Aangepaste OpenVPN werkt na update DSM niet meer

[André PE1PQX]

Afgelopen dagen heeft Syno een DSM update vrij gegeven n.l. de 6.2.4-25556. Hierbij is ook het VPN server package bijgewerkt.
Na deze update werkt OpenVPN welke is aangepast volgens deze manier niet meer.
Client kan geen contact krijgen op een één of andere manier, en het loggen in /var/log/openvpn.log gebeurt ook niet meer. (laatste toevoeging in het log stamt van 8 maart j.l.).
Ik moet nog het log van een Win10 client los peuteren om te zien wat daar in staat.

Zijn er meer die dit zien??

[André PE1PQX]

Aanvulling: Na het terug zetten van de vorige versie van het OpenVPN package (v. 1.3.11-2777) werkt het wel.
Ergens is er in de update (v 1.3.12-2780) dus iets veranderd waardoor er iets niet meer werkt, maar wat weet ik dus niet!

[Briolet]

Dat is het nadeel van handmatige aanpassingen. Synology houdt hier natuurlijk geen rekening mee als ze paden of andere zaken veranderen bij een update.

Het blijft leerzaam te weten of het aan de aanpassing ligt, of dat het probleem meer algemeen is.

[Rubensky]

Ben wel zeer geïnteresseerd. Mijn DS214Play, draaiend op DSM 6.2.3-25426 Update 3. Maakt nog geen melding van een update. Ik wilde morgen aan de hier gelinkte procedure beginnen.

Toch maar even afwachten of het een algemeen probleem is.

Overigens staat er in de release notes dit over VPN en Proxy.

Code: [Selecteer]

When logging in through VPN or Proxy server, some functionalities may have authentication issues. To fix this issue, please go to Control Panel > Security, and click the Trusted Proxies button to add the trusted proxy server to the list.

Mogelijk helpt dat je in de goede richting.

[Pippin]

André,

Controleer alle paden.

Wat geeft

Code: [Selecteer]

openvpn --versionop de DS?

Pas het pad naar het log eens aan naar

Code: [Selecteer]

log /usr/syno/etc/packages/VPNCenter/VPNcerts/openvpn.log
.

Welke versie op de client?
Log met

Code: [Selecteer]

verb 4
Post beide logs eens, verwijder keys en IP.

[André PE1PQX]

@Pippin ik heb de voorlaatste weer terug gezet. Ik zal op mijn 918+ dit ook nog eens instellen maar dan met de laatste versie om te zien wat er dan gebeurt.

Daarna zal ik de logs/uitkomsten van je verzoeken even melden.

[Pippin]

Post ook even

Code: [Selecteer]

openvpn --show-ciphers
En welke ciphers zijn er beschikbaar in VPN Server? (screenshots)

[André PE1PQX]

@Pippin Geef me AUB even de tijd, zal de gevraagde data even verzamelen.

Zal de data vanuit mijn (nu werkende) VPN op mijn DS218+ en de gegevens uit een nog in te stellen DS918+ melden.

[André PE1PQX]

Version uit mijn DS918 met VPN v 1.3.12-2780:

Code: [Selecteer]

openvpn --version
OpenVPN 2.3.17 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar  2 2021
library versions: OpenSSL 1.0.2u-fips  20 Dec 2019, LZO 2.09
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no
git revision: refs/heads/DSM6-2-4-official/8533768265ff2951
Cypher op de zelfde NAS en VPN versie:

Code: [Selecteer]

openvpn --show-ciphers
The following ciphers and cipher modes are available
for use with OpenVPN.  Each cipher shown below may be
used as a parameter to the --cipher option.  The default
key size is shown as well as whether or not it can be
changed with the --keysize directive.  Using a CBC mode
is recommended. In static key mode only CBC mode is allowed.

AES-128-CBC  (128 bit key, 128 bit block)
AES-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
AES-192-CBC  (192 bit key, 128 bit block)
AES-192-CFB  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB1  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB8  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-OFB  (192 bit key, 128 bit block, TLS client/server mode only)
AES-256-CBC  (256 bit key, 128 bit block)
AES-256-CFB  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB1  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB8  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-OFB  (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-CBC  (128 bit key, 128 bit block)
CAMELLIA-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-CBC  (192 bit key, 128 bit block)
CAMELLIA-192-CFB  (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-CFB1  (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-CFB8  (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-OFB  (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-CBC  (256 bit key, 128 bit block)
CAMELLIA-256-CFB  (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-CFB1  (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-CFB8  (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-OFB  (256 bit key, 128 bit block, TLS client/server mode only)
SEED-CBC  (128 bit key, 128 bit block)
SEED-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
SEED-OFB  (128 bit key, 128 bit block, TLS client/server mode only)

The following ciphers have a block size of less than 128 bits,
and are therefore deprecated.  Do not use unless you have to.

BF-CBC  (128 bit key by default, 64 bit block)
BF-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
BF-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
CAST5-CBC  (128 bit key by default, 64 bit block)
CAST5-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
CAST5-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
DES-CBC  (64 bit key, 64 bit block)
DES-CFB  (64 bit key, 64 bit block, TLS client/server mode only)
DES-CFB1  (64 bit key, 64 bit block, TLS client/server mode only)
DES-CFB8  (64 bit key, 64 bit block, TLS client/server mode only)
DES-EDE-CBC  (128 bit key, 64 bit block)
DES-EDE-CFB  (128 bit key, 64 bit block, TLS client/server mode only)
DES-EDE-OFB  (128 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CBC  (192 bit key, 64 bit block)
DES-EDE3-CFB  (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CFB1  (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CFB8  (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-OFB  (192 bit key, 64 bit block, TLS client/server mode only)
DES-OFB  (64 bit key, 64 bit block, TLS client/server mode only)
DESX-CBC  (192 bit key, 64 bit block)
RC2-40-CBC  (40 bit key by default, 64 bit block)
RC2-64-CBC  (64 bit key by default, 64 bit block)
RC2-CBC  (128 bit key by default, 64 bit block)
RC2-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
RC2-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
Het gekke is, dit komt exact overeen met de aangepaste VPN in de DS218.

Android Client is OpenVPN version 3.2.4.(5891)
Windows Client is OpenVPN version 3.2.3.1851

Met de logs ben ik mee bezig....

[Pippin]

Had de gedachte dat Synology (eindelijk) een update had gedaan naar versie 2.4.x of zelfs 2.5.x
Maar helaas...
Gebruik zelf VPN Server niet meer.

Dus naar de 918 werkt het wel maar naar de 218 niet?
Dan zou ik eerst alle instellingen nalopen, vooral netwerk en firewall.
Synology heeft nog wel eens de gewoonte instellingen te veranderen na een update.

Als de OpenVPN server is gestart ook eens kijken naar

Code: [Selecteer]

netstat -atunp

[André PE1PQX]

Ik heb de DS918+ (voor VPN testdoeleinden) nog niet verder aangepast volgens jouw mooie omschrijving.
Hier kom om morgen pas aan toe.

De DS218+ werk inmiddels wel zoals bedoeld en gewenst en is aangepast.

Die 'netstat -atunp', voer ik die in putty uit op de server?? (Dacht het wel, maar twijfel)

[Pippin]

Ok, dus 218 werkt.

Die 'netstat -atunp', voer ik die in putty uit op de server?? (Dacht het wel, maar twijfel)

Ja in putty/terminal, daar zou dan openvpn op moeten duiken.

[André PE1PQX]

Ik zal vanavond de 918 ook eens opstellen als VPN server MET die aanpassingen, maar dan met v. 1.3.12.
Log van de 218 (VPN Server)  en Android (client) reeds gemaakt, komt er zo aan.

[André PE1PQX]

Hier 2 logs van een WERKENDE verbinding, inclusief opbouwen en verbreken van de verbinding.

VPN Server:

Code: [Selecteer]

Thu Mar 11 16:21:27 2021 us=512012 MULTI: multi_create_instance called
Thu Mar 11 16:21:27 2021 us=512116 Vodafone_4G_IP:42065 Re-using SSL/TLS context
Thu Mar 11 16:21:27 2021 us=512144 Vodafone_4G_IP:42065 LZO compression initialized
Thu Mar 11 16:21:27 2021 us=512240 Vodafone_4G_IP:42065 Control Channel MTU parms [ L:1570 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Thu Mar 11 16:21:27 2021 us=512260 Vodafone_4G_IP:42065 Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:143 ET:0 EL:3 AF:3/1 ]
Thu Mar 11 16:21:27 2021 us=512301 Vodafone_4G_IP:42065 Local Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Thu Mar 11 16:21:27 2021 us=512317 Vodafone_4G_IP:42065 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Thu Mar 11 16:21:27 2021 us=512343 Vodafone_4G_IP:42065 Local Options hash (VER=V4): '8a3b3cca'
Thu Mar 11 16:21:27 2021 us=512365 Vodafone_4G_IP:42065 Expected Remote Options hash (VER=V4): '73e43c96'
Thu Mar 11 16:21:27 2021 us=512422 Vodafone_4G_IP:42065 TLS: Initial packet from [AF_INET]Vodafone_4G_IP:42065, sid=a8cae596 2c39246f
Thu Mar 11 16:21:27 2021 us=803161 Vodafone_4G_IP:42065 PID_ERR replay-window backtrack occurred [1] [TLS_AUTH-0] [0_00000000] 1615476086:10 1615476086:9 t=1615476087[0] r=[0,64,15,1,1] sl=[54,10,64,528]
Thu Mar 11 16:21:27 2021 us=803576 Vodafone_4G_IP:42065 VERIFY OK: depth=1, C=??, ST=??, L=??, O=OVPN, OU=Security, CN=CA, emailAddress=rootca@vpn.vpn
Thu Mar 11 16:21:27 2021 us=803970 Vodafone_4G_IP:42065 Validating certificate key usage
Thu Mar 11 16:21:27 2021 us=803989 Vodafone_4G_IP:42065 ++ Certificate has key usage  0088, expects 0080
Thu Mar 11 16:21:27 2021 us=804004 Vodafone_4G_IP:42065 ++ Certificate has key usage  0088, expects 0008
Thu Mar 11 16:21:27 2021 us=804019 Vodafone_4G_IP:42065 ++ Certificate has key usage  0088, expects 0088
Thu Mar 11 16:21:27 2021 us=804033 Vodafone_4G_IP:42065 VERIFY KU OK
Thu Mar 11 16:21:27 2021 us=804051 Vodafone_4G_IP:42065 Validating certificate extended key usage
Thu Mar 11 16:21:27 2021 us=804068 Vodafone_4G_IP:42065 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Thu Mar 11 16:21:27 2021 us=804106 Vodafone_4G_IP:42065 VERIFY EKU OK
Thu Mar 11 16:21:27 2021 us=804124 Vodafone_4G_IP:42065 VERIFY OK: depth=0, C=??, ST=??, L=??, O=OVPN, OU=Security, CN=VPN_USER, emailAddress=Andre@domain.eu
Thu Mar 11 16:21:27 2021 RADIUS-PLUGIN: FOREGROUND THREAD: New user.
Thu Mar 11 16:21:28 2021 RADIUS-PLUGIN: No attributes Acct Interim Interval or bad length.
Thu Mar 11 16:21:28 2021 RADIUS-PLUGIN: Client config file was not written, overwriteccfiles is false
.Thu Mar 11 16:21:28 2021 RADIUS-PLUGIN: FOREGROUND THREAD: Add user to map.
Thu Mar 11 16:21:28 2021 us=135358 Vodafone_4G_IP:42065 PLUGIN_CALL: POST /var/packages/VPNCenter/target/lib/radiusplugin.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Thu Mar 11 16:21:28 2021 us=135469 Vodafone_4G_IP:42065 TLS: Username/Password authentication succeeded for username 'VPN_USER'
Thu Mar 11 16:21:28 2021 us=135597 Vodafone_4G_IP:42065 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Mar 11 16:21:28 2021 us=135619 Vodafone_4G_IP:42065 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Mar 11 16:21:28 2021 us=135711 Vodafone_4G_IP:42065 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Mar 11 16:21:28 2021 us=135731 Vodafone_4G_IP:42065 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Mar 11 16:21:28 2021 us=167751 Vodafone_4G_IP:42065 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Thu Mar 11 16:21:28 2021 us=167827 Vodafone_4G_IP:42065 [VPN_USER] Peer Connection Initiated with [AF_INET]Vodafone_4G_IP:42065
Thu Mar 11 16:21:28 2021 us=167878 VPN_USER/Vodafone_4G_IP:42065 MULTI_sva: pool returned IPv4=192.168.160.2, IPv6=(Not enabled)
Thu Mar 11 16:21:28 2021 us=170667 VPN_USER/Vodafone_4G_IP:42065 PLUGIN_CALL: POST /var/packages/VPNCenter/target/lib/radiusplugin.so/PLUGIN_CLIENT_CONNECT status=0
Thu Mar 11 16:21:28 2021 us=170746 VPN_USER/Vodafone_4G_IP:42065 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_6b150ea630c7212a601ff54fbaea6c57.tmp
Thu Mar 11 16:21:28 2021 us=170851 VPN_USER/Vodafone_4G_IP:42065 MULTI: Learn: 192.168.160.2 -> VPN_USER/Vodafone_4G_IP:42065
Thu Mar 11 16:21:28 2021 us=170871 VPN_USER/Vodafone_4G_IP:42065 MULTI: primary virtual IP for VPN_USER/Vodafone_4G_IP:42065: 192.168.160.2
Thu Mar 11 16:21:28 2021 us=175844 VPN_USER/Vodafone_4G_IP:42065 PUSH: Received control message: 'PUSH_REQUEST'
Thu Mar 11 16:21:28 2021 us=175914 VPN_USER/Vodafone_4G_IP:42065 send_push_reply(): safe_cap=940
Thu Mar 11 16:21:28 2021 us=175968 VPN_USER/Vodafone_4G_IP:42065 SENT CONTROL [VPN_USER]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 192.168.160.0 255.255.255.0,sndbuf 0,rcvbuf 0,route-gateway 192.168.160.1,topology subnet,ping 10,ping-restart 60,ifconfig 192.168.160.2 255.255.255.0' (status=1)
Thu Mar 11 16:21:46 2021 us=213924 VPN_USER/Vodafone_4G_IP:42065 SIGTERM[soft,remote-exit] received, client-instance exiting
Thu Mar 11 16:21:46 2021 RADIUS-PLUGIN: BACKGROUND ACCT: No accounting data was found for VPN_USER,Vodafone_4G_IP:42065.
Thu Mar 11 16:21:46 2021 us=216661 PLUGIN_CALL: POST /var/packages/VPNCenter/target/lib/radiusplugin.so/PLUGIN_CLIENT_DISCONNECT status=0

VPN Client (Android)

Code: [Selecteer]

16:21:26.953 -- ----- OpenVPN Start -----

16:21:26.953 -- EVENT: CORE_THREAD_ACTIVE

16:21:26.956 -- OpenVPN core 3.git:released:662eae9a:Release android arm64 64-bit PT_PROXY

16:21:26.957 -- Frame=512/2048/512 mssfix-ctrl=1250

16:21:26.957 -- UNUSED OPTIONS
6 [verb] [4]
7 [nobind]
9 [block-outside-dns]
10 [register-dns]
14 [pull]
15 [tls-client]
18 [prng] [SHA256] [32]
23 [fast-io]
26 [auth-nocache]

16:21:26.957 -- EVENT: RESOLVE

16:21:26.961 -- Contacting WAN_IP_ADRES:1194 via UDP

16:21:26.961 -- EVENT: WAIT

16:21:26.964 -- Connecting to [mijn_domein]:1194 (WAN_IP_ADRES) via UDPv4

16:21:27.085 -- EVENT: CONNECTING

16:21:27.088 -- Tunnel Options:V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client

16:21:27.088 -- Creds: Username/Password

16:21:27.089 -- Peer Info:
IV_VER=3.git:released:662eae9a:Release
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=net.openvpn.connect.android_3.2.4-5891
IV_SSO=openurl

16:21:27.210 -- VERIFY OK: depth=0, /C=??/ST=??/L=??/O=OVPN/OU=Security/CN=Server/emailAddress=Andre@domain.eu

16:21:27.711 -- SSL Handshake: CN=Server, TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA

16:21:27.713 -- Session is ACTIVE

16:21:27.715 -- EVENT: GET_CONFIG

16:21:27.722 -- Sending PUSH_REQUEST to server...

16:21:27.749 -- OPTIONS:
0 [redirect-gateway] [def1]
1 [dhcp-option] [DNS] [192.168.1.4]
2 [dhcp-option] [DNS] [192.168.1.5]
3 [route] [192.168.1.0] [255.255.255.0]
4 [route] [192.168.160.0] [255.255.255.0]
5 [sndbuf] [0]
6 [rcvbuf] [0]
7 [route-gateway] [192.168.160.1]
8 [topology] [subnet]
9 [ping] [10]
10 [ping-restart] [60]
11 [ifconfig] [192.168.160.2] [255.255.255.0]

16:21:27.751 -- PROTOCOL OPTIONS:
  cipher: AES-256-CBC
  digest: SHA256
  compress: LZO_STUB
  peer ID: -1

16:21:27.753 -- EVENT: ASSIGN_IP

16:21:27.781 -- Connected via tun

16:21:27.783 -- LZO-ASYM init swap=0 asym=1

16:21:27.785 -- Comp-stub init swap=0

16:21:27.787 -- EVENT: CONNECTED info='USER@mijndomein:1194 (WAN_IP_ADRESS) via /UDPv4 on tun/192.168.160.2/ gw=[192.168.160.1/]'

16:21:45.785 -- EVENT: DISCONNECTED

16:21:45.787 -- Tunnel bytes per CPU second: 0

16:21:45.788 -- ----- OpenVPN Stop -----

Ik ga nu de DS918+ met de nieuwe versie opzetten, momentje AUB.

[André PE1PQX]

Hieronder het log van de Androd client bij een falende verbinding.
Op een één of andere manier word er op de server geen OpenVPN log aangemaakt in /var/log.

Code: [Selecteer]

19:04:07.016 -- ----- OpenVPN Start -----

19:04:07.017 -- EVENT: CORE_THREAD_ACTIVE

19:04:07.019 -- OpenVPN core 3.git:released:662eae9a:Release android arm64 64-bit PT_PROXY

19:04:07.019 -- Frame=512/2048/512 mssfix-ctrl=1250

19:04:07.021 -- UNUSED OPTIONS
6 [verb] [4]
7 [nobind]
9 [block-outside-dns]
10 [register-dns]
14 [pull]
15 [tls-client]
18 [prng] [SHA256] [32]
23 [fast-io]
26 [auth-nocache]

19:04:07.021 -- EVENT: RESOLVE

19:04:07.106 -- Contacting WAN_IP_ADRESS:1194 via UDP

19:04:07.107 -- EVENT: WAIT

19:04:07.110 -- Connecting to [mijn_domein]:1194 (WAN_IP_ADRESS) via UDPv4

19:04:07.142 -- EVENT: CONNECTING

19:04:47.022 -- Session invalidated: KEEPALIVE_TIMEOUT

19:04:47.023 -- Client terminated, restarting in 2000 ms...

19:04:49.023 -- EVENT: RECONNECTING

19:04:49.031 -- EVENT: RESOLVE

19:04:49.045 -- Contacting WAN_IP_ADRESS:1194 via UDP

19:04:49.045 -- EVENT: WAIT

19:04:49.051 -- Connecting to [mijn_domein]:1194 (WAN_IP_ADRESS) via UDPv4

19:04:49.093 -- EVENT: CONNECTING

19:05:07.023 -- EVENT: PAUSE

19:05:55.635 -- EVENT: RESUME

19:05:55.638 -- EVENT: RECONNECTING

19:05:55.641 -- EVENT: RESOLVE

19:05:55.647 -- Contacting WAN_IP_ADRESS:1194 via UDP

19:05:55.648 -- EVENT: WAIT

19:05:55.650 -- Connecting to [mijn_domein]:1194 (WAN_IP_ADRESS) via UDPv4

19:05:55.683 -- EVENT: CONNECTING

19:06:35.638 -- Session invalidated: KEEPALIVE_TIMEOUT

19:06:35.639 -- Client terminated, restarting in 2000 ms...

19:06:37.637 -- EVENT: RECONNECTING

19:06:37.644 -- EVENT: RESOLVE

19:06:37.656 -- Contacting WAN_IP_ADRESS:1194 via UDP

19:06:37.658 -- EVENT: WAIT

19:06:37.664 -- Connecting to [mijn_domein]:1194 (WAN_IP_ADRESS) via UDPv4

19:06:37.701 -- EVENT: CONNECTING

19:06:55.638 -- EVENT: CONNECTION_TIMEOUT

19:06:55.647 -- EVENT: DISCONNECTED

19:06:55.648 -- Tunnel bytes per CPU second: 0

19:06:55.649 -- ----- OpenVPN Stop ----

En voordat een slim persoon roept "heb je de router wel aangepast en de poort 1194 wel naar je DS918+ door gestuurd?" Jawel, dat heb ik, toch bedankt voor het herinneren.
(Ondertussen weer terug gezet naar een werkende DS218+)