- What’s available
- Configuring Server
- Configuring Clients
- Remote access to the home network, supporting a choice of split or full tunnel.
- Ease of deployment, preferably one click.
- Support for macOS, iOS and, secondarily, Windows.
- Strong encryption; compression is a plus.
- User authentication, either by passkey or public key. In the case of a passkey, auto-block should be configured after a few failed attempts.
- A supported/commercial solution is a plus (as opposed to hacking one together and supporting it forever).
The following equipment supports remote access VPN:
- Unifi USG gateway: supports PPTP and L2TP with Radius. PPTP is not a serious option, and L2TP clashes with Back to My Mac ports.
- Sophos XG firewall: supports all sorts of IPsec but cannot terminate VPN connections in bridge mode until version 18.
- VPN Server on Synology Diskstation: supports PPTP, L2TP and OpenVPN, with various user authentication options: Radius, LDAP, or the internal user base (which uses Radius as a backend anyway, as a plugin).
OpenVPN seems like the obvious choice; the only downside is that Synology can be either a VPN Server or a VPN Client, but not both. This breaks a few useful scenarios such as mutual replication, but we'll deal with that later.
We will make the following assumptions:
- LAN: 10.0.17.0/24, suffix home.example.com
- VPN: 10.0.22.0/24
- DNS: 10.0.17.1
- Synology: 10.0.17.130
- FQDN: home.example.com
- User1: greg; email@example.com
- User2: emili; firstname.lastname@example.org
- IPv6: we don't bother for now
Setup OpenVPN Server
This is fairly straightforward: from the Package Manager, install OpenVPN server.
Launch it; on the General settings select:
- Network Interface to bind to
- Account types. Supported are Local Users, LDAP and Radius, if configured.
- Configure AutoBlock
On the Privilege page select users.
On the OpenVPN page configure the server. Sample configuration on the screenshot:
- Configure the IP range (10.0.22.0/24 in our assumptions).
- Port: leave at the default.
- Encryption: AES-256-CBC is recommended as secure and performant enough.
- Enable compression.
- Set “allow clients to access Server’s LAN”.
Generate and edit .ovpn profiles
Now some trickery.
You will get four files
Read through the VPNConfig.ovpn and make changes as directed below:
```
dev tun
tls-client
```
Add the FQDN pointing to your external interface, most likely on a gateway; it should be kept up to date via DDNS:
```
remote home.example.com 1194
```
The float option is useful for mobile clients - I haven’t played with it much yet.
```
# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)
#float
```
The next option is important. You will want to make two copies of the .ovpn profile: in the one we will use for split tunnel, redirect-gateway shall be commented out; in the other one, for full tunnel, leave it uncommented.
```
# If redirect-gateway is enabled, the client will redirect it's
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)
redirect-gateway def1
```
dhcp-option DNS is configured automatically, but you will want to add the next two lines (DOMAIN and DOMAIN-SEARCH) so that split tunnel resolves home names correctly:
```
# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.
dhcp-option DNS 10.0.17.1
dhcp-option DOMAIN home.example.com
dhcp-option DOMAIN-SEARCH home.example.com
pull
```
Next, I would comment out the script-security statement; we don't really need it, and this avoids warnings in the clients. I would also add auth-nocache. Leave the rest of the options intact.
```
# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp
#script-security 2
reneg-sec 0
auth-nocache
comp-lzo
cipher AES-256-CBC
auth SHA256
auth-user-pass
```
If you see references to certificate files, insert the contents of ca_bundle.crt inline:
```
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
```
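Putting the profile edits above together, here is an added example script (not code from the original post or from Synology) that derives a split-tunnel and a full-tunnel profile from the exported VPNConfig.ovpn and then checks that each has the expected shape. It assumes the file names used in this post (VPNConfig.ovpn, ca_bundle.crt) and the post's LAN domain; the sample profile and certificate bundle embedded in it are constructed placeholders, not real exported files.

```shell
#!/bin/sh
# Added example, not code from the original post or from Synology: derive a
# split-tunnel and a full-tunnel profile from the exported VPNConfig.ovpn,
# applying the edits described in the post, and sanity-check the result.
# Assumptions: the post's file names (VPNConfig.ovpn, ca_bundle.crt) and LAN
# domain; the sample profile and CA bundle below are constructed placeholders.
set -eu

LAN_DOMAIN="home.example.com"

# usage: make_profile <split|full> <base.ovpn> <ca_bundle.crt> <out.ovpn>
make_profile() {
    mode="$1"; base="$2"; ca="$3"; out="$4"
    awk -v mode="$mode" -v dom="$LAN_DOMAIN" -v cafile="$ca" '
        # A "ca <file>" reference becomes the inlined bundle in a <ca> block.
        /^ca / {
            print "<ca>"
            while ((getline line < cafile) > 0) print line
            close(cafile)
            print "</ca>"
            next
        }
        # script-security is not needed and only produces client warnings.
        /^script-security/ { print "#" $0; next }
        # Split tunnel keeps the default route local; full tunnel redirects it.
        /^redirect-gateway/ && mode == "split" { print "#" $0; next }
        # Keep the generated DNS line and add the LAN domain hints after it.
        /^dhcp-option DNS/ {
            print
            print "dhcp-option DOMAIN " dom
            print "dhcp-option DOMAIN-SEARCH " dom
            next
        }
        # Do not keep the password in memory once it has been used.
        /^auth-user-pass/ { print "auth-nocache" }
        { print }
    ' "$base" > "$out"
}

# usage: check_profile <split|full> <profile.ovpn>; returns 0 when the profile
# has the shape the post describes for that mode, 1 (with a reason) otherwise.
check_profile() {
    mode="$1"; f="$2"
    grep -q '^<ca>' "$f" || { echo "$f: CA bundle not inlined" >&2; return 1; }
    grep -q '^ca ' "$f" && { echo "$f: still references a certificate file" >&2; return 1; }
    grep -q '^script-security' "$f" && { echo "$f: script-security still active" >&2; return 1; }
    grep -q '^auth-nocache' "$f" || { echo "$f: auth-nocache missing" >&2; return 1; }
    grep -q "^dhcp-option DOMAIN-SEARCH $LAN_DOMAIN" "$f" || { echo "$f: no search domain" >&2; return 1; }
    if [ "$mode" = split ]; then
        grep -q '^redirect-gateway' "$f" && { echo "$f: split profile redirects default route" >&2; return 1; }
    else
        grep -q '^redirect-gateway' "$f" || { echo "$f: full profile lacks redirect-gateway" >&2; return 1; }
    fi
    return 0
}

# Write constructed sample inputs to a temp dir, generate both profiles there
# and print the directory. The base profile mirrors the directives quoted in
# the post; the certificate bodies are placeholders, not real certificates.
demo() {
    d=$(mktemp -d)
    cat > "$d/VPNConfig.ovpn" <<'EOF'
dev tun
tls-client
remote home.example.com 1194
#float
redirect-gateway def1
dhcp-option DNS 10.0.17.1
pull
proto udp
script-security 2
reneg-sec 0
comp-lzo
cipher AES-256-CBC
auth SHA256
auth-user-pass
ca ca_bundle.crt
EOF
    cat > "$d/ca_bundle.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ROOT-CA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-CA
-----END CERTIFICATE-----
EOF
    make_profile split "$d/VPNConfig.ovpn" "$d/ca_bundle.crt" "$d/home-split.ovpn"
    make_profile full  "$d/VPNConfig.ovpn" "$d/ca_bundle.crt" "$d/home-full.ovpn"
    echo "$d"
}

DIR=$(demo)
check_profile split "$DIR/home-split.ovpn"
check_profile full  "$DIR/home-full.ovpn"
echo "profiles written to $DIR"
```

Run it against a real export by replacing the constructed inputs in demo with the real VPNConfig.ovpn and ca_bundle.crt paths; check_profile is also handy on its own before handing a profile to a client, since the split and full variants differ by a single commented line and are easy to mix up.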
Now you should have
Configure DDNS and Firewall
On your gateway and/or firewall, allow OpenVPN traffic from WAN to the Synology box, and forward port
Deploy both profiles, and select one or the other depending on whether full or split tunnel is required.
Synology recommends Tunnelblick but I had some weird issues with it, and instead suggest using Viscosity (this is a non-affiliate link) for both macOS and Windows.
Install it and drop the .ovpn file onto it. That's pretty much the end of it; nothing else needs to change, the defaults are sensible.
You will need to configure a username and password, and the rest should just work, including split tunnel mode.
To confirm, on a Mac run scutil --dns and observe the sequence of DNS suffixes and resolvers at the very top.
So, does split tunnel actually work? Well, let's try. I'm connected to the corporate network corporate.com and have started an OpenVPN split tunnel connection to home.example.com. chipmunk.home.example.com is another machine at home; hedgehog.corporate.com is a machine on the local LAN.
```
$ ping chipmunk
PING chipmunk.home.example.com (10.0.17.12): 56 data bytes
^C
$ ping hedgehog
PING hedgehog.corporate.com (172.16.11.21): 56 data bytes
^
```
Ain’t that great!
On iOS it is a bit more involved.
- Install OpenVPN Connect
- AirDrop yourself the .ovpn profile and open it with the OpenVPN app. This works most of the time; if it does not, email it to yourself, preferably not via the internet but via a local mail server on the LAN. Opening the profile from the email never failed.
Note, you need to initiate the connection from the OpenVPN app; attempting to start the VPN session from Settings -> VPN will not work, at least when using
Does split tunnel actually work here as well? Yes. You can verify by pinging similar hosts via your favourite tool (such as Network Tools).
Haven’t tried it myself, but I’m pretty sure Viscosity would do just fine.