DSM 6.2 Newbie Question: Does VPN server perform the functions of a paid VPN service?

[Voyager]

Hello,

Does the VPN server included with DSM allow me to make secure connections from computers on my home LAN to websites on the internet, or does it only allow an external computer to securely connect to my NAS?

If this VPN server does not work like a traditional paid VPN service, is there an alternate way to do this without signing up for a paid VPN?

Sorry, I don't know much about VPN technicalities, excuse the dumb question.

 

[fredbert]

Like other network services, e.g. web server and web browser (client), it takes both a VPN server and VPN client to create a VPN tunnel. The VPN server acts as the central point for multiple clients to make their connection. Once a connection, VPN tunnel, is created there can then be bi-directional access between other client and server services and this doesn't have to be all clients being at the VPN client end.

There are two basic VPN tunnel types:

1. Client to Site. This is the normal remote access for users to securely access home or business services.
2. Site to Site. This is usually a router at one site initiates a VPN tunnel to a VPN server at another site. This normally connects the two private LANs across, e.g., the Internet.

When looking at Internet VPN services, e.g. NordVPN / WindScribe / ExpressVPN, etc., these are VPN servers which also have a secured breakout onto the Internet. They can include additional features such as malware screening for traffic that the client device has tunnelled down to the service's site.

To access these Internet VPN services you use a VPN client, such as on your phone or Mac, and often will send all traffic from the client device to the VPN server. This is a Client to Site type.

Alternatively you can use the NAS's Network settings in Control Panel with it's built-in VPN client support. This can be used as a Site to Site connection. But you'd have to configure the NAS and LAN devices to know to use it to route traffic via its VPLN tunnel.

The Synology VPN Server package offer three VPN server types. Your home devices won't get any benefit from using this as they already have local access to the LAN and also Internet access through your router. But you can use it to get secure access for your mobile devices to the NAS or there LAN devices. This would also enable these mobile devices to use your home Internet access to get to web sites... meaning that if you're in the UK and travel to US then you can create a remote connection back home and any connections to the Internet will appear to be from your UK home, which could get you UK-geo-blocked access to sites such as BBC iPlayer. In this regard your NAS becomes like a private Internet VPN service using your home Internet access.

 

[Rusty]

is there an alternate way to do this without signing up for a paid VPN?

As @fredbert has already explained, I would just like to ask one question. What do you need it for, exactly? Putting a VPN client on the NAS means that you want to protect traffic from and towards the NAS itself. Is that towards the entire NAS or a specific service/app?

 

[Voyager]

What I am trying to do, and I can be totally off base, is to provide secure connections for all the computers on the same household LAN to the outside world (to login to my bank, make online purchases, etc.). Basically, what NordVPN, ExpressVPN, or PIA does, only I'm doing that myself on the NAS. Perhaps I misunderstand what the Synology VPN server does, thinking that it can replace NordVPN or ExpressVPN or PIA. Is sounds like the VPN server app only protects the NAS and not any other computers/devices connected to the same network, right?

fredbert, thank you for the detailed explanation of VPNs.

 

[fredbert]

It wasn’t just about VPNs in general, I also said about the specific situation of your LAN devices VPN’ing to the NAS (also on your LAN).

Think of a VPN tunnel like a bridge transporting traffic between A and B. If you have both ends at home then you aren’t going to arrive at your friends’s house.

To do what you want will require you to subscribe to one of those Internet VPN services. That way you’ll have encrypted traffic leaving your LAN out to a point on the Internet.

VPN Server doesn’t do what you want. Control Panel does.

 

[Rusty]

What I am trying to do, and I can be totally off base, is to provide secure connections for all the computers on the same household LAN to the outside world (to login to my bank, make online purchases, etc.)

You can do that as @fredbert said and on top of that you after you configure it on your nas you can then use your nas local ip address as a gateway parameter for your lan devices.

that way, while nas has a vpn connection up and running all your devices that are going through it will be protected as well.

 

[EAZ1964]

As I understand VPN, there is a fundamental difference though. A commerial VPN will hide your IP address, as “the other side“ will see the IP adress of the VPN service.
If you host your own VPN service, your IP is visible and tracking on IP will be done.
I also doubt if banking and online purchase will be safer, as HTTPS is now standard anyway.

 

[fredbert]

As I understand VPN, there is a fundamental difference though. A commerial VPN will hide your IP address, as “the other side“ will see the IP adress of the VPN service.
If you host your own VPN service, your IP is visible and tracking on IP will be done.

It's not that core VPN client/server principles are fundamentally different, rather it's how the person deploying them has decided on the environment into which it is implemented: the surrounding security functions and network access are different. The VPN server is only one part of the technology that is deployed.

An Internet VPN service will (actually 'can' as this isn't mandatory in VPN technology) hide the source IP. This will be using NAT just like the home firewall/router uses NAT to replace RFC 1918 LAN IPs behind the routable ISP IP of the router. In this comparison the VPN client traffic comes to the VPN server and then exits to the Internet using the local Internet IP address of that location, plus it's source IP will be NAT'ed to that IP address: which will be your home's ISP IP when using the NAS as the VPN server.


Using an Internet VPN service will displace the point of Internet access for its clients to the service's point of presence on the Internet. The IPs it uses on the Internet will be geo-located to where they have decided to register them, so the clients will seem to be coming from that geographic location. The clients will alos bypass their local ISP's services that may track traffic patterns and content monitoring. Unless the VPN client and server perform some compression then you're not going to affect the underlying speed of your connectivity.

However, you then must trust the Internet VPN service provider to not be doing the same and more to your connections at their data centre end.

If you are looking for secured connectivity and not to hide activity from your ISP or change geo-location then using HTTPS from home to your bank will be as secure. You should also be concerned about the security posture of the client and server devices, and environments as these are more likely to be targeted.