Synology VPN Server not accessing local services

NAS
rs820+
I have a hosted Synology with a static public IP; this server is running the following:

  • VPN Server
  • Active Directory Server
Clients using the VPN server are redirected correctly to use the VPN IP, but when they try to access the Active Directory on the same server they access it with the origin IP, so the firewall blocks the connection.

Any suggestions?
 
Firewall is on the NAS? If so you could allow vpn subnet access to your lan subnet and that should solve this.
Thanks Rusty. The firewall is enabled and configured to allow all access for VPN.
At the same time, when the firewall was disabled I saw clients accessing the NAS with the ISP IP, not the VPN or dynamic IP, bearing in mind that when I check the client IP on Google I see the VPN IP.
 
Not sure I follow here.

So you turned the fw off and your connected clients had their own public isp ips? Why did you expect vpn ip in the first place? Also what dynamic ip?

So if you test once you connect as a vpn user, can you test LDAP over 389/udp towards your nas? Do you get any results?
 
The NAS static public IP is 84.16.**.**; the VPN dynamic IP for the client is 10.8.0.6.

When a client is connected to the VPN, Google shows the IP (84.16.**.**), but when the client tries to connect to the Active Directory server it shows the client's public IP (as if no VPN is running), which is not allowed through the firewall.
 
Is that VPN profile configured to pass all traffic via the VPN or is it split?
 
I've read this a few times now and it's not clear what is going on.

Hosted Synology [NAS]
Client
VPN

Are you running a business providing access to this hosted Synology NAS? I thought that must be the case when I first read the posts. When you use the term 'client' do you mean 'your customer' or a 'VPN client' application? Which VPN service are you using: OpenVPN, L2TP/IPsec; PPTP? And what is Google doing in all of this?

If your remote devices are creating a VPN tunnel to the NAS, accessing the AD service using the NAS's private IP address, then the source IP address should be the dynamic IP address assigned for the VPN client connection by the VPN server.
 
Hi Fredbert,
I have a Synology NAS hosted at infomaniak.com; this Synology NAS uses a static public IP (84.16.**.**).
Both the VPN server and Synology Directory Server are running on the same Synology NAS.

Client means devices joined to the domain. When a client starts the VPN everything goes well and they start browsing the internet with the VPN IP or gateway (84.16.**.**), but when a client wants to contact the Synology Directory Server they contact it with the original IP (as if no VPN is running), so the FW will block the connection.

Goal: make clients connect to Synology Directory Server using the VPN.
 
The VPN I'm using is OpenVPN, and here is the point: when I disable the FW I saw in the AD log that devices are connecting using the ISP IP, not the VPN dynamic IP.

If devices were connecting via the VPN dynamic IP, then I could enable it in the FW and that would solve the issue.
 
How are the remote clients accessing Synology Directory Server? I assume it is either one of these:
  • OpenVPN server IP address (usually the .1 address on the OpenVPN subnet).
  • NAS's LAN IP.
If you use a domain name to access the Directory Server then that requires whichever DNS server your remote devices are using to resolve to a private IP address associated with the NAS. Otherwise the connection will be routed out towards the Internet and then you're relying on the Internet firewall/router to know to pass the connection back to the NAS, and not NAT the source IP address in the process.
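
Why the destination address decides which source IP the NAS sees, as an added example that is not part of the original post: it runs longest-prefix route selection over the route table a full-tunnel OpenVPN client typically ends up with. The route table, the interface names, the firewall rule and the addresses 203.0.113.10 and 198.51.100.25 (placeholders for the masked NAS public IP and the client's ISP address) are assumptions.

```python
import ipaddress

# Constructed stand-ins: the thread masks the real public address (84.16.**.**).
NAS_PUBLIC = "203.0.113.10"    # placeholder for the NAS static public IP
CLIENT_ISP = "198.51.100.25"   # placeholder for the client's own ISP address
VPN_CLIENT = "10.8.0.6"        # dynamic VPN IP quoted in the thread
VPN_SERVER = "10.8.0.1"        # the .1 address on the OpenVPN subnet

# Assumed client route table after a full-tunnel OpenVPN connect:
# (destination network, outgoing interface, source IP used on it)
ROUTES = [
    ("0.0.0.0/0", "eth0", CLIENT_ISP),         # original default route
    ("0.0.0.0/1", "tun0", VPN_CLIENT),         # VPN override, lower half
    ("128.0.0.0/1", "tun0", VPN_CLIENT),       # VPN override, upper half
    ("10.8.0.0/24", "tun0", VPN_CLIENT),       # OpenVPN subnet
    (NAS_PUBLIC + "/32", "eth0", CLIENT_ISP),  # host route that carries the tunnel itself
]

# Assumed NAS firewall rule, as described in the thread: only the VPN subnet is allowed.
ALLOWED_SOURCES = [ipaddress.ip_network("10.8.0.0/24")]

def path_for(dest):
    """Return (interface, source IP) chosen by longest-prefix match."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(n), i, s) for n, i, s in ROUTES
               if addr in ipaddress.ip_network(n)]
    _, iface, src = max(matches, key=lambda m: m[0].prefixlen)
    return iface, src

def firewall_allows(dest):
    """Would the NAS firewall accept a connection the client sends to dest?"""
    _, src = path_for(dest)
    return any(ipaddress.ip_address(src) in net for net in ALLOWED_SOURCES)

if __name__ == "__main__":
    for label, dest in [("NAS public IP / FQDN", NAS_PUBLIC),
                        ("NAS VPN address", VPN_SERVER),
                        ("other Internet host", "192.0.2.80")]:
        iface, src = path_for(dest)
        print(f"{label:22} {dest:14} via {iface}, source {src}")
    print("AD via public IP allowed:", firewall_allows(NAS_PUBLIC))
    print("AD via VPN address allowed:", firewall_allows(VPN_SERVER))
```

The /32 host route to the VPN server's public address is what keeps the encrypted tunnel packets off the tunnel; any service addressed to that same public IP follows it and arrives with the ISP source address.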
 
Right now the clients access Synology Directory Server using OpenVPN hosted on another (CentOS 7) server; this VPN IP is allowed in the NAS FW, and it works well but slowly.
Sure, the DNS server is working; if I disable the FW anyone on the internet can access the AD domain.

So I need to use Synology VPN Server instead of the (CentOS 7) VPN. When clients connect to the Synology VPN:

- They can browse and do everything OK.
- When they connect to Synology AD (on the same VPN server) they connect with the normal public IP, which is not allowed on the FW.
 
Did you ever figure out this problem? I am experiencing the same issue now.

The web is accessible via the VPN’s Public IP but all Synology’s services are accessed using the Client’s public IP instead of the VPN Dynamic IP.
 
What do your VPN client settings look like exactly?
 
It seems many people are having this problem. The workaround is to use the physical private IP of the NAS instead of the public IP or FQDN.

Rusty, I don’t think you understand this to offer help based on your question. Jojo made it very clear as to what the problem is.
 
Well, I wasn't asking OP, who stopped posting on the matter 1,5m ago. I was referring to you, but ok, I'll take a back seat np.
 
I'm having the same issue. I can't add the public IP in the FW access list because for the NAS I'm accessing from my ISP IP address, not the public IP from the VPN. Using the local NAS IP address is not a solution for me because I want to access the service from different IPs in the whitelist, not only through VPN and also domain name pointed to the IP for the Git service installed in the NAS.

Did you figure it out?
