How to Set Up OpenVPN on a Synology NAS

In this tutorial, we will look at how to set up OpenVPN on a Synology NAS. This allows you to safely and securely access your NAS from outside of your local network.

If you’re interested in understanding how to configure OpenVPN on a Synology NAS at a deeper level, check out our video below!

How to Set Up and Configure OpenVPN on a Synology NAS

The steps below will walk you through the process of configuring OpenVPN on a Synology NAS.

Step 1: Installing the VPN Server Application in the Package Center

1. Open the Package Center and install the VPN Server application.

2. Open the VPN Server application and navigate to the OpenVPN section.

3. Enable OpenVPN Server. Change the Dynamic IP address range and maximum connection properties to your desired settings (this is the IP address the VPN clients will use and the total number of connections per account).
   
   Since this setup allows us to access our Synology NAS outside of our local network, we need to enable Allow clients to access server’s LAN, as well as Verify TLS auth key.

4. Navigate to the privilege section and enable access for the users that you’d like to use OpenVPN.
   
   NOTE: I normally configure an individual user who has permission to the VPN server ONLY. This ensures that I connect to the VPN server with this user, and then access the NAS and everything else using my regular NAS username, but this is not required.

5. If you’re using Synology’s firewall, create an allow rule for UDP port 1194.

Step 2: Port Forward the OpenVPN Server Port

In order to connect to the VPN server, we must port forward UDP port 1194 on our router to the Synology NAS. Port forwarding will be completely different on every brand’s router settings page.

You must have a static IP address set up on your Synology NAS to use port forwarding. If you don’t currently have a static IP address set up, read how to set up a static IP address here.

• Create a port forwarding rule for UDP port 1194 to the IP address of your Synology NAS. In the example below, 192.168.1.220 is the IP address of my Synology NAS.

Step 3: Modify the OpenVPN Configuration File

If you have a dynamic external IP address, you’ll have to configure DDNS. If you don’t have a dynamic IP address, you can skip over this section and use your external IP address in the YOUR_SERVER_IP section.

If you’d like to configure DDNS using your Synology NAS, you can follow Synology’s instructions here or this tutorial for DDNS (just don’t complete the port forwarding section in the DDNS tutorial).

1. Open the VPN Server application and select OpenVPN. Select Export configuration.

2. Extract the contents of the folder. We will only be editing the .ovpn file, so open that file with a text editor.
3. By default, you will receive a default configuration file with a unique certificate at the bottom of it (the random numbers/letters). This document shouldn’t be shared with anyone other than users who will be authenticating with your VPN.
   
   There are a few changes that must be made to this configuration file:

• YOUR_SERVER_IP: This should be the DDNS hostname that you configured.
• redirect-gateway def1: This is what determines if you are configuring a split-tunnel or full-tunnel VPN.
  • NOTE: If you are using an iPhone and have iOS 7 or above, you will need to add redirect-gateway ipv6 under redirect-gateway def1.
• dhcp-option: If you have a local DNS server that you’d like to use, you can add the IP address of your DNS server there. If you don’t have a local DNS server, leave this line commented out.
  • NOTE: This is a very basic example of how DNS can be used.
• client-cert-not-required: This option is not added by default but should be added if you will be using the new OpenVPN clients (most people will be) as you’ll receive an error message if you don’t (though it will still work).

This is a sample configuration file, but yours will look different.

4. Save the configuration file and add it to any devices that you’d like to test the VPN connection with. I normally test the connection with my cellphone, as you cannot be on the same network as your VPN server. You MUST test this from an external network.

Connecting to OpenVPN Server from a Client Device

Now that we have configured OpenVPN on a Synology NAS from a server perspective, we need to test our connection. Download the client on your cell phone or on a PC that you can connect to a different network with. Remember, you must be connected to a different network to test this.

1. Download the OpenVPN client software for your device here.
2. Select the add button at the bottom and then choose File. You should now be prompted to browse for the .ovpn file that we created earlier. Upload the file and then log in with your DSM username and password.

3. You should be able to connect to your VPN now.

Conclusion on the Synology NAS OpenVPN Configuration

This tutorial looked at how to set up OpenVPN on a Synology NAS. Configuring Synology’s VPN Server allows you to securely connect to your home network to access your NAS and local resources.

It also completely bypasses the need for QuickConnect or exposing your NAS to the internet (which is a security risk). As an added benefit, the full tunnel VPN connection will also secure your connection when on public Wi-Fi devices!