OpenVPN + QNAP

How to use a VPN to circumvent net neutrality violations, and generally anonymize your traffic on the internet.

Choosing a VPN Provider

Oddly, I first started looking into VPNs for my parents. They both emigrated to the United States in the 1970s from Italy and still like to watch Italian TV. Until recently, they were able to do so over the internet without much issue thanks to the DailyMotion app on Android and FireTV. Unfortunately, that recently changed due to a dispute with a local affiliate, and so my parents were left with a service they pay for but can no longer fully use.

Enter the VPN. By routing their traffic through a 'POP' (Point of Presence) in Europe they would be able to use the service fully... at least until their pre-paid period expired.

I won't get into all the details of selecting a VPN provider, but I will say that you should pay close attention to the following:

  • Do they keep logs?
  • What country are they located in?
  • What POPs do they offer?
  • What speeds do they offer?
  • How many connections do they allow?
  • Is there a re-connect or server change limitation?
  • Do they offer native clients? Support for OpenVPN?
  • If you are trying to circumvent firewalls, etc., you will want to know if they offer support for STunnel (VPN over SSH) or even VPN over HTTPS.

*I was impressed with AirVPN's policies and their general focus on net neutrality, especially in countries that have restrictive content filters.

QNAP Setup

My parents use the VPN via OpenVPN Connect for Android, which is pretty simple to set up, but I wanted to use the VPN from my QNAP so that I could selectively route some traffic out over my local ISP-provided IP but have other traffic go out over the VPN. This was mostly a proof of concept for setting up my own MPLS network overlay... but I'm not ready to talk about that project just yet. For now, I just want to share a simple way to set up OpenVPN for your QNAP.

Limitations & Assumptions

The method I'm about to demonstrate has two pretty significant limitations.

  • You will not be able to use the QNAP UI to manage the VPN Tunnel. Their software fails to expose a sufficient portion of OpenVPN's configuration, rendering it useless.
  • You will only be able to have 1 VPN configured for your QNAP to use for outbound traffic.
  • By default you want to route traffic out through your ISP, and only selectively route other addresses out over the VPN.
  • This procedure has been tested with QNAP 4.2.0 and 4.2.1 only.

Step 1 - Set Up a 'Shim Client VPN' in QNAP UI.

Go into the QNAP UI and set up a VPN client; the settings here won't really matter much. We'll need to edit the configuration files created by the UI at the command line. Creating this 'shim' entry in the UI just saves us the trouble of creating these files.

Once you create the shim entry, ssh into your QNAP and cd to /mnt/HDA_ROOT/.config

Open vpn.conf

[OPENVPN]
interface = bond0
Enable = FALSE
Client IP 1 = XX.XX.XX.XX
Client IP 2 = XX.XX.XX.XX
VPN Proto Type = udp
VPN Port = XXXX
Max Client = 5
Encryption = 1
Re-direct gateway = TRUE
Broadcast support = TRUE
Enable compressed VPN link = TRUE
Enable Manual DNS = FALSE
Use Manual DNS = XX.XX.XX.XX
[PPTP]
Enable = FALSE
Client IP 1 = XX.XX.XX.XX
Client IP 2 = XX.XX.XX.XX
Max Client = X
Authentcation = X
Encryption = X
Broadcast = TRUE
Enable Mabual DNS = FALSE
Mabual DNS = 0.0.0.0

[OPENVPN_CLIENT1]
Enable = TRUE
Status = 1
Index = 1
Gateway = 1
Allow Connect = 0
Reconnect = 1
Server Address = ***YOUR VPN PROVIDER***
Profile File = ***Profile Name From UI***
VPN Proto Type = TCP
VPN Port = 443
Compress = 0
Re-direct gateway = 0
...Some Lines Omitted...

You'll want to edit the [OPENVPN_CLIENT1] section, as this was created by your 'Shim' VPN Client from the UI. Most of the settings here should be self-explanatory based on the OpenVPN instructions from your VPN provider.

Lastly, and this is a rather hacky solution... you'll need to edit /etc/init.d/vpnopenvpnclient.sh and change the location of the OpenVPN client config.

OPENVPN=/usr/sbin/openvpnclient
PIDFILE="/var/run/openvpn.client.pid"
OPENVPN_CONF="***Point To Your OpenVPN Client Config***"
OPENVPN_CONF_PATH="/etc/openvpn"
VPN_CONF="/etc/config/vpn.conf"
VPN_NUM="$2"
VPN_CLIENT="OPENVPN_CLIENT""${VPN_NUM}"
MAX_VPN_INDEX="255"

This hack limits the QNAP to a single VPN client: the one we are hard-coding.

Step 2 - Start & Test Out VPN Tunnel

Now you should be able to run the following command to start the VPN Tunnel.

/etc/init.d/vpnopenvpnclient.sh start 1

The '1' at the end corresponds to the ordinal of the 'Shim' VPN config from step one. It's an artifact of the way QNAP supports multiple configs.

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.4.XX.XXX  P-t-P:10.4.XX.XXX Mask:255.255.0.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:91795380 errors:0 dropped:0 overruns:0 frame:0
          TX packets:45603692 errors:0 dropped:2361 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:126876304529 (118.1 GiB)  TX bytes:2511602244 (2.3 GiB)

If everything worked as expected, then you'll see a new interface (tun0) with an IP Address that is different from your ISP provided connection.

Step 3 - Selective Routing

At this point, all outbound traffic will go over the tunnel. This may or may not be desirable. In my case, I only wanted to send certain traffic over the tunnel. The easiest way to do this is by updating the Linux routing table on the QNAP using the route command.

In particular, you'll want to see which route has the highest priority for destination 0.0.0.0. This route controls where your QNAP will send traffic that is not for a locally attached network.

[/mnt/HDA_ROOT/.config] # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    1      0        0 bond0

In the above example, I've already adjusted my QNAP to prefer my local router via bond0 (physical interface).

You will likely need to run a variation of the command below to remove the route that causes the tunnel (tun0) to be preferred for 0.0.0.0.

route del -net 0.0.0.0 gw 10.4.0.1 netmask 128.0.0.0 dev tun0

Then you can selectively add routes for destinations that you want to be anonymized. For example, if you did not want CNN to know you were in the US, you could add the following route, where XXX.XXX.XXX.XXX is CNN's IP. You'll need 1 entry per IP since CNN likely has several IPs for redundancy.

route add -net XXX.XXX.XXX.XXX gw 10.4.0.1 netmask 255.255.255.255 dev tun0
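A way to check the result of Step 3 and to generate the per-IP routes, added here as an example and not part of the original post. It assumes the tun0 interface and the 10.4.0.1 gateway from the commands above; the routing table and any addresses fed to it are constructed samples. The netmask 128.0.0.0 in the delete command is what OpenVPN's redirect-gateway def1 option installs, and that option adds a second half-route for 128.0.0.0, so the audit function lists every wide route still pointing at the tunnel.

```shell
#!/bin/sh
# Added example: audit the routing table and print per-IP tunnel routes.
# TUN_IF and TUN_GW are assumptions taken from the commands on this page.
TUN_IF="tun0"
TUN_GW="10.4.0.1"

# Constructed sample of `route -n` output right after the tunnel comes up.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.4.0.1        128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.4.0.1        128.0.0.0       UG    0      0        0 tun0
10.4.0.0        0.0.0.0         255.255.0.0     U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 bond0
0.0.0.0         192.168.1.1     0.0.0.0         UG    1      0        0 bond0'

# Read `route -n` output on stdin and print "destination/genmask" for every
# route on the tunnel interface that is wide enough to capture general
# internet traffic (a default route or one of the two def1 half-routes).
tunnel_catchall_routes() {
    awk -v ifc="$TUN_IF" '$8 == ifc && ($3 == "0.0.0.0" || $3 == "128.0.0.0") {
        print $1 "/" $3 }'
}

# Read one IPv4 address per line on stdin and print (not execute) the host
# route command used in this post. Malformed lines are reported on stderr.
host_route_cmds() {
    while read -r ip; do
        [ -n "$ip" ] || continue
        if printf '%s\n' "$ip" | awk -F. 'NF != 4 { exit 1 }
            { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
        then
            echo "route add -net $ip gw $TUN_GW netmask 255.255.255.255 dev $TUN_IF"
        else
            echo "skipped (not an IPv4 address): $ip" >&2
        fi
    done
}
```

On the QNAP, `route -n | tunnel_catchall_routes` should print nothing once only selected destinations are meant to use the VPN; any line it prints is a range still leaving through tun0.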

And that's it, now you know how to set up a VPN on your QNAP and selectively route traffic over or around the VPN.

Posted on Aug 19
Written by Anthony Virtuoso