Using VPN With Synology NAS

Using VPN with Synology NAS teaches you to set up a VPN connection between a VPN client and a Synology NAS that hosts a VPN server. This instruction focuses on a VPN connection based on the OpenVPN standard, which combines a good level of security with ease of installation.

synology, vpn server application and logo, dsm7

Using VPN with Synology NAS

Compared to other remote access solutions like DDNS or reverse proxy, a VPN or Virtual Private Network takes an entirely different approach to overcome the challenges of accessing your internal network over the internet.

As the name suggests, you create a private network, virtually, over the internet. The VPN connection you make is between the VPN client on your computer and the VPN server on your internal network, while encryption secures the connection between the endpoints.

For connecting over the internet, a VPN connection is considered more secure compared to the DDNS/port forwarding way because:

  • the listening port is password protected
  • all traffic to and from the private network is encrypted

Another benefit of a VPN connection is that you access your DiskStation as if you are on the internal network.

Despite the benefits of VPN, it may be complex to set up and troubleshoot. A VPN is not for the faint of heart, it seems. Hopefully, this post helps more users overcome the hurdles and achieve their goal of a safe remote connection.

Note that there are other options, where the VPN server in the network runs in a Docker container on your NAS or on the internet router.

There are advantages to these options, but they make the installation more complex. This post covers the VPN Server application that is part of DSM.

For a quick overview of the Synology VPN Server application, please reference the VPN Server datasheet.

Process Overview

Before we start clicking on buttons, I outline the process of using a VPN with Synology NAS.

First, you make some preparations on your network and NAS. Next, you install the VPN server, export the VPN connection details in a configuration file, and edit the configuration.

Moving over from the VPN server to your computer, you download and install the VPN client and apply the configuration file. And last but not least, you test your connection.

If the connection fails, you find some troubleshooting tips at the end.

Prepare Your Network And NAS

There are some preparations to make before you install Synology’s VPN Server package on your NAS.

Secure your Synology NAS

The moment that you decide to connect your NAS to the internet, in whatever way, you should take any possible measure to prevent unwanted access to your device. And in case this happens, you should have your recovery plan ready.

Securing your NAS starts with a solid backup and recovery strategy, a passwords policy, 2-factor authentication, disabling SSH, and enabling notifications, among others. Please refer to my post Secure your Synology NAS [sorry, in preparation].

Fixate internal IP address

Before installing a VPN service, you need to ensure that the NAS will always have the same IP address on your local network, because your internet router will redirect incoming VPN traffic to a specific IP address.
In general, IP addresses on your local network are dynamic, which is fine most of the time. But in this instance, you must fix the address.

Please see my post How To Configure A Fixed IP Address for details on achieving this goal.

Discover external IP address

Your internet router is the link between your internal network and the internet or external network. On both sides, the router has an IP address.
Knowledge of the external or internet-facing address of the VPN server location is essential because that is where the VPN client on your computer has to connect to.

my external IP address

To discover the external IP address of the location where you create the VPN server, open your browser and point it to https://myip.com. Copy your IP address from the top of the page and save it in a note for later reference unless you use DDNS.

If your external IP address is dynamic, meaning it can change over time, as is with most consumer connections, you need DDNS. I discuss enabling DDNS below. If you have a static IP address, skip the section on DDNS and keep the external IP address for reference later.

Forward port on router

Port forwarding is a crucial step in the process. When the VPN client on your computer goes out to connect, it reaches your internet router. The router listens on a specific port and forwards traffic arriving on that port to the NAS. You have to instruct your router to do precisely that.

router, port forwarding, using vpn with synology nas

Unfortunately, there are countless routers, and they are all different. You can do an internet search for a manual for your brand and model. Generic steps are:

  • While on the network where the NAS is, open your browser, type in the IP address of your router (usually the default gateway address), and log in.
  • Look for a port forwarding tab; it is often part of features like IP, network, NAT, or firewall.
  • Enter UDP port 1194 and forward the port to the IP address of your NAS.
  • Save your settings.

You need to forward UDP port 1194 to the same port on your NAS for OpenVPN. Fill in the IP address of your NAS that you made static earlier.

Enable DDNS On NAS

Most of us do not have a fixed external IP address. If we use the current IP address in the VPN configuration of the VPN client, chances are that at some moment in the future you will not be able to connect.

We enable DDNS or Dynamic DNS on the NAS and use it as an in-between to resolve this issue. DDNS registers your current external IP address to a name. If your IP address changes, it automatically records the new address to that name. The DNS name of DDNS remains the same.

synology, control panel, external access, add ddns, dsm7

Log in to DSM with an administrator account. Open Control Panel, External Access under Connectivity. In the pane at the right, select the DDNS tab. Click on the Add button. The DDNS page (DSM 6) or Add DDNS page (DSM 7) opens.

On the Add DDNS page, select a Service Provider. I choose Synology, listed at the top, but you can choose a different provider.

Under Hostname, enter a hostname. As an example, I filled in yourname; please fill in your own hostname.
The synology.me domain is automatically added because you chose Synology as the service provider in the previous field. Note that the full name becomes yourname.synology.me.

Under Email, either the email address of your Synology account appears, or you are requested to sign in.

Notice that under External IP address (IPv4), you can find your external IP address as well.

You do not have to request a certificate from Let’s Encrypt because you do not use DDNS to connect to the NAS directly; we use a VPN for that. Keep the heartbeat enabled; it is a bonus feature.

Click OK to save the configuration and wait a few seconds for the DDNS connection to appear on the DDNS page.

VPN Server On NAS

After the preparations outlined above, you are ready to set up the VPN Server application and service and start using VPN with your Synology NAS.

Install the VPN Server package

Log in to the DSM desktop with an administrator account and open Package Center.

synology, install vpn server, dsm7

In the search bar at the top, search for VPN. On the VPN Server package, click Install. The VPN Server – Install wizard starts.

synology, install vpn server, dsm7

On the first screen, you can select the volume to install the VPN Server on. Note that this screen does not appear if you have a single volume in your NAS. Click Next.

synology, install vpn server, dsm7

Ensure that the Run after installation box is checked and click Done.

You return to Package Center, and you can follow the progress of the installation. When the installation finishes, select the Open button. Note that you can open VPN Server from the main menu in the top-left corner of the screen.

You can now close Package Center.

Configure VPN Server certificate

You installed the VPN Server package. The next step is perhaps a formality, but necessary anyway. DSM assigns a certificate to the VPN Server. We are going to check on that.

Go to Control Panel > Security > Certificate and click on the Configure (DSM 6) or Settings (DSM 7) button.

synology, control panel, security, certificate, settings, dsm7

In the list of Services, look for the VPN Server and the certificate that is assigned to it. If this is the certificate you would like to use for the service, close Control Panel and continue.
If it is not the right certificate, click on the drop-down list next to the VPN Server and select the appropriate certificate.

As far as I am concerned there is no right or wrong certificate. The VPN Server uses the certificate in the .ovpn configuration file for the VPN client. This file contains the certificate for the connection and must match the certificate in Control Panel. Therefore, be aware that when you change the certificate for the VPN Server in Control Panel all VPN clients that use a configuration made with the previous certificate will fail to connect.

Renewal of a current (read: not expired) Let’s Encrypt certificate had no negative effect on connecting with an older configuration. Renewal extends the expiration date but apparently does not change the contents of the certificate.

Configure the VPN Server

When you open the VPN Server application, you first see the Overview page. Notice that there are three protocols, PPTP, OpenVPN, and L2TP/IPSec. They are all disabled at this stage but that will change.

synology, configure vpn server, dsm7

In the column at the left, you can select different items grouped under Manage VPN Service and Set up VPN Server.

synology, vpn server, general settings, dsm7

In the left column, our first stop is General Settings. The Network interface setting is only relevant when you have multiple network interfaces. Select the interface that is connected to the internet router that receives the incoming VPN connections.

You can automatically grant VPN permission to new users that you add in the future. This saves you from separately enabling them on the Privilege page. But perhaps you prefer to give only selected users explicit permission. If so, uncheck this box.

Auto Block should be enabled in Control Panel. This is part of securing your NAS that I mentioned at the beginning of this tutorial.

synology, vpn server, privilege, dsm7

In the left column, select Privilege under Manage VPN Service. On the Privilege page at the right, you see the user accounts and three columns for the respective VPN protocols. You enable on a per-user and per-protocol basis who can use the VPN service. Set a checkmark for the users you want to grant VPN access to.

Uncheck both PPTP and L2TP/IPSec, unless you use either of these protocols in addition to OpenVPN.

In the left column, select below Set up VPN Server the option OpenVPN.

synology, configure vpn server, dsm7

Check the box Enable OpenVPN server at the top of the OpenVPN screen. There are several predefined settings, and you can leave them as they are in most cases.

The Maximum connection number defaults to 5, the lowest value. When you expect more simultaneous users, raise the number. The Maximum connections of an account defaults to 3. You could lower it if you see a reason to. The port and protocol are 1194 and UDP. I suggest that you only change the port if you insist on not using the default port number or if you have more than one OpenVPN server on the network; in that case, you need a different port for at least one of the VPN servers. The values for Encryption and Authentication are very secure by default.

At the bottom of the page, there are five other checkboxes. Leave Enable compression on the VPN link checked, and enable Allow clients to access the server’s LAN. This last setting lets VPN clients reach the network the NAS is on, beyond the NAS itself. If you have other devices, like a second NAS, they will be accessible.

Review the settings and, in particular, the Dynamic IP address 10.8.0.1 at the top. In general, this is good and needs no change. Only if your local network, where the NAS with the VPN Server resides, happens to use a segment in the 10.8.0.0 range do you need to change this. In other words, the VPN server must hand out addresses in a different range than your local network uses. Click the Apply button.
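The range check above is easy to get wrong by eye, so here is an added example (not part of the original post or of Synology's software) that does it with Python's standard ipaddress module. It assumes the default Dynamic IP address 10.8.0.1 corresponds to the 10.8.0.0/24 range (the /24 is an assumption) and goes one step beyond the post: because the network the client sits on (a hotel or office LAN) can collide just as well as the NAS's own LAN, it accepts several segments and proposes the first candidate range that overlaps none of them.

```python
import ipaddress

# Assumption: the VPN Server's default Dynamic IP address 10.8.0.1 from the
# post implies the 10.8.0.0/24 range for VPN clients (the /24 is an assumption).
DEFAULT_VPN_RANGE = "10.8.0.0/24"

# Candidate private ranges to fall back to, chosen for this example only.
FALLBACK_RANGES = ("10.9.0.0/24", "172.16.99.0/24", "192.168.250.0/24")


def vpn_range_conflicts(lan_cidr: str, vpn_cidr: str = DEFAULT_VPN_RANGE) -> bool:
    """Return True when a LAN segment and the VPN client range overlap.

    lan_cidr may be written as a host address with prefix (e.g. 192.168.1.10/24);
    strict=False normalises it to the containing network.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    vpn = ipaddress.ip_network(vpn_cidr, strict=False)
    return lan.overlaps(vpn)


def choose_vpn_range(lan_cidrs, candidates=(DEFAULT_VPN_RANGE,) + FALLBACK_RANGES):
    """Pick the first candidate range that overlaps none of the given LAN segments.

    Include both the NAS-side LAN and the networks your clients typically connect
    from. Returns None when every candidate collides; then pick a range by hand.
    """
    for candidate in candidates:
        if not any(vpn_range_conflicts(lan, candidate) for lan in lan_cidrs):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed LAN layouts for illustration.
    for lans in (["192.168.1.0/24"], ["10.8.0.0/16"], ["10.0.0.0/8", "172.16.99.0/24"]):
        print(lans, "->", choose_vpn_range(lans))
```

If the function returns something other than 10.8.0.0/24, change the Dynamic IP address on the OpenVPN page before clicking Apply and re-export the configuration, because the exported profile is tied to the server settings.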

synology, configure vpn server, firewall, dsm7

Notice the port forwarding and firewall warning for UDP port 1194. Click OK to close the message.

synology, configure vpn server, dsm7

Notice that the Export Configuration button is available at the bottom of the OpenVPN screen of the VPN Server application. Click on the button to download the openvpn.zip file. We will configure its contents in a minute.
You can close the VPN Server application now.

Configure VPN Server backup

If you use Hyper Backup on your NAS, you can include the application settings in a data backup task.

From your DSM desktop, open Hyper Backup, select an existing data task and click Edit. Go to the Applications tab, and check the box for VPN Server.

synology, hyper backup, application tab, dsm7

Click OK to save the task and close Hyper Backup.

VPN Client On Computer Or Mobile

You install a VPN client application on the computer, tablet, or smartphone, making a secure connection to the VPN server. Once the connection is established, you continue working as you would in the location where your NAS and VPN server reside.

You first edit the VPN configuration file you exported from the VPN server. Next, you install the VPN client and import the configuration. As you will see, I create a second profile for redundancy. Last but not least, you test the connection.

If the connection is not successful, you find some troubleshooting tips at the end.

Editing the VPN configuration

In a previous step, you exported the configuration file. The export downloaded openvpn.zip to your computer. This zip archive contains two files, README.txt and VPNConfig.ovpn. Open VPNConfig.ovpn in a plain text editor like TextEdit or BBEdit on macOS or Notepad on Windows. Change the following line:

  • remote YOUR_SERVER_IP 1194

Replace YOUR_SERVER_IP with the external IP address of your router. You can get your external IP address via https://www.myip.com assuming you are at the location and network of the VPN Server.
Instead of the IP address, you can fill in the DDNS name if you configured that earlier. As you know, DDNS is preferred if you have a dynamic external IP address on your router.

  • redirect-gateway def1

During the VPN connection, you create a virtual tunnel to your destination, where your NAS resides. However, you might want to access the internet for other tasks like browsing the web or mail with an active VPN connection. The redirect-gateway def1 line affects how the VPN connection handles that internet traffic.

When you enable the redirect-gateway def1 line by removing the # character, you create a so-called full-tunnel VPN. Internet traffic is directed through the tunnel to the location where the VPN server resides, typically your home or office, and from that trusted location you browse the web.
This is a great configuration when you access the internet from an untrusted hotspot.

However, when you are at a trusted location, your home, for example, making a VPN to your office, you do not have to redirect other internet traffic through the VPN tunnel to the office. In that scenario, you leave the redirect-gateway def1 line commented out with the # character. This creates a so-called split-tunnel VPN. You access the internet for other, non-VPN-related, traffic directly from your current location.

Alternatively, you could make two configuration files, one disabled (trusted location, with #, known as split-tunnel VPN) and one enabled (untrusted location, without #, full-tunnel VPN).

  • client-cert-not-required

The configuration we use does not have a separate certificate file, since the certificate is embedded in the configuration file. As a result, the VPN client shows a warning when we connect. To suppress that warning, add the client-cert-not-required statement at the end of the configuration lines.
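The three edits above, plus the suggestion of keeping a split-tunnel and a full-tunnel profile, are easy to script so you can regenerate both profiles after every re-export. The following is an added example, not part of the original post or of Synology's export; the EXPORTED_PROFILE text is a constructed stand-in that contains only the lines the post discusses plus a placeholder where the real file carries the certificate, and yourname.synology.me is the example DDNS name from the post, not a live server.

```python
import re
from pathlib import Path
from typing import List, Optional

# Constructed stand-in for the exported VPNConfig.ovpn. This is not Synology's
# real export: only the lines discussed in the post are taken from it, and the
# certificate body is a placeholder, not a real certificate.
EXPORTED_PROFILE = """\
dev tun
tls-client
remote YOUR_SERVER_IP 1194
#redirect-gateway def1
proto udp
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""

# [ \t]* rather than \s* so the patterns never swallow the line break.
REMOTE_LINE = re.compile(r"^remote[ \t]+\S+[ \t]+(\d+)[ \t]*$", re.MULTILINE)
REDIRECT_LINE = re.compile(r"^#?[ \t]*redirect-gateway def1[ \t]*$", re.MULTILINE)
CLIENT_CERT_LINE = re.compile(r"^client-cert-not-required[ \t]*$", re.MULTILINE)


def customise_profile(text: str, server: str, full_tunnel: bool,
                      port: Optional[int] = None) -> str:
    """Apply the three edits from the post to an exported profile.

    server      external IP address or DDNS name of the router in front of the NAS
    full_tunnel True enables redirect-gateway def1 (all traffic via the NAS site),
                False leaves it commented out (split tunnel)
    port        override only when the VPN Server listens on a non-default port
    Running it on an already customised profile is harmless (idempotent).
    """
    # 1. Point the client at the router; keep the exported port unless overridden.
    text, count = REMOTE_LINE.subn(lambda m: f"remote {server} {port or m.group(1)}", text)
    if count != 1:
        raise ValueError(f"expected exactly one 'remote' line, found {count}")

    # 2. Enable (full tunnel) or comment out (split tunnel) the redirect line.
    redirect = "redirect-gateway def1" if full_tunnel else "#redirect-gateway def1"
    text, count = REDIRECT_LINE.subn(redirect, text)
    if count == 0 and full_tunnel:
        text = text.rstrip("\n") + "\n" + redirect + "\n"

    # 3. Suppress the missing-client-certificate warning, once, at the end.
    if not CLIENT_CERT_LINE.search(text):
        text = text.rstrip("\n") + "\nclient-cert-not-required\n"
    return text


def write_profiles(exported: str, server: str, out_dir: Path) -> List[Path]:
    """Write the two profiles the post suggests: split tunnel and full tunnel."""
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for name, full in (("split-tunnel", False), ("full-tunnel", True)):
        path = out_dir / f"VPNConfig-{name}.ovpn"
        path.write_text(customise_profile(exported, server, full))
        written.append(path)
    return written


if __name__ == "__main__":
    # yourname.synology.me is the example hostname from the post, not a live server.
    for p in write_profiles(EXPORTED_PROFILE, "yourname.synology.me", Path("ovpn-out")):
        print("wrote", p)
```

In real use, read the exported VPNConfig.ovpn into the `exported` argument instead of the constructed text. Both generated files still embed the certificate, so they deserve the same care the post asks for below: import them into the client and then delete them.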

Installing and configuring the VPN Client

Download the OpenVPN client from https://openvpn.net/vpn-client/. On macOS, it installs the OpenVPN Connect application in the Applications/OpenVPN Connect folder, including a shortcut. On Windows, it installs in the C:\Program Files\OpenVPN Connect folder and places a shortcut on the desktop.

Start the application.

When you start the application for the first time, you get four screens with helpful information. On the last screen, click Get Started.

OpenVPN connect, import profile, macOS

When you get the Import Profile screen, select the File tab, drag or import the .ovpn file you edited earlier, or use the Browse button. If you like to import another profile, click on the three bars in the top-left corner, and choose Import Profile.

Note that the application remembers the user name in the profile. The next time, you only have to enter the password. To change the user name, edit the profile.

To connect, click on Connect. Enter the username and password of your user account on the NAS, and click OK.

OpenVPN connect, connected, macOS

When the message Connected in green appears, you are connected to the NAS by means of a VPN. Notice the connection statistics. You can disconnect by clicking the green button in the top-left corner and confirming the disconnect.

I have a remark for the safety-conscious among us. After importing the configuration file into the VPN profile, consider deleting the .ovpn file. You do not need it any longer, you can export it again if needed, and it contains security information (the password for the connection). Don’t leave it lying around longer than necessary.

Using the VPN connection

Normally, when you connect to the NAS from the same network, without a VPN, you can use its name or IP address. But via a VPN connection, you can use the IP address only. There is a solution to circumvent this limitation by setting up a DNS server on the NAS or elsewhere in the network, but that is out of the scope of this tutorial.

Aliases and port numbers in the browser for applications on the NAS work via the VPN connection as they work from the local network.

Monitor Your Connections

The VPN server on your NAS and the VPN client each keep a log for monitoring and troubleshooting. Often you can test and connect with server and client on the same local network because many internet routers allow loopback. But for a foolproof test, either go to a different location and network or use your smartphone’s hotspot.

With your smartphone as a hotspot, you can connect any computer over WiFi via the smartphone to the internet.

Monitor the VPN server

As an administrator, log in to DSM and open the VPN Server application from the main menu.

synology, vpn server, connection list, dsm7

Go to Connection List to see the current connections. Notice the refresh icon in the bottom-right corner. On this page, you see which users are connected, how long, and which protocol they use. If necessary, you can disconnect with the Disconnect button at the top. Disconnecting can be helpful if a connection gets stuck, preventing the user from connecting again.

synology, vpn server, log, dsm7

Go to Log to see the VPN server log. The log shows similar information to the connection list but includes a history. You can clear and export the log. You can filter the log per protocol from the drop-down list in the top-right corner to make browsing through the events easier.

Monitor the VPN Connect client

It can happen that you cannot connect to the VPN server of the NAS. The OpenVPN Connect app on your computer can generate different error messages. I show them below with an explanation.

OpenVPN connect, connection timeout, macOS

A Connection Timeout means that the VPN client could not reach the VPN server. A timeout happens if the VPN server is not running, the router does not forward traffic properly, or nothing is listening on the assigned port at the IP address or DNS name the client attempts to connect to.

Check the VPN server, router configuration, the external IP address, or (D)DNS name.

OpenVPN connect, authentication failed, macOS

An Authentication Failed message means the connection with the VPN server succeeded, but the user authentication failed. Possible causes are that the user has no privilege for the protocol, has too many connections, or that the VPN server has reached its maximum number of connections in total. A wrong password is also a possibility.

OpenVPN connect, connection failed, macOS

The Connection Failed message means that there initially was a connection, but it was dropped immediately. The explanation is in the error message: it is about a certificate. Both the VPN Server on the NAS and the VPN client on the computer have a certificate, and they are peers.

This error occurs when the certificates do not match. A possible cause is that the certificate for the VPN Server on the NAS was changed after the connection details for the VPN connection were exported.
To solve the issue, export the connection details again and reconfigure the VPN connection on the VPN client.

OpenVPN connect, profiles overview, macOS

The OpenVPN Connect client has a built-in log. Click on the icon in the top-right corner to open the log.

The log is quite extensive and can be overwhelming. It can be helpful for an experienced administrator to solve any issues you may have.

Troubleshoot your connection

To wrap up monitoring and troubleshooting, here are some tips to solve issues with your connection.

  • Is the computer with the VPN client connected to the internet? Note that a local network connection does not guarantee access to the internet. Browse a popular website, or go to https://myip.com to read your external address, as this gives a good indication of a healthy connection to the internet.
  • Is the IP address the VPN client connects to still valid? The external IP address of your destination site may have changed. When this happens, the connection fails. On the side of the VPN Server and NAS, go to https://myip.com and compare the address with the one configured in the VPN client.
  • If you connect to a DDNS name, is the DDNS service still active? Check the DDNS setup on the NAS, assuming you use that service from the NAS.
  • Are you the only one who has connection problems, assuming you have coworkers? Maybe you have a VPN client installed on a smartphone or tablet. Try to connect from one of these devices to see if that works.
  • Is the port forwarding in the internet router on the destination site still active? Does it point towards the right IP address of the VPN Server, in our case also the NAS?
  • Is the NAS still up and running? Is the VPN server on the NAS still up and running? The NAS might be hibernating. Wait a minute and try again.
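The second and third checks in this list (does the profile still point at the right address, and does the DDNS name still resolve) can be automated. Here is an added example, not part of the original post or of the OpenVPN client; it reads the remote line from the profile, resolves the name, and compares the result with the external address you read from https://myip.com at the NAS location. The profiles, the DNS answers (FAKE_DNS) and the addresses are constructed so the example runs offline; pass resolve=socket.gethostbyname for a real lookup.

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, Optional

# Constructed profile fragments: only the remote line matters for this check.
PROFILE_DDNS = "dev tun\nremote yourname.synology.me 1194\n"
PROFILE_LITERAL = "dev tun\nremote 203.0.113.10 1194\n"

# Constructed DNS answers so the example runs offline.
FAKE_DNS = {"yourname.synology.me": "203.0.113.10"}


def remote_target(profile: str):
    """Return (host, port) from the profile's remote line."""
    m = re.search(r"^remote[ \t]+(\S+)[ \t]+(\d+)", profile, re.MULTILINE)
    if not m:
        raise ValueError("profile has no 'remote' line")
    return m.group(1), int(m.group(2))


def check_destination(profile: str, site_external_ip: str,
                      resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, object]:
    """Work through the post's checklist for the destination side.

    site_external_ip is what https://myip.com shows when opened at the NAS location.
    Returns the target, what it resolves to, whether the two agree, and findings.
    """
    host, port = remote_target(profile)
    findings = []
    try:
        ipaddress.ip_address(host)          # literal address in the profile
        resolved: Optional[str] = host
        findings.append("profile uses a fixed address; a changed external address "
                        "requires re-editing the profile or switching to DDNS")
    except ValueError:                      # a hostname, typically the DDNS name
        try:
            resolved = resolve(host)
        except OSError as exc:              # socket.gaierror is an OSError
            findings.append(f"{host} does not resolve ({exc}); check the DDNS setup on the NAS")
            return {"host": host, "port": port, "resolved": None, "ok": False, "findings": findings}
    ok = resolved == site_external_ip
    if not ok:
        findings.append(f"client targets {resolved} but the NAS site reports {site_external_ip}; "
                        "the DDNS record or the profile is out of date")
    if port != 1194:
        findings.append(f"non-default port {port}: confirm the router forwards UDP {port} to the NAS")
    return {"host": host, "port": port, "resolved": resolved, "ok": ok, "findings": findings}


def fake_resolver(table: Dict[str, str]) -> Callable[[str], str]:
    """Offline stand-in for socket.gethostbyname backed by a constructed table."""
    def resolve(name: str) -> str:
        try:
            return table[name]
        except KeyError:
            raise socket.gaierror(f"constructed NXDOMAIN for {name}")
    return resolve


if __name__ == "__main__":
    for profile in (PROFILE_DDNS, PROFILE_LITERAL):
        print(check_destination(profile, "203.0.113.10", resolve=fake_resolver(FAKE_DNS)))
```

A result with ok set to True only rules out the address side of the list; the port forwarding, the NAS being awake and the VPN Server running still have to be checked on the NAS side, as the remaining points describe.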

Thanks for reading

This post is donation-ware, and I made it to help you. If it did, please consider leaving a comment or even buying me a coffee. I will be eternally grateful.

Paul Steunebrink / Storage Alchemist
