Connecting to DSM/local network via OpenVPN

NAS: DS920+, DS416slim
Operating system: Windows
Mobile operating system: Android
So I'm predictably having some difficulties setting up a VPN connection on my DSM (7).

I have managed to set up an OpenVPN server on the DSM and connect to it from my laptop.

What I am having difficulty doing is viewing either the DSM or the network devices from the laptop I am connecting from. I am also unable to connect to the internet when the VPN is connected. Basically it is achieving very little :)

I've used the default settings in both DSM and the ovpn file:

[Screenshot: openvpn.JPG]


And my settings in the ovpn file are:

Code:
dev tun
tls-client
remote MYSERVER.xxx.yyy ####
#float
redirect-gateway def1
dhcp-option DNS 8.8.8.8
pull
proto udp
script-security 2
comp-lzo
reneg-sec 0
cipher AES-256-CBC
auth SHA512
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
CERTIFICATE
</ca>

For the part in red, I have tried enabling it, disabling, enabling it with/out "redirect-gateway local def1" just for the local network... but nothing works - there is simply no internet (ping google.com returns nothing) and I can't see any devices on the remote network, with either \\device, \\192.168.1.xxx (my usual local network), or \\10.8.0.xxx (the openvpn dyn address).

Any ideas what I'm doing wrong please???
 
Make sure to allow your VPN subnet (10.8.0.0/24) access to your LAN subnet in DSM firewall (if you have it up and running).

Thanks - but I'm really struggling to do this.

If I go to Firewall -> Edit rules -> Create
1. I can add a VPN rule ("Select from a list of built-in applications") but cannot see how I give it access to the subnet - all I can do is restrict the specific IP or location that is let through.
2. Using "Custom" I only seem to be able to edit a port range, not access to a LAN subnet.

Would you mind giving some more detail please?
 
Before you get all wrapped up in firewall rules, disable your NAS firewall. Can you connect? If not, your problem lies beyond the firewall.

Good shout - disabled the firewall and it was exactly the same.

At risk of sounding naive, I'm checking if this is working or not by

a) going to any website (not working)
b) typing "\\mynas" in the explorer bar to see if it will find the nas (not working)

If it's not the firewall, I'm totally stumped. I was stumped before anyway. Is this the kind of thing that's impossible to give answers to without being at the machine??
 
Just follow these instructions on YouTube. It's easy to set up OpenVPN.
 

Thanks very much for this, it's the Static Route part (at 11m 37s) on the router that I hadn't done. And that's not available on my router so I guess that's it!
 
Hi
From my understanding of your wants, the Static Route is not necessary. I read that you want to be able to use a remote machine and VPN into your network. From there you want to be able to access network resources.
The part of the video you reference is for when your PC is on the local network and you want to access a resource on a machine that is connected via VPN. This is quite different.

Have you set a port forward in your router from the outside world to your Synology for your VPN port (typically 1194)?
 
@silverj

Correct - I want to be able to use a remote machine to VPN into DSM and then access the DSM and the local network.

Port forwarding is set up, 1194 TCP and UDP to 1194 on the DSM.

The VPN connects (from the remote machine to the VPN), so I think the port forwarding is set up properly, but once it has connected I can't see any of the local network or connect to the internet. Basically the VPN is connected but there is no useful* traffic.

* The OpenVPN app shows a minimal amount of ongoing data transfer but I have no idea what this is...
 
Please check this resource and see if it works. Ask if it’s not clear.
 
@ed.j looking at your config code, you have a DNS of 8.8.8.8. Can you change the DNS to your router or whatever inside your network is handling DNS? A DNS server other than your own network's will never resolve your local networked devices or DSM (in this particular case). A public DNS server 8.8.8.8 will never know what your local devices are; only your local DNS server would.

As an example for me it’s my router 192.168.1.1 which is also the gateway to the internet. Make this change and test again, disable the firewall to rule everything else out. If this works then enable the firewall and see if it still works. If it doesn’t then we work on the firewall rules.
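
The DNS point above, as an added example that is not part of the original thread: a small Python checker that parses a client profile like the one posted earlier and flags a public `dhcp-option DNS` resolver and a missing client-side route to the LAN. The function names and finding labels are hypothetical, and the sample profile and the 192.168.1.0/24 LAN range are constructed from values mentioned in the thread.

```python
import ipaddress

# Constructed sample modelled on the client profile posted in this thread;
# the server name, port and certificate body are placeholders.
SAMPLE_OVPN = """\
dev tun
tls-client
remote vpn.example.invalid 1194
#float
redirect-gateway def1
dhcp-option DNS 8.8.8.8
pull
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""

def parse_directives(text):
    """Return (name, args) for active directives; skip comments and inline <blocks>."""
    out, block = [], None
    for line in map(str.strip, text.splitlines()):
        if block:                                   # inside <ca>...</ca> and similar
            block = None if line == f"</{block}>" else block
        elif line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
        elif line and line[0] not in "#;":
            name, *args = line.split()
            out.append((name, args))
    return out

def audit(text, lan_cidr):
    """Hypothetical checker: why is the tunnel up but the LAN unreachable by name or IP?"""
    lan = ipaddress.ip_network(lan_cidr)
    directives = parse_directives(text)
    findings = []
    for name, args in directives:
        # A public resolver cannot answer for names that exist only on the LAN.
        if name == "dhcp-option" and len(args) == 2 and args[0].upper() == "DNS":
            if ipaddress.ip_address(args[1]).is_global:
                findings.append(f"dns-public:{args[1]}")
    full_tunnel = any(name == "redirect-gateway" for name, _ in directives)
    routes = [ipaddress.ip_network(f"{a[0]}/{a[1] if len(a) > 1 else 32}", strict=False)
              for name, a in directives if name == "route" and a]
    # Without redirect-gateway or a covering route, the LAN route must be pushed by the server.
    if not full_tunnel and not any(lan.subnet_of(r) for r in routes):
        findings.append("no-client-route-to-lan")
    return findings
```

An empty result only means the client file itself is consistent; a firewall on the NAS can still block the VPN subnet, which is why the thread tests with the firewall disabled first.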
 
Hi @Gerard , thank you for the pointers and sorry for the delay in responding - I've been away from home for a while but reading the thread!

I've finally managed to try your suggestions. Changing the DNS to that of my router AND disabling the firewall on the DS made it work (woohoo!!) so it was just the firewall to tweak.

Using the two firewall rules as described in the tutorial by @WST16 (and changing the Dynamic IP address to 192.168.5.1) finally got it to work.

Thanks very much guys. You can try to follow all the right instructions but sometimes a tutorial will miss out something key. WST16 coming with the goods! :cool:
 
Sorry to resurrect this thread. I have almost exactly the same problem. My OpenVPN setup is on an IP address range from 10.8.0.# whereas the local IP address range is on 192.168.1.#.

I originally had the same DNS issues, but got around it by having a local hosts file, then later updating the OpenVPN config with the default gateway IP of the router that was doing the DNS.

So all was good (on Windows), and could access all the devices on the 192.168.1.# network (even though I had a dynamic IP on the 10.8.0.# network when connected via VPN). However, the sole MacOS client would only access the NAS via its 10.8.0.# IP address.

Doing some digging and it appears the workaround is a static route defined within the router, to bridge the networks. Though there does not appear to be this option on the BT Home Hub 2 router.... So I am at a loss as to what to do for this MacOS client. I cannot fudge it with the hosts trick. Any suggestions would be much appreciated.

Cheers,

Mark
 
Did you allow the VPN subnet on the NAS firewall? Can you disable the NAS firewall entirely to test if you can access the local network & DSM from VPN?
 
Firewall is disabled on the NAS (never really seen the point in having firewall behind a firewall, but open to learning why this is useful). Can access NAS only when connected via VPN.

I should have been clearer. I want to access the other devices on the 192.168.1.# network and the DSM on its 193.168.1.# address. It's too complicated for the user to have two ways of accessing their shared drives if I create links for local and remote depending on what IP they are using.
 
If the “allow clients to access LAN” is checked and the firewall is not enabled it should provide access without the need to configure any static routes. That’s how it works on my Mac (and DSM 6).

Are you trying to reach the LAN clients using their IP addresses or FQDN?
Can you try with another device? Mobile phone or tablet?
 
It does allow access, but only using the 10.8.0.# IP address. For example the NAS drive IP is 192.168.1.190 whereas its VPN IP is 10.8.0.1. I cannot access it using 192.168.1.190 (in MacOS) when connected through the VPN, only by using the other IP address 10.8.0.1.
 
Yes, that's what I'm talking about. It should allow access to your DiskStation using its LAN-side IP address not only the dynamic address assigned by the VPN.

While connected (VPN), can you try pinging a device on the LAN that you're sure answers when pinged from the LAN?

Edit: by NAS drive, I assume you mean the NAS itself not the Synology Drive application. Right?
What a stupid name for an application by Synology.
 
Yes, I've already tried all that (for example pinging router on 192.168.1.254). Nothing works, I can only ping the NAS itself on 10.8.0.1 and can access the SAMBA shares as normal (on 10.8.0.1) but cannot see SAMBA shares or (ping) any other device on the 192.168.1.# network.

This all works fine on the Windows clients, it's only the MacOS one that has issues.....

When I was talking about a static route/bridge I was reading from this link:

But now I've read it again I see it's for allowing local addresses to see devices connected through the VPN (and not the other way around as I originally thought). This states that it should work the other way around out of the box, but it isn't for me with this MacOS client. I do have a Raspberry Pi knocking around. I could try with that to see if it has the same issues.....

I'm not using Synology Drive. It's a pretty vanilla box, just used for storing files from a few office laptops.
 
