Set up VPN Server
Under Settings in the left panel, choose any of the following types of VPN server to enable VPN service on your DiskStation.
Note:
- Enabling VPN service affects the network performance of the system.
PPTP
PPTP (Point-to-Point Tunneling Protocol) is a commonly used VPN solution supported by most clients (including Windows, Mac, Linux, and mobile devices). For more information about PPTP, refer to here.
To enable PPTP VPN server:
- Tick Enable PPTP VPN server.
- Specify a virtual IP address of VPN server in the Dynamic IP address fields. Refer to About Dynamic IP Address below for more information.
- Set Maximum connection number to limit the number of concurrent VPN connections.
- Choose either of the following from the Authentication drop-down menu to authenticate VPN clients:
  - PAP: VPN clients' passwords will not be encrypted during authentication.
  - MS-CHAP v2: VPN clients' passwords will be encrypted during authentication using Microsoft CHAP version 2.
- If you use MS-CHAP v2 for authentication, choose any of the following from the Encryption drop-down menu to encrypt VPN connection:
  - None: The VPN connection will not be protected by any encryption mechanism.
  - Require MPPE (40/128 bit): The VPN connection will be protected with 40-bit or 128-bit encryption, depending on the client's setting.
  - Maximum MPPE (128 bit): The VPN connection will be protected with 128-bit encryption, which provides the highest level of security.
- Set MTU (Maximum Transmission Unit) to limit data packet size through the VPN network.
- Tick Use manual DNS and specify a DNS server IP to push DNS to PPTP clients. Otherwise, the current DNS setting of DiskStation will be used.
- Click OK.
Note:
- The authentication and encryption types of VPN clients must be identical to the settings specified on VPN Server.
- To apply to most PPTP clients running Windows, Mac OS, Mac iOS and Android operating systems, the default MTU is set to 1400. For more complicated network environments, a smaller MTU might be required. Try reducing the MTU size if you keep receiving timeout errors or experience unstable connections.
- Please check the port forwarding and firewall settings on your DiskStation and router to make sure TCP port 1723 is open.
- PPTP VPN service is built into some routers, so port 1723 is already occupied. Disable the built-in PPTP VPN service through the router's management interface so that the PPTP service of VPN Server can work. In addition, some old routers block the GRE protocol (IP protocol 47), which will cause VPN connection failure. It is recommended to use a router supporting VPN passthrough connections.
OpenVPN
OpenVPN is an open source solution for implementing VPN service. It protects VPN's connection with the SSL/TLS encrypting mechanism. For more information about OpenVPN, visit here.
To enable OpenVPN VPN server:
- Tick Enable OpenVPN server.
- Specify a virtual internal IP address of VPN server in the Dynamic IP address fields. Refer to About Dynamic IP Address below for more information.
- Set Maximum connection number to limit the number of concurrent VPN connections.
- Tick Enable compression on the VPN link if you want to compress data during transfer.
- Click OK.
Note:
- VPN Server does not support bridge mode for site-to-site connections.
- Please check the port forwarding and firewall settings on your DiskStation and router to make sure UDP port 1194 is open.
To export configuration file:
Click Export Configuration. OpenVPN allows VPN server to issue an authentication certificate to the clients. The exported file is a zip file that contains ca.crt (certificate file for VPN server), openvpn.ovpn (configuration file for the client), and README.txt (simple instruction on how to set up OpenVPN connection for the client). For more information, refer to Synology VPN User's Guide.
L2TP/IPSec
L2TP (Layer 2 Tunneling Protocol) over IPSec provides virtual private networks with increased security and is supported by most clients (such as Windows, Mac, Linux, and mobile devices). For more information about L2TP, refer to here.
Before you start:
To use L2TP/IPSec, make sure your DiskStation is running DSM 4.3 or later.
To enable L2TP/IPSec VPN server:
- Tick Enable L2TP/IPSec VPN server.
- Specify a virtual IP address of VPN server in the Dynamic IP address field. Refer to About Dynamic IP Address below for more information.
- Set Maximum connection number to limit the number of concurrent VPN connections.
- Choose either of the following from the Authentication drop-down menu to authenticate VPN clients:
  - PAP: VPN clients' passwords will not be encrypted during authentication.
  - MS-CHAP v2: VPN clients' passwords will be encrypted during authentication using Microsoft CHAP version 2.
- Set MTU (Maximum Transmission Unit) to limit data packet size through the VPN network.
- Tick Use manual DNS and specify a DNS server IP to push DNS to L2TP/IPSec clients. Otherwise, the current DNS setting of DiskStation will be used.
- Enter and confirm a pre-shared key. This secret key can be given to your L2TP/IPSec user to authenticate the connection.
- Click OK.
Note:
- The authentication and encryption types of VPN clients must be identical to the settings specified on VPN Server.
- To apply to most L2TP/IPSec clients running Windows, Mac OS, Mac iOS, and Android operating systems, the default MTU is set to 1400. For more complicated network environments, a smaller MTU might be required. Try reducing the MTU size if you keep receiving timeout errors or experience unstable connections.
- Please check the port forwarding and firewall settings on your DiskStation and router to make sure UDP ports 1701, 500, and 4500 are open.
- L2TP or IPSec VPN service is built into some routers, so port 1701, 500 or 4500 is already occupied. Disable the built-in L2TP or IPSec VPN service through the router's management interface so that the L2TP/IPSec service of VPN Server can work. It is recommended to use a router supporting VPN passthrough connections.
About Dynamic IP Address
Depending on the number you entered in Dynamic IP address, VPN Server will choose from a range of virtual IP addresses while assigning IP addresses to VPN clients. For example, if the dynamic IP address of VPN server is set as "10.0.0.0", a VPN client's virtual IP address could range from "10.0.0.1" to "10.0.0.[maximum connection number]" for PPTP, and from "10.0.0.2" to "10.0.0.255" for OpenVPN.
Important: Before specifying the dynamic IP address of VPN server, please note:
- Dynamic IP addresses allowed for VPN server should be any of the following:
  - From "10.0.0.0" to "10.255.255.0"
  - From "172.16.0.0" to "172.31.255.0"
  - From "192.168.0.0" to "192.168.255.0"
- The specified dynamic IP address of VPN server and the assigned virtual IP addresses for VPN clients should not conflict with any IP addresses currently used within your local area network.
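The rules above can be checked before a value is typed into the Dynamic IP address field. The following Python sketch is an added example, not part of Synology's documentation or software. It assumes the client pool is the /24 that starts at the dynamic IP address, reads the listed ranges as requiring a last octet of 0, and treats any overlap with a LAN subnet as a conflict. The function names and sample subnets are hypothetical.

```python
import ipaddress

# Private ranges the page lists as valid for the "Dynamic IP address" field.
ALLOWED = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_dynamic_ip(dynamic_ip, lan_networks):
    """Return a list of problems; an empty list means the value is acceptable."""
    try:
        addr = ipaddress.IPv4Address(dynamic_ip)
    except ValueError:
        return [f"{dynamic_ip!r} is not a valid IPv4 address"]
    problems = []
    if int(addr) & 0xFF != 0:
        problems.append("last octet must be 0")
    if not any(addr in net for net in ALLOWED):
        problems.append("outside the allowed private ranges")
    # Assumption of this example: clients are drawn from the enclosing /24.
    pool = ipaddress.IPv4Network(f"{addr}/24", strict=False)
    for lan in lan_networks:
        lan_net = ipaddress.IPv4Network(lan, strict=False)
        if pool.overlaps(lan_net):
            problems.append(f"pool {pool} conflicts with LAN {lan_net}")
    return problems


def client_range(dynamic_ip, protocol, max_connections=None):
    """First and last client address, following the page's PPTP/OpenVPN example."""
    base = int(ipaddress.IPv4Address(dynamic_ip))
    if protocol == "pptp":
        first, last = 1, max_connections      # .1 to .[maximum connection number]
    elif protocol == "openvpn":
        first, last = 2, 255                  # .2 to .255, as stated on the page
    else:
        raise ValueError("the page gives ranges only for PPTP and OpenVPN")
    return (str(ipaddress.IPv4Address(base + first)),
            str(ipaddress.IPv4Address(base + last)))


if __name__ == "__main__":
    lan = ["192.168.1.0/24"]                  # constructed sample LAN subnet
    for candidate in ("10.0.0.0", "192.168.1.0", "172.32.0.0"):
        print(candidate, validate_dynamic_ip(candidate, lan) or "OK")
    print(client_range("10.0.0.0", "pptp", max_connections=5))
```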
About Client's Gateway Setting for VPN Connection
Before connecting to DiskStation's local area network via VPN, the clients might need to change their gateway setting for VPN connection. Otherwise, they might not be able to connect to the Internet when VPN connection is established. For detailed information, refer to Synology VPN User's Guide.