Setup An OpenVPN Server On A Synology NAS Running DSM 7

You're welcome... Glad to hear that the video was helpful in your setup!!

You're welcome!! Glad the video was helpful in getting your OpenVPN connection working properly.

​@@digital_alohaPlease help me. 🙏Recently, I changed my ISP and tried this again. An error occurred saying,
"TLS Error: TLS key negotitation failed to occur within 60 seconds (check network connectivity)
TSL Error: TLS handshake failed"
I checked and enabled 'Use TLS 1.0', 'Use TLS 1.1',' and Use TLS 1.2' from my Internet Properties > Advance Setting.
However, I am still getting the error, do you have any suggestions? Thanks in advance. :)

Hi Radha, You're welcome and I appreciate the compliment. I'm hoping my videos cover the topics I cover in an approachable and detailed way and comments like yours makes me think I'm on the right track. Thanks so much!!

@bringyourownheart You're welcome!! Thank you for the wonderful review of the content I've been releasing. It is motivating and rewarding to hear reviews like yours!!

Hi Jacob, You're welcome. Happy to hear that the video and specifically the coverage on full and split tunnel helped you out!!

Hi Dennis, You're welcome!! I'm glad the video helped get your OpenVPN and Windows system setup properly.

You're welcome!! Glad the video was helpful and thank you for the feedback!!

@andreyv1 You're welcome. Glad the video was helpful!!

Hi Amado, You're welcome! I'm happy to hear that the video helped you with your VPN setup!!

@dvdm1dvdm1 You're welcome!! Glad the video was helpful!!

Hi Andy, You're welcome and thanks for the feedback. I'm happy the video was helpful!!

Hi Florin, Thank you and you're welcome!! Glad the video was helpful!!

Hi Glen, You're welcome on the videos and I'm glad they are informative and easy to follow. I appreciate the positive feedback on the videos I've been putting out!! Thank you for that!!
Regarding your problem I'm wondering if you used your Synology's internal/LAN IP address instead of your DDNS hostname in your configuration file? I say this because the OpenVPN connection works on your LAN which makes me think that you used the internal/LAN IP address (or maybe you changed your configuration to the internal/LAN IP address in your testing?).
If you do have the DDNS hostname entered correctly then I'd try disabling your Synology Firewall and see if that does the trick. Also, have a look at the logs on both the client and server ends for additional clues.
Hope this helps and best of luck in trying to find the problem.

I have exactly the same problem. Trying to connect through a UDM. Connects on LAN. Remote does not. So far tried only my iPhone13 / OpenVPN Connect app. Disabled the NAS Firewall, still I am stuck with "Peer certificate verification failure". Have you had any progress since your post?

Thanks Francois for the complement on the video and for the suggestions as well. I'll keep in mind the screen size and readability of the content I'm presenting as I create further videos. Good point on leaving the default port on the OpenVPN side and adjusting the external port on the router.

Hi Joe, You're welcome and thanks for your feedback on my videos. I appreciate it!!

Hi @mariuszengland, You're welcome!! Glad the video was helpful.

No problem 👍. You're welcome. Glad the video was helpful!!

@mwolfod You're welcome!! Glad to hear the tutorial was helpful for you. Regarding your comment on sharing media with less technical family members, I do agree that port forwarding would simplify things for them. Good luck with your setup!!

Hi STG1989, You're welcome and thank you for subscribing!!
Regarding your question, the OpenVPN server that Synology runs is the community edition and doesn't require signing up for the services you mentioned. Hope this helps answer your question and good luck with setting up OpenVPN on your Synology NAS.

Hi Manoj, Glad you like the way I narrate my videos and I appreciate the feedback!!
Regarding your question on double NAT and port forwarding, if you can't setup port forwarding directly on your router(s) then you may be stuck with QuickConnect and the hole punching technology it uses. Also if you want to use a VPN setup you will need to use DDNS and port forwarding so you may be out of luck there as well.
One thing you may want to try is TailScale, which allows endpoint to endpoint connections in a similar way that QuickConnect does, but you may have better luck with speeds. I have a video on it as well - ua-cam.com/video/x7SVbkHaEaA/v-deo.html. Good luck!!

Hi shironator, You're welcome, hopefully the video was helpful to you!! Regarding your question on DNS I've used both a DNS running on my NAS as well as external from my NAS. Generally for external DNS it's been something on my local network though, not one outside of my home network. I've settled on Pi-hole with Unbound at the moment and I have a video on that setup as well if you are interested -> ua-cam.com/video/-546g1w_L3w/v-deo.html. Hope this helps and good luck with your setup!!

Hi Adam, You're welcome on the video... And yes you can map a network share as a drive letter if you would like. Thinking about your comment I guess it would have been more impactful if I did map a network share from my Synology NAS, but I thought seeing access to DSM over the VPN was good enough. Thanks for your comment and best of luck in your setup!!

@@digital_aloha map a network share would be extremely useful to see.

Excellent. Thanks both for answering my question. The use case for my remote access would 99% be for accessing files on my NAS. I can't think of a reason I'd want to connect directly. Subscribed!

Hi Jo, Sorry about that! I've had other comments regarding my videos resolution and the difficulty in seeing some of the screenshots that I provide. I've since been trying to be more mindful to increase the size of text when I can and will be looking into providing better resolution in future videos as well.
Regarding this video if you have any questions regarding screenshots that you aren't able to see very well please let me know and I'll try to provide you with the details that you may be missing.

Hi Paul, You're welcome on the tutorials and I'm happy you have found value in them!! Sorry for not getting back to you sooner, but regarding your questions I'd use the information from this video (ua-cam.com/video/bvvIoSMYDK4/v-deo.html) to share files with people. The setup described provides a SSL cert and secure way to share files although it is completely independent from Synology Drive. For your second question I think this video (where you commented) covers pretty much everything regarding the OpenVPN setup along with Windows client setup as well. Hope this helps and good luck to you in your setup!

Hi Throttle Nerd, I actually don't think you can setup OpenVPN access to your Synology NAS if you have a gray IP address from your provider. You'd have to setup port forwarding and that isn't possible from what I am aware of. In this situation I'd recommend either QuickConnect or Tailscale (see this video here on Tailscale -> ua-cam.com/video/x7SVbkHaEaA/v-deo.html). I like Tailscale as well because it opens up more access to your Synology NAS then QuickConnect.

@@digital_aloha Thank you so much! I'll buy public IP option from my provider then )

@@throttlenerd You're welcome and good luck with getting everything setup after enabling the public IP option with your provider.

Hi Bergami Family, Great question... There are ways to access folders on the NAS through a hostname over an OpenVPN connection, but it takes a little more work. For background, when a computer is on the same network as the NAS it picks up the NAS's hostname through the NAS broadcasting it's hostname so it can be discovered by systems on the local network. This broadcast doesn't work over an OpenVPN connection.
To allow remote hostname access you can either setup a DNS name server that includes the Synology NAS as a host that can be resolved (here is a link from Synology that covers setting up a DNS server - kb.synology.com/en-us/DSM/tutorial/How_to_set_up_your_domain_with_Synology_DNS_Server) or a simpler way is to edit the local hosts file on your computer (here is a link for Windows - petri.com/easily-edit-hosts-file-windows-10/ and for MacOS - setapp.com/how-to/edit-mac-hosts-file).
Hope this helps? I may release a video or a series of videos on this these topics in the future so consider subscribing if you haven't already. Good luck to you!!

🤣… You’re welcome!!

Hi An, This sounds like a firewall issue to me. I would double check that SMB isn't blocked and/or create a firewall rule to allow SMB access. Hope this helps? Good luck with your setup!!

@goudaibrahim6027 Thank you... Glad the video was helpful!! Regarding your question, openvpn uses local users so you'll need to setup an account you would like to use with openvpn and use the username and password associated with the account to login. Hope this helps? Best of luck in your set up!!

Hi Greg, Thanks for the compliment on my videos!!
Regarding your question, you should be able to edit your OpenVPN configuration file using textedit on your Mac. You should be able to right click on the configuration file, select open with and select textedit. Hope this helps and good luck in setting up OpenVPN.

Hi Valdemar, actually no. The feature that allows you to do this is called Wake-on-LAN and it requires you to be on the same LAN as your Synology NAS to work. It won't work properly over a VPN connection.

@christianblicher1358 Thanks for the compliment on this video! Regarding your issue have a look at the Synology NAS firewall and, if it is turned on, turn it off and see if access to DSM and home assistant start working. If it does then you probably need to setup an allow/access rule for the IP addresses assigned to the OpenVPN network. Hope this helps and best of luck to you in figuring out the issue!

@@digital_aloha Thanks! will check it ut!

@@christianblicher1358 You're welcome. Hopefully the firewall is the issue. Good luck!!

Great suggestion! I'm interested in Synology Mailplus myself and will look into putting together a video on the topic. Thanks for the compliment on my videos as well!!

@@digital_aloha Thank you ahead of time, excitedly waiting for it.

hoaconstrictor (cool name by the way) - I have a couple videos in my queue yet... Look for the Mailplus video in the next couple of weeks.

Also, looking forward to the Mail sever video.
Joe

Hi Kenny, Hopefully you got this resolved already (it's been a while since your comment/question was posted)?

@schlicht. Great question!! You can definitely setup your reverse proxy to manage your OpenVPN connection exactly how you described. Let me know if you do run into any trouble with your setup. I'll formalize the configuration and will release a video if you think it would be useful to you and others. Good luck!!

@@digital_aloha thanks for the quick response! Thanks to your Video I was able to set up OpenVPN without a reverse proxy. Unfortunately, I can't manage to set up OpenVPN with the reverse proxy. My reverse proxy port (XXX) uses TCP, do I have to open it again for the UDP protocol and if so is it worth to use the reverse proxy (for OpenVPN) at all if I can also just open the port for OpenVPN (1194 UDP). I understood that OpenVPN must communicate with my Network from the outside, so when I tried to use it with the reverse proxy I changed the OpenVPN config from [myddns + 1194] to [vpn.myddns + reverse proxy port (XXX)]. Is my understanding correct here? I certanly think a Video would be helpful! Again, thanks in advance for any help!

@michael6621 You should be able to enter in a local DNS server in the config file. Check out the windows setup section of the video (ua-cam.com/video/Wv4CfZ40rFE/v-deo.html). I'm assuming your DNS server has your local devices setup by name? If not, you could edit the local host file on the client and enter in the IP address and hostname of your devices. Then you should be able to connect to your devices via the hostname that you configured. See this link for reference -> docs.rackspace.com/support/how-to/modify-your-hosts-file/. Hope this helps and best of luck in your setup!!

it does connect to the server though, which is weird, but no internet?

Hi Mario, It does seem like the CA file isn't included anymore with the download. I'm seeing the same thing you are and I'm able to use the VPNConfig.ovpn file just fine. See what happens if you just continue through the instructions. I think you'll be okay. Good luck!!

Hi Baschi, Yes it is possible. You'll need to setup your client with full tunneling and you'll be set. Full tunneling is covered in the video, but if you have any further questions please let me know.

@keerapatratanasirisawad4040 Sorry for the slow response and thank you for the compliment on my video guide!! Regarding SMB, it should work if it is enabled on your Synology NAS and you are connected through OpenVPN. I wonder if it may be the Synology firewall that could be the issue. If it is on, turn it off and see if SMB works. If that does the trick you just need to enable access to the OpenVPN subnet and you should be set. Hope this helps or, better yet, I hope you already got this problem resolved. In any case, best of luck in getting SMB working through your OpenVPN setup.

Hi thanks for reply. It works actually I don’t know the reason why it didn’t at first. Cheers! Would you consider make some contents related to media server and related apps like Lidarr, Sonarr, etc..

@@keerapatratanasirisawad4040 You're welcome!! Glad to hear you got your SMB issue resolved. Regarding your comment about media servers I'll definitely look into creating some content in the future. Thanks for the suggestion!!

Hi Chi Cago, From what I've read this seems to be a firewall issue. I'd recommend turning off your Synology firewall if you have it on (just to test) and then change the firewall rules if that is the issue. Hope this helps. Good luck to you!!

Hi Phantom, what error message or problem are you experiencing?

@@digital_aloha mainly the actual VPN config file to upload on openvpn. Every time I upload the file to openvpn on my mobile device it never seems to connect at all.

@@phantomsynthesizer6171 It is hard to really say exactly where the problem may be from the information you provided because there are a bunch of steps you'll need to go through to get OpenVPN working like setting up DDNS/port forwarding, editing the downloaded configuration file, etc. I think the video covers everything you'll need to do so make sure you go through each step.
Other things you may want to check on is if the configuration file works on your desktop and not just on your mobile device. Also see if you can connect to the OpenVPN server from within your network which will bypass the need to have DDNS/port forwarding properly setup. I also have a couple of videos on VPN setup on mobile devices. This one for iOS - ua-cam.com/video/Yc5lTaFrdkc/v-deo.html and this one for Android - ua-cam.com/video/wuVSJ01cDwA/v-deo.html. Hope some of these tips help? Good luck to you!!

Thank you for your help I will try it again and let you know. I know I'm missing something! Lol

@@phantomsynthesizer6171 You're welcome and let me know if I can assist any further. Good luck to you!!

@eagle1107flyer This does work on an iPhone and I cover how to set things up in this video -> ua-cam.com/video/Yc5lTaFrdkc/v-deo.html. Hope this helps and good luck in your setup!!

Hi Arhan, You're welcome and I hope you got your OpenVPN connection working!!??
Regarding your question I just exported the configuration file and I see the same thing you do (just the README.txt and VPNConfig.ovpn files). It looks like the CA certificate is included in the OVPN file (bring it up in an editor and scroll to the end) so maybe that is why Synology doesn't include the CA.crt file any more. I also imported the OVPN file into my OpenVPN Connect client and it works perfectly for me. Hope this helps and answers your question!!

@@digital_aloha the extracted certificate file is unfortunately not recognized by the openvpn program. all the time is displayed: WARNING: No server certificate verification method has been enabled.

Hi Damian, what OpenVPN client are you using? I've been using OpenVPN Connect and it worked great both on MacOS and iOS.

@@digital_aloha Hi
as you wrote, the certificate is contained in the .ovpn file
In the case of launching Open VPN Connect, I just click skip the certificate and then it works.
Does it mean that I am unprotected?
And why can't I see my local network computers (DSM firewall port 1194 open)?

@@damianfuture6882 If it is the same warning that I mentioned in the video then continuing through the connection error message is fine and your connection is secure.
As for accessing your local network, what happens if you disable the DSM firewall entirely? If the local network is accessible at that point then you should look at your firewall rules further. Good luck!!

@grem28 Yes, if you setup OpenVPN you will be able to map network drives like you would if you were on the local network.

@@digital_aloha wow. Thanks. I'll give this a shot!

@@grem28 Your welcome!! Good luck to you!!

Hi Garry, I would check to make sure a user is assigned privileges to logon to OpenVPN. This is covered at 2:10 of the video -> ua-cam.com/video/Wv4CfZ40rFE/v-deo.html. When I remove privileges in my testing I get the exact error you get. Good luck!!

Hi Imad, The username I used was "openvpn" and the password was one that I entered in when I created the user. The user was created at 0:35 of the video. Good luck in getting everything setup!!

@@digital_aloha thanks. I think I have it set up now. Just need to figure out how to get access to the drive as network folder through the vpn connection

@hanswelder You should be able to change the password for the user that you are authenticating with by going to Control Panel -> User & Group. Then select the user you would like to work on and select Edit. You'll see the Change Password option from the window that pops up. Hope that helps?

@@digital_aloha Will check it, hadn't thought about that way, thank you!

@@hanswelder You're welcome and good luck with your setup!!

Aloha gertwallen, Glad the video was of help to you. Regarding your issue the only thing I can think of is that maybe your Synology NAS firewall is enabled and that is why the router config failed when you ran it? Other than that it sounds like you have the right setup. Hope this helps and good luck to you!

@@digital_aloha Thanks, I'll check that, also, is it better to set up a VPN from the NAS's DSM and run it from there, or directly from the router's included VPN?

@@gertwallen You're welcome!! Regarding your question, I think the opinion varies but, for me personally, I'm fine with running the VPN on the NAS mainly because the interfaces I've seen on the routers I use aren't the greatest and Synology's VPN Server setup is very nice and intuitive. Hope this helps in your decision making?

@@digital_aloha Yes, I agree, generally speaking Synology's DSM is very intuitive not only for setting up the VPN but for any other task too. Regarding my question, it seems that the consensus is that it is always better to run the VPN from the router and not from the NAS or any other device. In particular it seems that the cipher for OpenVPN that Synology uses is outdated and not updated, which is a security concern. You can google this and you'll find many sources of info.

@@gertwallen Ah yes, good point. I've ran into issues with older/outdated software in other aspects of DSM as well.

I do!! My consulting website is digitalaloha.com where I gear consulting toward backups and data protection, but I can definitely assist with OpenVPN setup as well. Feel free to contact me through the website or here through UA-cam, which ever you prefer.

Hi Tom999, You should be able to use the account to login to DSM and other applications in addition to the VPN. You can check what applications the account has access to from Control Panel -> User & Group then editing the user and selecting Applications. At this point you should be able to allow or deny access as you would like. Hope this helps?

Got it... You're welcome and thanks again!!

You're right, you would need to install an OpenVPN client and upload the config file to your Android device to be able to use the apps you mentioned. It isn't to much of a pain to setup and I have a video that covers what I used, which was Synology Drive. You can check out the video here -> ua-cam.com/video/wuVSJ01cDwA/v-deo.htmlsi=grs0NExv2PqQbxHk. Hope this helps and best of luck in your setup!!

Hi @fordsrmaster, Did you get this resolved? I'm wondering if your port forwarding is setup for TCP rather than UDP and that is why you can't connect. Hopefully you got this resolved and sorry for the slow response.

@@digital_aloha No, I did not get it resolved. I ran out of time and I haven't been able get back to it to figure it out yet.

@jonathanmatthew5631 At some point the certificate was rolled into the VPNConfig.ovpn file and isn't a separate file any more. The setup should still work if you haven't continued on. Good luck in getting everything working!!

@ignacbonifac206 I do have videos that cover both Android and iOS setups for OpenVPN (and other VPN services as well). Here is the Android link -> ua-cam.com/video/wuVSJ01cDwA/v-deo.html and here is the iOS link -> ua-cam.com/video/Yc5lTaFrdkc/v-deo.html.
I think your particular issue is because the certificate is included within the VPNConfig.ovpn file, if you are getting the message "Select Certificate... This profile doesn't include a client certificate...". You can either click Continue to proceed with connecting or, if you check out the MacOS section of this video, I added the line "setenv CLIENT_CERT 0" to the VPNConfig.ovpn file that disables the checking for the client certificate.
Hope this helps? Good luck in getting the certificate message resolved.

@@digital_aloha thank you, I know what you are saying, but I need it to work for me with the certificate. When I click continue, it connects, everything works, but it doesn't solve my problem, where only with that certificate can I get into the systems I need for work. Without a certificate, it's useless to me. I need to solve the issue with the certificate on Android - especially on the Samsung Galaxy Tab S8+ .....

@@ignacbonifac206 You're welcome!! However, Synology's OpenVPN server doesn't use client certificates so there isn't an option to get it working the way you want from what I can tell. Note also that Synology's OpenVPN server does use server certificates so the connection is still secure, it just doesn't allow for both server and client certificates thus the work around that I mentioned earlier. Hope this helps?

@@digital_aloha hmmm thank you very much, but it's not a positive message, but if it is, then I probably don't need to search any further. It's a shame it doesn't work, I think Synology should fix it.

@@digital_aloha I'm sorry I have one more question... Have u got video how to setup protocol LPTSec ??? Thank you

Hi Guilhem, I haven't run across the problem you are experiencing, but I know a few other viewers commented that they didn't get a zip file either (although in their experience they got a file named entry.cgi when clicking the export link). What I suggested for them was to use the command line to see if the zip file existed by using SSH. Below is a copy of the comment with the commands you can try.
Also what is the Synology NAS model and DSM version you are using? Maybe that will provide clues for me to research on.
Good luck!!
---
I can give you another way to download the openvpn.zip file that you are having problems retrieving.
It does deal with the command line and SSH so hopefully you are comfortable with that. Have a look at my SSH video -> ua-cam.com/video/t213x-sne6A/v-deo.html and pretty much just turn on the SSH service (the first minute of the video) and you'll be set. At this point you'll need to open up a terminal (I'm on a mac) and first I ran "cd Downloads" to change to the Downloads directory. Next I issued the following command:
dsadmin@192.168.81.15:/volume1/@appstore/VPNCenter/etc/openvpn/keys/openvpn.zip .
where
dsadmin is the administrator account on my Synology NAS (your's is probably different)
192.168.81.15 is the IP address of my Synology NAS
/volume1/@appstore/VPNCenter/etc/openvpn/keys/openvpn.zip is the path and openvpn.zip file you need to setup your OpenVPN clients
After the path and openvpn.zip file include a space and a . which means download the file to the current directory.
At this point you should be able to unzip the openvpn.zip file and go through the client setup process.

@@digital_aloha Thanks for this I learnt a thing or two. I was access my NAS over wan, as soon as I accessed on LAN the zip file exported fine

@@MrGeelhem Thanks for sharing your findings! Interesting that the zip file doesn't export properly when done over the wan.

Hi kk, It is hard to say exactly what the problem may be from the error you provided, but I would point you to looking at your client logs for clues and also your certificates as well. If you have further details on your errors let me know and I can see if I can assist further. Good luck!!

@@digital_aloha Yes. When i run openvpn server. on thing message pop up. And it say"There was an error attempting to connect to the selected server". So i can't use openvpn server..

Hi kk, I can try to help if you provide me the error messages you see in your logs. Hard to give you additional things to try unless I get more info ;)

@@digital_aloha Umm i not sure how to give you error information to you as well. So.. sending file to iphone is okay.. but when i try to turn on VPN server, then i cant use it. Like loading going 1minute.. it say there is error to connect server.. i cant get any information about error..

@@digital_aloha oh yes i’m living in China.. but i’m Korean and i need VPN server to use internet..i’m use my friend’s VPN server. So is there are problem to make VPN server in China??😢

Hi Andrej, I just ran through setting up OpenVPN on a new Synology NAS and didn't see the need to setup a username and password on the OpenVPN site. There was another comment regarding setting up a username and password, so maybe I'm missing something? If you could point out were in the process the username and password is needed that would be great!! I'd love to get further details and maybe I can create an updated video if there is a need for more accurate instructions.

Glad the video was helpful, although it seems like you ran into an issue I've never experienced before. I don't know how to resolve your specific issue, but I can give you another way to download the openvpn.zip file that you are having problems retrieving.
It does deal with the command line and SSH so hopefully you are comfortable with that. Have a look at my SSH video -> ua-cam.com/video/t213x-sne6A/v-deo.html and pretty much just turn on the SSH service (the first minute of the video) and you'll be set. At this point you'll need to open up a terminal (I'm on a mac) and first I ran "cd Downloads" to change to the Downloads directory. Next I issued the following command:
dsadmin@192.168.81.15:/volume1/@appstore/VPNCenter/etc/openvpn/keys/openvpn.zip .
where
dsadmin is the administrator account on my Synology NAS (your's is probably different)
192.168.81.15 is the IP address of my Synology NAS
/volume1/@appstore/VPNCenter/etc/openvpn/keys/openvpn.zip is the path and openvpn.zip file you need to setup your OpenVPN clients
After the path and openvpn.zip file include a space and a . which means download the file to the current directory.
At this point you should be able to unzip the openvpn.zip file and go through the client setup process.
Hope this helps and good luck to you!!

@@digital_aloha Thanks for taking the time to respond and help. Unfortunately that isn't working for me! In facts it's telling me that the directory doesn't exist. Honestly I'm pulling my hair out now!

Sorry that didn't help. I'm wondering if uninstalling and reinstalling the VPN Server package may help. Maybe there was an issue with the initial install? Also confirm that your Synology NAS model is compatible with VPN Server - www.synology.com/en-us/dsm/packages/VPNCenter. Hope you can get things resolved!!

@@itsThemuRR i have this problem too :c