Troubleshooting Connectivity Issues with OpenVPN and Wireguard on Synology NAS

NAS: DS920+, DS916+, DS211j
Operating system: macOS, Windows
Mobile operating system: Android, iOS
I am encountering the following problem:

I have OpenVPN installed on my Synology NAS with the aim of allowing users from various locations to log in to the NAS, both via mobile data and WiFi when on site. While mobile access functions properly, accessing the NAS from locations with WiFi poses an issue.

Problem scenario 1 is as follows:

At location B, WiFi access is not functional due to the location sharing the same IP range as my home network, specifically 192.168.178.0/24. After some research, it seems that this conflict arises because of the identical IP ranges with OpenVPN. My query is how to resolve this conflict to enable OpenVPN to connect to LAN devices at location B via WiFi?

Problem scenario 2 is as follows:

From location C, I can establish an OpenVPN connection to the home network but cannot access the NAS. In this case, the IP address from location C is a static public IP assigned by the WiFi network, for instance, 146.50.*.. Despite this, there is no successful connection to the NAS. I have attempted the following:
  • Verifying all settings, ports, and firewall rules (all are correct).
  • Temporarily disabling the firewall (no improvement).
Accessing the NAS is feasible when connecting via mobile data. My query remains: how can I enable OpenVPN to access the NAS from location C via WiFi?
What's peculiar is that I've also configured Wireguard via Docker (weejewel/wg-easy), and with this setup, I can connect to the home network and access the NAS from location C. However, the same issue with conflicting IP ranges arises at location B with Wireguard.

Therefore, how can I resolve the issue of conflicting IP ranges with OpenVPN and Wireguard, and how can I rectify the WiFi problem at location C? I would greatly appreciate any suggestions or ideas to address these challenges.

Thank you in advance for your assistance!
The VPN connection needs to have unique subnets for each of the client's LAN, the VPN service's clients, and the server's LAN. If there is overlap in IP ranges, then the client device will have problems routing packets via the tunnel to the desired destination. When the client LAN subnet is the same as the server's LAN, then the routing table in the client device will be directing packets to the client LAN. The NAS's services can be accessed on .1 of the VPN service's subnet, well, for VPN Server services.

Short of changing one of the site's LAN subnet? It's going to be more complicated.
Upvote 0
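To make the routing argument in the reply above concrete, here is an added example (not code from the thread, from Synology or from OpenVPN) that checks a set of site subnets for overlap and models the client's route lookup. It parses the `route` lines of the OpenVPN client profile posted later in the thread and shows why, at a site whose LAN is also 192.168.178.0/24, packets for the NAS-side LAN stay on the local WiFi while the VPN-subnet address still goes down the tunnel. The sample profile text is constructed; the tie-break rule (an equal-length on-link LAN route beats a tunnel route) is an assumption that matches what the original poster observes, and the NAS address 10.6.0.1 is derived from the reply's ".1 of the VPN subnet" hint applied to the 10.6.0.0/24 route in the profile.

```python
"""Subnet-overlap and route-shadowing check for a road-warrior VPN client."""
import ipaddress
from itertools import combinations

# Constructed profile fragment; the two route lines mirror the thread's profile.
SAMPLE_PROFILE = """\
dev tun
route-nopull
# NAS-side LAN
route 192.168.178.0 255.255.255.0
# VPN client subnet
route 10.6.0.0 255.255.255.0
dhcp-option DNS 192.168.178.1
"""


def parse_routes(profile_text):
    """Return the destination networks named by 'route <net> <mask>' lines."""
    routes = []
    for raw in profile_text.splitlines():
        # OpenVPN treats '#' and ';' as comment markers.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "route":
            routes.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return routes


def subnet_conflicts(named_subnets):
    """Pairs of names whose subnets overlap (client LAN, VPN clients, server LAN)."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in named_subnets.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def next_hop(destination, local_lan, tunnel_routes):
    """Longest-prefix match between the on-link LAN route and the tunnel routes.

    Assumption: on an equal prefix length the on-link (local LAN) route wins,
    so the packet never enters the tunnel. That is the failure the thread
    describes at location B.
    """
    dst = ipaddress.ip_address(str(destination))
    candidates = []  # (prefix length, preference, name); lower preference wins ties
    if dst in local_lan:
        candidates.append((local_lan.prefixlen, 0, "lan"))
    for net in tunnel_routes:
        if dst in net:
            candidates.append((net.prefixlen, 1, "tun"))
    if not candidates:
        return "default"
    return max(candidates, key=lambda c: (c[0], -c[1]))[2]


def shadowed_destinations(tunnel_routes, local_lan):
    """Tunnel routes whose first usable host would be sent to the local LAN instead."""
    return [
        net
        for net in tunnel_routes
        if next_hop(net.network_address + 1, local_lan, tunnel_routes) == "lan"
    ]


def site_report(site_name, client_lan_cidr, profile_text=SAMPLE_PROFILE):
    """Summarise which profile routes a client at this site cannot reach via the tunnel."""
    local_lan = ipaddress.ip_network(client_lan_cidr)
    routes = parse_routes(profile_text)
    return {
        "site": site_name,
        "shadowed": [str(n) for n in shadowed_destinations(routes, local_lan)],
        # .1 of the VPN client subnet is where the reply says VPN Server answers.
        "nas_via_vpn_ip": next_hop("10.6.0.1", local_lan, routes),
    }


if __name__ == "__main__":
    print(subnet_conflicts({
        "client_lan": "192.168.178.0/24",   # location B (same range as home)
        "vpn_clients": "10.6.0.0/24",
        "server_lan": "192.168.178.0/24",   # home network
    }))
    print(site_report("location B", "192.168.178.0/24"))
    print(site_report("location C", "192.168.50.0/24"))  # constructed non-overlapping LAN
```

Running it shows the overlap between `client_lan` and `server_lan`, the 192.168.178.0/24 route shadowed at location B, and the VPN-subnet address still resolving to the tunnel at both sites, which is why the reply suggests reaching the NAS by its VPN server address rather than its LAN address.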
Short of changing one of the site's LAN subnet? It's going to be more complicated.
Unfortunately, this is not an option. I was hoping for a simpler solution.

Could I perhaps use the second NIC from my NAS for this, if I set it to a different IP range and I also create a new network in my RT6600ax router for this IP range... would this theoretically work? Just a thought...
Upvote 0
You could try connecting NAS LAN 2 interface to use a VLAN ID of another of the RT6600ax's private LANs. Then set up router port forwarding to the LAN 2 IP address. I would doubt that this would allow the remote client device to access devices on the NAS site, unless they too are on this other private LAN. The issue here sounds to be the overlap of IP addresses and the inability of the client device to route to the remote site when it knows the subnet exists at its local site.

I would still try to access the NAS down the VPN tunnel using its VPN server IP address, not its LAN IP address.

In the OpenVPN profile have you assigned a DNS server? Is that DNS server the LAN IP address of the NAS's LAN? The RT6600ax, which would be seen by the VPN client as on its local LAN, won't be causing the issue if you only use IP addresses.
Upvote 0
In the OpenVPN profile have you assigned a DNS server? Is that DNS server the LAN IP address of the NAS's LAN? The RT6600ax, which would be seen by the VPN client as on its local LAN, won't be causing the issue if you only use IP addresses.
I'm using the DNS of the router and I'm also running the DNS Server app on the router. This way, when I have a user log in from the outside they can still use the subdomains, e.g. dsfile.domain.tld, to log in to the DSFile app on their mobile devices. So no need to switch every time between subdomain and IP when logging in... that's the idea behind my local LAN setup. Everything in my LAN is reachable using a subdomain.
So to make that work this way I have to add the router IP and the routes I have added.

This is part of the openvpn config file:
Code:
dev tun
tls-client

remote [ddnsname].duckdns.org 1194

# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect its
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

#redirect-gateway def1
route-nopull
route 192.168.178.0 255.255.255.0
route 10.6.0.0 255.255.255.0

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

dhcp-option DNS 192.168.178.1
dhcp-option DOMAIN domain.tld

pull

# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp

script-security 2
comp-lzo

reneg-sec 0

cipher AES-256-CBC

auth SHA512

auth-user-pass
Upvote 0