Synology SSL VPN
Synology SSL VPN is a VPN service that supports SSL (Secure Sockets Layer) authentication and encryption. This service offers fast and secure SSL VPN access to webpages, files, and applications on the Internet or local networks.
General Management
To set up Synology SSL VPN:
- Click Synology VPN on the left panel, and go to SSL VPN.
- Select Enable Synology SSL VPN.
- Specify the settings below:
- Client IP range: Select a client IP range (i.e. a subnet or IP range behind your Synology Router) as virtual IP addresses available for clients. To add more for use, go to Object > Address Pool.
- Self-owned domain name: Click Edit to configure the Domain Setting.
- Port: Specify the port for connections via this protocol. The default port is 443. If Synology SSL VPN and WebVPN are both enabled, we recommend a non-443 port for Synology SSL VPN so that the general WebVPN speed will not be affected.
- Security level: Choose the preferred security level.
- Authentication: Select a method to authenticate clients.
- Encryption: Select a method to encrypt connections.
- Active licenses: See how many active licenses for the premium features are installed. To add licenses, go to License on the left panel.
- Disallow duplicate logins: Select to prevent accounts from creating multiple connections via this protocol.
- Enable split tunneling: Allow clients to connect to destination webpages/applications/servers in certain local subnets or local IP ranges (defined by objects) through Synology SSL VPN. The rest of traffic will go through the default gateway. Click Edit to add objects to the Split-tunnel List.
- Click Apply to finish the setup. A customized URL for the VPN Plus web portal will appear for use.
Note:
- The URL for the VPN Plus web portal may appear in one of the following forms:
- Internal IP: Only local users can access the web portal via this URL. You can manually replace it with the external IP to have a URL that allows remote access, and add the port number to it if a non-default port is used.
- External IP: Local and remote users can access the web portal via this URL.
- Domain name: Local and remote users can access the web portal via this URL. To have a domain-name URL, match the external IP address with the domain name on the DNS server first, or use the Synology DDNS service (see instructions). If the default port 443 is not used, add the non-default port number (e.g. 500) to the domain name (e.g. example.com:500).
- The object listed in Client IP range will be added to the Split-tunnel List, and can be removed only when another object is selected for Client IP range.
To install a third-party certificate to the Synology Router:
The network administrator can purchase a certificate from a trusted third-party and install it to the Synology Router. After installation, all clients can smoothly access the VPN Plus web portal without seeing browser alerts.
- Go to SRM Control Panel > Services > Certificate.
- Under the Action section, click Import certificate.
- Click Browse and provide the acquired private key and certificate.
- Click OK to finish the import.
To install the Synology Router certificate to local devices:
If no trusted third-party certificate is available, the network administrator can create a self-signed certificate from the Synology Router, and install it to all client devices.
- Go to SRM Control Panel > Services > Certificate.
- Under the Action section, click Create certificate > Create self-signed certificate. Follow the wizard's instructions to create a certificate for the VPN Plus web portal.
- Under the Server certificate section, click Export certificate to download the self-signed certificate.
- Share this certificate with local users. Ask them to install it to their devices as instructed in the Usage Guide.
Usage Guide
In the sections below, you will know how to use the Synology SSL VPN service to Internet and local network resources.
To connect via Synology SSL VPN:
You can start Synology SSL VPN connections with two exclusive clients- Synology SSL VPN Client (for Windows/Mac/Linux computers) and the VPN Plus mobile app (for iOS/Android devices).
Windows/Mac/Linux computers (except Firefox on Mac):
- Use a web browser and enter the VPN Plus web portal URL in the URL bar.
- Log in with your user credentials.
- Click SSL VPN on the left panel.
- Click Download Client to install Synology SSL VPN Client to your local computer.
- Follow the wizard's instructions to finish installation.
- When the client starts running, the webpage will refresh automatically.
- Click Connect to connect via Synology SSL VPN.
- Now all your connections from the local computer will go through the Synology Router as SSL VPN connections.
- To stop using this VPN service, click Disconnect.
Firefox on Mac:
- Use a web browser and enter the VPN Plus web portal URL in the URL bar.
- Log in with your user credentials.
- Click SSL VPN on the left panel.
- Click Download Client to install Synology SSL VPN Client to your local computer.
- Follow the wizard's instructions to finish installation.
- Go back to VPN Plus web portal > SSL VPN, and click on the link below the download button.
- A browser alert will appear in the opened webpage. Click Advanced > Add Exception.

- In the dialog, click Get Certificate, and then click Confirm Security Exception.

- Go back to VPN Plus web portal > SSL VPN. Click Connect to connect via Synology SSL VPN.
- Now all your connections from the local computer will go through the Synology Router as SSL VPN connections.
- To stop using this VPN service, click Disconnect.
iOS/Android devices:
- Go to Apple's App Store or Google Play, and download VPN Plus to your iOS/Android devices.
Note: Android application package (APK) is also available on Synology Download Center. For more information on how to manually install the application on your Android device, please refer to this article.
- Open VPN Plus, enter the IP address (e.g. 66.100.*.*) or domain name (e.g. vpn.service.com) of the Synology Router.
Note: If you use a custom port other than 443, please add the port number after the domain name/IP address with a colon (e.g., prefix.domain.com:10001).
- Log in with your user credentials.
- Tap Connect to connect via Synology SSL VPN.
- Now all your connections from the iOS device will go through the Synology Router as SSL VPN connections.
- To stop using this VPN service, tap Disconnect.
Note:
- The Synology SSL VPN service has only two compatible clients: Synology SSL VPN Client and VPN Plus mobile app.
- Synology SSL VPN Client and VPN Plus mobile app are only compatible with VPN Plus Server.
- If the network administrator has enabled split tunneling, only traffic to destination webpages/applications/servers in specified local subnets or IP ranges will go through VPN. The rest of traffic will go through the default gateway.
To install a certificate to your device:
If no trusted third-party certificate is available on VPN Plus Server, you can download and install a self-signed certificate on your computer to avoid repeated browser alerts.
- Go to the VPN Plus web portal.
- Click the person icon on the top-right corner.
- Click Configurations.
- In the pop-up window, click Download to download the ca.crt certificate to your computer.
Follow the steps below to install the certificate according to the computer platform.
For Windows:
- Double-click the ca.crt file on your computer.
- Click Open > Install Certificate... > Next.
- Select Place all certificates in the following store.

- Click Browse and choose Trusted Root Certification Authorities.

- Click OK and follow the wizard's instructions to finish installation.
- Reopen the browser to make the certificate take effect.
For Mac:
- Double-click the ca.crt file on your computer.
- Select System for Keychain, and click Add.
- Enter the user credentials and click Modify Keychain.
- Open Keychain Access on your Mac computer.
- On the left panel, select System under Keychains and then select Certificates under Category.

- Find and double-click the certificate.
- In the pop-up window, click Trust, and select Always Trust for When using this certificate.

- Close the pop-up and follow the instructions to finish installation.