I recently purchased a 4 disk-bay Netgear ReadyNAS NV+ box. This was a few days after I lost 60% of my media collection because my HD just decided to stop working. And yes, I've been meaning to back up the archive, but never got around to actually doing it, till it died. Hindsight is 20-20, isn't it?
Anyhow, the ReadyNAS NV+ is a great box. The nicest thing about it is that via plugins, you can convert it into a full-fledged development box running Linux. One of the things lacking was how to make this box a VPN server as well. I currently have OpenVPN running on an 'always on' home laptop, but it made more sense to move the VPN server to the ReadyNAS box, as it is the one that is supposed to be 'always on' anyway.
I searched around. There are several sites that give only partial instructions on how to get things working. No one site has 'everything you need'. So I thought I'd post *exactly* how to do everything you need to get this working.
Step 1: Install SSH and apt-get
1) Download the Enable RootSSH plugin from here. (You need this to SSH into the ReadyNAS)
2) Install it in the ReadyNAS via the menu (System/Update/Local Update)
3) Download the apt plugin from here. (You need this to download the OpenVPN package and its dependencies)
4) Install it in the ReadyNAS via the menu (System/Update/Local Update)
Note: Don't try and upload both plugin images together and then apply. Only the latest plugin will be applied.
Step 2: Getting OpenVPN working: The layout
Before we set up OpenVPN, let's discuss the network first. You may need to change client.conf or server.conf to fit your own layout.
My home LAN has the following network: 192.168.1.x
The ReadyNAS server (which will be my VPN server soon) runs on: 192.168.1.10
The home router (Which allocates DHCP addresses to my home LAN and is the default internet gateway) runs on: 192.168.1.1
What I want:
a) I want to be able to connect to my ReadyNAS VPN server from outside my home
b) I want to make sure all my internet connections are not forced through my home LAN when connected via VPN.
c) I want my remote client to be able to access all my other machines at home in addition to the VPN server
Step 3: Getting OpenVPN Server working: The execution
We need to do the following steps:
1) Generate the right certificates/keys for the server and client (easy)
2) Configure the server.conf and client.conf files correctly (logical if you follow the instructions)
3) Enable IP forwarding in your ReadyNAS (if you don't do this, you will not be able to access other machines on the LAN)
4) Configure your default home router with a static route (if you don't do this, you will not be able to access other machines on the LAN)
Step 3.1: Install openVPN
Pre-requisite: You have SSH and apt-get installed and enabled on the ReadyNAS.
First, connect to your ReadyNAS via SSH (the password is the same as your ReadyNAS admin password):
ssh -l root 192.168.1.10
Once logged in:
apt-get install openvpn
(the above will download and install all dependencies)
[Note: If you upgrade the NAS firmware after installing OpenVPN (like I did for it to support OS X Lion) you will need to re-install OpenVPN, or you may find it segfaulting when a client attempts to connect]
Step 3.2: Create your certificates
(This is just the same instructions as this thread)
You need to set some key variables which will be used to generate the certificate. The content here is not critical - you can change it to what you need. Basically, edit the vars file in your favorite editor, change the following variables, and make sure you save the changes.
Important: You will be asked a series of questions. The default values are filled in; I just entered my name in the Organization question as well. Also, when it asks you "Sign certificate?" please answer YES, otherwise it will generate 0-byte certificates and OpenVPN won't start.
Note: It is important you do ". ./vars" and not "./vars", as the latter runs the script in a subshell and will not export the variables to your current shell, and you will get errors.
At this point, you have the certificate and key for the server instance. Now, you need to build the client keys.
Finally, build the Diffie-Hellman parameters (this takes forever on the ReadyNAS. Take a meal break here).
Step 3.3: Copy the certificates and keys to the right location to your server
cp ./keys/ca.crt /etc/openvpn/
cp ./keys/ca.key /etc/openvpn/
cp ./keys/MyVPNServer.crt /etc/openvpn/
cp ./keys/MyVPNServer.key /etc/openvpn/
cp ./keys/dh1024.pem /etc/openvpn/
(Note: the server process itself only reads ca.crt, MyVPNServer.crt, MyVPNServer.key and dh1024.pem. ca.key is the CA's private signing key; OpenVPN never needs it on the server, so it only has to live wherever you sign new client certificates.)
The next step is optional - but I prefer to do it and suggest you do too. Basically, you can create a new user/group with limited rights which will run the openvpn server. It's not a good idea really to run the server as root, because one could exploit a vulnerability in it and get access to a root shell, which is not going to be pretty.
groupadd openvpn # the group has to exist before useradd can refer to it with -g
useradd -d /dev/null -g openvpn -s /bin/false openvpn
Step 3.4: Set up the server.conf file
Now just create a server.conf file in your favorite text editor and use the contents below. Please modify the IP addresses according to your local LAN and VPN IPs.
You can create server.conf in /etc/openvpn using any text editor (vim, emacs, whatever). Note that you may need to 'sudo' if you don't have permissions to create a file in that directory. Alternately, just create a server.conf file wherever you want and copy it to /etc/openvpn when done.
local 192.168.1.10 # real LAN IP address of my VPN server
port 1194 # This is the port OpenVPN is listening on
proto udp # UDP tends to perform better than TCP for VPN
dev tun # IP-level point-to-point link; see "Tun vs Tap" below
ca /etc/openvpn/ca.crt # the CA certificate, server certificate/key and DH parameters copied in Step 3.3
cert /etc/openvpn/MyVPNServer.crt
key /etc/openvpn/MyVPNServer.key
dh /etc/openvpn/dh1024.pem
mssfix 1400 # Supposedly this fixes errors with Remote Desktop over VPN. Never tried it
# note: these two pushes below don't work for non-Windows clients unless
# you write a script to parse for these pushes. See the OpenVPN HOWTO.
push "dhcp-option DNS 8.8.8.8" # I am using Google's DNS servers - I like them, they are fast
push "dhcp-option DNS 8.8.4.4" #
server 10.8.0.0 255.255.255.0 # 10.8.0.0 is the VPN virtual LAN. The VPN server will get 10.8.0.1 and the remote clients will get the next ones
ifconfig-pool-persist ipp.txt # don't worry about ipp.txt - it will be created
push "route 192.168.1.0 255.255.255.0" # this route will be pushed to a client which connects
keepalive 10 120
cipher BF-CBC # Blowfish (default) encryption. Note: BF-CBC has a 64-bit block size and is deprecated in current OpenVPN releases, which default to AES-GCM ciphers
max-clients 100 # Assign the maximum number of clients here
user openvpn # remember to start the process using the user/group we created earlier
group openvpn # thanks to anonymous commenter 'foobar' for catching this
persist-key # needed together with user/group: once privileges are dropped the daemon cannot re-read the key file on a restart
persist-tun # likewise, keep the tun device open across restarts instead of reopening it unprivileged
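As an added check (example code written for this post, not part of the original or of OpenVPN), here is a small Python audit of a server.conf along the lines of the one above: it parses directives the way OpenVPN does (inline '#' comments, quoted push arguments) and flags the points this post raises: running as root, a privilege drop without persist-key/persist-tun, the 64-bit-block BF-CBC cipher, and a pushed LAN route that does not cover the server's own LAN. The sample config is constructed, not the author's file.

```python
import shlex
from ipaddress import ip_address, ip_network

# Constructed server.conf modelled on Step 3.4 of the post (not the author's file verbatim).
SAMPLE_CONF = """\
local 192.168.1.10 # real LAN IP address of the VPN server
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0 # the VPN virtual LAN
push "route 192.168.1.0 255.255.255.0" # lets clients reach the home LAN
cipher BF-CBC # Blowfish (default) encryption
user openvpn
group openvpn
"""

def parse_conf(text):
    """Yield (directive, args). Lines starting with '#' or ';' and text after an inline '#' are comments; quoted args stay whole."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            tokens = shlex.split(line, comments=True)
            if tokens:
                yield tokens[0], tokens[1:]

def audit_server_conf(text):
    """Return sorted findings for the hardening points the post raises (root, cipher, LAN routing)."""
    conf, pushes = {}, []
    for directive, args in parse_conf(text):
        conf[directive] = args
        if directive == "push":
            pushes.append(args[0].split())          # e.g. ["route", "192.168.1.0", "255.255.255.0"]
    findings = []
    if "user" not in conf or "group" not in conf:
        findings.append("runs as root: add 'user openvpn' and 'group openvpn'")
    elif not all(k in conf for k in ("persist-key", "persist-tun")):
        findings.append("privilege drop without persist-key/persist-tun: restarts cannot reopen keys or tun")
    if conf.get("cipher", [""])[0].upper() == "BF-CBC":
        findings.append("cipher BF-CBC has a 64-bit block; prefer an AES-GCM cipher")
    routes = [ip_network(f"{p[1]}/{p[2]}") for p in pushes if p[:1] == ["route"] and len(p) >= 3]
    if "local" in conf and not any(ip_address(conf["local"][0]) in r for r in routes):
        findings.append("no pushed route covers the server's LAN: clients will not reach other LAN hosts")
    if "server" in conf:
        vpn = ip_network(f"{conf['server'][0]}/{conf['server'][1]}")
        if any(vpn.overlaps(r) for r in routes):
            findings.append("pushed LAN route overlaps the VPN pool")
    return sorted(findings)
```

Running it on the sample reports the missing persist-key/persist-tun pair and the BF-CBC cipher; deleting the user/group lines adds the runs-as-root finding.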
Tun vs Tap (in .conf files)
Note that I am using a "tun" virtual adapter and not "tap". Simply put, it means I am establishing an IP level p2p link between my client and the VPN server.
On the other hand, if I used "tap", then I'd be creating an Ethernet bridge between the two. Specifically, in tun mode, any protocols that use broadcast packets to advertise themselves (for example, NetBIOS and AFP use broadcast packets) will not work, as broadcast packets will not be carried from the VPN LAN to my LAN. Practically, what it means is that I will not see any of my home devices in my network "automatically"; I will need to connect to them over SMB. For example, when I use tap, the home devices automatically show up in my network list, while in tun mode I need to "Connect to server" to get access to them. I chose to use tun because I believe it performs better, though I am not sure by how much. Actually, the real reason I chose tun was so that my Time Machine backup doesn't auto-start syncing gigabytes of data over the VPN. Whichever you choose, make sure you use the same interface on the client side as well.
Also note that if you choose tun, Apple's Time Machine will stop working, as it uses broadcast packets to identify/locate itself. If you want Time Machine to sync over the VPN, change tun back to tap in both client and server files. I like it this way, as for now I don't want my Mac to sync over the VPN. Every time Time Machine syncs, it syncs many gigabytes of data (gee, I never knew OS X files change so much in an hour), which I did not want. I only want it to sync when I am at home (i.e. no VPN on).
Now, launch the VPN server. I find it easier to run it in non-daemon mode first to make sure there are no errors. So,
openvpn --config server.conf
Make sure openvpn is working and it does not exit.
Great. Now get OpenVPN running in daemon mode.
Make sure it is running by checking ps:
ps aux | grep openvpn
All good? Great. Your server is ready.
Step 3.5: IP forwarding - Don't forget
Whoops, we almost forgot. You need to enable IP forwarding on your ReadyNAS.
Add the following line to /etc/sysctl.conf (if it already exists, make sure ip_forward is 1, not 0):
net.ipv4.ip_forward = 1
This will make sure IP forwarding is permanent across reboots. To apply it to the current session without rebooting:
sysctl -p /etc/sysctl.conf
Double check by
If it says 1, good. You are ready to focus on the client. If not, go back and trace your steps and see what you might have missed.
Step 4: Getting OpenVPN client working: The execution
The main thing here is you need to copy the certificates and keys you created for the client to your remote client as well and set up its conf file. The files you need to copy from /etc/openvpn to your client are:
In my case, I have a Mac OS remote client. I use the excellent Tunnelblick app (free) to connect. In the case of Tunnelblick, all the configuration files are stored in the path
~/Library/Application Support/Tunnelblick/Configurations, so I just copied the above files there.
(Note: these Client01.crt, csr, key files can be found in /usr/share/doc/openvpn/examples/easy-rsa/keys directory where you created them as part of Step 3.2 - thanks Martyn)
Now all that remains is to set up a client configuration that can connect to the VPN server.
Here is my client.conf file (you can call it whatever-you-want.conf)
remote AA.BB.CC.DD 1194 # Replace AA.BB.CC.DD with the public IP of your VPN server (if you don't have one, this will be the public IP of your home router, and you port-forward from your home router to the VPN server. The latter is my case)
Step 5: Configuring your home router
This last step can be forgotten very easily. If you don't do this, things won't work.
We need to do 2 things:
a) If your VPN server is not on a public IP, you need to use the public IP of your router and forward all traffic arriving at the router on port 1194 to the VPN server.
b) Set up a static route to make sure remote clients can reach other LAN terminals once connected via VPN.
For a) there is a better way - I use dyndns.org to assign a permanent hostname to my router. This is better than an IP, as if the WAN IP of the router changes, the hostname in DynDNS is automatically updated. Most routers allow you to specify a DynDNS account and can automatically keep DynDNS updated. DynDNS is free and this is very useful. Google around on how to do this, or, to start, just use the WAN IP of the router in the client config. In my case, "AA.BB.CC.DD" in the conf file above reads "myhostname.dyndns.org".
Next, add the port forwarding:
a) Open the port forwarding entry in your home router, and add a new rule (call it "openvpn")
b) Start port:1194, end port: 1194, protocol:UDP
c) Server IP address: 192.168.1.10 (in my case, change to LAN IP of your VPN server)
What we did here is made sure that if the router receives any connections/traffic to port 1194 of its WAN IP, it will forward it internally to the VPN server (your readynas box). That takes care of the VPN server not having a public IP.
Next up, add a static route to your router: (Change IP addresses to match your setup)
Click on the static route option of your router and create a new route:
route name: name it whatever - I called it vpnroute
Destination IP address: 10.8.0.0 (This is the virtual LAN that the VPN server will create)
Gateway: 192.168.1.10 (This is the IP address of my VPN server. Changed on Feb 22 2012: this line originally read 192.168.1.1, my default LAN gateway.)
(Note: I am not sure if you need the above step if you use tap because it is supposed to be an ethernet bridge. You can experiment by not doing this while using tap to see if you can still access other machines)
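Why both Step 3.5 (ip_forward on the NAS) and the static route on the router are needed is easiest to see by tracing a ping hop by hop. The Python model below is an added example, not from the original post: it uses the post's addresses (VPN pool 10.8.0.0/24, NAS at 192.168.1.10 and 10.8.0.1, router 192.168.1.1, a LAN host 192.168.1.9 and a remote client 10.8.0.6) with a longest-prefix-match lookup per node; the "wan" sink stands in for the ISP, which has no route back to 10.8.0.0/24.

```python
from ipaddress import ip_address, ip_network

def build_nodes(ip_forward, static_route):
    """Constructed topology mirroring the post: tun VPN 10.8.0.0/24 and home LAN 192.168.1.0/24.
    Routes are (network, next_hop); 'direct' means the destination is on-link."""
    lan, vpn = ("192.168.1.0/24", "direct"), ("10.8.0.0/24", "direct")
    router_routes = [lan, ("0.0.0.0/0", "wan")]
    if static_route:                          # Step 5b: 10.8.0.0/24 via the VPN server's LAN address
        router_routes.insert(0, ("10.8.0.0/24", "nas"))
    return {
        "client": {"addrs": {"10.8.0.6"}, "forwards": False,
                   "routes": [vpn, ("192.168.1.0/24", "nas")]},   # the pushed "route 192.168.1.0 ..."
        "nas":    {"addrs": {"10.8.0.1", "192.168.1.10"}, "forwards": ip_forward,   # Step 3.5 sysctl
                   "routes": [vpn, lan, ("0.0.0.0/0", "router")]},
        "router": {"addrs": {"192.168.1.1"}, "forwards": True, "routes": router_routes},
        "host9":  {"addrs": {"192.168.1.9"}, "forwards": False, "routes": [lan, ("0.0.0.0/0", "router")]},
        "wan":    {"addrs": set(), "forwards": False, "routes": []},  # sink: the ISP has no route to 10.8.0.0/24
    }

def next_hop(node, dst):
    """Longest-prefix match over one node's routing table."""
    best = None
    for net, hop in node["routes"]:
        n = ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, hop)
    return best[1] if best else None

def trace(nodes, src, dst_ip):
    """Forward one packet hop by hop; return (delivered, path)."""
    dst, here, path = ip_address(dst_ip), src, [src]
    for _ in range(8):                                    # TTL guard against loops
        if str(dst) in nodes[here]["addrs"]:
            return True, path
        if here != src and not nodes[here]["forwards"]:
            return False, path                            # a plain host, or the NAS with ip_forward=0, drops it
        hop = next_hop(nodes[here], dst)
        if hop == "direct":                               # on-link: hand to whichever node owns the address
            hop = next((name for name, node in nodes.items() if str(dst) in node["addrs"]), None)
        if hop is None:
            return False, path
        here = hop
        path.append(here)
    return False, path

def lan_host_reachable(ip_forward, static_route):
    """Client 10.8.0.6 pings LAN host 192.168.1.9: both the request and the reply must arrive."""
    nodes = build_nodes(ip_forward, static_route)
    return trace(nodes, "client", "192.168.1.9")[0] and trace(nodes, "host9", "10.8.0.6")[0]
```

Without the static route the request still reaches 192.168.1.9, but its reply follows the host's default route to 192.168.1.1 and leaves via the WAN, which is why pings to other LAN machines time out while the VPN server itself still answers.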
Step 6: Test
Now try and connect to your VPN server from a remote client.
Works? great, check a few things:
At the client type:
If you are using tun (ip p2p link), you will see something like this:
tun0: flags=8851 mtu 1500
inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff
open (pid 2205)
Or, if using tap (ethernet bridge):
tap0: flags=8843 mtu 1500
inet 10.8.0.2 netmask 0xffffff00 broadcast 10.8.0.255
open (pid 3146)
Note the difference. In tap, your virtual interface works at layer 2 and creates a virtual ethernet mac address. While in tun mode, a routing path is established at the IP layer.
In both cases, it is telling you a virtual interface has been created with a 10.8.0.x address. (Remember I chose 10.8.0.0 as my VPN network range)
Now ping the VPN server at its virtual LAN address:
[arjun@~] ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1): 56 data bytes
64 bytes from 10.8.0.1: icmp_seq=0 ttl=64 time=70.841 ms
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=48.327 ms
Great. Now ping the VPN server at its real LAN address (this won't work if routes are not set up properly)
[arjun@~] ping 192.168.1.10
PING 192.168.1.10 (192.168.1.10): 56 data bytes
64 bytes from 192.168.1.10: icmp_seq=0 ttl=64 time=29.200 ms
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=46.460 ms
Finally, ping another machine on the LAN:
[arjun@~] ping 192.168.1.9
PING 192.168.1.9 (192.168.1.9): 56 data bytes
64 bytes from 192.168.1.9: icmp_seq=0 ttl=126 time=190.009 ms
64 bytes from 192.168.1.9: icmp_seq=1 ttl=126 time=30.312 ms
Great. All done.