Set up VPN Server

With the VPN Server package, you can easily turn your Synology NAS into a VPN server to allow DSM users to remotely and securely access resources shared within the local area network of your Synology NAS. By integrating common VPN protocols - PPTP, OpenVPN and L2TP/IPSec - VPN Server provides options to establish and manage VPN services tailored to your individual needs. To choose any of the following types of VPN server and to enable VPN services on your Synology NAS, install and launch VPN Server.

PPTP

PPTP (Point-to-Point Tunneling Protocol) is a commonly used VPN solution supported by most clients (including Windows, Mac, Linux, and mobile devices). For more information about PPTP, refer to here.

To enable PPTP VPN server:

  1. Open VPN Server and then go to Settings > PPTP on the left panel.
  2. Tick Enable PPTP VPN server.
  3. Specify a virtual IP address of VPN server in the Dynamic IP address fields. Refer to About Dynamic IP Address below for more information.
  4. Set Maximum connection number to limit the number of concurrent VPN connections.
  5. Set Maximum number of connections with same account to limit the number of concurrent VPN connections with the same account.
  6. Choose either of the following from the Authentication drop-down menu to authenticate VPN clients:
  7. If you selected MS-CHAP v2 for authentication above, choose any of the following from the Encryption drop-down menu to encrypt VPN connection:
  8. Set MTU (Maximum Transmission Unit) to limit data packet size transmitted via the VPN.
  9. Tick Use manual DNS and specify the IP address of a DNS server to push DNS to PPTP clients. If this option is disabled, the DNS server used by the Synology NAS will be pushed to clients.
  10. Click Apply for the changes to take effect.

OpenVPN

OpenVPN is an open source solution for implementing VPN service. It protects the VPN connection with the SSL/TLS encryption mechanism. For more information about OpenVPN, visit here.

To enable OpenVPN VPN server:

  1. Open VPN Server and then go to Settings > OpenVPN on the left panel.
  2. Tick Enable OpenVPN server.
  3. Specify a virtual internal IP address of VPN server in the Dynamic IP address fields. Refer to About Dynamic IP Address below for more information.
  4. Set Maximum connection number to limit the number of concurrent VPN connections.
  5. Set Maximum number of connections with same account to limit the number of concurrent VPN connections with the same account.
  6. Tick Enable compression on the VPN link if you want to compress data during transfer. This option can increase transmission speed, but might consume more system resources.
  7. Tick Allow clients to access server's LAN to permit clients to access the server's LAN.
  8. Tick Enable IPv6 server mode to enable OpenVPN server to send IPv6 addresses. You will first need to get a prefix via 6in4/6to4/DHCP-PD in Control Panel > Network > Network Interface. Then select the prefix in this page.
  9. Click Apply for the changes to take effect.

To export configuration file:

Click Export Configuration. OpenVPN allows VPN server to issue an authentication certificate to the clients. The exported file is a zip file that contains ca.crt (certificate file for VPN server), openvpn.ovpn (configuration file for the client), and README.txt (simple instruction on how to set up OpenVPN connection for the client). For more information, refer to here.

L2TP/IPSec

L2TP (Layer 2 Tunneling Protocol) over IPSec provides virtual private networks with increased security and is supported by most clients (such as Windows, Mac, Linux, and mobile devices). For more information about L2TP, refer to here.

To enable L2TP/IPSec VPN server:

  1. Open VPN Server and then go to Settings > L2TP/IPSec on the left panel.
  2. Tick Enable L2TP/IPSec VPN server.
  3. Specify a virtual IP address of VPN server in the Dynamic IP address fields. Refer to About Dynamic IP Address below for more information.
  4. Set Maximum connection number to limit the number of concurrent VPN connections.
  5. Set Maximum number of connections with same account to limit the number of concurrent VPN connections with the same account.
  6. Choose either of the following from the Authentication drop-down menu to authenticate VPN clients:
  7. Set MTU (Maximum Transmission Unit) to limit data packet size transmitted via the VPN.
  8. Tick Use manual DNS and specify the IP address of a DNS server to push DNS to L2TP/IPSec clients. If this option is disabled, the DNS server used by the Synology NAS will be pushed to clients.
  9. Enter and confirm a pre-shared key. This secret key should be given to your L2TP/IPSec VPN user to authenticate the connection.
  10. Click Apply for the changes to take effect.

About Dynamic IP Address

Depending on the number you entered in Dynamic IP address, VPN Server will choose from a range of virtual IP addresses while assigning IP addresses to VPN clients. For example, if the dynamic IP address of VPN server is set as "10.0.0.0", a VPN client's virtual IP address could range from "10.0.0.1" to "10.0.0.[maximum connection number]" for PPTP, and from "10.0.0.2" to "10.0.0.255" for OpenVPN.

Important: Before specifying the dynamic IP address of VPN server, please note:

  1. Dynamic IP addresses allowed for VPN server should be any of the following:
    • From "10.0.0.0" to "10.255.255.0"
    • From "172.16.0.0" to "172.31.255.0"
    • From "192.168.0.0" to "192.168.255.0"
  2. The specified dynamic IP address of VPN server and the assigned virtual IP addresses for VPN clients should not conflict with any IP addresses currently used within your local area network.
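
The two rules above can be checked before a value is typed into the Dynamic IP address field. The following Python sketch is an added example, not part of VPN Server or of Synology's documentation. The function name is hypothetical, and it assumes that the client pool is the /24 network starting at the dynamic IP address, that the last octet must be 0 (as the listed ranges suggest), and that any overlap with a LAN subnet counts as a conflict.

```python
import ipaddress

# Ranges the page lists as allowed for the Dynamic IP address field.
ALLOWED_RANGES = [
    ("10.0.0.0", "10.255.255.0"),
    ("172.16.0.0", "172.31.255.0"),
    ("192.168.0.0", "192.168.255.0"),
]


def check_dynamic_ip(dynamic_ip, lan_networks, protocol, max_connections=None):
    """Return (problems, first_client_ip, last_client_ip) for a candidate value.

    Hypothetical helper. lan_networks is a list of CIDR strings describing
    the subnets already in use on the local area network.
    """
    problems = []
    base = ipaddress.IPv4Address(dynamic_ip)
    if not any(ipaddress.IPv4Address(lo) <= base <= ipaddress.IPv4Address(hi)
               for lo, hi in ALLOWED_RANGES):
        problems.append("outside the allowed private ranges")
    if int(base) & 0xFF:
        # Assumption: every bound in the list ends in .0, so require that here.
        problems.append("last octet must be 0")
    # Assumption: the VPN pool is the /24 that starts at the dynamic IP address.
    vpn_net = ipaddress.IPv4Network((int(base) & 0xFFFFFF00, 24))
    for lan in lan_networks:
        if vpn_net.overlaps(ipaddress.IPv4Network(lan, strict=False)):
            problems.append(f"conflicts with LAN subnet {lan}")
    # Client ranges as given in the page's example for "10.0.0.0".
    if protocol == "pptp":
        if not max_connections:
            raise ValueError("PPTP range depends on the maximum connection number")
        first, last = 1, max_connections
    elif protocol == "openvpn":
        first, last = 2, 255
    else:
        raise ValueError("the page gives client ranges only for PPTP and OpenVPN")
    start = vpn_net.network_address
    return problems, str(start + first), str(start + last)


if __name__ == "__main__":
    # Constructed sample input: a LAN on 192.168.1.0/24.
    for ip, proto, conns in [("10.0.0.0", "pptp", 5),
                             ("10.0.0.0", "openvpn", None),
                             ("192.168.1.0", "openvpn", None),
                             ("172.32.0.0", "openvpn", None)]:
        print(ip, proto, check_dynamic_ip(ip, ["192.168.1.0/24"], proto, conns))
```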

About Client's Gateway Setting for VPN Connection

Before connecting to the local area network of Synology NAS via VPN, the clients might need to change their gateway setting for VPN connection. Otherwise, they might not be able to connect to the Internet when VPN connection is established. For detailed information, refer to here.