My good old Synology DS107e finally decided to quit after about 10 years of usage. A DS116 was then purchased as the replacement.

  1. Set up SSH
    1. From Control Panel -> Applications -> Terminal & SNMP, enable the SSH service.
      This allows connections using a user name and password. To allow access with a user key or certificate instead, we need to make some changes manually.
    2. Open /etc/ssh/sshd_config and make the required changes.
    3. After the changes have been made, sshd needs to reload its configuration. We can do this by using DSM to turn the SSH service off and then on again.
  2. Set up OpenVPN
    With the new DSM 6.0, it is a lot easier to install and enable OpenVPN. Just do the following:

    1. From Package Center, install VPN Server.
    2. Run the VPN Server application, then from Settings -> OpenVPN, enable OpenVPN. The VPN can then use the DS116's own authentication setup to control access. However, to enable client certificate access instead of user name and password, we need to do some customization.
    3. Create your CA, server key and certificate (using EasyRSA, XCA or another certificate management tool). From the DSM management console, Control Panel -> Security -> Certificate, add your own certificates to the DS.
    4. After that is done, select your certificate, choose Configure and assign this certificate to your VPN service.
    5. Now SSH into the DS116, open the file /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf and make the required changes.
    6. Restart the OpenVPN service, either by disabling and re-enabling OpenVPN in the DSM interface or from the command line.
  3. Set up 3rd party package sources and a package management tool
    The DS116 uses a Marvell Armada 385 88F6820 processor, which belongs to the armada38x family and is based on ARMv7. There are several ways to install a package tool on this box. The easiest is to use the Easy Bootstrap Installer (EBI) package to enable either the optware or the entware repo; a manual approach also works. Since entware is the modern alternative to optware and provides a lot more packages than optware-ng, bootstrapping entware-ng using EBI is the obvious choice.

    1. Add the package source https://www.cphub.net in the DSM Package Center.
    2. From Community, find the Easy Bootstrap Installer and install the package.
    3. Follow the on-screen instructions to complete the installation. At the end of the installation, select entware-ng.
  4. Install OpenConnect VPN
    OpenConnect VPN Server (ocserv) is an SSL-based VPN server that is compatible with the Cisco AnyConnect VPN protocol. Since this VPN works across the GFW without any extra obfuscation, unlike OpenVPN (which needs a secure proxy such as Shadowsocks to work), it is desirable to get it up and running.

    1. Use opkg to install ocserv.
    2. Modify the ocserv.conf file located in /opt/etc/ocserv with the proper settings.
      Hint: it can share the same certificate setup as OpenVPN if desired.
    3. Create a file named ocserv in /usr/local/etc/syslog-ng/patterndb.d/ with the following content to capture the log:
      filter f_ocserv { program(ocserv); };
      destination d_ocserv { file("/opt/var/log/ocserv.log"); };
      log { source(src); filter(f_ocserv); destination(d_ocserv); };
    4. Reload the syslog-ng configuration with:
      /usr/syno/etc.defaults/rc.sysv/syslog-ng.sh reload
    5. If a non-standard port number is used, modify the iptables rules in /opt/etc/init.d/S79ocserv, or comment them out and use NAT instead.
    6. Enable NAT:
      iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE
    7. Enable IPv4 forwarding by adding the following line to /etc/sysctl.conf:
      net.ipv4.ip_forward=1
      Then apply the change:
      sysctl -p /etc/sysctl.conf
      Note: this change does not seem to work correctly, and it also breaks the Resource Monitor package. The alternative is to turn on IP forwarding directly with:
      echo 1 > /proc/sys/net/ipv4/ip_forward
      (Writing to /proc is not persistent across a reboot, which is why the startup script changes in section 5 reapply it.)
    8. Start the server:
      /opt/etc/init.d/S79ocserv start
    9. ocserv actually spawns two processes: a main process named ocserv-main and a worker named ocserv-sm. So the script's stop action, which runs killall ocserv, fails to stop both processes. If desired, modify stop() in /opt/etc/init.d/rc.func to kill the ocserv-main process instead.
  5. Running ocserv without OpenVPN
    Once the OpenConnect server is up and running, there is no need to keep both VPN solutions running at the same time. Also, a performance test seems to suggest that OpenConnect provides a better network transfer rate, so we can switch off OpenVPN. However, if OpenVPN is not running, the iptables and tun kernel modules will not be loaded when ocserv starts, so we need to update the /opt/etc/init.d/S79ocserv script with the following to check for and load the required modules and do the necessary network setup as needed:

    # Synology's list of kernel module groups, and the tool that loads them
    IPTABLES_MODULE_LIST="/usr/syno/etc/iptables_modules_list"
    BIN_SYNOMODULETOOL="/usr/syno/bin/synomoduletool"

    . "${IPTABLES_MODULE_LIST}"

    # If ip_tables is not loaded, load the core and NAT iptables module groups,
    # then add the NAT rule and enable IP forwarding
    if [ -z "$(grep -w ip_tables /proc/modules)" ]; then
      "${BIN_SYNOMODULETOOL}" --insmod "ocserv_nat" ${KERNEL_MODULES_CORE}
      "${BIN_SYNOMODULETOOL}" --insmod "ocserv_nat" ${KERNEL_MODULES_NAT}
      sleep 1
      iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE
      echo 1 > /proc/sys/net/ipv4/ip_forward
    fi

    # If the tun module is not loaded, load the OpenVPN module group (which contains it)
    if [ -z "$(grep -w tun /proc/modules)" ]; then
      "${BIN_SYNOMODULETOOL}" --insmod "ocserv_nat" ${OPENVPN_MODULES}
      sleep 1
    fi

    . /opt/etc/init.d/rc.func

    This should keep the ocserv service running correctly after a DS116 reboot.
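Section 1, step 2 only says to make "the required changes" to /etc/ssh/sshd_config. The script below is an added example, not code from the original post or from Synology: it applies one plausible key-only policy (the directive values are my assumption, not the post's), edits a copy first, and lets sshd validate the result before it is installed. The helper names (set_directive, get_directive, harden_sshd_config, check_sshd_config, apply_to_system) are invented for this example.

```shell
#!/bin/sh
# Added example (not from the original post): apply and verify key-only
# settings in an sshd_config. The directive values are an assumption about
# what the "required changes" in section 1 should be. sshd honours the
# FIRST occurrence of a directive, so the edit rewrites every (possibly
# commented-out) occurrence, including any inside a Match block, which you
# should review by hand afterwards.

# Set "key value" in $1, replacing existing occurrences or appending.
set_directive() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i -r "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
    else
        # make sure the file ends with a newline before appending
        [ -n "$(tail -c1 "$file")" ] && echo >> "$file"
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Print the effective value of a directive: sshd uses the first
# uncommented occurrence, and directive names are case-insensitive.
get_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Assumed key-only policy for this example.
harden_sshd_config() {
    file="$1"
    set_directive "$file" PubkeyAuthentication yes
    set_directive "$file" AuthorizedKeysFile .ssh/authorized_keys
    set_directive "$file" PasswordAuthentication no
    set_directive "$file" ChallengeResponseAuthentication no
    set_directive "$file" PermitRootLogin no
}

# Return 0 when the file enforces key-only logins, 1 otherwise.
check_sshd_config() {
    [ "$(get_directive "$1" PubkeyAuthentication)" = "yes" ] &&
    [ "$(get_directive "$1" PasswordAuthentication)" = "no" ]
}

# On the NAS (as root): edit a copy, let sshd validate it, then install it
# with a backup. Afterwards toggle the SSH service in DSM as in step 3.
# Keep your existing session open until a key-based login is confirmed.
apply_to_system() {
    src=/etc/ssh/sshd_config
    tmp=$(mktemp) || return 1
    cp "$src" "$tmp" && harden_sshd_config "$tmp"
    if sshd -t -f "$tmp"; then
        cp "$src" "$src.bak" && cp "$tmp" "$src"
        rm -f "$tmp"
    else
        echo "sshd rejected the edited config; $src left unchanged" >&2
        rm -f "$tmp"; return 1
    fi
}

if [ "${1:-}" = "apply" ]; then
    apply_to_system
fi
```

Run it as `sh harden-sshd.sh apply` on the DS116; without the argument it only defines the functions, so it can be sourced to test harden_sshd_config on a scratch copy of the file first. Validating with `sshd -t -f` before copying over the live file is the check that prevents locking yourself out with a typo.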
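Section 4, step 9 notes that `killall ocserv` misses the ocserv-main and ocserv-sm processes and suggests rewriting stop() in /opt/etc/init.d/rc.func. The following is an added example of such a stop routine, not code from the original post or from the entware init scripts. It assumes (my assumption, not the post's) that the process titles are visible as the first word of /proc/PID/cmdline, which is what ps shows; the function names (process_table, pids_named, ocserv_running, stop_ocserv) are invented here.

```shell
#!/bin/sh
# Added example (not from the original post): stop logic for ocserv that
# matches the ocserv-main and ocserv-sm process titles instead of "ocserv".
# Intended as a replacement for the stop() in /opt/etc/init.d/rc.func.
# Assumption: the title ocserv sets is the first word of /proc/PID/cmdline.

# Print the process table as "PID NAME", NAME being the basename of the
# first word of the command line. Kernel threads (empty cmdline) are skipped.
process_table() {
    for d in /proc/[0-9]*; do
        name=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null | cut -d' ' -f1)
        [ -n "$name" ] && printf '%s %s\n' "${d#/proc/}" "${name##*/}"
    done
    return 0
}

# Filter a "PID NAME" listing on stdin down to the PIDs whose NAME is $1.
pids_named() {
    awk -v want="$1" '$2 == want { print $1 }'
}

# 0 when ocserv-main is running (usable as the init script's status action).
ocserv_running() {
    [ -n "$(process_table | pids_named ocserv-main)" ]
}

# Signal ocserv-main, then wait for it and ocserv-sm to exit.
# Returns 0 on a clean stop, 1 if ocserv was not running, 2 if KILL was needed.
stop_ocserv() {
    main=$(process_table | pids_named ocserv-main)
    if [ -z "$main" ]; then
        echo "ocserv-main is not running" >&2
        return 1
    fi
    kill -TERM $main
    i=0
    while [ "$i" -lt 10 ]; do
        left=$(process_table | awk '$2 == "ocserv-main" || $2 == "ocserv-sm" { print $1 }')
        [ -z "$left" ] && return 0
        sleep 1
        i=$((i + 1))
    done
    echo "ocserv did not exit within 10s, sending KILL" >&2
    kill -KILL $left 2>/dev/null
    return 2
}

case "${1:-}" in
    stop)   stop_ocserv ;;
    status) if ocserv_running; then echo "ocserv is running"; else echo "ocserv is stopped"; fi ;;
esac
```

Only ocserv-main receives TERM; it shuts down its own ocserv-sm helper, and the loop just confirms that both are gone before the init script reports success, so a half-stopped server (main gone, helper lingering and holding the socket) is reported rather than silently ignored.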

Resources & References:

https://openvpn.net/index.php/open-source/documentation/howto.html
http://www.synology-forum.de/showthread.html?68335-EBI-Easy-Bootstrap-Installer
http://jexbat.com/2016/NAS-Shadowsocks/
https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/syslog-ng.conf.5.html
https://forum.synology.com/enu/viewtopic.php?t=116126
http://blog.centurio.net/2014/12/23/how-to-use-client-certificates-with-synology-vpn-server-and-openvpn/