Connecting to DSM/local network via OpenVPN

Can you try modifying the ovpn configuration file to the following and test (keep your port as is, of course)? You can comment lines with the hash.

dev tun
tls-client
remote mynas.synology.me 1194
pull
proto udp
script-security 2
reneg-sec 0
cipher AES-256-CBC
auth SHA512
auth-user-pass
<ca>
Hi there,

Sorry for the delay. My config is already identical to this (default export config out of DSM). The only difference is the addition of:

float
dhcp-option

Cheers,

Mark
 
Unfortunately I won't get a chance to get my hands on the MacOS client until the weekend. I might try connecting with L2TP over IPSec first to see if the same thing is happening there too.
 
An interesting update. I connected up with L2TP over IPSec on a different Mac. I could ping the router/default gateway on 192.168.1.254 but could not ping the NAS itself on 192.168.1.190 within that address scope. I could, however, ping it on the VPN address scope IP of 10.2.0.0.

So I guess it wasn't working because the hosts file was defined on the 192.168.1.190 address (which was a great DNS hack on the windows client). However, if I change the hosts file to point it to 10.2.0.0 it won't work when trying to access locally....

If I browse the network I don't see it by its NETBIOS name, so I'm not sure how I can force a connection....
 
I'm not sure either. You shouldn't need to implement any tweaks on the client's configuration. It should work right away if the firewall is disabled on the NAS and the "allow clients access LAN" is checked.

Can you disable the router's firewall briefly and try? It's a shot in the dark and I have no logical reason for doing this without knowing more about the setup, but no other ideas.
 
Latest update. I went on the Mac client and removed the entry on the hosts file. I then created an L2TP over IPSec and also updated the OpenVPN with DNS server details and tested both using a WiFi hot spot on phone. Strangely I could ping/not ping different addresses on different connections, and ended up more confused than I was when I started.

In the end I just connected using OpenVPN. Used finder to add a server connection on the 10.8.0.1 and created a new link for him to use to access when outside the LAN. Granted it means he has two different links/routes whether inside or outside of the LAN, but at least it works (and he intends to lose the Mac soon anyway)....

Thanks for the help.
 
Sorry to resurrect this thread. But I have the same issue as reported by the OP. I've spent the past week looking at a million forums, followed all the same training videos by several experts, and all does not work. I have confirmed I can connect to my Synology NAS remotely via OpenVPN. I can access the DSM and the internet via full tunnel connection. What I cannot get to work is the access to the LAN devices, including my mapped NAS drive folders via VPN. I cannot see them when going to my Network view (PC, Windows 11). I have tried changing DNS to match my router's gateway and changing my VPN Dynamic IP to 192.168.5.1, same as what @ed.j did. I've also disabled the FW on the NAS device and it did not have an effect. Is there a specific port I need to open up on my router in order to allow LAN device discovery / access? I currently have UDP 1194 and TCP 5000 and 5001 forwarded to my Synology.

If it matters, my network topology is Motorola Arris SB6141 to Google Nest Wifi to a TP Link SG116 switch. I set up port forwarding on the Google Nest directly via the app. But since that didn't work, I tried to do it via the Synology controller. In the Router Configuration screen, I ran a test to detect router information. It gave me an error for Checking Network Environment, with a message that "if all port forwarding rules failed, please check if there are 2 or more routers in your network. In that case, please set the modem/router to bridge mode." I do have 2 Nest devices that are shown as in Bridge mode.

I've reached out to Synology support team, but we're not getting a solution yet.

Any help is greatly appreciated.
 
First off this sounds like a firewall issue in terms that your VPN subnet has no connection to your LAN. But, if you are able to access DSM and the internet that raises a question again.

When you say you can reach your DSM once the tunnel is up, how are you accessing it exactly? Using your NAS IP address on port 5000/5001 or some other method?

In order to troubleshoot this I would advise you to (once you have VPN up) try and ping your router for example or some other target LAN devices. Are you getting any response from those?

changing my VPN Dynamic IP to 192.168.5.1
Don't change the VPN subnet inside the VPN server. Also, while on that subject, is your VPN subnet different from your LAN one?

please set the modem/router to bridge mode." I do have 2 nest devices that's it's shown as in Bridge mode.
Not sure I follow here. Isn't the Motorola device your 1st device inside your network coming in from your ISP? Then from Motorola the connection going forward to your Nest device? Nest is your router, correct? If so, then the Motorola device needs to be bridged to your Nest, not the other way around.

So bottom line, what did you exactly do to get "bridge" mode?
 
@Rusty thank you for your responses. Please see my clarifications below:

1. When I'm connected through my hotspot to OpenVPN via full tunnel, I can access the DSM via its LAN address (192.186.x.x). I can also access it via the OpenVPN dynamic address of 10.8.0.1. When I do a whatismyip check, my PC comes back with the external address of my home network. So all obvious indications show VPN is working and I'm in my house's network. Per your suggestion, I changed the dynamic IP back to 10.8. Seems to work in both instances.

2. When connected via VPN with Computer A, I can ping my home router and the Synology NAS via 192.168. However I cannot ping another Computer B that's on the same LAN as the router and the NAS. But Computer B can ping both the router and NAS.

3. My Computer A's VPN subnet default is 255.255.255.252. My Computer B and NAS are both on subnet 255.255.255.0. I tried changing the subnet on my Computer A Windows 11 network setting, to .0 and that did not fix the issue.

4. Regarding the bridging, let me clarify. I'm just referring to the 2 Nest mesh devices. There is the primary router and the secondary. According to my app, the secondary is bridged to the primary router. The primary router is operating in NAT (Standard) Mode. Are you suggesting I need to connect to the Arris modem to set that to Bridge mode? It's a SB6141 IP 192.168.100.1 and when I connect to that IP, there are no configurations I can do. Just a status page. No log in, admin access, etc.

5. At this point, all my testing done with FW off on the NAS, so I know it's not a FW setup issue.

6. I thought it could be my Windows 11 network setting for network discovery / file sharing. I have them all open for both public and private. Still same issue.

7. On Computer B that's on the LAN, I cannot see Computer A in the Network tree (A is VPN into the LAN). So somehow, seems like my setup only allows me to get to the NAS and full tunnel out to the internet, but there is a setting somewhere that prevents me from getting into the LAN. I also double checked the OpenVPN setting and ensured the box is checked to allow me access to the Server's LAN.

8. I also want to add that if the FW on the NAS is active, I cannot ping the NAS or the Router when on VPN. If I turn off the FW on the NAS, I can ping both the NAS and Router when VPN in.
 
Ok there are certain issues/questions here regarding your answers.

First off, about your Nest devices. Leave them as they are. I was not aware there were 2 of them and what you meant by that, but ok, those devices are meshed, so just leave them.

Now, No 5 and 8 don’t add up. Last you said that when the firewall was down all works fine but not when nas fw is running.

So, this could be a simple issue of having your fw hardened to the point that the communication is not working.

Make sure if the fw is up that you have configured your vpn subnet access to your LAN.

Also, computer B not being able to talk to computer A. Does this mean while computer A is on a vpn connection? If so this could again be fw issue.

Also, try and turn off windows fw on both devices as well for testing and then see the outcome.
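
An added example (not from any poster in this thread): a Python check for the two addressing questions raised above, namely whether the VPN subnet, the server LAN and the client's own network overlap, and which route the NAS LAN address matches on a client whose tunnel mask is 255.255.255.252. The 10.8.0.0/24 VPN range, the tunnel address 10.8.0.6 and the 192.168.43.0/24 hotspot network are assumed values; 192.168.86.29 is the NAS address quoted later in the thread.

```python
import ipaddress

def find_overlaps(named_nets):
    """Return (name, name) pairs whose address ranges overlap."""
    nets = [(n, ipaddress.ip_network(c, strict=False)) for n, c in named_nets.items()]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]

def route_for(dest, routes):
    """Longest-prefix match over (cidr, label) routes; returns the winning label."""
    ip = ipaddress.ip_address(dest)
    best = None
    for cidr, label in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return best[1] if best else "no route"

# Constructed client routing state (assumed values, not taken from a real host).
TUNNEL_30 = ("10.8.0.6/255.255.255.252", "tunnel, on-link")
TUNNEL_24 = ("10.8.0.6/255.255.255.0", "tunnel, on-link")  # mask widened by hand
LAN_ROUTE = ("192.168.86.0/24", "tunnel, route to server LAN")
HOTSPOT = ("192.168.43.0/24", "hotspot, on-link")
DEFAULT = ("0.0.0.0/0", "default route")
NAS_LAN_IP = "192.168.86.29"

def nas_path(tunnel, with_lan_route):
    """Which route the NAS LAN address matches for a given tunnel mask."""
    routes = [tunnel, HOTSPOT, DEFAULT] + ([LAN_ROUTE] if with_lan_route else [])
    return route_for(NAS_LAN_IP, routes)

if __name__ == "__main__":
    print("with LAN route :", nas_path(TUNNEL_30, True))
    print("mask set to /24:", nas_path(TUNNEL_24, False))
    # Client sitting on a home network numbered like the server LAN.
    print("overlaps       :", find_overlaps({
        "vpn": "10.8.0.0/24",
        "server_lan": "192.168.86.0/24",
        "client_lan": "192.168.86.0/24",
    }))
```

Widening the tunnel mask only changes which tunnel addresses count as on-link; the NAS LAN address still matches nothing but the default route unless a route to the server LAN exists on the client.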
 
@Rusty, so after 1 week of this, I finally got it to work! The secret lies in the HOST file setting in Windows. I came across 1 post that mentioned modifying the host file and adding the IP address and the device name to the file. (instructions on how to find it and modify it is HERE). I added a line like below to the file and saved it.

192.168.86.29 SynologyNASDeviceName

Now, I can see my NAS device in the network explorer and the corresponding mapped network drives to the different shared folders. I double checked. If I comment out my edits, I immediately lose access to the mapped drives connections and shortcuts. The only way to get to the files is via DSM.

Thanks @Rusty for your suggestions. My NAS firewall is cleaned up, have the setups and accesses that I need. Now I'm good to go!
 
Hello all !
I am currently having the same issue as OP, and after weeks of fiddling around settings and firewalls I thought I'd better ask you guys directly.

Basically, I wish to connect to my workplace's network from my home network using OpenVPN and access LAN resources (i.e. by using remote desktop).

I followed several posts on this forum (including this one) and configured my NAS along, but without achieving much I'm afraid 😕
All I can do is connect to the VPN, but I can't access internet, my NAS nor LAN resources even though my external IP changes to the DDNS one and my session gets logged into the VPN Server logs.

At this point, it looks like I forgot to configure something, but I can't put my finger on it.

Any help would be greatly appreciated.

P.S. Is it ok for me to continue this thread or should I start a new one ?
 
Basically, I wish to connect to my workplace's network from my home network
Welcome to the forum!

So just to be clear on this. The NAS is at your workplace running VPN Server, and you are trying to connect to it from your home using an open VPN client?

What OS is in question here? What VPN client app?
 
I had the same problem, I was able to set up a VPN connection to my NAS, was able to log on to my router (192.168.*) but not able to connect to my NAS on the home network address. I found my solution on this site: Synology Community

The fix for me was to un-check the "Enable Multiple Gateways" in Network in the Control Panel.
Go to Control Panel->Network->General->Advanced Settings.

As soon as it was un-checked, I was able to access all my devices in my home network.
 
Thanks for the warm welcome !

You are right on this, the NAS is at my workplace, running VPN Server with OpenVPN.
I am indeed trying to connect from my home using OpenVPN Connect on Windows 10.
 
Just as a suggestion, could you try and use a different ovpn client? Personally I used to use Viscosity by SparkLabs. There is a 30 day trial option.

This is just a test to see if there is some issue on the client side in terms of the actual client itself.
 