Product Properties
Package name | VPN Server |
Application name | VPN Server |
Volume selectable | yes |
Dependencies | no |
Service name (SSH) | VPNCenter |
Shared Folder | no |
Home Folder | no |
Licensing | no |
Hyper Backup support | yes |
Certificate selection | yes |
Privileges | no |
Application portal | no |
Firewall port | TCP 1723 (PPTP), UDP 1194 (OpenVPN), UDP 1701, 4500, 500 (L2TP/IPsec) |
Date | 02 Feb 2022 |
Version | 1.4.4 |
DSM | 7.0.1 |
Functionality
The VPN Server package creates a VPN Server on your Synology DiskStation, and it allows VPN remote access into the DiskStation from any VPN client. The VPN Server supports PPTP, OpenVPN, and L2TP/IPSec connections.
Preparation
To set up a VPN connection successfully, you need to give your NAS a fixed or static IP address on the LAN. Next, you need to make a port forwarding rule for incoming traffic. The ports to forward depend on the VPN protocol you use. Last, you need to discover the external IP address of your internet router or, if it is not a static address, enable a DDNS service.
Installation
Install the package VPN Server from Package Center. This adds the VPN Server application to the main menu and installs a service.
During installation, the Firewall Notification screen may appear, depending on your firewall configuration, with the suggestion to enable ports. Enable only the ports for the VPN type that you intend to use, and click OK. In the case of OpenVPN, that is only UDP 1194.
If you use Hyper Backup on your NAS, consider adding the VPN Server application to a backup task.
Certificate
During installation, the VPN Server is automatically linked to the default certificate. To configure a different certificate, go to Control Panel > Security > Certificate and click on the Configure (DSM 6) or Settings (DSM 7) button.
The VPN Server uses the certificate mentioned above in the .ovpn configuration file for the VPN client. This file contains the certificate for the connection and must match the certificate in Control Panel. Therefore, be aware that when you change the certificate for the VPN Server in Control Panel all VPN clients that use a configuration made with the previous certificate will fail to connect.
Renewal of a current Let’s Encrypt certificate had no negative effect on connecting with an older configuration. Renewal renews the date of expiration but does not change the contents of the certificate.
Configuration
Start the VPN Server application from the main menu. In the left column you have a number of items, collected in two groups: Manage VPN Server and Set up VPN Server. Each will open a page at the right.
Manage VPN Server
- Overview
  gives a status overview of VPN, with IP range and number of connections
- Connection List
  shows the current VPN connections with the ability to disconnect a connection
- Log
  log of VPN connections with user name and IP address
- General Settings
  network interface used for VPN and account type
- Privilege
  where you configure which users have the privilege to use VPN, and which type of VPN
Set up VPN Server
- PPTP
  this is an older type of VPN which is less secure
- OpenVPN
  - Enable OpenVPN server
    this will switch the OpenVPN server on; if you would like to temporarily revoke the use of the VPN server, you can disable it here while retaining the configuration
  - Dynamic IP address
    this is the address of the VPN server on an internal network for VPN; the default address range for OpenVPN is 10.8.0.0/24 and the server is at 10.8.0.1; it routes to your internal network at home or office; only change this in case your internal network range is already 10.8.0.0/24
  - Maximum connection number
    default is 5, other options are 10, 15, 20, 25, or 30
  - Max connections of an account
    default is 3, you can choose any number up to the maximum connection number
  - Port
    default is 1194, but you can change it here; make sure you forward the same port in the router
  - Protocol
    default is UDP, other option is TCP; make sure you forward the same protocol in the router
  - Encryption
    default is AES-256-CBC, but there is a list of options available; however, the default is probably the best option
  - Authentication
    default is SHA512, but there is a list of options available
  - Enable compression on the VPN link
    default enabled; sounds like a good idea to keep it that way
  - Allow clients to access server’s LAN
    default disabled; when enabled, access over the VPN connection is not limited to the VPN server; seems necessary to enable this to access even resources on the VPN Server itself
  - Enable IPv6 server mode
    default disabled; when enabled, enter the prefix
  - Export configuration
    button to download the configuration files for the VPN to the computer
- L2TP/IPSec
  another secure VPN protocol
When ready click Apply for the changes to take effect. Notice that the Export configuration button is now available. Click the button and download openvpn.zip to your computer.
The openvpn.zip file contains the following files:
- README.txt
- VPNConfig.ovpn
configuration file for the VPN client
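A check on the exported VPNConfig.ovpn before it goes to clients, covering both the Certificate section and the OpenVPN settings listed above. This is an added example, not part of the original post or of Synology's software; it assumes the export carries the certificate inline in a <ca> block and uses the standard OpenVPN directives remote, proto, cipher and auth, and the sample file, the YOUR_SERVER_IP placeholder and the certificate bytes are constructed.

```python
import base64
import hashlib
import re

# Constructed sample, not a real export: the base64 body is placeholder bytes,
# not a valid X.509 certificate (a fingerprint is just SHA-256 over those bytes).
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed-placeholder-der").decode()
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_OVPN = f"""dev tun
remote YOUR_SERVER_IP 1194
proto udp
# redirect-gateway def1
cipher AES-256-CBC
auth SHA512
<ca>
{SAMPLE_PEM}</ca>
"""
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(text):
    """SHA-256 over the decoded bytes of every PEM certificate found in text."""
    return {hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(text)}

def parse_ovpn(text):
    """Return (directives, fingerprints of the certificates inside <ca>...</ca>)."""
    ca = re.search(r"<ca>(.*?)</ca>", text, re.S)
    plain = re.sub(r"<([\w-]+)>.*?</\1>", "", text, flags=re.S)  # drop inline blocks
    directives = {}
    for line in plain.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":  # skip blank lines and comments
            key, *args = line.split()
            directives[key] = args
    return directives, pem_fingerprints(ca.group(1) if ca else "")

def audit(ovpn_text, server_cert_pem, port="1194", proto="udp",
          cipher="AES-256-CBC", auth="SHA512"):
    """List mismatches between the client file and the server-side settings."""
    d, ca_fps = parse_ovpn(ovpn_text)
    remote = d.get("remote", [])
    expected = {"port": port, "proto": proto, "cipher": cipher, "auth": auth}
    actual = {k: (d.get(k) or [None])[0] for k in ("proto", "cipher", "auth")}
    actual["port"] = remote[1] if len(remote) > 1 else "1194"  # OpenVPN default
    findings = [f"{k} is {actual[k]}, server uses {v}"
                for k, v in expected.items() if actual[k] != v]
    if not ca_fps & pem_fingerprints(server_cert_pem):
        findings.append("<ca> does not contain the server certificate")
    return findings
```

Pass the certificate exported from Control Panel as server_cert_pem, and override port, proto, cipher or auth when the OpenVPN page shows values other than the defaults. An empty list means the client file agrees with the server.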
Logging and notification
The VPN Server has its own logging that you find in the application.
Stop and run
You can both stop and start the VPN Server service from the Package Center. Look it up among the installed packages. Select it and when Package Center opens its page, change its status with the arrow next to the Open button.
Uninstall and removal
Before you uninstall VPN Server make sure that it is not included in any backup task of Hyper Backup. Remove VPN Server from that task to prevent errors during backup.
From Package Center, open the VPN Server page. Choose Uninstall with the arrow next to the button. During uninstall, you can remove the VPN Server database.
Notes
This is only the server-side of the VPN setup. Additional steps are port forwarding in the router and installing and configuring the VPN client with openvpn.zip.
The app OpenVPN (https://openvpn.net/vpn-client/) can read the *.ovpn configuration file. When using this app, I can access all NAS devices on the local network (this is optional). There is only a single VPN server required and a single port forwarding. Aliases like /file, /drive, and /photo work via a VPN connection.
Paul Steunebrink / Storage Alchemist