Download station with vpn client

dinithion
I'm New!
Posts: 3
Joined: Wed May 25, 2016 7:44 pm

Re: Download station with vpn client

Postby dinithion » Wed May 25, 2016 8:07 pm

I've been working on a solution for this but it's ongoing work at this stage. For the time being I've managed to get it to work on my laptop so I hope it's doable to adapt it to the Synology. Unfortunately you need to get your hands dirty and it requires a fair portion of elbow grease.

The basic concept is to
1. Open a VPN connection but keep the old routing table
2. Use iptables and mark packages belonging to the DownloadStation user
3. Add a routing rule to route the marked packages from DownloadStation through the VPN
4. Profit!

In my laptop's openvpn.ovpn I've added "route-nopull"; unfortunately my laptop doesn't seem to respect that, so I've got to manually recreate the routing table. Let's hope that won't be the case for the DiskStation. The following script is not tested with my PIA VPN, but currently I just tried it from a different wifi using my DiskStation as OpenVPN server. I need to do some grepping magic to get the various IP addresses. I hope that in the near future I can finish this and get a workable solution that can be run as a script. Still missing is the killswitch, but that should in principle be a one-liner iptable command. Maybe two or three or maybe four. In and out for both UDP and TCP. As of now I've got the following script on my laptop:

Code:

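#!/bin/bash
# Various route and ip route commands to delete the new additions to the routing table (See comment above)
# Values in <...> are placeholders to replace; they are quoted so the shell does not read < and > as redirections.
# Mark every packet sent by the DownloadStation user with fwmark 1
iptables -t mangle -A OUTPUT -m owner --uid-owner DownloadStation -j MARK --set-mark 1
# Rewrite the source address of marked packets on the way out
iptables -t nat -A POSTROUTING -m mark --mark 1 -j MASQUERADE
# Marked packets look up routing table 100 instead of the main table
ip rule add fwmark 0x1 table 100
route add -net "<VPN-ip-net>/<subnetmask>" dev tun0 metric 100
# Main table: default route via the LAN
ip route add default via "<LAN IP>" dev eth0
# Table 100: default route via the VPN tunnel
ip route add default via "<VPN IP>" table 100 dev tun0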


I'm pretty much a novice when it comes to system administration. I've googled this for hours and couldn't see that anybody had done the same, so the point of this post is to plant the idea out there with hardcore admins. Maybe someone can enhance it. But I will still try and get this to a workable state, though it will probably always require one to log in to a shell and run the script.
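
The split-tunnel plan from the post above, extended with the kill switch it lists as still missing, as an added example that is not code from the thread. The gateway 10.8.0.1, the blackhole fallback route and the rp_filter setting are assumptions of this example, and it presumes the kernel provides the iptables owner match the post relies on.

```shell
#!/bin/sh
# Added example: per-user split tunnel with a fail-closed kill switch.
# Dry run by default: commands are only printed. APPLY=1 (as root) runs them.

emit() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

split_tunnel_rules() {
    user=$1 tun=$2 vpn_gw=$3 table=${4:-100} mark=${5:-1}

    # 1. Tag every locally generated packet owned by $user.
    emit iptables -t mangle -A OUTPUT -m owner --uid-owner "$user" -j MARK --set-mark "$mark"

    # 2. Tagged packets consult their own routing table.
    emit ip rule add fwmark "$mark" table "$table"
    emit ip route add default via "$vpn_gw" dev "$tun" table "$table"

    # 3. Fail closed at the routing layer: when $tun goes down its route is
    #    removed, and without this the lookup falls through to the main table.
    emit ip route add blackhole default metric 200 table "$table"

    # 4. The socket chose its source address before the mark rerouted the
    #    packet, so rewrite the source on the way into the tunnel.
    emit iptables -t nat -A POSTROUTING -o "$tun" -m mark --mark "$mark" -j MASQUERADE

    # 5. Replies arrive on $tun while the unmarked reverse lookup points at
    #    the LAN; loose reverse-path filtering keeps them from being dropped.
    emit sysctl -w "net.ipv4.conf.$tun.rp_filter=2"

    # 6. Kill switch: $user may reach loopback and the tunnel, nothing else.
    #    Appended rules only win if no earlier OUTPUT rule accepts the packet.
    emit iptables -A OUTPUT -o lo -m owner --uid-owner "$user" -j ACCEPT
    emit iptables -A OUTPUT ! -o "$tun" -m owner --uid-owner "$user" -j REJECT
}

# Constructed sample values (not from the thread); prints the plan only.
split_tunnel_rules DownloadStation tun0 10.8.0.1
```

Run it once without APPLY to review the eight commands, then again with APPLY=1 after the VPN is up so that tun0 exists.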
dinithion
I'm New!
Posts: 3
Joined: Wed May 25, 2016 7:44 pm

Re: Download station with vpn client

Postby dinithion » Wed Jun 01, 2016 9:24 pm

So a small update of the progress.

I've started to experiment on my DiskStation now. The routing table there is simpler than on my laptop, and it seems I might be able to fix the routing table in a bash 'until' loop. The problem now is that Synology doesn't provide a kernel module needed by iptables. Iptables needs a module to filter packets by user, so to get this to work it seems I need to compile the iptable_mangle kernel module. That requires me to download the Synology software and do some magic. Unfortunately I don't have the luxury of having a lot of spare time at the moment, so I don't know when I've got the time to continue with this work.
larsalex
Trainee
Posts: 15
Joined: Fri Apr 30, 2010 11:08 pm

Re: Download station with vpn client

Postby larsalex » Sat Jun 04, 2016 4:51 pm

damartin wrote:
This is the perfect solution - install a docker image that has a bittorrent downloader and vpn client installed. enjoy....

https://hub.docker.com/r/haugene/transmission-openvpn/

That way - only the docker container is connected over VPN - leaving everything working as normal.

Excellent solution! I finally took the plunge and updated to DSM 5.2 JUST so I could try out this and Docker... AWESOME!

Thanks MUCH!


Is it required to have a DiskStation that supports Docker? Like the 916+? or would this also work on a non-Docker supported DS as the 416play for example?
DS 916+ 8GB / DS 211 / DS 210j
toolpusher
Apprentice
Posts: 92
Joined: Sun Feb 24, 2013 3:56 pm

Re: Download station with vpn client

Postby toolpusher » Sat Jun 04, 2016 5:42 pm

What am I missing here guys? I have OpenVPN running and when I check on ipleak using the torrent detection download link, as it's turned on and off the IP changes from my static IP to something else, which proves it's working, yes? I can also access my DS remotely and the other DS apps and also access Plex remotely as well. Is that normal? Sorry, I thought that was how it was meant to work.
TP
DS716+
dinithion
I'm New!
Posts: 3
Joined: Wed May 25, 2016 7:44 pm

Re: Download station with vpn client

Postby dinithion » Sat Jun 04, 2016 6:01 pm

larsalex wrote: Is it required to have a DiskStation that supports Docker? Like the 916+? or would this also work on a non-Docker supported DS as the 416play for example?


No, this should work on a much lower level and it's fundamentally different. Here the concept is to let the linux kernel see which user is the owner of any given packet, and then based on that choose different routing tables. Thus the default route would be to use your normal gateway with your ISP, but if the packet belongs to DownloadStation, the routing would be through the VPN connection.

toolpusher wrote: What am I missing here guys? I have OpenVPN running and when I check on ipleak using the torrent detection download link, as it's turned on and off the IP changes from my static IP to something else, which proves it's working, yes? I can also access my DS remotely and the other DS apps and also access Plex remotely as well. Is that normal? Sorry, I thought that was how it was meant to work.


Yes, that's all well and fine, but with the limited information you are giving here (granted, I haven't read the whole thread), I guess ALL the data from your Synology is running through the VPN. Unless you are using a different BitTorrent client that some have suggested, or use the Docker method mentioned above.

The problem with this is that the IP you get from your VPN is not necessarily predictable and some VPNs don't even support listening ports on their customers' computers because of NATing. If you never access your Synology away from home, that's not a problem. I sync my calendar and contact list with my Synology, and frequently access files there. Accessing files is still possible as I can use the "backdoor", through my stationary computer. But syncing calendars and Note Station while traveling is desired.
lbates4296
I'm New!
Posts: 2
Joined: Tue Aug 16, 2016 6:29 pm

Re: Download station with vpn client

Postby lbates4296 » Tue Aug 16, 2016 6:48 pm

I am trying to use a router to route traffic from the Synology DL Station package through a VPN tunnel.

I can easily route traffic from the Synology device to the tunnel using the source IP address. But then all traffic is routed to the tunnel.

If I use the port numbers as the source, it doesn't route any traffic across the tunnel and it all simply goes out from my WAN.

Any suggestions?

Using a Ubiquiti EdgeMax Router
briankfree
Beginner
Posts: 21
Joined: Thu Jan 10, 2013 6:21 pm

Re: Download station with vpn client

Postby briankfree » Tue Aug 16, 2016 11:17 pm

I have a dedicated Virtual DSM running on top of a DS1515+ with a dedicated IP. Its sole purpose is for Download Station. I then use an Asus router to create a VPN tunnel and enable policy-based routing using the IP address of my dedicated Synology instance. This allows me to use my primary device running on my main network and the secondary running only through the VPN tunnel. You can also have it kill traffic if the tunnel goes down.

Here is how it's set up: https://torguard.net/knowledgebase.php? ... cle&id=216

Until download station has something built in to bind itself to the VPN tunnel and tolerate disconnects, this is the best solution I've come up with.
lbates4296
I'm New!
Posts: 2
Joined: Tue Aug 16, 2016 6:29 pm

Re: Download station with vpn client

Postby lbates4296 » Thu Aug 18, 2016 1:52 am

I was able to get this working and have tested using https://ipleak.net/ with no leaks detected.

I have a Ubiquiti EdgeMax router ( https://www.amazon.com/Ubiquiti-Network ... B00E77N3WE ) and have it configured to only put the DL Station downloading traffic across the VPN Tunnel.

If anyone has interest you can find the info on how to accomplish here: http://community.ubnt.com/t5/EdgeMAX/Po ... 1#U1648031
starsys
I'm New!
Posts: 1
Joined: Sat Oct 15, 2016 2:00 pm

Re: Download station with vpn client

Postby starsys » Sat Oct 15, 2016 2:03 pm

slburke wrote:
damartin wrote:This is the perfect solution - install a docker image that has a bittorrent downloader and vpn client installed. enjoy....

https://hub.docker.com/r/haugene/transmission-openvpn/

That way - only the docker container is connected over VPN - leaving everything working as normal.

Excellent solution! I finally took the plunge and updated to DSM 5.2 JUST so I could try out this and Docker... AWESOME!

Thanks MUCH!


Hello.
I'm just trying this image on my DS411 II+.
I cannot make it run, have you done that as explained on this image web page ? :

"Make it work on Synology NAS
Here are the steps to run it on a Synology NAS (Tested on DSM 6) :
Connect as admin to your Synology SSH
Switch to root with command sudo su -
Enter your admin password when prompted
Create a TUN.sh file anywhere in your synology file system by typing vim /volume1/foldername/TUN.sh
replacing foldername with any folder you created on your Synology
Paste @timkelty 's script :
```
#!/bin/sh"

Do I have to install an OpenVPN package ?
Thanks for your help.
Duffy
I'm New!
Posts: 4
Joined: Mon Jul 13, 2015 12:16 am

Re: Download station with vpn client

Postby Duffy » Wed Oct 26, 2016 12:18 pm

I have only quickly skimmed this topic, so apologies if I am repeating a previous post, but this is how I route my download traffic through a VPN and connect remotely.

Key is to have the right router/software.
I have an ASUS RT-AC3200 router (purchased specifically for this purpose).
This router comes with asuswrt software, which is ASUS's cut down version of the open source DD-WRT software.
Install Asuswrt-merlin software (http://asuswrt.lostrealm.ca/) on the router which opens up the full features.
With the new software on the router, you can configure up to 5 VPNs - I only need 2: one for the Disk Station and one for everything else. I am with Private Internet Access.
When the VPN to which the DS is connected goes down (not that it does), the internet connection to the DS is stopped and hence all downloading is stopped (you are not exposed!).
When the VPN to which everything else is connected goes down, everything else just goes over to normal internet (so the family is still happy).

Also note that the ASUS has a neat app to control the router via your phone and great parental controls - time schedules are easy to configure and can be assigned to a MAC address. You can use your phone to stop internet access for a given MAC address, create guest wireless passwords, all sorts of things parents have been crying out for.

For remote connecting to the DS, I use putty to ssh into the router and then tunnel to the DS. Google how to set up a tunnel with Putty.
You will need a static address or a DDNS account to ssh in remotely - ASUS provides a DDNS account with the router.

The downside of all of this is that the entire DS is going through the VPN, so any synology apps on your phone will not connect directly to the DS.
You will also need to install putty on your phone (I use ConnectBot) and tunnel to the DS with DS Audio, DS Note, etc.
I have set up the synology apps so they can directly connect to the DS when I am home and only tunnel when remote.

Hope this gives some guidance.
I don't check in too often to this forum, but I trust the above is sufficient for those who want to go down this path.

Duffy

PS:
For the avoidance of doubt, I don't use any of the router features on the DS - too restrictive (and why this topic is 8 pages long).
Far better to use a dedicated router.
Also note that my router is only a router. You will also need a separate modem.

PPS: I have no IT background, just time to investigate.
laurie_lewis
Student
Posts: 67
Joined: Tue Mar 18, 2008 11:34 pm

Re: Download station with vpn client

Postby laurie_lewis » Fri Oct 28, 2016 4:56 am

Is anyone else having problems with the following package in Docker

https://hub.docker.com/r/haugene/transmission-openvpn/

I had it working and went away on holidays and came back and now it no longer works.

I have reinstalled it just to check but still not working. Followed all the instructions to get it working.

When I look at the logs I see the following error

2016-10-28 02:36:28 stdout Fri Oct 28 02:36:27 2016 Socket Buffers: R=[212992->131072] S=[212992->131072]
2016-10-28 02:36:27 stdout Fri Oct 28 02:36:27 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2016-10-28 02:36:25 stdout Fri Oct 28 02:36:25 2016 Restart pause, 2 second(s)
2016-10-28 02:36:25 stdout Fri Oct 28 02:36:25 2016 SIGUSR1[soft,tls-error] received, process restarting
2016-10-28 02:36:25 stdout Fri Oct 28 02:36:25 2016 TLS Error: TLS handshake failed
2016-10-28 02:36:25 stdout Fri Oct 28 02:36:25 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2016-10-28 02:35:26 stdout Fri Oct 28 02:35:25 2016 UDPv4 link remote: [AF_INET]XX.XXX.XX.XX:1194
2016-10-28 02:35:26 stdout Fri Oct 28 02:35:25 2016 UDPv4 link local: [undef]
2016-10-28 02:35:26 stdout Fri Oct 28 02:35:25 2016 TCP/UDP: Preserving recently used remote address: [AF_INET]XX.XX.XX.XX:1194
2016-10-28 02:35:26 stdout Fri Oct 28 02:35:25 2016 Socket Buffers: R=[212992->131072] S=[212992->131072]



DSM Version: DSM 6.0.2-8451 Update 2

thanks
charrington
I'm New!
Posts: 5
Joined: Sun May 06, 2012 5:33 am

Re: Download station with vpn client

Postby charrington » Fri Dec 16, 2016 5:08 pm

Just curious - why not have all Synology traffic go through a VPN?
jata
I'm New!
Posts: 1
Joined: Mon Dec 19, 2016 6:23 am

Re: Download station with vpn client

Postby jata » Mon Dec 19, 2016 6:31 am

GingerNutter
I'm New!
Posts: 5
Joined: Tue Apr 16, 2013 6:30 am

Re: Download station with vpn client

Postby GingerNutter » Tue Dec 20, 2016 3:40 am


Yes, this worked for me too. Finally, after 2 years of looking for a solution and also being told by support it's not even possible!
slburke
Trainee
Posts: 17
Joined: Thu May 17, 2012 8:55 pm

Re: Download station with vpn client

Postby slburke » Mon Dec 26, 2016 3:26 pm

GingerNutter wrote:

Yes, this worked for me too. Finally, after 2 years of looking for a solution and also being told by support it's not even possible!


You two obviously missed the following in that thread... https://www.reddit.com/r/synology/comments/2qgfyi/download_manager_vpns_and_access_to_your_nas_from/?st=ix6674ao&sh=18e91749#cn7us86
