How to Set Up OpenVPN on a Synology NAS

In this tutorial, we will look at how to set up OpenVPN on a Synology NAS to safely and securely access your NAS from outside of your network. I used the VPN Server package to run OpenVPN for almost a year and had no issues at all. I was able to safely access my NAS anywhere in the world and more importantly, I could control access.

How to Set Up and Configure OpenVPN on a Synology NAS

The six steps below will walk you through the process of configuring OpenVPN on a Synology NAS, allowing access through Synology’s firewall, and ensuring that all port forwarding rules are successfully created.

Installing the VPN Server Application in the Package Center

The first step in configuring OpenVPN on a Synology NAS is installing the VPN server package which is where we’ll modify the OpenVPN configuration.

1. Open the Package Center and Install the VPN Server application.

2. Open the application and navigate to the OpenVPN section.

3. Enable OpenVPN Server. Change the Dynamic IP address range and maximum connection properties if you’d like.
   
   Since we are trying to access our Synology NAS outside of our network, we need to enable Allow clients to access server’s LAN, as well as Verify TLS auth key. The rest can stay as default. Click Apply.

4. Navigate to the privilege section and ensure that the user account that you’d like to connect to the VPN with has permission for OpenVPN.
   
   NOTE: I normally configure an individual user that has permission to the VPN server ONLY. This ensures that I connect to the VPN server with this user, and then access the NAS and everything else using my regular NAS username.

5. Finally, If you’re using Synology’s firewall, you’ll have to create an allow rule for UDP port 1194.

Open the Control Panel, Security, then navigate to the Firewall and Edit Rules. Create an Allow rule for the VPN Server (OpenVPN) application, UDP port 1194.

Port Forwarding for the OpenVPN Server

In order to connect, we must port forward UDP port 1194 on our router to our Synology NAS. Port forwarding will be completely different on every brand’s router settings page. This is a great guide that shows how to port forward on a few different brands of routers, but the best thing to do is try and do a web search on the name of your router and port forwarding.

This process requires you to have a static IP address set up on your NAS. If you don’t currently have a static IP address setup, read how to set up a static IP address here.

• Create a port forwarding rule for UDP port 1194 to your Synology NAS’s IP address. In the example below, 192.168.1.220 is the IP address of my Synology NAS.

Modifying the Configuration File

If you have a dynamic IP address (most people do), you’ll have to configure DDNS. If you don’t, you can skip over this section and use your external IP address in the YOUR_SERVER_IP section.

If you’d like to configure DDNS using a free synology.me hostname, you can follow Synology’s instructions here or this tutorial for DDNS (just don’t complete the port forwarding section in the DDNS tutorial).

1. Open the VPN Server application and select OpenVPN. Select Export configuration.

2. Extract the contents of the folder. We will only be editing the .ovpn file, so open that file with a text editor.
3. By default, you will receive a default configuration file with a unique certificate at the bottom. This document shouldn’t be shared with anyone other than users who you would like to authenticate with your VPN. We need to change the items below that are highlighted in blue.

• YOUR_SERVER_IP: This should be the DDNS hostname that you configured.
• redirect-gateway def1: This is what determines if you are configuring a split-tunnel or full-tunnel VPN.
  • NOTE: If you are using an iPhone and have iOS 7 or above, you will need to add redirect-gateway ipv6 under redirect-gateway def1.
• dhcp-option: If you have a local DNS server that you’d like to use, you can add the IP address of your DNS server there. If you don’t have a local DNS server, leave this line commented out.
  • NOTE: This is a very basic example of how DNS can be used.
• client-cert-not-required: This option is not added by default but should be added if you will be using the new OpenVPN clients (most people will be) as you’ll receive an error message if you don’t (though it will still work).

This is a sample configuration file, but yours will look different.

4. Save the configuration file and add it to any devices that you’d like to test the VPN connection with. I normally test the connection with my cellphone, as you cannot be on the same network as your VPN server. You MUST test this from an external network.

Connecting to the VPN Server from a Client

Now that we configured OpenVPN on a Synology NAS from a server perspective, we need to test our connection. Download the client on your cell phone or on a PC that you can connect to a different network. Remember, you must be connected to a different network to test this.

1. Download the OpenVPN client software for your device here.
2. Select the add button at the bottom and then choose File. You should now be prompted to browse for the .ovpn file that we created earlier. Upload the file and then login with your DSM username and password.

3. You should be able to connect to your VPN now.

Conclusion on the Synology NAS OpenVPN Configuration

This tutorial looked at how to set up OpenVPN on a Synology NAS. Configuring Synology’s VPN Server allows you to securely connect to your home network to access your NAS and local resources.

It also completely bypasses the need for QuickConnect or exposing your NAS to the internet (which is a security risk). As an added benefit, the full tunnel VPN connection will also secure your connection when on public Wi-Fi devices! If you have any questions or comments, please leave them below!