Synology NAS – OpenVPN: enable certificate based authentication
June 5, 2020
By default, the GUI only lets you enable username/password based authentication for OpenVPN.
That alone is not very secure; certificate based authentication gives you higher security and helps protect against man-in-the-middle (MITM) attacks.
But this can only be set in the configuration file of the OpenVPN service, which means you have to log in to the NAS via SSH.
I assume you have already enabled OpenVPN and configured your NAS to use a certificate (HTTPS), so you have a CA and can generate certificates and keys; the content below only describes the certificate based authentication.
The next part requires some skill and experience with the console, so only do it if you know what you are doing!
First enable SSH:
Go to Control Panel, Terminal, and enable the SSH service.
Then log in to the NAS and change the VPN settings:
$ ssh myadminuser@192.168.1.102
myadminuser@mynas:~$ sudo su
cd /usr/syno/etc/packages/VPNCenter/openvpn
ash-4.3# vim openvpn.conf
client-cert-not-required -> remove this line, or disable it by putting a # character at the start of the line, like #client-cert-not-required
To save the change and exit from vim (a console based editor), press the ESC key, then type:
:wq
and press Enter (write & quit; if you don't want to save, type :q! instead).
Now restart the NAS, or disable and re-enable the VPN server in the GUI to restart the VPN service.
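The same server-side edit as a script, added here as an example that is not part of the original post: it comments out the directive instead of editing openvpn.conf by hand in vim, keeps a backup, and gives you a check you can rerun after a package update to confirm that clients still have to present a certificate. The default path is the one used above; passing another path as the first argument is only for testing. Besides the post's client-cert-not-required, the check also catches the equivalent OpenVPN 2.4+ spelling verify-client-cert none/optional.

```shell
#!/bin/sh
# Added example (not from the original post): harden a Synology OpenVPN
# server config so that clients must present a certificate.
# Run as root on the NAS; the path below is the one the post edits in vim.

SYNO_OPENVPN_CONF=/usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf

# Return 0 only if no active (uncommented) line lets clients in without a
# certificate. Handles "client-cert-not-required" (the post's directive)
# and the newer "verify-client-cert none|optional" form.
server_requires_client_cert() {
    conf="${1:-$SYNO_OPENVPN_CONF}"
    [ -f "$conf" ] || { echo "config not found: $conf" >&2; return 2; }
    if grep -Eq '^[[:space:]]*(client-cert-not-required|verify-client-cert[[:space:]]+(none|optional))([[:space:]]|$)' "$conf"; then
        return 1
    fi
    return 0
}

# Comment out the offending directive(s) rather than deleting them, keep a
# .bak copy, then verify. Lines that are already commented are left alone,
# so rerunning the function is harmless.
require_client_cert() {
    conf="${1:-$SYNO_OPENVPN_CONF}"
    [ -f "$conf" ] || { echo "config not found: $conf" >&2; return 2; }
    cp "$conf" "$conf.bak"
    sed -e 's/^[[:space:]]*client-cert-not-required/#&/' \
        -e 's/^[[:space:]]*verify-client-cert[[:space:]][[:space:]]*none/#&/' \
        -e 's/^[[:space:]]*verify-client-cert[[:space:]][[:space:]]*optional/#&/' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    if server_requires_client_cert "$conf"; then
        echo "$conf: clients must now present a certificate (backup: $conf.bak)"
        echo "restart the VPN service (disable/enable VPN Server in the GUI) to apply"
        return 0
    fi
    echo "$conf: certificate-less logins are still allowed, check the file by hand" >&2
    return 1
}
```

Run require_client_cert once after enabling SSH, and keep server_requires_client_cert around as a quick post-update check: VPN Server updates can rewrite openvpn.conf, and the check exits non-zero the moment the directive is active again.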
Finally, if you want to access your NAS via OpenVPN from an Android phone:
Install OpenVPN on the phone
Download it from Google Play: OpenVPN
Tap + and import a profile from a file.
Create a config file similar to this one (auth-user-pass stays in, so the client needs both the certificate and the username/password):
client
remote mynas 1212
auth-user-pass
reneg-sec 0
cipher AES-256-CBC
auth SHA512
comp-lzo yes
dev tun
dev-type tun
proto tcp
port 1212
route '192.168.1.0' '255.255.255.0' '10.8.0.5' 0
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nobody
group nogroup
<cert>
-----BEGIN CERTIFICATE-----
MII...here add the content of your certificate file
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
MII...here add the content of your key file
-----END RSA PRIVATE KEY-----
</key>
<ca>
-----BEGIN CERTIFICATE-----
MII...here add the content of your CA certificate
-----END CERTIFICATE-----
</ca>
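Pasting three PEM files into the profile by hand is where mistakes happen (a missing END line, the wrong file in the wrong block). The script below, added as an example and not part of the original post, builds the profile shown above from the CA certificate, client certificate and client key files and checks the result before you copy it to the phone. The host name, port and route are the post's values; the file names and the check itself are assumptions. The user, group and script-security lines from the post are left out here because they concern a daemon on a Unix host rather than the phone app.

```shell
#!/bin/sh
# Added example (not from the original post): build the inline Android
# profile from PEM files and sanity-check it.

# A PEM file must exist and carry the expected BEGIN header, e.g.
# "CERTIFICATE" or "PRIVATE KEY" (matches RSA, EC and PKCS#8 key headers).
pem_has_header() {
    file="$1"; header="$2"
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    grep -q "^-----BEGIN .*$header-----$" "$file" \
        || { echo "$file: no '$header' block found" >&2; return 1; }
}

# Check that a profile carries all three inline blocks, still asks for a
# username/password on top of the certificate, and names a remote.
check_client_profile() {
    p="$1"; ok=0
    for tag in ca cert key; do
        grep -q "^<$tag>$" "$p" && grep -q "^</$tag>$" "$p" \
            || { echo "$p: missing <$tag> block" >&2; ok=1; }
    done
    grep -q '^auth-user-pass' "$p" || { echo "$p: auth-user-pass missing" >&2; ok=1; }
    grep -q '^remote ' "$p" || { echo "$p: remote missing" >&2; ok=1; }
    return $ok
}

# Args: NAS host, port, ca.crt, client.crt, client.key, output profile.
# awk is used instead of cat so every PEM block ends with a newline even if
# the source file does not; otherwise the closing tag would be glued to it.
build_client_profile() {
    host="$1"; port="$2"; ca="$3"; cert="$4"; key="$5"; out="$6"
    pem_has_header "$ca" CERTIFICATE || return 1
    pem_has_header "$cert" CERTIFICATE || return 1
    pem_has_header "$key" "PRIVATE KEY" || return 1
    {
        printf '%s\n' client "remote $host $port" "proto tcp" "port $port" \
            "dev tun" "dev-type tun" nobind \
            auth-user-pass auth-nocache "reneg-sec 0" \
            "cipher AES-256-CBC" "auth SHA512" "comp-lzo yes" \
            persist-key persist-tun \
            "route '192.168.1.0' '255.255.255.0' '10.8.0.5' 0"
        printf '%s\n' '<ca>';   awk '{ print }' "$ca";   printf '%s\n' '</ca>'
        printf '%s\n' '<cert>'; awk '{ print }' "$cert"; printf '%s\n' '</cert>'
        printf '%s\n' '<key>';  awk '{ print }' "$key";  printf '%s\n' '</key>'
    } > "$out"
    # the profile now contains the private key: owner-only access
    chmod 600 "$out"
    check_client_profile "$out"
}
```

Usage: build_client_profile mynas 1212 ca.crt client.crt client.key mynas.ovpn, then import mynas.ovpn in the app. Treat the .ovpn like the key file itself: it is a full login credential for the VPN, minus the password.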