Setup Synology OpenVPN Server (easy, secure, remote access)

Captions
All right, how's it going Neil. So today, this tutorial I made a while ago, and I've been planning on remaking this for a long time because tons changed, and that is going to be how to set up an OpenVPN server on your Synology NAS. And this is a huge tutorial because it allows you to secure access to your NAS from wherever you are in the world. If an OpenVPN server gets hacked, there are a lot bigger problems in the world, and so it's a great way to open yourself up to the Internet while also being very secure, so you can access all of your features on your NAS and even on your local network, but you are in a very protected VPN tunnel coming straight back to the NAS. So you are adding a second layer of security versus opening up the services directly to the internet themselves. So having a VPN server and using a VPN can allow you to completely disable QuickConnect and all open ports on your router except for one, the OpenVPN port you choose.

Now what this does restrict you to being able to do is it means that nobody else can access your NAS from outside your network except people you give an OpenVPN profile to. So if you want to be able to share photos with families, unless you get every single one of your family members on the VPN, which is not really going to happen, you are just really not going to be able to. But for businesses who are looking for a very secure way of having files handled, this is an easy place to start, and it has gotten a lot better than when I previously did it, because now there's a great client for Mac, Windows and Linux and iOS and Android, pretty much everything you possibly need, and it has also gotten a couple security updates that are very important to enable just so your server does not get bogged down.

All right, so before we start this video I need to talk about the difference between a VPN server and like a VPN like a NordVPN. This is not meant so that you can hide your traffic from your ISP or torrent or anything like that. No, what this VPN does is it
allows you secure access to your local network from wherever you are in the world, and even act like you are in that location from wherever you are in the world. So if you wanted to, and you were in a place that was blocking specific traffic, you could hook up to this VPN and actually set it so all the traffic went through your home network. So if you wanted to act like you were at home to your Netflix account, you could do that here. But it's not going to hide your internet traffic from your ISP, because it's going to look like all of your traffic is coming directly out of your home network even though you may be in a different part of the world. That being said, there's an optional configuration where you can only send local traffic or all traffic, and I will show that when we get to that part. But I did want to add that because people are always asking, "my public IP address did not change when I connected to this." It's because you just connected locally.

But first let's take a moment to the sponsor of today's video, Southern New Hampshire University. One of the biggest things I have learned from starting a consulting business is the importance of experience. If you feel like experience is holding you back from you in the career you want, then I'm excited to tell you about Southern New Hampshire University. SNHU has one of the largest accredited non-profit online degree offerings in the country, and today we're going to be talking about their online degree in computer science. In this program you will learn the skills you need to join one of the nation's fastest growing career fields. You'll also learn popular programming languages such as Python, Java and C, plus you will also learn agile software methodologies and develop a security mindset, which is crucial for the current industry environment. SNHU also provides cloud-based virtual environments for some courses, which allows you to get access to the technology you will need for your degree as well as for your career. SNHU is also
radically affordable. Their online tuition rates are some of the lowest in the country. Go to snhu.edu X or click the link in the description to find out more information about the average annual salary for computer scientists and request free information about the program. It only takes one click to find your calling. All right, thanks to SNHU for sponsoring that section of the video. Back to the tutorial.

All right, so now there is one additional caveat: you do require the ability to port forward on your router where the NAS is located, and there are two big drawbacks to this because some people are not going to be able to. So first off, if you are outside the US (it's a lot more common outside the US) or if you have a service such as Starlink, more newer ISPs that have not been around as long do not give you a public IP address. What they give you is a shared public IP address using a process called carrier-grade NAT or CGNAT. What this means is you're unable to open up ports on your router. This means that you're not going to be able to use this, because it requires port forwarding to be done on your router. I do have a video on how to set up Tailscale for this exact way, so if you do not have the ability for port forwarding you can use Tailscale still as a third-party VPN which does not require port forwarding. I'll leave a link to that in the description below.

Also, if you have two routers on your network this can have a similar effect. So you may have your ISP's router and then you bought another router, such as like a mesh setup, and just plug it directly into that. Those are two different routers, which means you actually need to log into both of them and do the port forwarding. So you'd have to forward from the first router to the second router and the second router to the NAS. Those are just the two caveats there. If you've not set the first router up, the ISP's router up, in pass-through mode (some routers cannot be done there), so if you do have two routers on your system that is what
you have to do. It's not too big of a deal, you just need to forward the ports twice and it will continue on working fine.

All right, so now let's go ahead and start setting this up, and all we need to do is go ahead and log into DSM right here, and we can go ahead and just install the package through Package Center right here. All we need to do is search VPN and install the VPN Server. All right, so now once this is installed we can just go ahead and hit open on it and we can start setting some things up.

So the first thing we're going to want to do is we're going to want to go into general settings and make sure that your network interface matches what is actually in use. So for me, I've got the 10 gig card added into this, so I'm on LAN 3, and you can see this is actually my local IP address, so I'm going to want to be using this one. If you have multiple LAN ports, choose the one that's actually used for the network you want to be able to share with people. And then if you have a domain controller, so if this is a business and you've got people using Windows domain or LDAP, you can go ahead and actually choose if you have local users or domain users, though you cannot do both.

And finally you have the option for who you want to grant VPN permissions to. For most people everybody gets VPN permissions, just because if you want them to have access to the NAS you probably want them to have access to that, but that is going to be up to you, and it can further be controlled right here by selecting who has access on the VPN. So we can just say only Will has access to OpenVPN and that's it, but that's all up to you. I would not worry too much about that for most people, just because they also require their certificate file and you probably want people to have access to the OpenVPN server if you're giving them access to the NAS.

So now we just need to come in here and enable the OpenVPN server, and we'll see that we've got a few options right here. First off, the dynamic IP address. This
right here is going to be the IP addresses your clients get when they connect to the VPN server, and so I would highly recommend leaving this at 10.8.0.1 as this is what we will be using for this tutorial. If you do have that subnet in use you can set it to whatever, but very few people are likely to have that subnet in use. There's about 65,000 other options, so you're very unlikely to have this actually in use, but if you do, that'd be the one thing, though you probably do not. And so right here, this 10.8.0.1 is going to be the IP address of the Synology on the VPN server. So that means that even if we've got a weird networking configuration, which I'm going to talk about later, clients always, always, always can use 10.8.0.1 to connect into the NAS from their VPN setup, and so that's what I'm going to be setting up here and recommending to most people because it keeps it super simple.

We can also say how many people want to connect: 15. And now for port, let's just bash in a random four digit number, and that is going to be the port you use. I always just set it randomly. OpenVPN is very secure, but it just is easier to have a random port; that way you don't even see logs of people just like guessing, and unnecessarily. It is just one of those things, it's like, may as well do it, and as long as it's not in use by anything else you're going to be fine. The rest of this you are going to want to leave as the default unless you have a specific thing you are looking for.

Now we've got these additional options right here, and for most people what I would recommend is allowing clients access to the server LAN. So this means that a client on the VPN would be able to not just talk to the NAS but maybe another NAS on the same local network, or maybe a computer and be able to remote desktop into it, things like that. And then if you're setting this up for the first time, I would highly recommend verifying the TLS auth key. That just reduces spam down into your network where people are just trying to connect to VPN
servers. Even though there's a massive encryption key that they're not going to be able to brute force, there's basically just bots out there spamming it to see what can happen, so verifying the TLS auth key can fix that. Though note, if you do actually set this and you've already previously set up and exported configurations with it disabled, you will need to re-export those configurations for people and send them back out. We're going to talk about that in a minute.

Then finally, I generally do not verify the server's common name, just because that requires you to have a properly signed SSL certificate, and to have a properly signed SSL certificate you need to use Let's Encrypt and then also be able to have port 80 open. And so it's just much easier not to have it and just have it be self-signed, because that way you can set this up way easier and have less ports open overall, and you don't have a weird update to your certificate that all of a sudden now breaks your VPN connection, which can be a huge pain. Technically, verifying the server's common name is a little bit more secure, so that there can't be a complete man-in-the-middle attack who is essentially emulating your VPN and actually has your VPN parameters in there. I don't know how that would really happen, but technically verifying the server's common name would do that. But for all intents and purposes, leave that one unchecked unless you really know what you're doing and really have a specific reason to.

And that's pretty much it. Now we just need to make sure we know this port, and we're going to go ahead and hit apply. Now it's going to tell us we need to open up this port on our router and on our firewall. So if you've not set up a firewall you can skip the step right here, but if you have set up a firewall, all you need to do is come into your firewall and just give access to that. You can just go into your firewall, and we'll just enable it and just show you it really quick. First, what you're going to want to do is hit create
and allow anybody into the VPN server, so just scroll down until you see that VPN and click OK, and that's from any IP address. That's because you want anybody on the internet to be able to initiate the VPN handshake. If you're super restrictive you can also just say just US, but honestly, you're using a VPN server, you're good, nobody's brute forcing their way into this almost certainly, so I would not worry about that. I would just set it to all. And now we just need to go ahead and say anybody who's on the VPN subnet, 10.8.0.0 255.255.255.0, is allowed to do anything on the NAS. So these would just be the two allow rules that you would need to add in if you had a more complex firewall already set up, so you can add those in and make sure, but if your firewall is disabled there is no reason to. The first one allows the VPN traffic into the NAS so it can actually do it, and then the second one actually allows your NAS to actually communicate and work with people who are on this VPN network.

Now the next part is the most complicated, because there's five billion different types of routers out there. What you now need to do is figure out how to do port forwarding on your router. The easiest thing to do is figure out the name of your router and then just Google that port forwarding. There are going to be a few caveats here. First off, if you have two routers, so a lot of people have their ISP's router and then their own like TP-Link mesh network, if those are both acting as routers and you've not set up the ISP's router in pass-through mode, you're going to have to do port forwarding twice: first from the ISP's router into your second router, and then from your second router into the Synology.

So essentially what port forwarding does is it allows a connection from the internet into a specific device. So in this case, when something from the internet requests port 7854 from the IP address of our router, it will be forwarded on to the actual Synology so that it can actually connect to the VPN. And so
what you're going to want to do is you're going to want to essentially first start by giving the Synology a static IP address, a DHCP reservation in the router. That way every single time the Synology connects it's given the same local IP address. In my case I can go in here and go into LAN 3 and I can see that I want to give it the IP address 10.30.0.106, because that's already what it's on. This is not required in all routers; some of them will automatically do that.

Then step two is actually forwarding the port. For me it is going to be 7854 UDP to the IP address of the Synology, 10.30.0.106. You will have a few options. You may have an internal, external; just set those both as 7854 or whatever port you choose, and you will also need to go ahead and make sure that it is UDP. I'm going to go ahead and show it on my router really quick. So now I've come into UniFi (I'll leave a link to my UniFi tutorial on this). What we just need to do is set it up. Basically we're going to say from any port, from any IP address, to port 7854 (both the external port and the internal port will be the same) will be forwarded to the IP address of our NAS, 10.30.0.106,
which is right here, and protocol UDP. This is by far going to be the hardest thing to do and it can be tough. It's kind of confusing, port forwarding stuff. If you want to hire me there's a link for that, but just search the type of your router and port forwarding and you should be able to figure it out. Only open up this single port. All right, and now we just hit apply changes and now we should be good.

All right, so now we are pretty much done except for two additional steps. First, we need a way to figure out where our house's IP address is. Most home users have a variable IP address, basically a non-static IP address. That means every few weeks or every few years your ISP may give you a different public IP address. You don't have to change your certificate every single time that happens, so instead what you want to do is every time that happens it just updates by a name, so that is called DDNS. So Synology has a free built-in DDNS that we can just come into External Access, DDNS, and just hit add. You are going to select your service provider as Synology, or if you've got any other ones you can choose that, and we'll call it ds1522demo, whatever you would like it to be. Now what this will do is it will automatically set your public IP address to this, so if you looked up the DNS address for ds1522demo.synology.me you would get given this fake public IP address (that's not actually my public IP address). So that is what you would do, and so that way you can always connect back to your home's network, because anytime this external IP address updates, this hostname ds1522demo.synology.me will update with it as well, so they stay in sync. So now we'll just hit OK.

So now it's done. We can now go ahead and export our VPN configuration by coming back into VPN Server and hitting export configuration, and now we can go ahead and edit this word document. You'll see it's gone into my downloads folder, and what I'm going to do is I'm going to right click on it and open it with a text editor. So now the only
thing that's required for everybody to change is this line number three right here. We're just going to change that to ds1522demo.synology.me, whatever you set up in the last step as your DDNS, put in right here. That way the OpenVPN server always knows how to connect to your router.

Then there's a bunch of useful options in here, so you can really tinker with it later on, but the most useful one that actually I would recommend people look at is this line right here, redirect-gateway. You can see it's got a pound in front of it, which means it's commented out, i.e. not read. What this does is this has the option, if it's commented, only traffic to your local network, i.e. going to a NAS or a computer on the local network, will actually be sent through the VPN tunnel. That means that if you are an employer and you've got 15 employees connecting to the VPN server and they're on YouTube, their YouTube at home is not going to be routed through your office's internet, really saving on bandwidth. The only thing that will be actually sent through the VPN tunnel will actually be traffic destined for the NAS. So for most offices I would really recommend leaving that commented, because you don't want all your traffic going through there. However, if you are looking to be able to go out of country and still log into your Netflix as if you're at home, you can actually uncomment that by deleting the pound, and now all of your traffic will look like it's coming out of your home's IP address. So that is the most useful one there.

Now all we need to do is download the OpenVPN Connect for whatever computer you're on. And just Google OpenVPN Connect, and they've got it for Windows, macOS, whatever, and it is free. So go ahead and download that, and I'm just going to go ahead and open it up right now and basically open up this file and it's automatically going to load in, or just drag it directly into the app. So right here we just need to go ahead and enter our username, password. This is the username, password for the
Synology NAS. And now I'm going to take myself off of Wi-Fi and instead connect to my phone. Basically this is just going to connect me into my phone's hotspot, and so that way I'm not on my local network, and hit connect. The first time you connect you will see this missing external certificate; just say don't show again and hit continue. And now this is painfully slow because my phone's hotspot is quite slow, but we should go ahead and get a connection in a second here, and just like that we are now connected on in.

So now let's talk about how we can access our files anytime. So we're going to be using SMB for this. So in macOS Finder, hit Command-K once you've opened up Finder, or hit Go, Connect to Server, and now type in smb:// and, to work no matter where you are, this is what I tell people to do who may have a weird networking configuration where essentially the coffee shop's IP address and your home's IP address have the exact same subnet. If that's the case you can always use 10.8.0.1 and hit connect, and the reason this works is this is the IP address of the Synology on the VPN. And so you can see just like that I was able to connect to demo, which is that SMB share. In Windows you do the exact same thing: you open up Windows File Explorer and in the file path just type \\10.8.0.1 and hit enter, and then if prompted put in your username and password. So that will work wherever you are with whatever network you are. So if you are an employer and you just want people to be able to access at the same time every single time, that's generally what I set up for people, just because it's rock solid, steady, and just tends to work.

Now you're probably used to just seeing it show up in the sidebar over here under Network, so you'll notice that it's not going to show up there anymore. That's because this is a layer 3 connection. So those connections that you just see on your network sidebar automatically is what's called a layer 2 connection, and so that only
works when you're in the same local area network or have DNS multicast, a bunch of stuff, so those only work when you're on the local connection. Instead you need to use the IP address, and so that's what you really want to get used to there.

If your home's IP address is not 192.168.1 or is also not 10.0.0.0, if you've got something custom there (whenever I set up a router I always set up with like 10.80.30 something just so this never happens), if you have that case you can always also use the IP address of the NAS on the local area network. So for mine it was 10.30.0.106, which is the IP of the local network, and now I just type in my username, password, and just like that I am now connected back in. And the reason that works is on my hotspot I'm not getting a local IP address that's 10.30. If I did get a 10.30 it would conflict with my home's IP address of 10.30, so because it's not the case, it's not conflicting, I can still use all the IP addresses that are on the local IP network. Though if you have a very common LAN one like 192.168.1, I would really recommend all of your employees get just used to using 10.8.0.1, because that will always, always work. The only downside is if you have something like a remote desktop that you want them to be able to connect to, or Windows machine or whatever, then they are going to have to use a local IP address, and so you may run into an issue there.

All right, and so now before we close I do want to mention there's a couple of things you can do to kind of change this out. One, I'm going to leave a link to my forum post that goes over actually a way that you can kind of jankly, but it works, still use that ds1522.local. I'll leave a link to that, and it's for people who are a little bit more computer savvy, a little bit tech savvy, and are fine debugging this kind of stuff. And then another one is, say this laptop is going to be always connected to this VPN server at a friend's house and I always want to be able to connect to it. Well, when I'm
home I can't see that that IP address exists. I don't know where to find that 10.8.0.2, whatever this was assigned IP address. So what you need to do is log in your router and set up a static route, so you just essentially tell the router, hey, I've got a VPN server over there, it's on the IP address of 10.30.0.106 (that's the IP address on the local network of my Synology), and behind it is the subnet 10.8.0.0/24. I just wanted to mention that. Look up static route for your router and be able to do that, for people who are looking at the configuration. Few people will actually do that; most people will only be connecting into the network and not trying to access stuff that's on the VPN server from the local network. I just want to include that for full thing.

Also, I do consulting, so if you want me to set this up for you or your business go and check out the link in the description for that, and if you have any other questions put them in the comments below or on forums.spaceworks.com. All right, have a going, bye.
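
The client-side steps described in the captions (pointing the exported profile at the DDNS name and port, choosing split or full tunnel via `redirect-gateway`, and deciding which NAS address a remote client should use), as an added Python example that is not from the video or from Synology. The sample profile is constructed, and the function names and the /24 home LAN mask are assumptions.

```python
import ipaddress
import re

# Constructed sample resembling an exported client profile (not a real export).
SAMPLE_PROFILE = """\
dev tun
tls-client
remote YOUR_SERVER_IP 1194
# Uncomment the next line to send all client traffic through the VPN.
#redirect-gateway def1
proto udp
auth-user-pass
"""

REMOTE_RE = re.compile(r"^\s*remote\s+\S+(\s+\d+)?\s*$")
# Matches the directive itself, commented or not, but not prose comments about it.
REDIRECT_RE = re.compile(r"^\s*#?\s*(redirect-gateway\b.*)$")


def prepare_profile(text, host, port, full_tunnel=False):
    """Set the server address and the split/full-tunnel choice in a profile."""
    # Reject anything that could smuggle extra directives into the profile.
    if not re.fullmatch(r"[A-Za-z0-9.-]+", host):
        raise ValueError("host must be a plain hostname or IPv4 address")
    if not 1 <= int(port) <= 65535:
        raise ValueError("port out of range")

    out, remote_set = [], False
    for line in text.splitlines():
        if not remote_set and REMOTE_RE.match(line):
            out.append(f"remote {host} {port}")
            remote_set = True
            continue
        m = REDIRECT_RE.match(line)
        if m:
            directive = m.group(1).rstrip()
            # Commented: only LAN-bound traffic uses the tunnel (split tunnel).
            out.append(directive if full_tunnel else "#" + directive)
            continue
        out.append(line)
    if not remote_set:
        raise ValueError("no 'remote' line found in profile")
    return "\n".join(out) + "\n"


def nas_address(client_lan, home_lan, nas_lan_ip, nas_vpn_ip="10.8.0.1"):
    """Pick the NAS address a connected client can reach unambiguously.

    If the network the client sits on overlaps the home LAN, LAN addresses
    are ambiguous, so fall back to the NAS's address inside the VPN subnet.
    Using the LAN address assumes client access to the server LAN is enabled.
    """
    client = ipaddress.ip_network(client_lan, strict=False)
    home = ipaddress.ip_network(home_lan, strict=False)
    if ipaddress.ip_address(nas_lan_ip) not in home:
        raise ValueError("NAS LAN address is not inside the home LAN")
    return nas_vpn_ip if client.overlaps(home) else nas_lan_ip


if __name__ == "__main__":
    print(prepare_profile(SAMPLE_PROFILE, "ds1522demo.synology.me", 7854))
    # Constructed hotspot subnet; home LAN mask (/24) is an assumption.
    print(nas_address("172.20.10.0/28", "10.30.0.0/24", "10.30.0.106"))
```
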
Info
Channel: SpaceRex
Views: 82,332
Id: vBXlZf7gSwc
Length: 24min 24sec (1464 seconds)
Published: Thu Jul 06 2023