I'm sorry I never wrote the guide I promised. The problem is I have far less time than I hoped.
A few days ago I received a private message with this request:
I would like help to install openvpn addon (DNS-320L).
I replied to write in public but he never came back.
I'm glad to help you if I can, I have some notes that can be useful when my memory can't help. Unfortunately I need a lot of time to build a full guide as I hoped (and I have little time even now), but I can definitely answer specific questions. Please reply to the topic, any question must be public so that anyone can read the answer too.
SOOOOOOOOOOOOOOOOOOOOOO... Let me try to make this guide, I'll try to expand topics when they are raised.
Please note that some certificate settings may not be required, it's just one way to do it. I believe security is still enough with these settings. Every suggestion is still welcome.
I never followed this guide as it is yet, so you can find errors. Please report any error you may find.
-----------------------------------------------------------------------------------------
Guide to install OpenVPN 2.3.10 on D-Link DNS-320L
== STEP 1 ==
Install in the NAS the "DNS-320L OpenVPN Package v1.01_03062016" package (md5 A498FFD1E16DB5A036A47FB67012D3E1). I downloaded it from http://dlink.vtverdohleb.org.ua/ (unfortunately login is required). Download links: [1], [2]
I'm not explaining how you do the install, however you will need to upload the downloaded file to your NAS through the browser interface.
== STEP 2 ==
Create the certificates/keys. I wasn't able to create them in the NAS itself, so I ended up creating those files in a separate Linux machine (a Raspberry Pi to be precise).
Steps on this separate Linux machine (not the NAS).
1. Update packages and install openvpn
sudo apt-get update && sudo apt-get upgrade
apt-get install openvpn -y
cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
cp openssl-1.0.0.cnf openssl.cnf
2. Edit the vars config:
nano vars
modify:
export EASY_RSA="`pwd`"
with:
export EASY_RSA="/etc/openvpn/easy-rsa"
and set your parameters, example given:
export KEY_SIZE=1024
export KEY_COUNTRY="IT"
export KEY_PROVINCE="RM"
export KEY_CITY="Rome"
export KEY_ORG="MY CUSTOM OPENVPN"
export KEY_EMAIL="noreply@no-spam-please.org"
export KEY_OU="vpn"
save and close nano (CTRL+O, CTRL+X)
3. Build the CA certificate:
source ./vars
./clean-all
./build-ca
Leave all default values (press Enter), except
Name: MyCustomServerName
Please note I am using empty challenge password and empty passphrase since they are not needed with this setup. Not sure when you will be prompted about them, so I put this note here.
4. Build the Server certificate:
./build-key-server MyCustomServerName
Again, leave all default values (press Enter), except
Name: MyCustomServerName
Reply YES:
Sign the certificate? y
Commit? y
5. Build the Client certificate:
./build-key MyCustomClientName
Leave all default values (press Enter), except
Name: MyCustomClientName
6. Build the Diffie-Hellman parameters for the server side (I actually run this in the NAS, but I guess it should be here)
./build-dh
7. Export all files to a tgz package file
cd /etc/openvpn/easy-rsa/keys
tar zcvf ../keys.tgz ./*
and copy this /etc/openvpn/easy-rsa/keys.tgz file into your NAS.
== STEP 3 ==
Configure your NAS.
1. Access your NAS, i.e. with Windows, and create this folder Z:\openvpn_key\ (assuming letter Z:)
If you enter from the SSH access you will find it as /mnt/HD/HD_a2/openvpn_key/
2. Paste the compressed keys.tgz file inside this Z:\openvpn_key\ folder
3. Access through SSH (I assume you know how) as root and run:
cd /mnt/HD/HD_a2/Nas_Prog/OpenVPN/genkey/keys
rm -f *
tar -xvf /mnt/HD/HD_a2/openvpn_key/keys.tgz
4. Edit this setting
vi /mnt/HD/HD_a2/Nas_Prog/OpenVPN/genkey/openssl.cnf
type "i" so that you can modify:
dir = ./demoCA
with:
dir = /mnt/HD/HD_a2/Nas_Prog/OpenVPN/ssl/misc/demoCA
exit vi and save (press ESC, type :wq and press ENTER)
5. Backup your key and certificates
cp /mnt/HD/HD_a2/Nas_Prog/OpenVPN/genkey/keys/ca.crt /mnt/HD/HD_a2/openvpn_key/
cp /mnt/HD/HD_a2/Nas_Prog/OpenVPN/genkey/keys/MyCustomClientName.crt /mnt/HD/HD_a2/openvpn_key/
cp /mnt/HD/HD_a2/Nas_Prog/OpenVPN/genkey/keys/MyCustomClientName.key /mnt/HD/HD_a2/openvpn_key/
cp /mnt/HD/HD_a2/Nas_Prog/OpenVPN/genkey/keys/dh1024.pem /mnt/HD/HD_a2/openvpn_key/
6. Edit server configuration
vi /mnt/HD/HD_a2/Nas_Prog/OpenVPN/etc/server.conf
Remove everything (:1,$d) and write this:
port 1194
proto udp
dev tun
ca /mnt/HD/HD_a2/Nas_Prog/OpenVPN/genkey/keys/ca.crt
cert /mnt/HD/HD_a2/Nas_Prog/OpenVPN/genkey/keys/MyCustomServerName.crt
key /mnt/HD/HD_a2/Nas_Prog/OpenVPN/genkey/keys/MyCustomServerName.key # This file should be kept secret
dh /mnt/HD/HD_a2/Nas_Prog/OpenVPN/genkey/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /mnt/HD/HD_a2/Nas_Prog/OpenVPN/etc/ipp.txt
keepalive 10 120
cipher AES-128-CBC
persist-key
persist-tun
status /var/tmp/openvpn-status.log
log /var/tmp/openvpn.log
log-append /var/tmp/openvpn.log
verb 3
== STEP 4 ==
Run the daemon
1. Execute
cd /mnt/HD/HD_a2/Nas_Prog/OpenVPN
./start.sh ./
To stop it, run
/mnt/HD/HD_a2/Nas_Prog/OpenVPN/stop.sh
2. Check if it's all fine and running:
netstat -tulpn | grep 1194
You should see something like this:
udp 0 0 0.0.0.0:1194 0.0.0.0:* 6162/openvpn
Please note that I still have no idea how I can run this service at startup, so I currently run it every time my NAS needs to be restarted.
== STEP 5 ==
Client configuration
1. In your OS (e.g. Windows) create this empty text file and rename it as MyCustomClientName.ovpn.
Paste the following:
client
remote 166.166.166.166 1194
proto udp
dev tun
##### From ca.crt
<ca>
-----BEGIN CERTIFICATE-----
MII1D...
-----END CERTIFICATE-----
</ca>
##### From MyCustomClientName.crt
<cert>
-----BEGIN CERTIFICATE-----
MIILE...
-----END CERTIFICATE-----
</cert>
##### From MyCustomClientName.key
<key>
-----BEGIN PRIVATE KEY-----
MIIAC...
-----END PRIVATE KEY-----
</key>
cipher AES-128-CBC
resolv-retry infinite
nobind
persist-key
persist-tun
mute 20
verb 3
Now, replace your
external public IP: (example 166.166.166.166)
external port on router: (1194)
ca certificate: (paste from your ca.crt file)
client certificate: (paste from your MyCustomClientName.crt file)
client private key: (paste from your MyCustomClientName.key file)
Use this file in your OpenVPN client. I tested it in Windows, Linux, iPhone, Android clients.
== Final notes ==
Some steps are omitted, e.g. router port configuration.
PLEASE... if you find any simple improvement or a mistake, report it so that I can improve this guide.
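
A check for the server.conf and .ovpn files from STEP 3 and STEP 5, added here as an example and not part of the original post. It flags a server that presents a client's certificate and key, DH parameters under 2048 bits, a cipher mismatch between the two files, and a client profile without OpenVPN's `remote-cert-tls server` directive (which is not used in the guide). The function names, finding labels, the 2048-bit threshold and the /keys/ sample paths are assumptions of this example.

```shell
#!/bin/sh
# Added example: lint an OpenVPN server.conf / client .ovpn pair.
# Finding names and the 2048-bit threshold are this example's assumptions.

# value_of KEY FILE: first argument of directive KEY, comments stripped.
value_of() {
    awk -v k="$1" '{ sub(/#.*/, "") } $1 == k { print $2; exit }' "$2"
}

# audit_pair SERVER_CONF CLIENT_OVPN CLIENT_NAME: prints one finding per line.
audit_pair() {
    srv=$1; cli=$2; name=$3
    # 1. The server must present its own certificate and key, not a client's.
    for d in cert key; do
        f=$(basename "$(value_of "$d" "$srv")")
        case $f in
            "$name".*) echo "SHARED-IDENTITY: server $d is client file $f" ;;
        esac
    done
    # 2. easy-rsa 2 names the DH file dh<KEY_SIZE>.pem, so the size is in the name.
    bits=$(basename "$(value_of dh "$srv")" | sed -n 's/^dh\([0-9]*\)\.pem$/\1/p')
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "WEAK-DH: $bits-bit DH parameters"
    fi
    # 3. Both ends must name the same cipher.
    sc=$(value_of cipher "$srv"); cc=$(value_of cipher "$cli")
    [ "$sc" = "$cc" ] || echo "CIPHER-MISMATCH: server=$sc client=$cc"
    # 4. Without this directive the client accepts any certificate the CA signed.
    grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server' "$cli" ||
        echo "NO-SERVER-CHECK: client lacks 'remote-cert-tls server'"
}

# demo: runs the audit on a constructed pair of files (not real configs).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'cert /keys/MyCustomClientName.crt' \
        'key /keys/MyCustomClientName.key # This file should be kept secret' \
        'dh /keys/dh1024.pem' 'cipher AES-128-CBC' > "$tmp/server.conf"
    printf '%s\n' 'client' 'remote 166.166.166.166 1194' \
        'cipher AES-128-CBC' > "$tmp/client.ovpn"
    audit_pair "$tmp/server.conf" "$tmp/client.ovpn" MyCustomClientName
    rm -rf "$tmp"
}

demo
```

On the NAS, call `audit_pair` with the real server.conf path, the client's .ovpn file and the client name instead of running `demo`.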