working QNAP VPN

I found a working guide, so I came to share it with whoever has a problem with the QNAP VPN client.


Figuring out VPN how to get it working with PIA

Post by herrmastertje » Tue Jan 19, 2016 8:41 pm

I've figured out how to create a VPN client connection on your QNAP with a PIA account.


First, create a VPN client connection on your QNAP with your PIA account details.
For the correct settings, see the screenshot.

(screenshot: Screen Shot 01-19-16 at 08.24 PM.PNG)


Don't forget to upload the CA certificate.


That will not work.
To get it working, the following must be done:

Make a connection to your QNAP with PuTTY or WinSCP.

Go to /mnt/HDA_ROOT/.config/openvpn/clients
There you will find the file `client1` that was just created.

You have to edit some settings.

First, below is the original file, with the lines to be removed marked in red.

dev tun2001
proto udp
remote nl.privateinternetaccess.com 1194
client
nobind
cipher none
writepid /var/run/openvpn.client1.pid
reneg-sec 0
tls-cipher
tls-exit
remap-usr1 SIGTERM
connect-retry-max 1
auth-retry nointeract
resolv-retry infinite
route-noexec
auth-user-pass /etc/config/openvpn/clients/client1.auth
script-security 3
up /etc/openvpn/openvpn_up
down /etc/openvpn/openvpn_down
daemon openvpn-client
plugin /usr/lib/vpn_ext.so 1
<ca>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</ca>



OK, now the new file, with the lines to be added marked in red.

dev tun2001
proto udp
remote nl.privateinternetaccess.com 1194
client
nobind
tls-client
writepid /var/run/openvpn.client1.pid
reneg-sec 0
remap-usr1 SIGTERM
connect-retry-max 1
auth-retry nointeract
resolv-retry infinite
route-noexec
auth-user-pass /etc/config/openvpn/clients/client1.auth
comp-lzo
keepalive 10 60
script-security 3
up /etc/openvpn/openvpn_up
down /etc/openvpn/openvpn_down
daemon openvpn-client
log-append /share/Download/openvpn.log
tls-exit
plugin /usr/lib/vpn_ext.so 1
<ca>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</ca>


I have added the line "log-append /share/Download/openvpn.log" so that you can check for problems if it won't run.


Attempt to make a connection using the GUI.
It will look something like this.

Comments

  • In my many iterations of getting OpenVPN for PIA working on my QNAP, my final client1 file looked much like yours except that I included these additional three lines immediately after the "tls-client" line:

    persist-key
    persist-tun
    remote-cert-tls server
  • edited July 2016
    So, with PIA finally opening up more secure security options for other devices, we can now get the QNAP VPN client connecting with AES-256, SHA256 and RSA 4096.......

    2. Copy ca.rsa.4096.crt and crl.rsa.4096.pem files to /etc/config/openvpn/keys/ directory on your QNAP
    3. Configure the VPN via the GUI as normal, with 1197 as the UDP port, and import the RSA 4096 crt on the GUI page.
    4. Hit the Connect button to establish the VPN. It should connect, but you won't receive any packets... Hit the Disconnect button now.
    5. SSH or Telnet (or SCP) to the QNAP and modify the /etc/config/openvpn/clients/client1 file:

    Original file should look something like the following:

    dev tun2001
    proto udp
    remote remote-server-address 1197
    client
    nobind
    comp-lzo
    writepid /var/run/openvpn.client1.pid
    reneg-sec 0
    tls-cipher TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
    tls-exit
    remap-usr1 SIGTERM
    connect-retry-max 1
    auth-retry nointeract
    resolv-retry infinite
    route-noexec
    auth-user-pass /etc/config/openvpn/clients/client1.auth
    script-security 3
    up /etc/openvpn/openvpn_up
    down /etc/openvpn/openvpn_down
    daemon openvpn-client
    plugin /usr/lib/vpn_ext.so 1
    <ca>
    -----BEGIN CERTIFICATE-----
    xxx
    xx
    xx
    -----END CERTIFICATE-----
    </ca>


    You need to modify the file to look like:

    dev tun2001
    proto udp
    remote remote-server-address 1197
    client
    nobind
    cipher AES-256-CBC
    auth SHA256
    comp-lzo
    writepid /var/run/openvpn.client1.pid
    reneg-sec 0
    persist-key
    persist-tun
    cipher aes-256-cbc
    auth sha256
    tls-client
    remote-cert-tls server
    tls-exit
    remap-usr1 SIGTERM
    connect-retry-max 1
    auth-retry nointeract
    resolv-retry infinite
    route-noexec
    auth-user-pass /etc/config/openvpn/clients/client1.auth
    script-security 3
    up /etc/openvpn/openvpn_up
    down /etc/openvpn/openvpn_down
    daemon openvpn-client
    plugin /usr/lib/vpn_ext.so 1
    ca /etc/config/openvpn/keys/ca.rsa.4096.crt
    crl-verify /etc/config/openvpn/keys/crl.rsa.4096.pem


    6. Finished.

    If you log the connection, you do get errors with the SHA256 and AES256 initial configuration options, but you get the same errors with the PIA Windows client anyhow, and it connects at the more secure settings anyway (I think!!).
  • edited August 2016
    Thanks OneHans for the info. I changed mine as it was dropping the connection every 2 mins.

    Works like a charm and still connected after 6 hours so far.


  • I'm not sure if anyone is following this post or not, but hopefully someone has some insight. I tried the above and can connect and get an IP. In the QNAP UI for the VPN client it shows data sent but 0 data received. If I ping www.google.com I don't get a response until I disconnect the VPN client. I made the changes as explained above but noticed that the client1 file gets overwritten when I connect. Any ideas on where the default config comes from?

    When I connect it gets changed from what is above to this:
    dev tun2001
    proto udp
    remote us-east.privateinternetaccess.com 1194
    client
    nobind
    cipher AES-128-CBC
    writepid /var/run/openvpn.client1.pid
    reneg-sec 0
    tls-cipher TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
    tls-exit
    remap-usr1 SIGTERM
    connect-retry-max 1
    auth-retry nointeract
    resolv-retry infinite
    route-noexec
    auth-user-pass /etc/config/openvpn/clients/client1.auth
    script-security 3
    up /etc/openvpn/openvpn_up
    down /etc/openvpn/openvpn_down
    daemon openvpn-client
    plugin /usr/lib/vpn_ext.so 1
  • I cannot find how to:

    2. Copy ca.rsa.4096.crt and crl.rsa.4096.pem files to /etc/config/openvpn/keys/ directory on your QNAP

    How do you copy these files over? I cannot see it in Finder.

    Any help would be much appreciated.

    Mark
  • edited March 2018
    I would suggest that we start embedding the cert and pem in the ovpn file as that's an option. Other VPN providers do this natively, and I'm not sure why PIA doesn't. It simplifies things tremendously.

    Something along these lines:


    client
    dev tun2001
    proto udp
    remote swiss.privateinternetaccess.com 1197
    remote 179.43.151.34 1194
    remote-random
    resolv-retry infinite
    nobind
    persist-key
    persist-tun

    cipher aes-256-cbc
    auth sha256
    tls-client
    remote-cert-tls server
    tls-exit
    auth-user-pass
    comp-lzo
    verb 1
    writepid /var/run/openvpn.client1.pid
    remap-usr1 SIGTERM

    #ping if no packets received in X seconds to keep control channel up.
    ping 15
    ping-restart 0
    ping-timer-rem
    reneg-sec 0

    #pulls routes from server, must be a trusted source
    pull
    #experimental option to optimize TUN/TAP/UDP I/O writes; improves efficiency by 5-10% on UDP traffic. Not on Windows.
    fast-io

    #inline certificates
    <ca>
    -----BEGIN CERTIFICATE-----
    xxx
    xx
    xx
    -----END CERTIFICATE-----
    </ca>

    key-direction 1

    #Check peer certificate against the file crl in PEM format
    <crl-verify>
    -----BEGIN X509 CRL-----
    xxx
    xx
    xx
    -----END X509 CRL-----
    </crl-verify>
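A check for the settings the thread turns on: the first post's removal of `cipher none` and the empty `tls-cipher`, and the July 2016 comment's `remote-cert-tls server`, `ca` and `crl-verify` additions. This is an added example written for this page, not code from QNAP, PIA or any poster; the function name and messages are its own, and it only reads the config file, so it can be re-run after each connect to see whether the GUI has reverted the edits (as one commenter observed).

```shell
#!/bin/sh
# Lint a QNAP OpenVPN client config (e.g. /etc/config/openvpn/clients/client1)
# for the problems this thread shows: 'cipher none', an empty 'tls-cipher',
# 3DES in the TLS list, no 'remote-cert-tls server', no CA and no CRL.
# Added example; function name and messages are this example's own.
# Usage: check_ovpn_config <file>   (return value = number of findings)

check_ovpn_config() {
    cfg="$1"
    n=0
    if [ ! -r "$cfg" ]; then
        echo "cannot read $cfg" >&2
        return 99
    fi
    # True when a line starts with the given directive pattern.
    cfg_has() { grep -Eq "^[[:space:]]*$1" "$cfg"; }

    # 'cipher none' turns off data-channel encryption entirely (original file).
    if cfg_has 'cipher[[:space:]]+none[[:space:]]*$'; then
        echo "FAIL: 'cipher none' sends tunnel traffic unencrypted"; n=$((n + 1))
    fi
    # A bare 'tls-cipher' with no list is the broken line the guide removes.
    if cfg_has 'tls-cipher[[:space:]]*$'; then
        echo "FAIL: 'tls-cipher' has no cipher list"; n=$((n + 1))
    fi
    # The list QTS regenerates on connect still allows 3DES for the control channel.
    if cfg_has 'tls-cipher[[:space:]]+.*3DES'; then
        echo "WARN: 'tls-cipher' list allows 3DES"; n=$((n + 1))
    fi
    # Without this, any certificate issued by the CA could pose as the VPN server.
    if ! cfg_has 'remote-cert-tls[[:space:]]+server'; then
        echo "WARN: 'remote-cert-tls server' missing"; n=$((n + 1))
    fi
    # The CA may be a file path ('ca /path') or an inline <ca> block.
    if ! cfg_has '(ca[[:space:]]+[^[:space:]]|<ca>)'; then
        echo "FAIL: no CA certificate (ca file or <ca> block)"; n=$((n + 1))
    fi
    # The CRL may be a file path or an inline <crl-verify> block.
    if ! cfg_has '(crl-verify[[:space:]]+[^[:space:]]|<crl-verify>)'; then
        echo "WARN: no crl-verify, revoked server certs are still accepted"; n=$((n + 1))
    fi
    if [ "$n" -eq 0 ]; then
        echo "OK: no findings in $cfg"
    fi
    return "$n"
}
```

Run it against the file QTS writes after you press Connect; a non-zero exit code means the GUI has put back one of the settings the thread removes.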
