Synology NAS: Access Your LAN from Anywhere by Creating OpenVPN Server

May 20, 2022

approximately 5 minutes of reading

How convenient the idea of accessing all of your local data from anywhere in the world sounds like? In this article I will show you how to setup a VPN Server on your Synology NAS as a way to access your LAN from any remote location.

Creating New User

Let's start by creating a new user on our Synology NAS.

Why do we need this user account for?

The only purpose for this user is to establish VPN connection with the server.

Fill in only the *Name* and the *Password* inputs and click *Next*. Go through the remaining steps of the wizard without changing anything. Finally on the last page *Confirm settings* click *Done* to save changes and create new user.

Installing VPN Server

Go to the Package Center and search for vpn server. Install the application and open it once the status is running.

Next, go to the General Settings tab and uncheck Grant VPN permission to newly added local users.

Be sure to also enable *auto block* feature. Follow information on the screen to find out more.

Under Privilege tab, remove privileges to all users for all VPN servers except of granting it to the openvpn user under OpenVPN server type.

Enabling OpenVPN Server

Under Set up VPN Server section, click on the OpenVPN tab.

By default the port number is `1194`. There's no need to modify it unless you have a good reason. We will use this port number later for the port forwarding procedure.

Click on Enable OpenVPN server and ensure the Dynamic IP address does not conflict any of your existing network settings. Ensure what's the port number and enable the following settings:

Enable compression on the VPN link
Allow clients to access server's LAN

Last but not least click on the Export Configuration button to pull the openvpn.zip file. This file is crucial for clients to setup the connection and be able to establish communication with the OpenVPN server.

DDNS

Now the goal is to establish a static hostname (needed for the VPN connection) as a solution for our home public IP address that may be changed dynamically at any time by your ISP). Go to Control Panel and under External Access click on the DDNS tab.

Test the connection to ensure the status is *Normal*.

Under Service Provider pick a provider of your choice and type a Hostname you want to use for the VPN connection.

Port Forwarding

This part of the tutorial is going to be different for everybody, because of using different routers. Follow user's manual that is dedidated for your router to figure out how to set port forwarding on your device.

Under *Device* column, I have selected my Synology NAS.

Use port number 1194 and set protocol to UDP.

Configuration Adjustments

Extract previosly downloaded openvpn.zip and edit the VPNConfig.ovpn file.

The following code shows example content of this file.

dev tun
tls-client

remote yourhost.synology.me 1194

# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect it's
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

#redirect-gateway def1

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

dhcp-option DNS 192.168.1.4

pull

# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp

script-security 2

comp-lzo

reneg-sec 0

cipher AES-256-CBC

auth SHA512

auth-user-pass

setenv CLIENT_CERT 0
<ca>
-----BEGIN CERTIFICATE-----
[cut]
-----END CERTIFICATE-----
</ca>

Things to adjust in this file:

set remote line to the static hostname of your choice as well as the port you have selected in previous steps
ensure line #redirect-gateway def1 is commented out so that we use Split Tunnel instead of Full Tunnel (uncomment this line to change accordingly)
ensure line dhcp-option DNS is uncommented and contains the IP address of your Synology NAS
at the bottom of the file (but before the certificate), define a new variable setenv CLIENT_CERT 0 - this prevents a modal popup to appear because of missing external certificate

Save all changes to the VPNConfig.ovpn file (⌘+S).

Client Setup (macOS & iOS)

Download OpenVPN Connect for macOS. The App Store version for iOS is available for installation as well.

Once the profile is imported, provide the password you have set for the openvpn user.

Let's follow the same steps for an iOS device. First install the app from the App Store.

Locate the extracted content for the openvpn.zip file using Files app.

Tap on it to open using OpenVPN app.

Finally import the profile.

Import the profile and in the next step provide credentials for the `openvpn` user.

The Connection

Now let's assume that we are somewhere in a remote location and would like to access files on our NAS. I am going to share the LTE connection from my iPhone to iPad by using the Personal Hotspot option, so that I can pretend that I am outside of my LAN.

Go to OpenVPN app and connect to your NAS by enabling the VPN connection.

OK, so now what?

At this point, we have established a tunnel connection directly into your LAN. This means that all your local resources are available the same way as you would be connected to your home network. Go to Files app and mount any of your shared folder as usual.

Click on Connect to Server