How do I set up Synology SSL VPN and WebVPN using Synology DDNS?
Last updated: Oct 12, 2022
Purpose
This article shows you how to set up a Synology DDNS (see Note 1) hostname on a Synology Router, apply it to SSL VPN and WebVPN, and get a certificate with the DDNS hostname.
Resolution
A. Before you start
Make sure that you have done the following:
- Set up your Synology Router and installed the latest version of Synology Router Manager (SRM).
- Installed and activated the latest version of VPN Plus Server.
- Made your Synology Router's DDNS address accessible to Internet users.
- Checked if there is an intermediary router between the Internet and your Synology Router. If yes, create a port forwarding rule on the intermediary router to allow VPN access. Make sure you're using the same port number for the external and internal ports in your SSL VPN's (or WebVPN's) port forwarding rule.
B. Add a Synology DDNS hostname for your Synology Router
- Sign in to SRM, and go to Network Center > Internet > QuickConnect & DDNS.
- Under the DDNS section, click Add.
- Select Synology from the Service provider drop-down menu.
- Enter the following information:
  - Hostname: Customize your hostname (see Note 2).
  - Username/Email: Sign in to your Synology Account or register one by following the wizard's instructions.
- Tick the checkbox at the bottom of the window to agree to Synology's terms of service and the privacy policy. You can also tick Request a certificate from Let's Encrypt and set it as default to obtain a certificate for your DDNS hostname.
- Click OK.
- Under the DDNS section, you can find your DDNS hostname. To access your Synology Router via DDNS, enter the DDNS hostname along with the SRM port (e.g., synol321.synology.me:8000) in the browser address bar.
C. Set up Synology SSL VPN using a DDNS hostname
- Launch VPN Plus Server.
- Click Synology VPN on the left panel and go to SSL VPN.
- Select Enable Synology SSL VPN and complete the settings by clicking Apply at the bottom of the page (see this article for detailed instructions).
- A customized URL for the VPN Plus web portal will appear on the current page. You can now reach the VPN Plus web portal for SSL VPN access by clicking the URL or typing it in the address bar of a web browser.
D. Set up WebVPN using a DDNS hostname
- Launch VPN Plus Server.
- Click Synology VPN on the left panel and go to WebVPN.
- Select Enable WebVPN and complete the settings (see this article for detailed instructions).
- A customized URL based on the DDNS hostname will appear on the WebVPN tab.
- Now you can use this hostname-based URL to reach the VPN Plus web portal for WebVPN access.
E. Get a certificate for Synology SSL VPN and WebVPN
With a certificate, all users can have smooth VPN access to network resources without repeated browser alerts. This section provides you with two methods for getting a third-party authorized certificate.
Method 1 - get a certificate from Let's Encrypt
You can get free and secure SSL/TLS certificates automatically from Let's Encrypt, an open and well-trusted certificate authority (see the notes about its regulations). Please follow the steps below:
- Go to Control Panel > Services > Certificate.
- Under the Action section, click Create Certificate.
- Select Get a certificate from Let's Encrypt.
- Specify the following information:
  - Domain name: Enter your Synology DDNS (e.g., synol321.synology.me).
  - Email: Enter the email address used for certificate registration.
  - Subject alternative name: To allow one certificate to cover multiple domains, enter the other domain names here. You can also enter the wildcard version of your Synology DDNS (e.g., *.synol321.synology.me) in this field.
- Click Apply to save the settings. Once confirmed, the certificate will be imported to your Synology Router.
Method 2 - import a third-party certificate
- Purchase a certificate from a trusted third-party authority for your Synology DDNS hostname. Provide a suitable DDNS hostname as instructed below:
  - A certificate for Synology SSL VPN only: Provide your full Synology DDNS hostname (e.g., synol321.synology.me). This certificate will secure this domain.
  - A wildcard certificate for WebVPN (and Synology SSL VPN): Provide the wildcard version of your Synology DDNS hostname (e.g., *.synol321.synology.me). This certificate secures all subdomains under your Synology DDNS hostname.
- Go to SRM Control Panel > Services > Certificate.
- Under the Action section, click Import Certificate.
- Click Browse and import the private key and the purchased certificate to your Synology Router.
- Click OK to import the certificate.
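After either method, it is worth confirming which names the installed certificate actually covers and how long it remains valid. The following is an added example, not Synology code: under standard TLS hostname matching a wildcard entry covers exactly one label and not the bare hostname, so the check reports coverage for the DDNS hostname and for a WebVPN subdomain separately. The sample certificates are constructed, and `app1` is a hypothetical WebVPN subdomain label.

```python
import socket
import ssl

def fetch_cert(host, port=443, timeout=5.0):
    """Return the validated peer certificate (getpeercert() dict) served at host:port."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def san_matches(pattern, hostname):
    """'*' is honoured only as the whole left-most label and covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and (p[0] == h[0] or (p[0] == "*" and h[0] != ""))

def audit(cert, names, now_epoch, warn_days=30):
    """Map each name to True/False coverage and report days left before notAfter."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    coverage = {n: any(san_matches(s, n) for s in sans) for n in names}
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now_epoch) // 86400)
    return {"coverage": coverage, "days_left": days_left, "renew_soon": days_left < warn_days}

# Constructed sample certificates in getpeercert() form (not real certificates).
WILDCARD_ONLY = {"subjectAltName": (("DNS", "*.synol321.synology.me"),),
                 "notAfter": "Jan 10 00:00:00 2023 GMT"}
BASE_PLUS_WILDCARD = {"subjectAltName": (("DNS", "synol321.synology.me"),
                                         ("DNS", "*.synol321.synology.me")),
                      "notAfter": "Jan 10 00:00:00 2023 GMT"}
# "app1" is a hypothetical WebVPN subdomain label.
NAMES = ["synol321.synology.me", "app1.synol321.synology.me"]
NOW = ssl.cert_time_to_seconds("Dec 20 00:00:00 2022 GMT")  # constructed "current" time

if __name__ == "__main__":
    for label, cert in (("wildcard only", WILDCARD_ONLY),
                        ("base + wildcard", BASE_PLUS_WILDCARD)):
        print(label, audit(cert, NAMES, NOW))
```

To check a live router, pass `fetch_cert("<your DDNS hostname>", <your VPN port>)` and `time.time()` to `audit` in place of the constructed samples.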
Notes:
1. Synology DDNS (Dynamic Domain Name System) maps a hostname to a Synology Router's IP address, allowing easy Internet access. Moreover, Synology provides a variety of free DDNS hostnames (e.g., *.synol321.synology.me) for registered users. With a Synology DDNS hostname, you can access not only your Synology Router but also Synology SSL VPN and WebVPN, without the need to remember the IP address.
2. Synology DDNS auto-generates a wildcard record (e.g., *.synol321.synology.me) for the specified hostname (e.g., synol321.synology.me), allowing access to all subdomains under your Synology Router. If you wish to set up a non-Synology DDNS hostname for WebVPN, make sure the wildcard hostname is supported.
3. Regulations of Let's Encrypt certificates
  - There is a limit to the number of certificates registered through each email account. If the limit is exceeded, use another email account to get more certificates.
  - You can only register for a limited number of certificates per domain from Let's Encrypt. If the limit is exceeded, please do either of the following:
    - Enter the current domain name as the subject alternative name (SAN) and use another domain name for the certificate request.
    - Enter "*.Synology DDNS hostname" as the SAN to apply for a wildcard certificate, e.g., "*.synol321.synology.me".
  - Let's Encrypt will perform domain validation before issuing certificates for your domains. Please make sure port 80 of your Synology Router is open for domain validation from the Internet. All the other communications with Let's Encrypt go over HTTPS and will keep your Synology Router secure.
  - Certificates issued by Let's Encrypt are valid for 90 days. Before the certificates expire, SRM will automatically renew such certificates after successful domain validation. Please make sure port 80 of your Synology Router is open for certificate renewal.
  - Wildcard Let's Encrypt certificates are supported only for Synology DDNS hostnames.