Synology NAS OpenVPN Setup & Configuration!

In this tutorial, we will look at the Synology NAS OpenVPN setup and configuration instructions.

After my recent Ultimate Synology NAS Setup & Configuration Guide tutorial, I received a ton of great feedback from users who were interested in safely and securely accessing their NAS from outside of their network. I’ve been using the Synology VPN Server application with OpenVPN for the past year and have had no issues at all. I can safely access my NAS anywhere in the world and more importantly, I control access.

I will quickly explain what a VPN server does and the different types of VPN server configurations, but if you already know, you can skip down to the OpenVPN Server instructions for the Synology NAS.

1. What is a VPN Server

A VPN (Virtual Private Network) extends your private network across a public network. In layman’s terms, it allows you to securely connect back to your local network from an outside network. There are two types of VPN connections:

1.1 VPN Connection Types

Split-Tunnel VPN: Only traffic destined for an internal resource is sent through your home network. When you browse to a site outside of your network, your IP address will be that of the network you are currently on.

Full-Tunnel VPN: All traffic is sent through your home network. Your IP address for both internal and external requests will be your home network’s.

I created a very basic image below that explains this, but we will look at how to configure both in later steps. It’s important to note that both connection types allow you to access your local network; the image only shows how traffic to external networks is routed differently.

NOTE: This is not the exact network flow. I am simplifying the process as much as I can.

[Diagram: split-tunnel vs. full-tunnel traffic flow]

2. Synology NAS OpenVPN Setup – Instructions

1. Open the Package Center and Install the VPN Server application.


2. Open the application and navigate to the OpenVPN section.

3. Enable OpenVPN Server. Change the Dynamic IP address range and maximum connection properties if you’d like. Since we are trying to access our Synology NAS outside of our network, we need to enable Allow clients to access server’s LAN. The rest can stay as default. Click Apply.


4. Navigate to the Privilege section and ensure that the user account you’d like to connect to the VPN with has OpenVPN permission.


3. Synology NAS OpenVPN Firewall Configuration

Our VPN Server is now configured, but we need to ensure that our firewall allows access to UDP port 1194. If you aren’t sure how to configure Synology’s Firewall, you can learn how in our Ultimate Synology NAS Setup & Configuration Guide.

5. If you are using Synology’s firewall, open Control Panel > Security > Firewall and click Edit Rules.


6. Create an Allow rule for the VPN Server (OpenVPN) application, UDP port 1194.


7. When completed, the rule should be above the deny all rule.


4. Port Forwarding

We just configured our Synology firewall to allow connections on UDP port 1194. We now need to forward UDP port 1194 on our router to our Synology NAS. Synology supports UPnP, which lets your NAS open ports on your router automatically. If you have a UPnP-compatible router, this is very easy to set up. However, there is a lot of debate about the security of UPnP, so I will not be going over it in this tutorial. If you’d like to do it this way, you can read Synology’s help article here.

Port forwarding is configured differently on every router brand’s settings page. This is a great guide that shows how to port forward on a few different brands of routers, but the best approach is to search for the name of your router together with “port forwarding”. Example: Netgear port forwarding

This process requires your Synology NAS to have a static IP address on your local network. If it doesn’t have one yet, read how to set up a static IP address here.

8. Create a port forwarding rule for UDP port 1194 to your Synology NAS’s IP address. In the example below, 192.168.1.220 is the IP address of my Synology NAS.

[Screenshot: router port forwarding rule for UDP 1194 to 192.168.1.220]

Assuming that you were able to open UDP port 1194 and configure the Synology firewall rule successfully, the port configuration is now complete!

5. Synology NAS OpenVPN Configuration File Changes

Now that our server is configured, we need to modify the client configuration file. Before we get into the steps, ensure that you have DDNS configured. Most people have a dynamic external IP address, so a DDNS hostname is required so that you are always connecting to your current external IP address. If you’d like to configure DDNS using a free synology.me hostname, you can follow Synology’s instructions here. If you’d like to use DuckDNS, I wrote a tutorial on how to do it here. If you are absolutely positive that you have a static external IP address that never changes, you do not have to set up DDNS. Simply use your external IP address as YOUR_SERVER_IP.

It’s also important to note that the DDNS provider is irrelevant; you just need to have a DDNS hostname configured!

9. Open the VPN Server application and select OpenVPN. Select Export configuration.


10. Extract the contents of the exported archive. We will only be editing the OpenVPN.ovpn file, so open that file in a text editor.

11. The export contains a default OpenVPN client configuration file with a unique certificate at the bottom. This file shouldn’t be shared with anyone other than the users you would like to authenticate with your VPN. We need to change the items listed below.

  • YOUR_SERVER_IP: This should be the DDNS hostname that you configured.
  • redirect-gateway def1: This determines whether you are configuring a split-tunnel or a full-tunnel VPN. If you aren’t sure which you’d like, reference the image above to see the differences. I create two separate configuration files (one for split-tunnel and one for full-tunnel) and use one or the other depending on the situation. To enable full-tunnel, remove the “#” sign (the comment symbol) at the start of the line; simply uncommenting the line enables the full-tunnel VPN. NOTE: If you are using an iPhone with iOS 7 or above, you will also need to add redirect-gateway ipv6 under redirect-gateway def1.
  • dhcp-option: If you have a local DNS server that you’d like to use, add its IP address here. If you don’t have a local DNS server, leave this line commented out. NOTE: Without a local DNS server configured, OpenVPN will default to using Google’s public DNS servers. This means that you won’t be able to access your local network resources by hostname, only by IP address. If you’d like to set up a local DNS server, you can check out my tutorial on Pi-hole here. NOTE: This is a very basic example of how DNS can be used.
  • client-cert-not-required: This option is not added by default but should be added if you will be using the newer OpenVPN clients (most people will be). Without it, you will receive an error message when you connect. You can proceed through the error, but adding this option stops it from occurring.
dev tun
tls-client
remote YOUR_SERVER_IP 1194
# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)
#float
# If redirect-gateway is enabled, the client will redirect its
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)
#redirect-gateway def1
#redirect-gateway ipv6 #REQUIRED for iOS 7 and above.

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.
#dhcp-option DNS DNS_IP_ADDRESS
pull
# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp
script-security 2
comp-lzo
reneg-sec 0
cipher AES-256-CBC
auth SHA512
auth-user-pass
client-cert-not-required
-----BEGIN CERTIFICATE-----
[YOUR CERTIFICATE WILL BE HERE. LEAVE THIS ALL AS DEFAULT]
-----END CERTIFICATE-----
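The edits in step 11 are easy to get half-right by hand (the placeholder left in place, redirect-gateway ipv6 uncommented without def1, a profile handed out with no certificate block). The script below is an added example, not code from the tutorial or from Synology: it applies the same edits to the exported OpenVPN.ovpn programmatically, produces the split-tunnel and full-tunnel variants the author keeps, and runs a few sanity checks before you copy a profile to a device. It assumes the export uses the YOUR_SERVER_IP placeholder and the commented-out directives shown in the listing above; SAMPLE_EXPORT is a constructed, trimmed copy of that listing with a placeholder certificate body, and mynas.synology.me and 192.168.1.2 are assumed values.

```python
"""Build split- and full-tunnel client profiles from a Synology OpenVPN export.

Added example (not the tutorial's or Synology's code). Assumes the exported
OpenVPN.ovpn uses the YOUR_SERVER_IP placeholder and the commented-out
directives shown in the tutorial's listing.
"""

PLACEHOLDER = "YOUR_SERVER_IP"
CERT_BEGIN = "-----BEGIN CERTIFICATE-----"
CERT_END = "-----END CERTIFICATE-----"

# Constructed sample of the exported file, trimmed to the lines that matter.
SAMPLE_EXPORT = """\
dev tun
tls-client
remote YOUR_SERVER_IP 1194
#float
#redirect-gateway def1
#redirect-gateway ipv6
#dhcp-option DNS DNS_IP_ADDRESS
pull
proto udp
script-security 2
comp-lzo
reneg-sec 0
cipher AES-256-CBC
auth SHA512
auth-user-pass
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CERTIFICATE-BODY
-----END CERTIFICATE-----
"""


def build_profile(template, hostname, full_tunnel, dns_server=None, ios=False):
    """Apply the tutorial's edits: set the remote host, choose the tunnel mode,
    optionally push a local DNS server, and add client-cert-not-required."""
    lines = template.splitlines()
    already_has_ccnr = any(l.strip() == "client-cert-not-required" for l in lines)
    out = []
    for line in lines:
        s = line.strip()
        if s.startswith("remote ") and PLACEHOLDER in s:
            out.append(s.replace(PLACEHOLDER, hostname))
        elif s == "#redirect-gateway def1":
            out.append("redirect-gateway def1" if full_tunnel else s)
        elif s.startswith("#redirect-gateway ipv6"):
            # iOS 7+ also needs the IPv6 default route redirected (tutorial note)
            out.append("redirect-gateway ipv6" if full_tunnel and ios else s)
        elif s.startswith("#dhcp-option DNS") and dns_server:
            out.append(f"dhcp-option DNS {dns_server}")
        elif s == CERT_BEGIN and not already_has_ccnr:
            out.append("client-cert-not-required")  # stops the newer clients' certificate prompt
            out.append(s)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def active_directives(profile):
    """Map each uncommented directive (before the inline certificate) to its
    argument strings, in file order."""
    active = {}
    for line in profile.splitlines():
        s = line.strip()
        if s.startswith("-----BEGIN"):
            break  # inline certificate follows; no more directives
        if not s or s[0] in "#;":
            continue
        key, _, args = s.partition(" ")
        active.setdefault(key, []).append(args.strip())
    return active


def check_profile(profile):
    """Return the problems found before handing the profile to a device;
    an empty list means it passed."""
    problems = []
    active = active_directives(profile)
    remotes = active.get("remote", [])
    if not remotes:
        problems.append("no remote directive")
    if any(PLACEHOLDER in r for r in remotes):
        problems.append(f"{PLACEHOLDER} was not replaced with your DDNS hostname")
    if any("DNS_IP_ADDRESS" in d for d in active.get("dhcp-option", [])):
        problems.append("dhcp-option still contains the DNS_IP_ADDRESS placeholder")
    gateway = active.get("redirect-gateway", [])
    if "ipv6" in gateway and "def1" not in gateway:
        problems.append("redirect-gateway ipv6 set without redirect-gateway def1")
    if CERT_BEGIN not in profile or CERT_END not in profile:
        problems.append("CA certificate block is missing or truncated")
    if "auth-user-pass" not in active:
        problems.append("auth-user-pass missing; the client will not prompt for DSM credentials")
    return problems


if __name__ == "__main__":
    host = "mynas.synology.me"  # assumed DDNS hostname
    for name, full in (("split", False), ("full", True)):
        profile = build_profile(SAMPLE_EXPORT, host, full, dns_server="192.168.1.2", ios=True)
        print(f"--- {name}-tunnel profile, problems: {check_profile(profile) or 'none'}")
        print(profile)
```

Run it against your real OpenVPN.ovpn by reading the file into the template argument; everything below the BEGIN CERTIFICATE line is passed through untouched, so the unique certificate the tutorial says not to share stays exactly as exported.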

12. Save the configuration file and copy it to any device you’d like to test the VPN connection with. I normally test with my cell phone, since you cannot be on the same network as your VPN server. You MUST test from an external network (a cell phone or hotspot is a great option).

6. Synology NAS OpenVPN Client Configuration and Testing

Now that everything is configured, we need to test our connection. Download the OpenVPN client on your cell phone or on a PC that you can connect to a different network. Remember, you must be connected to a different network to test this.

13. Download the OpenVPN client software for your device here.

14. Select the add button at the bottom and then choose File. You should now be prompted to browse for the .ovpn file we created earlier. Upload the file and then log in with your DSM username and password.


15. You should be able to connect to your VPN now.


16. I am going to show two examples below. First, I am connected to my VPN server using my split-tunnel connection. You can see that my external IP address belongs to my mobile network (as I am accessing an external webpage).

[Screenshot: split-tunnel connection, external IP from the mobile network]

17. In this screenshot, I am connected to my VPN server using my full-tunnel connection. My external IP address is my ISP’s, as all traffic is being routed through my home network.

[Screenshot: full-tunnel connection, external IP from the home ISP]

Both split-tunnel and full-tunnel VPN connections allow you to access your local resources, but a full-tunnel connection should be used if you’re trying to secure your network traffic (for example, when you’re on public Wi-Fi).

7. Static Route Configuration - Synology NAS OpenVPN Setup

This step is not required unless you need to access VPN devices from your home network.

Your home network and VPN network are on different subnets, which means that your local devices can only talk to machines on their own subnet (devices on the VPN network can reach both). In order for your local network to talk to your VPN network (in my case, 192.168.1.X and 10.5.0.X), a static route will need to be configured in your router. I cannot go over the setup steps for this as each router is different, but below is a screenshot of the static route that I configured. The Gateway IP address will be the IP address of your Synology NAS (since that’s where your VPN server is running). For the 10.5.0.0/24 subnet, enter the IP range you are using (as defined in the OpenVPN settings).

[Screenshot: router static route for 10.5.0.0/24 via the NAS IP address]

8. Synology NAS OpenVPN Setup - Conclusion

This was a long tutorial with a lot of steps. Configuring Synology’s VPN Server allows you to securely connect to your home network to access your NAS and local resources. It also completely bypasses the need for QuickConnect or for exposing your NAS directly to the internet (which is a security risk). As an added benefit, the full-tunnel VPN connection will also secure your connection when you’re on public Wi-Fi!

There’s one thing I want to mention regarding the security of this VPN. Synology does a pretty poor job of letting the user configure this as securely as possible. With the way this is configured, you are technically exposed to a man-in-the-middle attack. A lot has to happen for you to be exposed to that type of attack, but I want to mention that it is a valid concern. If complete security is your top concern, I would look into implementing OpenVPN on a Raspberry Pi or on your router (if applicable). The device running OpenVPN doesn’t really matter; it just needs to let you easily configure the server and client certificates.

If you have any questions, please leave them in the comments! If you liked the content, please share it!

This Post Has 181 Comments

  1. I am not a techie. I do appreciate your tutorials because you guide a person well on how to set up the NAS. Question – what if I have a Static IP address? Do I still click apply Enable OpenVPN with the Dynamic IP address? If I am good with just using the dynamic IP am I ok with leaving the Port as 1194? I get a prompt asking me if I’m sure 1194 is available.

    1. If we take a step back, when you say static IP address, do you mean static external IP address?

  2. Thanks for writing this guide. I ran into a couple issues I was able to resolve including:
    – Import intermediate certificate: I had renewed my SSL, but my DS was giving me an error saying I was missing the intermediate certificate. I had to re-import my certificate but making sure to include the intermediate certificate from Sectigo (ca-bundle file).
    – Missing client certificate: Using OpenVPN Access 3 client on my Mac, I was getting an error saying that I needed a client certificate. There are 3 workarounds here:
    1) Ignore this “Connection error – Missing external certificate” message and just click “Continue” instead of “Select certificate” every time you connect.
    2) Edit your .opvn file to add “setenv CLIENT_CERT 0” and then it will stop asking you for a client certificate each time
    3) Add a client certificate – I used instructions from the following Medium post and added the p12 certificate generated through easyrsa to Keychain access and it works beautifully! https://medium.com/aws-tips-and-tricks/aws-client-vpn-connect-using-openvpn-3c411100220a

    1. Thanks so much for sharing this great info!

  3. Hi, I would like to do a static routing, because I want to see vpn devices from local devices and vice versa. But the problem is I don’t have static routing option in my router. Can I do it in my NAS? It will be/should be the same? (the NAS running the VPN server)

    1. I haven’t had experience with Synology’s Static Route feature and if I’m being honest, I don’t think that it will work. With that said, you can definitely try it – you can set up the static route in DSM (you might have to reboot) and see if it works.

  4. I’m using a Cloudflare origin certificate for SSL/TLS certification, and it simply won’t let VPN Server run at all unless you change the VPN server’s certificate to a non-origin server certificate. Does anyone know why it simply does not work but keeps asking for an intermediate certificate when we don’t have one at all?

    1. I haven’t tried this, but I can imagine it would be a problem. The truth is, Synology’s implementation of OpenVPN is not the best. Do you want to use the origin certificate for VPN, or are you just trying to bypass it?

  5. From VPN connect on cell phone, I get this error:
    There was an error attempting to connect to the selected server. Error message:
    OpenSSLContext:SSL read_cleartext BIO_read failed, cap-2576 status==1; error: 1416F086:SSL routines tls_process_server_certificate very failed

    Can you suggest what steps I may be not implementing correctly?

    1. I haven’t seen that error – can you confirm what certificate is assigned to OpenVPN in DSM?

      1. I have the exact error message on my iPhone app (I’m using DS1517+)…

        There was an error attempting to connect to the selected server.
        Error message:
        OpenSSLContext:SSL read_cleartext BIO_read failed, cap-2576 status=-1; error: 1416F086:SSL routines tls_process_server_certificate very failed

        I’m not tech savvy at all, I’m not sure where I’ve gone wrong, but I really want OpenVPN installed so I can access my docker containers while away. Do I need to enable IPv6 within the VPN Server?

      2. The only way I’ve managed to make it work is by configuring the VPN Server Certificate to synology.com, is this okay or safe?

        1. Yes, that should be fine! Glad you got it working.

  6. Thanks for responding so quickly. I am traveling out of town for about 2 weeks so I won’t be able to follow up for a bit. AFAIK, I just exported the certificate as you said and used that in the app. I only changed the one line to remote ****.DSmyNAS.com 1194

  7. I used the tutorial to connect to my Clients OpenVPN and DS718+, it went like a dream and “What-is-my-IP” confirmed that I am in full-tunnel mode via the client’s fixed IP

    My client already uses his server from home to his office after hours with WebDAV, but now also wants to use an office printer remotely (from his home). Although I am in the remote network, I see nothing of the remote network’s assets.

    What am I missing??

    Greetings from Munich

    1. If you can see all devices connected to that network, you should be able to print, though I admit that I’m not an expert on printers/printing through VPN. It could be a routing issue on the destination side (where VPN server is located), but that’s really just a guess if I’m being honest.

  8. Hey Frank. Thank you for the step by step tutorial. Everything seems to be working as expected. I have one question though. After setting up DDNS and OpenVPN, is it correct, that I can access my NAS through these three methods?

    1) hostname.synology.me:xxxxx
    2) xx.xxx.xxx.xxx:xxxxx (External Address (DDNS) + Port)
    3) xxx.xxx.xx.xx:xxxxx (NAS IP Address + Port)

    If outside of my own network, I would connect to the VPN and use method 3) to access my NAS.

    When entering 3) without anything prior to the IP address, I get “400 Bad Request – The plain HTTP request was sent to HTTPS port”. I have to enter “https://xxx.xxx.xx.xx:xxxxx” (NAS IP Address + Port) to get access. This shows a warning as no certificate exists. Is this correct? In your video, which explains the setup, you’re not entering “https://”.

    I’m looking forward to your reply. Thanks!

    1. With OpenVPN, you will access your NAS the way you normally access it on your home network. So technically, the first two options will not work unless you port forward the DSM port (which isn’t recommended). How do you access your NAS? If it’s by local IP address, that should function when you try and access it. As for the 400 error, just change the URL to HTTPS instead of HTTP (https://LOCAL_IP:[PORT]).

  9. Hi WunderTech! First off I want to thank you for all your tutorials. They have been amazing in assisting me with properly securing my Synology DS220+ NAS. I am currently trying to set up OpenVPN and am having issues with certificates. I’ve followed the tutorial to the letter. I have checked to see that my port 1194 is open using the ipvoid port scanner and it is indeed open. I have added “client-cert-not-required” into my VPNConfig.ovpn file that was generated by exporting my configuration. It appears that it is connecting to my server, but it is failing the certificate verification. See error log below. I have replaced my IP with XX’s in the log. Any insight would be greatly appreciated, thanks!

    [Oct 10, 2021, 07:07:36] Frame=512/2048/512 mssfix-ctrl=1250
    [Oct 10, 2021, 07:07:36] UNUSED OPTIONS
    1 [tls-client]
    3 [pull]
    5 [script-security] [2]
    [Oct 10, 2021, 07:07:36] EVENT: RESOLVE
    [Oct 10, 2021, 07:07:36] Contacting XX.XXX.XXX.XXX:1194 via UDP
    [Oct 10, 2021, 07:07:36] EVENT: WAIT
    [Oct 10, 2021, 07:07:36] WinCommandAgent: transmitting bypass route to XX.XXX.XXX.XXX
    {
    "host" : "XX.XXX.XXX.XXX",
    "ipv6" : false
    }

    [Oct 10, 2021, 07:07:37] Connecting to [XX.XXX.XXX.XXX]:1194 (XX.XXX.XXX.XXX) via UDPv4
    [Oct 10, 2021, 07:07:37] EVENT: CONNECTING
    [Oct 10, 2021, 07:07:37] Tunnel Options:V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client
    [Oct 10, 2021, 07:07:37] Creds: Username/Password
    [Oct 10, 2021, 07:07:37] Peer Info:
    IV_VER=3.git::c2153df1
    IV_PLAT=win
    IV_NCP=2
    IV_TCPNL=1
    IV_PROTO=30
    IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
    IV_LZO_STUB=1
    IV_COMP_STUB=1
    IV_COMP_STUBv2=1
    IV_GUI_VER=OCWindows_3.3.2-2475
    IV_SSO=openurl,crtext

    [Oct 10, 2021, 07:07:37] Transport Error: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
    [Oct 10, 2021, 07:07:37] EVENT: CERT_VERIFY_FAIL OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
    [Oct 10, 2021, 07:07:37] EVENT: DISCONNECTED

    1. I believe that your synopsis is correct. One thing to check is the certificate that OpenVPN is using on your NAS. If you go to Control Panel > Security > Certificates > Configure, are you using the default “Synology” certificate or are you using a different one? If it’s a different one, can you try replacing it with the Synology one and exporting a new config file, then retrying?
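Several comments above hit the same wall: the OpenVPN Connect log reports CERT_VERIFY_FAIL and the fix is to check which certificate DSM has assigned to VPN Server. The script below is an added example, not code from the tutorial or from the commenters: it parses an OpenVPN Connect (OpenVPN 3) client log in the format quoted in the comment above, extracts the server endpoint, the negotiated tunnel options and the event sequence, and maps the first diagnostic event to the tutorial's own checklist (certificate assignment, OpenVPN privilege in step 4, firewall rule in step 6, port forward in step 8). SAMPLE_LOG is a constructed, shortened version of the quoted log with the address masked as XX.XXX.XXX.XXX; the event names that do not appear in the quoted log (AUTH_FAILED, CONNECTION_TIMEOUT, CONNECTED) are OpenVPN 3 client event names and are assumed here.

```python
"""Triage an OpenVPN Connect (OpenVPN 3) client log against the tutorial's checklist.

Added example, not the tutorial's code. Log format follows the comment quoted
above; SAMPLE_LOG is a constructed, shortened version of it.
"""
import re

SAMPLE_LOG = """\
[Oct 10, 2021, 07:07:36] EVENT: RESOLVE
[Oct 10, 2021, 07:07:36] Contacting XX.XXX.XXX.XXX:1194 via UDP
[Oct 10, 2021, 07:07:36] EVENT: WAIT
[Oct 10, 2021, 07:07:37] Connecting to [XX.XXX.XXX.XXX]:1194 (XX.XXX.XXX.XXX) via UDPv4
[Oct 10, 2021, 07:07:37] EVENT: CONNECTING
[Oct 10, 2021, 07:07:37] Tunnel Options:V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client
[Oct 10, 2021, 07:07:37] Creds: Username/Password
[Oct 10, 2021, 07:07:37] Transport Error: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[Oct 10, 2021, 07:07:37] EVENT: CERT_VERIFY_FAIL OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[Oct 10, 2021, 07:07:37] EVENT: DISCONNECTED
"""

EVENT_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] EVENT: (?P<name>\S+)(?: (?P<detail>.*))?$")
CONTACT_RE = re.compile(r"Contacting (?P<host>\S+):(?P<port>\d+) via (?P<proto>\w+)")
TUNNEL_RE = re.compile(r"Tunnel Options:(?P<opts>.+)$")

# What each diagnostic event points at, in terms of the tutorial's steps.
# Event names other than CERT_VERIFY_FAIL are assumed OpenVPN 3 client events.
ADVICE = {
    "CERT_VERIFY_FAIL": (
        "The client rejected the server certificate. Check which certificate is "
        "assigned to VPN Server under Control Panel > Security > Certificates > Configure; "
        "use the default Synology certificate and export a fresh .ovpn file."),
    "AUTH_FAILED": (
        "DSM rejected the username/password. Confirm the account has OpenVPN "
        "permission in the VPN Server Privilege section (step 4)."),
    "CONNECTION_TIMEOUT": (
        "No reply on UDP 1194. Re-check the Synology firewall rule (step 6), the "
        "router port forward (step 8), and that you are testing from outside your network."),
    "CONNECTED": "Tunnel established; confirm split/full-tunnel behaviour by checking your external IP.",
}


def triage(log_text):
    """Pull the endpoint, negotiated tunnel options and event sequence out of
    the log, and name the first event that has a known fix."""
    result = {"endpoint": None, "tunnel_options": {}, "events": [], "verdict": None}
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := CONTACT_RE.search(line)):
            result["endpoint"] = (m["host"], int(m["port"]), m["proto"])
        elif (m := TUNNEL_RE.search(line)):
            # "cipher AES-256-CBC" -> key/value; bare items like "comp-lzo" -> True
            for item in m["opts"].split(","):
                key, _, value = item.partition(" ")
                result["tunnel_options"][key] = value if value else True
        elif (m := EVENT_RE.match(line)):
            result["events"].append({"ts": m["ts"], "name": m["name"], "detail": m["detail"]})
            if result["verdict"] is None and m["name"] in ADVICE:
                result["verdict"] = {"event": m["name"], "advice": ADVICE[m["name"]]}
    if result["verdict"] is None:
        result["verdict"] = {"event": None, "advice": "No diagnostic event found; capture the full log."}
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("endpoint:", report["endpoint"])
    print("cipher/auth:", report["tunnel_options"].get("cipher"), report["tunnel_options"].get("auth"))
    print("events:", " -> ".join(e["name"] for e in report["events"]))
    print("verdict:", report["verdict"]["event"], "-", report["verdict"]["advice"])
```

The tunnel options line is worth reading even when the connection fails: it confirms the client actually loaded your edited profile (cipher AES-256-CBC and auth SHA512 from the export) and reached the server on UDP 1194, which rules out the firewall and port-forwarding steps before you start looking at certificates.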

