Synology Inc. Online Community Forum

[dino]

for sure it's possible that openvpn is the cause

[iugrifma]

THANKS DINO !
Your the man, works perfectly. Cheers,
Griffo.

[dino]

I hope Synology read some of my posts. I try to help people getting the most out of their product by compiling a lot of stuff for different kind of Synology products and taking time to write extended tuto's howto. Right now I'll stop doing this since they refuse to give me some configs about new x86 products.

I hope they change mind (but I'm pretty sure they won't) and send me this information.

Glad it helped you.

[iugrifma]

ADDITIONAL USEFUL REFERENCE MATERIAL.

Guys,
if (like me) your looking to use the OpenVPN install instructions to generate keys etc...
The OpenVPN documentation makes use of a set of shell scripts which are not included in the this base installation.
However, you can find a copy of them here:
http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html

Have fun!
Griffo.

[GianniWork]

Hello Dino, I am an Italian user and I have a Synology ds209 +. I read your guide .. but I have the following errors. I am not sure how I change the file server.conf

DiskStation> /usr/local/etc/rc.d/openvpn.sh restart

Killing OpenVPN processes....success

Unloading OpenVPN kernel modules...
tun.ko: success

Loading OpenVPN kernel modules:
tun.ko: success

Starting OpenVPN in daemon mode....failed



DiskStation> /opt/sbin/openvpn --cd /opt/etc/openvpn --daemon --config /opt/etc/openvpn/server.conf --script-security 2 --log-append /opt/var/log/openvpn.log
/opt/sbin/openvpn: error while loading shared libraries: liblzo.so.1: cannot open shared object file: No such file or directory


# Which local IP address should OpenVPN
# Listen on? (optional)
Local 192.168.0.10 <- this is my address of the Synology

then the line 96 What should I change?
server 10.8.0.1/24 <----is correct?

sorry for my English
thanks

[vecnar]

Hi guys,
I have exactly the same problem.
/opt/sbin/openvpn --cd /opt/etc/openvpn --daemon --config /opt/etc/openvpn/server.conf --script-security 2 --log-append /opt/var/log/openvpn.log
/opt/sbin/openvpn: error while loading shared libraries: liblzo.so.1: cannot open shared object file: No such file or directory

First of all i am a newby to linux so i might have done stupid things but this is where i think is the problem.
I did search for liblzo.so.1 library and i found that there is no file but only symbolic link in /lib/liblzo.so.1 which is pointing to /usr/local/lib/liblzo.so.1
But there is no directory /usr/local/lib so it means that there is no library liblzo.so.1.
I copied liblzo.so.1.0.0 from centos 5.2 and placed this file in /usr/local/lib/liblzo.so.1.0.0 and created symbolic link liblzo.so.1 but after lunching it showed me an error something about indians , i read that it is because i copied library from centos and it is not compatible.

Could anyone point me where i could download liblzo.so.1.0.0 for synology? And if anyone could explain what packages are compatible with synology distro?
Regards,
Oleg

[iugrifma]

Dino, hi!
Just a quick note to let you know that the tun.ko driver is now included as standard in the new 2.3-1139 firmware. So I pointed your start/stop script at the synology standard one in /lib/modules and everything continues to work, as before. If you don't and you try to continue with your install, there's a conflict and the kernel panics.

Griffo.

[dino]

Yep, I've noticed. I removed all kernel modules from my providers FTP server. I'll make updated kernel modules available again after the release of the GPL sources for MoBlock / Asterisk Dahdi drivers / USB etc...

[vecnar]

Hi Dino,
I tried to install openvpn on ds209+II (pc model MPC8533; kernel 2.6.24) using your instructions but i couldn't manage to run openvpn in daemon so i used ipkg to install openvpn and used your startup script and tun.ko provided. I am able to start tun.ko and openvpn but the problem is that tun.ko driver crashes, i can see that in dmesg and when executing ifconifg tun0 is not there.
I am not able to ping server once established connection (certificates verified and accepted) even though i have firewall disabled on the client side. On server side i just added a rule to eth0 to accept udp 1194 but i can't disable firewall on tun0 interface. To me it looks like a firewall issue and looking at openvpn wiki they advise to add iptables rules which i did but when i looked in /etc/firewall_dump it is not applied and in there is no tun0 in /etc/firewall/.
The way i try to establish connection is client XP---------router----WAN-----router(on synology side)-----synology. I added synology's ip to dmz on router from synology side and opened upd 1194.

My questions are:
1) Is there tun.ko which doesn't crash under 2.6.24 kernel?
2) Is it possible to disable firewall on tun0 interface? Or any other way to test if synology's firewall is not preventing ping from client.

Thanks in advance and let me know if you need any further information.

[dino]

Update to DSM2.3 and put the following script in /usr/local/etc/rc.d/S03openvpn.sh

the tun.ko kernel module is provided by Synology starting from DSM2.3-1139

Code: Select all

#!/opt/bin/bash

MODULES_BASE="/lib/modules"
KERNEL_VERSION=`uname -r`

case "$KERNEL_VERSION" in
"2.6.24")
   KERNEL_MODULES_OPENVPN="tun.ko"
   ;;
esac

success() {
   [ -n $1 ] && echo "success" || echo "$1: success"
}

failure() {
   [ -n $1 ] && echo "failed" || echo "$1: failed"
}

insmod_syno() {
   local modules=$1
   local mod
   local err=0

   for mod in $modules; do
      echo -n "$mod: "
      /opt/sbin/insmod ${MODULES_BASE}/${mod} > /dev/null 2>&1
      ret=$?
      [ $ret -eq 0 ] && success $mod || failure $mod
      err=`expr $err + $ret`;
   done

   return $err
}

rmmod_syno() {
   local modules=$1
   local mod
   local err=0
   
   for mod in $modules; do
      echo -n "$mod: "
      /opt/sbin/rmmod ${MODULES_BASE}/${mod} > /dev/null 2>&1
      ret=$?
      [ $ret -eq 0 ] && success $mod || failure $mod
      err=`expr $err + $ret`;
   done
   
   return $err
}

start() {
   local ret=0;

   echo ""
   echo "Loading OpenVPN kernel modules:"
   insmod_syno "$KERNEL_MODULES_OPENVPN"
   
   # Make sure IP forwarding is enabled
   echo 1 > /proc/sys/net/ipv4/ip_forward

   # Make TUN device if not present (not devfs)
   if ( [ ! -c /dev/net/tun ] ) then
      # Make /dev/net directory if needed
      if ( [ ! -d /dev/net ] ) then
         mkdir -m 755 /dev/net
      fi
      mknod /dev/net/tun c 10 200
   fi
   
   echo ""
   echo -n "Starting OpenVPN in daemon mode...."
   /opt/sbin/openvpn --cd /opt/etc/openvpn --daemon --writepid /opt/var/run/openvpn.pid --config /opt/etc/openvpn/server.conf --script-security 2 > /dev/null 2>&1
   ret=$?
   [ $ret -eq 0 ] && success || failure

   echo -n "Inserting OpenVPN IPTable rules...."
#   iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE > /dev/null 2>&1
   ret=$?
   [ $ret -eq 0 ] && success || failure
   
   return $err
}

stop() {
   
   echo ""
   echo -n "Removing OpenVPN IPTable rules..."
   iptables -F -t nat > /dev/null 2>&1
   ret=$?
   [ $ret -eq 0 ] && success || failure
   
   echo -n "Killing OpenVPN processes...."
   if [ -n "`pidof openvpn`" ]; then
      /usr/bin/killall openvpn 2>/dev/null
   fi
   ret=$?
   [ $ret -eq 0 ] && success || failure
   
   sleep 1

   echo ""
   echo "Unloading OpenVPN kernel modules... "
   rmmod_syno "$KERNEL_MODULES_OPENVPN"

   return $ret
}

restart() {
   stop
   sleep 3
   start
}

case "$1" in
   start)
      start
      RETVAL=$?
      ;;
   stop)
      stop
      RETVAL=$?
      ;;
   restart)
      restart
      RETVAL=$?
      ;;
   *)
      echo $"Usage: ${0##*/} {start|stop|restart}"
      RETVAL=2
      ;;
esac

exit $RETVAL



[vecnar]

Hi Dino,

Thanks for reply.
I found it myself yesterday and modified your script to reflect changes in path to tun.ko driver so i am up and running now and it is great. I would advise you to modify your tutorial in first post to reflect changes.
1. bootstrap you synology
2. update firmware
3. ipkg install coreutils
4. ipkg install module-init-tools
5. ipkg install openvpn
6. copy sample config files to /opt/etc/openvpn
7. remove startup script installed by openvpn
8. copy your startup script (modified to reflect changes to tun.ko driver path)
9. once up and running with your certificates generate your own ones which is explained in openvpn wiki (http://openvpn.net/index.php/open-sourc ... o.html#pki), there would be a requirement to copy easyrsa (scripts allowing to generate certificates)
Regards,
Oleg

[TRiPgod]

Now we just need to update the bridge-kernel-module for kernel 2.6.24 to enable bridge tap. The one in the repo is for 2.6.15.

[buck83]

Hi,
the link for "kernel-modules" is dead....
Help me!

I try installed openvpn for DS209+II witch the DSM 2.3

(Sorry i'm French, my english is very bad!)

[d.tamm]

Same here, the openvpn-kernel-modules link is dead. Is there anyone who has the zip file?

[dino]

Guys, once the new 2.3 gpl sources are released I'll recompile those kernel modules again. For OpenVPN, DSM2.3 included the tun.ko kernel module, so no need to download it from my isp's ftp server. I removed the link to make sure you won't crash your synology inserting those modules since the kernel configuration changed a bit.