This HOWTO will guide you through a complete installation of an OpenVPN server on your NAS, which will enable you to access your NAS
securely with multiple clients from the internet. You will be able to use all services provided by the NAS.
Additionally you will set up an OpenVPN client on a Windows PC and use this to create all necessary certificates and keys.
Install OpenVPN on QNAP – NAS Wiki http://wiki.nas-portal.org/index.php/Install_OpenVPN_on_QNAP
QNAP
TS-109 (pro/II)
TS-209 (pro/II)
TS-409 (pro)
(Firmware 2.1.4 is causing issues with autostart. A workaround is described here (http://forum.qnap.com/viewtopic.php?f=90&t=10400&p=61890#p61697).)
Raidsonic
IB-NAS1000-B
IB-NAS2000-B
IB-NAS2001-B
IB-NAS4210-B
IB-NAS4220-B
Disclaimer
ssh-Login Details:
QNAP:
The box will install ipkg automatically and restart. After this, go back to the same page, open ipkg and click "Enable", if the status is
different.
Raidsonic:
(If this generates an error message (-sh: ipkg: command not found) restart the box and repeat).
Install OpenVPN
# ipkg install openvpn
# openvpn
This should show a list of options. If an error message appears (... command not found) restart and repeat.
# cd /opt/etc/openvpn
# mkdir log
# cd log
# touch openvpn.log
# touch status.log
# mkdir /opt/etc/openvpn/modules
In order to be fully functional, OpenVPN requires a kernel module, which by default is not installed on the box (Dec. 2008).
Now it's time to access the flash and create or edit the file autostart.sh. This will automatically call the tun.ko module on every startup.
If you worked on your autostart before, you will know how to merge the code of autorun.sh with your own autostart. Do not, under any
circumstances, use Windows Notepad! It will create a corrupted file.
If you never heard of autostart.sh before, simply copy the file autorun.sh with WinSCP to /tmp/config
Make the file executable: F9 in WinSCP or right click -> Properties: 0755 or type chmod +x autorun.sh in PuTTY.
Unmount the flash partition (PuTTY):
# umount /tmp/config
Reboot.
Any time the system is started the tun module should be installed automatically. You can check this after a restart in PuTTY:
# lsmod
If tun does not show up but /dev/net/tun exists, add more seconds to sleep. Up to 30 can be needed, depending on the model.
If you know how to configure OpenVPN and generate your own keys, you are done now.
Otherwise, just go on.
In order to establish a secure connection over the internet, you need a set of keys. A simple and straightforward way is to do this in
Windows.
Preparation
Open a Windows console (Start -> Run -> cmd) and enter the following commands:
# cd \Program Files\openvpn\easy-rsa
# init-config
Using Windows Explorer (or WinSCP), navigate to C:\Program Files\OpenVPN\easy-rsa\ and open vars.bat. Edit the last few lines according to your
own requirements. The following is just an example:
You will be asked for some input, but as vars.bat was edited previously, simply confirm the values by hitting the Return key.
When common name pops up, enter a name of your choice for the server.
Enter server for the common name and answer the following two questions with "yes".
# build-key client1
generates a key for the client client1. When asked for the common name, enter client1. Run the command for each client (i.e. every other
PC that needs to connect to your VPN) with an appropriate name.
The client keys for the PC are already in the right place.
Copy the certificates and keys for the server using WinSCP to this place in the NAS (choose binary option if prompted):
/share/HDA_DATA/optware/opt/etc/openvpn/keys
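A check to run against the keys directory after the copy step, added here as an example and not part of the original wiki page. The server configuration further down references only ca.crt, server.crt, server.key and the DH file, so the check flags ca.key or client keys that were copied along, and private keys readable beyond their owner. It assumes a `stat` that supports `-c` (GNU coreutils or BusyBox); the function name `check_keys` and the demo directory are made up for this example.

```shell
#!/bin/sh
# Added example: inspect the OpenVPN keys directory on the server.
# check_keys DIR prints one finding per line:
#   misplaced: a private key the server does not need
#   perms:     a private key readable or writable by group/others

check_keys() {
    dir=$1
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue            # glob matched nothing
        name=${f##*/}
        case $name in
            server.key|ta.key) ;;          # keys the server itself uses
            ca.key) echo "misplaced: $name (CA signing key, keep it off the server)" ;;
            *)      echo "misplaced: $name (client key, not needed on the server)" ;;
        esac
        mode=$(stat -c '%a' "$f")          # octal mode, e.g. 600 or 644
        case $mode in
            ?00) ;;                        # owner-only access
            *)   echo "perms: $name is mode $mode, expected 600" ;;
        esac
    done
    return 0
}

# Constructed demo directory standing in for /opt/etc/openvpn/keys
demo=$(mktemp -d)
for n in ca.crt ca.key server.crt server.key client1.key dh1024.pem; do
    : > "$demo/$n"
done
chmod 644 "$demo"/*
chmod 600 "$demo/server.key"
check_keys "$demo"
rm -rf "$demo"
```

On the NAS the call would be `check_keys /opt/etc/openvpn/keys`; fix findings with `chmod 600` on the key or by deleting the file that does not belong there.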
Assume the following network scenario as an example. (Edit the IP addresses in your own config files according to your needs.)
Lines beginning with ";" contain optional settings. Activate one if necessary by deleting the ";".
Navigate with WinSCP to /opt/etc/openvpn and create the file easy.conf
Copy & paste the following configuration code and edit, where appropriate:
# OpenVPN server configuration QNAP NAS
# basic settings
port 1194
proto udp
dev tun
#
# detect mtu if the connection is slow.
; mtu-test
#
# define mtu, if necessary
; tun-mtu xyz
#
# define the ip-addresses of the underlying tunnel
server 10.8.0.0 255.255.255.0
#
# Route
push "route 192.168.4.0 255.255.255.0" # <--- Enter the ip-address of your home network here!
#
# certificates & keys
dh /opt/etc/openvpn/keys/dh1024.pem
ca /opt/etc/openvpn/keys/ca.crt
cert /opt/etc/openvpn/keys/server.crt
key /opt/etc/openvpn/keys/server.key
#
# data compression
comp-lzo
#
# allow, that several clients with the same common name log on
; duplicate-cn
#
# different clients can "see" each other through the tunnel.
; client-to-client
#
# Keepalive
keepalive 15 120
#
# verbosity of status messages in the console. Activate for debugging (1-9 possible)
; verb 5
#
# Log files
; status /share/HDA_DATA/optware/opt/etc/openvpn/log/status.log
; log-append /share/HDA_DATA/optware/opt/etc/openvpn/log/openvpn.log
#
# Run as daemon (activate, after everything is set up properly)
; daemon
#
# Management Interface. Access with "telnet localhost 7505"
management localhost 7505
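The configuration above works, but several of its settings are weak by current standards. The following audit script is an added example, not part of the original wiki page; it reads a server config and reports 1024-bit DH parameters, active compression, `duplicate-cn`, a missing `tls-auth`/`tls-crypt` key, a missing `user`/`group` privilege drop, and a management port without a password file. The function names and finding ids are made up for this example, and the DH check goes by the file name only.

```shell
#!/bin/sh
# Added example: flag settings in an OpenVPN server config that weaken it.
# Lines starting with ';' or '#' are comments and are ignored.

# active FILE REGEX: true when a matching directive is not commented out
active() { grep -Eq "^[[:space:]]*($2)([[:space:]]|\$)" "$1"; }

# audit_conf FILE: prints one "id: explanation" line per finding
audit_conf() {
    conf=$1
    if grep -Eq '^[[:space:]]*dh[[:space:]].*1024' "$conf"; then
        echo "dh-1024: DH file name indicates 1024 bits, generate 2048 or more"
    fi
    if active "$conf" 'comp-lzo' && ! active "$conf" 'comp-lzo[[:space:]]+no'; then
        echo "compression: compressing before encrypting can leak plaintext (VORACLE)"
    fi
    if active "$conf" 'duplicate-cn'; then
        echo "duplicate-cn: a copied client key can connect alongside its owner"
    fi
    if ! active "$conf" 'tls-auth|tls-crypt'; then
        echo "no-tls-auth: no HMAC key filters unauthenticated handshake packets"
    fi
    if ! active "$conf" 'user' || ! active "$conf" 'group'; then
        echo "no-privdrop: daemon keeps root after start (no user/group)"
    fi
    # Syntax is: management IP PORT [PW-FILE]; no third argument, no password
    if awk '$1 == "management" { sub(/#.*/, ""); if (NF < 4) bad = 1 }
            END { exit !bad }' "$conf"; then
        echo "mgmt-nopass: any local process can drive the management port"
    fi
    return 0
}

# Constructed sample: the security-relevant lines of the easy.conf above
sample_conf() {
    cat <<'EOF'
port 1194
dh /opt/etc/openvpn/keys/dh1024.pem
key /opt/etc/openvpn/keys/server.key
comp-lzo
; duplicate-cn
management localhost 7505
EOF
}

tmp=$(mktemp); sample_conf > "$tmp"
audit_conf "$tmp"   # reports every finding except duplicate-cn
rm -f "$tmp"
```

On the NAS the call would be `audit_conf /opt/etc/openvpn/easy.conf`; an empty result means none of these six conditions applies.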
Client configuration
Navigate to C:\Programme\OpenVPN\config on your PC and create the file easyclient.ovpn
Copy & paste the following code and edit, where appropriate:
# connect to QNAP OpenVPN Server
#
proto udp
dev tun
tls-client
remote supernetwork.dyndns.org 1194 # <--- enter your dyndns-account here!
pull
# set mtu, if necessary
; tun-mtu xyz
#
resolv-retry infinite
nobind
persist-key
persist-tun
# certificates and keys
# Note the double \\ in the path for a windows config
ca C:\\Programme\\OpenVPN\\easy-rsa\\keys\\ca.crt
cert C:\\Programme\\OpenVPN\\easy-rsa\\keys\\client1.crt
key C:\\Programme\\OpenVPN\\easy-rsa\\keys\\client1.key
#
comp-lzo
Port forward
Set up a port forward in your router / modem / cable modem, or whatever device manages the connection to the internet. Forward port
1194 (UDP) to your NAS.
If you did not yet set up a dynDNS account, now it is time to do so.
Test run
Server
Start the OpenVPN-server in PuTTY:
# cd /opt/etc/openvpn
# openvpn easy.conf
Mon Dec 8 03:52:22 2008 OpenVPN 2.1_rc9 arm-none-linux-gnueabi [SSL] [LZO1] [epoll] built on May 19 2008
Mon Dec 8 03:52:22 2008 TUN/TAP device tun0 opened
Mon Dec 8 03:52:22 2008 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Mon Dec 8 03:52:22 2008 UDPv4 link local (bound): [undef]:1194
Mon Dec 8 03:52:22 2008 UDPv4 link remote: [undef]
Mon Dec 8 03:52:22 2008 Initialization Sequence Completed
Client
Preferably use a different internet connection for the client (e.g. a UMTS modem at hand) if you are testing with a laptop at
home.
This creates some additional entries in the console messages of the server:
In the Windows taskbar, a new symbol (two red or green screens) will appear. By right-clicking it, you can control the OpenVPN client
connection.
In Windows an additional LAN connection is generated with an ip-address of the address space 10.8.0.0.
Check the connection
Enter in the Windows console of your client:
# ping 10.8.0.1
A ping from the server to the client is theoretically possible if you shut down or open the Windows firewall for testing purposes. However,
it is not necessary for OpenVPN to run correctly, so the firewall should remain up.
Autostart
If, after a reboot, the command ps in PuTTY does not show this line in the list of running processes
OpenVPN obviously is not running. Try a higher number with the sleep command in the script. (sleep 30 should do in most cases. I
guess it depends on how many processes the box has to start at startup.)
You now have a VPN server running on your NAS, allowing you to connect and log in remotely. You can use all services
and access the shares.
More OpenVPN
Administration
Telnet Management Interface
The management interface lets you control the running VPN server.
OpenVPN Control (http://sourceforge.net/projects/openvpn-control/) is a small, sleek, graphical OpenVPN server control tool for
Windows, Linux and Mac. Using VPN / ssh it can also connect to a remote server.
It shows the "status" information of the management interface and can forcibly disconnect clients from the server.
OpenVPN Control can control the status of multiple servers simultaneously.
OpenVPN Admin
OpenVPN Admin (http://sourceforge.net/projects/openvpn-admin/) is a very user-friendly, complete OpenVPN client installation with a
graphical administration tool for creating certificates and keys. You can also manage and edit a config file through
check-boxes in the GUI. Connecting to a server is just as easy.
OpenVPN Admin is available for Windows and Linux and requires mono (http://mono-project.com/Main_Page) .
XCA
Extras
OpenVPN Extras
Further reading
An English HOWTO for an earlier version of OpenVPN on QNAP can be found here (http://forum.qnap.com/viewtopic.php?f=90&t=2349), which is where I found the kernel module.
Everything about OpenVPN can obviously be found at OpenVPN (http://openvpn.net/index.php/home.html). There is a good HOWTO
(http://openvpn.net/index.php/documentation/howto.html) and mini HOWTO (http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html).
Retrieved from "http://wiki.nas-portal.org/index.php/Install_OpenVPN_on_QNAP"
This page was last modified on 26 October 2009 at 17:49.