VPN server: on DSM or SRM?


fredbert

Mega Poster
What is everyone's feeling on where to run a remote access VPN server. I'm guessing that if you have an SRM router then you also have a DSM NAS, but less likely the other way around.

Both VPN Server on DSM and VPN Plus on SRM support OpenVPN and L2TP/IPsec (let's forget PPTP). So unless SSL-VPN is needed there are two options for where to deploy the server.

I moved from DSM to SRM simply to move the remote access away from being directly connected to the NAS and its content. There is then the possibility to use DSM's firewall to control access from SRM's VPN users, should this be needed. When using DSM VPN Server the DSM firewall may have done the same filtering to protect local content, but it wasn't obviously so.

I suppose if VPN users only need access to the DSM content then use it, and don't allow VPNs to access the LAN. But otherwise, and my preference, is to separate the infrastructure device functions from server functions.
 

Rusty

Staff member
Moderator
NAS Support
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
separate the infrastructure device functions from server functions.
Would agree with you on this one but saying this I still run VPN on one of my NAS and not my router. 2 reasons. 1st I'm lazy atm to move it and second I don't wanna close DDNS access to my infrastructure. This would happen if I land VPN on my router (true I could use multiple gateways etc) but then we are back to reason no.1 :).

All in all if there is an option to separate it, then do it by all means.
 

Siewert_JR

Bit Poster
github.com
NAS
DS218J + APC Back-UPS BX700U-GR - Win10/RPi user
I just own a small NAS and I want to keep the NAS crisp for other services.
Therefore I chose to run a VPN server on a Raspberry.
It's running in combination with PiHole with a little tweak so all mobile devices run ad free world wide.
Main reason for running it on a Raspberry is that, although it is possible to run PiHole via docker, maintenance at every PiHole update is needed to get my connection between PiVPN and PiHole running again.
While on a Raspberry it's no issue at all. With this in mind, PiHole also isn't supported for Synology and I just want a stable system without a hassle.
Other reason is the RPi runs 24/7 and doesn't need maintenance, and updating host files is done automatically.
While now and then I need to bring down the NAS, meaning mobile devices' VPN connections (not at home) are lost and my wife and daughter are starting to message me that they lost internet again ;-)
Running this way is just a personal choice...
 

fredbert

Mega Poster
Would agree with you on this one but saying this I still run VPN on one of my NAS and not my router. 2 reasons. 1st I'm lazy atm to move it and second I don't wanna close DDNS access to my infrastructure. This would happen if I land VPN on my router (true I could use multiple gateways etc) but then we are back to reason no.1 :).
Lazy is ok when things are working properly ;) You may have a more complicated setup than me.

I have DDNS on DSM to update a couple of services, and I'm being lazy not to move them to SRM. They have wildcard resolution back to my ISP connection. Then using DNS Server to mimic my domain resolution internally, because I'm lazy with bookmarks.

My Let's Encrypt certificate, managed by DSM, has alternate names for the packages' Custom Domains and reverse proxied sub-domains. It all works pretty well.

The only issue is getting signed Let's Encrypt certificates on to SRM and so to VPN Plus for Web VPN and SSL-VPN. That's because ports 80/443 are already forwarded to DSM.
 

Rusty

Staff member
Moderator
NAS Support
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
The only issue is getting signed Let's Encrypt certificates on to SRM and so to VPN Plus for Web VPN and SSL-VPN. That's because ports 80/443 are already forwarded to DSM.
Think about using LE docker container with DNS validation against Cloudflare. 80/443 will not be needed then and on top of that, you will be able to get a wild card cert (not for synology ddns domains but for any 3rd party will work fine, I have it like this for a while).
Also, you will be able to use that wild cert on multiple devices that you want to host under the same roof.
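A small added example (not from the thread, not part of any Synology or linuxserver code) to check which host names a wildcard certificate like the one Rusty describes actually covers before you deploy it on several devices. The SAN list and host names are constructed; matching follows the usual rule (RFC 6125) that the `*` stands for exactly one left-most DNS label, so a wildcard does not cover the apex name or deeper sub-domains unless those are listed separately.

```python
"""Added example: which host names a wildcard certificate covers.
Names below are constructed for illustration."""

from typing import Iterable


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if a SAN entry (plain or '*.' wildcard) matches hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard replaces exactly one label: same label count, and every
    # label after the first must be identical. So '*.example.net' covers
    # 'nas.example.net' but not 'example.net' or 'a.b.example.net'.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(sans: Iterable[str], hostname: str) -> bool:
    """True if any SAN on the certificate covers hostname."""
    return any(wildcard_matches(s, hostname) for s in sans)


# Constructed SAN list: apex plus wildcard, the pair you would normally
# request together with DNS validation so both the bare domain and every
# single-level sub-domain are covered by one certificate.
SANS = ["example.net", "*.example.net"]


def coverage_report(sans, hosts):
    """Map each host name to whether the certificate covers it."""
    return {h: cert_covers(sans, h) for h in hosts}


if __name__ == "__main__":
    hosts = ["nas.example.net", "vpn.example.net", "example.net",
             "media.nas.example.net", "nas.example.org"]
    for host, ok in coverage_report(SANS, hosts).items():
        print(f"{host:24s} {'covered' if ok else 'NOT covered'}")
```

The last two host names in the usage block are the common surprises: a second-level name under the wildcard and a different domain both fall outside the certificate, which is why a DDNS name under a provider's domain (where you do not control the DNS zone) cannot be folded into your own wildcard.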
 

fredbert

Mega Poster
Therefore I chose to run a VPN server on a Raspberry.
Interesting. I was wondering about the possibilities of running RPi as an outbound VPN concentrator, so taking it off the SRM (which is really a VPN client for all outbound traffic). That would/should make it possible to split-tunnel outbound either via VPN or local ISP.

But PiVPN as a separate remote access server for OpenVPN. That's yet another thing it can do ... cheaply.
 

fredbert

Mega Poster
Think about using LE docker container with DNS validation against Cloudflare. 80/443 will not be needed then and on top of that...
I'm going to have to have a look at that. The main issue I have with Docker is that the repositories have very little explanation about the containers and there's a lot of trust to be placed in the people that release them.
 

Shadow

Byte Poster
NAS
DS216+II, DS118
Router
RT1900ac, RT2600ac
From my personal experience I find having the router do the VPN service a bit more stable and it allows a little bit better bandwidth.

We are using Synology VPNPlus now. The great thing about it is it works well in combination with Synology site-to-site VPN (networks of my brother, parents and myself are now joined) and we are able to browse anything in any network (if we are not home :)). But............ it feels Synology VPNPlus configuration options are way too slim and it needs more time to 'grow up'. Especially if you check what configuration options are available with, for example, OpenVPN.

I just love how OpenVPN shows a simple console with all kinds of commands and codes flying by when connecting (which makes it easier to troubleshoot in an event of an issue). Synology VPNPlus doesn't have that.... :(
 

Rusty

Staff member
Moderator
NAS Support
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
I'm going to have to have a look at that. The main issue I have with Docker is that the repositories have very little explanation about the containers and there's a lot of trust to be placed in the people that release them.
linuxserver/letsencrypt image has a detail page on usage. If you get stuck, you can always ask here ;)
 

fredbert

Mega Poster
Just remembered another 'feature' I've done for using VPN Plus on SRM because I don't run media and user services on the SRM router, and only my administrator user has login access to the SRM GUI.

So while I could use local user accounts (they couldn't manage their passwords) what I did instead was to set up LDAP server on DSM. In the LDAP service I created an account for my users and also a vpn users group. On DSM these LDAP users only have restricted privileges but can log in to DSM to manage their passwords. If I hadn't already made local users on DSM I might have used LDAP for user accounts*.

On SRM the vpn users group has privilege to use the VPN services.


*though I couldn't get Mail Server to work with LDAP accounts.
**briefly thought about linking WiFi to RADIUS on DSM but realised life is too short.
 

Shadow

Byte Poster
NAS
DS216+II, DS118
Router
RT1900ac, RT2600ac
So while I could use local user accounts (they couldn't manage their passwords) what I did instead was to set up LDAP server on DSM.

On SRM the vpn users group has privilege to use the VPN services.
I have this as well. Works well, users can use the same credentials on every Synology device in my networks thanks to LDAP.

*though I couldn't get Mail Server to work with LDAP accounts.
Ye.......... Can your NAS run MailPLUS instead? I have that running and works well with LDAP.

**briefly thought about linking WiFi to RADIUS on DSM but realised life is too short.
Tried this out and it turned out to be a nightmare. Especially Android clients that connect to a WPA2-Enterprise WiFi (which it will transform into if you link your WiFi to RADIUS) will keep whining about a certificate...
 

fredbert

Mega Poster
I can use Mail Plus but I need eight accounts and I’m too cheap to pay the extra licences. My use of Mail Server is as an archive from my email service: it gets forwarded copies for recovery if we need to move service.
 

daptap

Byte Poster
NAS
DS718+
Router
RT2600ac
We are using Synology VPNPlus now
What are the advantages of the VPN Plus on the SRM vs just VPN Server on the DSM (which is what I run now)? I just use it to access SRM and DSM services remotely and to encrypt traffic when on strange WiFi. Not a power user like many of you.
 

Rusty

Staff member
Moderator
NAS Support
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
What are the advantages of the VPN Plus on the SRM vs just VPN Server on the DSM (which is what I run now)?
VPN plus offers a web based portal for specific apps that you want access to inside your network but without the need of a vpn client. So if you wanna offer a secure access to a specific app and not your whole network and on top of that not "force" remote users to use any VPN client while not exposing that same app via a remote proxy, then VPN plus (Web VPN option) is the way to go.

Another option is using it for RDP or Site to Site VPN options.
 

fredbert

Mega Poster
Ye.......... Can your NAS run MailPLUS instead? I have that running and works well with LDAP.
Coming back to this ... I recently saw that Mail Server (non-Plus) runs with users from either local database or LDAP, but not both together. I've already got it with local users so for my usage it's not worth the effort to migrate to LDAP.

What are the advantages of the VPN Plus on the SRM vs just VPN Server on the DSM
  1. It has more types of VPN service.
  2. SSL VPN service (needs licences: 1 free is included) is an easy solution for mobile devices...no OpenVPN .ovpn file to maintain, and reconnects when device's network connection changes (unlike most L2TP clients).
  3. It separates remote access termination from content servers: terminates connections before they get inside your LAN.
  4. DSM firewall can be used to implement policies that definitely address access from VPN users, (it's not clear how it manages access from DSM VPN Server users, or if it does).
  5. You can split the VPN services across SRM and DSM if you want to, e.g.:
    1. SSL VPN (inc WebVPN and Remote Desktop) and L2TP/IPsec: SRM VPN Plus
    2. OpenVPN: DSM VPN Server
  6. There's more flexibility for setting the VPN services' client subnets in VPN Plus.
  7. Better dashboard.
Not a power user like many of you
Sometimes a 'power user' is just someone that likes to play with kit to see what happens :)
 

Shadow

Byte Poster
NAS
DS216+II, DS118
Router
RT1900ac, RT2600ac
The 1 BIG reason why I use Synology VPN is so clients end up in the same subnets as the perimeter network. This allows the VPN clients to also be able to connect through my site-to-site tunnels.

Synology doesn't support OpenVPN with a TAP interface, so clients end up in a different subnet. Ok, the advantage there it reduces broadcast and overhead traffic on the VPN connection. But VPN clients cannot then connect to 'another' NAS (for a particular service, like MailPlus) in another site.. This major disadvantage for me doesn't weigh against this small advantage for me at all.
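An added example, written for this thread rather than taken from it or from any Synology software, that puts two of the points above into working code: fredbert's idea of using the DSM firewall to write policies that "definitely address access from VPN users" once the VPN terminates on SRM, and Shadow's observation that this only works when VPN clients land in their own subnet (TUN style) rather than inside the LAN (TAP style). The subnets, ports and rule set are constructed; the evaluator is a generic first-match policy check, not the DSM firewall's actual implementation.

```python
"""Added example: first-match firewall policy keyed on the VPN client subnet.
All subnets, ports and rules are constructed for illustration."""

import ipaddress
from dataclasses import dataclass
from typing import Optional, FrozenSet, Union

Network = Union[str, ipaddress.IPv4Network]


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network       # source network the rule matches
    ports: Optional[FrozenSet[int]]  # destination TCP ports, None = any port


# Constructed addressing: LAN behind the router, and a separate pool that
# the router's VPN service hands to remote clients.
LAN = ipaddress.ip_network("192.168.1.0/24")
VPN_CLIENTS = ipaddress.ip_network("10.8.0.0/24")

# Rules on the NAS, evaluated top to bottom, first match wins, default deny.
# VPN users get only HTTPS and the DSM GUI; LAN hosts keep full access.
DSM_RULES = [
    Rule("allow", VPN_CLIENTS, frozenset({443, 5001})),
    Rule("deny", VPN_CLIENTS, None),
    Rule("allow", LAN, None),
]


def evaluate(rules, src_ip: str, dst_port: int) -> str:
    """Return the action of the first rule matching (src_ip, dst_port)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip in rule.src and (rule.ports is None or dst_port in rule.ports):
            return rule.action
    return "deny"  # nothing matched: implicit deny


def can_distinguish(vpn_pool: Network, lan: Network) -> bool:
    """A source-based rule can single out VPN users only when their pool
    does not overlap the LAN. If clients are bridged into the LAN subnet
    (TAP), the NAS sees them as ordinary LAN hosts and such rules cannot
    separate them."""
    return not ipaddress.ip_network(vpn_pool).overlaps(ipaddress.ip_network(lan))


if __name__ == "__main__":
    print(evaluate(DSM_RULES, "10.8.0.7", 5001))      # allow: DSM GUI for VPN user
    print(evaluate(DSM_RULES, "10.8.0.7", 445))       # deny: SMB blocked for VPN users
    print(evaluate(DSM_RULES, "192.168.1.20", 445))   # allow: LAN host
    print(can_distinguish(VPN_CLIENTS, LAN))          # True: separate pool (TUN)
    print(can_distinguish("192.168.1.128/25", LAN))   # False: bridged pool (TAP)
```

The trade-off Shadow describes falls out of `can_distinguish`: a separate client subnet is what makes per-VPN-user rules possible on the NAS, while bridging clients into the LAN gives them the same reach as local hosts (including across site-to-site tunnels) at the cost of that distinction.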
 

jono

Byte Poster
NAS
DS1019+, DS218+, DS416play
Router
RT2600ac
Think about using LE docker container with DNS validation against Cloudflare. 80/443 will not be needed then and on top of that, you will be able to get a wild card cert (not for synology ddns domains but for any 3rd party will work fine, I have it like this for a while).
Also, you will be able to use that wild cert on multiple devices that you want to host under the same roof.
I wouldn't mind doing something like this in the future.

Please consider writing a tutorial, as I'm pretty sure I'd fail at trying to set it up :giggle:
 
