VPN server ignores permissions on Synology

I have a problem with OpenVPN and L2TP/IPsec on my DS218+.

I have one shared folder with multiple subfolders. I created groups with access to certain subfolders for employees.

When they access the DS218+ over LAN through the DSM portal or File Explorer, or even Mac OS Finder, they can see and have access only to the folders of their concern. If they connect via Windows VPN L2TP/IPsec (shared secret and individual username and password) or OpenVPN (again with individual username and password), they can see and access all shared folders and ALL content inside of them.

I checked properties, used Permission Inspector, and tested all accounts under DSM, Windows File Explorer, and Mac OS Finder; it is always the same: local permissions are good, but over a VPN they are not.

I tried it again on clean DS218+ and it’s the same. Somehow VPN bypasses permissions.

When we VPN to the office LAN through the office building's VPN provider, there is no problem. Everybody has access only to the files they need.

I’m slightly losing my mind.

Hi Filip,
I just tested what you describe and I don't observe this. All permissions are respected.

DS920+
OpenVPN
From MacOS Catalina
I tested with one user by adding/removing R/W permission to one shared folder. I got a message that the folder was not available when the user had no permission to it.

My test has only one Shared Folder, no sub-folders.

Regards
Ben


Thanks Ben for the effort.
Can you tell me which DSM you have? Mine is DSM 7.2-64561.

Regards,
Filip

I have 7.2.1-69057 Update 5.


Thank you, Ben.

I've figured it out. After connecting with user privileges, Windows 11 and Mac Sonoma find users with higher privileges in Credential Manager and Keychain and override the connection to the server.

I accidentally found that out when trying for the 1000000th time on my Mac. After I connected through VPN it asked me for credentials (I was logged out of my higher privilege login), I entered my lower privilege username and password and chose which folder to mount. After it was mounted I saw "Connected As" in Finder's top right corner.

After I deleted my high privilege username and login from Keychain, the lower privilege account was connected.

This took days, not hours, to solve. My logic was in a totally different direction. I need a vacation.
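The root cause found in this thread is a stored credential for the NAS being presented in place of the account the user actually logged in with. As an added check (not from the thread or from Synology), the following parses the output of Windows' `cmdkey /list` and reports any saved credential for the NAS host whose user differs from the account you intended to connect as. The sample output and the host name `nas.example.local` are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample of `cmdkey /list` output; not captured from a real system.
# "nas.example.local" stands in for the Synology host name.
SAMPLE_CMDKEY_OUTPUT = """
Currently stored credentials:

    Target: Domain:target=nas.example.local
    Type: Domain Password
    User: admin-user
    Local machine persistence

    Target: MicrosoftAccount:target=SSO_POP_Device
    Type: Generic
    User: 02abcdef12345678

    Target: LegacyGeneric:target=git:https://github.com
    Type: Generic
    User: someone
"""


def parse_cmdkey(output: str) -> List[Dict[str, str]]:
    """Split `cmdkey /list` text into one dict per stored credential (target, type, user)."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        target = re.match(r"Target:\s*(.+)", line)
        if target:
            if current:
                entries.append(current)
            current = {"target": target.group(1)}
            continue
        field = re.match(r"(Type|User):\s*(.+)", line)
        if field and current:
            current[field.group(1).lower()] = field.group(2)
    if current:
        entries.append(current)
    return entries


def credentials_for_host(output: str, host: str) -> List[Dict[str, str]]:
    """Return stored credentials whose target names the given NAS host."""
    return [e for e in parse_cmdkey(output) if host.lower() in e["target"].lower()]


def identity_mismatch(output: str, host: str, intended_user: str) -> List[str]:
    """Users Windows would present to `host` instead of `intended_user` (empty list = clean)."""
    return [e.get("user", "") for e in credentials_for_host(output, host)
            if e.get("user", "").lower() != intended_user.lower()]
```

On a real machine, feed it the output of `cmdkey /list`; any name returned is a saved credential that will take precedence over the VPN login when the share is mounted, which matches the "Connected As" behaviour described above.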