VPN Connection

You can easily turn your Synology NAS into a VPN client and connect to an existing VPN (Virtual Private Network) server via PPTP, OpenVPN, or L2TP/IPSec protocols. If you have multiple VPN servers, you can also create specific VPN profiles for each server to quickly switch and connect to different VPN servers with a simple click.

What is VPN?

A VPN, or virtual private network, is a solution to meet the need to securely access resources on your private network from the Internet. For businesses or some individuals, with the need for expanding networking capabilities growing, the cost of this physical networking system and their technical support will increase exponentially. When considering the cost-efficiency and the long-term maintenances, VPN is a smart and increasingly attractive solution. With encryption and other security mechanisms, VPN technology allows business members to easily access the central network of the company and leveraging the resources in it just as in LAN. Individuals can also access resources on their home LAN when being far away from home.

Note:

  • Synology NAS can only connect to OpenVPN servers which support tun-style tunnels on Layer 3.
  • Before installing the VPN package, make sure you have a VPN server to connect to. For better compatibility, you are suggested to connect to VPN services hosted on a Synology NAS running the VPN Server package. To set up another Synology NAS as a VPN server, please see DSM Help > VPN Server > Set up VPN Server for instructions.

To create VPN profiles:

  1. Go to Control Panel > Network.
  2. Under the Network Interface tab, click Create and choose Create VPN profile.
  3. When creating a new VPN profile, you can choose one of the following connection types:
    • PPTP: PPTP (Point-to-Point Tunneling Protocol) is a commonly used VPN solution supported by most clients (including Windows, Mac, Linux, and mobile devices).
    • OpenVPN: OpenVPN is an open source solution for implementing VPN service. It protects the VPN connection with the SSL/TLS encryption mechanism.
    • L2TP/IPSec: L2TP (Layer 2 Tunneling Protocol) over IPSec provides virtual private networks with increased security and is supported by most clients (such as Windows, Mac, Linux, and mobile devices).
  4. Refer to the sections below for instructions to set up any of the three type of VPN connections.

To create a PPTP profile:

  1. When prompted to choose a VPN connection method, choose PPTP, and then click Next.
  2. Pick a name for the new profile, specify the address of the VPN server you want to establish connection with, and enter your username and password for the server. Click Next to continue.
  3. Note:

    • The username, password, and address of the VPN server should be provided by the administrator of the VPN server.
    • The content of imported CA certificate or client certificate files should start with "-----BEGIN CERTIFICATE----" as the first line.
  4. Choose one of the following authentication protocols from the Authentication menu to protect VPN client's password during authentication:
    • PAP: The password will not be encrypted during authentication.
    • CHAP: The password will be encrypted using CHAP (Challenge-Handshake Authentication Protocol).
    • MS CHAP: The password will be encrypted using Microsoft CHAP version 1.
    • MS CHAP v2: The password will be encrypted using Microsoft CHAP version 2.
  5. If you chose MS CHAP or MS CHAP v2, then select one of the following from the Encryption menu to encrypt VPN connection:
    • No MPPE: VPN connection will not be protected with Microsoft Point to Point Encryption.
    • Require MPPE (40/128 bit): VPN connection will be protected with 40-bit or 128-bit Microsoft Point to Point Encryption.
    • Maximum MPPE (128 bit): VPN connection will be protected with 128-bit Microsoft Point to Point Encryption, which provides the highest level of security.
  6. Note:

    • The authentication and encryption settings here must the same as the settings specified on the VPN server. For details, please contact the administrator of the VPN server.
  7. Tick any of the following checkboxes depending on your needs:
    • Use default gateway on remote network: Enable this option to route the network traffic of the Synology NAS to the specified VPN server.
    • Allow other network devices to connect through this Synology server's Internet connection: Enable this option to allow network devices that are within the same local network as your Synology NAS to connect to the same VPN server.
    • Reconnect when the VPN connection is lost: If the VPN connection is unexpectedly lost, the system will attempt to reestablish the connection five times, attempting once every 30 seconds.
  8. Click Apply.

To create an OpenVPN (via .ovpn) profile:

  1. When prompted to choose a VPN connection method, choose OpenVPN (via importing a .ovpn file), and then click Next.
  2. Pick a name for the new profile, and in the Import .ovpn file field, click Browse to select and import an .ovpn file exported from the VPN server.
  3. Enter the following information provided by your VPN server administrator: your username, password and import the CA certificate file (e.g. ca.crt).
  4. If the VPN server provider has also provided you with a TLS-auth key, client key, client certificate, or a certificate revocation list, please click Advanced options and import them into their respective fields.
  5. Click Next to continue.
  6. Note:

    • The username, password, address, and any additonal files such as certificates or keys should be provided by the administrator of the VPN server.
  7. Tick any of the following checkboxes depending on your needs:
    • Use default gateway on remote network: Enable this option to route the network traffic of the Synology NAS to the specified VPN server.
    • Allow other network devices to connect through this Synology server's Internet connection: Enable this option to allow network devices that are within the same local network as your Synology NAS to connect to the same VPN server.
    • Reconnect when the VPN connection is lost: If the VPN connection is unexpectedly lost, the system will attempt to reestablish the connection five times, attempting once every 30 seconds.
  8. Click Apply.

To create an L2TP/IPSec profile:

  1. When prompted to choose a VPN connection method, choose L2TP/IPSec, and then click Next.
  2. Pick a name for the new profile, specify the address of the VPN server you want to establish connection with, and enter your username and password for the server. You'll also need to enter the pre-shared key for the VPN server. Then click Next.
  3. Note:

    • The username, password, address, and pre-shared key of the VPN server should be provided by the administrator of the VPN server.
  4. Choose one of the following authentication protocols from the Authentication menu to protect VPN client's password during authentication:
    • PAP: The password will not be encrypted.
    • CHAP: The password will be encrypted using CHAP (Challenge-Handshake Authentication Protocol).
    • MS CHAP: The password will be encrypted using Microsoft CHAP version 1.
    • MS CHAP v2: The password will be encrypted using Microsoft CHAP version 2.
  5. Note:

    • The authentication and encryption settings here must the same as the settings specified on the VPN server. For details, please contact the administrator of your VPN server.
  6. Tick any of the following checkboxes depending on your needs:
    • Use default gateway on remote network: Enable this option to route the network traffic of the Synology NAS to the specified VPN server.
    • Allow other network devices to connect through this Synology server's Internet connection: Enable this option to allow network devices that are within the same local network as your Synology NAS to connect to the same VPN server.
    • Server is behind NAT device: By default, L2TP/IPSec protocol does not allow connecting to a VPN server behind a NAT device. Enable this option to bypass this limitation, allowing the Synology NAS to connect to an L2TP/IPSec VPN server behind a NAT device.
    • Reconnect when the VPN connection is lost: If the VPN connection is unexpectedly lost, the system will attempt to reestablish the connection five times, attempting once every 30 seconds.
  7. Click Apply.

To connect or disconnect to a VPN server:

  1. Select a VPN profile.
  2. Click Connect or Disconnect.

Note:

  • Only one profile can be connected at a time.

To modify a VPN profile:

  1. Select a VPN profile.
  2. Click Edit.