In this tutorial, we will look at how to set up OpenVPN on a Synology NAS. After my recent Ultimate Synology NAS Setup & Configuration Guide tutorial, I received a ton of great feedback from users who were interested in safely and securely accessing their NAS from outside of their network.
I used the VPN Server package to run OpenVPN for almost a year and had no issues at all. I was able to safely access my NAS anywhere in the world and more importantly, I could control access. This OpenVPN setup tutorial is not for a privacy VPN like NordVPN, but instead for a personal VPN to access your services from outside of your local network.
How to Set Up OpenVPN on a Synology NAS
The six steps below will walk you through the process of configuring OpenVPN, allowing access through Synology’s firewall, and ensuring that all port forwarding rules are successfully created.
Step 1: Install the OpenVPN Package
The first step is installing the VPN server package which is where we’ll modify the OpenVPN configuration.
- Open the Package Center and Install the VPN Server application.
- Open the application and navigate to the OpenVPN section.
- Enable OpenVPN Server. Change the Dynamic IP address range and maximum connection properties if you’d like.
Since we are trying to access our Synology NAS outside of our network, we need to enable Allow clients to access server’s LAN, as well as Verify TLS auth key. The rest can stay as default. Click Apply.
- Navigate to the privilege section and ensure that the user account that you’d like to connect to the VPN with has permission for OpenVPN.
NOTE: I normally configure an individual user that has permission to the VPN server ONLY. This ensures that I connect to the VPN server with this user, and then access the NAS and everything else using my regular NAS username. You do not have to do this, but this is how I normally manage it.
Step 2: Configure Synology’s Firewall for the OpenVPN Port
Now that the OpenVPN package is configured, we need to ensure that our firewall allows access to UDP port 1194. If you aren’t sure how to configure Synology’s Firewall, you can follow this tutorial.
- If you are using Synology’s firewall, open the Control Panel, Security, then navigate to the Firewall and Edit Rules.
- Create an Allow rule for the VPN Server (OpenVPN) application, UDP port 1194.
- When completed, the rule should be above the deny all rule.
Step 3: Port Forward the OpenVPN Port on your Router
We just configured our Synology firewall to allow connections on UDP port 1194 so that we can connect to OpenVPN.
We now need to port forward UDP port 1194 on our router to our Synology NAS. Synology has UPnP functionality, which gives your NAS the ability to open ports on your router automatically. If you have a UPnP compatible router, it’s very easy to set this up.
However, there is a lot of debate on the security of UPnP, so I will not be going over it in this tutorial. If you’d like to do it this way, you can read Synology’s help article here.
Now, port forwarding will be completely different on every brand’s router settings page. This is a great guide that shows how to port forward on a few different brands of routers, but the best thing to do is try and google the name of your router and port forwarding. Example: Netgear port forwarding
This process requires you to have a static IP address set up. If you don’t currently have a static IP address set up, read how to set up a static IP address here.
- Create a port forwarding rule for UDP port 1194 to your Synology NAS’s IP address. In the example below, 192.168.1.220 is the IP address of my Synology NAS.
Assuming that you were able to open UDP port 1194 and configure the Synology firewall rule successfully, the port configuration is now complete!
Step 4: Modify the OpenVPN Configuration File
Now that we have configured OpenVPN, we need to modify our configuration file. Before we get into the steps, you need to ensure that you have DDNS configured.
Most people have dynamic external IP addresses, so creating a DDNS hostname is required to ensure that you are always connecting to your current external IP address.
If you’d like to configure DDNS using a free synology.me hostname, you can follow Synology’s instructions here or this tutorial for DDNS (just don’t complete the port forwarding section in the DDNS tutorial).
If you are absolutely positive that you have a static external IP address that never changes, you do not have to set up DDNS. Simply use your external IP address as YOUR_SERVER_IP.
It’s also important to note that the DDNS provider is irrelevant; you just need to ensure that you have a DDNS hostname configured!
- Open the VPN Server application and select OpenVPN. Select Export configuration.
- Extract the contents of the folder. We will only be editing the Synology NAS OpenVPN .ovpn file, so open that file with a text editor.
- The export contains a default Synology NAS OpenVPN configuration file with a unique certificate at the bottom. This file shouldn’t be shared with anyone other than the users you would like to authenticate with your VPN. We need to change the items below that are highlighted in red.
- YOUR_SERVER_IP: This should be the DDNS hostname that you configured.
- redirect-gateway def1: This is what determines if you are configuring a split-tunnel or full-tunnel VPN.
- I create two separate configuration files (one for split-tunnel and one for full-tunnel) and depending on the situation, use one or the other. To enable full-tunnel, remove the “#” sign (this is the symbol for a comment). Just removing the comment symbol will enable the full-tunnel VPN.
- NOTE: If you are using an iPhone and have iOS 7 or above, you will need to add redirect-gateway ipv6 under redirect-gateway def1.
- dhcp-option: If you have a local DNS server that you’d like to use, you can add the IP address of your DNS server there. If you don’t have a local DNS server, leave this line commented out.
- NOTE: If you don’t have a local DNS server configured, OpenVPN will default to using Google’s public DNS servers (configured on the individual OpenVPN app).
- This means that you won’t be able to access any of your local network resources by hostname, only IP address. If you’d like to configure a local DNS server, you can check out my tutorial on Pi-hole here.
- NOTE: This is a very basic example of how DNS can be used.
- client-cert-not-required: This option is not added by default but should be added if you will be using the new OpenVPN clients (most people will be). If you don’t add this option, you will receive an error message when you connect. While you can proceed through the error message, this will stop the error from occurring.
This is a sample configuration file, but yours will look different.
```
dev tun
tls-client

remote YOUR_SERVER_IP 1194

# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect it's
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

#redirect-gateway def1
#redirect-gateway ipv6 #REQUIRED for iOS 7 and above.

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

#dhcp-option DNS DNS_IP_ADDRESS

pull

# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp

script-security 2

comp-lzo

reneg-sec 0

cipher AES-256-CBC

auth SHA512

auth-user-pass
client-cert-not-required

-----BEGIN CERTIFICATE-----
[YOUR CERTIFICATE WILL BE HERE. LEAVE THIS ALL AS DEFAULT]
-----END CERTIFICATE-----
```
- Save the configuration file and add it to any devices that you’d like to test the VPN connection with. I normally test the connection with my cellphone, as you cannot be on the same network as your VPN server. You MUST be testing this from an external network (cell phone/hotspot is a great option).
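The Step 4 edits can also be scripted so that the split-tunnel and full-tunnel profiles are generated from one export and never drift apart. This is an added example, not part of the original tutorial or Synology's tooling; the function name, the shortened sample export, `nas.example.synology.me` and `192.168.1.2` are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed, shortened stand-in for an exported profile (not a real export).
SAMPLE_EXPORT = """\
dev tun
remote YOUR_SERVER_IP 1194
#redirect-gateway def1
#redirect-gateway ipv6 #REQUIRED for iOS 7 and above.
# dhcp-option DNS: To set primary domain name server address.
#dhcp-option DNS DNS_IP_ADDRESS
proto udp
auth-user-pass
-----BEGIN CERTIFICATE-----
[CERTIFICATE PLACEHOLDER]
-----END CERTIFICATE-----
"""

def build_profile(exported, server, full_tunnel, ios=False, dns_ip=None):
    """Return an edited copy of the exported profile text (hypothetical helper)."""
    # Reject whitespace/newlines so the value cannot smuggle in extra directives.
    if not re.fullmatch(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?", server):
        raise ValueError("server must be a plain hostname or IP address")
    if dns_ip is not None:
        dns_ip = str(ipaddress.ip_address(dns_ip))  # raises ValueError if invalid
    lines = exported.splitlines()
    has_ccnr = any(l.strip() == "client-cert-not-required" for l in lines)
    out, saw_remote = [], False
    for line in lines:
        s = line.strip()
        if s.startswith("remote ") and "YOUR_SERVER_IP" in s:
            line, saw_remote = line.replace("YOUR_SERVER_IP", server), True
        elif s.startswith("#redirect-gateway def1") and full_tunnel:
            line = "redirect-gateway def1"          # full tunnel: uncomment
        elif s.startswith("#redirect-gateway ipv6") and full_tunnel and ios:
            line = "redirect-gateway ipv6"          # only for iOS clients
        elif s.startswith("#dhcp-option DNS ") and dns_ip:
            line = f"dhcp-option DNS {dns_ip}"      # local DNS server, if any
        out.append(line)
        if s == "auth-user-pass" and not has_ccnr:
            out.append("client-cert-not-required")  # added once, outside the cert
    if not saw_remote:
        raise ValueError("placeholder 'remote YOUR_SERVER_IP' line not found")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # nas.example.synology.me and 192.168.1.2 are made-up values.
    for name, full in (("split", False), ("full", True)):
        text = build_profile(SAMPLE_EXPORT, "nas.example.synology.me", full, dns_ip="192.168.1.2")
        print(f"--- {name}-tunnel ---\n{text}")
```

The certificate block is passed through untouched, and a server value containing spaces or newlines is rejected rather than written into the profile.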
Step 5: Connect to the OpenVPN Server on an External Network
Now that we have configured everything, we need to test our connection. Download the OpenVPN client on your cell phone or on a PC that you can connect to a different network. Remember, you must be connected to a different network to test this.
- Download the OpenVPN client software for your device here.
- Select the add button at the bottom and then choose File. You should now be prompted to browse for the .ovpn file that we created earlier. Upload the file and then log in with your DSM username and password.
- You should be able to connect to your VPN now.
- I am going to show two examples below. First, I am connected to my VPN Server using my split tunnel connection. You can see that my external IP address is my mobile network (as I am accessing an external webpage).
- In this screenshot, I am connected to my VPN Server using my full-tunnel connection. My external IP address is my ISP’s, as all traffic is being routed through my home network.
Both split-tunnel and full-tunnel VPN connections allow you to access your local resources when using OpenVPN, but full-tunnel VPN connections should be used if you’re trying to secure your network traffic (like when you’re on public Wi-Fi).
Step 6: Configure a Static Route for VPN Device Access
This step is not required unless you need to access VPN devices from your home network.
Your home network and VPN network will be on different subnets, which means that your local devices will only be able to talk to the machines on their own subnet (the VPN network will see both).
In order to have your local network talk to your VPN network (in my case, 192.168.1.X and 10.5.0.X), a static route will need to be configured in your router. I cannot go over the setup steps for this as each router is different, but below is a screenshot of the static route that I configured.
The Gateway IP Address will be the IP address of your Synology NAS (since that’s where your VPN is running). The 10.5.0.0/24 subnet is where you will need to enter the IP range you are using (as defined in the OpenVPN settings).
Conclusion & Final Thoughts
This tutorial looked at how to set up OpenVPN on a Synology NAS. Configuring Synology’s OpenVPN Server allows you to securely connect to your home network to access your NAS and local resources.
It also completely bypasses the need for QuickConnect or exposing your NAS to the internet (which is a security risk). As an added benefit, the full-tunnel VPN connection will also secure your connection when on public Wi-Fi!