How to Access NAS remotely with just OpenVPN


I have one question, that I have never found a way around for:

I have created a xxx.synology.me DDNS, and I can't seem to access it through my LAN, as it requires me to open port 5000/5001.
If I do open these ports, my connection in LAN works for the DDNS; however, I can also access my NAS remotely with the same DDNS when port 5000/5001 is open on my router.

How can I access my NAS through DDNS using just OpenVPN, and not port forward 5000/5001?

Any ideas?
 
Close those ports on your router, and configure the VPN server (on a custom port or the default 1194 UDP one). Once you have it configured, connect to it and you will be able to access your NAS on those 5000/5001 ports even though they are not opened on the router. You will access them as if they were local.
 
Upvote 0
So if I close all ports on the router and only open port 1194, and configure OpenVPN on the NAS, and also allow port 1194 in the firewall.

I still cannot access my NAS remotely, even though OpenVPN says it's connected.
 
Upvote 0
I still cannot access my NAS remotely, even though OpenVPN says it's connected
If you have a NAS firewall up and running, you will have to create an allow rule that will give your VPN subnet range access to your LAN range (or NAS IP). Then it will work.
 
Upvote 0
Not sure how that rule looks on your end, but make one that has VPN service going to your Source IP (specific IP) and select subnet. For the subnet value, enter the value of your VPN subnet, which you can check inside the VPN application. Finally select allow, and that's it.

[Attached image: Screenshot 2022-02-03 at 13.48.41.png]

Subnet is for example 192.168.25.0 with 255.255.255.0 as the mask
 
Upvote 0
Let me try the setting and see if it works.
Just a clarification. Is it 10.8.0.0 OR 10.8.0.1 (as per image)?

Also, how do I access DDNS in local LAN without opening the 5000/5001 port?
 
Upvote 0
I still cannot access my NAS remotely, even though OpenVPN says it's connected.
Are you using the NAS’ IP address or the VPN’s dynamic address?

Edit. Rephrase:
Once you’re connected over the VPN, are you trying to reach your DSM management screen by entering the NAS’ IP address or the VPN’s dynamic IP address?
How are you doing it?
 
Upvote 0
Just a clarification. Is it 10.8.0.0 OR 10.8.0.1 (as per image)?
10.8.0.0 with a subnet mask

Also, how do I access DDNS in local LAN without opening the 5000/5001 port?
If your router supports NAT loopback, you will be able to access the NAS using its DDNS address on those ports while inside the LAN. If not, use the IP address of the NAS itself.
 
Upvote 0
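
An added example, not from any poster in this thread: a simplified first-match model of a source-IP firewall, showing why a VPN client in 10.8.0.0/255.255.255.0 is dropped until that subnet gets its own allow rule, while ports 5000/5001 stay closed to the internet. The 192.168.1.0 LAN range, the sample client and internet addresses, and the default-deny behaviour are assumptions.

```python
import ipaddress

def subnet_rule(addr, mask, ports, action="allow"):
    """Source-subnet rule; ports is "all" or a set of destination ports."""
    # strict=False normalises a host address (10.8.0.1) to its network (10.8.0.0).
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return {"net": net, "ports": ports, "action": action}

def evaluate(rules, src_ip, dst_port, default="deny"):
    """First matching rule wins; traffic that matches nothing gets `default`."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if src in rule["net"] and (rule["ports"] == "all" or dst_port in rule["ports"]):
            return rule["action"]
    return default

# Constructed rule sets. 192.168.1.0/24 stands in for the LAN (assumption);
# 10.8.0.0/255.255.255.0 is the VPN subnet named in the thread.
BEFORE = [
    subnet_rule("192.168.1.0", "255.255.255.0", "all"),   # LAN clients
    subnet_rule("0.0.0.0", "0", {1194}),                  # any source may reach OpenVPN
]
AFTER = BEFORE + [
    subnet_rule("10.8.0.0", "255.255.255.0", "all"),      # VPN clients
]

def report():
    """Verdict before/after adding the VPN-subnet rule for three constructed sources."""
    cases = [("10.8.0.6", 5001), ("203.0.113.7", 5001), ("203.0.113.7", 1194)]
    return {(ip, port): (evaluate(BEFORE, ip, port), evaluate(AFTER, ip, port))
            for ip, port in cases}

if __name__ == "__main__":
    for (ip, port), (before, after) in report().items():
        print(f"{ip:>12} -> :{port:<5} before={before:<5} after={after}")
```

In CIDR terms 10.8.0.1 with mask 255.255.255.0 and 10.8.0.0 with the same mask name the same network; how the DSM rule editor treats a host address in that field is not modelled here.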
Ofc, as expected. But if you are inside your LAN that will not make any difference, and if you are going over VPN, once you have connected, again you are back in your LAN.

So with an active vpn there is no actual need to run your services over https or try and access them over ddns name.
 
Upvote 0
I am afraid it doesn't work. The connection on OpenVPN times out, and never connects.

I have allowed Firewall as 10.8.0.0 and subnet mask of 255.255.255.0 for the port 1194 (OpenVPN)

I have 2 routers set up, of which one is a modem and the other is connected to its WAN. I have opened 1194 on both routers.

In the VPN config file I have added my DDNS name before 1194.

What am I doing wrong here?
 
Upvote 0
My OpenVPN log on Synology is saying connected.
But when I am actually connected I can't access the server through DDNS, nor 192.168.X.X, nor the network mapped drive
Any more firewalls on some level? It has to be a network access problem on some level. Your VPN subnet has no visibility to your LAN subnet and as a result, you can't access it.
 
Upvote 0
This is my firewall setting:
[Attached image: 1643968091657.png]

A few things to note:
1) If I set up an OpenVPN server on the router, I can access Synology remotely by 192.168.X.X, but can't do so with DDNS, as that requires me to have the HTTPS port open on the router.
2) If I open the HTTPS port on the router, I can access Synology with my DDNS name, no OpenVPN required.

So the thing is, I can access Synology by the above method remotely, but why can't the VPN server set up on the Synology itself access the NAS?
 
Upvote 0
Sounds similar to a few of the issues I was having in this thread, which got resolved - have a read through:

 
Upvote 0
Ya, I read it, and I have done everything up to the point where you add the local gateway of the router where the NAS is located.

File will look like this: dhcp-option DNS 192.168.X.X

But this also didn't work.
8.8.8.8 didn't work
8.8.4.4 didn't work

At this moment I am just throwing different numbers lol

What did you do differently?
 
Upvote 0
my ovpn file has this:
dhcp-option DNS 192.168.1.1

the whole file is:

Code:
dev tun
tls-client

remote vpn.xxxxxx.uk

# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect its
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

redirect-gateway

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

dhcp-option DNS 192.168.1.1

pull

# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp

script-security 2


comp-lzo

reneg-sec 0

cipher AES-256-CBC

auth SHA512

auth-user-pass

It's pretty basic, I think, but it works.

Re your firewall rules, I have these two enabled that I think are for the VPN server:

Ports all / Source IP specific range 192.168.5.1 to 192.168.5.10 [this one ties into the network you set up in VPN server]
Ports all / Source IP subnet 192.168.1.1 / 255.255.255.0 [I think this one gives access to the network generally]

For what it's worth, I did have a firewall rule specifically for the VPN server but it's not enabled....

Can't promise the above is the right thing to do from a security point of view!!!
 
Upvote 0
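
An added example, not the poster's or Synology's own tooling: a small audit of the client file posted above (comments stripped) that lists the directives a defender would review, next to a constructed variant with those settings changed. The finding names and the `HARDENED` variant are assumptions made for illustration.

```python
POSTED = """\
dev tun
tls-client
remote vpn.xxxxxx.uk
redirect-gateway
dhcp-option DNS 192.168.1.1
pull
proto udp
script-security 2
comp-lzo
reneg-sec 0
cipher AES-256-CBC
auth SHA512
auth-user-pass
"""

def parse_ovpn(text):
    """Map each directive to the argument lists of its occurrences."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives

def audit(text):
    """Return the names of the settings worth reviewing, in check order."""
    d = parse_ovpn(text)
    findings = []
    # comp-lzo with anything but "no" enables compression on the tunnel,
    # which leaks information about the plaintext through packet sizes.
    if any(args != ["no"] for args in d.get("comp-lzo", [])):
        findings.append("comp-lzo")
    # reneg-sec 0 turns off time-based renegotiation of the data-channel key.
    if ["0"] in d.get("reneg-sec", []):
        findings.append("reneg-sec")
    # Level 2 and above lets OpenVPN run user-defined scripts.
    if any(a and a[0].isdigit() and int(a[0]) >= 2 for a in d.get("script-security", [])):
        findings.append("script-security")
    # Without one of these the client never checks that the peer presents
    # a server certificate.
    if not ({"remote-cert-tls", "verify-x509-name"} & d.keys()):
        findings.append("no-server-cert-check")
    return findings

# Constructed variant: flagged lines dropped, server-certificate check added.
HARDENED = "\n".join(l for l in POSTED.splitlines() if l.split()[0] not in
                     {"comp-lzo", "reneg-sec", "script-security"}) + "\nremote-cert-tls server\n"
```

Compression has to be switched off on the server as well, since both ends must agree on it before the tunnel will pass traffic.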