
Install OpenVPN on QNAP – NAS Wiki http://wiki.nas-portal.org/index.php/Install_OpenVPN_on_QNAP


Install OpenVPN on QNAP


From NAS Wiki
Contents
1 Preliminary remarks
1.1 OpenVPN - what is it?
1.2 The aim of this guide
1.3 On which devices will OpenVPN work?
1.4 Disclaimer
1.5 What you need
2 Installation
2.1 Install Qpkg optware / ipkg on the NAS
2.2 Install OpenVPN on the NAS
2.3 Install the missing tun.ko module
2.4 Install OpenVPN to the PC
3 Key-generation
3.1 Preparation
3.2 Create the certificate authority
3.3 Generate the server key
3.4 Generate client keys
3.5 Generate Diffie-Hellman parameters
3.6 Distribute the keys
4 Configuration
4.1 Scenario
4.2 Server configuration
4.3 Client configuration
4.4 Port forward
5 Test run
5.1 Server
5.2 Client
5.3 Check the connection
6 Final configuration
6.1 Adjust the server config
6.2 Autostart
7 More OpenVPN
7.1 Administration
7.1.1 Telnet Management Interface
7.2 GUI
7.2.1 OpenVPN GUI
7.2.2 OpenVPN Control
7.2.3 OpenVPN Admin
7.2.4 XCA
7.3 Extras
7.4 Problems and Solutions
8 Further reading
Preliminary remarks

---> German version / Deutsche Version

OpenVPN - what is it?


OpenVPN offers the possibility to have a secure connection to a remote computer or network.
OpenVPN can be installed on different operating systems including Windows, Linux and Mac and offers some OS-independent, graphical
administration tools for server or client.
OpenVPN is not compatible with Windows VPN. However, after the initial installation and configuration it is just as simple to run
(open the VPN tunnel with a mouse click).
OpenVPN is a complex program with extensive configuration options. It offers far more options than described here. If you want to get
more from OpenVPN, you can find further reading at the end of this HOWTO.
The aim of this guide

This HOWTO will guide you through a complete installation of an OpenVPN server on your NAS, which will enable you to access your NAS
securely with multiple clients from the internet. You will be able to use all services provided by the NAS.
Additionally you will set up an OpenVPN client on a Windows PC and use this to create all necessary certificates and keys.

On which devices will OpenVPN work?


This howto was designed to work on the following devices:

QNAP

TS-109 (pro/II)
TS-209 (pro/II)
TS-409 (pro)

(Firmware 2.1.4 is causing issues with autostart. A workaround is described here (http://forum.qnap.com/viewtopic.php?f=90&t=10400&p=61890#p61697).)

Raidsonic

IB-NAS1000-B
IB-NAS2000-B
IB-NAS2001-B
IB-NAS4210-B
IB-NAS4220-B
Disclaimer

Any manipulation of the system is at your own risk.

What you need


A NAS, as mentioned above, with the SSH server active.
A Windows PC to create the keys, with PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html) and WinSCP
(http://winscp.net/eng/index.php) installed.
Knowledge of how to connect to your NAS through ssh with PuTTY and WinSCP.
A DynDNS (http://www.dyndns.com/) account and the knowledge of how to use it, in order to reach your home network from anywhere on
the internet.
Knowledge of how to redirect a port on the modem / router of your home network.
Note: The # sign in front of a command shows the prompt, as it will appear in the console. Do not copy & paste it when entering a
command in the console.
Raidsonic: open firmware with package support through "new_software". IB-NAS4210-B users can download an unofficial open firmware from
here (http://www.box.net/shared/k5amvhhv7e).

ssh-Login Details:

Device      Login username   Login password
QNAP        admin            admin password
Raidsonic   root             admin password
Installation
Install Qpkg optware / ipkg on the NAS

QNAP:

Login to the administrations page.


-> System Tools -> qpkg -> Get qpkg -> Optware ipkg
Choose the package, according to your device, download and save it to your computer.
-> System Tools -> qpkg -> Select (select the package) -> upload (Confirm)

The box will install ipkg automatically and restart. After this, go back to the same page, open ipkg and click "Enable", if the status is
different.

Raidsonic:

Download Optware (http://en.nas-4220.org/index.php/Packages:Optware) .


IB-NAS 4220, 4210-B: Download autovpn-4220-1.1.tgz (http://www.box.net/shared/mdiqgr9av8)
IB-NAS 2001, 2000, 1000-B: Download zlibs (http://www.box.net/shared/4iky7vmdl8) and autovpn-2000-1.1.tgz (http://www.box.net/shared/me8ct9qozs)
Move packages to (/mnt/...)/public/applications/new-software .
Reboot.
Continue here.
Install OpenVPN on the NAS
Start PuTTY (or any other console program) and connect to your NAS
# ipkg update

(If this generates an error message (-sh: ipkg: command not found) restart the box and repeat).

# ipkg list | grep openvpn

should show the line (Sep. 2009):

openvpn - 2.1_rc15-1 - SSL-based VPN server with Windows client support

Install OpenVPN
# ipkg install openvpn


After a successful installation enter

# openvpn

This should show a list of options. If an error message appears (... command not found) restart and repeat.

Execute these commands:

# cd /opt/etc/openvpn
# mkdir log
# cd log
# touch openvpn.log
# touch status.log
# mkdir /opt/etc/openvpn/modules

Install the missing tun.ko module

In order to be fully functional, OpenVPN requires a kernel module, which by default is not installed on the box (Dec. 2008).

Download the appropriate zip file: TS-109/TS-209 (http://www.box.net/shared/68nynucztf) or TS-409 (http://www.box.net/shared/mflmakpgdl). If you have a TS-219P, you can find tun.ko in /opt/lib/modules/2.6.22.18/kernel/drivers/net/tun.ko
Unpack the .zip.
Connect to the box using WinSCP.
Copy the file to /opt/etc/openvpn/modules

Now it's time to access the flash and create or edit the file autostart.sh. This will automatically call the tun.ko module on every startup.

Download autorun.sh (http://www.box.net/shared/9g5prnxqht) .


Mount the flash partition:
# mount -t ext2 /dev/mtdblock5 /tmp/config

If you have worked on your autostart before, you will know how to merge the code of autorun.sh with your own autostart. Do not, under any
circumstances, use Windows Notepad! It will create a corrupted file.
If you have never heard of autostart.sh before, simply copy the file autorun.sh with WinSCP to /tmp/config
Make the file executable: F9 in WinSCP or right click -> Properties: 0755, or type chmod +x autorun.sh in PuTTY.
Unmount the flash partition (PuTTY):
# umount /tmp/config

Reboot.

Any time the system is started the tun module should be installed automatically. You can check this after a restart in PuTTY:

# lsmod

should also show a line similar to this:

tun 8896 0 - Live 0xbf0370000

If tun does not show up but /dev/net/tun exists add more seconds to sleep. Up to 30 can be needed, depending on model.

If you know how to configure openVPN and generate your own keys, you are done by now.
Otherwise, just go on.

Install OpenVPN to the PC


Download and install OpenVPN GUI (http://openvpn.se/) to your PC.
Key-generation

In order to establish a secure connection over the internet, you need a set of keys. A simple and straightforward way is to create them in
Windows.

Preparation
Open a Windows console (-> Start -> Run -> cmd) and enter the following commands:
# cd \Program Files\openvpn\easy-rsa
# init-config

Edit the file vars.bat:

Using Windows Explorer (or WinSCP), navigate to C:\Program Files\OpenVPN\easy-rsa\ and open vars.bat. Edit the last few lines according to your
own requirements. The following is just an example (DE would be Germany; for KEY_ORG you can use a server name of your choice). Do not put
spaces around the = sign, otherwise the batch file sets a variable with a different name:

set KEY_COUNTRY=DE
set KEY_PROVINCE=Your province
set KEY_CITY=City
set KEY_ORG=QNAP-OpenVPN
set KEY_EMAIL=example@example.com

Now enter the following commands in the console:


# vars
# clean-all


Create the certificate authority


# build-ca

You will be asked for some input, but as vars.bat was edited previously, simply confirm the values by hitting the Return key.
When the common name prompt appears, enter a name of your choice for the server.

The resulting output looks something like this:

ai:easy-rsa # ./build-ca
Generating a 1024 bits RSA private key
............++++++
...........++++++
Writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', The field will be left blank.
-----
Country Name (2 letter code) [KG]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: <--- Enter your server's name here
Email Address [me@myhost.mydomain]:

Generate the server key


# build-key-server server

Enter server for the common name and answer the following two questions with "yes".

Generate client keys

Each client gets its own key.

# build-key client1

generates a key for the client client1. When the common name is asked for, enter client1. Run the command for each client (i.e. every other
PC that needs to connect to your VPN) with an appropriate name.

Generate Diffie-Hellman (http://en.wikipedia.org/wiki/Diffie_hellman) parameters


# build-dh

It takes a while (depending on the performance of the PC up to several minutes).

Distribute the keys

On the PC in C:\Program Files\OpenVPN\keys you will find these files:

file          required by             use                     secret
ca.crt        server + all clients    root CA certificate     NO
ca.key        certification PC only   root CA key             YES
dh1024.pem    server only             encryption parameters   NO
server.crt    server only             server certificate      NO
server.key    server only             server key              YES
client1.crt   client only             client1 certificate     NO
client1.key   client only             client1 key             YES

The client keys for the PC are already in the right place.

Copy the certificates and keys for the server using WinSCP to this place in the NAS (choose binary option if prompted):

/share/HDA_DATA/optware/opt/etc/openvpn/keys

Set the permissions of the keys to 0600.
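
The following is an added example, not part of the original wiki page: a shell function that checks a keys directory against the file table above (which files belong on which machine, and 0600 on every secret key). The function name audit_keys and the demo directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki): audit an OpenVPN keys directory against
# the file table above. Usage: audit_keys DIR ROLE (ROLE: server or client).
# Prints one line per finding and returns the number of findings.
audit_keys() {
    dir=$1; role=$2; problems=0
    fail() { echo "FAIL $1"; problems=$((problems + 1)); }

    # ca.crt is required by the server and by all clients.
    [ -e "$dir/ca.crt" ] || fail "ca.crt missing"
    # ca.key is needed only on the PC that signs certificates.
    [ ! -e "$dir/ca.key" ] || fail "ca.key present: keep it on the certification PC only"
    # The Diffie-Hellman parameters are used by the server only.
    if [ "$role" = server ]; then
        ls "$dir"/dh*.pem >/dev/null 2>&1 || fail "no dh*.pem found"
    fi

    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue          # the glob matched nothing
        name=${f##*/}
        case "$role:$name" in
            *:ca.key) ;;                 # already reported above
            server:server.key) ;;        # expected on the server
            server:*) fail "$name is a client key and does not belong on the server" ;;
            client:server.key) fail "server.key does not belong on a client" ;;
        esac
        # Secret files must be mode 0600: owner read/write, nothing else.
        perms=$(ls -ld "$f" | cut -c1-10)
        [ "$perms" = "-rw-------" ] || fail "$name has permissions $perms, expected -rw-------"
    done
    return "$problems"
}

# Constructed demo: a throwaway directory laid out like a misconfigured server.
demo=$(mktemp -d)
for f in ca.crt ca.key dh1024.pem server.crt server.key; do : > "$demo/$f"; done
chmod 600 "$demo/ca.key"; chmod 644 "$demo/server.key"
audit_keys "$demo" server || echo "$? finding(s)"
rm -rf "$demo"
```

On the NAS itself the call would be audit_keys /opt/etc/openvpn/keys server.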


Configuration
Scenario

Assume the following network scenario as an example. (Edit the IP addresses in your own config files according to your needs.)

The home network is accessible via DynDNS.


The address of the home network is 192.168.4.0/255.255.255.0
The NAS has the IP address 192.168.4.7
The OpenVPN server creates a virtual network 10.8.0.0/255.255.255.0 (VPN tunnel)
The IP address of the server is 10.8.0.1, the clients receive 10.8.0.x addresses from the server.
Server configuration
The # sign indicates that anything after the # is only a comment and can ultimately be deleted.


Lines starting with ";" contain an optional setting. Activate it if necessary by deleting the ";".
Navigate with WinSCP to /opt/etc/openvpn and create the file easy.conf
Copy & paste the following configuration code and edit, where appropriate:
# OpenVPN server configuration QNAP NAS
# basic settings
port 1194
proto udp
dev tun
#
# detect mtu if the connection is slow.
; mtu-test
#
# define mtu, if necessary
; tun-mtu xyz
#
# define the ip-addresses of the underlying tunnel
server 10.8.0.0 255.255.255.0
#
# Route
push "route 192.168.4.0 255.255.255.0" # <--- Enter the ip-address of your home network here!
#
# certificates & keys
dh /opt/etc/openvpn/keys/dh1024.pem
ca /opt/etc/openvpn/keys/ca.crt
cert /opt/etc/openvpn/keys/server.crt
key /opt/etc/openvpn/keys/server.key
#
# data compression
comp-lzo
#
# allow, that several clients with the same common name log on
; duplicate-cn
#
# different clients can "see" each other through the tunnel.
; client-to-client
#
# Keepalive
keepalive 15 120
#
# verbosity of status messages in the console. Activate for debugging (1-9 possible)
; verb 5
#
# Log files
; status /share/HDA_DATA/optware/opt/etc/openvpn/log/status.log
; log-append /share/HDA_DATA/optware/opt/etc/openvpn/log/openvpn.log
#
# Run as daemon (activate, after everything is set up properly)
; daemon
#
# Management Interface. Access with "telnet localhost 7505"
management localhost 7505

Client configuration
Navigate to C:\Programme\OpenVPN\config on your PC and create the file easyclient.ovpn
Copy & paste the following code and edit, where appropriate:
# connect to QNAP OpenVPN Server
#
proto udp
dev tun
tls-client
remote supernetwork.dyndns.org 1194 # <--- enter your dyndns-account here!
pull
# set mtu, if necessary
; tun-mtu xyz
#
resolv-retry infinite
nobind
persist-key
persist-tun
# certificates and keys
# Note the double \\ in the path for a windows config
ca C:\\Programme\\OpenVPN\\easy-rsa\\keys\\ca.crt
cert C:\\Programme\\OpenVPN\\easy-rsa\\keys\\client1.crt
key C:\\Programme\\OpenVPN\\easy-rsa\\keys\\client1.key
#
comp-lzo
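
The following is an added example, not part of the original wiki page: a shell function that reads an OpenVPN config in the format used above (# and ; comments) and warns about settings worth reviewing before the server is exposed through the port forward. The function names active and lint_conf are assumptions; the directives checked (ns-cert-type, remote-cert-tls, duplicate-cn, management, dh) are OpenVPN's own.

```shell
#!/bin/sh
# Added example (not from the wiki): flag settings worth reviewing in an
# OpenVPN config. Usage: lint_conf FILE ROLE (ROLE: server or client).
# Returns the number of warnings.

# Print only active directives: drop everything after "#" or ";", then blanks.
active() { sed -e 's/[#;].*$//' "$1" | awk 'NF { $1 = $1; print }'; }

lint_conf() {
    conf=$1; role=$2; warnings=0
    warn() { echo "WARN $1"; warnings=$((warnings + 1)); }
    directives=$(active "$conf")
    has() { printf '%s\n' "$directives" | grep -Eq "^$1( |\$)"; }

    if [ "$role" = client ]; then
        # Without one of these, the client accepts any certificate signed by
        # the CA as the server, including another client's certificate.
        has "ns-cert-type server" || has "remote-cert-tls server" ||
            warn "client does not require a server certificate (ns-cert-type / remote-cert-tls)"
    else
        has duplicate-cn &&
            warn "duplicate-cn is active: clients sharing one certificate cannot be told apart"
        # management takes an optional third argument: a password file.
        printf '%s\n' "$directives" |
            awk '$1 == "management" && NF < 4 { f = 1 } END { exit !f }' &&
            warn "management interface has no password file"
        # Heuristic on the file name this guide uses (dh1024.pem).
        has "dh .*dh1024\.pem" &&
            warn "1024-bit Diffie-Hellman parameters; generate 2048-bit or larger"
    fi
    return "$warnings"
}

# Constructed demo input: some active lines of this guide's two configs.
tmp=$(mktemp -d)
cat > "$tmp/easy.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
dh /opt/etc/openvpn/keys/dh1024.pem
; duplicate-cn
management localhost 7505
EOF
cat > "$tmp/easyclient.ovpn" <<'EOF'
proto udp
dev tun
tls-client
remote supernetwork.dyndns.org 1194 # <--- enter your dyndns-account here!
pull
EOF
lint_conf "$tmp/easy.conf" server || echo "server: $? warning(s)"
lint_conf "$tmp/easyclient.ovpn" client || echo "client: $? warning(s)"
rm -rf "$tmp"
```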

Port forward

Set up a port forward in your router / modem / cable modem, or whatever device manages the connection to the internet. Forward port
1194 (UDP) to your NAS.

If you did not yet set up a dynDNS account, now it is time to do so.

Test run
Server
Start the OpenVPN-server in PuTTY:
# cd /opt/etc/openvpn
# openvpn easy.conf

This produces output like the following:

Mon Dec 8 03:52:22 2008 OpenVPN 2.1_rc9 arm-none-linux-gnueabi [SSL] [LZO1] [epoll] built on May 19 2008
Mon Dec 8 03:52:22 2008 TUN/TAP device tun0 opened
Mon Dec 8 03:52:22 2008 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Mon Dec 8 03:52:22 2008 UDPv4 link local (bound): [undef]:1194
Mon Dec 8 03:52:22 2008 UDPv4 link remote: [undef]
Mon Dec 8 03:52:22 2008 Initialization Sequence Completed

Client
It is preferable to use a different internet connection for the client (e.g. a UMTS modem at hand) if you are testing with a laptop at
home.


Start OpenVPN by right-clicking easyclient.ovpn.

This creates some additional entries in the console messages of the server:

Mon Dec 8 03:59:52 2008 194.24.158.8:20955 Re-using SSL/TLS context
Mon Dec 8 03:59:52 2008 194.24.158.8:20955 LZO compression initialized
Mon Dec 8 03:59:54 2008 194.24.158.8:20955 [client1] Peer Connection Initiated with 122.23.157.8:20955

In the Windows taskbar, a new symbol (two red or green screens) will appear. By right-clicking it, you can control the OpenVPN client
connection.
In Windows an additional LAN connection is generated with an ip-address of the address space 10.8.0.0.
Check the connection
Enter in the Windows console of your client:
# ping 10.8.0.1

There should be a correct answer from the server.

A ping from the server to the client is theoretically possible if you shut down or open the Windows firewall for testing purposes. However,
it is not necessary for OpenVPN to run correctly, so the firewall should remain up.

Open Windows Explorer on the client PC.
Enter the IP address of the NAS. In this scenario this would be \\192.168.4.7
The shares (Windows shares) of the NAS should now be displayed and accessible.
If all went well, it's definitely time for a beer!
Final configuration
Adjust the server config
Open a second PuTTY session and terminate the server.
# killall openvpn

Edit easy.conf and activate daemon (remove the ";").
If you need a log file, activate log-append.
Restart the server, as described above.

Autostart

If you like, you can make OpenVPN start automatically at startup.

QNAP: Open autostart.sh as described before.


Raidsonic: open /public/applications/openvpn/init in an editor.
Add the following line at the end of the script.
(sleep 12; /opt/sbin/openvpn /opt/etc/openvpn/easy.conf)&

If, after a reboot, the command ps in PuTTY does not show this line in the list of running processes

1108 admin 1800 S /opt/sbin/openvpn /opt/etc/openvpn/easy.conf

OpenVPN obviously is not running. Try a higher number with the sleep command in the script. (sleep 30 should do in most cases. I
guess it depends on how many processes the box has to start at startup.)

You now have a VPN server running on your NAS, allowing you to connect and log in remotely. You can use all services
and access the shares.

More OpenVPN
Administration
Telnet Management Interface

The management interface is a management tool which offers the possibility to control the running VPN server.

Connect through ssh to the server.
Enter telnet localhost 7505
help will list the available commands, status will show the logged-on clients and their associated parameters.
GUI
OpenVPN GUI
OpenVPN GUI (http://openvpn.se/) is a handy windows-tool to open and close a VPN tunnel by a single mouse-click.
gopenvpn (http://gopenvpn.sourceforge.net/) does pretty much the same for Linux.
Tunnelblick (http://code.google.com/p/tunnelblick/) is a complete graphic OpenVPN client for Mac.
OpenVPN Control

OpenVPN Control (http://sourceforge.net/projects/openvpn-control/) is a small, sleek, graphical OpenVPN server control tool for
Windows, Linux and Mac. Using VPN / ssh it can also connect to a remote server.
It shows "status" information of the management interface and offers the possibility to forcibly disconnect clients from the server.
OpenVPN Control can control the status of multiple servers simultaneously.

OpenVPN Admin

OpenVPN Admin (http://sourceforge.net/projects/openvpn-admin/) is a very user-friendly, complete OpenVPN client installation using a
graphical administration tool for the creation of certificates and keys. You also can manage and manipulate a config file through
check-boxes on the GUI. Connecting to a server obviously is just as easy.

OpenVPN Admin is available for Windows and Linux and requires mono (http://mono-project.com/Main_Page) .

XCA

XCA (http://www.hohnstaedt.de/xca.html) is a small CA with key management and a GUI.

Extras

OpenVPN Extras

Problems and Solutions

OpenVPN on QNAP - Troubleshooting

Further reading
An English HOWTO for an earlier version of OpenVPN on QNAP can be found here (http://forum.qnap.com/viewtopic.php?f=90&t=2349), which is where I found the kernel module.
Everything about OpenVPN can obviously be found at OpenVPN (http://openvpn.net/index.php/home.html). There is a good HOWTO
(http://openvpn.net/index.php/documentation/howto.html) and mini HOWTO (http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html).
Retrieved from "http://wiki.nas-portal.org/index.php/Install_OpenVPN_on_QNAP"
This page was last modified on 26 October 2009 at 17:49.
