I recently encountered the task of encrypting all traffic from my QNap TS-253 Pro NAS using my current VPN provider Private Internet Access (PIA). Unfortunately, there’s no clear cut way of getting PIA setup on the QNap TS-253 Pro. After some digging and trial and error I was able to get this working.
1) Download PIA’s newest root certificates. This contains the root certificate for RSA 4096-bit encryption... https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip
2) Use WinSCP or FileZilla to SCP in to your QNap and copy the ca.rsa.4096.crt and ca.rsa.4096.pem files to /etc/config/openvpn/keys
3) Open up the QNap Management Portal and configure the VPN client
System Settings -> Applications -> VPN Client
New -> OpenVPN Connection
Name: PIA VPN Connection
Server: ca-toronto.privateinternetaccess.com (or any other valid PIA server)
Port: 1197
Import ca.rsa.4096.crt
4) Click “Connect”, it may or may not connect, but if it does connect you won’t see any traffic. Click “Disconnect”
SCP into your Qnap
Open /etc/config/openvpn/clients/client1
Replace everything up to the <ca> line
dev tun2001
proto udp
remote ca-toronto.privateinternetaccess.com 1197
client
nobind
cipher AES-256-CBC
auth SHA256
comp-lzo
writepid /var/run/openvpn.client1.pid
reneg-sec 0
persist-key
persist-tun
cipher aes-256-cbc
auth sha256
tls-client
remote-cert-tls server
tls-exit
remap-usr1 SIGTERM
connect-retry-max 1
auth-retry nointeract
resolv-retry infinite
route-noexec
auth-user-pass /etc/config/openvpn/clients/client1.auth
script-security 3
up /etc/openvpn/openvpn_up
down /etc/openvpn/openvpn_down
daemon openvpn-client
plugin /usr/lib/vpn_ext.so 1
ca /etc/config/openvpn/keys/ca.rsa.4096.crt
crl-verify /etc/config/openvpn/keys/crl.rsa.4096.pem
6) Save the file and close the session
7) Go back to your VPN Client in your QNap and click “Connect”
You should now start to see traffic
You may see SHA256/AES256 configuration errors in the logs, you can safely ignore these unless you’re seeing issues with connecting.
8) Test your connection by SSHing into your QNap and simply pinging www.google.com
Comments