OpenVPN configuration Synology VPN server

Client configuration settings: 

remote <dns or ip address>  1194

# If redirect-gateway is enabled, the client will redirect its
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

redirect-gateway def1

When the local network of the OpenVPN client is the same as the local network of the OpenVPN server, you can add the following line to the .ovpn configuration file:

route <ip address> 

For example, if both networks use the same local network, 192.168.1.0/24, traffic for that subnet is not sent through the VPN tunnel. To reach the host 192.168.1.10 on the local network of the VPN server, add:

route 192.168.1.10 

If you have problems with DNS, for example with the DNS servers of Ziggo, which only answer queries from their own network, you can change your DNS settings to the name servers of Google: 8.8.8.8 and 8.8.4.4.

Warning message in the log file: 

WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

You see this message when you connect to a standard Synology OpenVPN server; it is shown because of the way Synology implemented their OpenVPN server.
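As an added example (not code from this page, from Synology or from OpenVPN), the following Python lints a client .ovpn for the points discussed above: the remote, redirect-gateway def1, a pinned route, a DNS override (assumed here to be expressed with dhcp-option DNS), and whether any of the directives OpenVPN's own howto names for server certificate verification (remote-cert-tls, verify-x509-name, tls-verify) is present, which is the condition behind the quoted warning. The sample config and its hostname are constructed.

```python
"""Lint a client .ovpn for the directives discussed above.
Example code added to this page; not Synology's or OpenVPN's own."""

# Directives that enable server certificate verification according to OpenVPN's
# howto (the #mitm section linked in the warning). If none is present, OpenVPN
# logs "No server certificate verification method has been enabled".
SERVER_VERIFY_DIRECTIVES = ("remote-cert-tls", "verify-x509-name", "tls-verify", "ns-cert-type")

# Constructed sample client config (hostname and certificate are placeholders).
SAMPLE_OVPN = """\
dev tun
tls-client
remote vpn.example.invalid 1194
redirect-gateway def1
route 192.168.1.10
dhcp-option DNS 8.8.8.8
dhcp-option DNS 8.8.4.4
<ca>
PLACEHOLDER-PEM-NOT-A-REAL-CERTIFICATE
</ca>
"""

def parse_ovpn(text):
    """Return (directive, args) pairs; skips comments and inline <tag> blocks."""
    entries, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries

def lint_ovpn(text):
    """Summarise the routing, DNS and server-verification posture of a config."""
    entries = parse_ovpn(text)
    names = {k for k, _ in entries}
    return {
        "remotes": [" ".join(a) for k, a in entries if k == "remote"],
        "full_tunnel": "redirect-gateway" in names,   # def1: all traffic via the tunnel
        "pinned_routes": [a[0] for k, a in entries if k == "route" and a],
        "dns_servers": [a[1] for k, a in entries
                        if k == "dhcp-option" and len(a) > 1 and a[0].upper() == "DNS"],
        "server_verification": bool(names & set(SERVER_VERIFY_DIRECTIVES)),
    }
```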

Synology Hardening

Synology hardening steps: change the default settings to improve security on a Synology NAS.

Synology DSM 6.1 hardening settings:

Using the Security Advisor:

Install and run the Synology Security Advisor and consider applying the settings it recommends.

Control Panel:
Control Panel, Update & Restore, DSM Update:
  • Update Settings. Choose the settings that suit your situation, keeping in mind that security fixes should be applied as soon as possible.
Control Panel, user:
  • Make a new user with full administrative rights, test this new user and then disable the default admin account.
  • Advanced, Password Settings, select Allow non-administrator users to reset forgotten passwords via email.
  • Advanced, Password Settings, Apply password strength rules, select:
    • Exclude name and description of user from password. 
    • Include mixed case
    • Include numeric characters
    • Include special characters
    • Exclude common password
    • Minimal password length: 8
    • Password history (times): 1
  • Advanced, Password Expiration, select:
    • Enable password expiration 
    • Maximum password valid duration (days): 183, except for administrator users: for those, check Password is always valid and change the password manually on a regular basis.
    • Minimum password valid duration (days): 1
    • Prompt users to change password upon login before expiration (days): 14
    • Send expiration notification emails, sent at 12:00; days before the expiration: 14, 10, 5, 3, 2, 1
  • Advanced, 2-Step Verification,
    • Enforce 2-step verification for the following users: all users
Control Panel, Terminal & SNMP, Terminal:
  • (if the SSH service is enabled) SSH service, Advanced Settings, security level: High
Control Panel, Security, Security:
  • Improve protection against cross-site request forgery attacks
  • Improve security with HTTP Content Security Policy (CSP) header.
  • Do not allow DSM to be embedded with iFrame.
  • Clear all saved user login sessions upon system restart. 
Control Panel, Security, Firewall:
  • Consider enabling the firewall, depending on your IT infrastructure. Firewall rules can be enabled for the VPN services, which improves security, or to protect access for Hyper Backup. This can be implemented with an allow and a deny rule for certain services.
Control Panel, Security, Protection:
  • Consider enabling DoS protection, depending on your IT infrastructure.
Control Panel, Security, Account, Auto Block:
  • Select Enable auto block, login attempts: 10, Within (minutes): 5. Enable block expiration, Unblock after (days): 1. Consider using an allow/block list.
Control Panel, Security, Account, Enable Account Protection, Untrusted Clients:
  • Login attempts: 5
  • Within (minutes): 1
  • Cancel account protection (minutes later): 30
Control Panel, Security, Account, Account Protection, Trusted clients:
  • Login attempts: 10
  • Within (minutes): 1
  • Unblock (minutes later): 30
Control Panel, Security, Advanced, TLS / SSL Cipher Suites:
  • Select Modern compatibility
Control Panel, Network, DSM settings,
  • Select Automatically redirect HTTP connections to HTTPS (Web Station and Photo Station excluded).
Web browser:
  • Use the browser's incognito mode or guest browsing feature when accessing the Synology NAS from a public computer.
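To make the Auto Block numbers above concrete, here is an added example (not Synology's implementation) that models the policy as a sliding window: a client is blocked after 10 failed logins within 5 minutes, the block lifts after 1 day, and addresses on the allow list are never blocked. The failed-login events are constructed sample data.

```python
"""Model of DSM Auto Block (example added to this page, not Synology's code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

class AutoBlock:
    def __init__(self, attempts=10, within_minutes=5, unblock_after_days=1, allow_list=()):
        self.attempts = attempts
        self.window = timedelta(minutes=within_minutes)
        self.block_for = timedelta(days=unblock_after_days)
        self.allow_list = set(allow_list)
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> datetime the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # block expiration reached, lift it
            del self.blocked_until[ip]
            return False
        return True

    def record_failure(self, ip, now):
        """Register one failed login; return True if it triggers a block."""
        if ip in self.allow_list or self.is_blocked(ip, now):
            return False
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # slide the window forward
            q.popleft()
        if len(q) >= self.attempts:
            self.blocked_until[ip] = now + self.block_for
            q.clear()
            return True
        return False

def replay(events, **policy):
    """Feed (timestamp, ip) failure events through the policy; return blocked ips."""
    ab = AutoBlock(**policy)
    blocked = {}
    for ts, ip in events:
        if ab.record_failure(ip, ts):
            blocked[ip] = ts
    return ab, blocked

# Constructed sample data: one burst (10 failures in 3 minutes) and one slow
# attempt (10 failures spread over 6 minutes, never 10 inside any 5-minute window).
T0 = datetime(2024, 1, 1, 12, 0, 0)
BURST = [(T0 + timedelta(seconds=20 * i), "203.0.113.5") for i in range(10)]
SLOW = [(T0 + timedelta(seconds=40 * i), "198.51.100.7") for i in range(10)]
```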

Synology DSM 6 LDAP security

Use an LDAP editor like LDAPadmin.

Connect to LDAP server running on Synology NAS.

Host: Synology NAS server

Port: 389

base: cn=config

Simple authentication

TLS: selected or deselected

Username: cn=config

Password: the same as the root user of the LDAP server

After logging in, select cn=config and edit the entry.

Add the attribute olcTLSCipherSuite, or change its value, with the cipher suites you want.
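A mistyped or over-restrictive olcTLSCipherSuite value can leave the LDAP server unable to negotiate TLS, so it is worth expanding the value before writing it into cn=config. The following is an added example (not Synology's or OpenLDAP's code) that uses Python's ssl module to show which ciphers a candidate string selects and whether weak ones remain; it assumes the Synology OpenLDAP build uses OpenSSL cipher-list syntax for this attribute.

```python
"""Check a candidate olcTLSCipherSuite value before applying it (added example)."""
import ssl

# Substrings that mark cipher names a hardening setting should not admit.
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXP", "ADH", "AECDH")

def expand_cipher_suite(value):
    """Expand an OpenSSL cipher-list string into the cipher names it selects.
    Raises ssl.SSLError when the string selects no cipher at all (assumption:
    the server's OpenLDAP is built against OpenSSL, so the same syntax applies)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(value)
    return [c["name"] for c in ctx.get_ciphers()]

def validate_cipher_suite(value):
    """Return a report: ok only if the string parses and admits no weak cipher."""
    try:
        names = expand_cipher_suite(value)
    except ssl.SSLError as exc:
        return {"ok": False, "error": str(exc), "ciphers": [], "weak": []}
    weak = [n for n in names if any(m in n for m in WEAK_MARKERS)]
    return {"ok": not weak, "error": None, "ciphers": names, "weak": weak}

if __name__ == "__main__":
    for candidate in ("HIGH:!aNULL:!MD5:!RC4:!3DES", "NOSUCHCIPHER"):
        report = validate_cipher_suite(candidate)
        print(candidate, "->", "ok" if report["ok"] else report["error"] or report["weak"])
```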