How to use client certificates with Synology VPN Server and OpenVPN

The holidays are near and I want to reach the files on my Synology NAS while I'm visiting my family. That's why I'm showing you today how to configure the official Synology VPN Server package so that OpenVPN authenticates clients with client certificates instead of username/password.


1. Start with a custom root CA

First of all you need your own self-signed root CA. A useful tool is XCA, but you can also do this from the terminal with openssl. Keep the CA's private key off the NAS: it is only needed on the machine where you sign certificates.

2. Create a certificate for your DiskStation

Create a new certificate for your DiskStation, signed by your root CA. Make sure it carries the DNS name under which you reach the DiskStation (as subject alternative name), otherwise your browser will complain when you connect to the web interface.

3. Configure the DiskStation to use the server certificate

I'm using DSM 5. There is a nice new Security section in the system settings where you can define and upload a certificate:

(Screenshot: Import Certificate) The Private Key and Certificate fields are straightforward. The tricky part, which I forgot at first, is the Intermediate Certificate field: paste the certificate of your self-signed root CA there. Only with this additional certificate does the DiskStation send a complete trust chain.

4. Trusting the root CA

The next step depends on your computer's OS. I'm using Mac OS, where I can simply add the root CA certificate to the keychain and mark it as always trusted.

5. Reload the web interface of your DiskStation

After you've set the certificate, the web interface should have reloaded. You may have been warned by your browser about a security issue (you had not trusted your root CA yet, so the page was untrusted). After a reload and the instructions from step 4, this warning should go away. If you look at the certificate tab of the DiskStation's security settings, you will see that your new server certificate is active.

6. Install the VPN Server

Install the VPN Server from Synology's Package Center. It is configured from its entry in the main menu.

7. Configure the VPN Server

Enable OpenVPN in the settings of the VPN Server. For more details see Synology's instructions.

8. Connect via SSH to your DiskStation

Connect to the DiskStation via SSH. Disable username/password authentication and enable certificate-based authentication (configuration taken from a wiki) in this file: /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf. Keep a copy of your edits, since a VPN Server package update can overwrite the file, and restart the VPN Server from the Package Center afterwards so the new configuration is loaded.

# your own root CA replaces Synology's, so only certificates you signed are accepted
#ca /var/packages/VPNCenter/target/etc/openvpn/keys/ca.crt
ca /volume1/myCA/demoCA/my-ca.crt
# server certificate and key for the DiskStation (created in step 2)
#cert /var/packages/VPNCenter/target/etc/openvpn/keys/server.crt
cert /volume1/myCA/syn.crt
#key /var/packages/VPNCenter/target/etc/openvpn/keys/server.key
key /volume1/myCA/syn.key

# you can enable this line temporarily to view the log with "tail -f -n 100 /var/log/openvpn.log":
#log-append /var/log/openvpn.log

# the RADIUS plugin is what checks DSM username/password; commenting it out disables that
#plugin /var/packages/VPNCenter/target/lib/ /var/packages/VPNCenter/target/etc/openvpn/radiusplugin.cnf

# if the file also contains "client-cert-not-required", delete that line: with the plugin
# gone it would let anyone who can reach the port connect without any credentials

# OpenVPN reads the key before dropping privileges, so keep syn.key owned by root, mode 600
user nobody
group nobody


9. Configure your client

I only use iOS devices and Macs, so this part is again a little biased 🙂 Installing the clients for Mac and Windows is explained on Synology's page; iOS is explained on this page (German only, but with screenshots). The initial configuration can be downloaded from the OpenVPN settings page in the DiskStation web interface. The extracted zip file contains the server's official certificate but has to be modified so that the client presents its own certificate. The text is again taken from the same wiki as above.

# the exported ca.crt is Synology's CA; use your root CA instead
#ca ca.crt
ca my-ca.crt
# the client's own certificate and private key, signed by your root CA
cert my.crt
key my.key
# dh only matters on the server; the client ignores this line
dh dh1024.pem
# remove any "auth-user-pass" line from the exported profile, otherwise the client
# keeps asking for a password that the server no longer checks
# optional: only accept a server certificate with the serverAuth extended key usage
#remote-cert-tls server
verb 3



The Diffie-Hellman parameters (dh) can also be created with XCA. Note that the dh directive only has an effect on the server: OpenVPN uses it for the server's ephemeral key exchange and ignores it in a client profile. If you want something stronger than the default 1024-bit parameters, generate a 2048-bit file and point the dh line in the server configuration at it. I would recommend 2048, since 4096 takes ages to generate.
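If you prefer the terminal to XCA, the following added example (my own script, not code from the original post or from Synology) does the certificate work of steps 1, 2 and 9 with openssl: a self-signed root CA, the DiskStation's server certificate with the DNS name as subject alternative name and the serverAuth extended key usage, one client certificate, optional 2048-bit Diffie-Hellman parameters for the server, a consistency check, and a client profile with the certificate material inlined. The names DS_NAME, CLIENT_NAME, the myCA output directory and the VPNConfig.ovpn exported from DSM are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Added example: build the VPN PKI with openssl instead of XCA.
# Assumed names (override via environment): DS_NAME is the DNS name of the
# DiskStation, CLIENT_NAME the name of one VPN client, OUT the work directory.
DS_NAME="${DS_NAME:-diskstation.example.lan}"
CLIENT_NAME="${CLIENT_NAME:-my}"
OUT="${OUT:-./myCA}"

build_pki() (
  set -e
  mkdir -p "$OUT" && cd "$OUT"
  umask 077                        # private keys must not be readable by others

  # 1. self-signed root CA: CA:TRUE and certificate-signing key usage only
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
  openssl req -new -newkey rsa:4096 -nodes -subj "/CN=My VPN Root CA" \
    -keyout my-ca.key -out my-ca.csr
  openssl x509 -req -in my-ca.csr -signkey my-ca.key -days 3650 \
    -extfile ca.ext -out my-ca.crt

  # 2. server certificate for the DiskStation: the browser checks the SAN, and
  #    a client with "remote-cert-tls server" checks the serverAuth EKU
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$DS_NAME" > server.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$DS_NAME" \
    -keyout syn.key -out syn.csr
  openssl x509 -req -in syn.csr -CA my-ca.crt -CAkey my-ca.key -CAcreateserial \
    -days 825 -extfile server.ext -out syn.crt

  # 3. one client certificate; clientAuth EKU so it cannot pose as the server
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$CLIENT_NAME" \
    -keyout "$CLIENT_NAME.key" -out "$CLIENT_NAME.csr"
  openssl x509 -req -in "$CLIENT_NAME.csr" -CA my-ca.crt -CAkey my-ca.key \
    -CAcreateserial -days 825 -extfile client.ext -out "$CLIENT_NAME.crt"
  chmod 644 ./*.crt                # certificates are public, keys stay 600
)

make_dh() (
  set -e
  cd "$OUT"
  # only the server uses dh; 2048 bits is plenty and much faster than 4096
  openssl dhparam -out dh2048.pem 2048
)

verify_pki() (
  set -e
  cd "$OUT"
  # both leaf certificates must chain to the root CA
  openssl verify -CAfile my-ca.crt syn.crt "$CLIENT_NAME.crt" >/dev/null
  # each certificate must belong to its private key (compare the public keys)
  for n in syn "$CLIENT_NAME"; do
    [ "$(openssl x509 -in "$n.crt" -noout -pubkey)" = "$(openssl pkey -in "$n.key" -pubout)" ]
  done
  # the server certificate must carry the DNS name the browser will use
  openssl x509 -in syn.crt -noout -text | grep -q "DNS:$DS_NAME"
)

make_client_ovpn() (
  set -e
  cd "$OUT"
  base="${1:-VPNConfig.ovpn}"      # assumption: the profile exported from DSM
  {
    # keep the exported settings but drop the lines replaced below; auth-user-pass
    # would make the client keep asking for a password the server no longer checks
    if [ -f "$base" ]; then
      grep -v -E '^(ca|cert|key|dh|auth-user-pass)( |$)' "$base" || true
    fi
    echo "remote-cert-tls server"  # refuse a client certificate presented as the server
    echo "<ca>";   cat my-ca.crt;          echo "</ca>"
    echo "<cert>"; cat "$CLIENT_NAME.crt"; echo "</cert>"
    echo "<key>";  cat "$CLIENT_NAME.key"; echo "</key>"
  } > "$CLIENT_NAME.ovpn"
  chmod 600 "$CLIENT_NAME.ovpn"    # the profile now contains the private key
)

case "${1:-}" in
  all) build_pki && make_dh && verify_pki && make_client_ovpn ;;
esac
```

Run it as `sh mkpki.sh all`. The files for the NAS are my-ca.crt, syn.crt, syn.key and dh2048.pem; copy them to the DiskStation and point the ca, cert, key and dh lines of openvpn.conf at wherever you put them. my.ovpn is the complete client profile and must be treated like a password, since it embeds the client's private key. Issue one client certificate per device, so that a lost phone can be revoked individually instead of rotating everyone's credentials.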

10. Give it a try

Now you can test the VPN connection on your devices. It should not ask for a password; instead it uses the my.crt and my.key you set in the configuration. If you kept the log-append line enabled on the server, a successful connection shows up in /var/log/openvpn.log as a "VERIFY OK" line with the common name of the client certificate.

Synology DiskStation 5 – Mapping of external USB drives

How DSM 5 maps external USB drives is a mystery to me. The order in which the drives are connected does not seem to matter, and the assignment stays the same even after a reboot. But after the latest update to DSM 5, my DiskStation 213+ assigned different drive numbers than usual to my external USB drives, which broke backup plans and network volumes.

A little Google research led me to a forum entry with a suitable solution:

  • Unmount/Eject all connected external USB drives
  • Disconnect the drives from the DiskStation
  • Connect with telnet/ssh to your DiskStation and edit the file /usr/syno/etc/
  • The number is the X in the usbshareX mount point, while the GUID after the equals sign identifies the USB drive. The last entries are probably your currently connected drives, since you can reach them via their usbshareX mount points.
  • Remove the unwanted entries and move the remaining numbers back to their original positions.
  • Reboot the DiskStation.
  • Reconnect your devices, starting with the drive that has the lowest number.
  • All done.
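Before rebooting it is worth checking the edited mapping file for the mistakes that are easy to make by hand: a number used twice, a GUID listed twice, or a gap in the numbering. The following added example (my own, not from the post or from Synology) does that check; it assumes the file holds one "number=guid" line per drive as described above and takes the file path as an argument, since the exact path is not reproduced here.

```shell
#!/bin/sh
# Added example: sanity-check a usbshare mapping file before rebooting.
# Assumed format: one "<number>=<guid>" line per drive; blank lines and
# lines starting with # are ignored.  Prints every problem found and
# returns 1 if there is at least one, 0 if the file is clean.
check_usbshare_map() {
  awk -F= '
    /^[ \t]*(#|$)/ { next }                         # skip comments and blank lines
    NF != 2 || $1 !~ /^[0-9]+$/ {
      bad++; print "malformed line " NR ": " $0; next
    }
    ($1 in seen_num)  { bad++; print "number " $1 " used twice (usbshare" $1 ")" }
    ($2 in seen_guid) { bad++; print "guid " $2 " listed twice" }
    {
      seen_num[$1] = 1; seen_guid[$2] = 1
      if ($1 + 0 > max) max = $1 + 0
    }
    END {
      # the numbers should run 1..max without holes, otherwise a drive ends
      # up on an unexpected usbshareX after the reboot
      for (i = 1; i <= max; i++)
        if (!(i in seen_num)) { bad++; print "gap: usbshare" i " has no entry" }
      exit bad ? 1 : 0
    }' "$1"
}

# usage: check_usbshare_map /path/to/mapping/file && echo "looks fine"
```

Run it on a copy of the file before you remove the old one; if it reports nothing and exits 0, the numbering is contiguous and each drive appears exactly once.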

Synology DiskStation Download Station access to temporary BitTorrent files

My Synology DS-213+ can be used as a BitTorrent client. The necessary package "Download Station" is available for free in the standard repositories of the DiskStation. If you use Download Station for BitTorrent downloads, you may want to access files from a torrent early, before the complete torrent has finished.

In that case you might assume that the configured download folder is also used for these temporary files. But Download Station uses a hidden folder for them, which is only visible when you log in to your DiskStation via SSH or Telnet: it is the folder "/volume1/@download".

If you want to keep downloading and check the folder's contents at the same time, you need to mount this folder into a shared folder that is accessible via SMB, AFP or the like. The command

mount --bind /volume1/@download /volume1/your-shared-folder

mounts the hidden folder into your-shared-folder, so you can access all temporary files. Be aware that this bind mount only lasts until you reboot the DiskStation, and that it hides whatever your-shared-folder contained before. By the way, I'm not alone in wanting to access the temporary files: some people in the official Synology forum have asked for this feature.
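Because the bind mount has to be re-done after every reboot, and because a plain `mount --bind` exposes Download Station's working folder read-write to every SMB/AFP user of the share, here is an added example (my own helper, not from the post or from Synology) that wraps the command with the checks I would want: it refuses a non-empty target, does nothing if the mount already exists, and remounts the result read-only. The source path defaults to /volume1/@download from the post; that the NAS kernel accepts a read-only bind remount is an assumption.

```shell
#!/bin/sh
# Added example: expose Download Station's hidden folder through a shared
# folder, idempotently and read-only.  is_mounted reads the /proc/mounts
# format ("device mountpoint fstype options dump pass").
is_mounted() {
  # $1 = mount point to look for, $2 = mount table (default /proc/mounts)
  awk -v mp="$1" '$2 == mp { found = 1 } END { exit found ? 0 : 1 }' "${2:-/proc/mounts}"
}

expose_download_dir() {
  src="${1:-/volume1/@download}"                  # Download Station's working folder
  dst="${2:?usage: expose_download_dir SRC DST}"  # an empty shared folder of your own
  [ -d "$src" ] || { echo "source $src does not exist" >&2; return 1; }
  [ -d "$dst" ] || { echo "target $dst is not a directory" >&2; return 1; }
  if is_mounted "$dst"; then
    # already done (e.g. the script ran twice); safe to call again after a reboot
    echo "$dst is already a mount point, leaving it alone" >&2
    return 0
  fi
  # a bind mount hides whatever the target held before, so insist on an empty folder
  [ -z "$(ls -A "$dst")" ] || { echo "target $dst is not empty, refusing to hide its content" >&2; return 1; }
  mount --bind "$src" "$dst" || return 1
  # the bind mount inherits the source's read/write state; remount it read-only so
  # SMB/AFP clients can read the in-progress files but not write into the folder
  # that Download Station is working in (assumption: the kernel supports this)
  mount -o remount,bind,ro "$dst"
}

# usage (as root on the DiskStation):
#   expose_download_dir /volume1/@download /volume1/your-shared-folder
```

Put the call into whatever boot-time hook your DSM version offers so the mount comes back after a reboot; since the function is idempotent, running it more than once does no harm.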

Synology DS213+ – Data recovery from the RAID

I have not had to try it yet, but should the day come, this page could be helpful. It also mentions the mdraid device that I referred to in my other blog post. So in case of a failure it should be no problem to take one of the RAID's disks out and read it on a PC.

Synology DS213+ – PhotoStation with iPhoto 11 and Lightroom 4

I also bought the DS213+ to store my many photographs safely. Most of the time I don't need my complete picture archive anyway, and this way I have more free space on the road. My approach was therefore to copy the complete Pictures folder of my Mac into the photos folder on the NAS. There it would be indexed and then be available to PhotoStation.

In theory the approach wasn't wrong, but there are a few things to consider:

  • ALL supported images are indexed and a thumbnail is created for each of them. This takes very long unless you use the Synology DiskStation Admin for it.
  • With very many photos you quickly lose track.
  • If you copy an iPhoto or Aperture library to the NAS, a lot of unnecessary thumbnails are created. iPhoto stores modified versions as well as the originals in its resource bundle, so you may end up with many unnecessary duplicate thumbnails.
  • iPhoto and Aperture libraries only work on HFS+ formatted volumes!

The last point in particular bothers me. You could of course create a disk image on the NAS and store the library inside it, but then you have another unnecessary step in between. So I'd rather leave my iPhoto library on my Mac and try to back up a copy of this database with TimeMachine.

Lightroom can be configured to file pictures by year and day. Indexing them and using PhotoStation would in principle be possible and easier that way, but because of this posting I decided against it. Instead I will only add the really good/important photos to PhotoStation.