh to the NAS – so not sure what you mean by a network connection called root. This tutorial assumes you have opened an ssh shell and are working on the NAS using a command line terminal.
Yes, I'm using PuTTY but to create a file with it is over my limit, but I would like to learn if it is necessary. I can create a file in Windows and drag it to a folder but I assume that's not the case when creating server.conf
Awesome guide, I am done with the server part, and it runs correctly, but I am not sure where to go from there. When I try to connect using the OpenVPN client for windows 7, it just asks for credentials. Any tips for a newbie? What credentials are you supposed to use? Do you need to copy the certificate files manually?
Thor, follow "Step 4: Getting OpenVPN client working: The execution". You need to generate the client certificates on the server, then copy the certificates to the client machine and set its configuration correctly. I have this working for OpenVPN client for Windows XP as well as Tunnel Brick for Mac (which is a Mac client that uses openVPN)
Hi Arjun. My name is Aaron. I'm in the business development department of Vault Services, the company that makes the ReadyNAS Vault software. ReadyNAS Vault is a cloud-based storage solution for Netgear ReadyNAS devices. Had you had the Vault you wouldn't have lost your data due to hardware malfunction. If you'd like, I can set you up with a free trial of our software. Please email me at aaron@vaultservices.net.
Thanks Aaron. Yes I am aware of ReadyNAS vault. For the amount of data I have (music and movies) the cloud backup costs were just not economical for me (around 200 a month). Thanks for writing in.
Hi Arjun. Thanks for the very good tutorial. I could easily adapt it for my needs. And it works perfect.
I have one question: I have a Readynas Pro 4 and there is a new beta fw out for it. (4.2.20 T42). If I install that FW, what exacly do I have to do concerning openvpn? Does a simple "apt-get install openvpn" perform the correct installation, or do I have to go through your tutorial again. That of course means creating all certificates again.
Thanks in advance
Michael
Hi Michael, when I upgraded my firmware _after_ setting up everything, I noticed that the openvpn process kept crashing. All I had to do was uninstall openvpn and re-install again with apt-get install openvpn and everything worked as before. You do not have to re-generate certs et al. After upgrading your firmware, go to the command line and run openvpn in non-daemon mode so you can see errors easily – if it crashes, you know you have to reinstall it again.
Hi Arjun, thank you for your reply. I will try it and report. :-)
Hi Arjun,
I just updated from 4.2.19 to the new released final 4.2.20 without problems. And the openvpn daemon survived the update. :-) I did not have to do a reinstall.
Greetings Michael
Hi Michael, thanks for the update. Glad it worked across upgrades. I don’t know why mine crashed when I upgraded the firmware to support Lion
Just one simple glitch: I had to activate IP-Forwarding again. But that was no hassle with your tutorial.
Ah ok – thanks for reporting. In my case, it was just the opposite (as far as I can recall) – ipfwding was ok, openvpn crashed :)
didn't you forget "user openvpn", "group openvpn" lines in server.conf? Otherwise the user created in step 3.3 is useless.
Indeed. thanks for the catch. I will add that.
Hi Arjun,
Looking back, it's 22 weeks since I last looked at this! I never quite got it working, at the time the network border at work prevented me from finishing the job, we had caching proxies that messed it up, but the topology has been tidied up and I now have clean access….
I have been reading Phil’s communication with interest, and comparing his routing tables to my own, and I’m fairly convinced it must be my static route that isn't right, although there are limited changes that can be made and on the face of it, it looks right. The routing table of my WRT45GC router is as follows:
Destination Mask Gateway Metric
10.8.0.0 255.255.255.0 192.168.1.13 2
<PublicIP> 255.255.255.255 <PublicIP> 1
192.168.1.0 255.255.255.0 192.168.1.1 1
192.168.1.1 255.255.255.255 192.168.1.1 1
My NAS routing table is:
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
5.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 LeafNets
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
And my Win client routing table is:
10.8.0.1 255.255.255.255 10.8.0.5 10.8.0.6 30
10.8.0.4 255.255.255.252 On-link 10.8.0.6 286
10.8.0.6 255.255.255.255 On-link 10.8.0.6 286
10.8.0.7 255.255.255.255 On-link 10.8.0.6 286
With my router at 192.168.1.1 and Nas at 192.168.1.13
When I connect, I get, like Phil, the address 10.8.0.6 and can ping 10.8.0.1, but I can't ping the 192 address range, and as you state in your excellent tutorial, this points at routing. Can you see something strikingly obvious that I am missing!?
[...] Source : http://blog.roychowdhury.org/2011/05/10/adding-a-vpn-server-to-readynas [...]
Thanks for the excellent tutorial, it's finally got me round to configuring a VPN on my DUO! Just a quick question though: You wanted to make sure your connection is not forced through your LAN, however if I wanted to change this (for example when making purchases on an unsecured/public connection) how difficult would it be to do so?
Ideally I'd like to route my connection through the VPN sometimes and other times (when secure) in the way you specified above. Do you know how to configure the VPN in this way? Is it (I'm hoping) a client setting that can be specified or will I need to make changes on the NAS?
Thanks for the tutorial!
I want to make sure all my internet connections are not forced through my home LAN when connected via VPN.
Nevermind I figured it out. It's pretty simple and just involves using 2 connection profiles; one laid out as above, the other identical except with the below commands added:
redirect-gateway def1
dhcp-option DNS 10.8.0.1
Now I can connect to my VPN in one profile, and use the other for security when browsing on public networks (with the caveat that browsing is slower). Thought I'd post the solution up for anyone who is curious.