Hello!
I know there are already many articles about OpenVPN settings. However, I found that there is basically no systematic information on the topic in the title, so I decided to share my experience, first of all with those who are not gurus of OpenVPN administration but would like to connect remote subnets site-to-site on a Synology NAS. At the same time, this is a note for myself for future reference.
So. There is a Synology DS918+ NAS with the VPN Server package installed, OpenVPN configured, and users who can connect to the VPN server. I will not go into the details of setting up the server in the DSM interface (the NAS web portal); that information is available on the manufacturer's website.
The problem is that the DSM interface (version 6.2.3 at the time of publication) has a limited number of settings for managing the OpenVPN server. In our case, a site-to-site connection scheme is required, i.e. VPN client subnet hosts must see VPN server subnet hosts and vice versa. Typical settings available on the NAS allow access only from hosts on the VPN client subnet to hosts on the VPN server subnet.
To give the VPN server subnet access to the VPN clients' subnets, we need to log into the NAS via SSH and edit the OpenVPN server configuration file by hand.
To edit files on the NAS via SSH, it is more convenient for me to use the Midnight Commander. To do this, I connected the packages.synocommunity.com source in the Package Center and installed the Midnight Commander package.
Log in to the NAS via SSH with an account that has administrator rights.
Type sudo su and re-enter the administrator password:
Type mc to launch Midnight Commander:
Next, go to the /var/packages/VPNCenter/etc/openvpn/ directory and find the openvpn.conf file:
According to the task, we need to connect 2 remote subnets. To do this, we create 2 accounts on the NAS through DSM with no rights to any NAS services, granting them only the VPN connection in the VPN Server settings. For each client, we need to assign a static IP from the VPN server's pool and route traffic from the VPN server subnet to the VPN client subnet through that IP.
Initial data:
VPN server subnet: 192.168.1.0/24.
OpenVPN server address pool: 10.8.0.0/24. The OpenVPN server itself gets the address 10.8.0.1.
VPN client 1 subnet (user VPN): 192.168.10.0/24; the client should receive the static address 10.8.0.5 from the OpenVPN server.
VPN client 2 subnet (user VPN-GUST): 192.168.5.0/24; the client should receive the static address 10.8.0.4 from the OpenVPN server.
In the same directory, create a ccd folder and inside it a settings file for each client, named exactly after the user login.
For the VPN user, write the following settings in the file:
For the VPN-GUST user, write the following in the file:
All that remains is to adjust the OpenVPN server configuration: add a parameter that tells the server to read the per-client settings, and add routes to the client subnets:
In the screenshot above, the first 2 lines of the config are generated by DSM (ticking the "Allow clients to access the server's local network" checkbox in the OpenVPN server settings).
The client-config-dir ccd line tells the server that the per-client settings are in the ccd folder.
The next 2 lines add routes to the client subnets via the corresponding OpenVPN client addresses.
Finally, the subnet topology must be enabled for this to work properly.
We do not touch all other settings in the file.
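As an added example (not the screenshots from the original post), this is what the two ccd files and the lines added to openvpn.conf look like for the addresses above, assuming the path and user names used in this post and the subnet topology:

```conf
# /var/packages/VPNCenter/etc/openvpn/ccd/VPN   (file name = user login)
# Fixed tunnel address for this client; with "topology subnet" the
# second argument is the netmask of the VPN pool.
ifconfig-push 10.8.0.5 255.255.255.0
# Tell OpenVPN that 192.168.10.0/24 is reachable behind this client.
iroute 192.168.10.0 255.255.255.0

# /var/packages/VPNCenter/etc/openvpn/ccd/VPN-GUST
ifconfig-push 10.8.0.4 255.255.255.0
iroute 192.168.5.0 255.255.255.0

# Lines added to /var/packages/VPNCenter/etc/openvpn/openvpn.conf
# (everything DSM wrote, including the first two push lines, stays as is)
client-config-dir ccd
# Kernel routes on the NAS: client subnet -> tunnel address of its client
route 192.168.10.0 255.255.255.0 10.8.0.5
route 192.168.5.0 255.255.255.0 10.8.0.4
# Required so that ifconfig-push above takes an address/netmask pair
topology subnet
```

The route lines make the NAS kernel send packets for a client subnet into the tunnel, while the iroute in the ccd file tells the OpenVPN process which connected client owns that subnet; without the iroute, OpenVPN drops those packets, and without the matching ccd file name the client never receives its fixed address.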
After saving the settings, do not forget to restart the VPN Server service in the package manager. Then, on the hosts of the server subnet or on their gateway, add routes to the client subnets via the NAS.
In my case, the router (192.168.1.1) is the gateway for all hosts on the subnet where the NAS is located (NAS IP 192.168.1.3). On this router, I added static routes for the 192.168.5.0/24 and 192.168.10.0/24 networks with the NAS (192.168.1.3) as the gateway.
Do not forget that if the firewall on the NAS is enabled, you will need to configure it too. The client side may also have a firewall enabled, which will likewise need to be configured.
PS. I am not a professional in network technologies, and in particular not in working with OpenVPN; I am just sharing my experience and publishing the settings I made, which allowed me to configure a site-to-site connection between subnets. Perhaps there is a simpler and/or more correct setup; I will only be glad if you share your experience in the comments.