The DS107e needs to have ipkg and bootstrap installed; if not, please refer to this guide. Then use ipkg to install the openvpn package:
ipkg install openvpn
Once this has been done, refer to OpenVPN's howto guide to set up the OpenVPN configuration.
Please note that easy-rsa is a separate download, and it can be downloaded and run from a local environment rather than on the DS107e itself. An easy Windows-based guide on using easy-rsa to prepare the keys and certificates can be found here.
Transfer the generated server keys and certificates to the DS107e, for example to /opt/etc/openvpn/keys/. Change the permissions on all the keys so they are private:
chmod 600 *.key
Modify /opt/etc/openvpn/openvpn.conf to reflect your server configuration. It should look similar to the following:
port 1194
proto udp
dev tun
ca /opt/etc/openvpn/keys/ca.crt
cert /opt/etc/openvpn/keys/server.crt
key /opt/etc/openvpn/keys/server.key
dh /opt/etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
status /opt/var/log/openvpn/openvpn-status.log
log /opt/var/log/openvpn/openvpn.log
verb 3
Enable push redirect, route, DNS etc. if you want your VPN clients to access your network resources and use your network setup for internet access instead of the client's local network setup.
Comment out the return 0 line in the following script, then start the VPN using the following command:
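A pre-flight check for the key permissions and file paths configured above, as an added example that is not part of the original guide. The function name audit_openvpn_conf and the demo files are constructed for illustration, and paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: audit an OpenVPN server config before starting the daemon.
# Returns 0 when every ca/cert/key/dh file exists and the private key is
# closed to group and other; prints one finding per problem otherwise.
audit_openvpn_conf() {
    conf=$1; rc=0; seen=""
    [ -r "$conf" ] || { echo "FAIL cannot read $conf"; return 1; }
    # Drop comments, keep the four file directives (no spaces in paths assumed).
    list=$(sed 's/[#;].*$//' "$conf" |
        awk '$1=="ca"||$1=="cert"||$1=="key"||$1=="dh" {print $1, $2}')
    while read -r directive path; do
        [ -n "$directive" ] || continue
        seen="$seen $directive"
        if [ ! -f "$path" ]; then
            echo "FAIL $directive: missing file $path"; rc=1; continue
        fi
        # Characters 5-10 of the ls mode string are the group/other bits.
        if [ "$directive" = key ] &&
           [ "$(ls -ldL "$path" | cut -c5-10)" != "------" ]; then
            echo "FAIL key: $path is accessible beyond its owner (want chmod 600)"
            rc=1
        fi
    done <<EOF
$list
EOF
    for d in ca cert key dh; do
        case " $seen " in
            *" $d "*) ;;
            *) echo "FAIL missing directive: $d"; rc=1 ;;
        esac
    done
    return $rc
}

# Demo on constructed files: the key starts world-readable, then is fixed.
demo() {
    dir=$(mktemp -d) || return 1
    before=0; after=0
    for f in ca.crt server.crt server.key dh1024.pem; do : > "$dir/$f"; done
    printf '%s\n' "port 1194" "ca $dir/ca.crt" "cert $dir/server.crt" \
        "key $dir/server.key  # private" "dh $dir/dh1024.pem" > "$dir/openvpn.conf"
    chmod 644 "$dir/server.key"
    audit_openvpn_conf "$dir/openvpn.conf" || before=$?
    chmod 600 "$dir/server.key"
    audit_openvpn_conf "$dir/openvpn.conf" || after=$?
    rm -rf "$dir"
    echo "before=$before after=$after"
}
if [ "$#" -gt 0 ]; then audit_openvpn_conf "$1"; else demo; fi
```

Run it with the config path as its argument, for example /opt/etc/openvpn/openvpn.conf, and start the server only when it exits 0.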
/opt/etc/init.d/S20openvpn
Tail openvpn.log to check whether OpenVPN has started correctly. If it has, the log should show the following line:
Initialization Sequence Completed
The basic VPN server setup is now complete. We also need to set up port forwarding on the router to forward all public traffic for VPN port 1194 to the VPN server's IP, so that the VPN service can be used from the WAN.
If we want VPN clients to access local network resources or use the local network setup for internet service, we need to set up either routing rules or a bridge between the VPN interface tun0 and the Ethernet port eth0.
If your router supports static routing rules, set up a rule to redirect all network traffic for your VPN subnet to your VPN server's IP address.
However, if your router doesn't support static routing, we need to set up either a bridge or NAT on the DS107e. Unfortunately, the DS107e doesn't include the kernel bridge modules (bridge.ko and stp.ko), so the bridge option is out of the question too.
The DS107e has iptables version 1.4.2 installed, which doesn't include some of the NAT components we need for VPN routing. So we need to install a newer, extended version:
ipkg install iptables
Now, load the iptables kernel modules:
insmod /lib/modules/ip_tables.o
insmod /lib/modules/iptable_filter.o
insmod /lib/modules/ip_conntrack.o
insmod /lib/modules/iptable_nat.o
Since MASQUERADE doesn't work, we can't use the following command to set up the NAT rule:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Instead, we have to use SNAT in the iptables rule to NAT the traffic:
iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <DS107e static IP>
We need to save the iptables rule so it can be loaded the next time the NAS reboots:
/usr/syno/bin/firewalltool -dump_rules /etc firewall_rules.dump
We are done! Test this out and verify everything works as expected.