You can easily arrange a VPN server on your nas

It is very convenient to be able to reach your home network from anywhere outside your home, for example with your smartphone: to operate IoT devices, view images from an IP camera or bypass regional blocks. By setting up a VPN server you get secure access to your whole home network in one go. A nas is usually powerful enough to serve as a VPN server, especially if you don’t need the highest speed. In this article we show you how to set it up and use it in combination with a smartphone.

If you have all kinds of useful applications running at home, sooner or later you will want to reach them on the go from a smartphone, tablet or laptop. Think of home automation with Home Assistant or Domoticz, media streaming with Plex or Emby, download servers or simply access to personal files. You can arrange this per application, usually by forwarding a few ports, but each such opening carries risk: many applications contain vulnerabilities or do not use encrypted connections.

You can solve these problems with a single well-secured VPN connection. The VPN connection adds an extra layer of protection on top of the security of the applications themselves. You can also use all applications exactly as you are used to at home, without having to adjust their configuration. This also applies to applications that you should normally never expose to the internet, such as network file access (see box “Access files via the internet”). We show you how to achieve this with a vpn server on a Synology or QNAP nas.

Access files via the Internet

Your nas is probably the central storage point in your network. The smb protocol is used to access files from a Windows PC. The first version (smb 1.0) in particular is very unsafe: a vulnerability in it was exploited in the large-scale WannaCry ransomware attack, for example. In Windows 10 it is now disabled by default, and many providers block TCP port 445, which is used for SMB traffic. In the later versions 2.0 and 3.0 security was further improved, including the addition of encryption, so in principle it should now be possible to use it securely over an internet connection.

Microsoft does the same for shared folders in its Azure Files service. Still, it is unusual and we do not recommend it. That is not just a matter of trust. Many networks contain older, vulnerable devices. Even on a recent Synology nas, smb 3.0 appears to be disabled by default. You may also run into port blocking by providers such as Ziggo. Furthermore, performance over internet connections is often disappointing. Above all, you remain exposed to vulnerabilities, and this concerns your most critical data. To access the files on your network, we recommend a VPN connection or an alternative such as cloud storage.

With a Synology nas, smb 3.0 is often still disabled by default.

01 Why a nas?

You may already have devices on your network that can act as a VPN server, such as a router. Don’t expect miracles in terms of performance, though, and OpenVPN is not always supported. Running your own server is a nice option, but not within everyone’s reach. If you have a nas, it is a good candidate, with extra processing power and great ease of use. Both Synology and QNAP support use as a VPN server out of the box, with relatively simple configuration. If your model has a processor that supports the AES-NI instruction set, you benefit from significantly higher performance.

You can also influence performance through the encryption algorithm and key size. In this basic course we choose a safe compromise, enough for a handful of connections. True top speeds may remain out of reach, but that is not a problem for most applications, and there are always other limiting factors, such as your internet connection.

02 Install the application

Synology’s VPN Server supports PPTP, OpenVPN and L2TP/IPsec. Only the last two are of interest. You can optionally set up both, but in this basic course we limit ourselves to OpenVPN. It offers good performance and good security, with a lot of freedom in configuration. To install it, go to Package Center, search for VPN Server and install the application. On a QNAP nas you open App Center and look for QVPN Service in the Utilities section. In addition to the protocols above, this application also supports the QBelt protocol developed by QNAP itself. You can also use the QNAP application as a VPN client by adding profiles, if the nas has to connect to an external VPN server. That is also possible with Synology; you will find the option under Network in the Control Panel.

02 The VPN server can be installed as a separate application on Synology and QNAP.

03 Configuration at Synology

Open VPN Server and click OpenVPN under the heading Set up VPN Server. Check the box Enable OpenVPN server. Adjust the configuration to your preference, such as the protocol (udp or tcp), the port and the encryption (see box “Protocol, port and encryption for OpenVPN”). A secure option is suggested: AES-CBC with a 256-bit key and SHA512 for verification. Take care, because the list also contains unsafe choices. With the option Allow clients to access server’s LAN you make sure that you can also reach other devices on the same network as the nas from your vpn connection. If you leave this off, you can only use the nas and the applications on it, which can sometimes be enough.

We prefer to turn off the option Enable compression on the VPN link. Its added value is limited and it is not without risk, because compression over the encrypted link has been the basis for several vulnerabilities. Finally click Apply, followed by Export configuration, to download the zip package with which you will set up the connection later. Under Overview you can see that OpenVPN is enabled. Do you use the firewall on your nas? Then go to Control Panel / Security / Firewall and add a rule that allows traffic for the vpn server.

03 Configuring an OpenVPN server on a Synology nas.

04 Configuration at QNAP

On a QNAP nas, open QVPN Service and choose OpenVPN under VPN Server. Check the box Enable OpenVPN server and adjust the configuration to your preference. As with Synology, you can freely set the protocol and port. For encryption AES is used, with a 128-bit (default) or 256-bit key. We turn off the option Enable compressed VPN connection. Then click Apply. After that you can download the OpenVPN profile, which also contains the certificate. We will use this later under Android. Under Overview you can see whether the vpn server is running, along with other details such as connected users.

04 The configuration of a VPN server with OpenVPN on a QNAP nas.

Protocol, port and encryption for OpenVPN

OpenVPN is flexible to configure. For starters, both udp and tcp can be used as the transport protocol, with udp preferred because it works more efficiently and faster. The flow-control behaviour of tcp tends to work against you rather than for you with traffic over a VPN tunnel. You can also choose practically any port; for udp the standard is port 1194. Unfortunately, companies often block this and other ports for outgoing traffic. “Normal” website traffic over TCP ports 80 (http) and 443 (https), however, is almost always allowed. You can make smart use of this.

If you choose the tcp protocol with port 443 for the OpenVPN connection, you can connect through almost any firewall and proxy server, at the cost of some speed. If you have the luxury, you could set up two VPN servers, one on udp/1194 and a second on tcp/443. Regarding encryption, AES-CBC is the most common choice, with AES-GCM as an emerging alternative. A 256-bit key is the norm, but a 128- or 192-bit key is also very safe: for the foreseeable future, a (well-chosen) 128-bit key is practically impossible to crack. A longer key therefore adds little in terms of protection, but it does cost more computing power.

05 Make user accounts suitable

A user account is also required to log in to the VPN server. This is a normal user account on the nas with the right to use the vpn server. On Synology, all users may use the VPN server by default. Adjust this to your preference by going to Privilege in VPN Server. On QNAP you go to Privilege settings in QVPN Service. Here you manually add the desired VPN users from the local users on the nas.

05 Access to the vpn server requires an account on the nas.

06 Post-process OpenVPN profile

You need to go through the OpenVPN profile in a text editor and adjust it where necessary. On Synology, extract the zip file (openvpn.zip) to a folder, after which you can open the file VPNConfig.ovpn in your text editor. Here you will find the line remote YOUR_SERVER_IP 1194 and, a little further on, proto udp. These indicate which port number (1194) and protocol (udp) must be used when setting up the connection. In place of YOUR_SERVER_IP, enter the IP address of your internet connection at home; on QNAP this is already filled in by default.

Does your internet provider give your home connection a dynamic, and therefore changing, IP address instead of a fixed one? Then a dynamic dns service (ddns) is a good alternative. You can simply set this up on your nas (see box “Dynamic dns service on your nas”) and then enter the host name in place of the IP address in the profile (this does not happen automatically). On Synology, dynamic dns is extra handy because you can use the server certificate created for it to set up the connection, which solves a certificate problem.

06 Manually edit the OpenVPN profile with a text editor.

Dynamic DNS service on your nas

With a dynamic dns service (ddns), your IP address is tracked and passed on to an external server, which ensures that the chosen host name always points to the correct IP address. You can simply run this on your nas. On Synology you will find it under Control Panel / Remote Access. The easiest way is to choose Synology as the (free) service provider, with a host name and domain name of your choice (we choose groensyn154.synology.me), as long as the combination is still available. You can also set a custom ddns provider. On QNAP you go to Control Panel / Network and Virtual Switch. Under the heading Access services you will find the option DDNS. You can set up a custom ddns provider, but you can also configure and use QNAP’s own myQNAPcloud service. A wizard guides you through the settings. At the end you can choose which services should be set up; for security reasons, you could limit that to DDNS alone.

With dynamic dns, your vpn server is always available via a fixed host name.

07 Adding certificates

On QNAP, authentication when logging in to the vpn server is based only on username and password. On Synology you also need two client certificate files to avoid connection errors, which is of course also a lot safer. You can add them manually in the app, but also (as we do here) in the OpenVPN profile. We use the ddns certificate (in our example the one belonging to groensyn154.synology.me) for this. Go to Control Panel / Security. Click Configure and make sure this certificate is selected next to VPN Server. Close the window with Cancel. Right-click the certificate and choose Export certificate.

Extract the zip file. Open the OpenVPN profile in a text editor. At the bottom you see a block with the content of ca.crt. Below that, add a block into which you paste the content of cert.pem. Then add another block with the content of privkey.pem. This profile lets you set up a connection in combination with the user account on your nas.

07 For Synology, you need to add two client certificates to the OpenVPN profile.

08 Other configuration options

You can set more options to your preference. The first depends on what you want to use the connection for. Do you only want to use the VPN connection to reach your home network remotely? On Synology you must then make sure that the line redirect-gateway def1 in your profile is preceded by a hash sign (#), so that it is treated as a comment. If you remove the hash sign, all traffic, including for example the regular websites you visit, passes through the VPN tunnel. On QNAP this is a server setting, so it does not affect the profile. You set it in QVPN Service with the option Use this connection as the default gateway for external devices. If you turn it on, all traffic from the VPN client goes through the VPN tunnel. Do you want to check that? Then visit https://whatismyipaddress.com with a browser. If it shows the public IP address of your home internet connection, you know that the traffic is going through the tunnel.
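As an added example (not code from this article, nor from Synology or QNAP), the following Python script performs the profile edits from steps 06 to 08 in one go and then checks the result for the settings the text advises against. It uses OpenVPN’s inline <cert> and <key> blocks for the two certificate files; the sample profile, the cert.pem and privkey.pem contents and the certificate placeholder are constructed, and the host name is the one from the ddns box.

```python
# Example code added here (not Synology's or QNAP's tooling): post-process an
# exported OpenVPN client profile as in steps 06-08, then audit it for weak settings.
SAMPLE_PROFILE = """\
remote YOUR_SERVER_IP 1194
proto udp
cipher AES-256-CBC
auth SHA512
comp-lzo
redirect-gateway def1
<ca>
CONSTRUCTED-CA-CERTIFICATE-PLACEHOLDER
</ca>
"""  # constructed sample, not a real export

def postprocess(profile, server, cert_pem=None, key_pem=None, lan_only=True):
    out = []
    for line in profile.splitlines():
        if line.startswith("remote "):               # step 06: home IP address or ddns host name
            line = f"remote {server} {line.split()[2]}"
        if lan_only and line.strip() == "redirect-gateway def1":
            line = "#" + line                        # step 08: only home-network traffic via the tunnel
        if line.strip() == "comp-lzo":
            continue                                 # compression off, as advised in steps 03/04
        out.append(line)
    if cert_pem:                                     # step 07: content of cert.pem
        out += ["<cert>", cert_pem.strip(), "</cert>"]
    if key_pem:                                      # step 07: content of privkey.pem
        out += ["<key>", key_pem.strip(), "</key>"]
    return "\n".join(out) + "\n"

def audit(profile):
    d, inside_block = {}, False
    for line in profile.splitlines():
        s = line.strip()
        if s.startswith("<"):                        # enter or leave an inline <ca>/<cert>/<key> block
            inside_block = not s.startswith("</")
            continue
        if inside_block or not s or s.startswith("#"):
            continue
        key, _, value = s.partition(" ")
        d[key] = value
    checks = [
        ("comp-lzo" in d or "compress" in d, "compression enabled"),
        (not d.get("cipher", "").upper().startswith("AES-"), "cipher is not AES"),
        (d.get("auth", "sha1").lower() in {"md5", "sha1", "none"}, "weak auth digest"),
        ("YOUR_SERVER_IP" in d.get("remote", ""), "remote placeholder not replaced"),
    ]
    return [msg for bad, msg in checks if bad]
```

Run audit() on the exported file before and after editing; an empty list means the profile is ready to copy to the phone.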

09 Forward ports in the router

In this basic course we set the vpn server to the udp protocol on port 1194, and that is also the only traffic you need to forward from your router to your nas with a port-forwarding rule. It is advisable to first give the nas a fixed IP address in your network. How you add such a rule differs per router, but the rule itself is simple: the incoming traffic uses the udp protocol on port 1194; for the destination, enter the IP address of your nas, again with port 1194.

10 Access from smartphone

It is only a small step to use the VPN connection from a smartphone. Make sure you are on an external network (such as the mobile network) and not on your own WiFi network, so that you really connect from outside. As indicated, we use the official OpenVPN Connect app, which you can download from the Google Play Store or the iOS App Store. You can connect an Android smartphone to the PC and copy the OpenVPN profile to the Download folder, then import the profile in the app via Import Profile / File. With an iPhone you can use iTunes, or email the OpenVPN profile to yourself and open it in the OpenVPN app.

Enter the username and password associated with your account on the nas. Now you can connect by tapping the profile. After this you have access to your nas and the home network to which your nas is connected.

10 On the smartphone, it is sufficient to import the OpenVPN profile.

Limitations when using ipv6

In this article we assume that your vpn server uses an ipv4 address and not ipv6. In some situations this is a problem. For example, internet providers such as Ziggo sometimes no longer give customers a public ipv4 address. In that case your VPN server can only receive incoming connections via ipv6. And that is a problem again if you want to connect from your smartphone on a mobile network, because ipv6 is only sparingly offered on mobile connections.
