VPN server: on DSM or SRM?

fredbert

Moderator
NAS Support
Subscriber
5,122
2,072
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
  3. RT6600ax
  4. WRX560
Operating system
  1. macOS
Mobile operating system
  1. iOS
What is everyone's feeling on where to run a remote access VPN server? I'm guessing that if you have an SRM router then you also have a DSM NAS, but it's less likely the other way around.

Both VPN Server on DSM and VPN Plus on SRM support OpenVPN and L2TP/IPsec (let's forget PPTP). So unless SSL-VPN is needed there are two options for where to deploy the server.

I moved from DSM to SRM simply to move the remote access away from being directly connected to the NAS and its content. There is then the possibility to use DSM's firewall to control access from SRM's VPN users, should this be needed. When using DSM VPN Server the DSM firewall may have done the same filtering to protect local content, but it wasn't obviously so.

I suppose if VPN users only need access to the DSM content then use it, and don't allow VPNs to access the LAN. Otherwise, and this is my preference, separate the infrastructure device functions from server functions.
 
separate the infrastructure device functions from server functions.
Would agree with you on this one, but saying this I still run VPN on one of my NAS and not my router. Two reasons: first, I'm lazy atm to move it, and second, I don't wanna close DDNS access to my infrastructure. This would happen if I land VPN on my router (true, I could use multiple gateways etc.) but then we are back to reason no. 1 :).

All in all if there is an option to separate it, then do it by all means.
 
I just own a small NAS and I want to keep the NAS crisp for other services.
Therefore I chose to run a VPN server on a Raspberry.
It's running in combination with PiHole with a little tweak so all mobile devices run ad free worldwide.
The main reason for running it on a Raspberry is that, although it is possible to run PiHole via Docker, maintenance at every PiHole update is needed to get my connection between PiVPN and PiHole running again.
On a Raspberry it's no issue at all. With this in mind, PiHole also isn't supported on Synology and I just want a stable system without a hassle.
Another reason is the RPi runs 24/7 and doesn't need maintenance, and updating host files is done automatically.
Now and then I need to bring down the NAS, meaning mobile devices' VPN connections (when not at home) are lost and my wife and daughter start messaging me that they lost internet again ;-)
Running this way is just a personal choice...
 
Would agree with you on this one, but saying this I still run VPN on one of my NAS and not my router. Two reasons: first, I'm lazy atm to move it, and second, I don't wanna close DDNS access to my infrastructure. This would happen if I land VPN on my router (true, I could use multiple gateways etc.) but then we are back to reason no. 1 :).

Lazy is ok when things are working properly ;) You may have a more complicated setup than me.

I have DDNS on DSM to update a couple of services, and I'm being lazy not to move them to SRM. They have wildcard resolution back to my ISP connection. Then using DNS Server to mimic my domain resolution internally, because I'm lazy with bookmarks.

My Let's Encrypt certificate, managed by DSM, has alternate names for the packages' Custom Domains and reverse proxied sub-domains. It all works pretty well.

The only issue is getting signed Let's Encrypt certificates on to SRM and so to VPN Plus for Web VPN and SSL-VPN. That's because ports 80/443 are already forwarded to DSM.
 
The only issue is getting signed Let's Encrypt certificates on to SRM and so to VPN Plus for Web VPN and SSL-VPN. That's because ports 80/443 are already forwarded to DSM.
Think about using the LE docker container with DNS validation against Cloudflare. 80/443 will not be needed then, and on top of that you will be able to get a wildcard cert (not for Synology DDNS domains, but any 3rd party domain will work fine; I have had it like this for a while).
Also, you will be able to use that wild cert on multiple devices that you want to host under the same roof.
 
There for i chose to run a VPN server on a Raspberry.

Interesting. I was wondering about the possibilities of running RPi as an outbound VPN concentrator, so taking it off the SRM (which is really a VPN client for all outbound traffic). That would/should make it possible to split-tunnel outbound either via VPN or local ISP.

But PiVPN as a separate remote access server for OpenVPN. That's yet another thing it can do ... cheaply.
 
Think about using LE docker container with DNS validation against Cloudflare. 80/443 will not be needed then and on top of that...

I'm going to have to have a look at that. The main issue I have with Docker is that the repositories have very little explanation about the containers and there's a lot of trust to be placed in the people that release them.
 
From my personal experience I find having the router do the VPN service a bit more stable, and it allows a little bit better bandwidth.

We are using Synology VPNPlus now. The great thing about it is that it works well in combination with Synology site-to-site VPN (the networks of my brother, my parents and myself are now joined) and we are able to browse anything in any network (if we are not home :)). But............ it feels like the Synology VPNPlus configuration options are way too slim and it needs more time to 'grow up'. Especially if you check what configuration options are available with, for example, OpenVPN.

I just love how OpenVPN shows a simple console with all kinds of commands and codes flying by when connecting (which makes it easier to troubleshoot in an event of an issue). Synology VPNPlus doesn't have that.... :(
 
I'm going to have to have a look at that. The main issue I have with Docker is that the repositories have very little explanation about the containers and there's a lot of trust to be placed in the people that release them.
The linuxserver/letsencrypt image has a detailed page on usage. If you get stuck, you can always ask here ;)
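The setup suggested in the two posts above (the linuxserver/letsencrypt container doing DNS-01 validation against Cloudflare, so no inbound 80/443 is needed and a wildcard cert can be shared across DSM, SRM and anything else behind the same domain), written out as an added docker-compose example rather than anything posted in this thread. The environment variable names follow the image's documented usage but should be checked against its current page; the domain, e-mail, UID/GID and host path are placeholders.

```yaml
# docker-compose.yml for linuxserver/letsencrypt with Cloudflare DNS-01 validation.
# Added illustration; values marked "placeholder" must be replaced.
version: "3"
services:
  letsencrypt:
    image: linuxserver/letsencrypt
    container_name: letsencrypt
    environment:
      - PUID=1000                 # placeholder: UID that owns the /config host path
      - PGID=1000                 # placeholder: matching GID
      - TZ=Europe/London          # placeholder: your timezone
      - URL=example.com           # placeholder: your own 3rd-party domain, not a *.synology.me name
      - SUBDOMAINS=wildcard       # request *.example.com alongside the apex
      - VALIDATION=dns            # DNS-01 challenge: the TXT record proves control, so 80/443 stay closed
      - DNSPLUGIN=cloudflare      # credentials come from /config/dns-conf/cloudflare.ini
      - EMAIL=admin@example.com   # placeholder: Let's Encrypt expiry notices
      - ONLY_SUBDOMAINS=false     # include the apex name in the certificate
      - STAGING=false             # set to true while testing to avoid LE rate limits
    volumes:
      - /volume1/docker/letsencrypt:/config   # placeholder host path; certs land under /config/etc/letsencrypt
    restart: unless-stopped
```

The container reads the Cloudflare credentials from /config/dns-conf/cloudflare.ini (the file it creates on first run); keep that file readable only by the container's user, because whoever holds the key can change every record in the zone, not just the ACME TXT entry. The resulting wildcard certificate under /config/etc/letsencrypt/live/ can then be imported into DSM and SRM (and so VPN Plus) and renews without any port forward to the NAS.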
 
Just remembered another 'feature' I've done for using VPN Plus on SRM because I don't run media and user services on the SRM router, and only my administrator user has login access to the SRM GUI.

So while I could use local user accounts (they couldn't manage their passwords), what I did instead was to set up LDAP Server on DSM. In the LDAP service I created an account for my users and also a vpn users group. On DSM these LDAP users only have restricted privileges but can log in to DSM to manage their passwords. If I hadn't already made local users on DSM I might have used LDAP for user accounts*.

On SRM the vpn users group has privilege to use the VPN services.
*though I couldn't get Mail Server to work with LDAP accounts.
**briefly thought about linking WiFi to RADIUS on DSM but realised life is too short.
 
So while I could use local user accounts (they couldn't manage their passwords), what I did instead was to set up LDAP Server on DSM.

On SRM the vpn users group has privilege to use the VPN services.

I have this as well. Works well; users can use the same credentials on every Synology device in my networks thanks to LDAP.

*though I couldn't get Mail Server to work with LDAP accounts.
Ye.......... Can your NAS run MailPLUS instead? I have that running and works well with LDAP.

**briefly thought about linking WiFi to RADIUS on DSM but realised life is too short.
Tried this out and it turned out to be a nightmare. Especially Android clients that connect to a WPA2-Enterprise WiFi (which is what your WiFi turns into if you link it to a RADIUS) will keep whining about a certificate...
 
We are using Synology VPNPlus now

What are the advantages of VPN Plus on the SRM vs just VPN Server on the DSM (which is what I run now)? I just use it to access SRM and DSM services remotely and to encrypt traffic when on strange WiFi. Not a power user like many of you.
 
What are the advantages of the VPN Plus on the SRM vs just VPN Server on the DSM (which is what I run now)?
VPN Plus offers a web-based portal for specific apps that you want access to inside your network, but without the need for a VPN client. So if you wanna offer secure access to a specific app and not your whole network, and on top of that not "force" remote users to use any VPN client while not exposing that same app via a reverse proxy, then VPN Plus (the Web VPN option) is the way to go.

Another option is using it for RDP or Site to Site VPN options.
 
Ye.......... Can your NAS run MailPLUS instead? I have that running and works well with LDAP.
Coming back to this ... I recently saw that Mail Server (non-Plus) runs with users from either local database or LDAP, but not both together. I've already got it with local users so for my usage it's not worth the effort to migrate to LDAP.

What are the advantages of the VPN Plus on the SRM vs just VPN Server on the DSM
  1. It has more types of VPN service.
  2. SSL VPN service (needs licences: 1 free is included) is an easy solution for mobile devices...no OpenVPN .ovpn file to maintain, and reconnects when device's network connection changes (unlike most L2TP clients).
  3. It separates remote access termination from content servers: terminates connections before they get inside your LAN.
  4. DSM firewall can be used to implement policies that definitely address access from VPN users, (it's not clear how it manages access from DSM VPN Server users, or if it does).
  5. You can split the VPN services across SRM and DSM if you want to, e.g.:
    1. SSL VPN (inc WebVPN and Remote Desktop) and L2TP/IPsec: SRM VPN Plus
    2. OpenVPN: DSM VPN Server
  6. There's more flexibility for setting the VPN services' client subnets in VPN Plus.
  7. Better dashboard.
Not a power user like many of you
Sometimes a 'power user' is just someone that likes to play with kit to see what happens :)
 
The 1 BIG reason why I use Synology VPN is so clients end up in the same subnets as the perimeter network. This allows the VPN clients to also be able to connect through my site-to-site tunnels.

Synology doesn't support OpenVPN with a TAP interface, so clients end up in a different subnet. OK, the advantage there is that it reduces broadcast and overhead traffic on the VPN connection. But VPN clients cannot then connect to 'another' NAS (for a particular service, like MailPlus) in another site. This major disadvantage doesn't weigh against that small advantage for me at all.
 
Think about using the LE docker container with DNS validation against Cloudflare. 80/443 will not be needed then, and on top of that you will be able to get a wildcard cert (not for Synology DDNS domains, but any 3rd party domain will work fine; I have had it like this for a while).
Also, you will be able to use that wild cert on multiple devices that you want to host under the same roof.
I wouldn't mind doing something like this in the future.

Please consider writing a tutorial, as I'm pretty sure I'd fail at trying to set it up :giggle:
 
I wouldn't mind doing something like this in the future
Don't want to digress too much from the main topic, but keep a lookout for the DSM 6.2.2-UP3 that came out a few days ago. Its main feature is LE support with ACME v2, meaning that you can finally get LE wildcard certificates. Still not sure if this will be limited to *.yourcustomname.synology.me domains or any domain, but if you are not open to having your own domain name and paying for it, this might be just what's needed for most.

Haven't tested this version as of yet so can't say and would be best to open a separate topic on the matter.
 
Thanks, I'll take a look at that.

I do already have some of my own domain names, so it would be good if I could use them for this.
 