How to set up the Synology NAS as the VPN Server

Overview

A VPN (virtual private network) is a private network that uses a public network infrastructure (usually the Internet) to provide secure and encrypted connections for data transmission. Businesses often implement a VPN so that employees can securely access servers or other resources located within the company's private network even when they are traveling or at home.

With Synology's VPN Server package, your DiskStation can become a VPN server, allowing DSM users to remotely and securely access resources shared within the DiskStation's local area network. By integrating common VPN protocols - PPTP, OpenVPN, L2TP/IPSec - VPN Server provides options to establish and manage VPN service tailored to your individual needs.

In the guide below, we'll teach you how to get started with Synology's VPN Server.

Contents

  1. Before you start
  2. Install VPN Server
  3. Set up VPN Server
  4. Test your settings

1. Before you start

This article assumes that you have already done the following:

  • Set up your Synology DiskStation and installed Synology DiskStation Manager (DSM). (For details, please see the Quick Installation Guide for your model.)
  • If you want to connect to VPN Server from outside your local network, you'll need to configure port forwarding and make your DiskStation accessible over the Internet. (For more about easily setting up port forwarding, please see this tutorial about EZ-Internet.) 

Note: Only DSM users belonging to the administrators group can install and set up VPN Server.

2. Install VPN Server

Follow the steps below to install VPN Server on your DiskStation.

  1. Log into DSM with an account belonging to the administrators group.
  2. Go to Main Menu > Package Center to find and install VPN Server. For detailed instructions regarding package installation, please see this tutorial.

3. Set up VPN Server

Now go to Main Menu > VPN Server to open VPN Server. On the left panel, you'll see the following commonly used protocols: PPTP, OpenVPN, and L2TP/IPSec. In the sections below, we'll explain how to get started with each protocol.

3.1 PPTP

PPTP (Point-to-Point Tunneling Protocol) is a commonly used VPN solution supported by most clients (including Windows, Mac, Linux, and mobile devices).

  1. Click PPTP under the Settings section on the left panel.
  2. Tick Enable PPTP VPN server.
  3. Now modify the below advanced options according to your needs.
    • Dynamic IP address: Enter a network address here. VPN Server will assign virtual IP addresses to VPN clients according to the value entered. For example, if you enter "10.0.0.0," the virtual IP address assigned to VPN clients will range from "10.0.0.1" to "10.0.0.[Maximum connection number]" for PPTP.
    • Maximum connection number: Specify the maximum number of concurrent VPN connections.
    • Authentication: Choose one of the following options:
      • PAP: This authentication method does not encrypt VPN clients' passwords during authentication.
      • MS-CHAP v2: This authentication method encrypts VPN clients' passwords during authentication using Microsoft CHAP version 2.
    • Encryption: If you selected MS-CHAP v2 above, choose one of the following encryption options:
      • No MPPE: VPN connections will not be protected with any encryption mechanism.
      • Require MPPE (40/128 bit): VPN connections will be protected with a 40-bit or 128-bit encryption mechanism, depending on the client's settings.
      • Maximum MPPE (128 bit): VPN connections will be protected with a 128-bit encryption mechanism, which provides the highest level of security.
    • MTU: Specify the maximum transmission unit to limit the size of data packets transmitted via the VPN.
    • Use manual DNS: Specify the IP address of a DNS server to push to VPN clients. If this option is disabled, the DNS server used by the DiskStation will be pushed to clients.
  4. Click Apply.
Note:
  • When connecting to the VPN, the authentication and encryption settings of VPN clients must be identical to the settings specified on VPN Server, or else clients will not be able to connect successfully.
  • To be compatible with most PPTP clients running Windows, Mac OS, Mac iOS, and Android operating systems, the default MTU is set to 1400. For more complicated network environments, a smaller MTU might be required. Try to reduce the MTU size if you keep receiving timeout errors or experience unstable connections.
  • Check the port forwarding and firewall settings on your DiskStation and router to make sure TCP port 1723 is open.
  • PPTP VPN service is built-in on some routers, so port 1723 might be occupied. To ensure VPN Server works properly, you might need to disable the built-in PPTP VPN service through the router's management interface. In addition, some old routers block the GRE protocol (IP protocol 47), which will cause VPN connection failure. We recommend using a router that supports VPN pass-through.

3.2 OpenVPN

OpenVPN is an open source solution for implementing VPN. It protects the VPN connection with the SSL/TLS encryption mechanism.

  1. Click OpenVPN under the Settings section on the left panel.
  2. Tick Enable OpenVPN server.
  3. Now modify the below advanced options according to your needs.
    • Dynamic IP address: Enter a network address here. VPN Server will assign virtual IP addresses to VPN clients according to the value entered. For example, if you enter "10.0.0.0," the virtual IP address assigned to VPN clients will range from "10.0.0.1" to "10.0.0.[Maximum connection number]" for PPTP.
    • Maximum connection number: Specify the maximum number of concurrent VPN connections.
    • Use manual DNS: Specify the IP address of a DNS server to push to VPN clients. If this option is disabled, the DNS server used by the DiskStation will be pushed to clients.
    • Enable compression on VPN link: Enable this option if you want to compress data during transfer. This option can increase transmission speed, but might consume more system resources.
  4. Click Apply.
Note:
  • VPN Server does not support bridge mode for site-to-site connections.
  • Check the port forwarding and firewall settings on your DiskStation and router to make sure UDP port 1194 is open.
  • When using OpenVPN GUI on Windows Vista or Windows 7, please note that UAC (User Account Control) is enabled by default. If enabled, you need to use the "Run as administrator" option to properly connect with OpenVPN GUI.

3.3 L2TP/IPSec

L2TP (Layer 2 Tunneling Protocol) over IPSec provides virtual private networks with increased security and is supported by most clients (such as Windows, Mac, Linux, and mobile devices).

Note: To use L2TP/IPSec, make sure your DiskStation is running DSM 4.3 or later.
  1. Click L2TP/IPSec under the Settings section on the left panel.
  2. Tick Enable L2TP/IPSec VPN server.
  3. Now modify the below advanced options according to your needs.
    • Dynamic IP address: Enter a network address here. VPN Server will assign virtual IP addresses to VPN clients according to the value entered. For example, if you enter "10.0.0.0," the virtual IP address assigned to VPN clients will range from "10.0.0.1" to "10.0.0.[Maximum connection number]" for PPTP.
    • Maximum connection number: Specify the maximum number of concurrent VPN connections.
    • Authentication: Choose one of the following options:
      • PAP: This authentication method does not encrypt VPN clients' passwords during authentication.
      • MS-CHAP v2: This authentication method encrypts VPN clients' passwords during authentication using Microsoft CHAP version 2.
    • Use manual DNS: Specify the IP address of a DNS server to push to VPN clients. If this option is disabled, the DNS server used by the DiskStation will be pushed to clients.
    • IKE authentication: Enter and confirm a pre-shared key. This secret key should be given to the VPN user in order to authenticate the connection.
  4. Click Apply.
Note:
  • When connecting to the VPN, the authentication and encryption settings of VPN clients must be identical to the settings specified on VPN Server, or else clients will not be able to connect successfully.
  • To be compatible with most L2TP/IPSec clients running Windows, Mac OS, Mac iOS, and Android operating systems, the default MTU is set to 1400. For more complicated network environments, a smaller MTU might be required. Try to reduce the MTU size if you keep receiving timeout errors or experience unstable connections.
  • Check the port forwarding and firewall settings on your DiskStation and router to make sure UDP ports 1701, 500, and 4500 are open.
  • L2TP or IPSec VPN service is built-in on some routers, so ports 1701, 500 or 4500 might be occupied. To ensure VPN Server works properly, you might need to disable the built-in L2TP or IPSec VPN service through the router's management interface. We recommend using a router that supports VPN pass-through.
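
The port and protocol requirements from the notes in sections 3.1 to 3.3 can be checked against a firewall ruleset before testing. The script below is an added example, not Synology code: it assumes the rules are available as an iptables-save style dump with a default-drop INPUT chain (the sample rules are constructed), and it reports both what an enabled protocol still needs and what is left open for a protocol that is not enabled.

```python
import re

# Requirements per protocol, from the notes in sections 3.1 to 3.3.
# A port of None means the IP protocol itself (GRE has no ports).
REQUIRED = {
    "PPTP": [("tcp", 1723), ("gre", None)],
    "OpenVPN": [("udp", 1194)],
    "L2TP/IPSec": [("udp", 1701), ("udp", 500), ("udp", 4500)],
}

# Constructed sample in iptables-save format (assumption: default policy DROP).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
COMMIT
"""

def parse_accepts(rules_text):
    """Collect (proto, low, high) for every INPUT ACCEPT rule naming a protocol."""
    accepted = []
    for line in map(str.strip, rules_text.splitlines()):
        proto = re.search(r" -p (\S+)", line)
        if not line.startswith("-A INPUT") or "-j ACCEPT" not in line or not proto:
            continue
        name = "gre" if proto.group(1) == "47" else proto.group(1).lower()
        ports = re.search(r"--dports? (\S+)", line)
        # A rule without a port match accepts every port of that protocol.
        for spec in (ports.group(1).split(",") if ports else ["0:65535"]):
            low, _, high = spec.partition(":")
            accepted.append((name, int(low), int(high or low)))
    return accepted

def allowed(accepted, proto, port):
    return any(p == proto and (port is None or lo <= port <= hi)
               for p, lo, hi in accepted)

def audit(rules_text, enabled):
    """Return (missing, stale): requirements of enabled protocols that are not
    accepted, and accepted openings that only serve protocols not enabled."""
    accepted = parse_accepts(rules_text)
    missing = [n for name in enabled for n in REQUIRED[name]
               if not allowed(accepted, *n)]
    stale = [n for name in REQUIRED if name not in enabled
             for n in REQUIRED[name] if allowed(accepted, *n)]
    return missing, stale

if __name__ == "__main__":
    print(audit(SAMPLE_RULES, ["L2TP/IPSec"]))
```

With only L2TP/IPSec enabled, the sample ruleset is missing UDP 1701 and still accepts TCP 1723 for PPTP, which is not in use.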

4. Test your settings

Now that we've set up VPN Server, we should make sure the connection settings work properly. In this section, we'll test out an L2TP/IPSec connection using a device (e.g. computer, mobile phone) in the local network.

  1. If L2TP/IPSec has already been enabled, the status of the protocol should read Enabled. See the example screenshot below.
  2. Now go to the Privilege page to make sure the correct DSM users have permission to connect to VPN Server. For example, we want to allow the user account Achilles to connect via L2TP/IPSec, so we should make sure the appropriate checkbox has been ticked.
  3. Try connecting to VPN Server with another device. In this example, we'll use an Android smartphone. A VPN profile can be created and managed at Settings > Wireless & networks > VPN. Remember to select and enter the correct protocol, server address, and pre-shared key.
  4. After creating the profile, we'll connect to VPN Server using our DSM username and password.
  5. Assuming that all of the settings and login credentials are correct, the connected user will appear at VPN Server > Connection List.
