Setting up OpenVPN Server on a Synology NAS (Step-by-Step Tutorial)

Video Statistics and Information

Captions
Hey guys, in this video we're going to take a look at how you can set up OpenVPN on your Synology NAS to securely connect to your local network from wherever you are. Now, OpenVPN is fairly complicated for a lot of people, so we're going to break this down step by step and try and explain everything throughout the entire process, but there's a few important notes you have to be aware of. The first is you have to be able to port forward. If you can't port forward, unfortunately you're not going to be able to use OpenVPN. The second is that the setup process is a little bit more complicated than something like Tailscale, which you can also run on your Synology NAS. Tailscale is a zero-configuration VPN, but they basically manage the entire process for you, so really all you're doing on your NAS itself is opening up the Package Center, installing Tailscale, and then configuring that, and in a few steps, honestly like three to five minutes, you can probably have Tailscale up and running and access your NAS. That's out of scope for this video. I do have an article on Tailscale I'll leave in the description, and I also have instructions for everything in regards to OpenVPN, which we'll be doing today, that I will leave in the description as well. So let's get into it.

So the very first thing that you have to do is open up the Package Center, search for the VPN Server application, and then install it. So while this is installing, what I want to mention is we'll be configuring OpenVPN on your NAS in this video, but if you have a different device that is capable of running a VPN server, you can do it there as well. So for transparency purposes, I did use OpenVPN on my NAS for about a year and it worked well, no problems. Right now it runs on my firewall on pfSense, and I use both WireGuard and OpenVPN on that server. So while I'm showing you this today, this is not currently what I'm using, but the point is there are multiple places where you can run a VPN server. It does not have to be on your NAS. So now that
that's out of the way and the VPN Server application is installed, the first thing you're going to see here is the General Settings and the Privileges. We're going to go through each of these. Now, General Settings: just make sure, this should automatically set to the LAN interface that you're currently using. I only have one ethernet cable plugged into my NAS right now, but if you have multiple, any of them will be fine. The point is you want to make sure that you're connecting to the correct network interface.

The second thing we're going to take a look at is this Privileges tab. So by default all of your users are going to have privilege, meaning that if they're capable of connecting to any of the VPN servers, they will have permission to do that. So what I like to do is actually uncheck all of this and apply it, so at this point nobody has access to anything. And then what I do is I come into the Control Panel, go to Users and Groups, and then I create a new user that will only be used for the VPN tunnel. So this user will not have permission to any shared folders. This user will not have permission to do anything other than connect to OpenVPN. You do not have to do it this way. If you have regular users on your NAS, you can just allow them to sign in. I like to manage it this way mainly because then I'm connecting to the VPN with a different user than I will actually connect to my NAS with, but there's not a right or wrong answer.

So I'm going to go in here and I am going to walk through this, and what you'll see is, while they'll be added to the users, I'm going to provide no access to all my shared folders. Then we're going to keep walking through this, and then I'm going to deny access to everything, and then we are going to create this user. So now we have a new user account which we'll use only to connect through OpenVPN. So if we close out of here, and we can close out of the Package Center, let's refresh this and then you'll see this new user. So we're going to uncheck this user
from everything other than OpenVPN, and at this point we will connect to the VPN using this VPN user account, and then from there we will go through and connect to DSM and everything else using our regular DSM users. So one point I want to, you know, really highlight here is that if you have multiple people that are connecting to your NAS, this is probably not something you're going to do. This is another layer of security, technically, at least that's how I look at it, but you don't have to do it this way. If you have multiple users that will be connecting, just set up their user accounts to have permission to OpenVPN and you'll be fine.

So moving on to OpenVPN here, the first thing you're going to see is this OpenVPN server, and we're going to enable it. Now this 10.8.0.1, that is the IP address of your OpenVPN server. So every client that you have that's going to connect to this VPN server will actually be assigned an IP address. When they're assigned that IP address, they'll be connecting through the 10.8.0 subnet. So if you have multiple users, 10.8.0.2, 10.8.0.3, you get the point: every user will connect using a different IP address on this 10.8.0 subnet. Now this maximum connection number, this is going to really be based on how many users you're connecting. Most people, I'm assuming, it's going to be a small number, but you can modify this as well. And then max connections of an account: you can actually connect multiple times on an individual account, but you can modify this setting if you want.

Now Port, this is important. By default the OpenVPN port is UDP port 1194. Right now I'm going to change this to 1195, only because I am using OpenVPN on pfSense right now. I have it running and it's using port 1194. So the point here is you can make this anything that you want. If you want to just change it to get off of the default port, you can do that. If you want to leave it at 1194, you can do that as well. I am only changing it because I don't want to disable everything that I have on OpenVPN
currently, so I'm changing it to 1195, but you'll have to remember this for a little later, so take note of that and then let's move on. All of this other stuff can stay as default. This is really just the encryption. I would say that whatever Synology sets here, leave it as default. And this bottom section here is going to become pretty important. The first thing we're going to take a look at is this Allow clients to access server's LAN. Now, Allow clients to access server's LAN, what that means is you're going to be connecting to a VPN tunnel, a secure VPN tunnel. When you connect to that tunnel, what it's going to allow you to do is access the services on your local network if you select this. So let's say you have a PC and you want to access it when you connect to your VPN: you will have to have this setting enabled. If you don't have it enabled, you're not going to be able to actually access it. The next thing we're going to take a look at is this Verify TLS auth key. I would keep this as enabled, and then I would apply all of these settings. Verify the server common name: honestly, I've had problems with this in the past. I would probably not recommend that you turn that on. You can turn it on, though. It's going to try and validate a few additional parameters that we're not going to go into. I did have problems with that. If you want to try it out, you can.

So believe it or not, but the VPN server is actually configured at this point, but we're not close to where we need to be. So the next step is going to be DDNS. Now DDNS will ensure that you're connecting to your external IP address at all times. If your external IP address ever changes, it will automatically update that DDNS host name, and then you'll ensure that you're always connecting to it. Few notes that I want to make: if you have a static external IP address, meaning that it never changes, you do not have to do this. Most home users do not have a static external IP address, so we're going to go through the process of configuring DDNS now,
but if you have a static external IP address, you can skip this step. So the easiest way, in my opinion, is to actually use Synology's built-in DDNS service. So what you could do is open up the Control Panel, go to External Access, and then go to DDNS. From there you are going to select Synology, then you're going to select a host name. Now this is the host name that will update if your external IP address ever changes. You'll then see that Auto is selected for both IPv4 and IPv6. This should be fine. If you don't have an IPv6 address you can disable this if you want, but either way, leaving this as Auto should be fine. Now what we're going to do is test the connection, and then as soon as that reports back as Normal you should be good.

The other thing that I want to point out here is Get a certificate from Let's Encrypt and set it as default. I like to select this, and the reason I like to select this is because when you get a certificate from Let's Encrypt this way, it actually gets it through DNS. I don't want to get too complicated here, but when you get a certificate from Let's Encrypt normally, you have to open a port, so 80 or 443, on your router, and at that point it goes through and validates the certificate, and that's how you would manage it moving forward. When you get a certificate using this method right here, this DDNS method on your NAS, what it's actually doing is it's obtaining it through DNS. So what that means is you don't have to open ports 80 or 443, and moving forward all of the renewals will actually be done through DNS as well. So you'll never have to have a port open, and you will have a DDNS host name with a valid SSL certificate from Let's Encrypt that is renewed through DNS. I just said a lot. It'll make a little bit more sense in a second here, but when you select OK here, what you'll see is that this certificate will be set as the default certificate. So we're going to click OK here, and then it's going to take a few minutes, but you will get a certificate, and then what is
going to happen is the web server is actually going to restart, and once it restarts we'll get back to this.

Okay, so after the DDNS is done configuring, the web server will actually restart and you can continue to it. And what you'll see is, if you open up the Control Panel, go to Security, and then select Certificate, what you'll see is we have our DDNS certificate. So it's a wildcard certificate and it's actually renewed through DNS. Now in the settings here you'll see that everything was changed to this. The reason it's important to do it in this order is because when we export our VPN configuration file, what we're actually doing is exporting a certificate that's part of the VPN configuration file. So you have to do it in this order, but the point is we're using this certificate, and now we can move on to finishing the creation of OpenVPN.

So we're going to open up the VPN Server, we're going to go back to OpenVPN, and then we are going to export this configuration file. The only other thing I want to point out is, all of these settings, when you actually change them, what you're really doing is modifying the configuration file. So if you hover over any of these, what you'll actually see is that they go through and they say you have to re-export the configuration file. The reason you have to re-export the configuration file is because it's adding parameters to that VPN configuration file. So whenever you make a change, the easiest thing you can do is export the configuration file and start to use that. But I do want to point out that if you open the VPN configuration file and you manually make changes to it, that works as well. So let's export it and then this will make a little bit more sense.

So I'm going to open up this VPN configuration file with this text edit program, and then you will see that this is our VPN configuration file. So a few things that we have to change right off the bat. So our DDNS host name has to go here. So mine was ddns wonder.
synology.me. If you aren't sure what it is, you can go back into External Access, DDNS, and then you'll see your DDNS host name here. As long as it says Normal, you're good. So we're going to minimize this again, and then what you're going to see is 1195. This is the port that we're using for OpenVPN. If you didn't change this port it will still be 1194, or if you changed it to something entirely different it will reflect that here.

Two things I want to talk through. The first thing we're going to do is add a parameter, client-cert-not-required. If we don't add this, you're just going to get a certificate error that you have to click through every time you try and connect to the VPN server. Not a major problem, but I like to add this. The other thing we're going to talk about is this redirect-gateway. So by default OpenVPN is configured as a split tunnel VPN. What that means is that you will only route traffic for your local network through this VPN tunnel. So when you're connecting to it, all of your traffic will still go out through whatever network you're currently on, but if you try to connect to your NAS, for example, it will route that traffic through the VPN tunnel. If you uncomment this (what these hashtag, pound signs are for is they're comments, so when it's written this way it's commented out, so nothing will actually run, and when you remove it you're uncommenting it), when you remove that, what it's actually going to do is it's going to route all of your traffic through the VPN tunnel.

So what I personally like to do is I like to create two VPN configuration files, one for full tunnel, one for split tunnel. So what I'm going to do here is I'm going to save this, and then I'm going to come in here and I'm going to just rename this to VPN full tunnel, and then I'm going to copy this and I'm going to paste it. I'm going to rename this to VPN split tunnel, and then we're going to go through and we're going to open this again with our text editor, and then we are going to
comment this out again, and now we have two configuration files. Now this is the configuration file, so anything you change here in one way or another will alter this VPN tunnel. So the reason why VPNs are secure, and the reason why people suggest them, is because, whether you realize it or not, you actually have multiple forms of authentication with this VPN tunnel. So not only do you need the username and the password that we configured earlier, you actually need the certificate file / configuration file as well. If you have one and not the other, there's nothing that you're going to be able to do. So you actually have multiple forms of authentication built in. The other thing is that you're only opening one port. In this case I'll be opening UDP port 1195, but you only have one port that you're actually utilizing, and you're able to access all of your services on your local network.

So now that we have our VPN configuration files set up, what we have to do is move on to the actual port forwarding section. Now port forwarding is going to be the most frustrating part of this for most people, because I can't really show it to you. What I will do is show you how to port forward on pfSense, but port forwarding on pfSense is drastically more complicated than probably any other device that you're going to be using, so this section is going to look very confusing. I promise you it's probably not going to be this confusing on your setup, but regardless, we will walk through it.

So before we get to that point, you have to make sure the IP address on your Synology NAS is static. So this is the local IP address in this Network section. I have a Synology NAS setup, you know, full-length movie that I released last week that goes into this, but if you edit this, what you'll see is I have the static IP address 10.2.0.59 set. You can do this on your router if you want to set a DHCP reservation, it's better to do it there, or you can come in here and you can use manual configuration, and then
the NAS will attempt to use this IP address at all times. This is very important because you're going to be port forwarding. So this is, in pfSense, my port forwarding rule. So way more complicated than yours is going to look, but we will quickly talk through this. So what we're doing is we are port forwarding UDP port 1195 to our Synology NAS. So what we're basically doing is we're saying that on UDP port 1195 we're going to open that up for this device and this device only, so that's why this IP address is here. Redirect target port is the same, they just match. You don't have to worry about this. Once again, this is just pfSense being pfSense, and then you can save this. I have an old screenshot from, I think it's a Netgear router, that I will leave in the written instructions that you'll see as well. This step is going to be different for everybody. Just Google whatever router you have and port forwarding and you should find steps on how to port forward. You just have to make sure that you port forward UDP port, whatever you selected, to your Synology NAS.

So at this point we port forwarded, we configured the VPN server, we have our DDNS host name set up, everything is ready to go. The next step is going to be actually connecting. So what I'm going to do is I'm actually going to import these. So you'll see here, this is my pfSense VPNs that I have set up already. Okay, so what I did is I just copied them to the desktop to make it a little easier, and what I'm going to do is I'm just going to drag and drop them in. So what you'll see is that we have our profile name here. I'm just going to change this, and now what we have to do is connect with the VPN user that we configured earlier. Now everything else should be good, so you can click Connect here. It's going to attempt to connect, but we're on the same network. We'll get to that in a second. And then we're just going to drag in the second file here. All right, so we have both of our VPN configuration files in. I'll talk through the
differences in a second, but what you have to do is you have to ensure that you're on an external network. So what I'm quickly going to do is open up a hotspot on my phone, connect to it, and then we'll regroup back in a second.

So I have my hotspot that I just connected to. If you attempt to connect on your local network, it's not going to work. So connected to the hotspot, this is the first time I'm running it. We are going to come in here, attempt to connect, and assuming that it works, it's going to take a second here because it's a hotspot. Okay, so technical difficulties, because I have WireGuard set to automatically connect, so that was causing some problems, but now we're back and we're connected to our hotspot. What we're going to do is try and connect to the VPN tunnel, and you will see that we are good. So really quickly, I will disconnect from the VPN tunnel, go back to DSM, try and connect to it, and you will see that I am not able to connect. If we wait long enough, it's actually going to be an error page. All right, while we're waiting for that to error out, I'm actually going to show you that, what you can see is we're connected to the split tunnel VPN right now and our public IP address is the IP address of my hotspot, so we are not able to connect to Synology DSM. What we're going to do is we are going to come back here, connect to the VPN split tunnel, and then we're going to refresh DSM, and you're going to see that DSM is going to start to load. It's slow because my hotspot is very slow, but you get the point. So once again, our external IP address, it's still going to be our hotspot while we're connected to the VPN. We're only connected to the VPN for traffic that is destined for the VPN server, meaning your local IP addresses on your local network. What we're going to quickly do, minimize this, and we are going to connect to the full tunnel VPN. When we connect to the full tunnel VPN, what you'll see is we can still connect to DSM, albeit very slowly.
All right, that took forever, but the point remains: we can still connect to DSM. But what I really wanted to show you is that we are now connected to my home network, meaning all of our traffic is going through our home network.

So when would you use a split tunnel VPN and when would you use a full tunnel VPN? This is the way that I do it. If you want to route all of your traffic through your home at all times, obviously you'll use a full tunnel VPN. But when I'm on a public Wi-Fi I will always use a full tunnel VPN, and basically all other scenarios I use a split tunnel VPN. So if I'm connected to a family member's house, their Wi-Fi, I'll, you know, route out all my regular traffic through their Wi-Fi, then I'll route only the traffic destined for the VPN server through that VPN tunnel. It just allows me to browse the internet faster. However, if you want privacy, meaning if you want everything to route through your home network, you would then use the full tunnel VPN. So the reason I like to create both of these is really just for that reason. It ensures that if I want to route all of my traffic through the VPN tunnel I can, and if I don't want to, I don't have to.

So that is basically the entire tutorial. Like I said, I have written instructions that will walk through the entire process. I will leave a link in the description for that, but that really will just break down each individual step and walk you through the entire process of creating the configuration file, etc. So to recap, the majority of people recommend a VPN tunnel mainly because you're able to access your entire home network if you really want to. This is not something that you have to do. You can use QuickConnect, or you can use port forwarding, though I do not recommend it, or you can use reverse proxy. You get the point. A VPN tunnel is a secure way of accessing your home network, and it not only allows you to access your Synology NAS, but it allows you to access all of the other devices on your
personal network. So I'm hopeful that this video helped you out. If it did, please consider giving it a thumbs up. Also, please consider subscribing to the channel if you like this type of content, and if not, I will see you next time.
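
The two-profile edit described in the captions (point the `remote` line at the DDNS host name and port, then leave `redirect-gateway` commented for split tunnel or uncomment it for full tunnel), as an added example that is not from the video or its written instructions. The sample profile, `PLACEHOLDER_HOST`, `vpn.example.net` and the function names are constructed for illustration; a real export contains more directives.

```python
import re

# Constructed sample, not a real export; PLACEHOLDER_HOST is hypothetical.
SAMPLE_EXPORT = """\
dev tun
remote PLACEHOLDER_HOST 1194
#redirect-gateway def1
auth-user-pass
<ca>
(certificate body omitted in this constructed sample)
</ca>
"""

BLOCK_OPEN = re.compile(r"<[a-z0-9-]+>")
BLOCK_CLOSE = re.compile(r"</[a-z0-9-]+>")
REMOTE = re.compile(r"\s*remote\s+\S+(?:\s+\d+)?(.*)")
REDIRECT = re.compile(r"\s*[#;]*\s*(redirect-gateway(?:\s+def1)?)\s*")


def build_profile(exported, host, port, full_tunnel):
    """Set the remote; full tunnel = redirect-gateway active, split = commented."""
    if not re.fullmatch(r"[A-Za-z0-9.-]+", host) or not 1 <= port <= 65535:
        raise ValueError("invalid host name or port")
    out, in_block, saw_remote, saw_redirect = [], False, False, False
    for line in exported.splitlines():
        s = line.strip()
        if BLOCK_OPEN.fullmatch(s):        # inline <ca>, <tls-auth>, ... begins
            in_block = True
        elif BLOCK_CLOSE.fullmatch(s):
            in_block = False
        elif not in_block:                 # never rewrite certificate/key bodies
            remote, redirect = REMOTE.fullmatch(line), REDIRECT.fullmatch(line)
            if remote:
                line, saw_remote = f"remote {host} {port}{remote.group(1).rstrip()}", True
            elif redirect:
                line = ("" if full_tunnel else "#") + redirect.group(1)
                saw_redirect = True
        out.append(line)
    if not saw_remote:
        raise ValueError("profile has no remote line to update")
    if full_tunnel and not saw_redirect:
        out.append("redirect-gateway def1")
    return "\n".join(out) + "\n"


def summarize(profile):
    """Report the active settings of a profile, ignoring comments and inline blocks."""
    info = {"remote": None, "tunnel": "split", "user_pass": False, "inline_ca": False}
    in_block = False
    for line in profile.splitlines():
        s = line.strip()
        if BLOCK_OPEN.fullmatch(s):
            in_block, info["inline_ca"] = True, info["inline_ca"] or s == "<ca>"
        elif BLOCK_CLOSE.fullmatch(s):
            in_block = False
        elif not in_block and s and s[0] not in "#;":
            words = s.split()
            if words[0] == "remote" and len(words) >= 2:
                has_port = len(words) > 2 and words[2].isdigit()
                info["remote"] = (words[1], int(words[2]) if has_port else 1194)
            elif words[0] == "redirect-gateway":
                info["tunnel"] = "full"
            elif words[0] == "auth-user-pass":
                info["user_pass"] = True
    return info


if __name__ == "__main__":
    for name, full in (("VPN full tunnel", True), ("VPN split tunnel", False)):
        print(name, summarize(build_profile(SAMPLE_EXPORT, "vpn.example.net", 1195, full)))
```

Running `summarize` on a profile before importing it into a client shows at a glance which of the two files routes all traffic through the tunnel.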
Info
Channel: WunderTech
Views: 8,120
Keywords: openvpn on a synology nas, synology nas openvpn, synology openvpn, synology nas openvpn server
Id: 2gkbwxm72lE
Length: 22min 12sec (1332 seconds)
Published: Sun Dec 10 2023