Setting up login credentials for OPEN VPN

ADOZ2AD · ‎2024-02-29

Hello,
I have a Nighthawk R7000 rooter with a default OS (which I can't change).
I have for several years activated the vpn service with open vpn which works very well.
However, I'd like to increase security to connect to my rooter (and therefore to the connected nas server): set up a login and password connection.
Is there a (simple) solution for this type of connection via open vpn?
Is it possible to give rights to certain identifiers or remove them?
I'd like to stop distributing the identification key, but to grant connection rights.

Thank you in advance for your reply.

Translated with DeepL.com (free version)

schumaku · ‎2024-03-01

Needless to say you need to configure the port forwarding on your router to the Syno LAN IP address

Voila https://kb.synology.com/fr-fr/DSM/help/VPNCenter/vpn_setup?version=7#b_17

Here a very old OpenVPN Client Syno config example (no guarantee):

==========

dev tun
tls-client

remote XXXXXXXX.synology.me 1194

# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect it's
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

#redirect-gateway def1

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

#dhcp-option DNS DNS_IP_ADDRESS

pull

# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp

script-security 2

comp-lzo

reneg-sec 0

cipher BF-CBC

auth SHA1

auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIDTTCCAragAwIBAgIJAOQ2welR+cy6MA0GCSqGSIb3DQEBCwUAMIGnMQswCQYD
xxx

-----END CERTIFICATE-----
</ca>

==========

Bonne chance!

Please note: This was never adopted to the "newer" (modern) OpenVPN standard, however it's still workable:

View solution in original post

Kitsap · ‎2024-02-29

@ADOZ2AD wrote:
Hello,
I have a Nighthawk R7000 rooter with a default OS (which I can't change).
I have for several years activated the vpn service with open vpn which works very well.
However, I'd like to increase security to connect to my rooter (and therefore to the connected nas server): set up a login and password connection.
Is there a (simple) solution for this type of connection via open vpn?
Is it possible to give rights to certain identifiers or remove them?
I'd like to stop distributing the identification key, but to grant connection rights.
Thank you in advance for your reply.
Translated with DeepL.com (free version)

A couple of resource links that could help you find answers.

https://forums.openvpn.net/

https://www.snbforums.com/forums/vpn.12/

michaelkenward · ‎2024-02-29

The people behind your NAS and its OS may also have useful things to say.

ADOZ2AD · ‎2024-03-01

I've come to ask for help here because I use the basic netgear os and the basic openvpn vpn option.

michaelkenward · ‎2024-03-01

You referred to "the connected nas server". Most NAS network attached storage (NAS) devices have their own OS.

If you mean the DLNA sever on the router, that's something else. Not really NAS.

ADOZ2AD · ‎2024-03-01

No, I'm talking about the Nas, which has its own system and I connect to it via its IP (physically linked to the rooter).
To access the Nas, I go through the rooter and connect to it with OpenVpn.
OpenVpn is configured using the rooter's original settings, so it's an open vpn key connection.
I'd like to change this connection to an ID and password system, is that possible?

schumaku · ‎2024-03-01

On a generic OpenVPN implementation, you could add

auth-user-pass

to your OpenVPN client config, and very easy to implement when operating OpenVPN for example on the NAS (like Synology or QNAP for example), adding a reference on the server side on where to find and the name of the username password file.

ADOZ2AD · ‎2024-03-01

o! that would be perfect!

I use a Synology nas server!

Do you have a link to the procedure?
Thanks in advance

schumaku · ‎2024-03-01

Needless to say you need to configure the port forwarding on your router to the Syno LAN IP address

Voila https://kb.synology.com/fr-fr/DSM/help/VPNCenter/vpn_setup?version=7#b_17

Here a very old OpenVPN Client Syno config example (no guarantee):

==========

dev tun
tls-client

remote XXXXXXXX.synology.me 1194

# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect it's
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

#redirect-gateway def1

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

#dhcp-option DNS DNS_IP_ADDRESS

pull

# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp

script-security 2

comp-lzo

reneg-sec 0

cipher BF-CBC

auth SHA1

auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIDTTCCAragAwIBAgIJAOQ2welR+cy6MA0GCSqGSIb3DQEBCwUAMIGnMQswCQYD
xxx

-----END CERTIFICATE-----
</ca>

==========

Bonne chance!

Please note: This was never adopted to the "newer" (modern) OpenVPN standard, however it's still workable:

FURRYe38 · ‎2024-03-01

FW is old as well. May need to update FW to ensure any VPN configurations work. Try the suggestions first, then if something doesn't work, update FW and try again.

@ADOZ2AD wrote:

No, I'm talking about the Nas, which has its own system and I connect to it via its IP (physically linked to the rooter).
To access the Nas, I go through the rooter and connect to it with OpenVpn.
OpenVpn is configured using the rooter's original settings, so it's an open vpn key connection.
I'd like to change this connection to an ID and password system, is that possible?

Setting up login credentials for OPEN VPN

Setting up login credentials for OPEN VPN

Re: Setting up login credentials for OPEN VPN

Re: Setting up login credentials for OPEN VPN

Re: Setting up login credentials for OPEN VPN

Re: Setting up login credentials for OPEN VPN

Re: Setting up login credentials for OPEN VPN

Re: Setting up login credentials for OPEN VPN

Re: Setting up login credentials for OPEN VPN

Re: Setting up login credentials for OPEN VPN

Re: Setting up login credentials for OPEN VPN

Re: Setting up login credentials for OPEN VPN