Synology NAS OpenVPN Setup & Configuration!

In this tutorial, we will look at the Synology NAS OpenVPN setup and configuration instructions.

After my recent Ultimate Synology NAS Setup & Configuration Guide tutorial, I received a ton of great feedback from users who were interested in safely and securely accessing their NAS from outside of their network. I’ve been using the Synology VPN Server application with OpenVPN for the past year and have had no issues at all. I can safely access my NAS anywhere in the world and more importantly, I control access.

I will quickly explain what a VPN server does and the different types of VPN server configurations, but if you already know, you can skip down to the OpenVPN Server instructions for the Synology NAS.

1. What is a VPN Server

A VPN (Virtual Private Network) extends your private network across a public one, the internet. In layman’s terms, it lets a device on an outside network connect back into your local network over an encrypted tunnel, as if it were plugged in at home. There are two ways the client can route its traffic once it is connected:

1.1 VPN Connection Types

Split-Tunnel VPN: Only traffic destined for your home network is sent through the tunnel. Everything else leaves the network you are currently on, so a website outside your network sees that network’s IP address, and that traffic is not protected by the VPN.

Full-Tunnel VPN: All traffic is sent through the tunnel to your home network and out your home internet connection. Websites see your home network’s public IP address for both internal and external requests.

I created a very basic image below that explains this, but we will look at how to configure both in later steps. It’s important to note that both connection types will allow you to access your local network. This only shows how traffic is routed differently to external networks.

NOTE: This is not the exact network flow. I am simplifying the process as much as I can.
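To make the routing difference concrete, here is an added example (the editor’s, not part of the original tutorial) that models the client’s routing table with Python’s standard ipaddress module and picks the next hop by longest prefix match, the same rule a real host uses. It assumes the tutorial’s numbering (home LAN 192.168.1.0/24, VPN pool 10.5.0.0/24 with the server end at 10.5.0.1) and uses constructed addresses for the hotspot gateway (172.20.10.1) and for what the DDNS hostname resolves to (203.0.113.10).

```python
"""Split- vs full-tunnel routing, simulated with longest-prefix match.

Added example for the tutorial above; every address below is an assumption
chosen to match the text (LAN 192.168.1.0/24, VPN pool 10.5.0.0/24) or a
constructed documentation address (the hotspot and the NAS's public IP).
"""
import ipaddress

HOTSPOT_GW = "172.20.10.1"    # assumed gateway of the public network you are on
HOTSPOT_NET = "172.20.10.0/28"
VPN_GW = "10.5.0.1"           # assumed server end of the tun interface
VPN_POOL = "10.5.0.0/24"      # the "Dynamic IP address" range set in VPN Server
HOME_LAN = "192.168.1.0/24"
NAS_PUBLIC = "203.0.113.10"   # constructed: what your DDNS hostname resolves to
LINK = "directly attached"


def split_tunnel_routes():
    """Routing table after a split-tunnel connect (redirect-gateway left commented out)."""
    return [
        ("0.0.0.0/0", HOTSPOT_GW),   # the original default route is untouched
        (HOTSPOT_NET, LINK),
        (VPN_POOL, LINK),            # the tun interface itself
        (HOME_LAN, VPN_GW),          # pushed because "Allow clients to access server's LAN" is on
    ]


def full_tunnel_routes():
    """The same table after 'redirect-gateway def1' is uncommented."""
    return split_tunnel_routes() + [
        # def1 does not delete the default route; it adds two /1 routes that
        # together cover all of IPv4 and are more specific than 0.0.0.0/0.
        ("0.0.0.0/1", VPN_GW),
        ("128.0.0.0/1", VPN_GW),
        # ...plus a host route so the tunnel's own packets still leave via the
        # hotspot instead of being routed into the tunnel they carry.
        (NAS_PUBLIC + "/32", HOTSPOT_GW),
    ]


def next_hop(destination, routes):
    """Return the gateway for `destination` using longest-prefix match."""
    dst = ipaddress.ip_address(destination)
    best_net, best_gw = None, None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    return best_gw


def compare(destination):
    """(split-tunnel next hop, full-tunnel next hop) for one destination."""
    return (next_hop(destination, split_tunnel_routes()),
            next_hop(destination, full_tunnel_routes()))


if __name__ == "__main__":
    for dst in ("192.168.1.220", "8.8.8.8", NAS_PUBLIC):
        split, full = compare(dst)
        print(f"{dst:>15}  split-tunnel -> {split:<18} full-tunnel -> {full}")
```

The NAS at 192.168.1.220 goes through the tunnel in both modes; 8.8.8.8 goes out the hotspot in split-tunnel mode and through your home in full-tunnel mode. The security point is the first case: anything that is not 192.168.1.0/24, including DNS lookups if you do not push a home DNS server, leaves the hotspot in the clear when you use a split tunnel.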

Synology NAS OpenVPN

2. Synology NAS OpenVPN Setup – Instructions

1. Open the Package Center and Install the VPN Server application.

Synology NAS OpenVPN

2. Open the application and navigate to the OpenVPN section.

3. Enable OpenVPN Server. Change the Dynamic IP address range (the subnet handed out to connecting clients) and the maximum number of connections if you’d like. Since we want to reach the Synology NAS and the other devices on its LAN from outside, enable Allow clients to access server’s LAN. The rest can stay at the defaults. Click Apply.

Synology NAS OpenVPN

4. Navigate to the Privilege section and make sure the user account you want to connect with has the OpenVPN permission. Grant it only to the accounts that need VPN access: these are the DSM credentials the VPN will accept, so every enabled account is a way in.

Synology NAS OpenVPN

3. Synology NAS OpenVPN Firewall Configuration

Our VPN Server is now configured, but we need to ensure that our firewall allows access to UDP port 1194. If you aren’t sure how to configure Synology’s Firewall, you can learn how in our Ultimate Synology NAS Setup & Configuration Guide.

5. If you are using Synology’s firewall, open the Control Panel, Security, then navigate to the Firewall and Edit Rules.

VPN5

6. Create an Allow rule for the VPN Server (OpenVPN) application, UDP port 1194.

VPN6

7. When completed, the allow rule must sit above the deny-all rule, because Synology’s firewall evaluates rules top to bottom and the first match wins.

VPN7

4. Port Forwarding

We just configured the Synology firewall to accept connections on UDP port 1194. Now the router has to forward UDP port 1194 from the internet to the Synology NAS. Synology supports UPnP, which lets the NAS ask a compatible router to open ports automatically, and if you have a UPnP-capable router it is very easy to set up. That convenience is also the security concern with UPnP: any device on your LAN can open inbound ports on the router without authentication, so I will not cover it in this tutorial. If you’d like to do it this way, you can read Synology’s help article here.

Now, port forwarding will be completely different on every brand’s router settings page. This is a great guide that shows how to port forward on a few different brands of routers, but the best thing to do is try and google the name of your router and port forwarding. Example: Netgear port forwarding

This process requires the NAS to have a fixed LAN IP address (a static address on the NAS or a DHCP reservation on the router); a forwarding rule that points at an address that can change will silently stop working. If you don’t have one set up yet, read how to set up a static IP address here.

8. Create a port forwarding rule for UDP port 1194 to your Synology NAS’s IP address. In the example below, 192.168.1.220 is the IP address of my Synology NAS.

VPN12

Assuming you were able to forward UDP port 1194 and create the Synology firewall rule, the port configuration is now complete!

5. Synology NAS OpenVPN Configuration File Changes

Now that the server is configured, we need to modify the exported configuration file. Before we get into the steps, make sure DDNS is configured. Most home connections have a dynamic external IP address, so a DDNS hostname is needed to make sure the client always reaches your current external IP. If you’d like to configure DDNS with a free synology.me hostname, you can follow Synology’s instructions here. If you’d like to use DuckDNS, I wrote up a tutorial on that here. If you are absolutely sure your external IP address is static and never changes, you do not need DDNS; simply use your external IP address as YOUR_SERVER_IP.

It’s also important to note that the DDNS provider is irrelevant, you just need to ensure that you have a DDNS hostname configured!

9. Open the VPN Server application and select OpenVPN. Select Export configuration.

Synology NAS OpenVPN

10. Extract the contents of the archive. We will only be editing the OpenVPN.ovpn file, so open it in a text editor.

11. The export is a standard OpenVPN client configuration with the certificate (the CA) the client uses to verify your server embedded at the bottom. Treat the file as sensitive: besides that certificate it contains your hostname and port, so only hand it to people you want connecting to your VPN. We need to change the items below (highlighted in pink in the screenshot).

  • YOUR_SERVER_IP: This should be the DDNS hostname that you configured (or your static external IP address).
  • redirect-gateway def1: This determines whether you are configuring a split-tunnel or full-tunnel VPN. If you aren’t sure which you’d like, reference the image above to see the differences. I create two separate configuration files (one for split-tunnel and one for full-tunnel) and use one or the other depending on the situation. To enable full-tunnel, remove the “#” at the start of the line (it is the comment marker); that alone switches the profile to full-tunnel. NOTE: redirect-gateway def1 only redirects IPv4. If you are using an iPhone with iOS 7 or above, also uncomment redirect-gateway ipv6 directly below it, otherwise the device’s IPv6 traffic bypasses the tunnel.
  • dhcp-option: If you have a local DNS server that you’d like to use, put its IP address here and the client will resolve names through the tunnel. If you don’t have a local DNS server, leave this line commented out. NOTE: Without a local DNS server, the client falls back to the DNS the server pushes (Google’s public resolvers in this setup), which means you can reach local resources by IP address only, not by hostname. If you’d like to configure a local DNS server, you can check out my tutorial on Pi-hole here. NOTE: This is a very basic example of how DNS can be used.
  • client-cert-not-required: Older guides (and an earlier version of this page) say to add this line so that the OpenVPN Connect app stops asking you to pick a client certificate. Don’t. It, and its replacement verify-client-cert, is a server-side option, and as several readers report in the comments below, OpenVPN 2.4 and newer clients refuse the profile with “Options error: --client-cert-not-required and --verify-client-cert require --mode server”. The client-side equivalent that the OpenVPN Connect app understands is setenv CLIENT_CERT 0, which is what the configuration below uses. If an older client still shows the certificate prompt, choosing “Continue” without a certificate is correct: this setup authenticates users by DSM username and password only.

dev tun
tls-client
remote YOUR_SERVER_IP 1194
# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)
#float
# If redirect-gateway is enabled, the client will redirect its
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)
#redirect-gateway def1
#redirect-gateway ipv6 #REQUIRED for iOS 7 and above.

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.
#dhcp-option DNS DNS_IP_ADDRESS
pull
# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp
script-security 2
# Compression inside the tunnel is what the VORACLE attack abuses and OpenVPN
# now advises against it; leave it unless you can change the server side too.
comp-lzo
reneg-sec 0
# OpenVPN 2.5+ clients log a deprecation note for "cipher" and negotiate the
# data-channel cipher themselves; the exported value still works.
cipher AES-256-CBC
auth SHA512
auth-user-pass
# Client-side replacement for the server-only "client-cert-not-required":
# tells the OpenVPN Connect app not to ask for a client certificate.
setenv CLIENT_CERT 0
# Optional hardening (see the conclusion): only accept a server certificate
# that was issued for TLS server use. Needs the NAS certificate to carry that
# extended key usage (Let's Encrypt certificates do); if the connection fails
# after uncommenting this, the certificate lacks it.
#remote-cert-tls server
-----BEGIN CERTIFICATE-----
[YOUR CERTIFICATE WILL BE HERE. LEAVE THIS ALL AS DEFAULT]
-----END CERTIFICATE-----

12. Save the configuration file and add it to any devices that you’d like to test the VPN connection with. I normally test with my cellphone, because testing from inside your own LAN usually fails: the connection has to come in through the router’s WAN side. You MUST test from an external network (a cell phone or its hotspot is a great option).
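Because the author keeps two profiles (split and full tunnel) and the exported file needs the same handful of edits every time, here is an added example (the editor’s, not Synology’s or the author’s code) that generates both variants from the exported template and flags the directives that will not work in a client. EXPORTED_TEMPLATE is a constructed stand-in for the exported OpenVPN.ovpn (the real one carries a genuine certificate), and the hostname mynas.synology.me and DNS address 192.168.1.2 are placeholders.

```python
"""Generate split- and full-tunnel client profiles from Synology's exported
OpenVPN.ovpn and flag directives that do not belong in a client profile.

Added example (the editor's, not Synology's or the tutorial author's code).
EXPORTED_TEMPLATE is a constructed stand-in for the exported file; the
hostname, DNS address and certificate text are placeholders.
"""

# Directives that only make sense in 'mode server'. OpenVPN 2.4+ clients abort
# with "Options error: ... require --mode server" if they appear in a profile.
SERVER_ONLY = {"client-cert-not-required", "verify-client-cert"}

EXPORTED_TEMPLATE = """\
dev tun
tls-client
remote YOUR_SERVER_IP 1194
#float
#redirect-gateway def1
#redirect-gateway ipv6
#dhcp-option DNS DNS_IP_ADDRESS
pull
proto udp
script-security 2
comp-lzo
reneg-sec 0
cipher AES-256-CBC
auth SHA512
auth-user-pass
client-cert-not-required
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""


def build_profile(template, server_host, *, full_tunnel=False, dns=None,
                  ios=False, verify_server=False):
    """Return (profile_text, notes) for one client variant of the template."""
    out, notes = [], []
    for raw in template.splitlines():
        line = raw.strip()
        word = line.split()[0] if line else ""
        if word == "remote":
            line = line.replace("YOUR_SERVER_IP", server_host)
        elif line == "#redirect-gateway def1" and full_tunnel:
            line = "redirect-gateway def1"
        elif line.startswith("#redirect-gateway ipv6") and full_tunnel and ios:
            line = "redirect-gateway ipv6"        # def1 alone leaves IPv6 outside the tunnel
        elif line.startswith("#dhcp-option DNS") and dns:
            line = f"dhcp-option DNS {dns}"
        elif word in SERVER_ONLY:
            notes.append(f"dropped server-only directive '{word}'")
            continue
        elif word == "comp-lzo":
            notes.append("comp-lzo: compression inside the tunnel is what VORACLE "
                         "abuses; remove it if the server side does not require it")
        elif word == "<ca>":
            # Client-side additions go just before the certificate block.
            out.append("setenv CLIENT_CERT 0")        # OpenVPN Connect: no client cert expected
            if verify_server:
                out.append("remote-cert-tls server")  # server cert must carry the TLS server EKU
                # 'name' type matches the certificate's Common Name exactly.
                out.append(f"verify-x509-name {server_host} name")
        out.append(line)
    text = "\n".join(out) + "\n"
    if "YOUR_SERVER_IP" in text:
        notes.append("placeholder YOUR_SERVER_IP still present")
    if not verify_server:
        notes.append("no remote-cert-tls/verify-x509-name: client will log the MITM warning")
    return text, notes


if __name__ == "__main__":
    host = "mynas.synology.me"  # placeholder DDNS hostname
    for name, opts in (("split", {}),
                       ("full", {"full_tunnel": True, "ios": True,
                                 "dns": "192.168.1.2", "verify_server": True})):
        text, notes = build_profile(EXPORTED_TEMPLATE, host, **opts)
        print(f"--- {name}.ovpn ---\n{text}notes: {notes}\n")
```

Feed it the real exported file instead of EXPORTED_TEMPLATE and write each result out as its own .ovpn. The verify_server option is what turns the MITM warning discussed in the conclusion into an actual check; keep it off only if the NAS certificate turns out not to be issued for TLS server use.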

6. Synology NAS OpenVPN Client Configuration and Testing

Now that we have configured everything, we need to test our connection. Download the OpenVPN client on your cell phone or on a PC that you can connect to a different network. Remember, you must be connected to a different network to test this.

13. Download the OpenVPN client software for your device here.

14. Select the add button at the bottom and then choose File. You should be prompted to browse for the .ovpn file we edited earlier. Import the file, then log in with your DSM username and password.

VPN14

15. You should be able to connect to your VPN now.

VPN15

16. I am going to show two examples below. First, I am connected to my VPN server using my split-tunnel configuration. You can see that my external IP address belongs to my mobile carrier (as I am accessing an external webpage).

VPN17

17. In this screenshot, I am connected to my VPN server using my full-tunnel configuration. My external IP address is my home ISP’s, as all traffic is being routed through my home network.

VPN16

Both split-tunnel and full-tunnel connections let you reach your local resources, but use the full tunnel when the goal is to protect your traffic from the network you’re on (public Wi-Fi, for example): with a split tunnel, everything not destined for your home network still leaves the hotspot unprotected.

7. Static Route Configuration - Synology NAS OpenVPN Setup

This step is only needed if devices on your home network must initiate connections to VPN clients (for example, to reach a laptop that is connected to the VPN).

Your home LAN and the VPN clients are on different subnets (in my case 192.168.1.X and 10.5.0.X). A VPN client can already reach the LAN, because the NAS handles that direction, but a LAN device has no idea that 10.5.0.X lives behind the NAS and sends those packets to its default gateway, the router, instead. The fix is a static route on the router: destination 10.5.0.0/24 (whatever Dynamic IP range you set in the OpenVPN settings), gateway the IP address of your Synology NAS (since that’s where the VPN is running). I cannot go over the exact steps, as each router is different, but below is a screenshot of the static route that I configured.

StaticRoute

8. Synology NAS OpenVPN Setup - Conclusion

This was a long tutorial with a lot of steps. Configuring Synology’s VPN Server lets you securely connect to your home network to reach your NAS and local resources, and it completely removes the need for QuickConnect or for exposing the NAS’s own services to the internet (which is a security risk): the only port open to the world is the VPN’s. As an added benefit, the full-tunnel connection also protects your traffic when you’re on public Wi-Fi!

There’s one thing I want to mention about the security of this VPN. Synology does a pretty poor job of letting you configure it as securely as possible. The exported profile checks the server only by verifying that its certificate chains to the embedded certificate; it contains no remote-cert-tls server (or verify-x509-name) line, which is exactly why OpenVPN clients log “WARNING: No server certificate verification method has been enabled” when they connect. Technically, that leaves you exposed to a man-in-the-middle attack by anyone who can present another certificate from the same issuer. A lot has to happen for that to be exploited, but it is a valid concern. You can close the gap yourself by adding remote-cert-tls server to the client profile (it works when the NAS certificate carries the TLS server extended key usage, which Let’s Encrypt certificates do, and refuses to connect otherwise); if the NAS uses a public-CA certificate, add verify-x509-name with your hostname as well, since any certificate from that CA would otherwise be accepted. If complete security is your top concern, I would look into running OpenVPN on a Raspberry Pi or your router (if applicable) with per-client certificates. The device running OpenVPN doesn’t really matter, it just needs to let you easily issue and manage the server and client certificates.

If you have any questions, please leave them in the comments! If you liked the content, please share it!

This Post Has 181 Comments

  1. Hi WT,

    Your instructions are very clear to follow and I’m finally able to set up my OpenVPN and connect to it. But I did encounter some questions/problems throughout the process.

    1. I understand and tested out the “client-cert-not-required” setting, but my question is that when I leave it as “”, I get different output when connecting on different platforms. Why is that?
    – On my Win7 PC with Windows OpenVPN GUI, I can connect but took a little longer for some reason.
    – On my Android device, it did show the “Select Certificate” message but was able to connect after selecting Continue. The connection took just a few seconds.
    – On my iOS device, it didn’t show the error message but instead just connected directly and also took just a few seconds.

    2. Once I connected, I was having issues actually accessing the shared folder no matter what I tried. In the end I had to set up port forwarding and enable the firewall rule for Windows File Server in order to access it. The question is that, based on several other tutorials, they are able to access it without going through these settings. Did I mess up somewhere?

    3. In your tutorial, you are able to connect to DSM with the local IP and port, but I can’t seem to do that even with my firewall and port forwarding set up already. However, if I’m on the actual local network, I can access DSM with the local IP just fine. What could be the reason behind it?

    1. Hello!

      1. The timing will be slightly different, so I wouldn’t worry too much if one is quicker than the other. As for the “client-cert-not-required” option, it’s now deprecated. I need to update the documentation (thanks for reminding me), but you can use this option instead:

      --verify-client-cert none

      2. You should NOT need to port forward anything to access the services. Are you connecting via IP address or hostname? Can you ping the other servers?

      3. It would probably be a good idea to take a step back and make sure that you’re successfully connecting (check inside of the VPN Server application). It almost sounds like you’re not successfully connecting.

      1. 1. Thanks for the new option and just to confirm, you mean to type it as below right?
        verify-client-cert none
        2. I’m connecting using my NAS local IP and mapped it like \\192.168.1.100\home. But I can’t seem to ping the server when connected with VPN.
        3. I checked in DSM under the VPN Server app and it shows the connected devices from different platforms.
        I tried looking it up on Google again and apparently someone mentioned turning off DoS protection/blocking in the router settings. I did that together with removing the WFS port forwarding on the router and the firewall rule in DSM. Turns out these did the trick.
        The connection time on my Win7 PC got a significant boost compared to before and I can access the mapped drive almost instantly. However, I still can’t ping my server or any remote client for some reason and I’m not sure what in my DoS protection setting is causing the issue.

        1. 1. Yes, that is correct!
          2. If you can’t ping the NAS, there is some sort of problem. Did you select the option to allow access to the LAN? Any firewall that could be blocking traffic?
          3. If the device is connected, I’d look at the firewall and see if there are any rules blocking access from that subnet. If not, you’re going to have to try and isolate what could be blocking it (since you’re able to connect to the VPN).

  2. You’re right about the firewall. Apparently it’s my Synology NAS firewall that is blocking the ICMP protocol. I can now ping any network devices without any issue.
    The only problem now is that my Windows File Explorer is not showing any network devices on the VPN side, including my Synology NAS. Per Synology Support, it seems like it’s not possible to show the Synology NAS through a VPN connection. Not sure if this happened to you and if it’s the same on all other network devices as well?

    1. Are you using network discovery for that? You should be able to access everything on the NAS. Are you able to connect via SMB?

  3. Great tutorial, very thorough.

    When I followed your instructions my Android devices can connect with my NAS just fine. However, my Windows 10 laptop using the same ovpn file cannot. The error log contains:

    DEPRECATED OPTION: --client-cert-not-required, use --verify-client-cert instead
    Options error: --client-cert-not-required and --verify-client-cert require --mode server

    So I substituted:
    verify-client-cert none

    Which results in the same log entry. I’ve tried OpenVPN versions 2.4.6 and 2.5.2 with the same results

    If I leave the option out altogether it connects but I get a Warning.

    How should I proceed?

    Thanks.

    1. Are you able to proceed through the error and it works, or the error holds up connecting altogether? You aren’t on the same network as the VPN server, right? You need to make sure you’re testing from a network outside of your local network.

      1. Correct, I’m not on the LAN. I’m using my phone as hotspot for the laptop to connect to the internet.

        If I leave the ‘verify-client-cert none’ option in, I cannot connect and get the log entry posted above. But as I mentioned above, if I leave the option out altogether it connects but I get a Warning in the log file. The warning is as follows:

        WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm

        FWIW the OpenVPN server is on my Synology NAS from which I generated the .opvn file using the Synology’s certificate.

        Thanks in advance for any advice.

        1. This is really nothing other than an assumption, but I am suspecting that the command isn’t working because Synology hasn’t updated their OpenVPN package inside of VPN Server. That would explain why a “new” command isn’t being recognized. If “client-cert-not-required” doesn’t work and the new command doesn’t work either, it might just be worth clicking through the error. I do think that there’s a chance (maybe in DSM 7) that the application is updated to recognize that command, but that’s just a hope. I will try and do some testing at some point to see if I can get “verify-client-cert none” to work. I always used “client-cert-not-required” and it worked properly for me.

  4. Great help. I had set up my VPN and it worked well, but I was looking for the configuration to access the VPN client (aka another remote NAS).

    Found the solution what to put into my firewall here. Thanks!

    Just one additional question: I am using L2TP/IPSec instead of OpenVPN, and the VPN-Client-NAS must reconnect every night due to IP change by the provider (no static IP there yet 🙁 ). After approx. 50 successful attempts this procedure fails, and I have to restart the IPSec server. Has anyone experienced similar issues?

    1. I haven’t seen that error, though I don’t use L2TP/IPSec. I assume that you’re using DDNS so that it automatically gets the new IP address?

  5. I am having the same experience. The log says: Options error: --verify-client-cert requires --mode server. The status says: Connecting to management interface failed. It also says: OpenVPN exited with error: exit code =1

    1. If you remove that line entirely and click through the error, does it allow you to connect?

      1. Yes, thanks!

  6. Great instructions. I have a different setup. My ISP provided me an IPv6 DS-Lite connection. Port forwarding from the router to the NAS does not work anymore. What I did is a connection with my own domain using a VPS server and 6tunnel. Any chance to set up a VPN as well with this setup? Thanks again

    1. I haven’t personally seen a way that you can get that working, but I’m sure that it’s technically possible somehow. Though it wouldn’t be a traditional setup process/procedure since you’d have to try and form some connection between the VPS and your local network. You might have more luck trying to run this on a dedicated Linux machine since the NAS might limit your options. Again, just guesses unfortunately. Sorry for not being much help!

  7. Thanks for the great video. I have a 3-year-old Netgear Orbi RBK50 mesh router and strangely the “Advanced Setup” disabled the “Port Forwarding/Port Triggering” and “VPN Service” functions. Any idea why this is happening?

    1. Unfortunately, I’m not familiar with that router. Is there any type of product that they have that might be closing them to try and “protect” you?

  8. Just a comment on a setting I was stuck for a while: I was able to access my home network by IP but not any website by DNS. I was using Pi-Hole as DNS server and I had to turn on “Listen on all interfaces, permit all origins” on Pi-Hole settings / DNS configuration. Otherwise my requests over VPN were being ignored.

    1. Thank you for sharing that! Very helpful!

  9. Hi WunderTech, great tutorials! I’ve been following your other tutorials as well.
    I believe I followed all the steps and watched the video quite a few times, but unfortunately I’m not able to get OpenVPN to work.
    I tried to use my iPhone’s cellular data as a hotspot and connect from my PC to test it.

    ### 1. when testing on a Linux client:
    ```
    openvpn --config /path/to/VPNConfig.ovpn
    WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    TCP/UDP: Preserving recently used remote address: [AF_INET]my.ip.address:1194
    UDP link local (bound): [AF_INET][undef]:1194
    UDP link remote: [AF_INET]my.ip.address:1194
    TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    TLS Error: TLS handshake failed
    SIGUSR1[soft,tls-error] received, process restarting
    ....keep repeating these messages ....
    ```
    note I have commented out the “client-cert-not-required” line due to the “--server mode” error

    ### 2. when testing on a Win10 client:
    after dragging in the same .ovpn file, it pops up a window for the certificate, I choose “continue”, then it keeps waiting, the log says:
    Connecting to [my.ip.address]:1194 (my.ip.address) via UDPv4
    EVENT: CONNECTION_TIMEOUT BYTES_OUT: 840 PACKETS_OUT: 60 CONNECTION_TIMEOUT:1 N_RECONNECT:5
    then it keeps saying “connection failed to establish within given time”, “Retry / Cancel”

    I tried to disable the firewall temporarily, which didn’t work. I also tried to turn on other related port forwards besides just 1194, which also didn’t work.
    please advise?

    1. The first thing to check would be to ensure that the port is opened properly. Can you check this website, enter in your external IP address and then port 1194 and confirm that it’s open? https://www.ipvoid.com/udp-port-scan/

      1. Thank you, from the website you provided, it said:
        Port Type Status Service
        1194 UDP Open|filtered openvpn

  10. some extra info if it could be helpful:
    – I can connect to openVPN if I change the UDP to TCP protocol without a problem!

    – I suspect it is a MTU issue, I have router port 1194 open to both UDP and TCP, then tried http://www.letmecheck.it/mtu-test.php with my Synology external IP; report:
    Sending 32 bytes to nas.external.ip.address 1472 fails): ping -f 192.168.***.*** -l 1472
    where 192.168.***.*** is my NAS internal IP address.

    – also tried to test UDP connection from linux machine when connecting to my phone’s cellular network:
    $:nc -vzu nas.external.ip.address 1194
    Connection to nas.external.ip.address 1194 port [udp/openvpn] succeeded!
    $:nc -vzu nas.external.ip.address 1234 #a random port
    Connection to nas.external.ip.address 1234 port [udp/*] succeeded!

    1. That’s interesting. So when you connect via TCP, does it work properly? Meaning can you access everything? Do you think there’s any chance your ISP is limiting traffic on UDP 1194?

      1. I am not sure about the ISP and port restriction, and I feel it is probably not the reason. I feel this is beyond my knowledge, and will accept the gently slower and less safe TCP for now and see whether a future package update can solve this issue. Thank you for the great feedback! I will keep watching your channel! –Chui

        1. Absolutely nothing wrong with using TCP, so I wouldn’t view it as a downside. Glad you have it working!
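
The threads above keep circling the same three client-side failures. Here is an added example (the editor’s, not the tutorial author’s) that triages OpenVPN client log lines into those failure modes. The regular expressions match the wording of real OpenVPN 2.x client messages; the diagnoses are the editor’s summary of what the comments found, and SAMPLE_LOG is constructed from the messages quoted above with a documentation address (203.0.113.10) substituted for the poster’s IP.

```python
"""Triage OpenVPN client log lines against the failure modes seen in this thread.

Added example (the editor's, not the tutorial author's). The patterns match
real OpenVPN 2.x client messages; SAMPLE_LOG is constructed from the messages
quoted in the comments, with a documentation address substituted.
"""
import re

SERVER_ONLY_DIRECTIVE = ("a server-only directive (client-cert-not-required / "
                         "verify-client-cert) is in the client profile; delete that line")

RULES = [
    (re.compile(r"--(?:client-cert-not-required|verify-client-cert).*--mode server"),
     SERVER_ONLY_DIRECTIVE),
    (re.compile(r"DEPRECATED OPTION: --client-cert-not-required"),
     SERVER_ONLY_DIRECTIVE),
    (re.compile(r"No server certificate verification method has been enabled"),
     "profile has no remote-cert-tls/verify-x509-name line; the server is only "
     "checked against the embedded CA (the MITM warning)"),
    (re.compile(r"TLS key negotiation failed to occur within \d+ seconds|CONNECTION_TIMEOUT"),
     "no reply from the server: check the UDP 1194 port forward, the DSM firewall "
     "rule, and whether the network you are on passes UDP (try proto tcp)"),
    (re.compile(r"AUTH_FAILED"),
     "credentials rejected: wrong DSM password or the user lacks the OpenVPN privilege"),
]

# Constructed from the log excerpts posted in this thread.
SAMPLE_LOG = """\
Options error: --verify-client-cert requires --mode server
WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
TCP/UDP: Preserving recently used remote address: [AF_INET]203.0.113.10:1194
UDP link remote: [AF_INET]203.0.113.10:1194
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting
"""


def triage(log_text):
    """Return the distinct diagnoses found in `log_text`, in order of first appearance."""
    found = []
    for line in log_text.splitlines():
        for pattern, diagnosis in RULES:
            if pattern.search(line) and diagnosis not in found:
                found.append(diagnosis)
    return found


if __name__ == "__main__":
    for i, diagnosis in enumerate(triage(SAMPLE_LOG), 1):
        print(f"{i}. {diagnosis}")
```

Pipe a client log into triage() and you get the same three answers the thread arrived at by hand: remove the server-only line, the MITM warning is about the missing remote-cert-tls line rather than a broken connection, and a TLS handshake timeout means the server never answered on UDP 1194.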
