How to use your own certificates for connecting
Typing your credentials every time you connect can be annoying. This modification describes a way to authenticate with client certificates instead, so that you neither have to type a password nor save one in plain text.
Please be sure to read the General Disclaimer before executing these modifications!
Command Line Interface access is required for this modification.
You will need to be familiar with Basic commands for Synology CLI and Basic commands for Linux vi Editor.
The authentication method of the openVPN server on the Synology network station is based on SSL/TLS and works as follows:
- From server to client: by means of a public certificate signed with the Synology CA.
- From client to server: with the user login credentials, checked by an openVPN plugin that uses the internal RADIUS server.
In order to avoid typing your credentials every time you connect, you can add a file name after the 'auth-user-pass' directive in the config.ovpn file on the client side, and save your credentials in that file (first line user name, second line password):
auth-user-pass SecretPasswordFile.txt
However, saving your user name and password in plain text is not safe. I did not find any way to encrypt the password for use with a RADIUS server.
Another way to perform authentication and encryption is to use two public/private key pairs, one for the server and one for the client, to complete an SSL/TLS handshake. The two public keys are exchanged in the form of certificates, both signed by the same CA root certificate. Note that you should create your own (self-signed) CA root certificate rather than use one from a commercial CA: otherwise every certificate signed by that company's CA could be used to log in, unless you add further levels of security. The private keys only have to be transferred once, over a secure channel.
Copy and edit the openssl configuration file
> cd /usr/syno/
> mkdir ssl
> cd ssl
> wget http://123adm.free.fr/home/pages/documents/syno-cert_fichiers/openssl.cnf
/usr/syno/ssl/openssl.cnf
[ CA_default ]
dir           = ./demoCA                # Where everything is kept
certs         = $dir/certs              # Where the issued certs are kept
crl_dir       = $dir/crl                # Where the issued crl are kept
database      = $dir/index.txt          # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir = $dir/newcerts           # default place for new certs.
certificate   = $dir/my-ca.crt          # The CA certificate
serial        = $dir/serial             # The current serial number
#crlnumber    = $dir/crlnumber          # the current crl number must be
                                        # commented out to leave a V1 CRL
crl           = $dir/crl.pem            # The current CRL
private_key   = $dir/private/my-ca.key  # The private key
RANDFILE      = $dir/private/.rand      # private random number file
...
default_days  = 36500                   # how long to certify for
Create directories:
- volume1/<USERFOLDER>/demoCA/
- volume1/<USERFOLDER>/demoCA/newcerts/
- volume1/<USERFOLDER>/demoCA/private/
Create two files:
- volume1/<USERFOLDER>/demoCA/serial with content 01
- volume1/<USERFOLDER>/demoCA/index.txt with no content (use the touch command to create the file!)
Create your own CA root certificate
Go to folder volume1/<USERFOLDER>/
> openssl req -nodes -new -x509 -keyout my-ca.key -out my-ca.crt -days 3650
This will create a master certificate authority certificate/private-key pair valid for 10 years.
Fill in all the user details.
Move my-ca.key to volume1/<USERFOLDER>/demoCA/private/
Create public and private keys for client and server, and sign them with the CA
Go to folder volume1/<USERFOLDER>/
- server:
> openssl req -nodes -new -keyout syn.key -out syn.csr (create private key and certificate request)
> openssl ca -out syn.crt -in syn.csr (sign the request, producing the public key certificate)
- client:
> openssl req -nodes -new -keyout <name>.key -out <name>.csr (create private key and certificate request)
> openssl ca -out <name>.crt -in <name>.csr (sign the request, producing the public key certificate)
Notes:
- The country code must be the same as the one used for the creation of the CA root certificate! (The default 'policy_match' policy of 'openssl ca' refuses requests whose country, state or organisation differ from the CA.)
- Skip the two extra attribute fields (challenge password and optional company name) when creating a certificate.
- Perform this action for every user, filling in <name>.
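The whole CA procedure above (directory layout, serial and index files, self-signed root, server and client requests signed with 'openssl ca'), carried out non-interactively in a scratch directory. This is an added example, not a command sequence from the original page: the subjects, the names syn and alice, and the minimal openssl.cnf written by the script are assumptions, and the script also shows why the country code note matters by letting the policy_match section reject a request with a different country.

```shell
#!/bin/sh
# Added example (not part of the original page). Rebuilds the demoCA layout
# in a temporary directory, issues the server (syn) and one client (alice)
# certificate, and verifies both against my-ca.crt. All subjects are
# constructed sample values.
set -eu

WORKDIR=$(mktemp -d)
cd "$WORKDIR"

# Minimal openssl.cnf using the same CA_default keys as the page's file.
cat > openssl.cnf <<'EOF'
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = ./demoCA
certs           = $dir/certs
crl_dir         = $dir/crl
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
certificate     = $dir/my-ca.crt
serial          = $dir/serial
private_key     = $dir/private/my-ca.key
RANDFILE        = $dir/private/.rand
default_days    = 36500
default_md      = sha256
policy          = policy_match
x509_extensions = usr_cert

# Country, state and organisation of every request must match the CA;
# this is the reason for the "same country code" note above.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ usr_cert ]
basicConstraints = CA:FALSE

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca

[ req_distinguished_name ]
commonName = Common Name

[ v3_ca ]
basicConstraints = CA:TRUE
EOF

CA_SUBJ="/C=NL/ST=Example/O=Home/CN=my-ca"   # constructed sample subject

# Directories and bookkeeping files exactly as listed on the page, then the
# self-signed root valid for 10 years (key goes straight into demoCA/private).
setup_ca() {
    mkdir -p demoCA/newcerts demoCA/private
    echo 01 > demoCA/serial
    : > demoCA/index.txt
    openssl req -config openssl.cnf -nodes -new -x509 -days 3650 -subj "$CA_SUBJ" \
        -keyout demoCA/private/my-ca.key -out demoCA/my-ca.crt 2>/dev/null
}

# issue_cert NAME SUBJECT: private key + request, then sign with the CA.
# Returns openssl's exit status, so a policy violation makes it fail.
issue_cert() {
    openssl req -config openssl.cnf -nodes -new -subj "$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl ca -batch -config openssl.cnf -out "$1.crt" -in "$1.csr" >/dev/null 2>&1
}

# verify_cert NAME: prints "NAME.crt: OK" when the certificate chains to my-ca.crt.
verify_cert() {
    openssl verify -CAfile demoCA/my-ca.crt "$1.crt" 2>/dev/null
}

setup_ca
issue_cert syn   "/C=NL/ST=Example/O=Home/CN=syn"
issue_cert alice "/C=NL/ST=Example/O=Home/CN=alice"
verify_cert syn
verify_cert alice
```

The server's openVPN process only trusts certificates that chain to my-ca.crt, so the 'openssl verify' calls are a useful check before copying files to a client; a request with a different country (for example C=DE against the NL root above) is refused by 'openssl ca' and never produces a certificate.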
Copy the public and private keys to the client
You can use the existing VPN setup to copy the following files into the same folder as the .ovpn file on the client:
- dh1024.pem (from /var/packages/VPNCenter/target/etc/openvpn/keys/)
- my-ca.crt (root certificate, from /volume1/<USERFOLDER>/demoCA/)
- <name>.crt (certificate with public key, from /volume1/<USERFOLDER>/demoCA/)
- <name>.key (private key, from /volume1/<USERFOLDER>/demoCA/ - keep it secret!)
Modify the client and server configuration files
- Client: .../configuration.ovpn
...
#ca ca.crt
#added by <name>
dh dh1024.pem
ca my-ca.crt
cert <name>.crt
key <name>.key
verb 3
#added by <name>
#We disabled authentication with the RADIUS server because the password would need to be saved in plain text!
#auth-user-pass SecretPasswordFile.txt
- Server: /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf
...
#ca /var/packages/VPNCenter/target/etc/openvpn/keys/ca.crt
ca /volume1/<USERFOLDER>/demoCA/my-ca.crt
#cert /var/packages/VPNCenter/target/etc/openvpn/keys/server.crt
cert /volume1/<USERFOLDER>/syn.crt
#key /var/packages/VPNCenter/target/etc/openvpn/keys/server.key
key /volume1/<USERFOLDER>/syn.key
#you can enable this line temporarily to view the log with "tail -f -n 100 /var/log/openvpn.log":
#log-append /var/log/openvpn.log
#plugin /var/packages/VPNCenter/target/lib/radiusplugin.so /var/packages/VPNCenter/target/etc/openvpn/radiusplugin.cnf
#client-cert-not-required
#username-as-common-name
#added by <name>
user nobody
group nobody
#added by <name>
Restart the openVPN server and login
Restart the server in the web interface: disable + apply, then enable + apply.
Now the client is able to connect without entering user credentials!