DS VPN Server OpenVPN configuration

Difficulty: medium
Prerequisites: router port forwarding knowledge and a high-level understanding of the DS firewall is recommended.

Hi,

In this guide I’ll share how I configured my VPN Server package to allow access to my DS and LAN (with the firewall enabled).

If you’ve enabled remote access (via DDNS) and haven’t enabled the firewall, forget about this for now. Go work on configuring the firewall first. That’s by far more important. Check this thread.

The OpenVPN protocol is relatively new and considered to be very secure for now. It’s gaining popularity and is based on open standards (hence the “open” in the name).

I’ve mainly configured this to use on my iPad, so I’ll use it as an example. However, I believe it’s similar for Android and other desktop operating systems (all you need is the relevant operating system OpenVPN client).

Note that I didn’t want to complicate things with VPN certificates, I feel that for my needs and use, this is very secure, so I didn’t try to configure any (and I didn’t research how to do it). If you want to use certificates, please check the OpenVPN website.

You may also check the OpenVPN FAQ pages for iOS and Android.

OpenVPN support isn’t integrated into most operating systems and requires a third party app (OpenVPN app).
The app is free and can be downloaded for iOS and Android.

Once you have the VPN configured, you’ll be able to connect and access your DS and the hosts on your LAN remotely, as if you were connected locally (with the added security that comes with OpenVPN, of course). If you only need VPN access to your DS without LAN access, keep reading; the LAN part is optional. But that’s one big advantage of using a VPN to your server: access to your LAN.

Let’s start…

The VPN Server package configuration...
  • Install the VPN Server package from Synology’s Package Center.
  • Open it.
  • Click on “OpenVPN” and configure the settings.
Here’s a screenshot of my configuration.

[Screenshot IMG_0250.JPG: OpenVPN settings in the VPN Server package]

  • Fill in the fields and export the configuration (click the Export button).
  • This will export a Zip file.
  • Decompress it and find VPNConfig.ovpn.
  • Use a text editor to open the file. I’ve used TextEdit on macOS.
  • The third line will have something like “remote YOUR_SERVER_IP 1194”.
  • Replace “YOUR_SERVER_IP” with your DDNS FQDN (e.g. myds.synology.me).
  • Save the file, making sure it’s still in plain text format and still has the “ovpn” extension. We don’t need the other two files for our configuration.
Find a way to send this file to your iOS device (AirDrop, iTunes or some other method). I’ve used AirDrop on my iMac. Don’t know about Android, but I think you can copy anything directly without restrictions :)
  • The OpenVPN app on your iOS device should prompt you, asking if you want to add the profile.
  • Add it and configure your username and password (or leave the password blank to be asked for it every time).
  • Make sure to check the app settings too. There are a few nice and important options. For instance, I’ve enabled dark mode, left compression set to “No” and disabled DNS fallback (it uses Google’s DNS servers 😱).

The DS Firewall…
First, you’ll need to forward UDP port 1194 on your router to your DS. I’d leave that to you :)
However, you can use any port (e.g. TCP 443). That’s one advantage of OpenVPN. I’m using the default (UDP 1194). Try it. If the connection is unreliable, or you need to slip through a firewall that’s blocking UDP, change your configuration to use a TCP port. TCP is going to be slower, because it adds its own reliability handling on top of the tunnelled traffic, but it is more likely to get through; it all depends on what you are accessing and your link’s reliability. If you change the port after testing, don’t forget to change the forwarding rule on the router too, and export the configuration again to edit and import into the OpenVPN client.
  • Now we’ll need to add two “allow” rules to our DS firewall.
  • First rule: allow port 1194 (UDP), for VPN connection establishment.
  • Go to Control Panel > Security > Firewall tab > Edit Rules > Create.
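To automate the two manual edits described so far (swapping YOUR_SERVER_IP for the DDNS name, and moving to a TCP port if UDP turns out to be blocked), here is an added Python example; it is not Synology’s code or part of the original post, and the sample profile it carries is a constructed stand-in for the exported VPNConfig.ovpn, not the real export. The review function lists what still needs attention before the file is imported into the client.

```python
# Constructed sample in the shape of an exported profile (not the real file).
SAMPLE_OVPN = """dev tun
tls-client
remote YOUR_SERVER_IP 1194
proto udp
auth-user-pass
<ca>
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
</ca>
"""

def top_level(lines):
    """Yield (index, words) for directives outside <ca>...</ca>-style blocks."""
    in_block = False
    for i, line in enumerate(lines):
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0].startswith("</"):
            in_block = False
        elif words[0].startswith("<"):
            in_block = True
        elif not in_block:
            yield i, words

def patch_profile(text, host, port=None, proto=None):
    """Replace the remote host (and optionally port/proto); leave the rest intact."""
    lines = text.splitlines()
    for i, words in top_level(lines):
        if words[0] == "remote":
            # 'remote <host> [port]': keep the exported port unless overridden
            old_port = words[2] if len(words) > 2 else "1194"
            lines[i] = "remote %s %s" % (host, port or old_port)
        elif words[0] == "proto" and proto:
            lines[i] = "proto %s" % proto
    return "\n".join(lines) + "\n"

def review_profile(text):
    """Return reminders to act on before importing the profile into the client."""
    found = {}
    for _, words in top_level(text.splitlines()):
        found.setdefault(words[0], words[1:])
    notes = []
    if found.get("remote", ["YOUR_SERVER_IP"])[0] == "YOUR_SERVER_IP":
        notes.append("remote still has the YOUR_SERVER_IP placeholder")
    if "auth-user-pass" not in found:
        notes.append("no auth-user-pass: DSM username/password login will not work")
    if found.get("proto", ["udp"])[0].startswith("tcp"):
        notes.append("proto is TCP: the router must forward the TCP port, not UDP 1194")
    return notes
```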
[Screenshot IMG_0255.JPG: firewall rule allowing port 1194]

Second “allow” rule to enable access to the LAN. If you only need access to your DS, you can skip this step, but I’d suggest that you add it (it’s just one line), test it and then uncheck it. Leave it ready in case you ever need it.
  • Edit the firewall rules and add the dynamic IP range that you used in the OpenVPN configuration. I’ve added a range for 10 clients (I’m the only one using it for now).
[Screenshot IMG_0244.JPG: creating the second firewall rule]

[Screenshot IMG_0245.JPG: source IP range for the VPN clients]

[Screenshot IMG_0246.JPG: ports and action for the LAN rule]

You should end up with something like this:
[Screenshot IMG_0248.JPG: resulting firewall rule list]


Apply and you’re all set.
Test it by disabling WiFi on your device (to use mobile data), or go to the coffee shop at the corner and use their WiFi :)

Refine this by checking the privileges.

[Screenshot IMG_0249.JPG: VPN Server privilege settings]


Enable only the users who need VPN access. Or create a dedicated VPN user with privileges that you keep to the minimum your needs require (Control Panel > User > Create).

I hope the above is clear enough. Of course and as usual, there’s a myriad of ways to configure and use any solution. The above works for me, you can fine tune it to your needs :)

If you have any questions, suggestions, comments, corrections, amendments or subtractions, please go ahead :)


Update
I had some time to quickly test the behavior and relationship of the firewall and the “allow clients to access LAN” option.

Firewall enabled (with correct rules) / Allow clients to access LAN enabled:
Can access LAN clients.

Firewall enabled (with correct rules) / Allow clients to access LAN disabled:
Can’t access LAN clients.

Firewall completely disabled / Allow clients to access LAN enabled:
Can access LAN clients.

Firewall completely disabled / Allow clients to access LAN disabled:
Can’t access LAN clients.

Important
With “allow clients to access LAN” enabled, you’ll be able to access your DS (the one you’re connected to via OpenVPN) by using its IP address on its subnet, as if you were sitting on the same LAN.

However, once you choose to disable “allow clients to access LAN”, that option is gone. You’ll be able to access your DS by using the dynamic address assigned to it. In our configuration example it’s going to be 192.168.5.1 (the first IP address in the dynamic range is assigned to the DS apparently).

Update:
For instructions on how to use the domain name while on a VPN connection, please check these instructions by @BobW.



Latest reviews

Top job m8!
WST16
Thank you @rusty. That’s the seal of endorsement for me :)
