OpenVPN Connection to Synology NAS on Windows 7

Initially I had some trouble getting this to work, but figured this out and figured I would pass it on.

This guide assumes you are attempting to set up a VPN tunnel to your Synology NAS over WAN using OpenVPN. While a PPTP VPN connection is much easier to set up and doesn’t require third-party software, OpenVPN has been shown to be significantly more secure.

For this, I’m using Windows 7 64-bit. While file locations will likely differ on other OSes, the overall configuration is likely similar.

Base configuration

Log in to your Synology NAS using the admin account and install the OpenVPN server from within Package Center.

Once installed, start VPN Server and enable OpenVPN under OpenVPN Server > Settings > OpenVPN.

The following pop-up message will appear instructing you to make sure UDP port 1194 is open:

If your NAS is behind a router, make sure you have port forwarding set up to forward UDP port 1194 to your NAS.

If you are using the Synology Router Config tool, you can set the port forwarding from Control Panel > Router Configuration > Create. You’ll find the port setting under Built-In Applications as shown below:

If you’re setting up port forwarding in your router, then the Synology Router Configuration tool isn’t needed. Use one or the other, whichever you prefer.

Install OpenVPN

Download and install the OpenVPN application for your OS from OpenVPN community downloads. Install using the defaults.

Getting the configuration from the Synology OpenVPN server

Before the client software can be configured, a few files (specifically the OpenVPN configuration files and the certificate) need to be downloaded from the Synology NAS. From the NAS, go to OpenVPN Server > OpenVPN and click on Export Configuration. This will download a zip file containing the two needed files plus a third README file. You can either refer to the README for instructions or simply continue reading.

Configure the OpenVPN client software

Open Windows Explorer and navigate to “C:\Program Files (x86)\OpenVPN\config”. Copy the openvpn.ovpn and ca.crt files from the openvpn.zip file you downloaded earlier to this directory.

Right-click on openvpn.ovpn and open it with notepad (or your favorite text editor) and make the edits explained below:

Change the line starting with remote to specify your server’s IP address or hostname. For example, if your OpenVPN server is at ovpn.example.com, change it as follows:

remote ovpn.example.com 1194

If your host’s IP address frequently changes, uncomment the float option, by changing

#float

to

float

Or, you can specify an IP address, like so:

remote 192.0.2.0 1194

Also, if you want to redirect ALL traffic across the OpenVPN connection (strongly recommended), uncomment the redirect-gateway option by changing

#redirect-gateway

to

redirect-gateway
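
The following is an added example, not part of the original guide or of the Synology or OpenVPN tooling: a small Python check that reads an edited openvpn.ovpn and reports which of the edits above are still missing, and whether any server-certificate verification directive is active (its absence is what produces the "No server certificate verification method has been enabled" warning quoted in the comments). The function names `parse_ovpn` and `audit`, the `VERIFY` list and the sample config are assumptions made for this example.

```python
# Directives treated here as enabling server-certificate verification
# (list assumed for this example; "ns-cert-type server" is handled below).
VERIFY = {"remote-cert-tls", "remote-cert-eku", "verify-x509-name",
          "tls-remote", "tls-verify"}

def parse_ovpn(text):
    """Map each active directive to the list of its argument lists."""
    active = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or commented-out option such as "#float"
        name, *args = line.split()
        active.setdefault(name, []).append(args)
    return active

def audit(text):
    """Return (check_id, message) findings; an empty list means all passed."""
    cfg = parse_ovpn(text)
    findings = []
    remotes = cfg.get("remote", [])
    if not remotes or any(not args for args in remotes):
        findings.append(("remote", "no server address on a 'remote' line"))
    proto = cfg.get("proto", [["udp"]])[-1]  # OpenVPN defaults to UDP
    if proto[:1] != ["udp"]:
        findings.append(("proto", "router forwards UDP 1194, proto is not udp"))
    if "redirect-gateway" not in cfg:
        findings.append(("redirect-gateway",
                         "commented out: default route stays off the tunnel"))
    ns_server = ["server"] in cfg.get("ns-cert-type", [])
    if not ns_server and not VERIFY.intersection(cfg):
        findings.append(("server-verify",
                         "no server certificate verification method enabled"))
    if "ca" not in cfg:
        findings.append(("ca", "no 'ca' line: nothing to validate the server against"))
    return findings

# Constructed sample, modelled on the client config posted in the comments.
EXPORTED = """\
dev tun
tls-client
remote ovpn.example.com 1194
#float
#redirect-gateway
proto udp
ca ca.crt
auth-user-pass
"""

# The same file after the guide's redirect-gateway edit, plus a verification
# directive (remote-cert-tls is a real OpenVPN option, not in the exported file).
HARDENED = (EXPORTED.replace("#redirect-gateway", "redirect-gateway")
            + "remote-cert-tls server\n")

if __name__ == "__main__":
    for label, text in (("exported", EXPORTED), ("hardened", HARDENED)):
        print(label, audit(text))
```

With `remote-cert-tls server` the client requires a server certificate carrying the TLS server key usage and extended key usage, so a server certificate without them makes the handshake fail instead of connecting unverified.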

Connecting to the OpenVPN Server

Right-click the OpenVPN GUI desktop icon and select “Run as administrator”. (You can edit the shortcut to always start with administrative privileges by right-clicking on it, selecting Properties, then Compatibility, then checking Run this program as an administrator.)

The OpenVPN GUI icon will appear in your taskbar, and it will appear red. Right-click on it and select Connect. You will be prompted for your username and password (as used on your Synology NAS) to connect.

If you’re having trouble authenticating, make sure the account you are trying to connect as has access to the VPN server. Look in VPN Server > Privilege to verify account access.

That’s it! You should have a working OpenVPN tunnel connection after following these steps. If you have any suggestions, comments, or feedback, or just want to share your thoughts, please do it in the comments section below. Thanks!


  1. #1 by Johan Karlström on May 15, 2012 - 1:07 am

    Thanks man!

    I’ve been stuck with this for some time but your little info regarding “Getting the configuration from the Synology OpenVPN server” solved my problem… :)
    Now I will work to solve the default route to go to the tunnel and also so that the Synology actually routes my traffic out on its local network and further out to its local internet connection.

    • #2 by Mike on October 22, 2012 - 9:05 pm

      Traffic will route through the tunnel first if you turn on the redirect-gateway option.

  2. #3 by Larry Barbish on June 15, 2012 - 10:30 am

    Mike,

    I just found your site. I have set up a diskstation at home and had to port forward by hand since my ATT router wasn’t listed. Pretty tough when not knowing what I am doing. But I got it finally. Have my Android phone set up so that I can access my DSAudio and my DSphoto and DSfiles through IP addresses. And I can sit here at work on my laptop and sign in through https:.

    What is the benefit of doing the VPN? I don’t quite understand how the access is different/better. And it looked too hard to do, so I have what I have, but now may want to do the VPN if I understand the benefits. Thanks for doing this stuff. I just put my emergency contact info on my wallpaper of my phone. Cool.

  3. #4 by Eric Kwan on September 5, 2012 - 2:58 am

    Mike,

    After updating the VPN Server package on the Synology NAS, the VPN connection does not work any more.

    TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    TLS Error: TLS handshake failed
    SIGUSR1[soft,tls-error] received, process restarting

    IMPORTANT: OpenVPN’s default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.

    WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

    NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    LZO compression initialized

    • #5 by Mike Beach on September 9, 2012 - 10:16 pm

      Eric,

      I’m not sure where your issue lies. I just tested a clean OpenVPN setup using DSM 4.1 and VPN Server 1.1-2254. Are you using the same versions of these packages?

  4. #6 by Jo on September 24, 2012 - 4:36 am

    Mike,

    I have the same problem as Eric. I use DSM 4.1 and VPN Server 1.1-2256. Can you help?

    • #7 by Mike Beach on September 24, 2012 - 8:52 am

      I’ve responded with a comment below. Could you please provide the requested information?

  5. #8 by Mike Beach on September 24, 2012 - 8:49 am

    @Jo, @Eric,

    What Synology NAS units are you running? Please provide the model numbers. Also, which version of the OpenVPN GUI are you running, and for which OS?

    I will help as best I am able to.

    • #9 by Pantos on January 10, 2013 - 5:06 am

      Hi Mike,

      Thanks for the guide! I’m having the same problem as Jo and Eric, and since they didn’t reply, I’m going to answer your question, just to see if maybe you can think of what the problem can be.
      Synology NAS DS110j
      DSM 4.1
      VPN Server version: 1.1.2262
      OS: Windows 7 Professional SP1
      OpenVPN client version: 2.3.0 64 bit

      This is the content in my config file:

      ***************************************************************
      dev tun
      tls-client

      remote [ip address hidden] 1194

      # The "float" tells OpenVPN to accept authenticated packets from any address,
      # not only the address which was specified in the --remote option.
      # This is useful when you are connecting to a peer which holds a dynamic address
      # such as a dial-in user or DHCP client.
      # (Please refer to the manual of OpenVPN for more information.)

      #float

      # If redirect-gateway is enabled, the client will redirect it’s
      # default network gateway through the VPN.
      # It means the VPN connection will firstly connect to the VPN Server
      # and then to the internet.
      # (Please refer to the manual of OpenVPN for more information.)

      redirect-gateway

      # dhcp-option DNS: To set primary domain name server address.
      # Repeat this option to set secondary DNS server addresses.

      #dhcp-option DNS DNS_IP_ADDRESS

      pull

      proto udp
      script-security 2

      ca ca.crt

      comp-lzo

      reneg-sec 0

      auth-user-pass
      ***************************************************************

      Anyway, the problem seems to be happening on the server side, since I’m also trying to connect from an Android device and I can’t do it either.
      Any ideas?

      Thanks again!

      • #10 by Mike on January 10, 2013 - 8:52 am

        Pantos,

        I’m going to take a closer look at this later, but I have some suggestions:

        First, and I suppose the most obvious, is to confirm you’re using your public IP address (not your LAN IP) where needed. Also, try enabling the float option to see if that doesn’t help.

        Let me know if either of these help or change anything.

        • #11 by Pantos on January 10, 2013 - 2:41 pm

          Hi Mike!
          Thanks for the quick reply!
          Yes, I’m using my public IP address. I tried with my no-ip.org domain name and it seemed to resolve it without problems, but since it wasn’t working, I started using the public IP address, but still got the same result.

          Anyway, I’m home now, and in order to determine if the problem was on the server or on the network, I tried installing OpenVPN on my PC and connecting to the server via LAN. It worked. So it must be my gateway, not forwarding the ports correctly (even though the first thing I did was opening the port 1194 manually), so I’m gonna keep banging my head against the gateway until I get it to do things right.

          Thanks again, as soon as I get to figure out why this is happening I’ll post the solution.
          Sorry if my English is not the best, I’m from Spain.

          Cheers!

          • #12 by Mike on January 10, 2013 - 3:55 pm

            For port 1194, you’re forwarding UDP and not just TCP, correct?

            What kind of gateway are you using?

          • #13 by Pantos on January 14, 2013 - 3:49 am

            Hey Mike, I don’t know why I can’t reply to your post, so I’ll just reply to mine.
            My gateway is a Huawei HG622, and I finally got to connect to the Synology. It was indeed the gateway not redirecting the port 1194 to my NAS. After doing the right configuration it still didn’t work, so I just stopped working on that and forgot until today. I tried connecting and it worked, so it seems that this gateway just takes its time to apply the configuration set by the user, not even rebooting made the trick, just waiting a few days :S

            Thanks a lot Mike!!!!

          • #14 by Mike on January 14, 2013 - 12:39 pm

            No problem, and I’m glad you found the issue :)

  6. #15 by arnie on September 26, 2012 - 2:11 am

    hi mate thanks for the article stuck on the client configuration

    Change the line starting with remote to specify your server’s IP address or hostname. For example, if your OpenVPN server was at ovpn.example.com, change it as follows:

    remote ovpn.example.com 1194

    If your host’s IP address frequently changes, uncomment the float option.

    do i use my routers ip since i set that up through ez internet and a ddns eg hello.me

    cheers

  7. #16 by maarten on September 26, 2012 - 1:57 pm

    Hello Mike,

    I’m stuck at the changing server’s IP address or hostname, what do I have to fill in for IP address?

    Thanks!
    Maarten

    • #17 by maarten on September 26, 2012 - 2:07 pm

      No need to answer, i’ve found it

  8. #18 by Jason Cooke on October 22, 2012 - 9:43 am

    50% a good article, but techies that know this stuff already don’t need it. So there is quite a bit missing for network dummies like me.

    Please edit and explain each point. A few examples …

    “Also make sure that if you are behind a router or other NAT that the port is forwarded to the Synology NAS.” eh?

    “For example, if your OpenVPN server was at ovpn.example.com, change it as follows:” Sorry what now?

    “If your host’s IP address frequently changes, uncomment the float option.” How?

    “Also, if you want to redirect ALL traffic across the OpenVPN connection (preferred), uncomment the redirect-gateway option.” Now I’m lost!

    Also if your router is not on the Synology list, like mine isn’t, the article is useless to a large extent.

    Big sigh!

    Thanks Anyways

    • #19 by Mike on October 22, 2012 - 9:50 am

      Jason,

      Thanks for the feedback and suggestions. You bring up some very valid points on this article. While some of these points could use to be expanded on, a certain level of working knowledge is required.

      I’ll go back and revise the article based on your feedback at some point in the near future.

      Thanks.

  9. #20 by spawn on November 14, 2012 - 9:09 am

    Thank you for the clear guide. Didn’t know it was this easy !!

  10. #21 by Ray on November 16, 2012 - 4:24 am

    Hi,
    Thanks for this great how-to guide but I have two questions. How do I set up auto login for the VPN so I don’t have to have the user remember to connect? And second, is there any way to have OpenVPN auto reconnect if the connection is lost? We are all using Windows 8 Pro 64-Bit.

    Thanks for your time

    • #22 by Mike on January 14, 2013 - 12:44 pm

      There is a way to have the VPN auto-connect at startup. One way is to put a link in the “Startup” folder of the start menu.

      Auto-reconnect is supported but discouraged. You could do a Google search for it, as I know there are articles out there, but isn’t something I’ve worked on yet myself.

  11. #23 by Aron on December 9, 2012 - 6:38 pm

    Ahh, thanks for the article, I wasted almost 4 hours trying to set up remote access to my Synology NAS without any luck. I would have never figured out that I need to download the settings and copy them in to that folder and then edit that file. Anyways, I just wanted to say THANK YOU. Where would humanity be if we did not invent the Internet… :)

    • #24 by Mike on December 9, 2012 - 8:19 pm

      Glad it helped!

  12. #25 by Ferry on January 10, 2013 - 5:53 am

    This way of connecting with OpenVPN on a Synology NAS is not secure enough.
    Read the status log when you make a connection.
    You will see this warning message come along:
    WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Normally OpenVPN requires a server and a client certificate to authenticate with each other.

    So this way is not more secure than a PPTP connection.

    I’m searching myself for a solution to make a secure (good certificate authenticated) connection with my Synology NAS, but haven’t found it yet.

    So if someone else already figured it out, I would be glad to hear how to set it up the right “secure” way.

  13. #26 by Ferry on January 10, 2013 - 8:33 am

    I found the solution.
    It is described on this site: http://forum.synology.com/wiki/index.php/How_to_use_your_own_certificates_for_connecting

    I tested it and it works!
    The only thing I don’t get is that I still see the same warning message:
    WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

    But the other logs make it clear that my connection is now fully working with certificates.

    • #27 by Mike on January 10, 2013 - 8:54 am

      Ferry,

      Thanks so much for this! I’m glad you were able to find the solution, and thanks for coming back to share it.

  14. #28 by Xazen on January 13, 2013 - 3:33 pm

    Hey Mike,

    Thanks for this guide. Unfortunately I lost internet on my computer after the VPN connection is established.

    • #29 by Mike on January 14, 2013 - 12:39 pm

      Sounds like a routing or configuration issue.

  15. #30 by Aaron on January 28, 2013 - 9:16 am

    Hi Mike,

    Chanced upon your site, have to say, your guides have been pretty helpful for my Synology setup.

    I’m running into some issues with the OpenVPN setup.

    2013-01-28 23:11:54 TCP/UDP: Incoming packet rejected from [IP ADDRESS MASKED] :34790[2], expected peer address: [IP ADDRESS MASKED]:1194 (allow this incoming source address/port by removing --remote or adding --float)

    I’m on a static IP address and can confirm that my ports have been forwarded and firewall allows port 1194 as well. PPTP works fine, however, the OpenVPN doesn’t work at all.

    The error message does not make any sense to me at all.

    Cheers!

    • #31 by Mike on January 28, 2013 - 9:30 am

      I’m assuming the two IP addresses you removed are different, yes?

  16. #32 by Aaron on January 29, 2013 - 4:01 am

    Hi Mike,

    No, they are the same. Anyways, after posting this; the problem was resolved. :)

    • #33 by Mike on January 29, 2013 - 9:36 am

      Well, at least it works now! :)

  17. #34 by Kamran on March 9, 2013 - 2:45 am

    Hi All,

    Very useful post, I configure the VPN server on Synology RS2212+, UDP Link reaches the IP address of my synology, port 1194 is open but I am getting TLS handshake fail error:

    TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    TLS Error: TLS handshake failed

    What will be the issue?

  18. #35 by Steven on June 2, 2013 - 6:17 am

    Hi@all,

    I have the same problem with TLS Timeout but it is not the gateway. The difference between working and not working port-forwarding is the connection list in the VPN-Server-App. With active forwarding it shows an unauthorized connection. So what else can be the problem? LAN-Connection works brilliant, the only change in the last few days was a VPN-Server-Update. So what I’m going to try now is an update to DSM 4.2. I hope that will help…

  19. #36 by Zach on July 5, 2013 - 12:50 pm

    Hi Mike,

    You just might have the answer I’ve been looking for – I’ve been looking for a NAS with a VPN server built in, and the DS413j might do the trick for me. What I’m looking for is a VPN that will also allow me to access the internet through the NAS, and even the other computers on the home network the NAS is on.

    If I am reading this properly, using the redirect-gateway option will allow all traffic on the client machine to be passed through the VPN client, right – that will take care of the internet option.

    But will that also allow me to access the other powered-on computers on the same network as the NAS? Is that even possible with the synology NAS products? It would be nice to be able to then use RDP to the media server that the NAS connects to, since I plan on only using the NAS for storage (and VPN).

    Or, for what I want, do you think I would be better suited to just run an OpenVPN server on the media server, and then connect to that instead of the NAS? I would prefer to do the former though, as I think that 9/10 times I will just want the NAS for the files, not to control something on the media server usually.

    Thanks for the great blog entry!

    • #37 by Mike on July 11, 2013 - 5:08 pm

      Deleted the double post per your request :)

      You can both access the outside world through the VPN as well as address machines on the “local” (internal) LAN using their IP addresses.
