Trouble to connect to VPN with OpenVPN

[poupou_gogui]

Hey everybody,

First, sorry if my english is not correct... I'm french.

I create this topic to try to find a solution to connect my QNAP to VPN using .ovpn file.

So, this is my configuration and what I would like to do :


Configuration :
- QNAP TS-251
- QTS 4.2.2 V. 2016/09/01

- I Use a Box - it's like a little router (French provider : Bouygues Telecom - BBOX Evolution - Fibre)

- VPN Provider : http://www.vpnfacile.net (it's a french provider, i'm not happy about my choice....)
This provider propose to configure VPN using this methode (it works on my Mac and on my Raspberry) :

• - config.ovpn file

• - certificat ca.crt

• - key ta.key

• - list of adress

• - Use TCP on the port 443

Why I need a VPN

Seriously ?... To download torrent (non copyright torrent of course ! ), and due to the french law I have to hide my IP (On my Raspberry I used an IP from Netherland)

What I did and what happened ?

I'm sorry : everytime i tried, it failed, so I deleted files and logs... So I can't be more explicite...

First i opened the port TCP 443 on my box (but i'm not sure of me...)

Capture d’écran 2016-09-10 à 18.11.53.png

I followed all this tuto :

• https://www.qnap.com/en/qa/con_show.php ... ne&cid=299

• https://vpnfacile.net/comment-installer ... ology.html (this is for Synology, it was just to inspire myself...)

• https://support.nordvpn.com/hc/en-us/ar ... -NAS-setup

• https://support.purevpn.com/qnap-nas-qt ... etup-guide

I retrieved this log files :

Code: Select all

Fri Sep  9 23:52:07 2016 OpenVPN 2.3.6 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Sep  1 2016
Fri Sep  9 23:52:07 2016 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.05
Fri Sep  9 23:52:07 2016 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Sep  9 23:52:07 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Sep  9 23:52:07 2016 Control Channel Authentication: tls-auth using INLINE static key file
Fri Sep  9 23:52:07 2016 Attempting to establish TCP connection with [AF_INET]164.132.74.1:443 [nonblock]
Fri Sep  9 23:52:08 2016 TCP connection established with [AF_INET]164.132.74.1:443
Fri Sep  9 23:52:08 2016 TCPv4_CLIENT link local: [undef]
Fri Sep  9 23:52:08 2016 TCPv4_CLIENT link remote: [AF_INET]164.132.74.1:443
Fri Sep  9 23:52:08 2016 Connection reset, restarting [0]
Fri Sep  9 23:52:08 2016 SIGTERM[soft,connection-reset] received, process exiting

This is my client.ovpn file :

Code: Select all

client
dev tun
proto udp
remote xxx.vpnxxxxxxx.nxx 443
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
tls-auth /share/Download/vpn/ta.key
ca /share/Download/vpn/ca.crt
reneg-sec 0
auth-user-pass /share/Download/vpn/pass.txt
log-append /share/Download/vpn/openvpn.log
remote-cert-tls server
#mute 10000
comp-lzo
verb 3
pull
fast-io
cipher AES-256-CBC

Why I need you ?

Seriously ? I'm a newbie ! I don't understand anything, I don't understand the words in the log files... And seriously I'M GETTING CRAZY !!!!

I know I made a mistake, but where ? How can I fix it ?
Did you know another tutorial ?

I'm OK to change my VPN provider (but only if it works...).

Thank you for your help !
See you soon.

Greg

[Don]

I am by no means an openvpn expert but you need to look at why the connection is being reset

Code: Select all

Connection reset, restarting [0]

after it is established.

Code: Select all

TCP connection established with [AF_INET]164.132.74.1:443

Maybe your vpn provider can provide info on why the connection is resetting or maybe there are more detailed logging on the NAS that you can enable.

Also since this is an outgoing connection you should not need to forward port 443.

I use openvpn server on my router and I can connect Windows and IOS clients from the internet to it with no issues. It just works. One of these days I'll try the vpn client to a vpn provider on the NAS for non copyrighted torrents also . Hopefully someone with more VPN experience will jump in.

BTW, there is a French QNAP forum --> forum.qnapclub.fr

[poupou_gogui]

Hey Don,

thanks for your answer.
I tried to connect with another provider and with OpenVPN I have the same troubles, but now I can connect to PPTP.

I didn't try manual installation and .conf / .ovpn modification... (I have to stop it because my wife is getting mad against me )

Thanks for your information about the port 443 forwarding...

And I will post into the 2 french forum to hve more help

See you soon.
Greg

[poupou_gogui]

I'm back and I have a good new !!!

I can connect to my VPN Provider : Torguard... (but i have another trouble... read at the end of this reply)

I followed this tutorial : https://support.nordvpn.com/hc/en-us/ar ... -NAS-setup

BUT I have to connect the vpn manually by command openvpn --config /path/xxx.ovpn

And when I close "terminal" it close the vpn connection... It's not acceptable because I would like to keep the connection every day and night.

Can you help me to solve this problem ?
I don't know, perhaps a script ?
What do you think about this : i can create a .sh who contain the command openvpn --config and I run the script at each reboot (or every day at 2.00 am). The risk is that the script could run everytime, no ?
Do you have another idea ?

Thanks
Greg

[MrQuake]

Hi,

I have the same need: setup VPN with the GUI interface, not going to this command line, come on we are end user not developers.

It is available on Synology DSM, you can pick up a .openvpn file to setup up your openvpn connection.


I do expect qnap to update the interface to specify all options, or to load a file


Another feature would be also a killswitch, if vpn connection is getting down, then block all internet traffic instantly, or shutdown an application like download manager

Hope qnap will work on it, they are far from competitor, and at the end it is about SECURITY

BR

[Waynebacsi]

Hi,
I have the same problem in Gemany. Tried a tons of tutorials out, googled much but not succeeded yet. I found an another solution (untill it will be fixed): I made a virtual machine with windows 7 on my NAS, i connect with windows remote desktop into that and set up everything in normal way... It isnt the best way, costs many system resource, but works I hope your understand me.... my english could be better

[poupou_gogui]

Hi !
I forget the Idea... I would like To try with a raspberry but i didn't have time...
For now i'm downloading on a private tracker so i have no problem with the french law....
I'm waiting for qts 4.3.. (but Mr Quake : it's easy with a Synology and very hard with a qnap...)
Greg

[Waynebacsi]

I can connect now with PPTP.I followed this guide: https://www.expressvpn.com/support/vpn- ... qnap-pptp/ As i earlier wrote i installed a win7 on my nas (virtual mashine) and to controll if it works checked my IP... and its unfortunatelly my real IP without changes. How can it be if it shows connected to vpn? Doesnt go the whole NAS data stream though the VPN? Maybe just the part of them?

[schumaku]

As i earlier wrote i installed a win7 on my nas (virtual mashine) and to controll if it works checked my IP... and its unfortunatelly my real IP without changes. How can it be if it shows connected to vpn? Doesnt go the whole NAS data stream though the VPN? Maybe just the part of them?

A virtual machine has it's own network interface, either bridged to a shared NAS interface, or dedicated. In neither case, the VM can know anything about routing, VPNs or the like on the NAS. It's just like yet another computer on your network.

[ykcorse]

Same problem here, can make it work from command line with openvpn --config /path/xxx.ovpn, but then what is the UI for? what is the point on providing a user interface for setting up the openvpn client if at the end we all have do it via command line?
Anyways, my fix was to to modify the /etc/init.d/vpn_openvpn_client.sh so it invokes the openvpn command instead of vpn_util in the start method. It seems like this is the file executed when you click on "Connect" in the VPN Client UI.

Original /etc/init.d/vpn_openvpn_client.sh:

Code: Select all

start()
{
	init_environment
	init_kernel_modules
	
	/bin/echo "Start OpenVPN connection."
	
	for index in $(eval echo {${VPN_CONF_S}..${VPN_CONF_E}}); do
		local ENABLE=`getcfg -f "${VPN_CONF}" "OPENVPN_CLIENT${index}" "Enable"`
		[ x"${ENABLE}" != "xTRUE" ] && continue
		
		local SERVER=`getcfg -f "${VPN_CONF}" "OPENVPN_CLIENT${index}" "Server Address"`
		[ x"${SERVER}" == "x" ] && continue
		
		local PID_FILE="/var/run/openvpn.client${index}.pid"
		
		local PID=`cat "${PID_FILE}" 2>/dev/null`
		if [ x"${PID}" != "x" ]; then
			local PS=`ps | grep openvpnclient | grep "${PID}" | grep -v grep`
			[ x"${PS}" != "x" ] && continue
		fi
		
		/sbin/vpn_util openvpn_client_start "${index}"
	done
}

Modified/etc/init.d/vpn_openvpn_client.sh:

Code: Select all

start()
{
	init_environment
	init_kernel_modules
	
	/bin/echo "Start OpenVPN connection."
	
	for index in $(eval echo {${VPN_CONF_S}..${VPN_CONF_E}}); do
		#local ENABLE=`getcfg -f "${VPN_CONF}" "OPENVPN_CLIENT${index}" "Enable"`
		#[ x"${ENABLE}" != "xTRUE" ] && continue
		
		local SERVER=`getcfg -f "${VPN_CONF}" "OPENVPN_CLIENT${index}" "Server Address"`
		[ x"${SERVER}" == "x" ] && continue
		
		local PID_FILE="/var/run/openvpn.client${index}.pid"
		
		local PID=`cat "${PID_FILE}" 2>/dev/null`
		if [ x"${PID}" != "x" ]; then
			local PS=`ps | grep openvpnclient | grep "${PID}" | grep -v grep`
			[ x"${PS}" != "x" ] && continue
		fi
		
		# replace the ovpn file by yours
		openvpn --config /share/Download/VPN/us119udp.ovpn
		#/sbin/vpn_util openvpn_client_start "${index}"
	done
}

Of course, this is a very quick fix to launch the vpn connection from the command line, but it could be farther improved. At home I modified it a bit more so the ovpn file is retrieved from the vpn configuration files, and not hardcoded, and also some changed need to be done for the disconnect to work.

Now my question is... any body knows where to find any documentation on /sbin/vpn_util openvpn_client_start ? In my case it does nothing, and I can't fin anything on the internet about it.

[kirifet]

Did any of you guys managed to connect to OpenVPN automatically? I'm still having to connect using openvpn --config /path/xxx.ovpn

[ykcorse]

The last verison of QTS (4.3.2) comes with QVPN Service, which supports .ovpn files. It works for me.

[paulcwchui]

Hi ykcorse,

Like you I am setting up my OpenVPN client connection on TS-251C v.4.3.2, however after clicking the connect button the vpn client keeps connecting and failed without a message returned. The attempts were trying it again and again. What I did was downloading a .ovpn file from the vpn server setup page and modified it with my vpn provider's configuration. The vpn client imported my .ovpn file successfully and asked me for user name and password and then I started to try connecting the vpn server. I can ping the vpn server successfully so I am sure the vpn server is alive.

What I suspect is there is some configuration I have missed in my .ovpn file or maybe I need to do some configuration to my router (I am not sure I have to do this or not).

You said your connection works with 4.3.2. Could you share your .ovpn file which I can refer for my own connection. I understand that different vpn providers vary on their setting.
And could you share your (special) steps before successfully connecting your vpn server? I would like to know any steps to take other than the .ovpn file setting, e.g. copying any files to specific directories in my NAS, the guide below for older firmware versions requires doing things like this. And finally is there any setting has to done to the router, e.g. port forward.

https://support.purevpn.com/qnap-nas-qt ... etup-guide

By the way, I can connect to the same vpn server via PPTP without problem, just don't know why OpenVPN does not work.

My NAS setup:
TS-251C
Firmware 4.3.2
VPN provider: PureVPN

Thank you very much for your help

[peelos]

As i earlier wrote i installed a win7 on my nas (virtual mashine) and to controll if it works checked my IP... and its unfortunatelly my real IP without changes. How can it be if it shows connected to vpn? Doesnt go the whole NAS data stream though the VPN? Maybe just the part of them?

A virtual machine has it's own network interface, either bridged to a shared NAS interface, or dedicated. In neither case, the VM can know anything about routing, VPNs or the like on the NAS. It's just like yet another computer on your network.

Sorry to resurrect an old thread but I have really hit a brick wall with trying to access a VM over a OpenVPN connection and Schumaku, you seem to be the person on this forum with the most understanding of my required setup which I tried to describe here: viewtopic.php?f=231&t=132457

Do you mean that a VM can bridge to an ethernet socket that is connected as an OpenVPN server? Or is this only when an ethernet port is used as a VPN client?

I am also based in Zurich, would happily be prepared to somehow compensate you for your time helping me to get this working!

thanks in advance

[schumaku]

Hi Peelos,

How is the VM configured on the Virtual Switch? If I'm right, the OpenVPN connection using the 10.0.8.0/24 as a connection network. From there any connection to other IP addresses (permitting the OPenVPN client is configured routing the traffic into the VPN) does go out on the OpenVPN-configured LAN interface of the NAS, everything is NATed 1:1 to that LAN IP address. From here, you can reach ie. other addresses on the LAN. With the VM configured to a dedicated interface (not to a Virtual Switche with it's own subnetwork typically NATed to another interface, or the same OpenVPN interface) I would assume the VM is able to be configured direct into the LAN subnetwork - and the VM should be reachable then.

Does this brief idea help?

Away from today for some days off - good stuff for some brainstorming. Can you get in touch with me by Sykpe chat? I expect to be online almost 24*7 but wont be able to answer in time.

Regards,
-Kurt