Hi all!
I know that a great deal has already been written about configuring OpenVPN. Still, I personally ran into a lack of systematized information on the topic in the title, so I decided to share my experience, primarily with those who are not OpenVPN administration gurus but would like to achieve site-to-site connectivity between remote subnets on a Synology NAS. I would also like to keep this as a note for myself.
So, I have a Synology DS918+ NAS with the VPN Server package installed, OpenVPN configured, and users who are allowed to connect to the VPN server. I won't go into detail about setting up the server in the DSM interface (the NAS's web portal); that information is available on the manufacturer's website.
The problem is that the DSM interface (version 6.2.3 as of the date of publication) offers only a limited set of settings for managing the OpenVPN server. In our case, a site-to-site connection is required, meaning hosts on the VPN client subnet should be able to reach hosts on the VPN server subnet and vice versa. The default settings available on the NAS allow access only from hosts on the VPN client subnet to hosts on the VPN server subnet.
To allow access to the VPN client subnets from the VPN server subnet, we will need to log into the NAS via SSH and edit the OpenVPN server's configuration file manually.
To edit files on the NAS via SSH, I find it more convenient to use Midnight Commander. To do this, I added the package source in the Package Center and installed the Midnight Commander package.

Log in via SSH to the NAS under an account with administrator rights.

We type sudo su and enter the administrator password again:

We type the command mc to start Midnight Commander:

Next, go to the /var/packages/VPNCenter/etc/openvpn/ directory and find the openvpn.conf file:

According to the task, we need to connect 2 remote subnets. To do this, we create 2 accounts on the NAS through DSM with limited rights to all NAS services and grant them access only to the VPN connection in the VPN Server settings. For each client, we need to configure a static IP allocated by the VPN server and route traffic from the VPN server's subnet to the client's subnet through this IP.
Initial data:
VPN server subnet: 192.168.1.0/24.
OpenVPN server address pool: 10.8.0.0/24. The OpenVPN server itself receives the address 10.8.0.1.
VPN client 1 (user VPN) subnet: 192.168.10.0/24; it should receive the static address 10.8.0.5 on the OpenVPN server.
VPN client 2 (user VPN-GUST) subnet: 192.168.5.0/24; it should receive the static address 10.8.0.4 on the OpenVPN server.
In the settings directory, create a ccd folder and, inside it, create settings files whose names match the user logins.

For the VPN user, write the following settings in the file:

For the VPN-GUST user, write the following in the file:

All that remains is to fine-tune the OpenVPN server configuration: add a parameter for reading the client settings and add routes to the client subnets:

In the screenshot provided, the first 2 lines of the config are set by the DSM interface (the “Allow clients to access the server’s local network” checkbox in the OpenVPN server settings).
The client-config-dir ccd line tells the server that the per-client settings are in the ccd folder.
Next, 2 configuration lines add routes to the client subnets through the corresponding OpenVPN gateways.
Finally, the subnet topology must be applied for this to work properly.
We do not touch any other settings in the file.
After writing the settings, do not forget to restart the VPN Server service in the package manager. On the hosts of the server subnet, or on their gateway, add routes to the client subnets via the NAS.
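As an added example (my own reconstruction of the steps described above, not the author's screenshots, which are not reproduced here), the two ccd files and the server-side additions written out with the addresses from this post. The directive names are standard OpenVPN directives; the paths are the ones named above, and the 2 lines that DSM writes itself are assumed to stay as they are and are not shown:

```conf
# /var/packages/VPNCenter/etc/openvpn/ccd/VPN   (file name = user login)
# Fixed tunnel address for this client. With "topology subnet" the second
# argument is the netmask of the VPN pool, not a point-to-point peer address.
ifconfig-push 10.8.0.5 255.255.255.0
# Internal route: tells the OpenVPN server that 192.168.10.0/24 lives behind
# this client, so the server knows which tunnel session to send it to.
iroute 192.168.10.0 255.255.255.0

# /var/packages/VPNCenter/etc/openvpn/ccd/VPN-GUST
ifconfig-push 10.8.0.4 255.255.255.0
iroute 192.168.5.0 255.255.255.0

# Additions to /var/packages/VPNCenter/etc/openvpn/openvpn.conf
# (the lines DSM generates from the "Allow clients to access the server's
# local network" checkbox are left untouched and not shown here)
client-config-dir ccd
# Kernel routes on the NAS: each client subnet via that client's static
# tunnel address. The matching iroute in the ccd file is still required;
# "route" alone only tells the kernel to hand the packet to the tun device.
route 192.168.10.0 255.255.255.0 10.8.0.5
route 192.168.5.0 255.255.255.0 10.8.0.4
topology subnet
```

The ccd file is only read for a client whose certificate common name (here, the DSM user login) matches the file name, so a typo in the file name silently leaves that client without its static address and iroute.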
In my case, the gateway for all hosts on the subnet in which the NAS is located (its IP 192.168.1.3) was the router (192.168.1.1). On this router, I added routing entries for networks 192.168.5.0/24 and 192.168.10.0/24 to the gateway 192.168.1.3 (NAS) in the static route table.
Do not forget that with the firewall enabled on the NAS, you will need to configure it as well. Plus, a firewall can be enabled on the client side, which will also need to be configured.
P.S. I am not a professional in network technologies, and in particular not in working with OpenVPN; I'm simply sharing my experience and publishing the settings I made that allowed me to set up site-to-site communication between subnets. Perhaps there's a simpler and/or more correct setup, and I'd be happy if you shared your experiences in the comments.
Source: habr.com
