
Synology SRM router with site-to-site VPN for layer2 connection

I have a Synology RT2600AC router running VPN Plus Server with the site-to-site (S2S) option. That option uses IPsec, which does not connect my networks at layer 2. In addition, the Synology VPN Plus S2S service is not free (even though it is built on the libreswan package). I have DLNA/UPnP servers on my network that should be discovered automatically on all LANs, including the remote ones. For their broadcast packets to reach every network, all sites have to sit on the same local subnet, shared across the LANs connected via the VPN. That is achievable with OpenVPN in TAP (bridged) mode, which is available for free in Synology VPN Plus Server. For the other two sites I picked TP-Link TL-WR1043ND v4 routers and replaced their original firmware with LEDE, so I could fine-tune my configuration.

OpenVPN server configuration on RT2600AC

drwxr-xr-x    3 root     system        4096 Oct  7 07:35 .
drwxr-xr-x   11 root     system        4096 Nov  6 12:59 ..
drwxr-xr-x    2 root     system        4096 Nov  1 16:24 keys
-rw-r--r--    1 root     system         949 Oct  8 21:25 openvpn.conf
-rwxr-xr-x    1 root     root            48 Oct  6 15:33 openvpn.up

openvpn.conf:

dev tap
syno_vpnplus_syncmanagement 127.0.0.1 1195
server 10.51.8.0 255.255.255.0
max-clients 20
cipher AES-256-CBC
auth SHA512
dh /var/packages/VPNPlusServer/target/etc/openvpn/keys/dh3072.pem
ca /var/packages/VPNPlusServer/target/etc/openvpn/keys/ca.crt
cert /var/packages/VPNPlusServer/target/etc/openvpn/keys/server.crt
key /var/packages/VPNPlusServer/target/etc/openvpn/keys/server.key
# this is the shared key, it must be uploaded to the clients
tls-auth /var/packages/VPNPlusServer/target/etc/openvpn/keys/ta.key 0
persist-tun
persist-key
verb 3
script-security 2
up /var/packages/VPNPlusServer/etc/openvpn/openvpn.up
#log-append /var/log/openvpn.log
keepalive 10 60
reneg-sec 0
plugin /var/packages/VPNPlusServer/target/lib/radiusplugin.so /var/packages/VPNPlusServer/target/etc/openvpn/radiusplugin.cnf
client-cert-not-required
username-as-common-name
duplicate-cn
proto udp
port 1194
status /tmp/ovpn_status_2_result 5
status-version 2
client-to-client
push "route 10.51.8.0 255.255.255.0"

openvpn.up:

#!/bin/sh
/usr/syno/sbin/brctl addif lbr0 tap0
/usr/syno/sbin/brctl stp lbr0 on
/usr/syno/sbin/brctl setmaxage lbr0 40

OpenVPN client configuration on TL-WR1043ND

client
dev tap
tls-client
remote xxxxx.xxx 1194
pull
proto udp
script-security 2
reneg-sec 0
auth SHA512
cipher AES-256-CBC
auth-user-pass /etc/openvpn/xxxxx-xxx.secret
key-direction 1
ca /etc/openvpn/xxxxx-xxx.ca
tls-auth /etc/openvpn/xxxxx-xxx.key
explicit-exit-notify
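To check that a server and client pair like the one above actually fits together for layer-2 bridging, here is an added Python example (not code from the original post) that parses both configs, reduced to the options it checks, verifies dev tap on both ends, matching proto/cipher/auth and complementary tls-auth directions, and flags client-cert-not-required and duplicate-cn as settings that weaken site authentication.

```python
# Added example, not the page's own code: parse the server and client OpenVPN
# configs above (reduced to the options checked), verify they form a working
# layer-2 TAP pair, and flag the settings a defender should be aware of.
SERVER_CONF = """\
dev tap
cipher AES-256-CBC
auth SHA512
tls-auth /var/packages/VPNPlusServer/target/etc/openvpn/keys/ta.key 0
client-cert-not-required
duplicate-cn
proto udp
port 1194
client-to-client
"""
CLIENT_CONF = """\
dev tap
proto udp
auth SHA512
cipher AES-256-CBC
key-direction 1
tls-auth /etc/openvpn/xxxxx-xxx.key
"""

def parse_ovpn(text):
    """Return {option: [args]}; '#' comments stripped, last occurrence wins."""
    words = (line.split("#", 1)[0].split() for line in text.splitlines())
    return {w[0]: w[1:] for w in words if w}

def tls_auth_direction(opts):
    # Direction is either a separate 'key-direction' or the 2nd 'tls-auth' arg.
    return (opts.get("key-direction") or opts.get("tls-auth", [])[1:] or [None])[0]

def check_pair(server_text, client_text):
    """Return (errors, warnings): errors break the tunnel, warnings weaken it."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    errors, warnings = [], []
    if s.get("dev") != ["tap"] or c.get("dev") != ["tap"]:
        errors.append("layer-2 bridging needs 'dev tap' on both ends")
    for opt in ("proto", "cipher", "auth"):
        if s.get(opt) != c.get(opt):
            errors.append(f"{opt} differs: server {s.get(opt)}, client {c.get(opt)}")
    if {tls_auth_direction(s), tls_auth_direction(c)} != {"0", "1"}:
        errors.append("tls-auth needs direction 0 on the server and 1 on the client")
    if "client-cert-not-required" in s:
        warnings.append("client-cert-not-required: sites authenticate by password only")
    if "duplicate-cn" in s:
        warnings.append("duplicate-cn: one credential may be in use from several hosts")
    if "client-to-client" not in s:
        warnings.append("without client-to-client the remote sites cannot reach each other")
    return errors, warnings
```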

3 thoughts on “Synology SRM router with site-to-site VPN for layer2 connection”

  1. Added the client-to-client setting to the server conf file to pass traffic from one VPN net to another VPN net.

  2. Which files should I put on the OpenVPN server at OpenWrt to make it work?
    Only /var/packages/VPNPlusServer/target/etc/openvpn/keys/server.key?

    1. Hi Paul, on OpenWRT you put into /etc/openvpn/xxxxxx.ca the merged files server.crt and ca.crt (ca_bundle.crt) from /var/packages/VPNPlusServer/target/etc/openvpn/keys/, and copy the static key ta.key to /etc/openvpn/xxxxxx.key.
