How to use client certificates with Synology VPN Server and OpenVPN

The holidays are near and I want to have access to my files on my Synology NAS, while I’m visiting my family. That’s why I’m showing you today how to configure the official Synology VPN server to use OpenVPN with client certificates instead of username/password.


1. Start with a custom root CA

First of all you need your own self-signed root CA. A useful tool is XCA but you can also do this from the terminal.

2. Create a certificate for your DiskStation

Create a new certificate for your DiskStation. Make sure to use the DNS name assigned to the DiskStation as its name, otherwise your browser will complain when you try to connect to the DiskStation's web interface.

3. Configure the DiskStation to use the server certificate

I’m using DSM 5. There’s a nice new Security setting in the system settings. You can define and upload a certificate there:

(Screenshot: Import Certificate)

The Private Key and Certificate fields are straightforward. However, the intermediate certificate is the tricky part I forgot: this is the certificate of your self-signed root CA. Only with this additional certificate is the trust chain complete.

4. Trusting the root CA

The next step depends on your computer's OS. I'm using Mac OS, where I can easily add the root CA certificate as an always-trusted certificate.

5. Reload the web interface of your DiskStation

After you've set the certificate, the web interface should have been reloaded. You may have been warned by your browser about a security issue (your root CA was not trusted yet, so the web page was untrusted). After a reload and the instructions from step 4, this warning should go away. If you take a look at the certificate tab of the DiskStation's security settings, you will see that your new server certificate is active.

6. Install the VPN Server

Install the VPN Server from Synology’s Package Center. Its configuration is done from the start menu.

7. Configure the VPN Server

Enable OpenVPN from the Settings of the VPN Server. For more details see Synology’s instructions.

8. Connect via SSH to your DiskStation

Disable user authentication on the DiskStation and enable certificate-based authentication (code taken from this wiki) in this file: /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf


9. Configure your client

I'm only using iOS devices and Macs, so this is again a little biased 🙂 The installation of the clients for Mac and Windows is explained on Synology's page. iOS is explained on this page (only in German, but with screenshots). The initial configuration can be downloaded from the OpenVPN settings page in the DiskStation web interface. The extracted zip file contains the server's official certificates but needs to be modified to add support for the client certificates. The text is again taken from the same wiki as above.


The Diffie-Hellman parameters (dh) can also be created with XCA. I would recommend 2048 bits, since 4096 takes ages to generate.

10. Give it a try

Now you can test your VPN connection on your devices. It should not ask for a password; instead it should use the my.crt and my.key you've set in the configuration.

Use OpenElec on Raspberry Pi with Hyperion

I recently updated my Raspberry Pi in the living room. I used Raspbmc as an easy-to-use XBMC distribution. However, there will be no update for Raspbmc once XBMC is replaced by Kodi. You are then forced to use OSMC. As I also use Hyperion as the server for my WS2801 LED strips behind the TV, I'm not sure if Hyperion will work with OSMC. Therefore, it was time to look for an alternative.

This is where OpenElec comes into play. It's a Linux distribution optimised for use with XBMC and is not that easily customizable if you want your Raspberry Pi to serve other purposes as well. But that's not my concern, as I just intend to use it as an XBMC client.

There is already a nice tutorial available on the OpenElec GitHub page. However, I had some serious issues with Hyperion and I want to document them, should I ever reinstall again.

Hyperion tries to connect to the XBMC JSON-RPC API to get information about the current status of XBMC. This includes information about active screensavers or just idling in the main menu. When I just followed the instructions from the GitHub page, I was not able to deactivate my background lights while I was in the XBMC main menu. I've found two issues in the GitHub project, but only one was really helpful:

You have to activate and deactivate the remote and local control of XBMC; only then is Hyperion able to connect to XBMC, and only then will it get the right status information. Now it finally obeys the configuration and disables the background lights when XBMC is in the main menu.


PS: Don't let yourself be fooled by the colours in the attached picture. The white balance got it wrong, and it was also at a time when I had not yet calibrated the colours for Hyperion 🙂 It looks much better in reality 😉

Synology DiskStation Download Station access to temporary BitTorrent files

My Synology DS-213+ can be used as a BitTorrent client. The necessary package „Download Station“ is available for free in the standard repositories of the DiskStation. If you use the Download Station for BitTorrent downloads, you may want to access files from the torrent early and before the complete torrent is finished.

In this case you could assume that the configured download folder would also be used as the place for these temporary files. But the Download Station uses a hidden folder for these files. It's only visible if you log in to your DiskStation using SSH or Telnet. It's the folder „/volume1/@download“.

If you want to continue downloading and check the folder's content at the same time, you will need to mount this folder into a shared folder which is accessible via SMB, AFP and the like. The command

mount --bind /volume1/@download /volume1/your-shared-folder

will mount this hidden folder into your-shared-folder. This way you can access all temporary files. But be aware that this command will only last until you reboot your DiskStation. By the way: I'm not alone with this wish to access the temporary files. Some people in the official Synology forum have also asked for this feature.
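The bind mount above is all that is needed, but a practitioner would usually wrap it so that it can be re-run safely and so that SMB/AFP users get read-only access to half-finished files. The script below is an added example and not part of the post or of DSM: it skips the mount when the target is already a mount point and optionally remounts it read-only. The paths are the post's, "your-shared-folder" is a placeholder, and the MOUNT and MOUNTS_FILE overrides exist only so the logic can be exercised off the DiskStation.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent bind mount of the
# Download Station temp folder into a share, optionally read-only.
set -eu

SRC=${SRC:-/volume1/@download}                   # hidden folder from the post
DST=${DST:-/volume1/your-shared-folder}          # placeholder share name
MOUNT=${MOUNT:-mount}                            # MOUNT=echo gives a dry run
MOUNTS_FILE=${MOUNTS_FILE:-/proc/mounts}         # override for offline testing

# is_bound DST : returns 0 if DST is already listed as a mount point
is_bound() {
  awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' "$MOUNTS_FILE"
}

# bind_download_dir [ro] : bind SRC onto DST; with "ro", make it read-only so
# share users can read partial downloads but cannot alter them
bind_download_dir() {
  if is_bound "$DST"; then
    echo "$DST is already a mount point, nothing to do" >&2
    return 0
  fi
  $MOUNT --bind "$SRC" "$DST"
  if [ "${1:-}" = ro ]; then
    # a bind mount inherits rw; the read-only flag needs a second remount step
    $MOUNT -o remount,bind,ro "$DST"
  fi
}

if [ "${1:-}" = run ]; then
  bind_download_dir "${2:-}"
fi
```

Usage on the DiskStation: `sh bind-download.sh run ro`. Like the plain command, the mount disappears at reboot, so the script has to be invoked again after each boot; `MOUNT=echo sh bind-download.sh run ro` shows what would be executed without touching anything.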

How to enable separated Guest Networks with DD-WRT on TP-Link TL-WR1043N

I've recently set up a new and shiny TP-Link TL-WR1043N Gigabit router with DD-WRT and wanted to document how I set it up as an access point with an additional guest network.

First, you need to flash DD-WRT to the router. As I was using a brand new device, I've chosen the „factory-to-ddwrt.bin“ from the DD-WRT Router Database. Just type in „TP-Link TL-WR1043N“ and you will see three image files. If you are uncertain which firmware is the right one to choose, try these instructions. If you already used DD-WRT, you should know how to update your router. I will not cover these cases in my documentation.

After flashing, you need to configure it as Wireless Access Point.

When you are ready, open these instructions on how to create „Multiple WLANs“. The TP-Link is Atheros-based hardware, which means that all wireless network interfaces will start with „ath“ in their names. Follow the guide until you come to the part where it describes the „Command Method for DHCP“. Add the IP of your local DNS server to the configuration:


# Enables DHCP on br1
interface=br1
# Set the default gateway for br1 clients
dhcp-option=br1,3,192.168.2.1
# Set the DHCP range and default lease time of 24 hours for br1 clients
dhcp-range=br1,192.168.2.100,192.168.2.150,255.255.255.0,24h
# Hand out your DNS servers (DHCP option 6) to br1 clients
dhcp-option=br1,6,[DNS IP 1],[DNS IP 2]

Continue with the instructions of the wiki page until you reach the chapter „Restricting Access“. This is the configuration I used to separate the guest network from the main network:


# NAT guest traffic to the WAN address
iptables -t nat -I POSTROUTING -o $(get_wanface) -j SNAT --to $(nvram get wan_ipaddr)
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# -I inserts at the top of the chain, so these DROP rules end up above the
# ACCEPT: no new connections between the main LAN (br0) and the guest bridge (br1)
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
# guests may only talk to the router itself for DHCP and DNS
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

With this configuration I was able to create a separate guest WLAN.
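The rules above rely on command substitution to pull the WAN interface and the LAN address out of nvram, and because every rule is inserted with -I, the script order is the reverse of the order in which the chain is evaluated. The script below is an added example, not from the post or the DD-WRT wiki: it applies the same rules as a function with a dry-run switch, so you can see the fully substituted rules before committing them to the router. The nvram and get_wanface stubs (with constructed addresses) are assumptions that only kick in when the real DD-WRT tools are absent.

```shell
#!/bin/sh
# Added example (not from the original post): the guest-network rules from
# above, with a dry-run mode. Stubs are used only off the router.
set -eu

IPT=${IPT:-iptables}     # set IPT=echo to print the rules instead of applying them

# Stubs with constructed values for running the script outside DD-WRT
if ! command -v nvram >/dev/null 2>&1; then
  nvram() {
    case "$2" in
      wan_ipaddr)  echo 203.0.113.10 ;;
      lan_ipaddr)  echo 192.168.1.1 ;;
      lan_netmask) echo 255.255.255.0 ;;
      *) echo "unknown nvram key: $2" >&2; return 1 ;;
    esac
  }
fi
if ! command -v get_wanface >/dev/null 2>&1; then
  get_wanface() { echo eth0; }
fi

# guest_firewall : isolate the guest bridge br1 from the main LAN on br0
guest_firewall() {
  wan_if=$(get_wanface)
  wan_ip=$(nvram get wan_ipaddr)
  lan_ip=$(nvram get lan_ipaddr)
  lan_mask=$(nvram get lan_netmask)
  # -I puts each rule at the top, so the LAST lines below are evaluated FIRST:
  # the DROP rules for br0<->br1 sit above the generic br1 ACCEPT.
  $IPT -t nat -I POSTROUTING -o "$wan_if" -j SNAT --to "$wan_ip"
  $IPT -I FORWARD -i br1 -m state --state NEW -j ACCEPT
  $IPT -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  $IPT -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
  $IPT -I FORWARD -i br1 -d "$lan_ip/$lan_mask" -m state --state NEW -j DROP
  $IPT -t nat -I POSTROUTING -o br0 -j SNAT --to "$lan_ip"
  # guests only get DHCP and DNS from the router itself
  $IPT -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
  $IPT -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
  $IPT -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
}

if [ "${1:-}" = apply ]; then guest_firewall; fi
```

`IPT=echo sh guest-fw.sh apply` prints the nine substituted rules; `sh guest-fw.sh apply` on the router applies them. Because -I never checks for duplicates, running it twice stacks a second copy of every rule, so keep it in the DD-WRT firewall script that runs once at boot rather than calling it by hand repeatedly.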

Raspbmc – wrong time zone setting

For some time now I have owned a Raspberry Pi. This little computer is very cheap (about 30 euros) and can be set up as an XBMC. I chose the Raspbmc distribution because it can be installed very easily (one command on the console).


Already during the initial setup you are asked for the current time zone. For Germany I naturally chose Berlin as the city and Europe as the region. Unfortunately, my XBMC always showed the time shifted back by two hours. So if it is now 21:47, XBMC showed 19:47.


A quick Google search revealed that the time zone setup wizard can be called again. To do so, type

sudo dpkg-reconfigure tzdata

and the wizard guides you through the configuration. It looks roughly like this:

(Screenshots: Raspbmc - Geographic Area, Raspbmc - Region)

But that was still not enough to actually display the correct time. You also have to select the region and location in the appearance settings of XBMC. I had actually expected this setting to be taken over from the system, but unfortunately that is not the case. The correct settings for Germany can be seen in the screenshot:

(Screenshot: Raspbmc - Time Settings)
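The two-hour shift described above is exactly the gap between UTC and Central European Summer Time, which is what you see when the system clock is correct but the zone is still UTC. The script below is an added example, not from the post: it sets the zone on a Debian-based system such as Raspbmc without the interactive dialog (the documented /etc/timezone plus dpkg-reconfigure route) and includes a helper that shows the wall-clock time of a given instant in a given zone, so the offset can be checked before and after. The zone and the sample timestamps are constructed values.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive time zone setup
# for Debian-based systems and a small check of the resulting offset.
set -eu

# set_timezone ZONE : non-interactive equivalent of "dpkg-reconfigure tzdata"
# (needs root; Debian reads /etc/timezone and regenerates /etc/localtime)
set_timezone() {
  zone=$1
  if [ ! -f "/usr/share/zoneinfo/$zone" ]; then
    echo "unknown zone: $zone" >&2
    return 1
  fi
  echo "$zone" > /etc/timezone
  ln -sf "/usr/share/zoneinfo/$zone" /etc/localtime
  dpkg-reconfigure -f noninteractive tzdata
}

# local_time ZONE EPOCH : wall-clock HH:MM of a UTC epoch second in ZONE (GNU date)
local_time() {
  TZ=$1 date -d "@$2" +%H:%M
}

# zone_offset_hours ZONE EPOCH : whole hours ZONE runs ahead of UTC at that instant
zone_offset_hours() {
  TZ=$1 date -d "@$2" +%z | awk '{
    sign = (substr($1, 1, 1) == "-") ? -1 : 1
    print sign * substr($1, 2, 2)
  }'
}

if [ "${1:-}" = check ]; then
  # constructed sample: 2014-07-01 12:00 UTC, i.e. summer time in Berlin
  echo "UTC:           $(local_time UTC 1404216000)"
  echo "Europe/Berlin: $(local_time Europe/Berlin 1404216000)"
fi
```

`sh tz.sh check` prints 12:00 against 14:00, the same two hours the XBMC clock was off by; `sudo sh -c '. ./tz.sh; set_timezone Europe/Berlin'` fixes the system side, after which the XBMC region setting still has to be chosen separately as described above.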