Synology NAS OpenVPN Setup & Configuration!

In this tutorial, we will look at the Synology NAS OpenVPN setup and configuration instructions.

After my recent Ultimate Synology NAS Setup & Configuration Guide tutorial, I received a ton of great feedback from users who were interested in safely and securely accessing their NAS from outside of their network. I’ve been using the Synology VPN Server application with OpenVPN for the past year and have had no issues at all. I can safely access my NAS anywhere in the world and more importantly, I control access.

I will quickly explain what a VPN server does and the different types of VPN server configurations, but if you already know, you can skip down to the OpenVPN Server instructions for the Synology NAS.

1. What is a VPN Server

A VPN is a Virtual Private Network that extends your private network to a public network. In layman’s terms, it allows you to securely connect back to your local network from an outside network. There are two types of VPN networks:

1.1 VPN Connection Types

Split-Tunnel VPN: Traffic is only sent through your network if it is attempting to access an internal resource. Your IP address when navigating to a site outside of your network will be the IP address of the network that you are currently on.

Full-Tunnel VPN: All traffic is sent through your home network. Your IP address for internal and external requests will be your home network’s.

I created a very basic image below that explains this, but we will look at how to configure both in later steps. It’s important to note that both connection types will allow you to access your local network. This only shows how traffic is routed differently to external networks.

NOTE: This is not the exact network flow. I am simplifying the process as much as I can.


2. Synology NAS OpenVPN Setup – Instructions

1. Open the Package Center and Install the VPN Server application.


2. Open the application and navigate to the OpenVPN section.

3. Enable OpenVPN Server. Change the Dynamic IP address range and maximum connection properties if you’d like. Since we are trying to access our Synology NAS outside of our network, we need to enable Allow clients to access server’s LAN. The rest can stay as default. Click Apply.


4. Navigate to the privilege section and ensure that the user account that you’d like to connect to the VPN with has permission for OpenVPN.


3. Synology NAS OpenVPN Firewall Configuration

Our VPN Server is now configured, but we need to ensure that our firewall allows access to UDP port 1194. If you aren’t sure how to configure Synology’s Firewall, you can learn how in our Ultimate Synology NAS Setup & Configuration Guide.

5. If you are using Synology’s firewall, open the Control Panel, Security, then navigate to the Firewall and Edit Rules.

6. Create an Allow rule for the VPN Server (OpenVPN) application, UDP port 1194.

7. When completed, the rule should be above the deny all rule.
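
The rule order in step 7, and the reason VPN clients later need their own rule, can be checked with a small first-match model. This is an added example, not Synology's code: it assumes rules are evaluated top-down with the first match winning, uses the 10.5.0.0/24 VPN range and the 5001, 53 and 7878 ports that appear elsewhere on this page, and 203.0.113.7 is a constructed outside address.

```python
from ipaddress import ip_address, ip_network


def subnet_from_dsm(address, mask):
    """Turn an address and mask as typed into a firewall rule into a network.

    strict=False clears the host bits, so 192.168.1.1 or 10.5.0.1 with mask
    255.255.255.0 become 192.168.1.0/24 and 10.5.0.0/24.
    """
    return str(ip_network(f"{address}/{mask}", strict=False))


def rule(name, action, src="0.0.0.0/0", proto="any", ports=None):
    """Build one rule; ports=None means every port."""
    return {"name": name, "action": action, "src": ip_network(src),
            "proto": proto, "ports": ports}


def evaluate(rules, src_ip, proto, port):
    """Return (action, rule name) of the first rule that matches the packet."""
    src = ip_address(src_ip)
    for r in rules:
        if src not in r["src"]:
            continue
        if r["proto"] not in ("any", proto):
            continue
        if r["ports"] is not None and port not in r["ports"]:
            continue
        return r["action"], r["name"]
    return "no-match", None


DENY_ALL = rule("deny all", "deny")
OPENVPN = rule("VPN Server (OpenVPN)", "allow", proto="udp", ports={1194})
LAN = rule("LAN", "allow", src=subnet_from_dsm("192.168.1.1", "255.255.255.0"))
# Narrow rule for VPN clients: DNS and DSM only, instead of all ports.
VPN_CLIENTS = rule("VPN clients", "allow",
                   src=subnet_from_dsm("10.5.0.1", "255.255.255.0"),
                   ports={53, 5001})

WRONG_ORDER = [DENY_ALL, OPENVPN]             # allow rule below deny all
TUTORIAL = [OPENVPN, LAN, DENY_ALL]           # steps 5-7 plus a LAN rule
WITH_VPN_RULE = [OPENVPN, LAN, VPN_CLIENTS, DENY_ALL]

if __name__ == "__main__":
    cases = [
        ("WRONG_ORDER", WRONG_ORDER, "203.0.113.7", "udp", 1194),
        ("TUTORIAL", TUTORIAL, "203.0.113.7", "udp", 1194),
        ("TUTORIAL", TUTORIAL, "10.5.0.6", "tcp", 5001),
        ("WITH_VPN_RULE", WITH_VPN_RULE, "10.5.0.6", "tcp", 5001),
        ("WITH_VPN_RULE", WITH_VPN_RULE, "10.5.0.6", "udp", 53),
        ("WITH_VPN_RULE", WITH_VPN_RULE, "10.5.0.6", "tcp", 7878),
    ]
    for label, rules, src, proto, port in cases:
        action, name = evaluate(rules, src, proto, port)
        print(f"{label:14} {src:12} {proto}/{port:<5} -> {action} ({name})")
```

A connected VPN client arrives from the VPN range, not from the LAN range, so a LAN-only allow rule never matches it and it falls through to the deny rule.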

4. Port Forwarding

We just configured our Synology firewall to allow connections on UDP port 1194. We now need to port forward UDP port 1194 on our router to our Synology NAS. Synology has UPnP functionality, which gives your NAS the ability to open ports on your router automatically. If you have a UPnP compatible router, it’s very easy to set this up. However, there is a lot of debate on the security of UPnP, so I will not be going over it in this tutorial. If you’d like to do it this way, you can read Synology’s help article here.

Now, port forwarding will be completely different on every brand’s router settings page. This is a great guide that shows how to port forward on a few different brands of routers, but the best thing to do is try and google the name of your router and port forwarding. Example: Netgear port forwarding

This process requires you to have a static IP address setup. If you don’t currently have a static IP address setup, read how to set up a static IP address here.

8. Create a port forwarding rule for UDP port 1194 to your Synology NAS’s IP address. In the example below, 192.168.1.220 is the IP address of my Synology NAS.

Assuming that you were able to open UDP port 1194 and configure the Synology firewall rule successfully, the port configuration is now complete!

5. Synology NAS OpenVPN Configuration File Changes

Now that we have our server configured, we need to modify our configuration file. Before we get into the steps, you need to ensure that you have DDNS configured. Most people have dynamic external IP addresses, so creating a DDNS hostname is required because you need to ensure that you are always accessing your external IP address. If you’d like to configure DDNS using a free synology.me hostname, you can follow Synology’s instructions here. If you’d like to use DuckDNS, I wrote up a tutorial on how you can do it here. If you are absolutely positive that you have a static external IP address that never changes, you do not have to set up DDNS. Simply use your external IP address as YOUR_SERVER_IP.

It’s also important to note that the DDNS provider is irrelevant; you just need to ensure that you have a DDNS hostname configured!

9. Open the VPN Server application and select OpenVPN. Select Export configuration.


10. Extract the contents of the folder. We will only be editing the OpenVPN.ovpn file, so open that file with a text editor.

11. By default, you will receive a default OpenVPN configuration file with a unique certificate at the bottom. This document shouldn’t be shared with anyone other than users who you would like to authenticate with your VPN. We need to change the items below that are highlighted in pink.

  • YOUR_SERVER_IP: This should be the DDNS hostname that you configured.
  • redirect-gateway def1: This is what determines if you are configuring a split-tunnel or full-tunnel VPN. If you aren’t sure which you’d like, reference the image above to see the differences. I create two separate configuration files (one for split-tunnel and one for full-tunnel) and depending on the situation, use one or the other. To enable full-tunnel, remove the “#” sign (this is the symbol for a comment). Just removing the comment symbol will enable the full-tunnel VPN. NOTE: If you are using an iPhone and have iOS 7 or above, you will need to add redirect-gateway ipv6 under redirect-gateway def1.
  • dhcp-option: If you have a local DNS server that you’d like to use, you can add the IP address of your DNS server there. If you don’t have a local DNS server, leave this line commented out. NOTE: If you don’t have a local DNS server configured, OpenVPN will default to using Google’s public DNS records. This means that you won’t be able to access any of your local network resources by hostname, only IP address. If you’d like to configure a local DNS server, you can check out my tutorial on Pi-hole here. NOTE: This is a very basic example of how DNS can be used.
  • client-cert-not-required: This option is not added by default but should be added if you will be using the new OpenVPN clients (most people will be). If you don’t add this option, you will receive an error message when you connect. While you can proceed through the error message, this will stop the error from occurring.

dev tun
tls-client
remote YOUR_SERVER_IP 1194
# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)
#float
# If redirect-gateway is enabled, the client will redirect it's
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)
#redirect-gateway def1
#redirect-gateway ipv6 #REQUIRED for iOS 7 and above.

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.
#dhcp-option DNS DNS_IP_ADDRESS
pull
# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp
script-security 2
comp-lzo
reneg-sec 0
cipher AES-256-CBC
auth SHA512
auth-user-pass
client-cert-not-required
-----BEGIN CERTIFICATE-----
[YOUR CERTIFICATE WILL BE HERE. LEAVE THIS ALL AS DEFAULT]
-----END CERTIFICATE-----

12. Save the configuration file and add it to any devices that you’d like to test the VPN connection with. I normally test the connection with my cellphone, as you cannot be on the same network as your VPN server. You MUST be testing this from an external network (cell phone/hotspot is a great option).
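
Before copying the edited file to a device, the changes from step 11 can be checked mechanically. The script below is an added example, not part of the original tutorial or of Synology's tooling: it parses the active (uncommented) directives of a profile and reports the tunnel mode plus any leftover placeholders. The sample profile and the hostname nas.example.com are constructed, and the last check looks for `remote-cert-tls` or `verify-x509-name`, which are OpenVPN client options that the exported profile on this page does not set.

```python
from ipaddress import ip_address

# Constructed sample: the exported profile shown on this page, unedited,
# with the certificate body replaced by a stub.
UNEDITED = """\
dev tun
tls-client
remote YOUR_SERVER_IP 1194
#float
#redirect-gateway def1
#redirect-gateway ipv6 #REQUIRED for iOS 7 and above.
#dhcp-option DNS DNS_IP_ADDRESS
pull
proto udp
script-security 2
comp-lzo
reneg-sec 0
cipher AES-256-CBC
auth SHA512
auth-user-pass
-----BEGIN CERTIFICATE-----
[certificate omitted]
-----END CERTIFICATE-----
"""


def active_directives(text):
    """Return uncommented directives as token lists, skipping PEM data."""
    out, in_pem = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN"):
            in_pem = True
        if in_pem:
            if line.startswith("-----END"):
                in_pem = False
            continue
        if line.startswith("<"):          # inline block tags such as <ca>
            continue
        tokens = []
        for tok in line.split():
            if tok[0] in "#;":            # rest of the line is a comment
                break
            tokens.append(tok)
        if tokens:
            out.append(tokens)
    return out


def review_profile(text):
    """Report tunnel mode, DNS servers and findings for one .ovpn profile."""
    d = active_directives(text)
    findings = {}

    remotes = [t for t in d if t[0] == "remote"]
    if not remotes or any(len(t) < 2 or t[1] == "YOUR_SERVER_IP" for t in remotes):
        findings["placeholder-remote"] = "remote must name your DDNS hostname or static IP"

    proto = next((t[1] for t in d if t[0] == "proto" and len(t) > 1), "udp")
    ports = {t[2] if len(t) > 2 else "1194" for t in remotes}
    if not proto.startswith("udp") or ports - {"1194"}:
        findings["transport-mismatch"] = "the tutorial opens and forwards UDP 1194 only"

    flags = {f for t in d if t[0] == "redirect-gateway" for f in t[1:]}
    mode = "full-tunnel" if "def1" in flags else "split-tunnel"
    if mode == "full-tunnel" and "ipv6" not in flags:
        findings["no-ipv6-redirect"] = "add redirect-gateway ipv6 for iOS 7 and above"

    dns = []
    for t in d:
        if t[:2] == ["dhcp-option", "DNS"]:
            try:
                dns.append(str(ip_address(t[2])))
            except (IndexError, ValueError):
                findings["bad-dns-value"] = "dhcp-option DNS needs an IP address"

    if not any(t[0] == "auth-user-pass" for t in d):
        findings["no-auth-user-pass"] = "client will not prompt for DSM credentials"
    # Not set by the profile on this page; known OpenVPN client options.
    if not any(t[0] in ("remote-cert-tls", "verify-x509-name") for t in d):
        findings["no-server-cert-check"] = "no server certificate check directive"

    return {"mode": mode, "dns": dns, "findings": findings}


# Constructed edit: hostname set, full tunnel enabled, DNS line uncommented
# but still holding its placeholder.
HALF_EDITED = (UNEDITED.replace("YOUR_SERVER_IP", "nas.example.com")
               .replace("#redirect-gateway def1", "redirect-gateway def1")
               .replace("#dhcp-option DNS", "dhcp-option DNS"))

if __name__ == "__main__":
    for name, text in (("unedited", UNEDITED), ("half edited", HALF_EDITED)):
        result = review_profile(text)
        print(name, "->", result["mode"], result["dns"])
        for code, message in result["findings"].items():
            print("   ", code + ":", message)
```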

6. Synology NAS OpenVPN Client Configuration and Testing

Now that we have configured everything, we need to test our connection. Download the OpenVPN client on your cell phone or on a PC that you can connect to a different network. Remember, you must be connected to a different network to test this.

13. Download the OpenVPN client software for your device here.

14. Select the add button at the bottom and then choose File. You should now be prompted to browse for the .ovpn file that we created earlier. Upload the file and then log in with your DSM username and password.

15. You should be able to connect to your VPN now.

16. I am going to show two examples below. First, I am connected to my VPN Server using my split tunnel connection. You can see that my external IP address is my mobile network (as I am accessing an external webpage).

17. In this screenshot, I am connected to my VPN Server using my full-tunnel connection. My external IP address is my ISP’s, as all traffic is being routed through my home network.

Both split-tunnel and full-tunnel VPN connections allow you to access your local resources, but full-tunnel VPN connections should be used if you’re trying to secure your network traffic (like when you’re on public Wi-Fi).

7. Static Route Configuration - Synology NAS OpenVPN Setup

This step is not required unless you need to access VPN devices from your home network.

Your home network and VPN network will be on different subnets, which means that your local devices will only be able to talk to the machines on their own subnet (the VPN network will see both). In order to have your local network talk to your VPN network (in my case, 192.168.1.X and 10.5.0.X), a static route will need to be configured in your router. I cannot go over the setup steps for this as each router is different, but below is a screenshot of the static route that I configured. The Gateway IP Address will be the IP address of your Synology NAS (since that’s where your VPN is running). The 10.5.0.0/24 subnet is where you will need to enter the IP range you are using (as defined in the OpenVPN settings).
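
To see what the static route changes, the following added example (not from the original tutorial) traces a packet from a LAN PC to a VPN client using longest-prefix routing lookups. The NAS address 192.168.1.220 and the 10.5.0.0/24 range come from this page; the PC address 192.168.1.50, the router address 192.168.1.1 and the VPN client 10.5.0.6 are assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_network

# Routing tables per device: (destination network, next hop).
# "direct" means the destination is on a network the device is attached to.
HOME = {
    "192.168.1.50": [("192.168.1.0/24", "direct"),      # LAN PC (assumed)
                     ("0.0.0.0/0", "192.168.1.1")],
    "192.168.1.1": [("192.168.1.0/24", "direct"),       # router (assumed)
                    ("0.0.0.0/0", "ISP")],
    "192.168.1.220": [("192.168.1.0/24", "direct"),     # Synology NAS
                      ("10.5.0.0/24", "direct"),        # its VPN interface
                      ("0.0.0.0/0", "192.168.1.1")],
}


def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst, or None."""
    dst = ip_address(dst)
    matches = [(ip_network(net), hop) for net, hop in table
               if dst in ip_network(net)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(tables, start, dst, max_hops=8):
    """Follow next hops from start until dst is reached or the packet
    leaves the modeled network."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = lookup(tables.get(node, []), dst)
        if hop is None:
            path.append("no route")
            return path
        if hop == "direct":
            path.append(dst)
            return path
        path.append(hop)
        if hop not in tables:      # handed to a device we do not model
            return path
        node = hop
    return path


def with_static_route(tables, router, subnet, gateway):
    """Return a copy of tables with one static route added on the router."""
    updated = {node: list(routes) for node, routes in tables.items()}
    updated[router].append((subnet, gateway))
    return updated


# The static route from this section: VPN range via the NAS.
FIXED = with_static_route(HOME, "192.168.1.1", "10.5.0.0/24", "192.168.1.220")

if __name__ == "__main__":
    print("without route:", " -> ".join(trace(HOME, "192.168.1.50", "10.5.0.6")))
    print("with route:   ", " -> ".join(trace(FIXED, "192.168.1.50", "10.5.0.6")))
```

Without the route, the router only has its default route for 10.5.0.6 and hands the packet to the ISP side; with it, the packet is passed to the NAS, which is attached to the VPN range.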

8. Synology NAS OpenVPN Setup - Conclusion

This was a long tutorial that went through a lot of steps. Configuring Synology’s VPN Server allows you to securely connect to your home network to access your NAS and local resources. It also completely bypasses the need for QuickConnect or exposing your NAS to the internet (which is a security risk). As an added benefit, the full tunnel VPN connection will also secure your connection when on public Wi-Fi devices!

There’s one thing that I want to mention regarding the security of this VPN. Synology does a pretty poor job of letting the user configure this as securely as possible. With the way that this is configured, technically, you are exposed to a man-in-the-middle attack. There’s a lot that has to happen in order for you to be exposed to that type of attack, but I want to mention that it is a valid concern. If complete security is your top concern, I would look into implementing OpenVPN on a Raspberry Pi or your router (if applicable). The device running OpenVPN doesn’t really matter; it just needs to let you easily configure the server/client certificates.

If you have any questions, please leave them in the comments! If you liked the content, please share it!

This Post Has 101 Comments

  1. Thank you for this. It is appreciated! Worked out great!

  2. Awesome tutorial. Just had 1 issue, had to add the dynamic ip address range from the VPN server to a firewall rule. Otherwise it would connect, but I wouldn’t get internet access even though allow lan access is enabled. Not sure what I missed. Great guide tho!

    1. That’s interesting. I didn’t run into any issues like that, but I appreciate you sharing for future visitors!

    2. Hi Alex, can you post an example of what you had to do to get the full tunnel working, I have exactly the same problem.

  3. What exactly does Step 7 here do? I followed these instructions and was able to get the VPN working. However, I noticed that if I want to navigate to my NAS from windows explorer, I have to go to “\\192.168.1.2” (my NAS’ IP), instead of being able to use “\\DS920” (the name of my NAS). Also, none of the other devices in my local network show up under Networks when connected to the VPN outside of the local network. Is this what Step 7 is meant to fix?

    1. Thanks for following the tutorial!

      Step 7 is a static route setup. Which basically says that devices on your local network can connect to your VPN network (ex: local PC needs to connect to your phone). This isn’t very common and most people don’t need this. It’s really only necessary if you have an off-site backup server that you need to connect to or something similar.

      The issue that you are running into is DNS related. DNS stands for domain name system, which is kind of like a phone book for IP addresses. When you connect to your NAS’s name (DS920 in your case), your DNS server will look up that name and find the IP address associated with it. Without knowing the DNS server to use, you will not be able to connect to DS920, but you WILL be able to connect to the IP address.

      You have two options: you can setup a DNS server (Pi-hole is a great option), but this means implementing a new system. Second option is to reconfigure your OpenVPN config file to enable split-tunnel DNS. I will do my best to explain it below, but feel free to ask any follow-up questions you might have.

      1. Open a windows command prompt and type in the command “ipconfig /all”. Note down the “Connection-specific DNS Suffix”, as well as the “Default Gateway”.
      2. Edit the OpenVPN config file that you have and add these three lines:

      dhcp-option DNS [DEFAULT_GATEWAY (found above)]
      dhcp-option DOMAIN [CONNECTION_SPECIFIC_DNS_SUFFIX (found above)]
      dhcp-option DOMAIN-SEARCH [CONNECTION_SPECIFIC_DNS_SUFFIX (found above)]

      You will end up with something like this:

      dhcp-option DNS 192.168.1.1
      dhcp-option DOMAIN home-router.home
      dhcp-option DOMAIN-SEARCH home-router.home

      Upload that new config file to your VPN device and retry. You should now be able to resolve the NAS by its name. If you have any issues, feel free to follow up. Thanks again for reading!

  4. Good tutorial, but just like Alex on 04th September I can’t get the full tunnel option to work. I can access my NAS but not the internet. The split tunnel option works fine.

    1. Are you using an iPhone/Mac to test by any chance? In iOS 7.0+ and MacOS, you need to add this line to the config file as well to get full-tunnel to work.

      redirect-gateway ipv6

      Let me know if this doesn’t work and I can try and help troubleshoot.

      1. No, I’m using OpenVPN on Android. I’ve tried various things like turning off ipv6 and changing dns server details in various places (as when I try to open an external website it returns that the name could not be resolved) so thought that may be a DNS issue, but I might be grasping at straws. Any help would be much appreciated 🙂

        1. Got it! A few things to check:

          1. If you are using a local DNS server in the config file, can you change it to Google’s (8.8.8.8) and see if you are able to resolve domain names? It sounds like it can be DNS related, so you’re on the right track.
          2. Another issue that I’ve run into in the past – by any chance, are you using Synology’s Firewall? If you are, can you disable the Firewall (only temporarily) and test to see if everything works?

          I apologize for starting with such rudimentary troubleshooting steps, but since you’re connecting properly, it’s most likely something like this. Let me know how it goes!

          1. Ok, I will try those, but before I do (and I’m sorry if this sounds like a dumb question but I’m new to world of all things NAS), am I ok to add the Let’s Encrypt certificate to my DDNS entry before I set the VPN back up? I’ve gone back to a pretty much fresh build of the NAS as I was changing so many things trying to get it to work, and just thought it easier than trying to revert back each of my individual changes (easier as there’s nothing saved to the NAS yet as it’s new).

            Cheers,

            Steven.

          2. Never a dumb question!

            Yes, you can add the Let’s Encrypt certificate before setting your VPN up. While you can change the certificate for your VPN Server in Synology’s settings, I’m not sure it’s actively used for OpenVPN. Since Synology only uses the .ovpn config file, I’m fairly certain that it bypasses this, which is why it’s not going to have any ill effects. Let me know if you have any questions and how it goes!

          3. Ok, so I recreated the VPN connection, and with the Firewall left enabled it didn’t work, so as per your suggestion I disabled the Firewall, restarted the VPN and it started to work.

            So I’m assuming I need to add something to the Firewall to get it to work when it’s enabled? I did add one or two things to the Firewall and got it to work when enabled, but not sure if I should be adding them, they were the application options under the Firewall for Webstation etc, (basically ports 80 and 443).

          4. If it works with the firewall disabled, the most likely cause is that your VPN network is not allowed to connect to your NAS. Try and create the rule below and see if this works. It’s kind of hard to explain through text (without images), but hopefully this makes sense:
            – Create an allow rule for all ports and the Source IP set as “specific IP”. Inside of that, select “Subnet”, and then enter the subnet of your VPN network. You can check the VPN Server package and OpenVPN for the “Dynamic IP address” (as this is your subnet), and then add your subnet in the firewall rule like this:
            IP Address: 10.5.0.0 (replace the 10.5.0.X with what is entered in VPN Server. Keep the 0 where the X is)
            Subnet mask/Prefix length: 255.255.255.0
            Basically, replace the 10.5.0 above with whatever your VPN server is setup with. Add the firewall rule, put it above the deny rule, and see if that works. My suspicion is that it will, but let me know if it doesn’t and we can further troubleshoot. Sorry for pretty terrible instructions, it’s just somewhat hard to explain. Let me know how it goes!

          5. Thanks a lot for the tip, I was struggling to get internet access through L2TP from my iPhone. Opening all the ports may not be a best security practice, I tried to select some with the application selection from the firewall configuration, but opening all ports seems the only viable option… any idea of which ports are required for outbound internet connection?

          6. I haven’t used L2TP, but when you say that you tried to open some of the ports, which ones did you try to open? According to Synology’s documentation, these ports need to be opened (UDP): 1701, 500, and 4500.

            Let me know if that works and if it doesn’t, we can continue troubleshooting!

          7. Sorry, I was not very clear 🙂 …. I managed to connect from my iPhone to my Synology through the L2TP VPN protocol. Once connected, I managed to get access to my Synology resources BUT without access to the Internet. Thanks to your post, I allowed all VPN assigned IPs to ALL ports and with this configuration I have access to the internet through the VPN connection. I was simply wondering if we can limit this to specific ports. I tried multiple ones (HTTP/L2TP/…) but without success, only all ports open allows me to get this internet access.
            Thank you.

          8. Hmm, if I had to take a guess, I’d say port 53. Port 53 is used for DNS, so it was probably working as expected but was unable to resolve domain names since port 53 was closed. Opening “all” ports freed up port 53 which allowed DNS resolution and internet traffic worked properly.

            Try and narrow it down to port 53 only and let me know if that works!

  5. Sir, you are an absolute star, that worked a treat first time. The instructions were really easy to follow and not terrible at all, so no need to apologise for them. Big thumbs up from me.

    I now look forward to trying your Bitwarden tutorial 🙂

    1. That’s awesome, I’m glad to hear it worked! Good luck with Bitwarden – if you need any help, let me know!

  6. I have a bit of a further update on this. After watching one of your recent videos on Firewalls I decided to do a bit more digging to secure things up a bit more. I’ve narrowed down the exact port required to be opened (to the VPN IP addresses) to be Port 53, and after doing a quick search this looks to be the port used by the NAS for DNS as per this page:

    https://www.synology.com/en-global/knowledgebase/DSM/help/DNSServer/dns_server_desc

    Hope this is of help to anyone else. But again, many thanks to WunderTech for pointing me in the right direction initially.

    1. This is very helpful – thanks a lot for sharing! Glad to hear it’s fixed and if you need anything else, please let me know!

  7. Thanks for posting this great step by step tutorial. I have tried many others, unsuccessfully, while setting up my NAS to allow others VPN access for our fledgling business, but you covered everything. We now have others accessing the NAS for data storage and transfer.

    A quirk has appeared though. After a couple of weeks of not directly accessing the NAS (direct IP address or Synology Assistant), neither of these will work now. The Assistant can no longer find the NAS and the direct IP address (still visible on the router), will not connect. I did shut off the router firewall for a moment to see if that restored access, but no luck. Any thoughts?

    1. Glad to hear that it was working! Hope we can get it resolved.

      When you say that it stopped working, do you mean through the VPN? Meaning that devices that were connected via OpenVPN could not access the NAS? Or do you mean that devices on the local network could not access the NAS? Also, is it not working for a specific service, or can you not access anything (DSM, file shares, etc)?

      Let me know and we can continue troubleshooting! Thank you for checking out the tutorial!

      1. Thanks for the reply. VPN access from outside works fine, I had just lost direct access to the NAS from my ethernet connection. Using the same PC that was used to set everything up, and while someone outside was accessing the NAS through the VPN, my Synology Assistant is unable to find the NAS (but could during setup) and I could not access it via the 192.168.0.nnn.

        I have regained access this morning though! For others who may be running into the same issue, I needed to use 192.168.0.nnn:nnnn to log in.

        The Synology Assistant still cannot locate the NAS, even when I have logged in via IP address. Interesting to say the least.

        1. That’s definitely a strange issue but I’m glad to hear that you got it worked out! If I can help with anything else, please let me know!

  8. Hi there, with Synology with 2 LAN Ports and different IP-Adress, shouldn’t it be possible to assign one of them to Pi-Hole only?

    1. I haven’t tried it, but I’m not sure that you can do it either way. When you use both LAN ports, DSM recognizes both of them. You’d in essence have to pass through the LAN port directly to docker (bypassing DSM) and I don’t think that’s possible.

      I might be overlooking something, but that’s how I understand it. Hope that helps, but if I can answer anything else, please let me know!

  9. Hi!

    Short question, I have a static IP address from my internet provider. At step 5 “Synology NAS OpenVPN Configuration File Changes”
    YOUR_SERVER_IP do I have to just put in the external IP address from my router?

    Thanks!

    1. You are correct! If you have a static IP, you can add that there. Most people have dynamic IP addresses so they normally have to setup DDNS, but since yours is static, you’re good!

      If you need anything else, please let me know! Thanks for checking out the tutorial!

  10. When I try to enable OpenVPN from the nas I get this message (To talk about the OpenVPN service, you must first import the intermediate certificate corresponding). I’ve made a let’s Encrypt certificate. No change.

    1. When you say that you get that when you try and enable it, do you mean when you try and check off “Enable OpenVPN Server”? If you go to the Certificate section in Control Panel and select “configure”, is a certificate assigned to the VPN Server?

      Let me know and we can continue troubleshooting!

      1. Hi, thanks for the guide! I’ve also hit the same issue, and do have a custom Let’s Encrypt certificate assigned to the VPN server in the Configure section of the Certificates.

        What else could I be missing?

        Thanks!

        1. I haven’t seen this error in specific. Do you think that you can give me a little more background? When the error occurs, how it occurs, etc?

          Let me know and we can continue troubleshooting!

          1. I had a quick play around, and found out that when configuring certificates, if I remove my custom Let’s Encrypt certificate, and move the VPN Server service certificate to the synology certificate, I am able to enable the OpenVPN connection. However not too sure why this is the case, and what is wrong with my custom certificate.

          2. That partially makes sense. By any chance, did you export the OpenVPN config file before changing the certificate? If you did, you might have to export the configuration file AFTER setting the LE to be the VPN server’s default configuration.

            Keep in mind that it might be best to leave it as Synology, as LE certificates expire after three months and might cause you issues when they do. Let me know if I can help at all!

  11. Hi,
    First thanks a lot for the tutorial. It’s by far the best one stop solution to figure out VPN setup which I’ve seen so far.

    I’ve one question. I followed the tutorial to the T but I’m unable to access my NAS using FQDN I used for DDNS service on port 5000/5001
    Similarly, I can see using nslookup and OpenVpn android app that DNS lookup is successful. So I’m assuming that the DDNS is doing its job.
    I’ve setup port forwarding in my router but still no luck.
    Final observation, I can at least access using my NAS on port 5001 when I’m on the same network.

    What else I’m missing here.

    1. I’m glad to hear that it helped! A few questions that I am hoping we can use to narrow down what the issue is.

      1. When you say FQDN, are you talking about the DDNS hostname you set up with Synology (x.synology.me)?
      2. Do you have a local DNS record for that DDNS hostname? (x.synology.me mapped to the IP address of your NAS)

      My initial thoughts are that if you are using the synology.me hostname, that will point to your external IP address rather than the NAS’s internal IP address. You would need a local DNS record to ensure that FQDN is sent to the correct internal IP. Let me know and we can continue troubleshooting!

  12. Hi – Great guide

    I’m actually having trouble with Step 2. When I try to create the openVPN profile, I get an error message that says “To enable OpenVPN service, please import the corresponding intermediate certificate first”.

    So you know what this means and why this might be happening to my system? Thanks

    1. The only thought that comes to my head is that you don’t have a certificate assigned. When you go to the Control Panel -> Security -> Certificates -> Configure, do you have a certificate assigned to VPN Server? If you don’t, you will have to add one.

      Let me know and we can continue troubleshooting!

  13. Hi, I truly appreciate the easy to follow guide here
    As a follow up to the set up process on Step 7, I can’t seem to be able to ping my client (192.168.2.X) devices through the local network (192.168.1.X). My Synology is sitting behind a router which had port forwarding set up. The router I’m using is an Asus router, on its configuration page for static route. I should set the Network/Host IP to the IP that OpenVPN will assign my clients, netmask to be 255.255.255.0 then the gateway to be the IP address of the Synology, correct? There is an extra options here on the Asus configuration page which are Metric and Interface. I left the Metric as empty and left the interface to be LAN.

    With all that’s said, I’m still unable to ping any client devices through my local network. Could I get your assistance on this?

    1. You are correct, you need to set up a static route but it looks like you set everything up correctly. It should look something like this:

      192.168.2.0 (I am assuming these are the IP addresses OpenVPN will be handing out. If not, use the OpenVPN IP Address range XXX.XXX.X.0).
      255.255.255.0
      IP Address of your Synology NAS.

      I can’t comment on the metric or interface, but default should be fine. By any chance, do you have multiple NIC’s for your Synology NAS? If you do, can you try using the other IP address for your Synology NAS? A reboot is sometimes required as well.

      Let me know and we can continue troubleshooting!

    2. Hi Rob, Did you get this solved. I’m in the same boat as you. The client router can ping the host router and NAS but the host router cannot ping the client so I wonder if my static route is setup correctly.

      Cheers

      1. Not sure if Rob will reply, but after you set up your static route, did you reboot your NAS? I needed to do that initially when I set up my static route.

  14. Love your website and YouTube Channel.
    I’m stuck on trying to get VPN to connect. I’m fairly positive I’ve followed the instructions to the T, but I cannot figure out why, when I try to connect to VPN, the connection is timing out in the OpenVPN client.
    I click the little log file icon to see what Open VPN is reporting and it just shows that the connection is timing out. It is showing my Public IP for my ISP in the log, so that’s good, but it’s not making it further than there.

    I’m trying this while using external internet, per the instructions. I tried temporarily disabling the Firewall on both my router and the firewall for the Synology, with no luck. I must be missing something, but I’m stumped.

    1. Thanks so much!

      First, let’s check to ensure UDP port 1194 is opened to the outside internet. If you can, please select “Advance” in the link below, enable “UDP Scan” and change the “Start Port” and “End Port” to 1194. If you scan, do you see that 1194/udp is open?

      https://www.ipfingerprints.com/portscan.php

      Let’s start there and if it’s opened, we will move on to further troubleshooting!

  15. Awesome tutorial! I read through the comments and I saw that there was a guy having issues with accessing some apps running on the NAS when firewall was enabled. I have this same issue. Anyway I took your advice and added a new rule which basically opens all ports using the vpn dynamic ip address as the subnet. This works well but having to open all ports does not seem to be the best solution. Do you know why this is a problem to start with? I thought that having VPN enabled would make it seem like my device was on LAN just like the other devices but something is different because when I actually am on LAN, I can access the apps with the firewall enabled.

    I saw that you mentioned port 53 which I enabled but that did not help. Any ideas? I have the same problem on both full or split tunnel.

    Thanks again!

    1. I just realized, could this have to do with the fact that the IP address the VPN-connected devices get is not one of the IP addresses that the devices that are actually on LAN get? Because in my firewall I have a rule that allows all devices on my subnet.

      Something like 192.168.1.1 and then 255.255.255.0 as subnet mask. I guess the internal devices connected through VPN get another internal IP address?

      1. The reason this is an issue is because the VPN subnet is different than the local network’s subnet. Generally, it comes down to one specific port needing to be opened and that’s the issue.

        A few things to check:

        You said you have 192.168.1.1/255.255.255.0 – This should actually be 192.168.1.0/255.255.255.0. Can you please try that and let me know if anything changes?

        If you create a new rule for the IP address of your VPN subnet (default is 10.8.0.0/255.255.255.0 I believe, but I could be wrong), does it work? If it does, can you try and narrow it down to port 1194/53 and see if it works?

        Let me know how it goes and we can continue troubleshooting!

        1. I understand! Thanks for the reply. I changed from 192.168.1.1 to 192.168.1.0 which did not make any difference. On the VPN subnet I have 10.8.0.1 not 10.8.0.0. When looking on the VPN server it says dynamic address 10.8.0 then there is a 1 at the end which I can’t change. I tried with 10.8.0.0 and allowed both 1194 and 53 but that did not make any difference. I am trying to reach NASIP:7878 which is a docker container. This only works when I allow 7878 in the VPN subnet. But yea it would be nice to not have to open all ports :).

          I mean 1194 is already allowed through a rule where I selected from a list of built in applications where I chose VPN Server OpenVPN.

        2. I replied but it seems like my response disappeared, I’ll try again.

          I changed 192.168.1.1 -> 192.168.1.0 which did not make any difference.

          In VPN Server under OpenVPN the dynamic address is 10.8.0.1 where I can’t change the last number (1).

          I tried both 53 and 1194 although I think 1194 was already allowed because I have a rule where I have enabled VPN server (OpenVPN) through the list of built in applications. Neither solution worked.

          I am trying to access port 7878, so basically IPNAS:7878 during VPN but it does not work unless I either allow 7878 in the firewall or all ports. Maybe I do have to allow each port that I want to access because the VPN subnet is different than the local network’s subnet?

          1. You are correct! If you have a firewall rule and only allow one subnet, you will have to create one for both subnets. As long as the port isn’t opened on your router, there’s nothing wrong with keeping the port opened for “all” and only having one rule.

            Let me know if you have any other questions!

  16. Hey!

    I got a question regarding split tunnel. When I am on mobile data I can access my apps with localNASip:port, for example 192.168.1.25:3000, when I activate split tunnel and full tunnel. However, if I connect to my parents’ wifi it does not work with split tunnel. Full tunnel still works but not split. Could it be that it is trying to find the IP address on my parents’ LAN or what could be the problem?

    1. Hmm, that’s strange. When you say it does not work, do you mean that you can’t access resources on the local LAN or the outside internet? My assumption would be the local LAN but if it’s the internet, it could be DNS related. Let me know and I will try and help out!

      1. It’s the resources on MY local LAN. So basically when I activate split tunnel I can’t access my docker applications on my Synology with the IP address and port. This is only when I connect to another wifi that is not my LAN. It works on mobile data.

        Also I did add my router as the DNS server in order to be able to access my Synology with server name and port instead of IP address and port but this does not work all the time. It is very inconsistent, sometimes when I am on my own wifi (LAN) I still can’t access with server name and port with VPN off. Sometimes it works, sometimes it does not (iPhone).

        1. Can you access ANY services on your LAN, or is it only Docker containers on your NAS that you can’t access? Also, are you using a macvlan network interface for any of those services? If you are, can you try and use the bridge network IP address and see if you can access them?

          As for DNS, do you have it set up like below in your OpenVPN config file? OpenVPN is fairly finicky and while it might work sometimes, you might run into issues if you don’t specify the exact domain (replace the IP address with your router and the example.com with your DNS server name (can be found using nslookup from a command prompt)).

          dhcp-option DNS 192.168.1.1
          dhcp-option DOMAIN example.com
          dhcp-option DOMAIN-SEARCH example.com

          1. I actually had specified the dhcp-option DNS 192.168.1.1 in my file but not the other two. I tried to find the DOMAIN and DOMAIN-SEARCH but CONNECTION_SPECIFIC_DNS_SUFFIX are empty if I run ipconfig /all. I can’t seem to find what to type in for:
            dhcp-option DOMAIN example.com
            dhcp-option DOMAIN-SEARCH example.com

            Is there another way to find this DNS server name? I have both a windows and a mac that I can use to check DNS but not sure how to get the DNS server name

          2. This is how you can find it on Windows 10:

            1. Type Computer
            2. Right click Computer from the results
            3. Click Properties
            4. You should see the fully qualified domain name next to the “full computer name”.

            Let me know how it goes!

          3. I could not reply to the latest comment. I followed your steps on Windows 10 but I could not find anything there. I only found device name which is the name of my computer. After that I only see the processor etc. Not sure I got the window you expected. Is there an image or so you can link to or a guide?

            I tried nslookup in the cmd and all I get is the “default server” which is the name of my router basically: RT-AC86U-D460 and then the address which is the IP address of my router.

          4. First off, I apologize. While we were doing something that could potentially help DNS resolution, I was making the wrong suggestion. I think I misunderstood your initial question and when I went back with a fresh head, I now understand what you’re asking.

            In summary, when you’re on your parents’ Wi-Fi, their subnet being the same is a problem. The device doesn’t know what to transfer through the tunnel since you’re using the same subnet. When you are using the full-tunnel connection, ALL traffic is routed through the VPN tunnel which is why it’s working. In my research, there is a solution, but it’s not pretty. While painful, my suggestion would probably be to use the full-tunnel VPN when you have to connect back to your local resources. If you need to stay connected and it’s hurting your performance, this page has a solution that should work: https://serverfault.com/questions/548888/connecting-to-a-remote-server-through-a-vpn-when-the-local-network-subnet-addres

            Once again, I apologize for the initial misunderstanding. If there’s anything I can do to assist, please let me know!
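The subnet clash described in the thread above can be checked before connecting. The following is an added example, not part of the original comments or of OpenVPN itself: the function names are hypothetical, the home LAN and VPN subnets are the ones quoted in the thread, and the client-side addresses are constructed samples.

```python
import ipaddress

# Networks reached through the split tunnel: the home LAN and the VPN subnet
# as quoted in the thread. Netmask notation is accepted as well as CIDR.
HOME_ROUTES = ["192.168.1.0/255.255.255.0", "10.8.0.0/24"]


def to_network(text):
    """Parse '192.168.1.0/24', '192.168.1.0/255.255.255.0' or a host form
    such as '192.168.1.23/24' (host bits are dropped)."""
    return ipaddress.ip_network(text, strict=False)


def split_tunnel_conflicts(local_addresses, tunnel_routes=HOME_ROUTES):
    """List every overlap between the networks the client is attached to
    right now and the networks the split tunnel is supposed to carry."""
    conflicts = []
    for local_text in local_addresses:
        local = to_network(local_text)
        for route_text in tunnel_routes:
            route = to_network(route_text)
            if local.version != route.version or not local.overlaps(route):
                continue
            if local == route:
                kind = "identical"
            elif route.subnet_of(local):
                kind = "tunnel route inside local network"
            else:
                kind = "local network inside tunnel route"
            conflicts.append((str(local), str(route), kind))
    return conflicts


def is_ambiguous(destination, local_addresses, tunnel_routes=HOME_ROUTES):
    """True when a destination is both 'on the local Wi-Fi' and 'behind the
    tunnel', so the client cannot tell which network is meant."""
    dest = ipaddress.ip_address(destination)
    on_local = any(dest in to_network(n) for n in local_addresses)
    on_tunnel = any(dest in to_network(r) for r in tunnel_routes)
    return on_local and on_tunnel


def choose_profile(local_addresses, tunnel_routes=HOME_ROUTES):
    """Follow the advice in the reply: fall back to the full-tunnel profile
    whenever the current network collides with the home networks."""
    if split_tunnel_conflicts(local_addresses, tunnel_routes):
        return "full-tunnel"
    return "split-tunnel"


if __name__ == "__main__":
    # Constructed samples: a carrier-NAT address on mobile data and an
    # address handed out by a Wi-Fi router that also uses 192.168.1.0/24.
    for label, addrs in [("mobile data", ["100.72.15.9/10"]),
                         ("parents' Wi-Fi", ["192.168.1.23/24"])]:
        print(label, choose_profile(addrs), split_tunnel_conflicts(addrs))
    print(is_ambiguous("192.168.1.25", ["192.168.1.23/24"]))
```

On a real client, the list of local addresses would come from the operating system's interface listing rather than from literals.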

  17. Hi wundertech,

    I’m totally unable to get this working. I still get connected with my cell phone (Android), but I can’t access anything (neither local network, nor internet):

    – I tried to change every single option from within the .ovpn profile, without success. I tried to change UDP for TCP connection too (server and client), I changed dhcp-option DNS DNS_IP_ADDRESS (does this option matter if I only want to reach the other local LAN?) and the redirect-gateway def1 (with and without), no success
    – “Allow LAN access for clients” is checked in DSM
    – OpenVPN port (1195 for me) is correctly forwarded to the NAS through my internet box, and is open in the NAS firewall (I tried from all sources)
    – The Synology user (named vpn for me) has access and the correct permission for the VPN Server application in the NAS
    – I changed the password of that Synology user 3 times
    – I made a route to the VPN network in my internet box (gateway is the NAS)
    – I also tried to make a route from the NAS to the internet box router

    I still see the client connected through the VPN Server panel of DSM (my cell phone got a correct private IP address, 10.10.0.6, and the same shows in the Android application), but I can’t access anything on the other LAN, 192.168.1.0. The handshake seems to be good (about 2 kb).

    When I tried some basic IP-based URLs while connected (e.g. 192.168.1.1, which is my internet box, just for a test), it searches for something, takes a long time and then fails with a “Time delay exceeded” error.

    What could it be?

    1. I would try and revert everything back to what it was initially. The good thing is that when everything isn’t working, it’s a little easier to figure out what the problem is. Do you have Synology’s Firewall enabled by any chance? If you do, can you try temporarily disabling it and seeing if it works? It sounds like a firewall issue since you are connected but can’t access anything after you connect.

      Let me know if you do and we can continue troubleshooting!

      1. Hi wundertech,

        Thx for the answer, I finally got an old rpi2 and I recycled it into a WireGuard server at home, a pretty simple way with less configuration

  18. WunderTech,

    Great tutorials – both this one, and the initial setup. I learned some things, and I was able to make my NAS a little more secure – I greatly appreciate it.

    I am having an issue that relentless troubleshooting and the internet hasn’t been able to help me with: I have set up an OpenVPN on my laptop and my parent’s computers to be able to access the NAS (they live overseas). Unfortunately, it only allows access to the DSM – I cannot map the NAS or see the NAS in Network.
    Any ideas on how to fix this? Thanks in advance.

    1. Thanks so much! If you’re able to see the NAS, I’d say that’s a good thing. A few questions:

      1. Did you enable “Allow clients to access server’s LAN”?
      2. Do you have a firewall setup on your NAS? If you do, can you temporarily disable it, test to see if it works and then reenable it?

      Let me know how it goes and we can continue troubleshooting!

      1. Hiya WunderTech!

        I do have “Allow clients to access server’s LAN” enabled. I disabled my firewall and went looking for the NAS to pop up in “My Network Places” and no joy. I still have access through my web browser, but that’s about it. I don’t think it’s a firewall issue on my router side, since I have access to the DSM and I’ve tried on two separate networks (my wifi at another house and my phone’s wifi hotspot). It might be some adapter setting or a setting within the Network and Sharing Center, but I’m honestly not sure.

        Thanks again! Great help so far!

        1. Not a problem! Can you access them using their IP address? In looking over your issue again, as far as I know, “My Network Places” will not show devices on the destination server (your local network) by default. However, you WILL be able to connect to them by IP address.

          If you have SMB enabled on your NAS (and the port allowed on the Synology firewall), open a “Run” command in windows and type the following:

          \\YOUR_SYNOLOGY_NAS_IP

          You should be brought to all of your shared folders (after authenticating). If you are, you can right-click them and “Map” them so they show on your parents PC.

          Let me know how it goes!

          1. WunderTech,

            It worked! Thanks again, by far the best help I’ve gotten.

          2. Awesome! Glad to hear it worked!

  19. Thanks for the great tutorial! I got OpenVPN Full and Split tunnels working fine. I’m new to VPN and am probably making a noob mistake, but I can’t seem to figure out the following. I have a LE-issued SSL certificate installed for my (Synology) domain name, which works like a charm when I set up port forwarding to the NAS for the HTTPS port on my router. However, I don’t want to expose the NAS to the internet like this – so I delete the port forwarding for HTTPS and set up VPN Server. I can no longer get secure access to DSM on the LAN (which isn’t a big deal I guess), but when I connect the VPN and access DSM with the OpenVPN Dynamic IP, Chrome iOS generates privacy warnings – the certificate doesn’t seem to work, which does concern me – but should it? Connecting to DSM through the VPN using the domain name the certificate is issued for isn’t possible either. How can I access DSM through the VPN using a certificate-secured connection? Thanks in advance for your help! 🙂

    1. Thanks for checking out the tutorial! The short answer is no, it shouldn’t concern you. A certificate basically confirms the website that you’re navigating to is who they say they are. On external networks, this is incredibly important and you shouldn’t navigate to any sites where they DON’T have a valid certificate. Internally, you don’t have to worry about that, as you know that you’re connecting to the right server. If you use the HTTPS port (5001 by default), your traffic IS encrypted, it’s just not verified by a certificate.

      You can get around this by using self-signed certificates or implementing a local DNS server, but it’s slightly overkill and is really only needed if the Chrome privacy warning annoys you. It won’t provide any functional difference.

      Let me know if I can answer anything else!

      1. Happy new year and thanks a lot! 🙂

        1. Thank you! Happy New Year to you too!

  20. Hi Frank, I do have another 2 questions. I followed another of your great tutorials to install Bitwarden locally on my Synology. Thanks to your article, installing was a breeze and it works as expected. Just like in the above example (HTTPS), I have to forward another port in my router for Bitwarden (5554 in your example), which automatically allows external access using example.com:port (if I understand correctly).

    1) I would rather have DSM and Bitwarden to ONLY be available from outside my LAN once the VPN has been established. Is that possible, and if yes, how should I achieve it – or would you advise against it?

    2) When on the LAN, I also seem to require the port forwarding rules in my router in order to be able to reach Bitwarden or DNS using example.com:port from my browser. Could you point me in the right direction to fix this for local access without activating the port forwarding rules on the router?

    Thanks a lot in advance!!

    1. The short answer is that yes, you can do it, but it’s not as straightforward as you’d think. The bitwarden_rs container only exposes port 80 by default which is the HTTP port. The overall suggestion is to use a reverse proxy to get HTTPS to work, which also opens you up to using Let’s Encrypt. This is how the tutorial is written, but like you said, it exposes Bitwarden to the world.

      If you want to access it when connected to your VPN only, you have three main options:

      1. Use the HTTP IP address, but traffic to and from the container will not be encrypted. If you trust your local network, this option should be fine. Enable 2FA in all situations to keep the account secure. If you don’t trust your local network (shared internet, a lot of guests, etc.), I probably wouldn’t use this option.
      2. Enable HTTPS using the documentation that the creator of the container published: https://github.com/dani-garcia/bitwarden_rs/wiki/Enabling-HTTPS
      3. Keep the reverse proxy on, but limit traffic using Synology’s firewall on port 5554 to your local subnet and VPN subnet ONLY. The port will have to stay open on your router, but it should only connect if it’s coming from one of those IP addresses. This will in essence keep everything working exactly as it is, but limit traffic to your local network only. Everyone else will be blocked.

      Option 2 will require you to translate it into Synology terms (meaning you’d probably have to mount the certificates as a folder, etc), but it’s doable. To answer your second question, you will only be able to use the domain you set up on options 1 or 3 above. You can technically do it on option 2 as well, but you’d require a local DNS server.

      I realize this is probably a little more complex than you were hoping, but if I can answer any other questions, please let me know!

      1. Wow, thanks a lot for your comprehensive answer! 🙂 Will be playing around with this. Keep up the good work, highly appreciated!!
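Both the firewall discussion in comment 15 (VPN clients blocked from port 7878 while LAN devices are not) and option 3 above (port 5554 limited to the local and VPN subnets) come down to how source-subnet rules are matched. The following is an added example, not Synology's code and not part of the original comments: it is a simplified first-match model with a default of deny, it ignores TCP/UDP, and the rule names and sample client addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    source: str            # "all", CIDR, or address/netmask notation
    ports: tuple = ()      # destination ports; empty tuple means every port
    action: str = "allow"

    def matches(self, src_ip, port):
        if self.source != "all":
            # strict=False: in this model a host-style entry stands for the
            # network that contains it.
            network = ipaddress.ip_network(self.source, strict=False)
            if ipaddress.ip_address(src_ip) not in network:
                return False
        return not self.ports or port in self.ports


def evaluate(rules, src_ip, port, default="deny"):
    """Return (action, rule name); the first matching rule wins."""
    for rule in rules:
        if rule.matches(src_ip, port):
            return rule.action, rule.name
    return default, "no rule matched"


# Subnets as quoted in the thread; client addresses are constructed samples.
LAN = "192.168.1.0/255.255.255.0"
VPN = "10.8.0.0/255.255.255.0"
LAN_HOST = "192.168.1.50"
VPN_CLIENT = "10.8.0.6"
INTERNET_HOST = "203.0.113.10"   # documentation address range

# 1. The starting point in comment 15: LAN allowed everywhere, OpenVPN open.
lan_only = [
    Rule("LAN: all ports", LAN),
    Rule("VPN Server (OpenVPN)", "all", (1194,)),
]

# 2. The first attempt: VPN subnet allowed on 53 and 1194 only.
with_dns = lan_only + [Rule("VPN subnet: 53/1194", VPN, (53, 1194))]

# 3. Scoped alternative to "all ports": only the services VPN clients need,
#    including 5554 as in option 3 of the Bitwarden reply.
scoped = lan_only + [Rule("VPN subnet: DNS + apps", VPN, (53, 7878, 5554))]


def probe(rules):
    """Evaluate a fixed set of (client, port) probes against a rule list."""
    checks = [
        ("lan", LAN_HOST, 7878),
        ("vpn", VPN_CLIENT, 7878),
        ("vpn", VPN_CLIENT, 5554),
        ("vpn", VPN_CLIENT, 5001),
        ("internet", INTERNET_HOST, 5554),
        ("internet", INTERNET_HOST, 7878),
        ("internet", INTERNET_HOST, 1194),
    ]
    return {(who, port): evaluate(rules, ip, port)[0] for who, ip, port in checks}


if __name__ == "__main__":
    for label, rules in [("lan_only", lan_only), ("with_dns", with_dns),
                         ("scoped", scoped)]:
        print(label)
        for key, action in probe(rules).items():
            print("  ", key, action)
```

The scoped rule set shows the middle ground between opening every port to the VPN subnet and opening none: each service is listed once for the VPN subnet, and anything arriving from outside both subnets still falls through to deny.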

  21. I was stuck setting up a VPN server on my ds418 play and your guide helped me get it working. Thanks heaps!

    I’m using Google WiFi (router), pi-hole on a raspberry pi 3 (dhcp) and ds418 play (VPN server).

    I’ve followed your guide, but it still wasn’t working. Then, I went through the comments and found your mention about disabling the Firewall and giving it a go. BINGO! It was just a matter of adding a rule allowing traffic from the VPN network and magic happened. 🙂

    Thanks a lot!

    1. Awesome news! I’m glad it helped, thanks for checking out the tutorial!

  22. Hi,

    Thanks for the guide again, I’m still trying to get this working, however using a static IPv6 address rather than DDNS and wondering if you have any ideas?

    Steps I’ve done so far:

    – Enabled IPv6 to get a static IP from the ISP (Hyperoptic) on my Router (Google Nest).
    – Have a custom domain (`example.xyz`) where the IPv6 address is an AAAA record on Cloudflare (although I’m quite new to IPv6 and it seems that two different PCs on my network have different ending 4 blocks if that makes sense), so not too sure if I’ve set the IP correctly here.
    – Port forwarded 1194 from the NAS to the router, and opened the firewall on the NAS (only UDP).
    – Enabled the OpenVPN service on the VPN Server.
    – Exported the configuration and updated the REMOTE_IP to exactly `example.xyz`, and updated to `proto udp6`.
    – Uploaded the configuration to my android phone and tried connecting while on another network however it doesn’t succeed.

    Other questions as well:

    – Do I need to `Enable Ipv6 Server mode` in the VPN Server settings?
    – Do I need some kind of custom SSL certificate for secure communications on the VPN? When clicking the connect button on the phone, it pops up saying `Select Certificate` which sounds like it’s not trying to use a certificate…

    I suppose at the moment my biggest issue is with IPv6, as I’m not exactly sure what to put in the AAAA record in Cloudflare, I think it’s something like xxxx:xxxx:xxxx::2 ?

    Any advice would be very much appreciated!

    Thanks 🙂

    1. I unfortunately haven’t set up IPv6, so I can’t comment on the exact steps but I think you’re on the right track. You most likely have to enable IPv6 and after you do, update the configuration file. Do you have the firewall setup? If you do, temporarily disable it to see if that resolves the issue.

      Generally, it should function similarly to IPv4, so it’s most likely a setting or a configuration file setting.

  23. Ah fair enough. I do have the firewall setup and have tried disabling it, but nothing seems to have happened there. I’ll have a play around with the configuration, and if I get anywhere with it, will report back. Thanks 🙂

  24. Hi Frank,

    I followed along with the video, and I’m pretty sure I’ve got it working correctly, but I have a question: I have a couple of services on my Synology serving via a remote proxy like https://service.mydomain.com. One is a Docker container, and the other is DSM. In my router, I’m forwarding Port 80, 443, and 1194 to my Synology, and I can access these just like I’d expect. The problem is that I can access them whether I’m connected to the VPN or not, regardless of whether I’m on my network or not.

    Is this the expected behavior, and if so, how can I have reverse proxy services that I can only access over the VPN? Thanks!

    1. Hi Chris!

      The reason that you can access these services both remotely and locally is because you have ports 80/443 opened and you’re using a reverse proxy server. Generally, people suggest using a VPN to connect to your home network, then connecting to the local service from there. However, you’re using what sounds like two technologies (reverse proxy, VPN) at the same time.

      A reverse proxy will expose certain services outside of your local network. So when you have 80/443 opened and create a reverse proxy, that service is exposed to the entire world. The VPN appears to be set up and working properly.

      If you DON’T want these services accessible by the entire world, you need to close ports 80/443, connect to your VPN and then connect to the service by using its internal IP address. If you want to use the service by domain name (https://service.mydomain.com), you would have to implement an internal DNS server which points that name to the internal IP address of the server.

      This is a lot of information and might cause a little confusion, so please feel free to ask any follow-up questions you have!

  25. Great tutorial, thank you! I now have a vpn up and running and learned a few things along the way.

    Quick question, and sorry if someone else asked this already in the comments. I am using the openvpn iphone app like you suggested. Is it possible to always have the vpn connection open while on my home network? Or is this a security risk / bad practice?

    1. It unfortunately won’t work on your local network. When you’re outside of your local network, you’re basically tunneling back to your local network which “secures” your connection. When you’re on your local network, enabling it either will not work, or it will “appear” like it’s enabled and the internet connection won’t work.

      Basically, when you’re outside of your home, if you’d like to “secure” your connection or access local resources, enable it. If you’re at home, there’s no need to enable it!

  26. Cool, thanks for the quick reply and help!

  27. Worked like a charm, thank you for being detailed yet easy to follow 🙂

  28. Anyone else get “openssl context CA not defined”?

    I followed your instructions, not sure what went wrong. Trying to get to my DS920+ via Android phone.

    Thank you

    1. Where exactly are you getting that error? Is it on the Android side or the Synology server side?

  29. This was very helpful. I can connect with my Windows devices but I am running into an issue with my Mac: when I try and connect via SMB it will say “There was a problem connecting to server “192.168.1.210” The server may not exist or it is unavailable at this time. Check the server name or IP address, check your network connection, and try again.” I can see from the OpenVPN Connect app that I am connected and I see from the Synology DSM that I am connected, I just can’t navigate to the DSM from Finder. Any thoughts on what could be causing this?

    1. Are you using your Synology NAS by name and not IP address? You might have some issues with your DNS configuration if you are.

  30. Hi, your tutorial is great and I could easily follow along. Just one small problem: I would love to access my router via VPN. For now I can access my NAS without any problems (full and split), but I have no chance accessing my router (standard 192.168.188.1) with activated VPN; I only land on Synology’s page: Webstation has been enabled (and so on)…. To my understanding it is very odd to type in the router’s IP and land on a local Synology page (: I tried setting a static route as described in step 7 but there’s unfortunately no change. Any ideas? Thanks!

    1. You shouldn’t have to do anything special to access your router’s page. Do you know if it’s blocking requests from different IP subnets? Can you access all other network resources? It could be a setting on the router itself.

  31. Hi! First of all thanks for the tutorial

    I’ve tried to configure it as you say, but it doesn’t seem to work, it seems that the option client-cert-not-required has been deprecated, and I’ve tried to use the new replacement instead but it asks me for a --server mode option too, what can I do?

    1. When you say it doesn’t work, what exactly doesn’t work? The client-cert-not-required simply bypasses the error that appears, so it wouldn’t be that. Is it not connecting at all?

  32. Hey WunderTech, amazing tutorial and videos!
    I am however having an issue with OpenVPN on my Synology NAS, as I cannot reach any internet page (besides google?!) once connected via full-tunnel… The client I use, Tunnelblick, throws a lot of warnings regarding DNS, so I assume that’s where the problem lies:
    __
    *Tunnelblick: NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
    __
    *Tunnelblick: Warning: DNS server address 172.20.**.* is not a public IP address and is not being routed through the VPN.
    __
    *Tunnelblick: Warning: DNS server address fe80::1 is not a public DNS server known to Tunnelblick and is not being routed through the VPN
    __
    I am not running a DNS server in my NAS.
    I believe that my DNS are resolved by my ISP router, which is my gateway 192.168.0.1.

    I have tried all day changing the OpenVPN-config.ovpn file, with the dhcp-option commented:
    #dhcp-option DNS 192.168.0.1
    and uncommented:
    dhcp-option DNS 192.168.0.1

    I’ve also tried adding some public DNS servers:
    dhcp-option DNS 8.8.8.8
    dhcp-option DNS 8.8.4.4

    Nothing seems to work. Do you have any recommendation?
    Thanks a lot!

    1. Are you using Synology’s firewall? If you are, did you allow traffic to port 53 from your VPN subnet? It sounds like it might be a DNS issue, so that’s the first thing I’d try.

  33. Hi WunderTech – Great article.

    Have a Synology DS918+ and have had it setup behind a Router with an external static IP.

    The Synology NAS sits on the internal network with LAN IP : 192.168.11.220
    The OpenVPN Client port is changed to port 1695

    The routers IP GW Address : 192.168.11.254
    Port forwarding is enabled from external on 1695 to port forward internally to 192.168.11.220

    The NAS can be accessed internally from any device on 192.168.11.0/24 to 192.168.11.220.
    The NAS can also be accessed remotely via QuickConnect.

    ** WAS WORKING PERFECTLY – As follows **

    All devices internally on the LAN work ok – including accessing shares.
    DHCP server is done by the router. (Not the synology NAS)

    The OpenVPN client has been configured and connects ok to the Synology OpenVPN Service and allocates an IP of : 10.0.8.6

    So when a Win10 client connects remotely – all services direct to the Synology NAS are on IP 10.0.8.1
    I can connect to network shares on the NAS direct via the Client VPN on the Windows 10 PC.

    To access any 192.168.11.0/24 I added the following static route on the Windows 10 PC.

    cmd.exe (run as admin)
    route add 192.168.11.0/24 10.0.8.6
    route print (Then showed the static route)

    This worked magically for a couple of months.

    Once a Windows 10 PC worked remotely with an Internet Connection, launched the OpenVPN client
    Connected ok – and was able to access any resource remotely within the 192.168.11.0/24 network (LAN).

    This was great for accessing local printers on the LAN, access to internal resources.
    So network shares were mapped as s: \\192.168.11.220\shareddata
    Print drivers were pointed direct to the printers IP Address within 192.168.11.x network.

    ** THE PROBLEM **

    Then one day this stopped working when connecting remotely. Not able to access any resources remotely on the 192.168.11.0/24 network.
    I have tried removing and re-adding the static route on the pc.

    I haven’t tried anything on the Synology NAS yet?

    I can now only access resources direct on the 10.0.8.1 (Synology NAS) when the OpenVPN client is connected.
    Network drives are mapped direct to the \\10.0.8.1\sharename rather than the \\192.168.20.220\sharename

    But I really need remote printing working again to any local printers when working across the OpenVPN.

    Any pointers, suggestions welcome.

    1. It sounds like you have everything configured properly. I wouldn’t think it’s a static route issue since static routes are created for the reverse (local network accessing the VPN devices). Are you using Synology’s firewall by any chance? Did you limit traffic to only local IP addresses?

      What about pinging a device by IP address (VPN to local)? Any reply?

  34. Thanks so much for this. It was so easy to set up and now I’m wondering why I didn’t do this long ago. A couple extra questions:
    (1) Even though I added “client-cert-not-required” in the config file, my Android phone still pops up that question when I log on. Is there any other way to stop this pop-up, or how can I import the cert file(s) into the Android phone so it has them?
    (2) Along the same lines, I installed OpenVPN client on my laptop but it requires the cert files. I installed both cert files that Synology provided by double-clicking on them, which appeared to install fine, but yet I still get this message and cannot log on.

    Thanks again.

    1. Thanks so much!

      1. I am using that line on Android and it’s working properly, though it is deprecated at this point. You can try adding this line and see if it works: --verify-client-cert none
      2. The cert is not required, which is why you might be running into issues. If you can, try and add the line above and then use that config file on your laptop. My assumption is that it will work, but let me know if it doesn’t.

      Let me know if you need anything else!
