QNAP OpenVPN (SSL)

Yes, smart network attached storage (NAS) devices support secure VPNs. An open source product named OpenVPN is installed by default on QNAP, Synology, and Asustor. Configuration is easy and, overall, the process takes only a fraction of the effort required for a Windows oriented SSL VPN.

OpenVPN may be activated by simply checking off a box and naming the authorized users. However, since SSL is involved, an additional layer of complication is required to manage SSL certificates. SSL is much easier to manage on a NAS device than on a Windows server, but it still takes a little effort. You also need an internet URL name, which will probably be based on one you selected from your Dynamic DNS (DDNS) provider.

The final configuration steps involve a little port forwarding on your router, downloading a configuration file from your NAS device to your PC, downloading and installing the free OpenVPN client program, then copying the configuration file into an OpenVPN folder.

Taking Care of the Prerequisites

You first need to select a DDNS provider and create a URL that points back to your ISP provided IP address. After you decide on a URL name, you need to create an SSL certificate that names it, then load the SSL certificate into your NAS device. Since I own a QNAP NAS, all examples will illustrate QNAP SSL and VPN management. The other smart NAS devices probably work a lot alike.

[Update March 9, 2015: OpenVPN client for Windows has a security vulnerability for versions prior to 2.3.6-I002/I602, called Freak. It allows an extremely motivated hacker to perform a man-in-the-middle attack. The likelihood of attack for most people is slim. To completely eliminate it, according to OpenVPN, load the most recent version of OpenVPN for Windows.]

[April 13, 2014 Heartbleed bug update: OpenSSL has a recently discovered security bug called Heartbleed that is said to have been repaired starting with version 1.01g and above. Version 1.02 will be secure, according to articles available on the internet. The bug will allow a knowledgeable hacker to pierce a part of the encryption so that much is in the clear. More information is available here.]

Configure the Router

Your router needs to be able to access your VPN over the internet. As a precaution, by default, routers usually won’t allow traffic into your network that is not in response to a previous request, such as a web page. VPN traffic travels on special ports, which are a little like TV channels. Certain types of traffic travel on certain port numbers. Opening these ports is called port forwarding.

OpenVPN needs these ports open and aimed toward your NAS device. Note that port 1194 is UDP, not TCP.


After installing your SSL certificate into the QNAP drive, you need to turn on OpenVPN. The IP address list should be left at the default. When you sign in, your PC will be given an IP address on the local network from that pool. The first address in the subnet is the network ID; in this case 10.1.0.1. You will access the shares using \\10.1.0.1 in Windows Explorer.

Download the configuration file by clicking the button. It will copy a zip file to your PC that holds data for your OpenVPN client software.


Next, select the authorized VPN users. You are done with server configuration.

OpenVPN is a little touchy about accessing shares. For best results, make sure the user name and password below matches the user name and password of the Windows user.


Download and Install Free OpenVPN Client Software

Go to your browser and navigate to this page to download OpenVPN client software for Windows. You are on the OpenVPN web site. Select the appropriate version, download, and install with administrator level privileges.

Go to the zip file you downloaded, unzip it, and look at the read-me file. It tells you how to make the final adjustments to OpenVPN so that your URL and certificate will make it work. Use a text editor and open openvpn.ovpn. Find the line that has an IP address and replace it with your URL name. Save the file. Now copy both it and ca.crt to the location specified in the read-me file.


Fire up the OpenVPN client. Right click the OpenVPN desktop icon and select "Run as administrator". You’ll be prompted for a user id and password. A little splash screen in the lower right corner will tell you that you’ve connected to a new network. If you double-click the OpenVPN icon in the lower right icon area, you’ll see a status box. When you’re done, this is where to disconnect. Note that the PC has a local IP address of 10.1.0.6 on the QNAP OpenVPN subnet.


You now have secure access to the network your NAS box is connected to. Note the IP address in Windows Explorer.



22 Comments on “QNAP OpenVPN (SSL)”

  1. nwgat says:

    just to be the first,
    a better openvpn client on Windows: http://www.sparklabs.com/viscosity/

  2. henning says:

    Great guide but I am stuck.

    Do I write my external fixed ip address into my openvpn.ovpn – or is it the vpn url 10.1.0.1? Do I include the port number 1194?

    “After installing your SSL certificate into the QNAP drive, ” why is this part of the guide missing?

    • Carl Rinker says:

      I wrote this a while ago and am answering from memory, but it looks like you put your external ip address there. For example, if you have a ddns address of henning.noip.com at noip, then that’s what you put there.

      10.1.0.1 is a local non-routable ip address. The VPN is intended to get you from outside your network to your server securely. You only use local ip addresses once you’re connected to the network via the VPN.

      Nothing is missing about ssl certificate management. The article is referenced above and linked to. Read it again and look up qnap ssl management.

  3. From what I gather from your post, a SSL cert is required on the NAS and ddns, before openvpn will work?

    • Carl Rinker says:

      Yes. OpenVPN uses certificates for encryption. The point of any VPN is to get to your network from outside, not to go from downstairs to upstairs. You need an IP address for that. DDNS associates the address from your ISP, which may change frequently, to your home network. If you have a fixed IP address, use it instead.

      OpenSSL is fine for certificate generation for home networks. You need to purchase an SSL certificate if you are offering a commercial web site that needs to be authenticated by a third party while encrypting traffic. While home NAS boxes are extremely useful, you probably wouldn’t run a business on one. Thus, this last bit of information is FYI.

  4. Mannebk says:

    Thanks

  5. migland says:

    Hi, my question is: the NAS in the local network has ip 10.0.0.40; in its settings I have no possibility to give the vpn addresses 10.0.0.50-10.0.60. By default qnap gives 10.8.0.0-XX, and that works, but I want to have addresses from the same network, e.g. the vpn client gets address 10.0.0.50 and not 10.8.0.X.

  6. migland says:

    Hi, I configured qnap according to your instructions and everything works well. But I want to go 1 step further and make the openvpn connection site to site. In 1 location qnap with the server, in the second Windows with the client. How to configure the client and both of the routers to have a fully site to site tunnel? Thanks in advance.

    • Carl Rinker says:

      I did a quick Google search and the reply to a similar question stated that QNAP offers only point to point, not site to site. OpenVPN provides site to site between routers. A person in the comments here on the DD-WRT – OpenVPN series noted that OpenVPN provides a configuration that uses passwords. Normally, I would think of this as not very secure, but even OpenVPN says it’s a good idea to use passwords on site to site configurations because only two routers are allowed. It looked easier than with full certificates. I don’t have any examples here.

  7. migland says:

    Maybe it would be a subject for the next article. How to make a site to site connection using openvpn server and client on windows? For me it would be perfect 🙂 thanks in advance.

  8. Marc J says:

    Thanks for the excellent guide! I’ve now got OpenVPN connections working on my QNAP TS-453 Pro 🙂

    I’ve got a purchased SSL on my own domain to allow https://location.domain.com connections (installed on the QNAP under System Settings – Security). Can this be used for the VPN connection, or must I download the cert from the OpenVPN QNAP admin screen?

    Or is that a stupid question?

    • Carl Rinker says:

      QNAP SSL Management explains how to use an existing SSL certificate. To be honest, I haven’t done it for a couple of years so my memory of the process is a little rusty (that’s one reason why I wrote the page … so I would remember how to do it later). Assuming you are the only one accessing the drive, then you’re authenticating yourself to yourself. A home made certificate works fine in that instance.

      • Marc J says:

        Thanks for replying. I purchased the cert specifically for the QNAP, and have already installed it successfully. My question is, if I take that cert (which I can download from QNAP System Settings – > Security) and use it instead of the ca.cert download from the OpenVPN bit of QNAP admin, in Program Files/OpenVPN/config, will it work? I read elsewhere that you can use a cert purchased for Apache in OpenVPN as they’re essentially the same…. But will the QNAP allow it?

      • Marc J says:

        I forgot to say, it’s not just me…there are about half a dozen users. Also… Because it’s a purchased cert, maybe there doesn’t have to be a copy in the client’s config folder at all?

      • Carl Rinker says:

        The certificate is used for encryption of the message. Homemade certificates work the same as purchased ones, all things being equal (for example key length is the same). Purchased certificates are used so a third party who doesn’t know you can feel sure that you are who you claim to be. For example, Amazon uses purchased certificates that are authenticated by a third party you trust, via their root certificate. Amazon does this because anyone can claim they are Amazon otherwise. If you are friends dealing with friends, you are authenticating yourselves. If you are expecting someone to give you money for services, then you should have third party authentication by a certificate authority via a purchased certificate, which can be costly.

        Whoever will be contacting the server should have your root certificate installed. The root certificate and its key were used to sign the client certificate. The client certificate and its key go on the QNAP device, assuming you use your certificates. In the simple QNAP example, the root certificate and client certificate are the same things.

        If that sounds confusing, please read the pages that explain SSL and certificates. There’s nobody on earth who can make this sound simple if you are still confused at this point.

  9. Marc J says:

    I don’t _think_ I’m confused 😉 I get SSL certs and why they’re needed, and when self signed are OK.

    But, I’ve already purchased an SSL which I’m using for https connections to QNAP admin at https://location.domain.com. This was purchased so that I didn’t have to supply the cert to users, to stop them getting insecure errors in their browsers (they’re all trusted and known to me, but it makes it easier – I don’t have to supply instructions to install a self-signed cert to them). It’s installed on the QNAP and working perfectly for this purpose.

    I figured I _may_ be able to do the same on the VPN side, i.e. don’t supply the users with a .crt file (the line “ca ca.crt” in the client config) since it’s a purchased cert and uses 3rd party authentication (in my case, GlobalSign –> AlphaSSL CS – SHA256 – G2). But it looks like OpenVPN client needs a copy of the cert either in the config or stored locally, even if it’s purchased, so there doesn’t _seem_ to be any way around it.

    • Carl Rinker says:

      OpenVPN needs some certificates in its configuration folder on each PC, tablet, and phone connecting as a client. You can’t ignore that requirement. Otherwise, it won’t work. Having a purchased certificate or one you made at home on the server doesn’t matter. Purchased certificates are to authenticate you to strangers, plus encrypt. Home made ones are to authenticate you to yourself, then encrypt.

      Please read the articles associated with each objective you want to accomplish. Each illustrates how I did it … none of the example articles are simple think pieces or examples in a vacuum. The others are summaries of what took me months to figure out, such as certificate and basic network theory and practice. My goal there was to come straight to the point and cover the basic necessities that apply to actual use. There’s no way I can give you the magic answer in a couple of sentences. If there were, the articles would only be a couple of sentences long. The answers you seek are somewhere in the articles, most likely.

      As I mentioned, I wrote these articles a couple of years ago. One reason I wrote them was so I would have a place to look things up if I wanted to retrace the steps down the road. I don’t have everything in the web site committed to memory for instant recall. Nobody who writes this kind of material does. Most people who claim instant answers to complicated questions are probably hustling you unless they just spent a lot of time in the very recent past on the exact same problem as you or their job is to answer the one question you need answered.

      While I’m flattered that you imply I am an oracle of sorts, I’m not. I wrote this material for a lot of reasons, and put it on the internet as a reference. I’m also not a free consultant, although I truly enjoy giving people that one piece of missing information that made a difference. I also think of myself as an educator.

  10. William Hadden says:

    Thanks very much for these excellent blog posts. Just to help others in case they have a similar problem I thought I’d share my experience.

    1. Persevere – it might take you an afternoon or evening to figure everything out but reading all the articles and other resources does help when things eventually sink in.

    2. I was setting up my NAS on my home wifi network. I created the SSL Cert and VPN config to work with the external address on DDNS (blah.myqnapcloud.com). I was then trying to connect from within the wifi network which just didn’t work. As soon as I changed the OpenVPN config to use internal 192.168 IP I could test and connect to VPN from within. When I tried connecting to VPN from the outside (tested on other laptop tethered to mobile phone) the external address VPN config worked.

    Maybe these are obvious but they might help someone!

    Thanks again,
    William

