
I needed some sites to think that I was in Russia rather than in Europe. I also wanted to hide my interest in torrents from the local authorities (I'm not sure what they monitor, but nonetheless). I had an OpenVPN client configuration file and the certificates for it. In addition, I really did not want to install OpenVPN on every device on the network. The home router is from the very lowest price bracket and definitely cannot work with OpenVPN. Then I remembered my network storage, which does nothing but store data. It used to download torrents as well, but after moving it was decided to give up torrents for the time being. So it was decided to turn it (a Synology DS211j) into a gateway to the Russian Internet, since its processor power was otherwise sitting idle.
I warn you in advance that all the manipulations were performed on DSM version 5.0-4458 and on other versions everything may be different.
Configuring the OpenVPN connection on Synology
First of all, go to the storage's web interface, to the section “Control Panel > Network > Network Interface”, and create an OpenVPN profile there. Unfortunately, the web interface can only create a connection with password authentication, whereas we need certificate authentication. Therefore, we fill in the proposed fields with any data:

Click next, and set the following settings:

Pay attention to the second setting. What it means is not very clear; in DSM version 4.3 I did not notice such translation flaws.
Then, in the section “Control Panel > Terminal and SNMP > Terminal”, enable whichever method of connecting to the storage you prefer:

Connect to the Synology using the selected protocol. Next we need to edit the automatically created file /usr/syno/etc/synovpnclient/openvpn/client_oXXXXXXXXXX. vi gurus can do it right in the console; everyone else may find it more convenient to copy the file to a shared folder and edit it there with more familiar tools. The copy is done with the following command:
cp /usr/syno/etc/synovpnclient/openvpn/client_oXXXXXXXXXX /volume1/Share
When editing the file, note that Linux and Windows mark the end of a line differently, so use a text editor that can save the file with the Unix-style line endings the Synology expects.
In my case, the configuration file looks like this:
client
dev tun
proto udp
remote 255.255.255.255 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
ns-cert-type server
cipher AES-128-CBC
auth SHA1
redirect-gateway def1
Then, using the mkdir command, we create a keys directory inside /usr/syno/etc/synovpnclient/openvpn/ and use the cp command to put the certificate files and their keys there. With the same command, copy the modified configuration file back to the appropriate directory.
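The copy steps above can be wrapped in one shell function, given here as an added example that is not part of the original article: it strips Windows line endings from the edited configuration, refuses to install anything if a file named by a ca, cert or key directive is missing, and leaves the copied files readable by their owner only. The function name, its arguments and the certificate source directory are assumptions, and the directive paths are assumed to be relative, as in the configuration shown earlier.

```shell
# Added example, not from the original article.
# install_ovpn_profile CONF CERT_SRC OVPN_DIR   (name and arguments are assumptions)
#   CONF     - edited copy of client_oXXXXXXXXXX, e.g. in /volume1/Share
#   CERT_SRC - directory holding the certificate and key files
#   OVPN_DIR - /usr/syno/etc/synovpnclient/openvpn on the storage
install_ovpn_profile() {
    conf=$1 src=$2 dest=$3
    if [ ! -f "$conf" ] || [ ! -d "$src" ] || [ ! -d "$dest" ]; then
        echo "usage: install_ovpn_profile CONF CERT_SRC OVPN_DIR" >&2
        return 2
    fi
    name=$(basename "$conf")
    tmp="$dest/.$name.tmp"

    # Strip the carriage returns left by a Windows text editor.
    tr -d '\r' < "$conf" > "$tmp" || return 1

    # Paths named by the ca/cert/key directives (assumed relative, e.g. keys/ca.crt).
    files=$(awk '$1 == "ca" || $1 == "cert" || $1 == "key" { print $2 }' "$tmp")

    # Refuse to install anything if a referenced file is missing.
    for rel in $files; do
        if [ ! -f "$src/$(basename "$rel")" ]; then
            echo "missing: $src/$(basename "$rel")" >&2
            rm -f "$tmp"
            return 1
        fi
    done

    # Copy certificates and keys, readable by the owner only.
    for rel in $files; do
        mkdir -p "$(dirname "$dest/$rel")" || return 1
        cp "$src/$(basename "$rel")" "$dest/$rel" || return 1
        chmod 600 "$dest/$rel"
    done

    # Put the cleaned configuration in place under its original name.
    mv "$tmp" "$dest/$name"
}
```

On the storage the third argument would be /usr/syno/etc/synovpnclient/openvpn; the first two depend on where the edited file and the certificates were placed.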
To connect to the OpenVPN server, go to “Control Panel > Network > Network Interface”, select the connection we created and click the “Connect” button. Thanks to the line “redirect-gateway def1” in the configuration file, the Synology will use the created tunnel as its main route to the Internet; when disconnected from the VPN server, the storage will again reach the Internet through the router on the local network.
Configuring other devices
Now it remains to teach the rest of the devices to choose their path to the Internet. For this, I created two scripts with the following contents:
directly.bat:
route change 0.0.0.0 mask 0.0.0.0 255.255.255.254 metric 1
through the tunnel.bat:
route change 0.0.0.0 mask 0.0.0.0 255.255.255.255 metric 1
where 255.255.255.254 is the address of the home router, and 255.255.255.255 is the address of the Synology on the local network.
When one of the devices needs to reach the Internet through the Russian channel on the Synology, the VPN connection is brought up via the web interface and the default gateway on the PC is changed with a script. When the need passes, the connection on the Synology is taken down and the other script restores the default gateway on the PC.
Speed
With my usage pattern, this configuration loads the storage processor to no more than 80%, which is a lot but not critical. Keep in mind too that this configuration introduces large delays, and the speed through the tunnel in my case does not exceed 8 megabits, with a home Internet speed of 20 megabits and 40 megabits at the far end of the tunnel.