Basic VPN Setup?

A very basic setup and configuration question about local network topology to use a DS218 NAS for VPN.

I have a router+firewall at the entry point to my house, and then it feeds into a 24-port HP 1920s switch, which then fans out connections to all the rooms and devices in the house (some with one further layer of local distribution switches).
My NAS (DS218+) sits at one node of this tree.
It would seem to me that I would need to set up VPN in the initial router/firewall to even be able to access anything in the local domain, so I am not sure why one would try to use a Synology NAS as a VPN server?
Seems like that would only make sense if it was somehow at the main entry point to the local network (else how to even access it?), and being able to VPN to it would only give access to that device itself (and its peers on the local network?).
So one approach would be to let the NAS be directly accessible through the firewall, and then it handles VPN access, or else just let the firewall itself, which has to be there to protect the entire network, provide the VPN service. And then once VPN’ed in from the top level firewall, one can access any local resources, including the NAS files & services.
What am I missing here??

Perhaps the difference is that if one wanted to only VPN expose access to the NAS, one would publish an address for it, and then enable the VPN access there - only on that NAS device.
(Synology Router Manager - Knowledge Base | Synology Inc.)
 
You might use the NAS as a VPN server if, for example, your router/firewall doesn't have its own built-in VPN server. In the router, you'd forward the VPN port to the NAS. Now, by logging into the NAS's VPN server from out on the internet, you can proxy all your internet traffic through your NAS. Or (or in addition), you can then have secure access to the other resources on your LAN.
 

fredbert

This is similar to a previous thread. It was assuming the router was a Synology SRM-based device but the general situation is the same if the Internet router/firewall has VPN servers.

Welcome to the forum @guthrie.
 
Hi,

Exactly what @akahan said. I’d add that you might want to choose the DiskStation’s VPN server too if your router only offers poor VPN protocol support (e.g. PPTP); then a better (more secure) choice is OpenVPN provided by the DiskStation.

Now if we can have WireGuard support, it’ll be fantastic :)
 

Rusty

Now if we can have WireGuard support, it’ll be fantastic
Docker it and you are good to go ;)

Also, the NAS can be more powerful than the router, so encrypted traffic can provide better speeds as well (in some cases).
 
For a reasonable cost, one could set up a mini PC with a firewall router distro like OPNsense, pfSense, Sophos XG or Untangle. All of these are free or have free versions.

They have a learning curve but are easy to set up and use via the GUI.

They can offer much more than a VPN server, and I think they are important to secure a server that is exposed to the internet, especially NASes that contain a lot of personal data.

Also, being in front of our network, they offer another layer of protection: in case they are compromised or we made mistakes, the intruder then has to pass the NAS security afterwards.
 
Docker it and you are good to go
I read briefly about Docker’s support a few months back (and checked the iOS client) but was a bit hesitant to try it. During this pandemic, I rely so much on the VPN connection with heavy daily use and the OpenVPN server has been very solid so far.

So nothing is wrong with OpenVPN, but using WireGuard by other VPN services, one can’t help but notice its performance, low CPU usage and the connection setup speed (almost instantaneous). I wish Synology would update the VPN server to include it natively.

Also, the NAS can be more powerful than the router, so encrypted traffic can provide better speeds as well (in some cases).
That’s a good point.
 

Rusty

I wish Synology would update the VPN server to include it natively.
Maybe DSM7 will bring that. In the current preview, WG is still not supported.
 
You might use the NAS as a VPN server if, for example, your router/firewall doesn't have its own built-in VPN server. In the router, you'd forward the VPN port to the NAS. Now, by logging into the NAS's VPN server from out on the internet, you can proxy all your internet traffic through your NAS. Or (or in addition), you can then have secure access to the other resources on your LAN.
Thanks; I will have an ISP-provided, really good firewall/VPN-capable unit (MikroTik hEX S) at the head-end of entry, so I just didn't see the value of forwarding traffic to the NAS to do that job.

For a reasonable cost, one could set up a mini PC with a firewall router distro like OPNsense, pfSense, Sophos XG or Untangle. All of these are free or have free versions.

They have a learning curve but are easy to set up and use via the GUI.

They can offer much more than a VPN server, and I think they are important to secure a server that is exposed to the internet, especially NASes that contain a lot of personal data.

Also, being in front of our network, they offer another layer of protection: in case they are compromised or we made mistakes, the intruder then has to pass the NAS security afterwards.
Yes; thanks.
Seems like the responses are basically: if you don't have a good front-end firewall/VPN, let the NAS do it. If you do, probably not much point.
 
I suppose the other use case would be if you want to permit access via VPN to your NAS, but to nothing else on your network.
 
