Confused about the VPN

Good evening, guys, as ransomware is a menace that shouldn't be underestimated I've decided to protect my NAS (Synology DS214play) a little bit more so I've installed the VPN server package.
To cut things short, I'll tell you that I've followed the indications contained in the official knowledge base guide, I've tested the connection using the OpenVPN app on both my MacBook Pro laptop and my iPhone, but there's something I cannot understand yet.
As the VPN is on now, I should be able to connect to my NAS (outside of my home network) only by using the app; what I'm noticing is that, even though the VPN is on, I can connect from outside my LAN without using any "special" VPN app.
Could you please help me understand that?
Thank you very much.
 
Enabling the VPN doesn't disable any other methods of connecting; it just ADDS VPN as an available option. You have to turn the others off by, e.g., turning off port forwarding to the Diskstation in your router.
 
Thanks for your replies, guys. Yes, I've enabled port forwarding (1194 UDP) on my router, and I am not using QuickConnect.
The strange thing (for me) is that, once the VPN has been turned on, the DiskStation should be invisible on the Internet; instead it keeps the same old public IP address, which is totally useless, IMVHO.
 
instead it keeps the same old public IP address, which is totally useless
The public IP address will ofc be present and has nothing to do with your NAS directly. It is your household connection to the internet.

As already said by others, you need to terminate all connections on your router other than the port forward for the VPN. This includes QC, DDNS port forwards, or any reverse proxy entries that you have (again, these are probably going via a forwarded port that should be turned off).

So the question is, while VPN is down, how are you exactly testing this connection back to your house and getting a connection?
 
Thank you, Rusty.
I have several devices "published" on the Internet, all working flawlessly.
Of course, the first thing that I've done has been to open and forward the ports (ssh, webdav, https and so on).
There's one thing I don't understand, though...
Just to give you an example, if I turn on ExpressVPN on my Raspberry Pi (which is what I sometimes do), the device is not reachable through the public IP address which has been previously assigned by my DDNS service but only through a tunnel and a specific IP address.
That's what VPNs are for.
In the Synology case, my NAS (VPN on) "keeps" the same public IP address as it had been previously assigned, which makes the VPN service completely useless, IMHO.
To answer your question: my NAS (when the VPN is off) is reachable through Webdav and SSH; of course I've opened and forwarded the ports that make these services possible.
 
As others have already said, you need to disable / turn off the other non-VPN modes of remote access you have set up previously. Setting up an OpenVPN connection on the Syno does just that - it adds OpenVPN as an additional remote connection method. It doesn't also switch off / remove the other stuff you've set up. You have to do this yourself.

FWIW, it's not advisable to have services like SSH and WebDAV running directly behind ports forwarded from the internet. Your IP address and open ports have already been scraped by e.g. Shodan and will be subjected to daily bot brute-force password attacks. This is already happening to your machine. Hence the recommendation to use a VPN.

I'd strongly recommend that you disable any internet-facing services / ports other than the OpenVPN ports, and access these services exclusively via your OVPN connection.
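The check the replies above are asking for, as an added example that is not part of any post in this thread: list the router forwards that still bypass the VPN, then confirm from outside the LAN which of them actually answer. The forwarding table, its port numbers and the hostname `nas.example.net` are constructed placeholders; only 1194/UDP comes from the thread.

```python
import socket

# Constructed sample of a router's port-forwarding table (not the poster's
# real rules): (external port, protocol, service behind it on the NAS).
FORWARDS = [
    (1194, "udp", "OpenVPN"),
    (22, "tcp", "SSH"),
    (5006, "tcp", "WebDAV"),
    (443, "tcp", "HTTPS"),
]
VPN_RULES = {(1194, "udp")}  # the only forward the thread says to keep


def rules_to_remove(forwards, allowed=VPN_RULES):
    """Return forwarding rules that still expose a service outside the VPN."""
    return [f for f in forwards if (f[0], f[1]) not in allowed]


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds.

    Run from outside the LAN (e.g. a phone hotspot with the VPN disconnected)
    against your own DDNS name. UDP 1194 cannot be tested this way.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def still_exposed(host, forwards, allowed=VPN_RULES, probe=tcp_reachable):
    """Names of non-VPN TCP services that answer without the tunnel."""
    return [name for port, proto, name in rules_to_remove(forwards, allowed)
            if proto == "tcp" and probe(host, port)]


if __name__ == "__main__":
    for port, proto, name in rules_to_remove(FORWARDS):
        print(f"remove forward {port}/{proto} ({name})")
    # nas.example.net is a placeholder for your own DDNS hostname.
    print("answering without VPN:", still_exposed("nas.example.net", FORWARDS))
```

An empty result from `still_exposed` with the VPN disconnected, and working access to the same services once the tunnel is up, is the state the replies describe.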
 
Just to give you an example, if I turn on ExpressVPN on my Raspberry Pi (which is what I sometimes do), the device is not reachable through the public IP address which has been previously assigned by my DDNS service but only through a tunnel and a specific IP address.
This is expected. Client side VPN (outgoing from your NAS) is not the same as an incoming VPN that you have installed on your NAS to get to your LAN.

When you activate a commercial client VPN from your NAS towards a provider (like Express), your communication will be tunneled and all traffic from outside your LAN will stop working (on custom ports), because Express will not port forward those ports/traffic on their end. Like I said, expected.

Having an outgoing and an incoming VPN on the same layer on DSM is not possible (as you might have already guessed by trying), so the question here is again, how exactly are you testing this access to your resources "while VPN is down"?

Looks like there are still forwarded ports in use with DDNS name, but ofc that will (for the most part) render VPN useless if those services are reachable over published ports.

Also not clear what VPN you are talking about in this case. Incoming (VPN server package), or outgoing, towards a commercial VPN provider.
 
Thanks, Rusty, as I'm beginning to understand a little bit more.
My testing, as I've written before, is being done by using forwarded ports on my router and a DDNS provider which makes my public IP address "permanent".
Of course, whenever it's possible, I don't use the ports specific for that service, but this is a different thing.
As far as I understand, what Synology offers is not a VPN service but a sort of RAS (Remote Access Server).
 
Of course, whenever it's possible, I don't use the ports specific for that service
If security is a priority, then closing the ports and setting up an incoming VPN is the way to go.

Synology offers is not a VPN service
It offers a VPN server (incoming) option that allows access back to your LAN or non-internet hosted services. When connected you will have a sort of RAS option, yes, but the VPN server itself is not RAS.
 
You are confusing what a VPN actually is with the way people often use it.

People tend to use VPN to refer to a method used to hide your traffic from prying eyes, e.g. to download torrents or visit geo-locked websites/streamers from another country.

VPN in reality means Virtual Private Network, i.e. a non-physical network where computers can operate as if they were on the same physical network. By setting up a VPN you are simply creating a system whereby devices from outside your network can connect to your DSM and operate as if they were in the same network (within limitations). Clearly with the right settings these connections will be encrypted and secure.

The VPN does not obfuscate or otherwise change your IP address, that is sort of impossible, from DSM anyway.
 
