Synology NAS VPN client to Firewalla not working
I'm having problems connecting Synology NAS's VPN Clients to the FWG VPN Server.
In DSM I created the Network Interface VPN profiles using the file and password provided by the FW, but they fail to connect. I tried one local and one remote. I suspect the NAS does not like the customized OpenVPN files from Firewalla.
I can easily connect my phone to the FW using that same file so it's really something at the NAS level that is bugging.
Has anyone figured it out?
-
It just says failed to connect.
I've done some searching in the meantime and it appears Synology requires keys to be uploaded in separate files, but I have not found many details.
So I copied the CA cert section and created a CAcertificate.cert file, similarly a clientcert.cert file, a clientkey.key file and a tsl-auth.txt file. I uploaded each, but I then get an invalid key error.
Researching the error here
https://kb.synology.com/en-af/DSM/tutorial/I_received_error_message_Invalid_private_key_when_importing_certificate
It seems formatted accordingly -
I have used the following workaround before with another OpenVPN provider and Synology, and it also works fine for Firewalla.
Create a new VPN profile in the Synology DSM GUI: Enter a dummy username and password. Import the .ovpn file generated by Firewalla, but first delete the whole <key> section. This will let you add it without the errors you mentioned above.
SSH as root into your Synology NAS and navigate to:
/usr/syno/etc/synovpnclient/openvpn/
You will see it copied your .ovpn to something like client_o1234567890, with some additional hooks added at the end.
Edit this file and add back in the <key> section.
Edit this file and add the following line:
askpass private_key_pass.txt
Create a text file in the same directory named private_key_pass.txt containing only the private key password from the Firewalla app. Change permissions so that it is only readable by root:
sudo chmod 600 private_key_pass.txt
You will see it has also added the Synology GUI options to the file ovpnclient.conf. If you need to change any of these options (e.g. auto reconnect) in the future, change them here and not through the Synology GUI. You can leave the dummy username and password here because they won't be used.
Now go back into the Synology DSM GUI and try to connect your VPN profile. It should work. If it's still not connecting, you can enable logging in the client_01234567890 file by adding something like the following line:
log openvpn.log
Good luck!
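The file edits from the workaround above, scripted as an added example (not part of the original post, and not Synology or Firewalla code). The function names, the temp-dir layout and the sample profile are assumptions; the profile contents are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and function names are assumptions.
umask 077   # files created below are readable by their owner only

# split_key IN OUT KEYBLOCK: write IN without its inline <key> block to OUT
# (the copy to import in DSM) and save the removed block to KEYBLOCK.
split_key() {
    sed '/^<key>/,/^<\/key>/d' "$1" > "$2"
    sed -n '/^<key>/,/^<\/key>/p' "$1" > "$3"
    chmod 600 "$3"
    [ -s "$3" ]   # non-zero status if IN had no <key> block
}

# restore_key CONF KEYBLOCK PASSFILE: append the key block and the askpass
# line to the config DSM created, skipping whatever is already there.
restore_key() {
    grep -q '^<key>' "$1" || cat "$2" >> "$1"
    grep -q '^askpass ' "$1" || printf 'askpass %s\n' "$3" >> "$1"
}

# owner_only FILE: true when FILE has mode 600 (rw for owner, nothing else).
owner_only() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# demo: run the steps on a constructed profile in a temp dir, print the dir.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'client' 'remote vpn.example.invalid 1194' \
        '<ca>' 'CONSTRUCTED-CA' '</ca>' \
        '<key>' 'CONSTRUCTED-ENCRYPTED-KEY' '</key>' 'verb 3' > "$d/fw.ovpn"
    split_key "$d/fw.ovpn" "$d/import.ovpn" "$d/key.block" || return 1
    cp "$d/import.ovpn" "$d/client_o0000000000"   # stands in for DSM's copy
    printf '%s\n' 'CONSTRUCTED-PASSPHRASE' > "$d/private_key_pass.txt"
    chmod 600 "$d/private_key_pass.txt"
    restore_key "$d/client_o0000000000" "$d/key.block" private_key_pass.txt
    restore_key "$d/client_o0000000000" "$d/key.block" private_key_pass.txt
    echo "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Running restore_key twice leaves a single <key> block and a single askpass line, and owner_only can be pointed at private_key_pass.txt on the NAS to confirm the chmod 600 step took effect.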