### Sven Gehring's Blog

I write about software, engineering and stupidly fun side projects.

A few weeks ago, I decided to build a little tool for my Synology Download Station, since I was not quite satisfied with the features DS Download offered me for simple monitoring. However, while testing out the API as it was documented in official API docs, I stumbled upon some rather unusual behaviour, that allows you to access details of any download task, even if it does not belong to the user you’re authenticated as. Continue reading

# Synology DSM6x VPN via Command Line

Synology DSM offers you a quite simple interface for managing your VPN connections, however, aside the fact that it is missing a lot of advanced options, that are needed for certain providers, it also lacks the possibility of automation. For example, the reason I am writing this is, I am using an OpenVPN connection on my second Synology station together with multiple gateways. That’s all fine and good, however, as soon as the VPN client gets into a timeout, it will try to resolve the host name in the config via the VPN gateway, which is now inaccessible. The only way I found to fix this, is simply reconnecting to the VPN server. Sadly, Synology doesn’t make that simply exactly simple.

## Basics of Synology VPN handling

Synology is using various scripts and flags for handling vpn connections. All of the relevant files for this are found in /usr/syno/etc/synovpnclient. Also, the binary file the disk station uses for connection handling is found at /usr/syno/bin/synovpnc, aliased to synovpnc.

A list of the files and directories in this directory:

• l2tp - Holds configs for l2tp connections
• pptp - Holds configs for pptp connections
• openvpn - Holds configs for openvpn connections
• scripts - Internal scripts by the VPN client
• vpnc_connecting - A (only temporary) flag file, this will be very important later!

Simply typing the synovpnc command will give us sufficient information about its usage.

[MISSING IMAGE]

## Disconnecting a VPN connection

In order to disconnect a VPN connection, we can use the kill_client function of synovpnc. The script requires either the name of the connection, as it is saved in the UI via --name=MYVPN or the id via --id=XXX.

 1 2 3 4 5  cybrox@nyx:/usr/syno/etc/synovpnclient$sudo synovpnc kill_client --id=o1462043059 Password: get arguemnt id: o1462943059 kill client ...OK ## Connecting to a VPN server Now, disconnecting is pretty straightforward. Connecting however, is a bit more tricky, since synovpnc completely ignores arguments and only reads its parameters from a flag file at /usr/syno/etc/synovpnclient/vpnc_connecting. If we attempt a connection, as we would expect it to work, we get the following response:  1 2  cybrox@nyx:/usr/syno/etc/synovpnclient$ sudo synovpnc connect --id=o1462043059 get arguemnt id: o1462043059

And nothing happens…

What we actually have to do is, write our parameter into the flag file mentioned above and then tell the script to connect or reconnect. When we cat /usr/syno/etc/synovpnclient/vpnc_connecting while connection to the VPN from the UI, we actually see, which parameters are put in there. The script expects the config id and name, as well as the protocol type to connect in the flag file.

 1 2 3 4  sudo sh -c "echo conf_id=o1462043059 > /usr/syno/etc/synovpnclient/vpnc_connecting" sudo sh -c "echo conf_name=HIDE >> /usr/syno/etc/synovpnclient/vpnc_connecting" sudo sh -c "echo proto=openvpn >> /usr/syno/etc/synovpnclient/vpnc_connecting" sudo synovpnc connect --id=o1462043059

In fact, if you open the UI alongside the terminal, you will see, that the UI state changes to connecting, after we write the first line into the file. After executing the connect command, it should switch to connected.

[MISSING IMAGE]

## Automatically reconnecting a VPN connection

The problem mentioned in the preamble of this article, is rather easy to solve, once we know how to connect and disconnect the VPN client via command line. For my example, I simply added a task that will execute the following bash script every 10 minutes:

Simplified, the script reads the last line from the openvpn log, since I am using an openvpn connection. If the log message contains the expected error, it will disconnect the VPN connection, wait for 20 seconds (which should be more than sufficient) and then write all the flags and cause the tool to reconnect. In the end, it will check if a successful connection was established and output a status message.

This is only one of the many examples of how you can use the power of manually manipulating VPN connections. The really important part is, that you are able to do it, despite Synology not providing any information on this whatsoever.

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24  LASTLINE=tail -n 1 /usr/syno/etc/synovpnclient/openvpn/openvpn.log CONNFILE=/usr/syno/etc/synovpnclient/vpnc_connecting if [[ "$LASTLINE" == *"RESOLVE: Cannot"* ]]; then echo "OK: Triggering disconnect" synovpnc kill_client --name=HIDE echo "OK: Waiting 20 seconds" sleep 20 echo "OK: Triggering connect" echo conf_id=o1462043059 >$CONNFILE echo conf_name=HIDE >> $CONNFILE echo proto=openvpn >>$CONNFILE synovpnc connect --id=o1462043059 echo "OK: Waiting 20 seconds" sleep 20 LASTLINE=tail -n 1 /usr/syno/etc/synovpnclient/openvpn/openvpn.log if [[ "\$LASTLINE" == *"Initialization Sequence Completed" ]]; then echo "OK: Reconnect successful" else echo "ER: Reconnect failed" fi fi