QNAP and VPN?


Ola Malmstrom

Regular Contributor
Found it (I believe) :) - at least one direction.

From NAS01 on HIS network I can reach internal clients on MY network provided that
- The OpenVPN server on MY network has "Manage Client-specific options" = NO
- The OpenVPN client on HIS network has "Use default gateway on remote network" selected

Logic: When trying to communicate with NAS02 on my network (192.168.0.2 ) from HIS network (10.0.1.0/24), this makes the VPN client use the default gateway on MY network to direct the traffic to NAS02.

This works with the OpenVPN client running on NAS01. I can't test this for real until he has his new router. I then need to move the OpenVPN client there to be really sure, but I do believe it will work :).

Next step is to get it to work the other way as well..... I need to be able to access NAS01 on HIS network (10.0.1.186) from MY network (192.168.0.0/24). Need to dive into this as well.......
 

L&LD

Part of the Furniture
It will work! It has to! :D

 

Ola Malmstrom

Regular Contributor
Somehow doesn't work the other way. Found those articles explaining why and what to do:

https://openvpn.net/vpn-server-resources/reach-openvpn-clients-directly-from-a-private-network/
https://openvpn.net/vpn-server-resources/troubleshooting-reaching-systems-over-the-vpn-tunnel/

As far as I understand now, I need a route command on the local systems I want to connect to systems under the remote OpenVPN client.

I have set up a test environment consisting of my old ASUS RT-AC3200 (for the OpenVPN client), a PC and a mobile phone as WAN. The test environment works well, but I haven't managed to connect from a local system to a "remote" system using its internal IP address (yet).
 

Ola Malmstrom

Regular Contributor
I believe I have found the solution deep down at the end of a discussion in snbforums.

Target solution

The setup I want is this:
- Local NAS with an IP address within the 192.168.0.0/24 network
- Local router with IP address 192.168.0.1 also acting as OpenVPN server
- Remote router with IP address 10.0.1.1 also acting as OpenVPN client
- Remote NAS with an IP address within the 10.0.1.0/24 network

I want to be able to back up both ways, i.e. both from the local NAS to the remote one
as well as from the remote NAS to the local NAS using OpenVPN.

Tested solution

- The OpenVPN server on MY local network has "Manage Client-specific options" = NO
- The OpenVPN client on HIS remote network has both "Create NAT on tunnel" = NO and "Inbound Firewall" = ALLOW

I also need to set up routes, probably on both routers. However, when I try to enter a static route in MY router, the whole system collapses. I lose the internet connectivity and need to restart the fiber modem - much to the "joy" of my family :eek::oops:

I have tried this twice on MY local router with the same result
- Network 192.168.1.0 mask 255.255.255.0 Gateway 10.8.0.1 WAN or LAN
- The purpose is to send traffic to the remote network through the tunnel

All internet connectivity is lost........ and I need to restart the fiber modem.

Am I doing this correctly? Is something missing?
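Added example, not part of the original post: a small Python check of a static route entry against the topology listed under "Target solution" above. The tunnel subnet 10.8.0.0/24 is an assumption inferred from the 10.8.0.1 gateway in the post, and `check_static_route` is a hypothetical helper name; it only compares addresses and does not diagnose the loss of connectivity.

```python
import ipaddress

# Topology as listed in the post. TUNNEL_NET is an assumption inferred from
# the 10.8.0.1 gateway; the post does not state the tunnel subnet.
LOCAL_LAN = ipaddress.ip_network("192.168.0.0/24")   # MY network, OpenVPN server side
REMOTE_LAN = ipaddress.ip_network("10.0.1.0/24")     # HIS network, OpenVPN client side
TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")     # assumed tunnel subnet


def check_static_route(network, mask, gateway, connected=(LOCAL_LAN, TUNNEL_NET)):
    """Return findings for a static route entered on the local router.

    An empty list means the entry is consistent with the topology above.
    """
    try:
        # strict=True rejects entries with host bits set, e.g. 10.0.1.5/24
        dest = ipaddress.ip_network(f"{network}/{mask}", strict=True)
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        return [f"invalid entry: {exc}"]

    findings = []
    if dest.prefixlen == 0:
        findings.append("destination is a default route; all traffic would follow it")
    elif dest.overlaps(LOCAL_LAN):
        findings.append(f"destination {dest} overlaps the local LAN {LOCAL_LAN}")
    elif dest != REMOTE_LAN and dest.overlaps(REMOTE_LAN):
        findings.append(f"destination {dest} overlaps but does not equal {REMOTE_LAN}")
    elif dest != REMOTE_LAN:
        findings.append(f"destination {dest} is not the remote LAN {REMOTE_LAN}")

    # A next hop must sit on a network the router is directly attached to.
    if not any(gw in net for net in connected):
        findings.append(f"gateway {gw} is not on a directly connected network")
    return findings


if __name__ == "__main__":
    # The entry quoted in the post, then an entry for the remote LAN as listed.
    for entry in [("192.168.1.0", "255.255.255.0", "10.8.0.1"),
                  ("10.0.1.0", "255.255.255.0", "10.8.0.1")]:
        print(entry, "->", check_static_route(*entry) or "consistent")
```
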
 

Callinc

Occasional Visitor
@Ola Malmstrom, the lessons learned (additionally) should be that VPN should not be enabled on a NAS at all. No matter how powerful it is. :)

I feel that your brother-in-law is due for an RT-AC86U upgrade to his network (to match the OpenVPN performance of your RT-AX88U). :)
Why would you never want the VPN server to run on a NAS or other LAN server? Why run it on the edge of your network? I have two setups now that use the NAS boxes and they do just fine. Of course, one is a TVS-471 and the other a TS-453B, so they have decent CPUs. 16 GB RAM and 8 GB respectively. My understanding is that general consumer-grade routers use low-end, low-powered CPUs and wouldn't handle much bandwidth or many clients. Looking to the future, I planned on moving my router to an x86-based processor for the performance and deep packet inspection that's possible with good hardware. In any case, VPN server on an edge router vs. server inside the network is something I'm still trying to figure out.


Sent from my iPhone using Tapatalk
 

Ola Malmstrom

Regular Contributor
Simple! The bottleneck is my NASes' CPUs. They reduce the available speed to max 1.5 MB/sec over an internet connection of 250 Mbit/sec.

The remote NAS (a Qnap 219P2) is always using 100% CPU when backing up via VPN. The local one (a 231 P2) is also very loaded if I use it as a VPN server or client.

Both are far too weak for my backup plans. So in retrospect I should have NASes with decent CPUs and AES-NI, which is definitely not the case. Both are 32-bit and don't have AES-NI. My ASUS RT-AX88U on the other hand (with AES-NI) shows very little additional CPU usage when backing up through VPN.

I agree with you, decent CPUs in the NASes would probably be best. However, from my perspective the small ones I have fulfill (almost all) my needs.

It is also interesting to try to figure out how to set up OpenVPN so that it works for me with my current environment. I do believe I will get a better (usable) result if I manage to get answers to my remaining questions:
  1. I have a feeling I have missed something. Maybe register all clients to make them visible?
  2. Why does my usage of static routes crash my internet connection?
  3. How do I use the static routing on the routers to get it to work?
 

Ola Malmstrom

Regular Contributor
Haven't been able to test this. I need to have a second WAN connection, a separate router and a separate VPN server to test this. Unfortunately there are no ISPs here in Sweden that allow incoming traffic through a mobile phone / USB modem. This is necessary to be able to establish the VPN tunnel from the outside.

So I will need to live with what I have :confused:;)
 

Spile

New Around Here
Sorry to come to this thread late but one cost effective option I can recommend is to run a VPN server on a Raspberry Pi 4. I have been very impressed with PiVPN running Wireguard.
 
