Teaching a Synology NAS to route traffic through an OpenVPN tunnel with certificate authentication
A few sites needed to believe that I was in Russia rather than in Europe. I also wanted to hide my interest in torrents from the local authorities (I am not sure they are watching, but still). I had an OpenVPN client configuration file and the certificates for it. I really did not want to install OpenVPN on every device on the network, and the home router belongs to the cheapest price bracket and certainly cannot handle OpenVPN. Then I remembered my network storage, which does nothing for me except store data. It used to download torrents too, but after the move I decided to give torrents up for a while. So it was decided to turn it (a Synology DS211j) into a gateway to the Russian Internet, since its processor was sitting idle anyway.
I warn you in advance that all the manipulations were performed on DSM version 5.0-4458; on other versions everything may be different.
Setting up the OpenVPN connection on Synology
First of all, we go to the web interface of our storage, to the section "Control Panel > Network > Network Interface", and create an OpenVPN profile there. Unfortunately, the web interface is designed only to create a connection with password authentication, while we are interested in certificate authentication. So we fill in the proposed fields with any data at all:

Click on and set the following settings:

Pay attention to the second setting item: what it means is not very clear. In DSM version 4.3 I did not notice such translation flaws.
Then, in the section "Control Panel > Terminal and SNMP > Terminal", we enable whichever way of talking to the storage is ideologically closer to you:

We connect to the Synology using the chosen protocol. Then we need to edit the automatically created file /usr/syno/etc/synovpnclient/openvpn/client_oXXXXXXXXXX. vi gurus can do this directly in the console; for everyone else it may be more convenient to copy the file to a shared folder and edit it there with more familiar tools. This is done with the following command:
cp /usr/syno/etc/synovpnclient/openvpn/client_oXXXXXXXXXX /volume1/Share
When editing the file, keep in mind that Linux and Windows mark the end of a line differently (LF versus CRLF), so use a text editor that can save the file with the Unix line endings the Synology expects.
In my case, the configuration file looks like this:
client
dev tun
proto udp
remote 255.255.255.255 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
ns-cert-type server
cipher AES-128-CBC
auth SHA1
redirect-gateway def1
Then, using the mkdir command, we create the keys directory inside /usr/syno/etc/synovpnclient/openvpn/ and, with the cp command, put the certificate files we have and the keys for them into it. With the same command, copy the modified configuration file back into the appropriate directory.
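Before copying the edited configuration and the keys directory back, it is worth checking the result for the problems the steps above can run into: Windows line endings, a leftover password-authentication directive from the web-interface template, certificate paths that do not resolve relative to the configuration, and a private key that every user on the box can read. The script below is an added example written for this article; it is not part of the original post or of DSM. The configuration, the placeholder certificate files and the temporary directory it creates are all constructed for the demonstration, and auth-user-pass is assumed to be the directive that the password-based profile would have contained.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an OpenVPN client
# configuration that uses certificate authentication before copying it back
# to the synovpnclient directory. Every path, file and "certificate" below is
# constructed for the demonstration; nothing is read from a real DSM install.

# check_ovpn_config CONFIG_FILE
# Prints one line per problem found and returns the problem count (0 = OK).
check_ovpn_config() {
    cfg="$1"
    dir=$(dirname "$cfg")
    problems=0

    # 1. CRLF line endings (a Windows editor's default) make OpenVPN read
    #    "tun<CR>" instead of "tun"; this is the line-ending caveat above.
    if grep -q "$(printf '\r')" "$cfg"; then
        echo "CRLF line endings: save the file with Unix (LF) line endings"
        problems=$((problems + 1))
    fi

    # 2. Certificate authentication needs ca, cert and key; the password-based
    #    auth-user-pass directive (assumed to come from the web template) must go.
    for directive in ca cert key; do
        if ! grep -q "^$directive " "$cfg"; then
            echo "missing '$directive' directive"
            problems=$((problems + 1))
        fi
    done
    if grep -q "^auth-user-pass" "$cfg"; then
        echo "auth-user-pass is still present; remove it for certificate-only auth"
        problems=$((problems + 1))
    fi

    # 3. Each referenced file must exist relative to the config directory
    #    (the post keeps them under keys/ next to the config).
    for directive in ca cert key; do
        f=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$cfg" | tr -d '\r')
        if [ -n "$f" ] && [ ! -f "$dir/$f" ]; then
            echo "$directive file '$f' not found under $dir"
            problems=$((problems + 1))
        fi
    done

    # 4. The client private key must not be readable by other users.
    keyfile=$(awk '$1 == "key" { print $2; exit }' "$cfg" | tr -d '\r')
    if [ -n "$keyfile" ] && [ -f "$dir/$keyfile" ]; then
        mode=$(stat -c %a "$dir/$keyfile" 2>/dev/null || stat -f %Lp "$dir/$keyfile")
        case "$mode" in
            *0) ;;   # last octal digit 0: no permissions for "other"
            *)  echo "private key $keyfile is readable by others (mode $mode); use chmod 600"
                problems=$((problems + 1)) ;;
        esac
    fi

    return "$problems"
}

# make_sample good|bad  -> prints the path of a constructed config file
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/keys"
    # Placeholder PEM files standing in for the real certificates and key.
    printf 'PLACEHOLDER\n' > "$d/keys/ca.crt"
    printf 'PLACEHOLDER\n' > "$d/keys/client.crt"
    printf 'PLACEHOLDER\n' > "$d/keys/client.key"
    if [ "$1" = good ]; then
        chmod 600 "$d/keys/client.key"
        printf '%s\n' client 'dev tun' 'proto udp' 'remote 255.255.255.255 1194' \
            'ca keys/ca.crt' 'cert keys/client.crt' 'key keys/client.key' \
            'cipher AES-128-CBC' 'auth SHA1' 'redirect-gateway def1' > "$d/client.ovpn"
    else
        chmod 644 "$d/keys/client.key"
        # CRLF endings, password auth left in, and a cert path that does not exist.
        printf '%s\r\n' client 'dev tun' 'auth-user-pass' 'ca keys/ca.crt' \
            'cert keys/missing.crt' 'key keys/client.key' > "$d/client.ovpn"
    fi
    echo "$d/client.ovpn"
}

# Stand-alone run: the good sample reports 0 problems, the bad one reports 4.
for kind in good bad; do
    sample=$(make_sample "$kind")
    rc=0
    check_ovpn_config "$sample" || rc=$?
    echo "$kind sample: $rc problem(s)"
    rm -rf "$(dirname "$sample")"
done
```

On the NAS itself, run the check against the copy in the shared folder (for example `check_ovpn_config /volume1/Share/client_oXXXXXXXXXX`) once the keys directory sits next to it; a clean result means the file can be copied back with cp as described above.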
To connect to the OpenVPN server, go to "Control Panel > Network > Network Interface", select the connection we created and click the "Connect" button. Thanks to the "redirect-gateway def1" line in the configuration file, the Synology will use the created tunnel as its main route to the Internet, and when it disconnects from the VPN server our storage will go back to using the router on the local network to reach the outside world.
Configure other devices
Now it remains to teach the other devices to choose their path to the Internet. To do this, I created two scripts with the following contents:
directly.bat:
route change 0.0.0.0 mask 0.0.0.0 255.255.255.254 metric 1
through the tunnel.bat:
route change 0.0.0.0 mask 0.0.0.0 255.255.255.255 metric 1
where 255.255.255.254 is the address of the home router and 255.255.255.255 is the address of the Synology on the local network.
When one of the devices needs to reach the Internet through the Russian channel, the VPN connection is brought up on the Synology through the web interface and the default gateway on the PC is switched with the script. When the need goes away, the connection on the Synology is torn down and the PC's default gateway is restored with the other script.
Speed
With my usage pattern, the load on the storage's processor does not exceed 80%, which is a lot but not critical. Keep in mind that this setup adds considerable latency, and the speed through the tunnel in my case does not exceed 8 megabits, with a home Internet speed of 20 megabits and a speed of 40 megabits at the far end of the tunnel.