
2013-03-23

Synology DiskStation - OpenVPN Confusion

Update: It works now! I have since updated my DiskStation to DSM 5.0 in order to fix the well-known Heartbleed vulnerability in OpenSSL versions 1.0.1 through 1.0.1f (inclusive). Wondering whether I could finally use the default RADIUS authentication method, I gave it a shot.

I went to the OpenVPN application > exported the certificates > copied the .ovpn and .crt to my phone through iTunes and logged in. To my surprise, everything worked perfectly fine!

An anonymous commenter on this post pointed out a recent fix to be implemented in OpenVPN, and it's likely that this fix has finally made it into the DiskStation. This means no more managing your own root certificate, maintaining a certificate revocation list, or signing keys! Things now work the way they're supposed to.

Thanks Synology!



Update: I've spoken with Synology support, they let me know that Synology currently does not support mobile clients connecting to OpenVPN.

I have put in a feature request to allow for such functionality, whether through client-based keys or password authentication for mobile devices.

In the meantime, the only way you're going to get your mobile devices working with OpenVPN on a Synology NAS is to follow the instructions on how to make your own keys for certificate-based authentication. The following pages will help with configuring your keys.

http://frednotes.wordpress.com/2013/02/09/synology-dsm4-2-and-vpn/
OR
http://forum.synology.com/wiki/index.php/How_to_use_your_own_certificates_for_connecting



I've been having some difficulty wrapping my head around how the Synology DiskStation implementation of OpenVPN functions.

Below is my take on what it's doing and what it's missing in terms of functionality/documentation:

Default Connection and Security Method

By default every Synology server ships with a root CA certificate signed by Synology themselves. I'm unsure whether these certificates are unique per device, but I would hope they are, or else every Synology server would act as a root CA for everyone else. The certificate my client logged further down was issued by "Synology Inc. CA" in April 2011 with subject CN=synology.com, which looks like a certificate shared across devices rather than one generated on mine. If the private key behind it is shared, anyone holding that key can present a server certificate my client trusts, so the ca.crt in the exported profile tells the client nothing about which DiskStation it is actually talking to.

All client logins using the default settings are accomplished with a password-based login to the Synology server. Whether or not the password transmission is encrypted, I do not know; in OpenVPN the user name and password travel inside the TLS control channel, so they are encrypted, but that protection is only as strong as the client's verification of the server certificate. The Synology server has a certificate called server.crt and a private key called server.key, which the server uses to prove its identity during the TLS handshake. The client uses ca.crt only to check that server.crt was issued by the trusted CA; the per-session keys that actually encrypt the tunnel are negotiated in the handshake rather than derived from the server certificate (I'm still fuzzy on the details of how this occurs).

I was also uncertain how encrypted data travels in the other direction (Synology server -> client), as no public and private key for the client are included in the exported openvpn.zip. The answer is that the same session keys negotiated in the TLS handshake protect both directions, so a client certificate is not needed for that; it is only needed if the server is configured to require one (on the OpenVPN side this is the verify-client-cert setting, formerly client-cert-not-required). There is no hidden client certificate that gets transferred after authentication; in the default password mode the client simply does not have one.

Mobile Client Support

One of the problems with the default Synology DiskStation implementation of OpenVPN is that all of the mobile clients I could find require some kind of client certificate, which to me makes sense, as you need to be able to provide secure transport both ways. There is no documentation from Synology that I could find that states how to do this, meaning the only supported way of connecting to your VPN is from a desktop machine, which is very limiting for anyone who travels a lot and uses a mobile device.

Below are the methods I have tried to connect from my iPhone using the official OpenVPN application. All files were put on the phone using iTunes file sharing.

Using openvpn.ovpn and ca.crt:
Finds the profile:


Cannot find ca.crt even though I added it:


Using iOS.ovpn (includes client.crt, client.key, ca.crt all in the same ovpn file)
Detects it as a "standard" profile (whatever that means).


But I end up hitting the following SSL errors for reasons which I do not understand. Reading the log, there are two different failures: the first attempt never received a reply on UDP 1194 and timed out after three tries, while the second attempt did reach the server, the server certificate at depth=0 verified, and the failure is at depth=1, the Synology CA certificate itself, which PolarSSL rejected:
2013-03-23 13:30:29 ----- OpenVPN Start -----
2013-03-23 13:30:29 LZO-ASYM init swap=0 asym=0
2013-03-23 13:30:29 EVENT: RESOLVE
2013-03-23 13:30:30 EVENT: WAIT
2013-03-23 13:30:30 Connecting to (removed):1194
(24.52.232.115) via UDPv4
2013-03-23 13:30:39 Server poll timeout, trying next remote entry...
2013-03-23 13:30:39 EVENT: RECONNECTING
2013-03-23 13:30:39 LZO-ASYM init swap=0 asym=0
2013-03-23 13:30:39 EVENT: RESOLVE
2013-03-23 13:30:39 EVENT: WAIT
2013-03-23 13:30:39 Connecting to (removed):1194
(24.52.232.115) via UDPv4
2013-03-23 13:30:49 Server poll timeout, trying next remote entry...
2013-03-23 13:30:49 EVENT: RECONNECTING
2013-03-23 13:30:49 LZO-ASYM init swap=0 asym=0
2013-03-23 13:30:49 EVENT: RESOLVE
2013-03-23 13:30:49 EVENT: WAIT
2013-03-23 13:30:49 Connecting to (removed):1194
(24.52.232.115) via UDPv4
2013-03-23 13:30:59 EVENT: CONNECTION_TIMEOUT [ERR]
2013-03-23 13:30:59 EVENT: DISCONNECTED
2013-03-23 13:30:59 Raw stats on disconnect:
  BYTES_OUT : 210
  PACKETS_OUT : 15
  CONNECTION_TIMEOUT : 1
  N_RECONNECT : 2
2013-03-23 13:30:59 Performance stats on disconnect:
  CPU usage (microseconds): 90686
  Network bytes per CPU second: 2315
  Tunnel bytes per CPU second: 0
2013-03-23 13:30:59 ----- OpenVPN Stop -----
2013-03-23 13:30:59 EVENT: DISCONNECT_PENDING
2013-03-23 13:31:34 ----- OpenVPN Start -----
2013-03-23 13:31:34 LZO-ASYM init swap=0 asym=0
2013-03-23 13:31:34 EVENT: RESOLVE
2013-03-23 13:31:34 EVENT: WAIT
2013-03-23 13:31:34 Connecting to (removed):1194
(24.52.232.115) via UDPv4
2013-03-23 13:31:44 Server poll timeout, trying next remote entry...
2013-03-23 13:31:44 EVENT: RECONNECTING
2013-03-23 13:31:44 LZO-ASYM init swap=0 asym=0
2013-03-23 13:31:44 EVENT: RESOLVE
2013-03-23 13:31:44 EVENT: WAIT
2013-03-23 13:31:44 Connecting to (removed):1194
(24.52.232.115) via UDPv4
2013-03-23 13:31:52 UDP send error: send: Can't assign requested address
2013-03-23 13:31:54 Server poll timeout, trying next remote entry...
2013-03-23 13:31:54 EVENT: RECONNECTING
2013-03-23 13:31:54 LZO-ASYM init swap=0 asym=0
2013-03-23 13:31:54 EVENT: RESOLVE
2013-03-23 13:31:55 EVENT: WAIT
2013-03-23 13:31:55 Connecting to (removed):1194
(24.52.232.115) via UDPv4
2013-03-23 13:31:55 EVENT: CONNECTING
2013-03-23 13:31:55 Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
2013-03-23 13:31:55 Peer Info:
IV_VER=1.0
IV_PLAT=ios
IV_NCP=1
IV_LZO=1

2013-03-23 13:31:56 VERIFY OK: depth=0
cert. version : 3
serial number : (removed)
issuer name   : C=TW, ST=Taiwan, L=Taipei, O=Synology Inc., OU=Certificate Authority, CN=Synology Inc. CA, emailAddress=product@synology.com
subject name  : C=TW, ST=Taiwan, L=Taipei, O=Synology Inc., OU=FTP Team, CN=synology.com, emailAddress=product@synology.com
issued  on    : 2011-04-29 18:07:16
expires on    : 2031-01-14 18:07:16
signed using  : RSA+SHA1
RSA key size  : 1024 bits

2013-03-23 13:31:56 VERIFY FAIL: depth=1
cert. version : 3
serial number : (removed)
issuer name   : C=TW, ST=Taiwan, L=Taipei, O=Synology Inc., OU=Certificate Authority, CN=Synology Inc. CA, emailAddress=product@synology.com
subject name  : C=TW, ST=Taiwan, L=Taipei, O=Synology Inc., OU=Certificate Authority, CN=Synology Inc. CA, emailAddress=product@synology.com
issued  on    : 2011-04-29 18:07:15
expires on    : 2031-01-14 18:07:15
signed using  : RSA+SHA1
RSA key size  : 1024 bits

2013-03-23 13:31:56 Transport Error: PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
2013-03-23 13:31:56 EVENT: CERT_VERIFY_FAIL PolarSSL: SSL read error :
X509 - Certificate verification failed, e.g. CRL, CA or signature check failed [ERR]
2013-03-23 13:31:56 EVENT: DISCONNECTED
2013-03-23 13:31:56 Raw stats on disconnect:
  BYTES_IN : 2112
  BYTES_OUT : 606
  PACKETS_IN : 20
  PACKETS_OUT : 29
  NETWORK_SEND_ERROR : 1
  SSL_ERROR : 1
  CERT_VERIFY_FAIL : 1
  N_RECONNECT : 2
2013-03-23 13:31:56 Performance stats on disconnect:
  CPU usage (microseconds): 101768
  Network bytes per CPU second: 26707
  Tunnel bytes per CPU second: 0
2013-03-23 13:31:56 ----- OpenVPN Stop -----
2013-03-23 13:31:56 EVENT: DISCONNECT_PENDING

Alternatives to the Default Authentication Method?

You have the ability in the DiskStation Manager interface to create your own root CA, public and private keys, or alternatively to have one of your certificates signed by the current root CA.

Generating your own certificates may well end up being the better method, as the server can then require and verify a client certificate that you issued, something the default setup does not do, and the client trusts only your CA rather than one shared with every other Synology owner.

The above method may work for creating certificates for mobile applications, but I am unsure how the configuration is structured: when you create the keys, I do not know whether they will actually be used for the VPN and override the previous Synology-signed certificates.

Synology Feedback

I would appreciate it if Synology provided additional information on how their specific implementation of OpenVPN functions, so there is no longer confusion among owners of DiskStation products. The current documentation does not go into enough detail about how this setup works.

Most importantly, I believe Synology should provide instructions on how to make their implementation of OpenVPN work with mobile applications. If mobile clients worked out of the box, that additional documentation might not even be required.

Notes

If I ever find an easy, straightforward way of getting mobile clients onto OpenVPN on a Synology DiskStation I will be sure to post instructions. For now it seems like a fairly convoluted and confusing task that most people will not be inclined to attempt.

If you want to make an attempt at generating your own keys, the best resource I could find is the following: http://forum.synology.com/wiki/index.php?title=How_to_use_your_own_certificates_for_connecting&printable=yes

But I am almost positive it is not supported or recommended, as you could end up breaking your device if you're not careful.

2 comments:

  1. Hi,
    I have only just started looking at this, but I think you are slightly mistaken in Mobile Client Support (although I had similar thoughts until I read the help within the iPhone OpenVPN client).
    If you add;

    setenv CLIENT_CERT 0

    to the .ovpn file, you will not be prompted for a certificate. That said, it still does not work.
    Once you insert your chosen user name and password, and attempt to connect, you will get;

    X509 - Certificate verification failed

    A thread on forums.openvpn has OpenVPN Technologies stating an issue with CAs with path length zero, being fixed in 1.0.2 (dated 31 May 2013). As to when Synology update their server, who knows.

    Apparently the current workaround is still to produce your own certs, I am looking into this now (and the reason for coming across your article).

    Regards
    ChrizK

    1. Thanks for the extra info, I'm by no means an openvpn expert but this information is definitely helpful. If you do find that Synology updates to support this method it would be great if you could update me.

      I have produced my own certs in order to fix this, it works perfectly for me. I just wish I didn't have to and it was more out of the box supported, because every time a new version of DSM comes out it will wipe the certificate store.
