2.84 - Cannot route through VPN

Fast, easy, and free BitTorrent client daemon, which can be controlled through desktop, mobile applications or web gui.

Moderator: Lillian.W@AST

dhstsw
Posts: 154
Joined: Sat Aug 02, 2014 2:02 am

Re: 2.84 - Cannot route through VPN

Post by dhstsw »

Thanks mafredri, I'll give it a shot as soon as I get a reliable VPN service :)

BTW, do you know of any service compatible with the Asustor implementation of OpenVPN? (I looked, nearly all with Synology use PPTP - the few ones with OpenVPN need some scripting config in the OpenVPN client which I can't find in my Asustor).

thx.
AS-304T
If you own a series 2/3/6 Asustor it's very likely you won't get XBMC 13.x/Kodi.
But easily you'll end buying a kitchen from UK.
mafredri
Posts: 371
Joined: Sat Mar 22, 2014 8:41 am

Re: 2.84 - Cannot route through VPN

Post by mafredri »

Sorry, I can't tell you of any service that will surely be compatible with Asustor. Basically any VPN service should work, the problem is just that Asustor does not expose all the configuration options of OpenVPN. Asustor has not made its own implementation, they actually use OpenVPN in the background. What this means is that as long as the options required by your service are configurable through the ADM interface, it will be supported.

For example, I don't use the ADM interface to configure my VPN, I manually run the openvpn binary like so:

Code: Select all

openvpn --config /root/openvpn/conf.ovpn \
        --mute-replay-warnings \
        --script-security 2 \
        --route-up /root/openvpn/route-up.sh
(That route-up.sh script is actually what I posted in the previous post with the ip commands to set up the routes)

PS. You should always prefer OpenVPN over PPTP since PPTP is not secure.
Hi, I'm new here. Looking to be active in the community and help with development :).
Storage: AS-604T with 3GB RAM (Kingston KVR1333D3S8S9/2G)
dhstsw
Posts: 154
Joined: Sat Aug 02, 2014 2:02 am

Re: 2.84 - Cannot route through VPN

Post by dhstsw »

Ok, i managed to have it working :) Thanks.

The only thing i miss is "how to" make openvpn start at boot time.

I put the file "S99ovpn.sh" in /usr/local/etc/init.d/

Code: Select all

#!/bin/sh -e
SERVER="server.ovpn"
openvpn --config /share/Download/vpn/$SERVER
exit
if i try to execute it:

Code: Select all

root@asustor:/volume1/.@plugins/etc/init.d # /usr/local/etc/init.d/S99ovpn.sh
it gives me:

Code: Select all

/bin/sh: illegal option -
If i try:

Code: Select all

root@asustor:/volume1/.@plugins/etc/init.d # sh /usr/local/etc/init.d/S99ovpn.sh
it gives me:

Code: Select all

Options error: In [CMD-LINE]:1: Error opening configuration file: /share/Download/vpn/server.ovpn
Use --help for more information.
: not foundetc/init.d/S99ovpn.sh: line 4: exit
I'm quite lost :-/
AS-304T
If you own a series 2/3/6 Asustor it's very likely you won't get XBMC 13.x/Kodi.
But easily you'll end buying a kitchen from UK.
mafredri
Posts: 371
Joined: Sat Mar 22, 2014 8:41 am

Re: 2.84 - Cannot route through VPN

Post by mafredri »

dhstsw wrote:Ok, i managed to have it working :) Thanks.
No problem :)
dhstsw wrote:The only thing i miss is "how to" make openvpn start at boottime.

I tried to put a S99OpenVPN file (with 755 permissions) in /etc/init.d containing the following lines:

openvpn --config /path/to/config.ovpn --auth --auth-user-pass /path/to/pass.txt

but at reboot the file was deleted (and, of course, openvpn didn't start).

Any idea?
/etc/init.d (and actually anything on the root filesystem that is not mounted from /volume1) is only stored in memory, therefore it will disappear when you reboot the NAS.

You can try putting it in /volume1/.@plugins/etc/init.d/ and see if that works. Alternatively create an AppCentral app that starts it (and stops it on shutdown).
Hi, I'm new here. Looking to be active in the community and help with development :).
Storage: AS-604T with 3GB RAM (Kingston KVR1333D3S8S9/2G)
dhstsw
Posts: 154
Joined: Sat Aug 02, 2014 2:02 am

Re: 2.84 - Cannot route through VPN

Post by dhstsw »

Thanks.

I modified the post before your answer. Could you check it again? ;)

thanks-
AS-304T
If you own a series 2/3/6 Asustor it's very likely you won't get XBMC 13.x/Kodi.
But easily you'll end buying a kitchen from UK.
mafredri
Posts: 371
Joined: Sat Mar 22, 2014 8:41 am

Re: 2.84 - Cannot route through VPN

Post by mafredri »

dhstsw wrote:I modified the post before your answer. Could you check it again? ;)
All I can see is that openvpn can't find the file, so make sure it's actually there and readable.

Also, /usr/local/etc/init.d/ is the same folder I suggested above (from volume1), so the path should be fine.

PS. The way you are running openvpn, it will likely override your routes and cause all traffic on the NAS to go through the VPN (although that depends on the .ovpn config, but usually this is the case).
Hi, I'm new here. Looking to be active in the community and help with development :).
Storage: AS-604T with 3GB RAM (Kingston KVR1333D3S8S9/2G)
dhstsw
Posts: 154
Joined: Sat Aug 02, 2014 2:02 am

Re: 2.84 - Cannot route through VPN

Post by dhstsw »

Files not found were automatically fixed running the script as a start-stop.sh (and softlinked) in /usr/local/etc/init.d/ as S99OpenVPN.
(too bad it's not launching it at boot time... dunno).

Another problem arose since openvpn couldn't find the TUN module.

Found an override this way:

Code: Select all

mkdir /dev/net
mknod /dev/net/tun c 10 200
This way openvpn starts without complaining.

I guess about the route you're right. Problem is, i don't know much about routing. I see you use iproute2, but i can't find the binary to run on my nas.

in the .ovpn config files the route options are left as this:

Code: Select all

route-method exe
route-delay 2
route 0.0.0.0 0.0.0.0
my lan IP is 10.0.1.x, gateway is 10.0.1.2 and nas ip is 10.0.1.150.

Can you give me any hint in how to set it up?


The public ip given by the vpn isn't static, so i have to change it on transmission.json at every reboot.

By the way, i found the .ovpn config files, they're stored here:

/volume0/usr/builtin/etc/vpnclient

Problem is, if i modify them, starting the vpn with the web interface modifies the config file, removing all the mods i did.
AS-304T
If you own a series 2/3/6 Asustor it's very likely you won't get XBMC 13.x/Kodi.
But easily you'll end buying a kitchen from UK.
mafredri
Posts: 371
Joined: Sat Mar 22, 2014 8:41 am

Re: 2.84 - Cannot route through VPN

Post by mafredri »

dhstsw wrote:

Code: Select all

mkdir /dev/net
mknod /dev/net/tun c 10 200
This way openvpn starts without complaining.
To initialize vpn I use

Code: Select all

/etc/script/vpn.sh insmod
and on shutdown you might want to call

Code: Select all

/etc/script/vpn.sh rmmod
dhstsw wrote:I guess about the route you're right. Problem is, i don't know much about routing. I see you use iproute2, but i can't find the binary to run on my nas.
I made the ip binary from iproute2 available here. It's not strictly necessary though, the busybox ip binary is sufficient if configuring the routes in a slightly different way than me.
dhstsw wrote:in the .ovpn config files the route options are left as this:

Code: Select all

route-method exe
route-delay 2
route 0.0.0.0 0.0.0.0
my lan IP is 10.0.1.x, gateway is 10.0.1.2 and nas ip is 10.0.1.150.

Can you give me any hint in how to set it up?
Sorry, this information doesn't allow me to help you at all. Please revisit my post on setting up routes.
dhstsw wrote:The public ip given by the vpn isn't static, so i have to change it on transmission.json at every reboot.
So make sure your script starts AFTER transmission, then do

Code: Select all

/usr/local/AppCentral/transmission/CONTROL/start-stop.sh stop
sed -i -e "s/\(.*ipv4\": \"\)[^\"]*\(.*\)/\1${ifconfig_local}\2/g" /usr/local/AppCentral/transmission/config/settings.json
/usr/local/AppCentral/transmission/CONTROL/start-stop.sh start
dhstsw wrote:By the way, i found the .ovpn config files, they're stored here:

/volume0/usr/builtin/etc/vpnclient

Problem is, if i modify them, starting the vpn with the web interface modifies the config file, removing all the mods i did.
Yes, definitely not recommended, they are auto generated from the settings in ADM. You can try to chmod 444 the file to remove write permissions, could work, but still I do not recommend it (it does not anyway help you with the transmission bind woes).


Putting all your requirements into a script, the following should do it (the while loop makes sure your VPN attempts to reconnect when it disconnects, otherwise it is a one-off thing):

Code: Select all

#!/bin/sh
# filename: /root/openvpn/start.sh

/etc/script/vpn.sh insmod

while true; do
    openvpn --config /root/openvpn/server.ovpn \
        --mute-replay-warnings \
        --script-security 2 \
        --route-up /root/openvpn/route-up.sh
    sleep 5
done

Code: Select all

#!/bin/sh
# filename: /root/openvpn/route-up.sh

IP=/root/openvpn/ip
ETH=eth0
TUN=tun0

# Cleanup
$IP route flush table 42

$IP route add $trusted_ip via $route_net_gateway dev $ETH
$IP route add ${trusted_ip%%.*}.0.0.0/1 via $ifconfig_remote dev $TUN
$IP route add 0.0.0.0/1 via $ifconfig_remote dev $TUN table 42

$IP rule del from all to $ifconfig_local lookup 42
$IP rule del from $ifconfig_local lookup 42
$IP rule add from all to $ifconfig_local lookup 42
$IP rule add from $ifconfig_local lookup 42

# Make sure transmission is stopped
/usr/local/AppCentral/transmission/CONTROL/start-stop.sh stop
# Wait a bit
sleep 5

# Update IP (-i -e edits in place; "-ie" would be read as a backup suffix "e")
sed -i -e "s/\(.*ipv4\": \"\)[^\"]*\(.*\)/\1${ifconfig_local}\2/g" /usr/local/AppCentral/transmission/config/settings.json
# Start Transmission
/usr/local/AppCentral/transmission/CONTROL/start-stop.sh start
Hi, I'm new here. Looking to be active in the community and help with development :).
Storage: AS-604T with 3GB RAM (Kingston KVR1333D3S8S9/2G)
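
The bind-address update from route-up.sh above, as an added example that is not part of mafredri's post: it validates the address before it reaches sed and re-reads the file to confirm the change, so a missing key or a malformed value is caught instead of leaving Transmission on its old address. The function names and the sample settings.json are constructed for illustration; `bind-address-ipv4` is the Transmission key that the thread's sed expression matches.

```shell
#!/bin/sh
# Added example (not from the thread): set Transmission's bind address safely.

# Constructed sample settings.json fragment, written to the path given as $1.
make_sample() {
    cat > "$1" <<'EOF'
{
    "bind-address-ipv4": "0.0.0.0",
    "bind-address-ipv6": "::",
    "peer-port": 51413
}
EOF
}

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
# This keeps anything other than digits and dots out of the sed expression.
is_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# get_bind_ipv4 FILE: print the current value of "bind-address-ipv4".
get_bind_ipv4() {
    sed -n 's/.*"bind-address-ipv4": "\([^"]*\)".*/\1/p' "$1"
}

# set_bind_ipv4 FILE ADDR: rewrite the key, then verify what was written.
# Returns 2 for an invalid address, 1 if the file does not end up with ADDR
# (for example because the key is absent), 0 on success.
set_bind_ipv4() {
    file=$1 addr=$2
    is_ipv4 "$addr" || { echo "refusing invalid address: $addr" >&2; return 2; }
    tmp="$file.tmp.$$"
    # Write to a temporary file and rename, so a failed sed never truncates FILE.
    sed -e "s/\(\"bind-address-ipv4\": \"\)[^\"]*\"/\1${addr}\"/" "$file" > "$tmp" || return 1
    mv "$tmp" "$file"
    [ "$(get_bind_ipv4 "$file")" = "$addr" ]
}
```

In a route-up script this would be called as `set_bind_ipv4 /usr/local/AppCentral/transmission/config/settings.json "$ifconfig_local"` between the stop and start calls, starting Transmission only if it returns 0.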
dhstsw
Posts: 154
Joined: Sat Aug 02, 2014 2:02 am

Re: 2.84 - Cannot route through VPN

Post by dhstsw »

Mafredri,

THX a LOT. :)
I'm going to try and keep you posted!
AS-304T
If you own a series 2/3/6 Asustor it's very likely you won't get XBMC 13.x/Kodi.
But easily you'll end buying a kitchen from UK.
dhstsw
Posts: 154
Joined: Sat Aug 02, 2014 2:02 am

Re: 2.84 - Cannot route through VPN

Post by dhstsw »

Works perfectly!

I'm not sure about the routing tho:

Code: Select all

root@asustor:/volume1/.@plugins/AppCentral/openvpn/CONTROL # ip route
0.0.0.0/1 via 188.72.115.129 dev tun0
default via 188.72.115.129 dev tun0
default via 10.0.1.2 dev eth0
10.0.1.0/24 dev eth0  src 10.0.1.150
128.0.0.0/1 via 188.72.115.129 dev tun0
188.72.115.3 via 10.0.1.2 dev eth0
188.72.115.128/26 dev tun0  src 188.72.115.138
how does it look?

Also, openvpn doesn't look like it's starting in daemon mode (even when given the --daemon parameter), which stops all the subsequent "starts" in init.d from executing.
AS-304T
If you own a series 2/3/6 Asustor it's very likely you won't get XBMC 13.x/Kodi.
But easily you'll end buying a kitchen from UK.
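
A way to read the routing table posted above, as an added example that is not part of the thread: it applies longest-prefix matching to that `ip route` output to show which interface a given destination leaves through. The function names and the test destinations 8.8.8.8 and 203.0.113.7 are chosen for illustration; route metrics are ignored.

```shell
#!/bin/sh
# Added example (not from the thread): which device does a destination use?

# Route table as posted in the thread above.
ROUTES='0.0.0.0/1 via 188.72.115.129 dev tun0
default via 188.72.115.129 dev tun0
default via 10.0.1.2 dev eth0
10.0.1.0/24 dev eth0  src 10.0.1.150
128.0.0.0/1 via 188.72.115.129 dev tun0
188.72.115.3 via 10.0.1.2 dev eth0
188.72.115.128/26 dev tun0  src 188.72.115.138'

# route_dev DEST: print the device of the most specific route matching DEST.
# Routes of equal prefix length keep the first one listed.
route_dev() {
    printf '%s\n' "$ROUTES" | awk -v dst="$1" '
    function ip2n(s,   o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    BEGIN { best = -1 }
    {
        net = $1; len = 32                      # a bare address is a /32 host route
        if (net == "default") { net = "0.0.0.0"; len = 0 }
        else if (split(net, p, "/") == 2) { net = p[1]; len = p[2] + 0 }
        dev = ""
        for (i = 2; i < NF; i++) if ($i == "dev") dev = $(i + 1)
        div = 2 ^ (32 - len)
        # Same prefix when both addresses agree after dropping the host bits.
        if (int(ip2n(dst) / div) == int(ip2n(net) / div) && len > best) {
            best = len; bestdev = dev
        }
    }
    END { print bestdev }'
}

# check_tunnel: succeed only if public destinations use tun0 while the VPN
# server (188.72.115.3) and the LAN gateway (10.0.1.2) stay on eth0.
check_tunnel() {
    [ "$(route_dev 8.8.8.8)" = tun0 ] && [ "$(route_dev 203.0.113.7)" = tun0 ] &&
    [ "$(route_dev 188.72.115.3)" = eth0 ] && [ "$(route_dev 10.0.1.2)" = eth0 ]
}
```

With this table both /1 routes are more specific than either default route, so every destination outside 10.0.1.0/24 except the VPN server itself resolves to tun0.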