Synology NAS – OpenVPN: enable certificate based authentication

By default, the GUI lets you enable only username-password based authentication for OpenVPN.

That alone is not very secure; certificate-based authentication gives you higher security and can protect against MITM attacks.

But you can only set this in the configuration file of the OpenVPN service, which means you have to log in to the NAS via SSH.

I assume you have already enabled OpenVPN and configured your NAS to use a certificate (https), so you have a CA and can generate certs and keys. The content below therefore only describes the certificate-based authentication.

Enable OpenVPN


preconfigured PKI in NAS

For the next part, you need some skill and experience with the console, so please do it only if you know what you are doing!

First enable SSH:

Go to Control Panel, Terminal, and enable the SSH service.

Enable SSH

Then log in to the NAS and change the VPN settings:

$ ssh myadminuser@192.168.1.102
myadminuser@mynas:~$ sudo su
ash-4.3# cd /usr/syno/etc/packages/VPNCenter/openvpn
ash-4.3# vim openvpn.conf

In openvpn.conf, remove the line client-cert-not-required, or disable it by putting a # character at the start of the line:

#client-cert-not-required

To save the change and exit from vim (it's a console-based editor), press the ESC key, then type:
:wq
and press Enter (write and quit; if you don't want to save, type :q! instead).

Now restart the NAS, or disable and re-enable the VPN setting in the GUI to restart the VPN service.
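
The same edit and a check that it took effect, as an added example that is not part of the original post. It assumes a POSIX shell with sed, grep and mktemp; the function names are hypothetical. It goes slightly beyond the single line edited above by also flagging verify-client-cert none/optional (the OpenVPN 2.4+ spelling of the same switch) and a missing CA.

```shell
#!/bin/sh
# Added example (not from the original post): comment out the directive with
# sed instead of vim, then verify that client certificates are enforced.

# Active config lines: leading blanks stripped, '#' and ';' comments dropped.
active_lines() {
    sed -e 's/^[[:space:]]*//' -e '/^[#;]/d' -e '/^$/d' "$1"
}

# Return 0 if the server config demands a client certificate, 1 otherwise.
requires_client_cert() {
    # Directive the post removes (pre-2.4 spelling).
    if active_lines "$1" | grep -Eq '^client-cert-not-required([[:space:]]|$)'; then
        echo "FAIL: client-cert-not-required is active" >&2; return 1
    fi
    # OpenVPN 2.4+ spelling of the same switch; "optional" also lets
    # certificate-less clients in.
    if active_lines "$1" | grep -Eq '^verify-client-cert[[:space:]]+(none|optional)([[:space:]]|$)'; then
        echo "FAIL: verify-client-cert none/optional is active" >&2; return 1
    fi
    # Without a CA the server cannot verify any client certificate.
    if ! active_lines "$1" | grep -Eq '^(ca[[:space:]]|<ca>)'; then
        echo "FAIL: no ca directive found" >&2; return 1
    fi
    echo "OK: client certificate required"
}

# Comment out client-cert-not-required, keeping a backup in <file>.bak.
enforce_client_cert() {
    cp -p "$1" "$1.bak" || return 1
    sed -e 's/^\([[:space:]]*\)\(client-cert-not-required\)/\1#\2/' "$1.bak" > "$1"
}

# Demo on a constructed config (sample values, not a real Synology file).
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' 'dev tun' 'ca /path/to/ca.crt' \
        '  client-cert-not-required' 'username-as-common-name' > "$tmp"
    before=0; requires_client_cert "$tmp" 2>/dev/null || before=$?
    enforce_client_cert "$tmp" || return 1
    after=0; requires_client_cert "$tmp" >/dev/null || after=$?
    rm -f "$tmp" "$tmp.bak"
    echo "before=$before after=$after"
}
```

On the NAS, source the functions as root and run requires_client_cert /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf after the restart to confirm the setting is still in place.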

Finally, if you want to access your NAS via OpenVPN from your Android-based mobile:

Install OpenVPN on the phone

Download from GPlay: OpenVPN

Click + and import profile from file.

Create a config file similar to this one:


client
remote mynas 1212
auth-user-pass
reneg-sec 0
cipher AES-256-CBC
auth SHA512
comp-lzo yes
dev tun
dev-type tun
proto tcp
port 1212
route '192.168.1.0' '255.255.255.0' '10.8.0.5' 0
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nobody
group nogroup
<cert>
-----BEGIN CERTIFICATE-----
MII...here add the content of your certificate file
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
MII...here add the content of your key file
-----END RSA PRIVATE KEY-----
</key>
<ca>
-----BEGIN CERTIFICATE-----
MII...here add the content of your CA certificate
-----END CERTIFICATE-----
</ca>

How to test your NAS speed

This is just something personal.

Recently I installed a Synology NAS (DS216j) in my home and wanted to test the speed of this NAS. Of course you can test it via file copy, but I wanted to know several values:

  • the maximum available raw speed when my computer is connected to the NAS
  • the maximum available raw speed when my mobile is connected to the NAS
  • and the Samba speed when my mobile is using the NAS

So first of all, I enabled the SSH connection to my NAS, then copied my wifi-speed-test-server.py file to the NAS. This Synology NAS already has Python support, so I could start it easily:

pzolee@pzoleenas:/volume1/$ python wifi_speed_test_server.py

Then I just downloaded and started the Java version of the WiFi Speed Test app, set the IP address of the NAS and started the test:

Wow, it was an impressive 316 Mbps (~40 MB/s). My laptop is using AC WiFi.

Then I tested the same on my mobile (LG G4) with my WiFi Speed Test app:

 

It was very similar, 33 MB/s.

And finally I tested the Samba speed:

Using my laptop, I could reach a 40 MB/s transfer rate via Samba, but my phone could only transfer at 7 MB/s.