Standard VPN
VPN Plus Server provides multiple popular VPN solutions—SSTP VPN, OpenVPN, L2TP/IPSec, and PPTP VPN—to suit your needs and networking environments.
SSTP VPN
Secure Socket Tunneling Protocol (SSTP) is a VPN solution that provides SSL-protected VPN connections. With the client built into Windows, you can quickly set up an SSTP VPN connection.
To set up SSTP VPN:
- Click Standard VPN on the left panel, and go to SSTP.
- Select Enable SSTP.
- Specify the settings below:
  - Client IP range: Select a client IP range (i.e. a subnet or IP range behind your Synology Router) as virtual IP addresses available for clients. To add more for use, go to Object > Address Pool.
  - Port: Specify the port for connections.
  - Active licenses: See how many active licenses for the premium features are installed. To add licenses, go to License on the left panel.
  - Disallow duplicate logins: Select to prevent a user from creating multiple connections.
- Click Apply to finish the setup.
To connect via SSTP VPN:
Follow the instructions to start an SSTP VPN connection from your local computer:
OpenVPN
OpenVPN is an open source solution for implementing the VPN service, and provides SSL/TLS-protected VPN connections.
To set up OpenVPN:
- Click Standard VPN on the left panel, and go to OpenVPN.
- Select Enable OpenVPN server.
- Specify the settings below:
  - Client IP range: Select a client IP range (i.e. a subnet or IP range behind your Synology Router) as virtual IP addresses available for clients. To add more for use, go to Object > Address Pool.
  - Max. concurrent accounts: Specify the maximum number of concurrently connected accounts.
  - Port: Specify the port for connections.
  - Protocol: Select TCP or UDP as the transport for connections.
  - Encryption: Select a method to encrypt connections.
  - Authentication: Select a method to authenticate clients.
  - Enable compression on the VPN link: Select to compress data during transfer for increased transmission speed. This option may consume more system resources.
  - Allow clients to access server's LAN: Select to allow clients access to resources in the local network of your Synology Router.
  - Enable IPv6 server mode: Select to send IPv6 addresses to clients. You also have to select 6in4/6to4/DHCPv6-PD for IPv6 setup (at SRM > Network Center > Internet > Connection > Primary Interface > IPv6 setup).
  - Disallow duplicate logins: Select to prevent clients from creating multiple connections.
- Click Apply to finish the setup.
Note:
- The OpenVPN service does not support site-to-site connections in the bridge mode.
- The UDP port 1194 should be open in port forwarding rules (at Network Center > Port Forwarding) and firewall rules (at Network Center > Security) of the Synology Router and other connected routers.
- When running OpenVPN GUI on Windows Vista or Windows 7, please note that UAC (User Account Control) is enabled by default. If enabled, you need to use the Run as administrator option to properly connect with OpenVPN GUI.
- When Enable IPv6 server mode is selected through a Windows computer, note the following:
  - The interface name specified for the OpenVPN service should not contain any space.
  - The redirect-gateway option should be properly set in the VPNConfig.ovpn file for the client. Otherwise, you should set DNS for the OpenVPN service manually, or try Google's IPv6 DNS: 2001:4860:4860::8888.
To export certificates for clients' use:
VPN Plus Server can issue a certificate for OpenVPN clients to have them authenticated to use OpenVPN for network access.
- Click Standard VPN on the left panel, and go to OpenVPN.
- Make sure Enable OpenVPN server is selected.
- Click Export Configurations to download a .zip file that contains VPNConfig.ovpn, the certificate file for use.
- Have VPNConfig.ovpn installed on OpenVPN client devices.
Note:
- Each time VPN Plus Server runs the OpenVPN service, it will automatically copy and use the self-signed certificate (at Control Panel > Services > Certificate) for OpenVPN authentication.
- You may use an acquired third-party certificate for OpenVPN authentication. Go to Control Panel > Services > Certificate and import the certificate. Then, restart VPN Plus Server for OpenVPN authentication.
- When the certificate file at Control Panel > Services > Certificate is modified, VPN Plus Server will restart.
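A client-side check of the exported file before it is installed on devices, as an added example (not Synology's code): it parses a VPNConfig.ovpn and flags a missing redirect-gateway, no manually set DNS, enabled compression, and weak cipher or auth values. The sample file contents and the weak-algorithm policy are assumptions constructed for illustration.

```python
import re

# Constructed sample standing in for an exported VPNConfig.ovpn (not real output).
SAMPLE_OVPN = """\
dev tun
proto udp
remote vpn.example.com 1194
#redirect-gateway def1
cipher BF-CBC
auth SHA1
comp-lzo
<ca>
(constructed placeholder for the embedded certificate)
</ca>
"""

# Example policy for this sketch (an assumption, not a vendor-supplied list).
WEAK = {"cipher": {"NONE", "BF-CBC", "DES-CBC", "DES-EDE3-CBC"},
        "auth": {"NONE", "MD5"}}

def parse_directives(text):
    """Map directive -> list of argument lists; skips comments and <tag> blocks."""
    found, inline = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if inline:                                  # inside <ca>...</ca> and similar
            inline = None if line == f"</{inline}>" else inline
        elif (m := re.fullmatch(r"<([\w-]+)>", line)):
            inline = m.group(1)
        elif line and line[0] not in "#;":          # '#' and ';' start comment lines
            name, *args = line.split()
            found.setdefault(name, []).append(args)
    return found

def audit(text):
    """Return finding codes for settings the page asks the admin to choose."""
    d, findings = parse_directives(text), []
    if "redirect-gateway" not in d:
        findings.append("no-redirect-gateway")      # client does not redirect default route
        if not any(a[:1] == ["DNS"] for a in d.get("dhcp-option", [])):
            findings.append("no-dns-set")           # page: set DNS manually instead
    lzo = any(a[:1] != ["no"] for a in d.get("comp-lzo", []))
    comp = any(a and a[0] in {"lzo", "lz4", "lz4-v2"} for a in d.get("compress", []))
    if lzo or comp:
        findings.append("compression-enabled")
    for key in ("cipher", "auth"):
        for args in d.get(key, []):
            if args and args[0].upper() in WEAK[key]:
                findings.append(f"weak-{key}:{args[0]}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_OVPN))
```

An empty list means none of the checked settings were flagged; the check reads only the client file, so options pushed by the server at connect time are not covered.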
To connect via OpenVPN:
Follow the instructions to start an OpenVPN connection from your local computer:
L2TP/IPSec VPN
L2TP (Layer 2 Tunneling Protocol) over IPSec provides VPN connections with increased security and is supported by most clients (such as Windows, Mac, Linux, and mobile devices).
To set up L2TP/IPSec VPN:
- Click Standard VPN on the left panel, and go to L2TP.
- Select Enable L2TP/IPSec VPN server.
- Specify the settings below:
  - Client IP range: Select a client IP range (i.e. a subnet or IP range behind your Synology Router) as virtual IP addresses available for clients. To add more for use, go to Object > Address Pool.
  - Network interface: Select a network interface of your Synology Router so that clients can connect through this interface for VPN connection.
  - Max. concurrent accounts: Specify the maximum number of concurrently connected accounts.
  - Authentication: Select a method to authenticate clients:
    - PAP: Client passwords will not be encrypted during authentication.
    - MS-CHAP v2: Client passwords will be encrypted during authentication using Microsoft CHAP version 2.
  - MTU (Maximum Transmission Unit): Set the maximum data packet size allowed for VPN transmission.
  - DNS: Specify the DNS server address to be pushed to clients. Otherwise, the DNS server address for the Synology Router will be pushed to clients.
  - Run in kernel mode: Select to run VPN Plus Server for optimal performance.
  - Disallow duplicate logins: Select to prevent a user from creating multiple connections.
- For more security, you may enter and confirm a Pre-shared key given to clients for authentication.
- To allow non-RFC standard clients to use L2TP/IPSec VPN connection, select Enable SHA2-256 compatible mode (96 bit).
- Click Apply to finish the setup.
Note:
- For a successful L2TP/IPSec VPN connection, clients should apply authentication and encryption settings identical to those specified for the L2TP/IPSec VPN service on VPN Plus Server.
- The UDP ports 500, 1701, and 4500 should be open in port forwarding rules (at Network Center > Port Forwarding) and firewall rules (at Network Center > Security) of the Synology Router.
- When Enable SHA2-256 compatible mode (96 bit) is enabled for the first time, you may need to restart the Synology Router to have successful client connections.
To connect via L2TP/IPSec VPN:
Follow the instructions to start an L2TP/IPSec VPN connection from your local computer:
PPTP VPN
PPTP (Point-to-Point Tunneling Protocol) is a commonly used VPN solution supported by most clients (including Windows, Mac, and Linux).
To set up PPTP VPN:
- Click Standard VPN on the left panel, and go to PPTP.
- Select Enable PPTP VPN server.
- Specify the settings below:
  - Client IP range: Select a client IP range (i.e. a subnet or IP range behind your Synology Router) as virtual IP addresses available for clients. To add more for use, go to Object > Address Pool.
  - Max. concurrent accounts: Specify the maximum number of concurrently connected accounts.
  - Authentication: Select a method to authenticate clients:
    - PAP: Client passwords will not be encrypted during authentication.
    - MS-CHAP v2: Client passwords will be encrypted during authentication using Microsoft CHAP version 2.
  - Encryption (for MS-CHAP v2 authentication): Select a method to encrypt connections:
    - No MPPE: VPN connection will not be protected.
    - Optional MPPE: VPN connection may or may not be protected with a 40-bit or 128-bit encryption mechanism, depending on the client's settings.
    - Require MPPE: VPN connection will be protected with a 40-bit or 128-bit encryption mechanism, depending on the client's settings.
  - MTU (Maximum Transmission Unit): Set the maximum data packet size allowed for VPN transmission.
  - Use manual DNS: Specify the DNS server address to be pushed to clients. Otherwise, the DNS server address for the Synology Router will be pushed to clients.
  - Disallow duplicate logins: Select to prevent a user from creating multiple connections.
- Click Apply to finish the setup.
Note:
- For a successful PPTP VPN connection, clients should apply authentication and encryption settings identical to those specified for the PPTP VPN service on VPN Plus Server.
- The TCP port 1723 should be open in port forwarding rules (at Network Center > Port Forwarding) and firewall rules (at Network Center > Security) of the Synology Router.
- PPTP VPN is not supported on Mac computers already upgraded to macOS Sierra.
To connect via PPTP VPN:
Follow the instructions to start a PPTP VPN connection from your local computer: