Help needed choosing a VPN option


bandarbalu

New Around Here
Hi, new member here. Apologies in advance if my ignorance is obvious.

I currently have two OpenVPN servers running on my LAN - one on a QNAP TS-251+ NAS and one on a Synology DS720+. I run a small business from my home. The Synology is the business server and the QNAP is personal. I have a dozen user accounts that connect to VPN when my business runs training sessions. These training sessions use a multiplayer game which is hosted by one of the users. The host needs to be able to acquire a fixed IP address when they connect to VPN.

I'm about a year into this project. We haven't been doing this training very often, so the lazy workaround, which is to ensure the host gets the correct IP by having that person connect to VPN first, has gotten me by. I followed the guide at Wundertech to assign fixed IP addresses by user profile and got assistance from the author when I ran into trouble on the Synology, but we couldn't get it to work right. According to the connection logs, the proper user was getting the assigned IP address for the first few sessions, but then it went back to whoever connected first. All the changes I made are still in place, but I don't really understand what the changes are doing anyway, so it could have been wrong from the start and I just didn't notice. The Wundertech author couldn't find anything wrong with the modified files I sent him either.

I just upgraded my wireless router to an RT-AX88U and started looking into the VPN server on that. It's awesome to find such detailed information on the ASUS router VPN service on this forum, but I'd really like to know if it would actually make a difference between the QNAP, Synology, or ASUS for this specific case of needing fixed VPN IPs. Another consideration is that we're getting more business now, so I'll need more fixed IP addresses. I'm hoping to be able to stick with my in-house VPN service until we have half a dozen sessions going simultaneously and maybe 50-75 total users connected.

I'm looking for advice before diving back into troubleshooting. Will it make a difference whether I try to solve the fixed IP address problem on the QNAP, the Synology or the ASUS? At first glance, none of the interfaces seem to have any advantages for this problem. I've figured out how to create users, assign privileges, create and distribute config files, and walk new users through setting up their client and connecting on all three. I was over my head with the SSH and PuTTY work on the Synology, but I can follow detailed instructions.
 

bandarbalu

New Around Here
Nudge. Anyone? Was the question too long? Too complicated? Too specific? Too ignorant?
 

eibgrad

Very Senior Member
The concept of providing fixed/static IP assignments to OpenVPN clients is the same across all platforms.

You create a directory to store client-specific configuration settings. Each client has its own file in that directory based on the common-name on its client cert. Of course, this *assumes* each client in fact has a unique client cert (more about that in a minute). For the purposes of specifying a fixed/static IP, that file must contain an ifconfig-push directive. And the format of that directive must be consistent w/ the topology used by the OpenVPN server (net30, subnet, etc.). You configure the OpenVPN server w/ a client-config-dir directive to tell it where this directory of client configuration files resides.

Regarding client certs, it's possible to use *one* client cert for all users, but differentiate them by username/password. And in that case, you can add the username-as-common-name directive to the OpenVPN server configuration so it does just that; uses the username as the filename to be accessed for the client-specific configuration settings.

All that said, I can't speak to the specific requirements of other devices as to where things are stored, permissions, what topology they use (or if it can be changed), whether they're relying on a single client cert and username/password, etc. Every device has its own way of configuring OpenVPN, and if provided via a GUI, may limit the changes you can make. That's simply beyond the scope of what information I can provide since I don't own a Synology or QNAP device. I can only speak from the perspective of third-party firmware routers running Merlin, FreshTomato, and DD-WRT.

IOW, I can't help you w/ respect to what might have gone wrong on those other platforms. Esp. if it was working one day and NOT the next. Perhaps there was a firmware upgrade that changed things. Who knows.

In general, I prefer (and recommend) the use of the router for your OpenVPN server if only because it centralizes control and management, esp. if you have a need to access devices other than the NAS. Those OpenVPN servers tend to be device-centric as to their purpose. But OpenVPN is a fairly demanding application and doesn't always run well on the router. Esp. older routers w/ more limited resources. So in that case, the NAS devices *might* have an advantage. Hard to be sure since we'd have to compare their specs side by side. But that aside, in general, I'd prefer to have my router manage VPN access if at all possible.
 

bandarbalu

New Around Here
Many thanks eibgrad, that's the kind of information and advice I needed. I've read through threads in forums, watched YouTube videos, and read blogs about almost all the topics and considerations you mentioned, but this organized it into a much more understandable and connected explanation. Now I can go back and learn about each part with a clear picture of why they matter, and how they will help me set the service up properly.
 

eibgrad

Very Senior Member
FYI. I just noticed something about how those OpenVPN clients are being assigned IPs in the Wundertech link.

I believe his approach is only going to work if *all* the OpenVPN clients are assigned static IPs. I say that because 10.5.0.x is defined as the *dynamic* IP pool. And if some clients are assigned static IPs from that same pool, I don't know how the OpenVPN client could *reserve* them unless it scanned all possible CCD files looking for static IP assignments, which I doubt it's going to do. If it's going to work at all, you would be wise to use the high-numbered IP addresses for static IP assignment, since the dynamic assignments are going to be allotted from low to high.

Even better, create a new IP group solely for the purpose of static IP assignments rather than using the dynamic pool, by adding the following to the OpenVPN server config.

Code:
route 10.5.1.0 255.255.255.0

And then specify your static IPs from that range.

Code:
ifconfig-push 10.5.1.2 10.5.1.1

That would make your firewall rules easier too, since you could treat the 10.5.0.0/24 and 10.5.1.0/24 networks as distinct groups, rather than on a "per client IP" basis.

I'm basing all this off the following link.


That may explain why it works for a while but eventually fails. I suspect the OpenVPN server ends up dynamically allocating an IP address from 10.5.0.x that's supposed to be reserved as a static IP for a client that as yet hasn't connected. While that's just a guess, my instincts tell me it's just NOT a good idea to be using the dynamic pool for static IP assignments. I don't think OpenVPN server is smart enough to reserve these IP assignments the way DNSMasq (DHCP) does, and as such, it's possible for OpenVPN server to mess up the IP assignments unless you keep the two groups (dynamic vs. static) segregated within their own IP ranges.
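The layout described in the two replies above (a `client-config-dir` with one file per common name, and static `ifconfig-push` addresses kept out of the dynamic range) can be checked mechanically. The following is an added example, not code from the thread or from OpenVPN: the client names and file contents are constructed, and it assumes, as a simplification, that the whole network on the `server` line is the dynamic range.

```python
import ipaddress

# Constructed sample input; a CCD file name is the client's common name.
SERVER_CONF = """\
server 10.5.0.0 255.255.255.0
client-config-dir ccd
route 10.5.1.0 255.255.255.0
"""
CCD_FILES = {
    "host-alice": "ifconfig-push 10.5.1.2 10.5.1.1\n",
    "host-bob": "ifconfig-push 10.5.0.6 10.5.0.5\n",    # taken from the dynamic range
    "host-carol": "ifconfig-push 10.5.1.2 10.5.1.1\n",  # same address as host-alice
    "trainee-dave": "# no ifconfig-push, so the server picks an address\n",
}

def directives(text):  # split directives; skip blank lines and # comments
    rows = (line.split("#")[0].split() for line in text.splitlines())
    return [r for r in rows if r]

def parse_networks(conf):
    """Return (network of the `server` directive, networks added by `route`)."""
    dynamic, routed = None, []
    for parts in directives(conf):
        if parts[0] == "server" and len(parts) >= 3:
            dynamic = ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
        elif parts[0] == "route" and len(parts) >= 3:
            routed.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}"))
    return dynamic, routed

def audit(conf, ccd_files):
    """Classify each CCD file by where its ifconfig-push address falls."""
    dynamic, routed = parse_networks(conf)
    seen, findings = {}, {}
    for name in sorted(ccd_files):
        pushes = [p for p in directives(ccd_files[name])
                  if p[0] == "ifconfig-push" and len(p) > 1]
        if not pushes:
            findings[name] = "dynamic"
            continue
        ip = ipaddress.ip_address(pushes[0][1])  # first argument = client address
        if ip in seen:
            findings[name] = "duplicate-of:" + seen[ip]
        elif dynamic is not None and ip in dynamic:
            findings[name] = "inside-dynamic-range"
        else:
            findings[name] = "ok" if any(ip in n for n in routed) else "unrouted"
        seen.setdefault(ip, name)
    return findings

print(audit(SERVER_CONF, CCD_FILES))
```

To run it against a real server, read the server config and each file in the CCD directory into the same two structures; anything not reported as `ok` or `dynamic` is worth a look.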
 

bandarbalu

New Around Here
Thanks for looking deeper into it. I think setting the two IP groups would work for my application, and it would actually give me even more scalability than I expected to get from a single VPN server. I'll report back.
 
