Set up VPN Server
With the VPN Server package, you can easily turn your Synology NAS into a VPN server to allow users to remotely and securely access resources shared within the local area network of your Synology NAS. By integrating common VPN protocols - PPTP, OpenVPN and L2TP/IPSec - VPN Server provides options to establish and manage VPN services tailored to your individual needs.
Note:
- Enabling VPN service affects the network performance of the system.
- Only administrators can install and set up VPN Server.
PPTP
PPTP (Point-to-Point Tunneling Protocol) is a commonly used VPN solution supported by most clients (including Windows, Mac, Linux, and mobile devices). For more information about PPTP, refer to here.
To enable PPTP VPN server:
- Open VPN Server and then go to PPTP on the left panel.
- Tick Enable PPTP VPN server.
- Specify a virtual IP address of VPN server in the Dynamic IP address fields. Refer to About Dynamic IP Address below for more information.
- Set Maximum connection number to limit the number of concurrent VPN connections.
- Set Maximum number of connections with same account to limit the number of concurrent VPN connections with the same account.
- Choose either of the following from the Authentication drop-down menu to authenticate VPN clients:
- PAP: VPN clients' passwords will not be encrypted during authentication.
- MS-CHAP v2: VPN clients' passwords will be encrypted during authentication using Microsoft CHAP version 2.
- If you selected MS-CHAP v2 for authentication above, choose any of the following from the Encryption drop-down menu to encrypt VPN connection:
- No MPPE: VPN connection will not be protected with encryption mechanism.
- Optional MPPE: VPN connection will be protected with 40-bit or 128-bit encryption if the client supports it; otherwise the connection is established without encryption.
- Require MPPE: VPN connection must be protected with 40-bit or 128-bit encryption, the key length depending on the client's settings; clients that do not support MPPE cannot connect.
- Set MTU (Maximum Transmission Unit) to limit data packet size transmitted via the VPN.
- Tick Use manual DNS and specify the IP address of a DNS server to push DNS to PPTP clients. If this option is disabled, the DNS server used by the Synology NAS will be pushed to clients.
- Click Apply for the changes to take effect.
Note:
- When connecting to the VPN, the authentication and encryption settings of VPN clients must be identical to the settings specified on VPN Server, or else clients will not be able to connect successfully.
- To be compatible with most PPTP clients running Windows, Mac OS, iOS and Android operating systems, the default MTU is set to 1400. For more complicated network environments, a smaller MTU might be required. Try to reduce the MTU size if you keep receiving timeout errors or experience an unstable connection.
- Please check the port forwarding and firewall settings on your Synology NAS and router to make sure the TCP port 1723 is open.
- PPTP VPN service is built into some routers, so port 1723 might already be occupied. To ensure VPN Server works properly, you might need to disable the router's built-in PPTP VPN service through its management interface. In addition, some old routers block the GRE protocol (IP protocol 47), which will result in VPN connection failure. It is recommended to use a router that supports VPN pass-through connections.
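The two notes above (client settings must match the server's; PAP sends passwords unencrypted and MPPE is only available with MS-CHAP v2) can be turned into a small settings audit. The following is an added example, not code from the Synology help page: it models the PPTP Authentication and Encryption menu entries named above, predicts whether a client with given settings will connect, and lists weak choices a defender would want to fix. The client-side values "none", "optional" and "require" are hypothetical labels for what the client's own data-encryption setting demands; the rule that a PAP server cannot satisfy a client requiring encryption is an assumption drawn from the Encryption menu applying only to MS-CHAP v2.

```python
# Added example (not from the Synology help page). Server values are the
# page's menu entries; client_encryption values are hypothetical labels.

SERVER_AUTH = ("PAP", "MS-CHAP v2")
SERVER_ENCRYPTION = ("No MPPE", "Optional MPPE", "Require MPPE")
CLIENT_ENCRYPTION = ("none", "optional", "require")


def check_pptp(server_auth, server_encryption, client_auth, client_encryption):
    """Return (connects, findings).

    connects: whether the client's settings are compatible with the server's,
    following the note that both sides must use identical settings.
    findings: configuration weaknesses worth fixing regardless of the outcome.
    """
    if server_auth not in SERVER_AUTH:
        raise ValueError(f"unknown server authentication {server_auth!r}")
    if server_encryption not in SERVER_ENCRYPTION:
        raise ValueError(f"unknown server encryption {server_encryption!r}")
    if client_encryption not in CLIENT_ENCRYPTION:
        raise ValueError(f"unknown client encryption {client_encryption!r}")

    findings = []
    if server_auth == "PAP":
        findings.append("PAP: client passwords are sent unencrypted during authentication")
        # The Encryption menu only applies to MS-CHAP v2, so PAP means no MPPE
        findings.append("PAP: MPPE is unavailable, so tunnel traffic is unencrypted")

    if client_auth != server_auth:
        findings.append(f"client authentication {client_auth!r} does not match server {server_auth!r}")
        return False, findings

    if server_auth == "PAP":
        # Assumption: a client that insists on encryption cannot use a PAP-only server
        if client_encryption == "require":
            findings.append("client requires encryption that a PAP server cannot provide")
            return False, findings
        return True, findings

    if server_encryption == "No MPPE":
        findings.append("No MPPE: tunnel traffic is unencrypted")
        if client_encryption == "require":
            findings.append("client requires encryption the server does not offer")
            return False, findings
        return True, findings

    if server_encryption == "Optional MPPE":
        if client_encryption == "none":
            findings.append("Optional MPPE: this client will connect without encryption")
        return True, findings

    # Require MPPE: a client that refuses encryption cannot connect
    if client_encryption == "none":
        findings.append("client refuses encryption but the server requires MPPE")
        return False, findings
    return True, findings


if __name__ == "__main__":
    # Constructed sample combinations, from the strongest to the weakest
    samples = [
        ("MS-CHAP v2", "Require MPPE", "MS-CHAP v2", "require"),
        ("MS-CHAP v2", "Optional MPPE", "MS-CHAP v2", "none"),
        ("PAP", "No MPPE", "PAP", "optional"),
        ("PAP", "No MPPE", "MS-CHAP v2", "require"),
    ]
    for combo in samples:
        connects, findings = check_pptp(*combo)
        print(combo, "->", "connects" if connects else "fails", findings)
```

The safe baseline this audit reports as clean is MS-CHAP v2 with Require MPPE on the server and a client that also requires encryption; every other combination either fails to connect or produces at least one finding.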
OpenVPN
OpenVPN is an open-source solution for implementing VPN service. It protects the VPN connection with the SSL/TLS encryption mechanism. For more information about OpenVPN, visit here.
To enable OpenVPN VPN server:
- Open VPN Server and then go to OpenVPN on the left panel.
- Tick Enable OpenVPN server.
- Specify a virtual internal IP address of VPN server in the Dynamic IP address fields. Refer to About Dynamic IP Address below for more information.
- Set Maximum connection number to limit the number of concurrent VPN connections.
- Set Maximum number of connections with same account to limit the number of concurrent VPN connections with the same account.
- Set Port and Protocol for OpenVPN data transmission. You can determine to which port of your Synology NAS and through which protocol data packets are forwarded over VPN. The default is UDP port 1194.
Note: To ensure that services on your Synology NAS work properly, please avoid assigning the same set of port and protocol as other Synology services. For more information, please refer to this article.
- Configure Encryption from the drop-down menu to encrypt data packets in VPN tunnels.
- Configure Authentication from the drop-down menu to authenticate VPN clients.
- Tick Enable compression on the VPN link if you want to compress data during transfer. This option can increase transmission speed, but might consume more system resources.
- Tick Allow clients to access server's LAN to permit clients to access the server's LAN.
- Tick Enable IPv6 server mode to enable OpenVPN server to send IPv6 addresses. You will first need to get a prefix via 6in4/6to4/DHCP-PD in Control Panel > Network > Network Interface. Then select the prefix on this page.
- Click Apply for the changes to take effect.
Note:
- VPN Server does not support bridge mode for site-to-site connections.
- Please check the port forwarding and firewall settings on your Synology NAS and router to make sure the UDP port 1194 is open.
- When running OpenVPN GUI on Windows Vista or Windows 7, please note that UAC (User Account Control) is enabled by default. If enabled, you need to use the Run as administrator option to properly connect with OpenVPN GUI.
- When enabling IPv6 server mode in Windows with OpenVPN GUI, please note the following:
- The interface name used by the VPN cannot have a space, e.g., LAN 1 needs to be changed to LAN1.
- The option redirect-gateway has to be set in the openvpn.ovpn file at the client side. If you do not want to set this option, you should set the DNS of the VPN interface manually. You may use Google IPv6 DNS: 2001:4860:4860::8888.
To export the configuration file:
Click Export Configuration. OpenVPN allows VPN server to issue an authentication certificate to the clients. The exported file is a zip file that contains openvpn.ovpn (configuration file for the client) and README.txt (simple instruction on how to set up OpenVPN connection for the client). For more information, refer to here.
Note:
- Each time VPN Server runs, it will automatically copy and use the certificate shown at Control Panel > Security > Certificate. If you need to use a third-party certificate, please import the certificate at Control Panel > Security > Certificate > Add and restart VPN Server.
- VPN Server will automatically restart each time the certificate file shown at Control Panel > Security > Certificate is modified. You will also need to export the new .ovpn file to all clients.
L2TP/IPSec
L2TP (Layer 2 Tunneling Protocol) over IPSec provides virtual private networks with increased security and is supported by most clients (such as Windows, Mac, Linux, and mobile devices). For more information about L2TP, refer to here.
Note:
- To use L2TP/IPSec, make sure your Synology NAS is running DSM 4.3 or later.
To enable L2TP/IPSec VPN server:
- Open VPN Server and then go to L2TP/IPSec on the left panel.
- Tick Enable L2TP/IPSec VPN server.
- Specify a virtual IP address of VPN server in the Dynamic IP address fields. Refer to About Dynamic IP Address below for more information.
- Set Maximum connection number to limit the number of concurrent VPN connections.
- Set Maximum number of connections with same account to limit the number of concurrent VPN connections with the same account.
- Choose either of the following from the Authentication drop-down menu to authenticate VPN clients:
- PAP: VPN clients' passwords will not be encrypted during authentication.
- MS-CHAP v2: VPN clients' passwords will be encrypted during authentication using Microsoft CHAP version 2.
- Set MTU (Maximum Transmission Unit) to limit data packet size transmitted via the VPN.
- Tick Use manual DNS and specify the IP address of a DNS server to push DNS to L2TP/IPSec clients. If this option is disabled, the DNS server used by the Synology NAS will be pushed to clients.
- For maximum VPN performance, select Run in kernel mode.
- Enter and confirm a pre-shared key. This secret key should be given to your L2TP/IPSec VPN user to authenticate the connection.
- Tick Enable SHA2-256 compatible mode (96 bit) to permit certain clients (non-RFC-standard) to use L2TP/IPSec connection.
- Click Apply for the changes to take effect.
Note:
- When connecting to the VPN, the authentication and encryption settings of VPN clients must be identical to the settings specified on VPN Server, or else clients will not be able to connect successfully.
- To be compatible with most L2TP/IPSec clients running Windows, Mac OS, iOS, and Android operating systems, the default MTU is set to 1400. For more complicated network environments, a smaller MTU might be required. Try to reduce the MTU size if you keep receiving timeout errors or experience an unstable connection.
- Please check the port forwarding and firewall settings on your Synology NAS and router to make sure UDP ports 500, 1701, and 4500 are open.
- L2TP or IPSec VPN service is built into some routers, so port 500, 1701 or 4500 might already be occupied. To ensure VPN Server works properly, you might need to disable the router's built-in L2TP or IPSec VPN service through its management interface. It is recommended to use a router that supports VPN pass-through connections.
About Dynamic IP Address
Depending on the number you entered in Dynamic IP address, VPN Server will choose from a range of virtual IP addresses while assigning IP addresses to VPN clients. For example, if the dynamic IP address of VPN server is set as "10.0.0.0", a VPN client's virtual IP address could range from "10.0.0.1" to "10.0.0.[maximum connection number]" for PPTP, and from "10.0.0.2" to "10.0.0.255" for OpenVPN.
Important: Before specifying the dynamic IP address of VPN server, please note:
- Dynamic IP addresses allowed for VPN server should be any of the following:
- From "10.0.0.0" to "10.255.255.0"
- From "172.16.0.0" to "172.31.255.0"
- From "192.168.0.0" to "192.168.255.0"
- The specified dynamic IP address of VPN server and the assigned virtual IP addresses for VPN clients should not conflict with any IP addresses currently used within your local area network.
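The rules in this section (the three allowed private ranges, the client pool derived from the server's dynamic IP address for PPTP and OpenVPN, and the requirement that the pool not collide with the local network) are easy to get wrong by hand. The following is an added example, not code from the Synology help page: it validates a candidate dynamic IP address, computes the first and last virtual client address for PPTP and OpenVPN as described above, and reports which LAN networks the pool would overlap. Assumptions: the page lists ranges ending in ".0", so the value is treated as the base of a /24 and a PPTP pool is not allowed to extend past that /24 (maximum connection number above 254 is rejected); the LAN networks are supplied by the caller as CIDR strings.

```python
import ipaddress

# Added example (not from the Synology help page). Models the Dynamic IP
# address rules: allowed private ranges, per-protocol client pool, LAN overlap.

# Private ranges the page allows for the server's dynamic IP address
ALLOWED_RANGES = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def validate_dynamic_ip(dynamic_ip):
    """Return the /24 that the client pool lives in, or raise ValueError.

    Assumption: the page's ranges end in .0, so the value is a /24 base.
    """
    addr = ipaddress.ip_address(dynamic_ip)
    if addr.version != 4:
        raise ValueError("dynamic IP address must be an IPv4 address")
    if not any(addr in rng for rng in ALLOWED_RANGES):
        raise ValueError(f"{dynamic_ip} is outside the allowed private ranges")
    if addr.packed[-1] != 0:
        raise ValueError(f"{dynamic_ip} must end in .0 (for example 10.0.0.0)")
    return ipaddress.ip_network(f"{dynamic_ip}/24")


def is_valid_dynamic_ip(dynamic_ip):
    """Boolean wrapper around validate_dynamic_ip for quick checks."""
    try:
        validate_dynamic_ip(dynamic_ip)
        return True
    except ValueError:
        return False


def client_pool(dynamic_ip, protocol, max_connections):
    """First and last virtual address VPN Server may hand to clients.

    PPTP uses .1 up to .[maximum connection number]; OpenVPN uses .2 to .255
    (both from the page). Assumption: a PPTP pool stays inside the /24, so a
    maximum connection number above 254 is rejected.
    """
    net = validate_dynamic_ip(dynamic_ip)
    base = int(net.network_address)
    if protocol == "pptp":
        if not 1 <= max_connections <= 254:
            raise ValueError("PPTP maximum connection number must be 1..254")
        first, last = 1, max_connections
    elif protocol == "openvpn":
        first, last = 2, 255
    else:
        raise ValueError("protocol must be 'pptp' or 'openvpn'")
    return (str(ipaddress.IPv4Address(base + first)),
            str(ipaddress.IPv4Address(base + last)))


def lan_conflicts(dynamic_ip, lan_networks):
    """Return the LAN networks (CIDR strings) whose address space overlaps the pool."""
    pool = validate_dynamic_ip(dynamic_ip)
    conflicts = []
    for lan in lan_networks:
        if pool.overlaps(ipaddress.ip_network(lan, strict=False)):
            conflicts.append(lan)
    return conflicts


if __name__ == "__main__":
    # Constructed sample: a NAS on 192.168.1.0/24 with a second VLAN on 10.10.0.0/16
    lan = ["192.168.1.0/24", "10.10.0.0/16"]
    for candidate in ("192.168.1.0", "10.10.5.0", "10.8.0.0"):
        clash = lan_conflicts(candidate, lan)
        print(candidate, "overlaps", clash if clash else "nothing",
              "| PPTP pool:", client_pool(candidate, "pptp", 20),
              "| OpenVPN pool:", client_pool(candidate, "openvpn", 20))
```

In the constructed sample only 10.8.0.0 is a safe choice; the other two candidates sit inside a network the NAS already serves and would produce exactly the address conflict the Important note warns about.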
About Client's Gateway Setting for VPN Connection
Before connecting to the local area network of Synology NAS via VPN, the clients might need to change their gateway setting for VPN connection. Otherwise, they might not be able to connect to the Internet when VPN connection is established. For detailed information, refer to here.