Setup WireGuard VPN on Raspbian

I’m already using OpenVPN but heard only good things about WireGuard VPN. For my current project, I need a VPN connection to my home network. I do not want to mess with my currently working OpenVPN setup, so I tried to setup WireGuard VPN on Raspbian.

Start with updating your installed packages. Its especially important to install the raspberrypi-kernel-headers before the WireGuard installation.:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install raspberrypi-kernel-headers

I’ll use pivpn as setup script. You can install it with curl piping the script to bash like this:

curl -L https://install.pivpn.io | bash

However, if you don’t trust that source and doesn’t want to execute it unseen, you can also check the script content first or download the script separately to your machine first.

I’ve followed now the installation steps which are already pretty good explained by others:

What’s nice about this script is, that it will also detect installations of pi-hole running on the same machine.

I’ve used the script to setup WireGuard (as it also supports OpenVPN). I’ve selected the default port 51820 and created a port forwarding rule in my FritzBox router. After the installation completed, you’re asked to do a reboot.

Now we’ll create a new WireGuard profile using

sudo pivpn add

The script just asks for a profile name and will place the generated profiles in the users home under the config folder.

Setup on the client machine is similar. But instead of using the script for installation, we’ll use the version provided by the Debian repo. I’ve followed these instructions:

sudo apt-get install dirmngr
echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee --append /etc/apt/sources.list
sudo apt-key adv --keyserver   keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC
sudo apt-key adv --keyserver   keyserver.ubuntu.com --recv-keys 648ACFD622F3D138
sudo sh -c 'printf "Package: *\nPin: release a=unstable\nPin-Priority: 90\n" > /etc/apt/preferences.d/limit-unstable'
sudo apt-get update
sudo apt install wireguard

I’ve transferred the created config from the WireGuard host to the WireGuard client and ran

sudo wg-quick up <ProfileName>

And it established really fast a connection. However, my problem was now that the SSH connection broke because all of the traffic to and from the client was going through the WireGuard VPN (like you would have used it for your phone when you’re in an unsecured WiFi and want to redirect all traffic through the VPN).

Luckily I was able to stop the connection by SSHing from the WireGuard VPN to the assigned IP of the WireGuard client and by using

sudo wg-quick down <ProfileName>

The question is now, how can I configure WireGuard Client to just know the route through the VPN to resources in the host network or vice versa how I can configure the WireGuard Host to provide other machines in the network a route to the connected client…

Improve OpenVPN security on Synology DiskStations

I’m using OpenVPN on my Synology DiskStation with certificates instead of Preshared Keys. A few days ago I’ve wanted to login to my VPN and it wasn’t working. After checking the log file I’ve seen that there were some issues with the used configuration file for OpenVPN.

Tue Nov 20 23:04:27 2018 Cipher algorithm 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CB' not found
Tue Nov 20 23:04:27 2018 Exiting due to fatal error

How can this be? The configuration worked for months without problems? I’ve started to remember that I’ve started to increase the security of my OpenVPN configuration using a few parameters. The Cipher algorithm is one of them. This page describes some of the changes I’ve made (unfortunately only in German).

I’ve added the tls-cipher and tls-auth options as last parameter lines to my configuration file. The synology web UI tried to parse those parameters as cipher and auth parameter when it shows those values as part of the DSM UI.

I’ve reorderded the tls-auth and tls-cipher parameter to be above the auth and cipher parameters and the DSM UI is now able to show those values correct. This will enable you to restart the OpenVPN service from the WebUI without the need to login via SSH.

How do you get supported values for auth, cipher and tls-cipher you might wonder? Just execute

openvpn --show-tls

to get the supported tls-cipher you might line up with a : separated.

openvpn --show-digests

shows you the allowed values for auth and

openvpn --show-ciphers

will show the allowed values for cipher. However, cipher and auth can also be preselected from the DSM UI.

Don’t forget to use the same values in your OpenVPN configuration on your VPN client as well, otherwise the connection won’t work.

How to use client certificates with Synology VPN Server and OpenVPN

The holidays are near and I want to have access to my files on my Synology NAS, while I’m visiting my family. That’s why I’m showing you today how to configure the official Synology VPN server to use OpenVPN with client certificates instead of username/password.

 

1. Start with a custom root CA

First of all you need your own self-signed root CA. A useful tool is XCA but you can also do this from the terminal.

2. Create a certificate for your DiskStation

Create a new Certificate for your DiskStation. Be aware to use the assigned DNS name, otherwise your browser will complain when you try to connect to the web interface of the DiskStation.

3. Configure the DiskStation to use the server certificate

I’m using DSM 5. There’s a nice new Security setting in the system settings. You can define and upload a certificate there:

Import CertificateThe Private Key and Certificate fields are straight forward. However, the intermediate certificate is the tricky part I forgot. This is the certificate of your self signed root CA. Only with this additional certifacte the trust chain is complete.

4. Trusting the root CA

The next step depends on your computers OS. I’m using Mac OS where I can easily add the root CA certificate as an always trusted certificate.

5. Reload the web interface of your DiskStation

After you’ve set the certificate, the web interface should have been reloaded. Eventually you’ve been warned by your browser about a security issue (you did not trusted your root CA, therefore the web page was untrusted). After a reload and the instructions from step 4, this warning should go away. If you take a look at the certificate tab of the DiskStation’s security setting, you will see that your new server certificate is active.

6. Install the VPN Server

Install the VPN Server from Synology’s Package Center. Its configuration is done from the start menu.

7. Configure the VPN Server

Enable OpenVPN from the Settings of the VPN Server. For more details see Synology’s instructions.

8. Connect via SSH to your DiskStation

Disable user authentication on the DiskStation and enable the certificate based authentication (code taken from this wiki) in this file: /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf

#ca /var/packages/VPNCenter/target/etc/openvpn/keys/ca.crt
ca /volume1/myCA/demoCA/my-ca.crt
#cert /var/packages/VPNCenter/target/etc/openvpn/keys/server.crt
cert /volume1/myCA/syn.crt
#key /var/packages/VPNCenter/target/etc/openvpn/keys/server.key
key /volume1/myCA/syn.key

#you can enable this line temporary to view log with "tail -f -n 100 /var/log/openvpn.log":
#log-append /var/log/openvpn.log

#plugin /var/packages/VPNCenter/target/lib/radiusplugin.so /var/packages/VPNCenter/target/etc/openvpn/radiusplugin.cnf
#client-cert-not-required
#username-as-common-name

#added
user nobody
group nobody
#added

 

9. Configure your client

I’m only using iOS devices and Macs. Therefore this is again a little biased 🙂 The installation of the clients for Mac and Windows is explained on Synology’s page. iOS is explained on this page (only in german but with screenshots). The initial configuration can be downloaded from the OpenVPN settings page from the DiskStation web interface. The extracted zip file contains the servers official certificates but needs to be modified to add support for the client certificates. Text is taken again from same wiki as above.

#ca ca.crt

#added
dh dh1024.pem
ca my-ca.crt
cert my.crt
key my.key
verb 3
#added

#auth-user-pass

 

The DiffieHellmann Parameters (dh) can also be created with XCA. I would recommend 2048, since 4096 takes ages to generate.

10. Give it a try

Now you can test your VPN connection on your devices. It should not ask for a password, instead it should use the my.crt and my.key you’ve set in the configuration.