
I followed official Synology documentation and I created an OpenVPN Server to connect remotely to a NAS, that is in a LAN with its NAS_LOCAL_IP_ADDRESS. The VPN server configuration is like the following one:


Now, I'm trying to connect from my Mac via Tunnelblick following their instructions. In particular, they say:

Open the exported file openvpn.ovpn with TextEdit and replace YOUR_SERVER_IP with the public IP address of your Synology NAS. If you wish to send all traffic over VPN, remove # from #redirect-gateway def1.


Here is my VPNConfig.ovpn:

```
dev tun
tls-client

remote YOUR_SERVER_IP 1194

pull

# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp

script-security 2

comp-lzo

reneg-sec 0

cipher AES-256-CBC

auth SHA512

auth-user-pass
```

I do not want to reroute all the traffic to the VPN, I just wanna route requests to my NAS_LOCAL_IP_ADDRESS.

If I leave #redirect-gateway def1 commented, the VPN seems to be working this way. This is what I want, but I cannot understand why it happens, since I've never specified the NAS_LOCAL_IP_ADDRESS anywhere in the config file.

Can you folks help me understand how things work under the hood?

floatingpurr
  • Please show VPN server configuration. OpenVPN can *push* routes (and other settings) to clients, that's why, even while you didn't configure any on the client, they may appear after connecting. Also, please **paste all configs as text**. Don't use pictures for that. Replace a screenshot with the copy-paste text. That way it will be indexed by search engines and may eventually help someone else. Thank you. – Nikita Kipriyanov Feb 19 '21 at 18:09
  • Hi @NikitaKipriyanov I updated the original post w/ the client config file. It's nothing more than the default one you can download from the Synology VPN Server. My question is: how does my OS know that **only the IP `NAS_LOCAL_IP_ADDRESS`** needs to be rerouted through the VPN? If I understand your suggestion correctly, it is a kind of static route pushed back to my OS after the first connection to the VPN Server – floatingpurr Feb 19 '21 at 22:23
  • OpenVPN itself is configured with a text config file or command line options (or both). I meant I need those to help. Synology did a GUI which obscures these things, because it isn't clear which GUI elements correspond to which OpenVPN options. What does this "Allow other clients to access server's LAN" do? Does it push any routes? I'll say it again, that is possible in OpenVPN, but since you showed the DSM config and not OpenVPN's one, it is only speculation. From this screenshot I just can't tell how your OpenVPN server is configured. – Nikita Kipriyanov Feb 20 '21 at 06:15
  • I see, but I don't know where to get the file you requested in the Synology ecosystem. – floatingpurr Feb 20 '21 at 13:28

1 Answer

Most likely, you've selected the Allow clients to access server's LAN option on the NAS side.

This means that upon connecting, the server (NAS) pushes down a route like NAS_LOCAL_NETWORK is reachable via NAS_VPN_IP_ADDRESS.

So when you try to contact NAS_LOCAL_IP_ADDRESS, your client identifies it as part of NAS_LOCAL_NETWORK and sends it to NAS_VPN_IP_ADDRESS. On the other end of the tunnel, your NAS knows that NAS_LOCAL_IP_ADDRESS doesn't need to be routed but is a local IP address, i.e. it answers the request directly.

grasbueschel
  • Hi. I've just updated the original question w/ more details such as the VPN Server configuration. Yes, I selected that option. How can I check the extra routes injected upon the connection to the VPN server? – floatingpurr Feb 19 '21 at 22:34
  • Either you set the client logging level (add `verb 3` to the config) and check the log (search for `PUSH: Received control message`), or you observe your routing table (`ip ro` Linux, `route print` Win, `netstat -rn` macOS). – grasbueschel Feb 20 '21 at 07:13
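The route pushing described in the answer and the `PUSH: Received control message` log check from the comment, as an added Python example (not code from the question, the answer, Synology or OpenVPN): it parses a constructed `verb 3` log excerpt, merges it with route options from the local .ovpn, and reports which destinations end up in the tunnel, including the `redirect-gateway def1` case the question leaves commented out. The addresses 192.168.1.0/24, 10.8.0.1 and the log lines are placeholders standing in for NAS_LOCAL_NETWORK, NAS_VPN_IP_ADDRESS and a real client log.

```python
import ipaddress
import re

# Constructed sample of an OpenVPN client log at "verb 3". The addresses are
# placeholders for the poster's NAS_LOCAL_NETWORK and the VPN subnet.
SAMPLE_LOG = """\
openvpn[1234]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
openvpn[1234]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ifconfig 10.8.0.6 255.255.255.0'
openvpn[1234]: OPTIONS IMPORT: route options modified
"""

PUSH_RE = re.compile(r"PUSH: Received control message: '(?P<body>[^']*)'")

def _apply_option(opt, routes, state):
    """Turn one OpenVPN option (pushed, or from the local .ovpn) into routes."""
    parts = opt.split()
    if parts and parts[0] == "route" and len(parts) >= 3:
        # "route <network> <netmask>": installed so that it points into the tunnel
        routes.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    elif parts and parts[0] == "route-gateway" and len(parts) >= 2:
        state["gateway"] = ipaddress.ip_address(parts[1])
    elif parts and parts[0] == "redirect-gateway":
        # "def1" covers all of IPv4 with two /1 routes, overriding the default route
        routes += [ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")]

def tunnel_routes(log_text, client_config=""):
    """Return (routes sent through the tunnel, pushed gateway).

    Server-pushed options come from PUSH_REPLY lines in the log (accepted because
    the client config has "pull"); lines starting with '#' in the .ovpn are comments.
    """
    routes, state = [], {"gateway": None}
    for m in PUSH_RE.finditer(log_text):
        for opt in m.group("body").split(",")[1:]:  # [0] is the PUSH_REPLY tag
            _apply_option(opt, routes, state)
    for line in client_config.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            _apply_option(line, routes, state)
    return routes, state["gateway"]

def next_hop(dest, routes, gateway):
    """Gateway for dest if any tunnel route covers it, else None (normal default route)."""
    addr = ipaddress.ip_address(dest)
    return gateway if any(addr in n for n in routes) else None
```

With the poster's config (`#redirect-gateway def1` commented) only the pushed LAN route goes through the tunnel; uncommenting it makes every IPv4 destination match one of the two /1 routes.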