
Synology SRM router with site-to-site VPN for layer2 connection

I have a Synology RT2600AC router running VPN Plus Server, which offers a site-to-site (S2S) option. That option uses IPsec, which does not connect my networks at Layer 2, and the Synology S2S service is not free (even though it is built on the libreswan package). I have DLNA/UPnP servers on my network that should be discovered automatically on all LANs, including the remote ones. For their broadcast packets to reach every network, all sites have to share the same local LAN subnet across the VPN.

That is achievable with OpenVPN in TAP mode, which is available for free in Synology VPN Plus Server. For the other two sites I picked TP-Link TL-WR1043ND v4 routers and replaced their original firmware with LEDE Project firmware, so I could fine-tune my configurations.

OpenVPN server configuration on RT2600AC

Listing of the VPN Plus Server OpenVPN directory (the keys directory, openvpn.conf and the openvpn.up bridge script):

drwxr-xr-x    3 root     system        4096 Oct  7 07:35 .
drwxr-xr-x   11 root     system        4096 Nov  6 12:59 ..
drwxr-xr-x    2 root     system        4096 Nov  1 16:24 keys
-rw-r--r--    1 root     system         949 Oct  8 21:25 openvpn.conf
-rwxr-xr-x    1 root     root            48 Oct  6 15:33 openvpn.up

openvpn.conf:

dev tap # TAP (Layer 2) interface, so LAN broadcasts such as DLNA/UPnP discovery cross the tunnel

syno_vpnplus_sync # Synology VPN Plus specific directive
management 127.0.0.1 1195 # management interface, bound to loopback only
server 10.51.8.0 255.255.255.0 # tunnel subnet; clients get addresses from this pool

max-clients 20
cipher AES-256-CBC
auth SHA512

dh /var/packages/VPNPlusServer/target/etc/openvpn/keys/dh3072.pem
ca /var/packages/VPNPlusServer/target/etc/openvpn/keys/ca.crt
cert /var/packages/VPNPlusServer/target/etc/openvpn/keys/server.crt
key /var/packages/VPNPlusServer/target/etc/openvpn/keys/server.key # server private key, stays on the server only
tls-auth /var/packages/VPNPlusServer/target/etc/openvpn/keys/ta.key 0 # shared HMAC key (direction 0 here); this is the key copied to the clients, which use key-direction 1

persist-tun
persist-key

verb 3

script-security 2 # required so the up script below may run
up /var/packages/VPNPlusServer/etc/openvpn/openvpn.up # adds the tap interface to the LAN bridge

#log-append /var/log/openvpn.log

keepalive 10 60
reneg-sec 0

plugin /var/packages/VPNPlusServer/target/lib/radiusplugin.so /var/packages/VPNPlusServer/target/etc/openvpn/radiusplugin.cnf # username/password checked against RADIUS
client-cert-not-required # clients authenticate with username and password only, no client certificate
username-as-common-name
duplicate-cn # several sessions may share one username

proto udp
port 1194

status /tmp/ovpn_status_2_result 5
status-version 2

client-to-client # VPN clients may talk to each other
push "route 10.51.8.0 255.255.255.0"

openvpn.up (bridges the tap interface into the router's LAN bridge lbr0):

#!/bin/sh
# OpenVPN passes the device name as $1; this script assumes it is tap0
/usr/syno/sbin/brctl addif lbr0 tap0
/usr/syno/sbin/brctl stp lbr0 on
/usr/syno/sbin/brctl setmaxage lbr0 40

OpenVPN client configuration on TL-WR1043ND

client
dev tap # must match the server's dev tap for the Layer 2 bridge
tls-client

remote xxxxx.xxx 1194 # server hostname (placeholder) and port

pull # accept the options the server pushes

proto udp

script-security 2

reneg-sec 0

auth SHA512 # must match the server
cipher AES-256-CBC # must match the server

auth-user-pass /etc/openvpn/xxxxx-xxx.secret # username/password file, verified by the server's RADIUS plugin

key-direction 1 # complement of the server's tls-auth direction 0
ca /etc/openvpn/xxxxx-xxx.ca # the server's CA certificate
tls-auth /etc/openvpn/xxxxx-xxx.key # copy of the server's ta.key

explicit-exit-notify # tell the server when this client disconnects (UDP only)
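As an added consistency check (an example written for this post, not part of the original configuration or of Synology's or LEDE's tooling), the small Python script below reads the two configurations above and verifies the settings that must agree before the TAP link can come up: dev, proto and port, cipher and auth, and complementary tls-auth directions (0 on the server, 1 on the client). It also flags that client-cert-not-required leaves client identity to the RADIUS username and password alone. The embedded excerpts are constructed from the configs shown above, with the hostname placeholder xxxxx.xxx kept as on the page.

```python
# Constructed excerpts of the RT2600AC server config and the TL-WR1043ND client config shown above.
SERVER_CONF = """\
dev tap
cipher AES-256-CBC
auth SHA512
tls-auth /var/packages/VPNPlusServer/target/etc/openvpn/keys/ta.key 0
client-cert-not-required
proto udp
port 1194
"""
CLIENT_CONF = """\
dev tap
remote xxxxx.xxx 1194
proto udp
auth SHA512
cipher AES-256-CBC
key-direction 1
tls-auth /etc/openvpn/xxxxx-xxx.key
"""

def parse(conf):
    """Map each directive to its argument list; '#' comments are stripped, last occurrence wins."""
    opts = {}
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if words:
            opts[words[0]] = words[1:]
    return opts

def direction(opts):
    """tls-auth key direction: key-direction wins over the 2nd tls-auth argument; None = bidirectional."""
    ta = opts.get("tls-auth", [])
    return opts.get("key-direction", ta[1:2] or [None])[0]

def check_pair(server_conf, client_conf):
    """Return findings as strings; an empty list means the two sides agree on everything checked."""
    s, c = parse(server_conf), parse(client_conf)
    findings = []
    for key in ("dev", "proto", "cipher", "auth"):  # tap vs tun or a cipher mismatch stops the link
        if s.get(key) != c.get(key):
            findings.append(f"{key} mismatch: server {s.get(key)} vs client {c.get(key)}")
    if s.get("port", ["1194"])[0] != (c.get("remote", ["", ""])[1:] or ["1194"])[0]:
        findings.append("client remote port does not match the server port")
    if "tls-auth" not in s or "tls-auth" not in c:
        findings.append("tls-auth missing on one side: control channel lacks the HMAC guard")
    elif {direction(s), direction(c)} != {"0", "1"}:
        findings.append("tls-auth directions must be complementary (server 0, client 1)")
    if "client-cert-not-required" in s:
        findings.append("client-cert-not-required: client identity rests on auth-user-pass alone")
    return findings
```

Run against the two excerpts it reports only the client-cert-not-required finding; change the client's key-direction to 0 or its dev to tun and the corresponding mismatch is listed.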
