OpenVPN tunnel between an OpenWrt and a Synology NAS (Application VPN Server)

Hello,

Happy New Year !!!

I would like help from the community to finally succeed in setting up my OpenVPN tunnel. I've been trying hard for 24 hours and I can't understand what is stuck or missing in my configuration.

Network architecture:
LAN A -> OpenWRT (OpenVPN Client) -> Internet -> NAS Synology (VPN Server App / OpenVPN Server) -> LAN B

OpenWRT:
LAN: 192.168.1.253/24 (LAN A)
WAN: DHCP (GW 192.168.1.1/24) (yep, same subnet as LAN)

Synology NAS:
LAN: 192.168.10.200/24 (LAN B)

What I want to do:
I want the machines on LAN A to be able to reach the machines on LAN B through the OpenVPN tunnel.
The OpenWRT router being in client mode for OpenVPN
Synology NAS being in server mode for OpenVPN

My configuration:
This configuration is currently implemented in several peripherals (smartphone, pc, laptop) and is perfectly functional, except of course on OpenWRT.

dev tun
tls-client

remote mysubdomain.mydomain.com 1194

dhcp-option DNS 192.168.10.254
dhcp-option DOMAIN home.lan

pull

proto udp

script-security 2

comp-lzo

reneg-sec 0

cipher AES-256-CBC

auth SHA512

auth-user-pass /etc/openvpn/Credentials.auth

client-cert-not-required

<ca>
-----BEGIN CERTIFICATE-----
<my-certificate>
-----END CERTIFICATE-----

</ca>

The logs:

Sat Jan  1 11:05:35 2022 daemon.warn openvpn(MyOpenVPN)[2828]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Sat Jan  1 11:05:35 2022 daemon.err openvpn(MyOpenVPN)[2828]: REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead
Sat Jan  1 11:05:35 2022 daemon.notice openvpn(MyOpenVPN)[2828]: Exiting due to fatal error
Sat Jan  1 11:05:40 2022 daemon.warn openvpn(MyOpenVPN)[2848]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Sat Jan  1 11:05:40 2022 daemon.err openvpn(MyOpenVPN)[2848]: REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead

This isn’t right. Before we go any farther, the lan and wan subnets must be different for a router to function (this is true of all routers).

What is upstream of the openwrt router?


Hi @psherman ,

Many thx for your reply !

What is upstream of the OpenWRT is a router from my ISP :
OpenWRT(DHCP) <--> (LAN A 192.168.1.1/24)ISP Router(Public IP) <--> Internet

So to test following your message, I configured the LAN interface of OpenWRT with a third party subnet: 192.168.180.254/24

I tested my VPN profile again: still KO

But looking at OpenWRT's System logs I see that it doesn't like an option in my OpenVPN profile:

daemon.err openvpn (MyOpenVPN) [2828]: OPTION DELETED: --client-cert-not-required, use '--verify-client-cert none' instead

I initially replaced the "client-not-required" option with "verify-client-cert none", but it didn't like that either. So I commented out the line:
# client-certificate-not-required

So now my VPN tunnel is finally going up!

The PING of my PCs in 192.168.10.X / 24 is OK.

I will thoroughly test everything and I will put a final closing comment to help the next ones ;).

This OpenWRT is in fact a VM which serves just as a Gateway to make a Site-to-Site tunnel between my first home and my second home.

It comes in parallel / annex of my usual LAN A: I will use this tunnel for backup.
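
An added example, not written by any poster in this thread and not part of OpenWrt or OpenVPN: a small shell check for a client profile that reports the two directives the log above complains about (`client-cert-not-required`, `comp-lzo`) plus the suggested replacement the client also rejected. The function names, the output format and the sample profile are assumptions made for illustration.

```shell
#!/bin/sh
# Lint an OpenVPN *client* profile for the directives flagged in the thread.
# Function names and the SEVERITY:LINE:DIRECTIVE:REASON format are assumptions.

# Constructed sample mirroring the directives posted in the thread.
sample_profile() {
cat <<'EOF'
dev tun
tls-client
remote vpn.example.invalid 1194
proto udp
comp-lzo
# verify-client-cert none
client-cert-not-required
<ca>
-----BEGIN CERTIFICATE-----
client-cert-not-required (constructed inline data, must be ignored)
-----END CERTIFICATE-----
</ca>
EOF
}

# lint_ovpn_profile FILE
# Prints one finding per line; returns 1 if a FATAL finding exists, else 0.
lint_ovpn_profile() {
    awk '
    /^[ \t]*<\/[a-z-]+>/ { inblock = 0; next }   # end of an inline block
    /^[ \t]*<[a-z-]+>/   { inblock = 1; next }   # start of <ca>, <cert>, ...
    inblock              { next }                # PEM data, not directives
    /^[ \t]*$/           { next }                # blank line
    /^[ \t]*[#;]/        { next }                # commented-out directive
    {
        d = $1; sub(/^--/, "", d)
        if (d == "client-cert-not-required") {
            fatal = 1
            print "FATAL:" NR ":" d ":removed option, configures a server, drop it from the client"
        } else if (d == "verify-client-cert") {
            fatal = 1
            print "FATAL:" NR ":" d ":server-side replacement, the poster reports the client rejected it"
        } else if (d == "comp-lzo" || d == "compress") {
            print "WARN:" NR ":" d ":compression enabled, the log warns it has been used to break encryption"
        }
    }
    END { exit (fatal ? 1 : 0) }
    ' "$1"
}
```

Running `lint_ovpn_profile` on the profile before starting the tunnel surfaces the fatal directive without having to read the system log; the compression warning is not fatal, and changing it has to be done on both ends of the tunnel.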