How to configure OpenVPN server and L2TP IPsec on Synology NAS

The very first thing we should do to correctly configure the VPN server on a Synology NAS is to configure dynamic DNS. Home connections normally have a dynamic public IP, which means it changes with every restart of the router or after a certain time. Therefore, so as not to have to always know our IP address, it is necessary to use a dynamic DNS.

Most routers let you use a dynamic DNS from DynDNS or No-IP, among others. If you have replaced the router from your Internet provider, you will likely have a router with the manufacturer's own dynamic DNS; in any case, you can always get one completely free at No-IP or other providers. If you do not have a dynamic DNS, Synology provides us with a completely free one and, in addition, we have access to different Synology domains.

This tutorial was made using the Synology DS720+ NAS server that we have previously reviewed on RedesZone.

Step 1: Configure DDNS and access with dynamic DNS

To configure Synology's dynamic DNS, or that of any other provider, we must go to «Control Panel / External Access». In this menu we go to «DDNS» and click on «Add».

Once we have clicked on “Add”, a menu appears where we must choose the service provider; in our case we have chosen Synology since it is completely free. We pick the host name we want; logically it must be available, so if it is taken by another user we will not be able to use it. We must also choose the domain; by default it is “”.

Right below we have to log in to or register a Synology account, otherwise we will not be able to use the manufacturer's DDNS service. It is important to have “Heartbeat” enabled so that Synology notifies us if there is any kind of problem. Just below we will see the external IPv4 address that we currently have, and also the IPv6 address if we reach the Internet over that protocol.

If you want to use a different domain such as “”, you can also select it from the drop-down list.

Once configured, tick “If you check here, you accept the terms of service”, and click on “OK” to add it. Before finishing, it will ask whether we want to create an SSL certificate with Let's Encrypt; we can do it or not, as this decision does not affect the dynamic DNS service or the VPN connection at all.

Once our DDNS service is running, it is time to configure the VPN server, both with the OpenVPN protocol and with L2TP / IPsec.

OpenVPN server configuration

To configure the OpenVPN server, the first thing we have to do is install the application that provides the different services. We go to «Package Center», search for «VPN Server» and install it like any normal application, until it appears in the list of packages installed on the NAS server.

Within «VPN Server» we can see the general status of the three VPN servers that we can run simultaneously. We can also see the list of connections in real time, a small log that tells us if there is a problem and when the different VPN clients connected and disconnected, and a general configuration in case we are using both Gigabit ports, so that the VPN service works on only one interface.

Finally, «Privilege» is where we can give permissions to the different local users that we have created on the NAS server. This is very important: we may have some users that we do not want to have VPN access, and this is where we allow or deny such access.

We are going to configure the OpenVPN server. To do this we go to the “OpenVPN” section and enable the server. Now we have to choose several parameters:

  • Dynamic IP address: the first thing we must choose is the VPN subnet; we can leave the default or change it to any private addressing network that we want.
  • Maximum number of connections: we can configure the maximum number of simultaneous connections to the VPN server that we have configured.
  • Maximum number of connections for an account: we can configure the maximum number of simultaneous connections to the VPN server from the same username / password. For example, we can use the same username and password on the computer, on our smartphone and also on a tablet; this would count as three simultaneous connections.
  • Port: we must choose a port number; by default it is 1194, but we can change it to whatever we want. It is highly recommended to change it to a different one, since attackers may try, unsuccessfully, to connect to the OpenVPN server because it is on the default port.
  • Protocol: we can choose between UDP or TCP; UDP is recommended because it is faster and usually gives fewer problems and better performance in the connection.
  • Encryption: AES-256-CBC is a strong cipher; other ciphers are available, but they are not recommended. We leave it at that.
  • Authentication: SHA512, one of the best available. We leave it at that.

At the bottom we have more configuration options. In our opinion, it is recommended to disable VPN link compression: attacks have been carried out taking advantage of this type of compression, and there is not much gain in speed. We can also give clients the ability to access the server's LAN; if we want to access the resources of the local network, we must enable it.

Open the chosen port and protocol on the router

Once we have decided on the port and the TCP or UDP protocol, we must go directly to our router and open that port towards the IP address of the Synology NAS server. Otherwise, we will not be able to connect from the Internet to our OpenVPN server. In RedesZone we have made a complete tutorial on how to open TCP or UDP ports on any router. By following those same steps, whatever router you have, you can do it without problems. The only things you need to be clear about are: the OpenVPN port, the OpenVPN protocol (TCP or UDP), and the private IP address of the NAS server.

An important detail is that if your operator has you behind CG-NAT, you will not be able to connect or open ports on your router; your operator must give you a public IP, no matter what. Once the port is open, we can continue with the tutorial to connect.

Connect to the OpenVPN server from Windows, Mac or other device

When we have configured it as we want, click on “Apply”, and then click on “Export configuration”.

It will export a compressed OpenVPN .zip file; inside we have the ca.crt, a README file and also the VPNConfig configuration file.

At this point, we must download the official OpenVPN client, whether for Windows, Linux, Mac, Android or iOS. We recommend accessing the official OpenVPN website, where you will find all the available downloads.

Once downloaded, the “VPNConfig” file must be edited by following the README instructions that are also included. Basically, what we have to do is edit two directives. The first is the one responsible for connecting to the OpenVPN server remotely:

remote YOUR_DDNS_HOSTNAME 11944

In place of YOUR_DDNS_HOSTNAME we must put the dynamic DNS name that we created earlier. We can also redirect all Internet traffic through the VPN; to do so we must uncomment the directive “redirect-gateway def1” by removing the # in front of it. Once these changes are made, we save the file and double-click it, since OpenVPN will automatically recognize it.
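To check the edited profile before importing it, the following added example (not part of the original tutorial or of Synology's README) parses the client file and compares it with the settings chosen above. The sample profile is constructed, and both the `YOUR_` placeholder prefix and the presence of `cipher` / `auth` lines in the exported file are assumptions.

```python
# Added example: audit an edited OpenVPN client profile against this tutorial's choices.
# SAMPLE_PROFILE is constructed for illustration; it is not Synology's exported file.
SAMPLE_PROFILE = """\
dev tun
proto udp
remote YOUR_SERVER_IP 1194
#redirect-gateway def1
cipher AES-256-CBC
auth SHA512
comp-lzo
auth-user-pass
"""

COMPRESSING = {"lzo", "lz4", "lz4-v2"}  # "compress" arguments that really compress

def parse_directives(text):
    """Map each active directive to its argument list; '#' and ';' lines are comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            directives[name] = args
    return directives

def audit_profile(text, full_tunnel=True):
    """Return a list of findings; an empty list means the profile matches the tutorial."""
    d, findings = parse_directives(text), []
    remote = d.get("remote", [])
    if len(remote) < 2 or not remote[1].isdigit():
        findings.append("remote: needs '<ddns-name> <port>'")
    else:
        if remote[0].upper().startswith("YOUR_"):  # assumed placeholder style
            findings.append("remote: placeholder host not replaced")
        if remote[1] == "1194":
            findings.append("remote: still on default port 1194")
    for name, wanted in (("cipher", "AES-256-CBC"), ("auth", "SHA512")):
        if d.get(name) != [wanted]:
            findings.append(f"{name}: expected {wanted}, found {d.get(name)}")
    if ("comp-lzo" in d and d["comp-lzo"] != ["no"]) or \
            (COMPRESSING & set(d.get("compress", []))):
        findings.append("compression: enabled, tutorial disables it")
    if full_tunnel and "redirect-gateway" not in d:
        findings.append("redirect-gateway: commented out, traffic is split-tunnel")
    return findings

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("FINDING:", finding)
```

Pass `full_tunnel=False` when only the NAS and LAN resources should go through the VPN, so the commented-out `redirect-gateway` line is not reported.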

If the file is not recognized, we must move the VPNConfig file directly to the path «C:\Users\Bron\OpenVPN\config» on Windows operating systems; the README also contains the instructions for doing it on Mac. Once this is done, we can right-click on the icon in the bottom right-hand bar of Windows and click on «Connect».

When connecting, it will ask us for a username and password, which correspond to the user credentials that we have created on the NAS server.

After a few seconds, we will have connected to the VPN server correctly and without any problem.

If we log in to the Synology NAS server, we can see the status of the OpenVPN server, the client that has connected, and also the log of the connection and of the OpenVPN server itself.

As you have seen, it is very easy to configure an OpenVPN server on a Synology NAS. The only things we must keep in mind are opening the ports on the router and making sure that the firewall of the NAS server allows incoming connections, if necessary. Otherwise we will not be able to connect either. By default the NAS firewall is disabled.

L2TP / IPsec VPN Server Configuration

If, instead of using OpenVPN, you want to use the L2TP / IPsec protocol, Synology's DSM operating system also supports this type of VPN. In this case, we go to the “L2TP / IPsec” section and enable the server, where we have the following options:

  • Dynamic IP address: the subnet where the VPN clients will be; we can leave the default as it is, as long as it does not coincide with any real network.
  • Maximum number of connections: we can configure the maximum number of simultaneous connections to the VPN server that we have configured.
  • Maximum number of connections for an account: we can configure the maximum number of simultaneous connections to the VPN server from the same username / password, as with OpenVPN.
  • Authentication: MS-CHAP v2, we leave it at that.
  • MTU: 1400, we leave it at that.
  • Shared key: this is the key that all clients wanting to connect to the L2TP / IPsec server will have to enter; it is shared among all of them, and it is highly recommended that it be a strong password. On mobile devices or client programs, it will be shown as “IPsec pre-shared key” or something similar; it refers precisely to this.

Finally, we have the option to enable a compatibility mode, although if the VPN client meets the standard it should not be necessary to activate it.

Once we have configured everything, click on “Apply”, and it will point out something very important: we have to open several ports for the VPN connection to work correctly, both in the firewall configuration of the Synology NAS (if we have it activated) and in our router if we want to access remotely.

We have to open the next ports on our router:

  • Port 500 UDP
  • Port 4500 UDP
  • Port 1701 UDP

The process for opening these ports is the same as for OpenVPN, but instead of opening a single TCP or UDP port, we must open a total of three UDP ports, and specifically these ones; there is no possibility of choosing different ones, as there was with OpenVPN.

Once we have done this, we can access our NAS server through the L2TP / IPsec VPN, and also all the shared resources of the local network if we want.