OpenVPN Synology Server Poll Time out

It’s better?
What's "better" depends on your use case - e.g.:
  • Security / updates: Synology uses a proprietary vpn server implementation, which when I shifted away from it hadn't been updated for two years (I think they finally updated it another two years later). The vpn server implementation in the asus and merlin firmware is updated regularly.
  • Throughput / speed: this will depend on your specific router and syno nas hardware. I haven't tested lately, but think my speeds are similar whether I run the vpn server on the router or on the nas. In both cases, speed and throughput are more than sufficient for my purposes.
  • Convenience / maintenance: as you're seeing from the above, running your vpn server on a separate box behind the router adds a level of complexity - with the vpn server on the router you don't have to worry about port forwarding, nas firewalls, etc. Which reduces the potential for error and makes troubleshooting more straightforward.
I’ve thought about it but wouldn’t that slow down all other devices on the network, or just the one connected to the VPN?
Typically you'd use a vpn server to allow secure access into your lan from outside, so this wouldn't affect devices already on your network. However, it is a cpu intensive process so depending on what sort of use you have in mind I suppose it could impact on your router's general performance - in my case it hasn't though.

Unless given your question below you are thinking about a vpn client? If you use the merlin firmware you can choose which devices you run through the vpn service provider (e.g. Nord) and which ones you run through your wan. Any slower speeds resulting from using the vpn service provider would not affect the devices that you run through your wan.
Also, is it possible to have an OpenVPN and a VPN client like NordVPN on the same router?
You can run a vpn server and a vpn client on your router at the same time - I am at the moment. In fact the merlin firmware allows you to run 2x vpn servers and 5x vpn clients simultaneously.
 
Thanks for the thorough reply. I just followed a quick guide and set up an OpenVPN server on my Asus router and after exporting the config file to my phone I'm getting the same error message in the log as before ''Server poll timeout.'' I'm guessing it's the router that's at fault. Unrelated to VPN but I also noticed my connection speed is significantly slower after updating the firmware a few days ago than before. Every website used to load instantly, now it takes 1-3 seconds depending on the website.
 
Thanks for the thorough reply. I just followed a quick guide and set up an OpenVPN server on my Asus router and after exporting the config file to my phone I'm getting the same error message in the log as before ''Server poll timeout.''
Just checking the obvious - I assume you stopped forwarding port 1194 to the syno?
I'm guessing it's the router that's at fault.
If yes to the above then you've ruled out the syno as being the issue. Could still be the phone though, so maybe try from a different device. I remember a while ago my iPhone would not connect to my VPN server but android no problems (or maybe the other way around - can't remember).
Unrelated to VPN but I also noticed my connection speed is significantly slower after updating the firmware a few days ago than before. Every website used to load instantly, now it takes 1-3 seconds depending on the website.
What firmware version are you running?
Sounds like you need to disable all the built in junk to get your speeds back.
Agree. @Windsbee: the idea here is to save your router settings, flash a different firmware version, factory reset, and try the router with a minimal configuration. If symptoms persist you may have a hardware issue. If symptoms go away you'll know it's your old configuration. In either case you'll be able to go back to your current configuration as you saved your settings or reenter your previous settings if you prefer (probably better practice).
 
Yes I stopped forwarding 1194.

Running:
Signature version: 2.282

Current Version : 3.0.0.4.386_46065-ge51f2dc

Alright, so I saved the settings and hard factory reset the router, didn't import the settings, setup the router as brand new. Entered all the previous wifi names and passwords, enabled OpenVPN, created username and password, pressed apply, imported the config file to the app, and nope, doesn't work, ''server poll time out.'' Tried it with an Android phone but there the file can not be recognized, despite the app being downloaded. When I save the file and import it from the phone directly I get ''Error, file is binary.''

So I tried OpenVPN on my PC, but connecting to my iPhone's hotspot just says ''can't connect to network'' despite any other device being able to, and when setting up a hotspot on the Android phone, my PC can't find it, it simply refuses to show up, despite restarting the PC. All other devices can see it, just not the PC. Network drivers are up to date.

So at this point, I have no clue if it's a router hardware issue, or the iPhone is at fault.

Ugh, I didn't imagine it would be this difficult.
 
I stopped forwarding 1194 ... and hard factory reset the router, didn't import the settings, setup the router as brand new.
Good - you previously ruled out the syno as being the problem, and you have now ruled out any legacy issues with your settings in the router.
imported the config file to the app, and nope, doesn't work, ''server poll time out.''
That error message typically means that the openvpn client successfully imported the certificate and then proceeded with the first step in the protocol, which is to 'ping' the openvpn server. However, it then gave up as it received no response at all, meaning it couldn't even start talking with your vpn server - basic connectivity issue.

Are you able to post the contents of your .ovpn file? You'll want to remove personal identifiers (e.g. ddns address) as well as most of the certificate (the gobbledygook between <ca> and </ca>).
Tried it with an Android phone but there the file can not be recognized, despite the app being downloaded. When I save the file and import it from the phone directly I get ''Error, file is binary.''
That sounds like a transfer error - used to happen to me when I emailed the .ovpn files to my phone.
So I tried OpenVPN on my PC, but connecting to my iPhone's hotspot just says ''can't connect to network'' despite any other device being able to, and when setting up a hotspot on the Android phone, my PC can't find it, it simply refuses to show up, despite restarting the PC. All other devices can see it, just not the PC. Network drivers are up to date.
You're not having much luck, are you...
So at this point, I have no clue if it's a router hardware issue, or the iPhone is at fault.
I think your issues around openvpn are related to connectivity rather than hardware. My earlier comment was in response to the other issues you reported with your router - hopefully the fresh install resolved those?
Ugh, I didn't imagine it would be this difficult.
Yes, there is a learning curve with openvpn first up, though it's great when it's up and running. However, if you're just wanting a quick and easy solution you could look into something like Tailscale, which takes care of all the firewall and certificate stuff for you. It's proprietary but free for personal use (I think 10 devices), and there's a synology package.
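
One way to do the clean-up suggested in the post above before sharing a profile, as an added example that is not part of the original thread: it blanks the remote host and empties the inline certificate and key blocks completely, because a partly edited private key still discloses key material. The function name, placeholder strings and sample profile are constructed for illustration.

```python
import re

# Inline blocks whose bodies hold certificates or secret key material.
SECRET_BLOCKS = {"ca", "cert", "key", "tls-auth", "tls-crypt", "pkcs12"}
# "remote <host> ..." including commented-out copies; not "remote-cert-tls".
REMOTE_RE = re.compile(r"^(\s*[#;]?\s*remote\s+)\S+")
TAG_RE = re.compile(r"<([a-z0-9-]+)>")

# Constructed sample profile (not taken from the thread).
SAMPLE = """\
remote home.example.net 1194
; remote old.example.org 443
proto udp
dev tun
auth-user-pass
client
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLUNB
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQtU0FNUExFLUtFWQ==
-----END PRIVATE KEY-----
</key>
"""


def redact_ovpn(text):
    """Return (redacted_text, findings) for an OpenVPN client profile."""
    out, findings, inside = [], [], None
    for line in text.splitlines():
        stripped = line.strip()
        if inside:                      # drop everything up to the closing tag
            if stripped == f"</{inside}>":
                out.append(line)
                inside = None
            continue
        tag = TAG_RE.fullmatch(stripped)
        if tag and tag.group(1) in SECRET_BLOCKS:
            inside = tag.group(1)
            out += [line, f"[{inside} body removed]"]
            findings.append(f"<{inside}> block")
            continue
        line, hits = REMOTE_RE.subn(r"\g<1>REDACTED_HOST", line)
        if hits:
            findings.append("remote host")
        out.append(line)
    if inside:                          # refuse to emit a half-parsed profile
        raise ValueError(f"unterminated <{inside}> block")
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    redacted, findings = redact_ovpn(SAMPLE)
    print(redacted)
    print("redacted:", ", ".join(findings))
```
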
 
personal identifiers (e.g. ddns address)
I have created a DDNS address in the router settings. Do I have to include it in the exported ovpn file, or how does that work?
Are you able to post the contents of your .ovpn file?
Sure here: (I've replaced several letters and deleted rows in the cert and key stuff below for privacy just in case)

remote (Removed remote IP address) 1194
float
nobind
proto udp
dev tun
sndbuf 0
rcvbuf 0
keepalive 10 30

# for OpenVPN 2.4 or older
comp-lzo yes
# for OpenVPN 2.4 or newer
;compress lzo

auth-user-pass
client
auth SHA1
cipher AES-128-CBC
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
(Removed the entire ca)
-----END CERTIFICATE-----

</ca>

<cert>
-----BEGIN CERTIFICATE-----
MIIEijCCA3KggIBAjANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwJUVzEL
MAkGA1UEcxDzANBgNVBAcTBlRhaXBlaTENMAsGA1UEChMEQVNVUzERMA8G
-----END CERTIFICATE-----

</cert>

<key>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKAoIBAQDEsKXSDed5gVOy
-----END PRIVATE KEY-----

</key>

You're not having much luck, are you...
No, no I'm not..
Yes, there is a learning curve with openvpn first up, though it's great when it's up and running. However, if you're just wanting a quick and easy solution you could look into something like Tailscale, which takes care of all the firewall and certificate stuff for you. It's proprietary but free for personal use (I think 10 devices), and there's a synology package.
I've previously installed the TailScale package on Synology and the app on the iPhone and it works great to connect to the server outside of the network, took 5 seconds to setup, but here's my two problems with it:

1. (Bear with me on this one because I might be mistaken) - OpenVPN is like connecting to your home network while not at home, correct? When using Plex, you have the option to access your media library outside of the network via the Plex settings. No VPN needed, simply click enable and boom you can stream movies wherever you are. Using OpenVPN, it was to my understanding that you can access your Plex media library without enabling remote access in the settings, because your phone thinks it's at home, so that your library is not exposed to the internet. But when using TailScale, this doesn't work. I still have to enable remote access in the Plex settings regardless of being connected to TailScale or not. Am I mistaken here, or shouldn't I be able to connect to my Plex media library outside of my network using TailScale without enabling remote access in the Plex settings, or does it only work using OpenVPN, or neither?

2. Every time I see a forum/reddit post or comment regarding TailScale it feels like reading an advertisement. All that's missing is a guy with his thumbs up, bright smile and a gold chain in the background. Your comment being the exception. How safe is it to use? Do they have access to all my content? What if they're hacked?
 
I have created a DDNS address in the router settings. Do I have to include it in the exported ovpn file, or how does that work?
Not sure how it works with stock firmware, but with Merlin it shows you whether it's registered successfully once you enable the ddns client. However, if your vpn server doesn't work with your wan ip, then it's not going to work with a ddns service pointing to that same ip. Suggest you wait with setting up the ddns until you have this working direct with your wan ip.

Question: does your wan connection happen to be CG-NAT?

Sure here: (I've replaced several letters and deleted rows in the cert and key stuff below for privacy just in case)
Yes, better safe than sorry... Anyway, I don't see anything obviously wrong in your cert; the only thing you might try is using LZ4 compression instead of LZO - I've had issues with LZO in the past.
shouldn't I be able to connect to my Plex media library outside of my network using TailScale without enabling remote access in the Plex settings, or does it only work using OpenVPN, or neither?
With tailscale, if your plex server runs on your synology, then you should be able to point the plex client on your iphone to the 100.xx.xx:[plex port] tailscale ip address for the synology without enabling remote access.

With openvpn the only difference is that you'd point the plex client to the syno's 192.168.xxx:[plex port] ip address instead, again without enabling remote access.

To me the whole point of running these services over a vpn is the security of not having to enable remote access.
Every time I see a forum/reddit post or comment regarding TailScale it feels like reading an advertisement. All that's missing is a guy with his thumbs up, bright smile and a gold chain in the background. Your comment being the exception. How safe is it to use? Do they have access to all my content? What if they're hacked?
Yes I know what you mean about the guy with the gold chain - a lot of the commentary about tailscale has been either an overenthusiastic endorsement (because it is so easy to set up) or all out paranoia about security and / or loss of control (as tailscale does need to collect some information in order to make the easy set up thing work and is not open source).

But then again, vpn providers also collect data (even if they say they don't maintain logs), and we all know google does, so it really boils down to your assessment as to what you're comfortable with. Maybe start with looking at some of the more 'neutral' assessments of tailscale out there, which I think might answer some of your questions about security - e.g. see here and here.

I think there's a balance here; personally I'm comfortable enough to use tailscale for several purposes - mainly because wireguard, end-to-end encryption, actual data doesn't go through their servers. But as I don't trust anyone I do keep an offline backup of all my stuff.
 
Question: does your wan connection happen to be CG-NAT?
My WAN IP is 100.65.xx.xx

On https://www.whatsmyip.org/ my IP is 155.4.xxx.xxx

What does this mean? Does it mean that all along my problems have been due to the massive ball and chain around my ankle provided by the lovely people over at my ISP?
Is the ISP responsible for me putting the local psychiatric ward on speed dial over this crap?
With tailscale, if your plex server runs on your synology, then you should be able to point the plex client on your iphone to the 100.xx.xx:[plex port] tailscale ip address for the synology without enabling remote access.
Alright so I downloaded TailScale again, and can connect to my NAS via the 100.xxx.xx.xx IP address on my iPhone. I can also connect to Plex in the iPhone web browser using 100.xxx.xx.xx:32400. However in the Plex app, I went into settings - advanced - server connections - and tried adding the IP and port, but get Error 401, and it seems like I'm not alone on this one:
So I guess wait until it's fixed? Although it seems to have been an issue for a while.
To me the whole point of running these services over a vpn is the security of not having to enable remote access.
That's the only reason I started this whole thing. That's what I want, specifically with Plex.
I think there's a balance here; personally I'm comfortable enough to use tailscale for several purposes - mainly because wireguard, end-to-end encryption, actual data doesn't go through their servers. But as I don't trust anyone I do keep an offline backup of all my stuff.
Sounds good. Yeah, I'm about to backup all my stuff as well.
 
My WAN IP is 100.65.xx.xx On https://www.whatsmyip.org/ my IP is 155.4.xxx.xxx What does this mean? Is the ISP responsible for me putting the local psychiatric ward on speed dial over this crap?
Since the two addresses are different, I'd say you are likely on a cg nat network. And yes, this would be a 'feature' your ISP provides, and would definitely explain the connectivity issues you've been having with openvpn.

Prior to seeking psychiatric help I'd suggest you confirm the situation with your ISP and if confirmed ask them to provide you with a unique private ip address. Or you could switch ISPs or look into renting a VPS.
Alright so I downloaded TailScale again, and can connect to my NAS via the 100.xxx.xx.xx IP address on my iPhone. I can also connect to Plex in the iPhone web browser using 100.xxx.xx.xx:32400.
Cool, that means you've got tailscale working.
However in the Plex app, I went into settings - advanced - server connections - and tried adding the IP and port, but get Error 401
Sorry - can't help you there as I don't use Plex, and this issue doesn't arise with Jellyfin. It does sound like something that tailscale and plex will need to fix between them.
 
Since the two addresses are different, I'd say you are likely on a cg nat network. And yes, this would be a 'feature' your ISP provides, and would definitely explain the connectivity issues you've been having with openvpn.
This is a CGNAT address and is therefore not accessible from outside your LAN.
CGNAT - so you'll be able to do outbound VPN, but will not be able to be an inbound VPN host over IPV4
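
The comparison made in the posts above, as an added example that is not part of the original thread: it checks whether the router's WAN address falls in the carrier-grade NAT range 100.64.0.0/10 (RFC 6598) or a private range, and whether it matches the address an outside service reports. The function name and sample addresses are constructed; only the leading octets of the first pair follow the thread, and the check covers IPv4 only.

```python
import ipaddress

# RFC 6598 shared address space used by ISPs for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: the router sits behind another NAT device.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(router_wan_ip, observed_public_ip):
    """Return (kind, inbound_direct) for an IPv4 WAN address.

    router_wan_ip      -- address shown on the router's WAN status page
    observed_public_ip -- address reported by an external "what is my IP" site
    inbound_direct     -- True if a port forward on this router alone can
                          receive connections from the internet
    """
    wan = ipaddress.ip_address(router_wan_ip)
    seen = ipaddress.ip_address(observed_public_ip)
    if wan in CGNAT:
        return ("cgnat", False)        # ISP translates; forwards never see traffic
    if any(wan in net for net in RFC1918):
        return ("double-nat", False)   # upstream device must forward as well
    if wan != seen:
        return ("translated", False)   # some other NAT or proxy is in the path
    return ("public", True)            # router holds the public address itself


if __name__ == "__main__":
    # Constructed sample addresses.
    samples = [
        ("100.65.10.20", "155.4.10.20"),
        ("192.168.1.2", "203.0.113.7"),
        ("203.0.113.7", "203.0.113.7"),
    ]
    for wan, seen in samples:
        kind, ok = classify_wan(wan, seen)
        print(f"WAN {wan:<14} seen as {seen:<14} -> {kind:<10} inbound direct: {ok}")
```
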
I contacted my ISP and got a public ipv4 address from them. I can now finally use OpenVPN and all is well.

Although after receiving the ipv4, new issues arose that I brought up in a more fitting part of the forums. The issues are solved, just asking how they're solved: https://www.snbforums.com/threads/p...es-not-function-properly-fixed-but-how.77808/

Thank you so much for your help!
 
