VPN Access - SOLVED!

Discussion room for Synology VPN package in DSM 3.1-1725 or above.

Postby robin339 » Mon Apr 08, 2013 7:25 am

Hi Guys,
I am using a DSM213. I can connect from a Win 7 using PPTP just fine. But here is the issue: I cannot access any files, let alone have the folders show up in My Network Places.

I am not sure how to even access it. Here are my settings:

DSM Private IP : 192.168.1.5
DSM Public IP : 50.78.x.x

Dialing the public IP from a Windows 7 PC with the private IP 192.168.1.104
I got the following ipconfig:

PPP adapter VPN Connection:

Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.0.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0


I tried accessing \\Diskstaion , no luck
Also, I don't know what private IP I'd be using to access the DSM (after connecting with VPN). Please see screengrabs below.
Thanks !!

Last edited by robin339 on Fri May 31, 2013 6:26 am, edited 1 time in total.
DS 211J
DS 412+
CCNA, MCSE, MCTS, MCP2.0, MCITP, A+, Net+, Sec+
robin339
Novice
Posts: 55
Joined: Sun Apr 24, 2011 12:42 am

Re: VPN Access

Postby aol » Fri Apr 12, 2013 3:38 pm

I'm going to take a stab at this just to keep the discussion going. There are several posts already in this subforum about bridging the "home network" (the network the DS sits on) and the VPN network (the virtual network the DS creates when you connect to it using the VPN). I believe you have a home network 192.168.1.*, with the DS being given a 192.168.1.5 address. This means you can http:// or ssh or whatever to 192.168.1.5, from another client on the 192.168.1.* subnet. I believe you said your DS VPN Server is handing out 10.0.0.* addresses. So for example, a client to the VPN server might get 10.0.0.1. Routers handle traffic: when a router with IP address (LAN address, as opposed to WAN address which is its external IP address typically seen by the public internet) of 192.168.1.1 gets a request for 192.168.1.5 from another client on the 192.168.1.* subnet, it knows to redirect that request to your DS. But in this case, your IP address (since you connected to the VPN) is 10.0.0.1, and when the router gets the request for 192.168.1.5, it looks at its routing table and fails to direct it to 192.168.1.5. The two subnets (192.168.1.* and 10.0.0.*) need to be bridged. I'm pretty sure I have this part right. What I don't understand is the Right Way to bridge this traffic.

One solution involves adding a static route, telling Something (not sure if it's the client or the router or what) that traffic from one subnet should be routed to another subnet. The command looks something like
route add -p 192.168.1.0 netmask 255.255.255.0 10.0.0.0
The syntax varies by OS. But I'm not sure where this should be done. It seems onerous to do it on every client to the VPN.

It seems that another solution should simply involve netmasks. In my case, my home network is 192.168.1.*, and the VPN hands out 192.168.2.* addresses. So it seems like I should just be able to change the netmask from 255.255.255.0 to 255.255.0.0, say, on the router, and it will route stuff properly. But I haven't had much luck with that.

A third solution, which used to work perfectly until DSM 4.2, but appears to be unsupported and officially discouraged by Synology, is to edit the VPN configuration and make the VPN server hand out ip addresses on the home network. You do this by manually editing (ssh into the DS) the pptp.conf file (assuming you're using pptp and not openvpn), and changing localip and remoteip. For example,
localip 192.168.1.5
remoteip 192.168.1.100-105
where localip is the DS's ip address on the home network, and the remoteip is a range of addresses on the home network's subnet that you know are not being used. This way, when you connect to the VPN, instead of getting a 10.0.0.1 address, you get a 192.168.1.100 address, and routing Just Works.

Confusing all of this is the apparent reality based on other forum threads that bugs in 4.2 are causing the firewall to misbehave, causing issues with the VPN. I got a patch after submitting a ticket, but I'm not sure how to apply it, and the support rep indicated that a general DSM patch is scheduled for 4/15, so at this point I'm in the mood to just wait for the 4/15 patch and see if things improve.

Love to have others correct me and offer information. Is the Right Way to add static routes? If so, do I really need to do it on every VPN client? If the client has the "route all traffic through VPN" turned on, does that simplify things or complicate things?

Cheers.
aol
Beginner
Posts: 20
Joined: Thu Apr 29, 2010 7:59 pm

Re: VPN Access

Postby outie » Fri Apr 12, 2013 5:52 pm

You need to access your Diskstation with the VPN IP: 10.0.0.0 after you VPN into it.

\\10.0.0.0

and for webui: http://10.0.0.0:5000
outie
Trainee
Posts: 16
Joined: Wed Jul 13, 2011 9:50 pm

Re: VPN Access

Postby robin339 » Fri Apr 12, 2013 5:56 pm

outie wrote:You need to access your Diskstation with the VPN IP: 10.0.0.0 after you VPN into it.

\\10.0.0.0

and for webui: http://10.0.0.0:5000

I have tried that, every different way with no luck.
Is there a "Special Permission" or additional settings I need to apply on the DSM, or DMS (already shared) folders?
Thanks !
~Robin
Last edited by robin339 on Fri Apr 12, 2013 6:01 pm, edited 1 time in total.
DS 211J
DS 412+
CCNA, MCSE, MCTS, MCP2.0, MCITP, A+, Net+, Sec+
robin339
Novice
Posts: 55
Joined: Sun Apr 24, 2011 12:42 am

Re: VPN Access

Postby robin339 » Fri Apr 12, 2013 6:00 pm

aol wrote:I'm going to take a stab at this just to keep the discussion going. There are several posts already in this subforum about bridging the "home network" (the network the DS sits on) and the VPN network (the virtual network the DS creates when you connect to it using the VPN). I believe you have a home network 192.168.1.*, with the DS being given a 192.168.1.5 address. This means you can http:// or ssh or whatever to 192.168.1.5, from another client on the 192.168.1.* subnet. I believe you said your DS VPN Server is handing out 10.0.0.* addresses. So for example, a client to the VPN server might get 10.0.0.1. Routers handle traffic: when a router with IP address (LAN address, as opposed to WAN address which is its external IP address typically seen by the public internet) of 192.168.1.1 gets a request for 192.168.1.5 from another client on the 192.168.1.* subnet, it knows to redirect that request to your DS. But in this case, your IP address (since you connected to the VPN) is 10.0.0.1, and when the router gets the request for 192.168.1.5, it looks at its routing table and fails to direct it to 192.168.1.5. The two subnets (192.168.1.* and 10.0.0.*) need to be bridged. I'm pretty sure I have this part right. What I don't understand is the Right Way to bridge this traffic.


Very nicely described exactly what I am trying to do.

aol wrote:A third solution, which used to work perfectly until DSM 4.2, but appears to be unsupported and officially discouraged by Synology, is to edit the VPN configuration and make the VPN server hand out ip addresses on the home network. You do this by manually editing (ssh into the DS) the pptp.conf file (assuming you're using pptp and not openvpn), and changing localip and remoteip. For example,
localip 192.168.1.5
remoteip 192.168.1.100-105
where localip is the DS's ip address on the home network, and the remoteip is a range of addresses on the home network's subnet that you know are not being used. This way, when you connect to the VPN, instead of getting a 10.0.0.1 address, you get a 192.168.1.100 address, and routing Just Works.

Cheers.

Can't seem to find the pptp.conf (pptpd.conf even)
I looked in /usr/syno/etc/synovpn/pptp/, not there :roll:

Thanks for taking the time out to address my issue so carefully.
~ Robin
DS 211J
DS 412+
CCNA, MCSE, MCTS, MCP2.0, MCITP, A+, Net+, Sec+
robin339
Novice
Posts: 55
Joined: Sun Apr 24, 2011 12:42 am

Re: VPN Access

Postby aol » Fri Apr 12, 2013 7:28 pm

I'm not at my DS right now but I thought it was in something something packages/VPNServer/pptp/pptp.conf. I'll take a look tonight if I remember to.

I did some more reading since posting, and I'm wondering if the VPN Server is supposed to be routing the traffic, and that you need to modify the subnet on the VPN Server configuration page. I recall that you set the IP address (there are 3 boxes and a .0, so you can set 10.0.0 (with .0) or 192.168.2 ( with .0). In my case, my home network is 192.168.1, and the VPN server creates 192.168.2. If I set the subnet mask on this page, not to 255.255.255.0 (which is so common most people automatically plug it in) but to 255.255.252.0, then it seems to me that traffic should route between both networks. You can go to wikipedia.com but my understanding is that 255.255.252.0 is equal to /22 (255.255.255.0 = /24). If you want 192.168.1 to see 192.168.2, you can't use 255.255.255.0. 255.255.255.0 means 192.168.1.* only sees 192.168.1.*. (and by "see" what I mean is, the router will internally direct traffic for those IP addresses, and anything else, route to the WAN port)

I'm further beginning to conclude that the client gets the netmask from the router. So if my router address is 192.168.1.1, and its DHCP server hands out 192.168.1.* addresses with 255.255.255.0 addresses, then no clients will see 192.168.2.* hosts. So the router's DHCP server needs to hand out 192.168.1.* with netmask 255.255.252.0 (or 255.255.254.0)

255.255.252.0 netmask should mean that 192.168.1.* hosts can see 192.168.2.* hosts and vice versa, as well as .3.*, .4.*, .5.*, .6.* and .7.* but not 192.168.8.* hosts or higher. You could also just do 255.255.254.0, which means you only have .1.*, .2.* and .3.*. For 192.168.1.* to see 10.0.0.* and vice versa, I guess you'd have to use netmask /0 or 0.0.0.0!!!
aol
Beginner
Posts: 20
Joined: Thu Apr 29, 2010 7:59 pm
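
Added example, not part of any post in this thread: a Python sketch that computes which destinations a host treats as on-link under the netmasks discussed in the post above, and the smallest single block that covers both 192.168.1.0/24 and 10.0.0.0/24. The host address 192.168.1.5 is the DS address given in the thread; the destination addresses are constructed samples.

```python
import ipaddress

def subnet_of(host_ip, netmask):
    """Network that a host configured with host_ip/netmask considers local."""
    return ipaddress.ip_interface(f"{host_ip}/{netmask}").network

def on_link(host_ip, netmask, dest_ip):
    """True if the host delivers to dest_ip directly instead of via a gateway."""
    return ipaddress.ip_address(dest_ip) in subnet_of(host_ip, netmask)

def common_supernet(net_a, net_b):
    """Smallest single CIDR block that contains both networks."""
    a = ipaddress.ip_network(net_a)
    b = ipaddress.ip_network(net_b)
    while not b.subnet_of(a):
        a = a.supernet()  # widen by one bit; stops at 0.0.0.0/0 at the latest
    return a

def report(host_ip, masks, dests):
    """One row per mask: (mask, resulting network, destinations that are on-link)."""
    rows = []
    for mask in masks:
        local = [d for d in dests if on_link(host_ip, mask, d)]
        rows.append((mask, str(subnet_of(host_ip, mask)), local))
    return rows

if __name__ == "__main__":
    HOST = "192.168.1.5"                                  # DS address from the thread
    MASKS = ["255.255.255.0", "255.255.254.0", "255.255.252.0"]
    DESTS = ["192.168.2.10", "192.168.7.1", "10.0.0.1"]   # constructed samples
    for mask, net, local in report(HOST, MASKS, DESTS):
        print(f"{mask:<15} -> {net:<16} on-link: {local}")
    print("covers both:", common_supernet("192.168.1.0/24", "10.0.0.0/24"))
```

The only single block that contains both 192.168.1.0/24 and 10.0.0.0/24 is 0.0.0.0/0, under which a host treats every address as local; a route entry scoped to the VPN subnet avoids widening the mask at all.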

Re: VPN Access

Postby outie » Fri Apr 12, 2013 8:03 pm

robin339 wrote:
outie wrote:You need to access your Diskstation with the VPN IP: 10.0.0.0 after you VPN into it.

\\10.0.0.0

and for webui: http://10.0.0.0:5000

I have tried that, every different way with no luck.
Is there a "Special Permission" or additional settings I need to apply on the DSM, or DMS (already shared) folders?
Thanks !
~Robin

What is the IP range you are in at your VPN client that's trying to connect to the Synology?

If your local LAN is also in the 10.0.0.x range it will get confused and you won't be able to access 10.0.0.0 via VPN.
outie
Trainee
Posts: 16
Joined: Wed Jul 13, 2011 9:50 pm

Re: VPN Access

Postby robin339 » Fri Apr 12, 2013 8:12 pm

outie wrote:What is the IP range you are in at your VPN client that's trying to connect to the Synology?

If your local LAN is also in the 10.0.0.x range it will get confused and you won't be able to access 10.0.0.0 via VPN.


I am using 192.168.1.x for the local and 10.0.0.x for the VPN.
Thanks
DS 211J
DS 412+
CCNA, MCSE, MCTS, MCP2.0, MCITP, A+, Net+, Sec+
robin339
Novice
Posts: 55
Joined: Sun Apr 24, 2011 12:42 am

Re: VPN Access

Postby outie » Sat Apr 13, 2013 12:13 am

That's strange.

Open a command prompt and do a
tracert 10.0.0.0

and see what you got there.
outie
Trainee
Posts: 16
Joined: Wed Jul 13, 2011 9:50 pm

Re: VPN Access

Postby chercm » Sat Apr 13, 2013 1:17 pm

I am having the same issue, and for the ping test I got request timed out.
chercm
Trainee
Posts: 19
Joined: Sun Mar 24, 2013 12:13 pm

Re: VPN Access

Postby robin339 » Mon Apr 15, 2013 7:49 pm

Still no luck :(
DS 211J
DS 412+
CCNA, MCSE, MCTS, MCP2.0, MCITP, A+, Net+, Sec+
robin339
Novice
Posts: 55
Joined: Sun Apr 24, 2011 12:42 am

Re: VPN Access

Postby robin339 » Sun May 26, 2013 5:23 pm

chercm wrote:I am having the same issue, and for the ping test I got request timed out.

Yea, my pings are timing out as well.
I tried adding a static route in my Windows PC (the client)
route add 192.168.1.0 Mask 255.255.255.0 10.0.0.0


192.168.1.0 being the local network and 10.0.0.0 being the dynamic VPN network.

Any ideas ?
Thanks !
~Robin
DS 211J
DS 412+
CCNA, MCSE, MCTS, MCP2.0, MCITP, A+, Net+, Sec+
robin339
Novice
Posts: 55
Joined: Sun Apr 24, 2011 12:42 am

Re: VPN Access

Postby aol » Tue May 28, 2013 5:12 pm

From http://www.howtogeek.com/howto/windows/ ... ing-table/

For example, if you were on the 192.168.1.0 network, and you had a gateway on 192.168.1.12 configured to access the 10.10.10.0/24 network, you would use a route add statement like this:

route ADD 10.10.10.0 MASK 255.255.255.0 192.168.1.12

So it appears you have it backwards. You want

route ADD 10.0.0.0 MASK 255.255.255.0 192.168.1.0

assuming 192.168.1.0 is your router's IP address, and that your router has access to the 10.0.0.0 network.

(use the -p flag to make the route ADD command permanent to survive a reboot, and you may need to bring the interface down and back up to see the change)

What I think this command says is, if you get a packet for 10.0.0.0/24 (meaning, any address from 10.0.0.0 through 10.0.0.255), send it to the router at 192.168.1.0. Then your router sends it to the destination, assuming the router is configured to access 10.0.0.0/24.
aol
Beginner
Posts: 20
Joined: Thu Apr 29, 2010 7:59 pm

Re: VPN Access

Postby robin339 » Fri May 31, 2013 6:25 am

Fixed !

All I needed to do is use a DNS server in the DS.

Thanks for all your help !

~ Robin
DS 211J
DS 412+
CCNA, MCSE, MCTS, MCP2.0, MCITP, A+, Net+, Sec+
robin339
Novice
Posts: 55
Joined: Sun Apr 24, 2011 12:42 am

Re: VPN Access

Postby stathismes » Thu Aug 08, 2013 7:00 pm

robin339 wrote:Fixed !

All I needed to do is use a DNS server in the DS.


~ Robin


What exactly did you do with DNS? Please I'm still struggling..... :(
stathismes
I'm New!
Posts: 2
Joined: Sat Aug 03, 2013 1:31 pm
