Tuesday, May 10, 2011

Adding a VPN server to ReadyNAS

I recently purchased a 4 disk-bay Netgear ReadyNAS NV+ box. This was a few days after I lost 60% of my media collection because my HD just decided to stop working. And yes, I've been meaning to back up the archive, but never got around to actually doing it, till it died. Hindsight is 20-20, isn't it?

Anyhow, the ReadyNAS NV+ is a great box. The nicest thing about it is that, via plugins, you can convert it into a full-fledged development box running Linux. One thing it lacked was a way to make the box a VPN server as well. I currently have OpenVPN running on an 'always on' home laptop, but it made more sense to move the VPN server to the ReadyNAS box, as it is the one that is supposed to be 'always on' anyway.

I searched around. There are several sites that give only partial instructions of how to get things working. No one site has 'everything you need'. So I thought I'd post *exactly* how to do everything you need to get this working.

Step 1: Install SSH and apt-get

1) Download the Enable RootSSH plugin from here. (You need this to ssh into readynas)

2) Install it in the ReadyNas via the menu (System/Update/Local Update)

3) Download the apt plugin from here. (you need this to download the openvpn package and dependencies)

4) Install it in the ReadyNas via the menu (System/Update/Local Update)

Note: Don't try and upload both plugin images together and then apply. Only the latest plugin will be applied.

Step 2: Getting OpenVPN working: The layout

Before we set up OpenVPN, let's discuss the network first. You may need to change client.conf or server.conf to fit your own layout.

My home LAN has the following network: 192.168.1.x

The ReadyNAS server (which will be my VPN server soon) runs on:

The home router (Which allocates DHCP addresses to my home LAN and is the default internet gateway) runs on:

What I want:

a) I want to be able to connect to my ReadyNAS VPN server from outside my home

b) I want to make sure all my internet connections are not forced through my home LAN when connected via VPN.

c) I want my remote client to be able to access all my other machines @ home in addition to the VPN server

Step 3: Getting OpenVPN Server working: The execution

We need to do the following steps:

1) Generate the right certificates/keys for the server and client (easy)

2) Configure the server.conf and client.conf files correctly (logical if you follow the instructions)

3) Enable IP forwarding in your ReadyNas (if you don't do this, you will not be able to access other machines on LAN)

4) Configure your default home router with a static route (if you don't do this, you will not be able to access other machines on the LAN)

Step 3.1: Install openVPN

Pre-requisite: You have SSH and apt-get installed and enabled in the ReadyNas.

First, connect to your readynas via SSH (password is same as your readyNas admin password)
ssh -l root

Once logged in:
apt-get update
apt-get install openvpn

(the above will download and install all dependencies)

[Note: If you upgrade the NAS Firmware after installing openvpn (like I did for it to support OSX Lion) you will need to re-install openvpn or you may find it segfaulting when a client attempts to connect]

Step 3.2: Create your certificates

(This is just the same instructions as this thread)

You need to set some key variables which will be used to generate the certificate. The content here is not critical - you can change it to what you need. Basically, edit the vars file in your favorite editor and make the changes to the following variables in them. Make sure you save the changes.
cd /usr/share/doc/openvpn/examples/easy-rsa/
vi vars
export KEY_PROVINCE=Maryland
export KEY_CITY=MD
export KEY_ORG="Arjun"
export KEY_EMAIL=""

Next up:
. ./vars
gunzip openssl.cnf.gz
./build-key-server MyVPNServer

Important: You will be asked a series of questions, with the default values filled in. I just entered my name in the Organization question as well. Also, when it asks you "Sign certificate?", please answer YES; otherwise it will generate 0-byte certificates and OpenVPN won't start.

Note: It is important that you run ". ./vars" and not "./vars": the latter will not export the variables to your current shell and you will get errors.

At this point, you have the certificate and key for the server instance. Now you need to build the client keys:

./build-key Client01

Finally, build the Diffie-Hellman parameters (this takes forever on the ReadyNAS. Take a meal break here).


Step 3.3: Copy the certificates and keys to the right location to your server
cp ./keys/ca.crt /etc/openvpn/
cp ./keys/ca.key /etc/openvpn/
cp ./keys/MyVPNServer.crt /etc/openvpn/
cp ./keys/MyVPNServer.key /etc/openvpn/
cp ./keys/dh1024.pem /etc/openvpn/

The next step is optional - but I prefer to do it and suggest you do too. Basically, you can create a new user/group with limited rights which will run the openvpn server. It's not a good idea really to run the server as root, because one could exploit a vulnerability in it and get access to a root shell, which is not going to be pretty.

groupadd openvpn
useradd -d /dev/null -g openvpn -s /bin/false openvpn

Step 3.4: Set up the server.conf file

cd /etc/openvpn/

Now just create a server.conf file in your favorite text editor and use the contents below. Please modify the IP addresses according to your local LAN and VPN IPs.

You can create server.conf in this directory using any text editor (vim, emacs, whatever). Note that you may need to 'sudo' if you don't have permissions to create a file in that directory. Alternatively, just create a server.conf file wherever you want and copy it to /etc/openvpn when done.

local # real LAN IP address of my VPN server
port 1194 # This is the port OpenVPN is running on
proto udp # UDP tends to perform better than TCP for VPN
mssfix 1400 # Supposedly this fixes errors with RemoteDesktop over VPN. Never tried it
# note: these two pushes below don't work for non-Windows clients unless
# you write a script to parse for these pushes. See OpenVPN Howto.
push "dhcp-option DNS" # I am using Google's DNS servers - I like them they are fast
push "dhcp-option DNS" #
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/MyVPNServer.crt
key /etc/openvpn/MyVPNServer.key
dh /etc/openvpn/dh1024.pem
server # is the VPN virtual LAN. The VPN server will get and the remote clients will get the next ones
ifconfig-pool-persist ipp.txt # don't worry about ipp.txt - it will be created
push "route" # this route will be pushed to a client which connects
keepalive 10 120
cipher BF-CBC # Blowfish (default) encryption
max-clients 100 # Assign the maximum number of clients here
status openvpn-status.log
verb 1
user openvpn # remember to start the process using the user/group we created earlier
group openvpn # thanks to anonymous commenter 'foobar' for catching this
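
The server.conf above, together with the files copied in Step 3.3, can be checked for the settings that matter most to the server's security: the privilege drop, the cipher, the DH size, the permissions on the server key, and whether the CA's private key was left beside the config. The script below is an added example, not part of the original post; the finding names, the scratch-directory sample and the handling of relative paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post: audit a server.conf written in
# the style of Step 3.4. Finding names are made up for this example.

# conf_value FILE DIRECTIVE -> first argument of DIRECTIVE ("# ..." comments dropped)
conf_value() {
    awk -v d="$2" '{ sub(/#.*/, "") } $1 == d { print $2; exit }' "$1"
}

# loose_perms FILE -> true when group or others have any permission bit set
loose_perms() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

audit_openvpn_conf() {
    conf=$1
    dir=$(dirname "$conf")

    # Without both lines the daemon never drops root (the gap that the
    # commenter 'foobar' caught in the post's own config).
    if [ -z "$(conf_value "$conf" user)" ] || [ -z "$(conf_value "$conf" group)" ]; then
        echo "RUNS_AS_ROOT"
    fi

    # Blowfish has a 64-bit block. The post calls BF-CBC the default, so a
    # missing cipher line is treated the same way (assumption for that release).
    case "$(conf_value "$conf" cipher)" in
        BF-CBC|"") echo "CIPHER_64BIT_BLOCK" ;;
    esac

    # easy-rsa names the file dh<bits>.pem; reading the size from the name is a
    # heuristic ("openssl dhparam -in FILE -text -noout" shows the real size).
    dh=$(conf_value "$conf" dh)
    bits=$(printf '%s\n' "${dh##*/}" | sed -n 's/^dh\([0-9][0-9]*\)\.pem$/\1/p')
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "DH_${bits}_BIT"
    fi

    # The server's private key should be readable by its owner only.
    key=$(conf_value "$conf" key)
    case "$key" in
        /*) ;;
        *) key="$dir/$key" ;;   # assumption: relative paths sit beside the config
    esac
    if [ -f "$key" ] && loose_perms "$key"; then
        echo "KEY_READABLE_BY_OTHERS"
    fi

    # server.conf only references ca.crt; ca.key is needed for signing
    # certificates, not for running the server.
    if [ -f "$dir/ca.key" ]; then
        echo "CA_KEY_ON_SERVER"
    fi
}

# Constructed sample: the post's server.conf without the user/group lines,
# with every file placed in a scratch directory instead of /etc/openvpn.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/server.conf" <<EOF
port 1194 # This is the port OpenVPN is running on
proto udp
dev tun
ca $d/ca.crt
cert $d/MyVPNServer.crt
key $d/MyVPNServer.key # This file should be kept secret
dh $d/dh1024.pem
cipher BF-CBC # Blowfish (default) encryption
EOF
    : > "$d/MyVPNServer.key"
    chmod 644 "$d/MyVPNServer.key"
    : > "$d/ca.key"
    echo "$d"
}

sample=$(make_sample)
audit_openvpn_conf "$sample/server.conf"
rm -rf "$sample"
```

On the NAS itself, calling audit_openvpn_conf /etc/openvpn/server.conf as root runs the same checks against the real files.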

Tun vs Tap (in .conf files)

Note that I am using a "tun" virtual adapter and not "tap". Simply put, it means I am establishing an IP level p2p link between my client and the VPN server.
On the other hand, if I used "tap", then I'd be creating an ethernet bridge between the two. Specifically, in tun mode, any protocols that use broadcast packets to advertise themselves (example, netbios & AFP uses broadcast packets) will not work, as broadcast packets will not be shared from the VPN lan to my lan. Practically, what it means is that I will not see any of my home devices in my network "automatically" - I will need to connect with them over SMB. For example, when I use tap, the home devices automatically show up in my network list. While in tun mode, I need to "Connect to server" to get access to it. I chose to use tun because I believe it is better in performance - though I am not sure by how much. Actually, the real reason I chose tun was so that my Time Machine backup doesn't auto start syncing gigabytes of data over VPN. Whichever you choose, make sure you use the same interface in the client side as well.

Also note that if you choose tun, Apple's TimeMachine will stop working, as it uses broadcast packets to identify/locate itself. If you want TimeMachine to sync over the VPN, change tun back to tap in both client and server files. I like it this way, as for now, I don't want my mac to sync over the VPN. Every time time machine syncs, it syncs many gigabytes of data (Gee I never knew OSX files change so much in an hour) which I did not want. I only want it to sync when I am @ home (ie no VPN on).

Now, launch the VPN server. I find it easier to run it in non-daemon mode first to make sure there are no errors. So,
openvpn --config server.conf

Make sure openvpn is working and it does not exit.

Great. Now get openVPN running in daemon mode
/etc/init.d/openvpn restart

Make sure it is running by checking ps:
ps aux | grep openvpn

All good? Great. Your server is ready.

Step 3.5: IP forwarding - Don't forget

Whoops, we almost forgot. You need to enable IP forwarding in your ReadyNas.

vi /etc/sysctl.conf

Add the following line: (if it exists, make sure ip_forward is 1 not 0)

net.ipv4.ip_forward = 1

This will make sure IP forwarding is permanent across reboots. To apply it to the current session without rebooting:
sysctl -p /etc/sysctl.conf

Double check by
cat /proc/sys/net/ipv4/ip_forward

If it says 1, good. You are ready to focus on the client. If not, go back and trace your steps and see what you might have missed.

Step 4: Getting OpenVPN client working: The execution

The main thing here is you need to copy the certificates and keys you created for the client to your remote client as well and set up its conf file. The files you need to copy from /etc/openvpn to your client are:

In my case, I have a MacOS remote client. I use the excellent Tunnelblick app (free) to connect. Tunnelblick stores all its configuration files in the path
~/Library/Application Support/Tunnelblick/Configurations so I just copied the above files there.

(Note: these Client01.crt, csr, key files can be found in /usr/share/doc/openvpn/examples/easy-rsa/keys directory where you created them as part of Step 3.2 - thanks Martyn)

Now all that remains is to set up a client configuration that can connect to the VPN server.

Here is my client.conf file (you can call it whatever-you-want.conf)

proto udp
dev tun
remote AA.BB.CC.DD 1194 # Replace AA.BB.CC.DD with the public IP of your VPN server (if you don't have one, this will be the public IP of your home router and port forward from your home router to the VPN server. The latter is my case)
resolv-retry infinite
ca ca.crt
cert Client01.crt
key Client01.key
ns-cert-type server
cipher BF-CBC
verb 3

Step 5: Configuring your home router
This last step can be forgotten very easily. If you don't do this, things won't work.

We need to do 2 things:
a) If your VPN server is not on a public IP, you need to use the public IP of your router and have the router port forward all traffic arriving on port 1194 to the VPN server.
b) Set up a static route to make sure remote clients can reach other LAN terminals once connected via VPN.

For a) there is a better way - I use to assign a permanent hostname for my router. This is better than IP as if the wan IP of the router changes, the hostname in dyndns is automatically updated. Most routers allow you to specify a dyndns acct and it can automatically keep dyndns updated. Dyndns is free and this is very useful. Google around on how to do this, or, to start just use wan IP of the router in the client code. In my case, "AA.BB.CC.DD" in the conf file above reads ""

Next, add the port forwarding:
a) Open the port forwarding entry in your home router, and add a new rule (call it "openvpn")
b) Start port:1194, end port: 1194, protocol:UDP
c) Server IP address: (in my case, change to LAN IP of your VPN server)

What we did here is made sure that if the router receives any connections/traffic to port 1194 of its WAN IP, it will forward it internally to the VPN server (your readynas box). That takes care of the VPN server not having a public IP.

Next up, add a static route to your router: (Change IP addresses to match your setup)
Click on the static route option of your router and create a new route:
route name: name it whatever - I called it vpnroute
Destination IP address: (This is the virtual LAN that the VPN server will create)
Gateway: (This is my default LAN gateway)  - (Changed on Feb 22 2012 - see below)
Gateway: (This is the IP address of my VPN server)

And save.

(Note: I am not sure if you need the above step if you use tap because it is supposed to be an ethernet bridge. You can experiment by not doing this while using tap to see if you can still access other machines)

Step 6: Test
Now try and connect to your VPN server from a remote client.
Works? great, check a few things:

At the client type:

If you are using tun (ip p2p link), you will see something like this:

tun0: flags=8851 mtu 1500
inet --> netmask 0xffffffff
open (pid 2205)

Or, if using tap (ethernet bridge):

tap0: flags=8843 mtu 1500
ether x:x:x:x:x:x
inet netmask 0xffffff00 broadcast
open (pid 3146)

Note the difference. In tap, your virtual interface works at layer 2 and creates a virtual ethernet mac address. While in tun mode, a routing path is established at the IP layer.

In both cases, it is telling you a virtual interface has been created with a 10.8.0.x address. (Remember I chose as my VPN network range)
Now ping the VPN server at its virtual LAN address:

[arjun@~] ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=64 time=70.841 ms
64 bytes from icmp_seq=1 ttl=64 time=48.327 ms

Great. Now ping the VPN server at its real LAN address (this won't work if routes are not set up properly)

[arjun@~] ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=64 time=29.200 ms
64 bytes from icmp_seq=1 ttl=64 time=46.460 ms

Finally, ping another machine on the LAN:
[arjun@~] ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=126 time=190.009 ms
64 bytes from icmp_seq=1 ttl=126 time=30.312 ms

Great. All done.


  1. That is great - well done! Something I've been looking for for a while.

    I have a Duo. Do you know if it would cope with this install? I suspect maybe not due to processor requirements but I'd love to do it.

  2. @Steve, I believe it should work. (Don't have one, but when I was reading the various links talking about this, Duo users have said openvpn works)

  3. Works on DUO, thanks for the tutorial.

  4. Hi, it's very simple to use scp
    The command to copy from the NAS to your local machine is:
    scp root@:/etc/openvpn/

    Or, if the file is small, just expand to full screen, and copy paste :-)

  5. Mike, to be sure, I just installed an openvpn client for windows to try it out (I don't use windows, but have one at home). It connected without any hitches. The client I used was [HERE]

    I googled on why this message may be coming and I think it's to do with the push commands in server.conf, but since it worked without any problem for me, I wonder why it's not working for you - so can you try with the above client? Note that you need to rename your client .conf file to .ovpn for this client to work.

  6. Also see
    I think you are using the wrong client. If you use the one I referred to above it should work.

  7. Arjun, Thanks for the prompt replies and all the help! It is most appreciated. Over the past couple of days I've been tweaking some things and still have problems. I am using the openVPN client gui you recommended, found at and was at least able to get it to try and connect but came up with errors. It keeps giving me this error: "read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)". It gives that 5 times in a row, then "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)", and lastly "TLS Error: TLS handshake failed".

    Judging from what I've been reading, it might be the way I have my network setup but I'm not sure. I have a DSL connection from Qwest (now CenturyLink) and I have my m1000 modem transparently bridged to my Trendnet tew-639gr router. Now, I have the routing setup the way you suggested but I'm wondering if maybe both the devices have NAT enabled, causing the vpn connection to be confused? I've never done a vpn before or transparent bridging so I might have done something wrong! lol

  8. If it would help at all, here's my server.conf settings:

    port 1194
    proto udp
    mssfix 1400
    push "dhcp-option DNS"
    push "dhcp-option DNS"
    dev tun
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/MyVPNServer.crt
    key /etc/openvpn/MyVPNServer.key # This file should be kept secret
    dh /etc/openvpn/dh1024.pem
    ifconfig-pool-persist ipp.txt
    push "route [My dyndns domain name]"
    keepalive 10 120
    cipher BF-CBC # Blowfish (default)
    max-clients 100
    status openvpn-status.log
    verb 6

  9. And here's my client.ovpn file:

    dev tun
    proto udp
    remote [My dyndns domain name] 1194
    resolv-retry infinite
    ca ca.crt
    cert Client01.crt
    key Client01.key
    ns-cert-type server
    cipher BF-CBC
    verb 6

  10. Mike, this is very likely a firewall issue. Your firewall (in one of your routers, likely) is likely blocking the port. Try first disabling all firewalls everywhere, make it work, then re-enable them and set up your port forwarding.

  11. Arjun,

    Thanks for posting this tutorial. With this guidance I was able to get it to work. My only issue is that upon disconnecting the VPN, my network connection (wifi - I am on a macbook air) does not fall back to the regular configuration. Any ideas?



  12. JP, how do you disconnect? In my case, when I disconnect from Tunnelblick, my tun0 interface disappears and things are normal. What happens in your case?

  13. I disconnect by selecting disconnect from the tunnelblick drop-down menu. tun0 disappears as in your case and the settings for en0 stick, however it does not work unless I turn wifi off and then on, or I jump to another wifi network. :S

  14. Odd, Frankly, I don't have a clue. I use WiFi too and not ethernet. The difference is I am on an MBP

    So all I can tell you is specifics of what I have:
    a) Running OSX Lion 10.7.2. with Tunnelblick 3.2. beta 32 (I needed this when I moved to Lion)
    b) In Configurations screen settings tab, Set DNS/WINS is "Set Name Server", Connect: "Manually", both options checked (Monitor nw settings, show config)

  15. Thanks for the very detailed tutorial. Looking forward to use it next weekend! I was wondering about one more thing, can i use openvpn for setting up a vpn-connection between two readynasses? I want to set up a secure rsync-backup over internet.

  16. Sure, I think that should be possible - in this case, one would be a VPN server and the other a VPN client. ReadyNAS NV+ has a nice linux development set up, so you can just run the open vpn linux client on one and even set it up to automatically connect, always connect or anything in between.

  17. Thank you Arjun, i'll give it a try and let you know if it worked.

  18. Hey Arjun,

    Great tutorial. I'm kind of confused though, step 3.4 is the actual setup of the server.conf file but I don't know where that file is to change settings. I've tried looking on OpenVPN's page but I just can't find it.

    Any help?

  19. Arjun,

    Brilliant write up, I am way out of my comfort zone at Linux CLI, and your article was a crutch! One small note, at the point of copying the created keys to /etc/openvpn/ you fail to include the three Client01 files.... Took me an age to find them!

    Anyway, i have encountered an issue when running /etc/init.d/openvpn start .....I get..... Starting virtual private network daemon: FAILED-> server.

    When i run openvpn --config server.conf .....I get......

    Sat Dec 3 17:11:57 2011 OpenVPN 2.0 sparc-unknown-linux [SSL] [LZO] [EPOLL] built on Jan 17 2007
    Sat Dec 3 17:11:58 2011 TCP/UDP: Socket bind failed on local address Address already in use
    Sat Dec 3 17:11:58 2011 Exiting

  20. Although I'm sure the first time i ran it, it ran cleanly with no error.

    If I try ps aux | grep openvpn ......I get:

    root 4858 0.0 0.2 4368 2608 ? S 14:42 0:01 openvpn --config server.conf
    root 5398 0.0 0.1 4256 1200 pts/1 S+ 17:20 0:00 grep openvpn

    I'm not sure what I am supposed to see, but from what I have read, it should tell me if the openVPN service is running.... Is it??!

    I'm not a Linux user, although i have no problem getting my hands dirty, but looking at the openvpn command switches, I don't really know where to start troubleshooting. So for once in my life I thought I'd ask!


  21. Clayton, I'll add that text to my tutorial. Just create an empty file called server.conf in /etc/openvpn and copy paste the contents of 3.4

  22. Thanks Martyn. As far as the Client01 files go, you should not need to copy it to the server directory. These are client files that get copied to your client machine from where you launch the openvpn client to connect to the server (Step 4 explains this)

  23. Martyn, that means openvpn is already running. "ps" is a mechanism to see what processes are running in memory. The first line shows openvpn is. That is why if you try and start it again, it says 'bind error' because another openvpn is already listening to the network socket. If you want to stop openvpn, do /etc/init.d/openvpn stop

  24. Ah ok, I see what you mean - I'll fix it

  25. Thanks for the quick reply Arjun....

    So technically it's working then!? Strange though, that i did actually try stopping the service, and upon initiating start, get the same error. But PS shows it to be running regardless.....?

    Oh well, next step, try connecting...... Need to punch a couple of holes through the work Router PIX and Firewall first.....

  26. Martyn, yes it's running. I am guessing you are getting this error because you already have vpn running and you are trying to run it again. Kill openvpn (/etc/init.d/openvpn stop) and then start it again to make sure there are no errors.
    When you start openvpn, don't start in daemon mode (i.e., do a cd /etc/openvpn followed by openvpn --config server.conf ). Then connect your client to the server. If it works, exit openvpn by hitting Ctrl+C on the terminal where you did openvpn --config server.conf and restart in daemon mode (/etc/init.d/openvpn restart)

    If you try and start openvpn again while it's already running, you will see errors.

  27. Hi and thx for your excellent tutorial. I got my Windows 7 Client connecting to my readynas and I am able to ping the vpn address ( and the local network address ( of my readynas. Unfortunately I am unable to connect (or even ping) other network clients on my LAN I am connected to (10.0.0.x). I used exactly the server and client configs you used in your tutorial.

  28. Hi Phil, are you sure you did not forget to set up the routing table in your home router correctly? Don't forget step 3.5 and 5

  29. Hi Arjun, thx for your answer. I have done everything listed in 3.5 and 5 and double checked it. Maybe I am misunderstanding something...

    My Router is, my readynas is and VPN is 10.8.0.x. At my Router I have an entry in my routing table which is: Target, GW, Subnetmask The routes in my readynas are * UH 0 0 0 tun0 * U 0 0 0 eth0 UG 0 0 0 tun0
    default UG 0 0 0 eth0

    When I am connected, my client VPN IP is, the routes on my win client are

    Network Destination Netmask Gateway Interface Metric 276 30 30 On-link 286 On-link 286 On-link 286

    Can you tell me what's wrong with this config?
    Best regards

  30. Phil, do you have firewalls anywhere along the route? As a first step, disable them (just for testing) and see if you can ping

  31. Yes, i have tried to disable all Firewalls. I even tried it from other clients (linux pc, android phone), same result. I can connect and ping the lan ip of the server, but nothing else...

  32. Phil, just to make sure, please tell me the result of
    cat /proc/sys/net/ipv4/ip_forward
    if it's 0, ip forwarding has not yet been applied. Do " echo 1 > /proc/sys/net/ipv4/ip_forward" if it's 0 and then try.

  33. Also, after checking ip_forwarding, do this:

    You have said:

    My Router is, my readynas is and VPN is 10.8.0.x. At my Router I have an entry in my routing table which is: Target, GW, Subnetmask

    Change that to be

    Target, GW, Subnetmask

    It seems that is logical (though my example says otherwise in the article). If it works for you, I'll change my setup as well and see if it works. It would seem logical to keep the VPN server as the gateway for VPN traffic and not the router...

  34. ip_forwarding was already set to 1.

    After reading so many articles about routing I was thinking over my router config and I changed the route to use as the gateway - the same as you suggested - which also makes much more sense to me. So after changing that, I was able to reach my connected vpn client from any client in my local lan 10.0.0.x, so my router routes the packets correctly. A little progress, thanks for your hint :-)

    But still I am not able to connect the other way round, which means from to which is my main target. I took wireshark and looked at the network traffic at and when I tried to connect (ping) from the packets arrive, but no response is going out. As mentioned, ping from to works...

  35. ok, I see, I am a little confused because of too much configs and routes... :-) Because of a restart my Client Firewall was enabled again, so connecting the other way round is possible now! Thanks again for your help!!

  36. Phil, thanks for the update. Glad it worked out.

  37. Well, to close the loop, I went home and checked. My gateway IP was set to my VPN server and not my router. That explains why it worked. I've corrected that part in the original article.

  38. Hm.. Step 3.4 is tricky, or is it? To edit a text file is not hard but how to put the file in /etc/openvpn/ ?

  39. No, it's not. Just go to that directory and create the file, if you are unfamiliar with cp.

  40. This is the tricky part for me because I can't find the root. I have created a network connection called root on my NAS in windows but there is nothing in it. Or... I can't see it. What's the easiest way to browse files in root on NAS?

  41. I am not sure how you are connecting to your NAS. For this to work, you need to ssh to the NAS - so not sure what you mean by a network connection called root. This tutorial assumes you have opened an ssh shell and are working on the NAS using a command line terminal.

  42. Yes, I'm using PuTTY but to create a file with it is over my limit but I would like to learn if it is necessary. I can create a file in windows and drag it to a folder but I assume that's not the case when creating server.conf

  43. Awesome guide, I am done with the server part, and it runs correctly, but I am not sure where to go from there. When I try to connect using the OpenVPN client for windows 7, it just asks for credentials. Any tips for a newbie? What credentials are you supposed to use? Do you need to copy the certificate files manually?

  44. Thor, follow "Step 4: Getting OpenVPN client working: The execution". You need to generate the client certificates on the server, then copy the certificates to the client machine and set its configuration correctly. I have this working for OpenVPN client for Windows XP as well as Tunnelblick for Mac (which is a Mac client that uses openVPN)

  45. Hi Arjun. My name is Aaron. I'm in the business development department of Vault Services, the company that makes the ReadyNAS Vault software. ReadyNAS Vault is a cloud-based storage solution for Netgear ReadyNAS devices. Had you had the Vault you wouldn't have lost your data due to hardware malfunction. If you'd like, I can set you up with a free trial of our software. Please email me at

  46. Thanks Aaron. Yes I am aware of ReadyNAS vault. For the amount of data I have (music and movies) the cloud backup costs were just not economical for me (around 200 a month). Thanks for writing in.

  47. Hi Arjun. Thanks for the very good tutorial. I could easily adapt it for my needs. And it works perfect.
    I have one question: I have a Readynas Pro 4 and there is a new beta fw out for it. (4.2.20 T42). If I install that FW, what exacly do I have to do concerning openvpn? Does a simple "apt-get install openvpn" perform the correct installation, or do I have to go through your tutorial again. That of course means creating all certificates again.
    Thanks in advance

  48. Hi Michael, when I upgraded my firmware _after_ setting up everything, I noticed that the openvpn process kept crashing. All I had to do was uninstall openvpn and re-install again with apt-get install openvpn and everything worked as before. You do not have to re-generate certs et al. After upgrading your firmware, go to the command line and run openvpn in non daemon mode so you can see errors easily - if it crashes, you know you have to reinstall it again.

  49. Hi Arjun, thank you for your reply. I will try it and report. :-)

  50. Hi Arjun,
    I just updated from 4.2.19 to the new released final 4.2.20 without problems. And the openvpn-daemon survived the update. :-) I did not have to do a reinstall.
    Greetings Michael

  51. Hi Michael, thanks for the update. Glad it worked across upgrades. I don't know why mine crashed when I upgraded the firmware to support Lion

  52. Just one simple glitch: I had to activate IP-Forwarding again. But that was no hassle with your tutorial.

  53. Ah ok - thanks for reporting. In my case, it was just the opposite (as far as I can recall) - ipfwding was ok, openvpn crashed :)

  54. didn't you forget "user openvpn", "group openvpn" lines in server.conf? Otherwise the user created in step 3.3 is useless.

  55. Indeed. thanks for the catch. I will add that.

  56. Hi Arjun,
    Looking back, it's 22 weeks since I last looked at this! I never quite got it working, at the time the network border at work prevented me from finishing the job, we had caching proxies that messed it up, but the topology has been tidied up and I now have clean access....

    I have been reading Phil’s communication with interest, and comparing his routing tables to my own, and I’m fairly convinced it must be my static route that isn't right, although there are limited changes that can be made and on the face of it, it looks right. The routing table of my WRT45GC router is as follows:

    Destination Mask Gateway Metric 2
    <PublicIP> <PublicIP> 1 1 1

    My NAS routing table is: UH 0 0 0 tun0 U 0 0 0 eth0 UG 0 0 0 tun0 U 0 0 0 LeafNets UG 0 0 0 eth0

    And my Win client routing table is: 30 On-link 286 On-link 286 On-link 286

    With my router at and Nas at

    When I connect, I get, like Phil, the address and can ping, but I can't ping the 192 address range, and as you state in your excellent tutorial, this points at routing. Can you see something strikingly obvious that I am missing!?

  58. Thanks for the excellent tutorial, it's finally got me round to configuring a VPN on my DUO! Just a quick question though: You wanted to make sure your connection is not forced through your LAN, however if I wanted to change this (for example when making purchases on an unsecured/public connection) how difficult would it be to do so?

    Ideally I'd like to route my connection through the VPN sometimes and other times (when secure) in the way you specified above. Do you know how to configure the VPN in this way? Is it (I'm hoping) a client setting that can be specified or will I need to make changes on the NAS?

    Thanks for the tutorial!

    I want to make sure all my internet connections are not forced through my home LAN when connected via VPN.

  59. Never mind, I figured it out. It's pretty simple and just involves using 2 connection profiles: one laid out as above, the other identical except with the below commands added:

    redirect-gateway def1
    dhcp-option DNS

    Now I can connect to my VPN in one profile, and use the other for security when browsing on public networks (with the caveat that browsing is slower). Thought I'd post the solution up for anyone who is curious.

  60. I know this is quite an old thread, but I hope someone could help me with my issue:

    I followed the tutorial and everything works smoothly, either tun with server.conf options:
    #dev tap
    dev tun
    persistent tun

    or tap with server.conf option:
    dev tap
    #dev tun
    #persistent tun

    Of course, when using tun my readynas does not show up in the "shared" devices list, but this is as it's supposed to be.

    My problem starts when I restart my readynas.
    If tun openvpn is enabled then everything is still fine, i.e. when I'm in my local network I can see that my readynas is discovered.
    However, if openvpn has been set up with tap, after the restart I'm unable to see the shares through service discovery (it doesn't matter if I'm within my home network or connecting through vpn).
    However, as soon as I go to the frontview and toggle bonjour services off/on (in the discovery services panel), both cifs and afp shares are visible again.
    Does anything like that happen to you guys?

  61. Does anyone know how to connect with a Windows client?

  62. Ben, thanks for the solution.

  63. Marcin, since I use tun, I have not seen this occur. Hopefully someone who uses tap can respond.

  64. George, please see comments above - some of them deal with the windows client (openvpn client)

  65. Thanks for your reply.
    In the meantime I sort of solved my problem by adding a restart script for the avahi-daemon into the boot sequence of my readynas, just after the start of the openvpn daemon.
    Hope this helps someone if they encounter the same problem.

    again, your tutorial was a great help !
    all the best!

  66. Marcin, thanks for posting this workaround.

  67. Hi,

    I am new to all this, but is it possible to get the readynas to connect to my vpn provider with openvpn installed? All that I have read just seems to set the readynas up as a server, but does the server not connect to a vpn account?

    Thanks Paul

  68. Paul, I believe the openVPN client can only work with an openVPN server - while there are many SSL/TLS vpn variants (example Juniper, openvpn, cisco), they all use different protocols on top of the SSL/TLS tunnel which makes them un-interoperable.

  69. Paul, I might have misread your question. Are you asking if it's possible for the ReadyNAS to connect to another OpenVPN server as a client? I don't see any reason why not. It's a regular linux system, so if you run an openvpn client on the ReadyNAS it should not have any problem connecting to an OpenVPN server. In that case, you need to read the client section of this tutorial, generate the right keys and certificate from the OpenVPN server, copy them to the ReadyNAS box that is going to run as a client, and connect away.

  70. Hey I have the same problem... can you post where you put the avahi-daemon restart?

  71. Mike, till marcin responds, I suppose you can simply type the following after you ssh into RNas:

    update-rc.d avahi-daemon defaults

    I think readynas runs at run level 3, so you can choose to only specify that runlevel, or just defaults like I said above

  72. Hi Arjun and all others,

    I just updated my Readynas Ultra 4 to the latest firmware 4.2.21.
    The openvpn installation survived the update again. The only thing I had to do was to set ip forwarding to 1 again.
    This was of course done by the commands in the tutorial above.

  73. Thanks Michael. Any perceptible improvements with 4.2.21?

  74. Hi Arjun,
    no improvements that I can see. The ultra is doing a good job here. Since Netgear recommended the update I did it. The update itself was a little bit faster than the last one (at least my feeling tells me that :-) ).
    I have a macbook that always says "Error Connecting" with a certain share on the ultra. When I try it a second time the connection is established. But that's not a great issue for me.

  75. Thanks Michael. I may get the update bug soon too :)

  76. What is the best way to copy

  77. Hello,
    Did anyone succeed in installing on the ReadyNas Duo? It looks like apt-get install openvpn does not produce a real installation.
    Here is the output from PuTTY:
    ArounElPoussah:/# apt-get install openvpn
    Reading Package Lists... Done
    Building Dependency Tree... Done
    You might want to run `apt-get -f install' to correct these:
    The following packages have unmet dependencies:
    openvpn: Depends: liblzo1 but it is not going to be installed
    Depends: libssl0.9.7 but it is not going to be installed
    smbclient: Depends: samba-common (= 3.0.37.netgear2) but 2:3.5.15-netgear1 is to be installed
    E: Unmet dependencies. Try 'apt-get -f install' with no packages (or specify a solution).

    However, no directory contains openvpn afterwards (etc/ or other).
    Any guidance?

  78. Hello Henrick
    I tried to install but got stuck at the openvpn install step. I couldn't find which directory the application is installed in on the Duo. Can you help?

  79. Francis, you know, when I recently upgraded my ReadyNas NV+, and I tried to re-install openvpn, I got the same errors. I tried apt-get install against the dependencies, but it did not work - frankly I did not investigate why. I was in a hurry. I just did "apt-get install -f openvpn" and hoped -f would fix the broken dependencies and it seemingly did - openvpn got installed perfectly and is working.

  80. Arjun,
    THX for your help. I first had to fix the broken dependencies for the system before trying to fix the dependencies for the openvpn application (if the system is not fixed first, the openvpn dependency fix doesn't work). This was my fault; I didn't read the message properly. Therefore I first did
    "apt-get -f install" (no package name) to get smbc (which was faulty) upgraded, and then I did "apt-get -f install openvpn", and this time all openvpn dependencies were fixed and openvpn installed properly.
    I'll let you know when it's running.

  81. Francis, correct, I too needed to fix my overall system dependencies first. I missed mentioning that. Glad it worked out for you

  82. Arjun,
    Good job your tuto works very well THX a lot.
    I made a change compared to your server.conf. I removed the ifconfig-pool-persist (addresses allocated for eternity) and use a ccd-exclusive directive, which allows client connection control as well as the possibility to push and control address allocation (like a static lease).
    Due to the user/group change of the openvpn application I was suspecting some trouble to access the client-config-dir and files which are owned by "root". But it works! I checked as well (ps aux|grep openvpn) that openvpn was owned by the new user/group I defined as you did. Did I miss smth?

  83. Francis, if that directory only needs to be read and 'others' have read permission in that directory, it's not a problem. (As a technical note, remember that when you use the 'user' directive within server.conf, openvpn actually first starts as root, then switches to the unprivileged user after reading that directive, so it's not technically correct that openvpn starts as this unprivileged user. But that's beside the point: even if ccd is owned by root, access depends on what's in the 'others' permissions on that folder.)
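
The point made in comment 83, as an added example that is not part of the original thread or the tutorial: OpenVPN reads its private key while it is still root, but opens client-config-dir files only when a client connects, after the switch to the unprivileged account, so the two need different modes. The account name `openvpn`, the file names and the `ifconfig-push` line are constructed assumptions, and `stat -c` (GNU coreutils or BusyBox) is required.

```shell
#!/bin/sh
# Added example, not from the tutorial: audit file modes for an OpenVPN server
# that drops privileges via "user"/"group". Needs `stat -c` (GNU or BusyBox).

# Print the rwx bits (0-7) that apply to USER ($2) / GROUP ($3) on PATH ($1):
# owner bits if USER owns it, else group bits if GROUP matches, else "others".
# Simplification: supplementary groups and ACLs are ignored.
effective_bits() {
    mode=$(( 0$(stat -c %a "$1") ))          # e.g. "644" read as octal 0644
    if [ "$(stat -c %U "$1")" = "$2" ]; then
        echo $(( (mode >> 6) & 7 ))
    elif [ "$(stat -c %G "$1")" = "$3" ]; then
        echo $(( (mode >> 3) & 7 ))
    else
        echo $(( mode & 7 ))
    fi
}

# ccd files are opened by name at client-connect time, i.e. after the
# privilege drop: the unprivileged account needs search (x) on the directory
# and read (r) on each file. Returns 0 if everything passes, 1 otherwise.
audit_ccd() {
    ccd=$1 vpn_user=$2 vpn_group=$3 rc=0
    bits=$(effective_bits "$ccd" "$vpn_user" "$vpn_group")
    if [ $(( bits & 1 )) -eq 0 ]; then
        echo "FAIL $ccd: $vpn_user cannot enter the directory"
        rc=1
    fi
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        bits=$(effective_bits "$f" "$vpn_user" "$vpn_group")
        if [ $(( bits & 4 )) -eq 0 ]; then
            echo "FAIL $f: not readable by $vpn_user"
            rc=1
        fi
    done
    return $rc
}

# The private key is loaded at startup while OpenVPN is still root, so nobody
# but the owner needs access. Fail if group or others have any permission bit.
audit_key() {
    mode=$(( 0$(stat -c %a "$1") ))
    if [ $(( mode & 077 )) -ne 0 ]; then
        echo "FAIL $1: key accessible beyond its owner (mode $(stat -c %a "$1"))"
        return 1
    fi
    return 0
}

# Constructed demo tree; every path and value below is made up for the demo.
demo=$(mktemp -d)
mkdir "$demo/ccd"
echo 'ifconfig-push 10.8.0.9 10.8.0.10' > "$demo/ccd/Client01"
: > "$demo/server.key"
chmod 755 "$demo/ccd"
chmod 600 "$demo/ccd/Client01" "$demo/server.key"
audit_ccd "$demo/ccd" openvpn openvpn || echo "ccd needs fixing (chmod 644 the files)"
audit_key "$demo/server.key" && echo "OK server.key"
rm -rf "$demo"
```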

  84. OK THX
    I have a question related to the client exchanges. You have set up IP forward on the NAS and created a static route on the router allowing client to client exchanges.
    Why not use the client-to-client directive in the server.conf file instead?

  85. Hi Francis, I don't know about client-client exchanges. Is there an easy reference you can point me to? Also, which part does it avoid? I had to a) ip forward b) port forward c) create a static route. I assume it will eliminate only c), correct?

  86. Hello Arjun
    Unfortunately I don't know more than what is in the OpenVPN documentation. Nevertheless, by adding the client-to-client directive to your server.conf file you make the server act like a client-to-client router (from the openvpn doc). Therefore you no longer need to activate ipv4_forward, and you no longer need to set up a static route for your private network using the NAS as gateway. It looks like the client-to-client directive does both. Obviously you still need to forward the 1194 port from WAN to your NAS (that's your network router's job).
    Doing this way I was able to map drives in between clients through the VPN.
    What I don't know is which way is preferable in terms of security? I just know the one I did is easier to config (almost nothing!)
    Let me know your understanding and feedback in case you anticipate problems

  87. Hi,
    sorry for such a delay,
    if you haven't figured it out, here is how you can do it:
    you can put the restart command to /etc/rc.local:
    /etc/init.d/avahi-daemon -r
    or add it directly to a selected runlevel after the openvpn:
    in /etc/rc2.d/
    S99avahi-demon-restart - a link to the executable bash script /etc/init.d/avahi-demon-restart :
    /etc/init.d/avahi-daemon restart


  88. Hello Arjun.
    I have a Duo v1 and your tutorial went fine until step 3.4.
    I launched openvpn in non-daemon mode and it worked OK.
    Then, just to make sure everything was OK, I restarted the NAS.
    When I tried to launch it in daemon mode I got this error:

    Stopping virtual private network daemon:.
    Starting virtual private network daemon: FAILED-> server.

    If I try again in non-daemon mode:
    Fri Dec 7 14:35:19 2012 OpenVPN 2.0 sparc-unknown-linux [SSL] [LZO] [EPOLL] built on Jan 17 2007
    Fri Dec 7 14:35:19 2012 TCP/UDP: Socket bind failed on local address Address already in use
    Fri Dec 7 14:35:19 2012 Exiting

    If I try to stop the openvpn I get this:
    /etc/init.d/openvpn stop
    Stopping virtual private network daemon:.

    And again the same Address already in use again

    From netstat I got this:
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 HomeNAS:50000 dsldevice.lan:1230 TIME_WAIT
    tcp 0 132 HomeNAS:ssh PT003013.lan:64263 ESTABLISHED
    tcp 0 0 HomeNAS:50000 dsldevice.lan:19686 TIME_WAIT
    Active UNIX domain sockets (w/o servers)
    Proto RefCnt Flags Type State I-Node Path
    unix 5 [ ] DGRAM 1325 /dev/log
    unix 2 [ ] DGRAM 2002
    unix 2 [ ] DGRAM 1817
    unix 2 [ ] DGRAM 1334

    Appreciate your help.

  89. Hi Daniel, openvpn may already be running as a service, then. Just do a 'ps aux | grep openvpn' - if it shows an entry then it's already installed and running.

  90. Yes it is:
    openvpn 385 0.0 0.7 4816 1648 ? Ss 13:11 0:00 /usr/sbin/openvpn --writepid /var/run/ --daemon ovpn-server --cd /etc/openvpn - -config /etc/openvpn/server.conf
    root 1787 0.0 0.5 4256 1200 pts/0 S+ 15:38 0:00 grep openvpn

    But I seem unable to stop it

  91. Okay, I am a little confused, so apologies. Can you please confirm:
    a) OpenVPN service starts each time you boot your NAS
    b) You are able to connect to OpenVPN remotely
    c) The only problem you are facing is you can't stop it

    If so, questions:
    1) Why are you trying to stop it? (just to debug something or you have something else in mind)
    2) After you do openvpn stop (as root), does it still show up in ps? If so, what happens if you manually kill the process using kill

  92. Thanks Arjun
    1) trying to stop it just to restart and check if no error messages were there
    2) kill solved the issue

    Thanks again

    Really nice tutorial.

    I would like to change the mode to tap. Is it simple as changing it in server.conf?

  93. Great. Yes, it's as simple as changing tun to tap in both the server and client conf. I tried it a few times when I was first fiddling around and that is all I needed to do.

  95. Hi and thanks for the tutorial. I'm a new boy, but I seem to have mastered it. Except when I try gunzip openssl.cnf.gz I get no such file or directory. Also /etc/openvpn is also missing. I see from the internet that the missing file is a bug. Any idea how to get around this.
    Kind regards,

  96. Forget the last post, I'd screwed it all up. Updated firmware in the Readynas and installed again all OK so far.
    Won't run as daemon but I'll worry it a bit. Sorry to worry YOU.

  97. Is there any way of setting the config so it can be used without setting up a static route on the router?

    I can connect and ping the VPN server (NAS) but can't access anything else on the network.

  98. Hi there, so after searching a lot and after a lot of trial and error, I have to ask: This tutorial is only so we can access our lan like we are home? Because if it's only that, it works fine, but my problem is that I would like to forward also all my internet apps while still with my home ip. I've configured a lot of openvpn servers and while I had this one the "redirect gateway def1" I can't make it work, maybe because there are no iptables?

  103. And again the setup survived the new firmware 4.2.23 for the Readynas Ultra 4. The only thing I had to do is to set ip forwarding again to 1. This was of course done by the commands in the tutorial above.
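
Comments 72 and 103 both report that a firmware update left ip forwarding switched off; with forwarding off, VPN clients can still reach the NAS itself but nothing behind it on the LAN. A post-update check, as an added example that is not part of the tutorial: it compares the running value with the persisted one. Treating `/etc/sysctl.conf` as the place the setting is persisted is an assumption about this box, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the tutorial: check IPv4 forwarding after a firmware
# update. Both file paths are parameters so the check can be run against
# constructed files; the defaults are the standard Linux locations.

# Print the last uncommented net.ipv4.ip_forward value found in a
# sysctl.conf-style file ($1), or nothing if the key is absent or the file
# is missing. Only the dotted key form is recognised.
persisted_ip_forward() {
    sed -n 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*\([01]\)[[:space:]]*$/\1/p' \
        "$1" 2>/dev/null | tail -n 1
}

# Exit status:
#   0  forwarding is on now and will be on after a reboot
#   1  forwarding is on now but is not persisted in the config file
#   2  forwarding is off (or unreadable) right now
forwarding_state() {
    proc_file=${1:-/proc/sys/net/ipv4/ip_forward}
    conf_file=${2:-/etc/sysctl.conf}
    runtime=$(cat "$proc_file" 2>/dev/null)
    saved=$(persisted_ip_forward "$conf_file")
    if [ "$runtime" != 1 ]; then
        echo "ip_forward is '${runtime:-unreadable}' at runtime: VPN clients will not reach the LAN"
        return 2
    fi
    if [ "$saved" != 1 ]; then
        echo "ip_forward is on now, but $conf_file does not set it to 1"
        return 1
    fi
    echo "ip_forward is on and persisted in $conf_file"
    return 0
}

# Report on the machine this runs on; a non-zero status is informational.
forwarding_state || :
```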

  129. Hi,
    i just got my new Readynas 102 with the Readynas OS6.
    Everything worked great as I followed the tutorial. But now I tried to get a connection from my Android smartphone with the official OpenVPN app, and it doesn't work.
    There's one thing I miss in the tutorial: the IPTables configuration. Is this not necessary?


  130. I try to copy Client01.key to my Windows computer, but I get an access denied error.
    I can delete the key file, but not copy, edit or view it.
    I copy the key file using this command: cp ./keys/Client01.key /backup
    The key file is in the "Backup" folder, but I cannot copy it from there to a Windows folder.

  131. I realise this is quite an old post, but this is AWESOME! Thanks for taking the time to share Arjun, it's greatly appreciated.

  145. Just found your blog, and this is exactly what I have been trying to do since I bought my Readynas 102. I have been using Readynas remote but that does not work half the time. I followed your tutorial and it works great! Thank you so much, my life just got a lot easier!!

  147. This is a very good tutorial, however my ISP doesn't allow me to put a static route on the WAN router. Is there another way to reach the other machines in the LAN? Thanks