Initially I had some trouble getting this to work, but figured this out and figured I would pass it on.
This guide assumes you are attempting to set up a VPN tunnel to your Synology NAS over WAN using OpenVPN. While a PPTP VPN connection is much easier to set up and doesn’t require third-party software, OpenVPN has been shown to be significantly more secure.
For this, I’m using Windows 7 64-bit. While file locations will likely differ on other OSes, the overall configuration is likely similar.
Base configuration
Log in to your Synology NAS using the admin account and install the OpenVPN server from within Package Center.
Once installed, start VPN Server and enable OpenVPN under OpenVPN Server > Settings > OpenVPN.
The following pop-up message will appear instructing you to make sure UDP port 1194 is open:
If your NAS is behind a router, make sure you have port forwarding set up to forward UDP port 1194 to your NAS.
If you are using the Synology Router Config tool, you can set the port forwarding from Control Panel > Router Configuration > Create. You’ll find the port setting under Built-In Applications as shown below:
If you’re setting up port forwarding in your router, then the Synology Router Configuration tool isn’t needed. Use one or the other, whichever you prefer.
Install OpenVPN
Download and install the OpenVPN application for your OS from OpenVPN community downloads. Install using the defaults.
Getting the configuration from the Synology OpenVPN server
Before the client software can be configured, a few files (specifically the OpenVPN configuration file and the certificate) need to be downloaded from the Synology NAS. On the NAS, go to OpenVPN Server > OpenVPN and click on Export Configuration. This will download a zip file containing the two needed files plus a third README file. You can either refer to the README for instructions or simply continue reading.
Configure the OpenVPN client software
Open Windows Explorer and navigate to “C:\Program Files (x86)\OpenVPN\config”. Copy the openvpn.ovpn and ca.crt files from the openvpn.zip file you downloaded earlier to this directory.
Right-click on openvpn.ovpn, open it with Notepad (or your favorite text editor), and make the edits explained below:
Change the line starting with remote to specify your server’s IP address or hostname. For example, if your OpenVPN server is at ovpn.example.com, change it as follows:
remote ovpn.example.com 1194
If your host’s IP address frequently changes, uncomment the float option, by changing
#float
to
float
Or, you can specify an IP address, like so:
remote 192.0.2.0 1194
Also, if you want to redirect ALL traffic across the OpenVPN connection (strongly recommended), uncomment the redirect-gateway option by changing
#redirect-gateway
to
redirect-gateway
Connecting to the OpenVPN Server
Right-click the OpenVPN GUI desktop icon and select “Run as administrator”. (You can edit the shortcut to always start with administrative privileges by right-clicking on it, selecting Properties, then Compatibility, then checking Run this program as an administrator.)
The OpenVPN GUI icon will appear in your taskbar, and it will appear red. Right-click on it and select Connect. You will be prompted for your username and password (as used on your Synology NAS) to connect.
If you’re having trouble authenticating, make sure the account you are trying to connect as has access to the VPN server. Look in VPN Server > Privilege to verify account access.
That’s it! You should have a working OpenVPN tunnel connection after following these steps. If you have any suggestions, comments, or feedback, or just want to share your thoughts, please do it in the comments section below. Thanks!
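A quick check for the edited openvpn.ovpn, as an added example that is not part of the original post or of Synology's or OpenVPN's tooling: it parses the active directives and reports on the settings this guide edits, plus whether any server-certificate verification directive is present (OpenVPN logs "WARNING: No server certificate verification method has been enabled" when none is). The finding names, the directive list in SERVER_VERIFY and the sample config are assumptions constructed for the example.

```python
import ipaddress

# Directives that make the client verify the server certificate.
# Assumed list for this example, taken from the OpenVPN manual.
SERVER_VERIFY = {"remote-cert-tls", "remote-cert-eku", "ns-cert-type",
                 "verify-x509-name", "tls-remote", "tls-verify"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: an unedited export with a LAN address typed into remote.
SAMPLE = """\
dev tun
remote 192.168.1.20 1194
#float
#redirect-gateway
pull
proto udp
script-security 2
ca ca.crt
auth-user-pass
"""

def parse_ovpn(text):
    """Return {directive: [args, ...]} for lines not commented with # or ;."""
    active = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        active.setdefault(name, []).append(args)
    return active

def audit(text):
    """Return sorted finding names (hypothetical labels) for a client config."""
    cfg, findings = parse_ovpn(text), set()
    if not SERVER_VERIFY & cfg.keys():
        findings.add("no-server-cert-verification")
    if "redirect-gateway" not in cfg:
        findings.add("redirect-gateway-not-set")
    for args in cfg.get("script-security", []):
        if args and args[0].isdigit() and int(args[0]) >= 2:
            findings.add("scripts-allowed")
    for args in cfg.get("remote", []):
        try:
            addr = ipaddress.ip_address(args[0])
        except (ValueError, IndexError):
            continue  # hostname or empty remote: no address to classify
        if any(addr in net for net in RFC1918):
            findings.add("remote-is-lan-address")
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To check a real file, pass its contents to audit(); an empty list means none of these four conditions was found.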









35 comments
1 ping
Johan Karlström
May 15, 2012 at 1:07 am (UTC -5) Link to this comment
Thanks man!
I’ve been stuck with this for some time but your little info regarding “Getting the configuration from the Synology OpenVPN server” solved my problem… :)
Now I will work to solve the default route to go to the tunnel and also so that the Synology actually routes my traffic out on its local network and further out to its local internet connection.
Mike
October 22, 2012 at 9:05 pm (UTC -5) Link to this comment
Traffic will route through the tunnel first if you turn on the redirect-gateway option.
Larry Barbish
June 15, 2012 at 10:30 am (UTC -5) Link to this comment
Mike,
I just found your site. I have set up a diskstation at home and had to port forward by hand since my ATT router wasn’t listed. Pretty tough when not knowing what I am doing. But I got it finally. Have my Android phone set up so that I can access my DSAudio and my DSphoto and DSfiles through IP addresses. And I can sit here at work on my laptop and sign in through https:.
What is the benefit of doing the VPN? I don’t quite understand how the access is different/better. And it looked too hard to do. I have what I have, but now may want to do the VPN if I understand the benefits. Thanks for doing this stuff. I just put my emergency contact info on my wallpaper of my phone. Cool.
Eric Kwan
September 5, 2012 at 2:58 am (UTC -5) Link to this comment
Mike,
After updating the VPN Server package on the Synology NAS, the VPN connection does not work any more.
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting
IMPORTANT: OpenVPN’s default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
LZO compression initialized
Mike Beach
September 9, 2012 at 10:16 pm (UTC -5) Link to this comment
Eric,
I’m not sure where your issue lies. I just tested a clean OpenVPN setup using DSM 4.1 and VPN Server 1.1-2254. Are you using the same versions of these packages?
Jo
September 24, 2012 at 4:36 am (UTC -5) Link to this comment
Mike,
I have the same problem as Eric. I use DSM 4.1 and VPN Server 1.1-2256. Can you help?
Mike Beach
September 24, 2012 at 8:52 am (UTC -5) Link to this comment
I’ve responded with a comment below. Could you please provide the requested information?
Mike Beach
September 24, 2012 at 8:49 am (UTC -5) Link to this comment
@Jo, @Eric,
What Synology NAS units are you running? Please provide the model numbers. Also, which version of the OpenVPN GUI are you running, and for which OS?
I will help as best I am able to.
Pantos
January 10, 2013 at 5:06 am (UTC -5) Link to this comment
Hi Mike,
Thanks for the guide! I’m having the same problem as Jo and Eric, and since they didn’t reply, I’m going to answer your question, just to see if maybe you can think of what the problem can be.
Synology NAS DS110j
DSM 4.1
VPN Server version: 1.1.2262
OS: Windows 7 Professional SP1
OpenVPN client version: 2.3.0 64 bit
This is the content in my config file:
***************************************************************
dev tun
tls-client
remote [ip address hidden] 1194
# The “float” tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)
#float
# If redirect-gateway is enabled, the client will redirect it’s
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)
redirect-gateway
# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.
#dhcp-option DNS DNS_IP_ADDRESS
pull
proto udp
script-security 2
ca ca.crt
comp-lzo
reneg-sec 0
auth-user-pass
***************************************************************
Anyway, the problem seems to be happening on the server side, since I’m also trying to connect from an Android device and I can’t do it either.
Any ideas?
Thanks again!
Mike
January 10, 2013 at 8:52 am (UTC -5) Link to this comment
Pantos,
I’m going to take a closer look at this later, but I have some suggestions:
First, and I suppose the most obvious, is to confirm you’re using your public IP address (not your LAN IP) where needed. Also, try enabling the float option to see if that doesn’t help.
Let me know if either of these help or change anything.
Pantos
January 10, 2013 at 2:41 pm (UTC -5) Link to this comment
Hi Mike!
Thanks for the quick reply!
Yes, I’m using my public IP address. I tried with my no-ip.org domain name and it seemed to resolve it without problems, but since it wasn’t working, I started using the public IP address, but still got the same result.
Anyway, I’m home now, and in order to determine if the problem was on the server or on the network, I tried installing OpenVPN on my PC and connecting to the server via LAN. It worked. So it must be my gateway, not forwarding the ports correctly (even though the first thing I did was opening the port 1194 manually), so I’m gonna keep banging my head against the gateway until I get it to do things right.
Thanks again, as soon as I get to figure out why this is happening I’ll post the solution.
Sorry if my English is not the best, I’m from Spain.
Cheers!
Mike
January 10, 2013 at 3:55 pm (UTC -5) Link to this comment
For port 1194, you’re forwarding UDP and not just TCP, correct?
What kind of gateway are you using?
Pantos
January 14, 2013 at 3:49 am (UTC -5) Link to this comment
Hey Mike, I don’t know why I can’t reply to your post, so I’ll just reply to mine.
My gateway is a Huawei HG622, and I finally got to connect to the Synology. It was indeed the gateway not redirecting the port 1194 to my NAS. After doing the right configuration it still didn’t work, so I just stopped working on that and forgot until today. I tried connecting and it worked, so it seems that this gateway just takes its time to apply the configuration set by the user, not even rebooting made the trick, just waiting a few days :S
Thanks a lot Mike!!!!
Mike
January 14, 2013 at 12:39 pm (UTC -5) Link to this comment
No problem, and I’m glad you found the issue :)
arnie
September 26, 2012 at 2:11 am (UTC -5) Link to this comment
hi mate thanks for the article stuck on the client configuration
Change the line starting with remote to specify your server’s IP address or hostname. For example, if your OpenVPN server was at ovpn.example.com, change it as follows:
remote ovpn.example.com 1194
If your host’s IP address frequently changes, uncomment the float option.
do i use my routers ip since i set that up through ez internet and a ddns eg hello.me
cheers
maarten
September 26, 2012 at 1:57 pm (UTC -5) Link to this comment
Hello Mike,
I’m stuck at the changing server’s IP address or hostname, what do I have to fill in for IP address?
Thanks!
Maarten
maarten
September 26, 2012 at 2:07 pm (UTC -5) Link to this comment
No need to answer, i’ve found it
Jason Cooke
October 22, 2012 at 9:43 am (UTC -5) Link to this comment
50% a good article, but techies that know this stuff already don’t need it. So there is quite a bit missing for network dummies like me.
Please edit and explain each point. A few examples …
“Also make sure that if you are behind a router or other NAT that the port is forwarded to the Synology NAS.” eh?
“For example, if your OpenVPN server was at ovpn.example.com, change it as follows:” Sorry what now?
“If your host’s IP address frequently changes, uncomment the float option.” How?
“Also, if you want to redirect ALL traffic across the OpenVPN connection (preferred), uncomment the redirect-gateway option.” Now I’m lost!
Also, if your router is not on the Synology list, like mine isn’t, the article is useless to a large extent.
Big sigh!
Thanks Anyways
Mike
October 22, 2012 at 9:50 am (UTC -5) Link to this comment
Jason,
Thanks for the feedback and suggestions. You bring up some very valid points on this article. While some of these points could use to be expanded on, a certain level of working knowledge is required.
I’ll go back and revise the article based on your feedback at some point in the near future.
Thanks.
spawn
November 14, 2012 at 9:09 am (UTC -5) Link to this comment
Thank you for the clear guide. Didn’t know it was this easy !!
Ray
November 16, 2012 at 4:24 am (UTC -5) Link to this comment
Hi,
Thanks for this great how-to guide but I have two questions. How do I set up auto login for the VPN so I don’t have to have the user remember to connect? And second, is there any way to have OpenVPN auto reconnect if the connection is lost? We are all using Windows 8 Pro 64-Bit.
Thanks for your time
Mike
January 14, 2013 at 12:44 pm (UTC -5) Link to this comment
There is a way to have the VPN auto-connect at startup. One way is to put a link in the “Startup” folder of the start menu.
Auto-reconnect is supported but discouraged. You could do a Google search for it, as I know there are articles out there, but isn’t something I’ve worked on yet myself.
Aron
December 9, 2012 at 6:38 pm (UTC -5) Link to this comment
Ahh, thanks for the article, I wasted almost 4 hours trying to set up remote access to my Synology NAS without any luck. I would have never figured out that I need to download the settings and copy them in to that folder and then edit that file. Anyways, I just wanted to say THANK YOU. Where would humanity be if we did not invent the Internet… :)
Mike
December 9, 2012 at 8:19 pm (UTC -5) Link to this comment
Glad it helped!
Ferry
January 10, 2013 at 5:53 am (UTC -5) Link to this comment
This way of connecting with OpenVPN on a Synology NAS is not secure enough.
Read the status log when you make a connection.
You will see this warning message come along:
WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Normally an OpenVPN requires a server and a client certificate to authenticate with each other.
So this way is not more secure than a PPTP connection.
I’m searching myself for a solution to make a secure (good certificate authenticated) connection with my Synology NAS, but haven’t found it yet.
So if someone else already figured it out, I would be glad to hear how to set it up the right “secure” way.
Ferry
January 10, 2013 at 8:33 am (UTC -5) Link to this comment
I found the solution.
It is described on this site: http://forum.synology.com/wiki/index.php/How_to_use_your_own_certificates_for_connecting
I tested it and it works!
The only thing I don’t get is that I still see the same warning message:
WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
But the other logs make it clear that my connection is now fully working with certificates.
Mike
January 10, 2013 at 8:54 am (UTC -5) Link to this comment
Ferry,
Thanks so much for this! I’m glad you were able to find the solution, and thanks for coming back to share it.
Xazen
January 13, 2013 at 3:33 pm (UTC -5) Link to this comment
Hey Mike,
thanks for this guide. Unfortunately I lost internet on my computer after the VPN connection is established.
Mike
January 14, 2013 at 12:39 pm (UTC -5) Link to this comment
Sounds like a routing or configuration issue.
Aaron
January 28, 2013 at 9:16 am (UTC -5) Link to this comment
Hi Mike,
Chanced upon your site, have to say, your guides have been pretty helpful for my Synology setup.
I’m running into some issues with the OpenVPN setup.
2013-01-28 23:11:54 TCP/UDP: Incoming packet rejected from [IP ADDRESS MASKED] :34790[2], expected peer address: [IP ADDRESS MASKED]:1194 (allow this incoming source address/port by removing --remote or adding --float)
I’m on a static IP address and can confirm that my ports have been forwarded and firewall allows port 1194 as well. PPTP works fine, however, the OpenVPN doesn’t work at all.
The error message does not make any sense to me at all.
Cheers!
Mike
January 28, 2013 at 9:30 am (UTC -5) Link to this comment
I’m assuming the two IP addresses you removed are different, yes?
Aaron
January 29, 2013 at 4:01 am (UTC -5) Link to this comment
Hi Mike,
No, they are the same. Anyways, after posting this; the problem was resolved. :)
Mike
January 29, 2013 at 9:36 am (UTC -5) Link to this comment
Well, at least it works now! :)
Kamran
March 9, 2013 at 2:45 am (UTC -5) Link to this comment
Hi All,
Very useful post, I configure the VPN server on Synology RS2212+, UDP Link reaches the IP address of my synology, port 1194 is open but I am getting TLS handshake fail error:
TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
What will be the issue?
Steven
June 2, 2013 at 6:17 am (UTC -5) Link to this comment
Hi@all,
I have the same problem with TLS Timeout but it is not the gateway. The difference between working and not working port-forwarding is the connection list in the VPN-Server-App. With active forwarding it shows an unauthorized connection. So what else can be the problem? LAN-Connection works brilliant, the only change in the last few days was a VPN-Server-Update. So what I’m going to try now is an update to DSM 4.2. I hope that will help…
PPTP VPN Connection to Synology NAS on Windows 7 » MikeBeach.org
November 29, 2012 at 8:22 pm (UTC -5) Link to this comment
[...] previously wrote a post about connection to a Synology NAS VPN server using OpenVPN. Although OpenVPN is more secure, it does involve installing software and can be a bit tricky to [...]