Enabling VPN in a home NAS is a good way – some might say paramount requirement – to preserve your privacy when using certain applications. While the highest flexibility comes from running the NAS directly in a Linux machine, out-of-the-box solutions can win in convenience thanks to built-in applications and mobile App support. One of such solutions is Synology. In this post I will describe how to setup OpenVPN in a Synology NAS while still preserving access from the outside.
Find a VPN provider
The first thing to do is finding a VPN provider. While there are many possibilities, based on my experience I can highly recommend iVPN. Apart from providing very stable VPN connections while introducing low overhead, iVPN maintains servers in different countries, which might also be convenient for using services such as Netflix or Pandora. Besides, they are members of the EFF and adhere to good service provider practices such as maintaining a warrant canary.
Independently of the VPN provider you choose, it is important to check that they support OpenVPN and that they provide certificates and configuration files for their different servers. For iVPN, those can be downloaded here. When your download these files copy them in a directory (we will refer to this directory as $IVPN_CONFIG).
For configuring the VPN in our Synology box, we will make use of the command line; Synology’s GUI allows to configure a primitive VPN service, but for configuring VPN using OpenVPN and certificates this is not enough. Note that we will need ssh access privileges to the NAS.
We will use the following convention for the VPN configuration:
XXX = Name of the client (as in client_XXX)
$USERNAME = VPN username.
$PASSWORD = VPN password.
$IVPN_CONFIG = Name for the VPN configuration directory where VON configurations and certificates are located.
$AUTH_FILE = File where the VPN $USERNAME and $PASSWORD are stored.
$VPN_SERVER = Server (e.g., gw1.ch.ivpn.net). In the example we will use gw1.ch.ivpn.net, which corresponds IVPN’s the Swiss server. This can be changed. This applies too to the port and protocol (2049 and udp respectively.
Step 1. First, we log into the Synology NAS using a browser and navigate the GUI:
Control Panel > Network > Network Interface > Create > Create VPN Profile.
We choose OpenVPN and introduce the data obtained from your VPN provider. This will not create the right configuration, but will create the skeleton that we will use later on.
Step 2. Then, we access the NAS from the terminal using ssh. The following commands will create a symbolic link to the openvpn configuration directory in our home directory. This is convenient for future use.
$ ln -s /usr/syno/etc/synovpnclient/openvpn/
And we copy the VPN configuration files to our Synology box. From a terminal in our local machine:
$ scp -r $DOWNLOAD_DIR/$IVPN_CONFIG $SYNOLOGY_USERNAME@$SYNOLOGY_IPADDRESS:~/openvpn/
Step 3. Now in the Synology (ssh), we go to the openvpn directory. Here, we are interested in two files: client_XXX.crt and ovpnclient.conf; these hold the OpenVPN configuration. The configuration I use is the following:
$ vi client_XXX.crt
client dev tun proto udp tls-client log log.log remote gw1.ch.ivpn.net 2049 auth-user-pass $AUTH_FILE resolv-retry infinite nobind persist-tun persist-key ca $IVPN_CONFIG/ca.crt cert $IVPN_CONFIG/client1.crt key $IVPN_CONFIG/client1.key tls-auth $IVPN_CONFIG/ta.key 1 cipher AES-256-CBC ns-cert-type server comp-lzo verb 3 up /usr/syno/etc.defaults/synovpnclient/scripts/ovpn-up route-up /usr/syno/etc.defaults/synovpnclient/scripts/route-up script-security 2 explicit-exit-notify plugin /lib/openvpn/openvpn-down-root.so /usr/syno/etc.defaults/synovpnclient/scripts/ip-down
$ vi ovpnclient.conf
[oXXX] nat=no protocol=udp redirect-gateway=no comp-lzo=yes route-nopull pass=$GENERATED port=2049 reconnect=yes conf_name=@VPN_NAME user=$USERNAME remote=gw1.ch.ivpn.net
Step 3. Finally, we create $AUTH_FILE and write our VPN $USERNAME and $PASSWORD in two different lines.
$ vi $AUTH_FILE
Step 4. We come back to the GUI (Control Panel > Network > Network Interface) and click on “connect” under the VPN interface. Meanwhile, in the terminal (ssh to Synology) look at the log file to check that everything is correct.
$ tail -f log.log
The connection should succeed. Now from the terminal, check that your public IP corresponds to the country where the server is located:
$ wget -qO- http://ipecho.net/plain ; echo
There are many ways to do this. A simple one is just copying the IP address in iplocation.net.
Also, if you have configured a Synology DDNS you can see your public IP address from Control Panel > External Access > DDNS
Enable external access
If you had configured access to your NAS from outside your network (e.g., mobile Apps, Cloud Station) you will notice that they all stopped working. The reason is that all traffic is redirected through the VPN interface (e.g., tun0). Thus, any incoming connection is lost. This can be seen by looking at the routing tables (route -n).
Traditionally, this is solved by enabling multi route tables, which allow to manage traffic at a lower granularity. Unfortunately, Synology boxes are not so easy to update when it comes to recompiling the Linux kernel and installing a package manager: Updates become messy, depending on the model and the chipset used, packages vary, etc.
Since version 5.1 however, a new option in the GUI allows to enable multiple gateways simultaneously and to reply to requests that target specific interfaces. I am not sure how this works exactly, since ip tables are not modified. Either way, in Control Panel > Network > General > Advanced Settings (under Manually configure DNS server), enabling the two available options gives the wanted behaviour.
Now, all traffic initiated by the NAS will be through the VPN interface while connections initiated from the outside will be answered using the incoming interface. Note that it is not necessary to make modification in the router(s) (e.g., forwarded ports), nor in the Synology firewall – VPN should be now transparent to all incoming connections.
Check that everything works fine
Finally, come back to Step 4. and check that the public IP address corresponds to the country where the VPN server is located. Try connecting to the Synology NAS from one of the mobile Apps from outside your local network. If it works, you have succeeded 🙂
Note that this is a very experimental approach. Checking the ip tables generated by OpenVPN and analyzing incoming and outgoing packages allows us to be sure that the interface split is as clean as we wanted it to be. If interested, Wireshark is the best tool I know.
If you experience that you cannot access your Synology media center after configuring VPN, uncheck the advanced settings in the Synology GUI, apply, and apply them again. These options should be apply after VPN is already up and running.
I had done the exact steps you’ve described in your post and it just wouldn’t work, which is why I searched online, leading me here.
Then I did the same steps again following your guide and now it works!
Must have been some magic bits coming from your post 🙂
One question remains though. On the “Network Interface” tab the “Service Order” can be changed manually. Does the activation of “Multiple Gateways” make the service order irrelevant?
Thanks for a well structured and easy to follow post!
Thanks for the comment. Glad to hear that it worked out for you 🙂
The answer to your question is yes; at least that is my understanding.
Very useful and solved an old problem I had since using VPN.
I included all of this (after some minor adpatations) under Domoticz virtual switch, then letting me toggle my VPN like a simple swithc. But I sometimes have to connect and do the uncheck/re-check boxes in the advanced settings in the Synology GUI. Do you known command lines that can do the trick to script this part also ?
Congratulations! I looked for this solution all over internet, but unfortunately it’s way out of my capacity
Just as a quick note, Since dsm 5.X you can navigate to Settings > Network > Advanced Settings and enable: Use multiple gateways option and it will solve this problem
Thanks interesting post. I think somehow the order of things matter. I tried it in the morning and it didn’t work , but I turn the settings on and off again, disconnect and reconnect VPN again and it worked. Also changed service order from VPN on top to second.
Confirmed that Download manager is using VPN to connect out. ANd Plex server with remote access is working via regular non-VPN connection.
Correction… I checked again and Service Order is VPN first, regular connection is second. Somehow Plex still works and I can access from my phone via LTE…