It is very handy to be able to access your home network from anywhere outside your home with, for example, your smartphone. For example, to operate IoT devices, view images from the IP camera or circumvent regional blocks. By setting up a VPN server, you are safely on your home network in one action. A NAS is usually powerful enough for use as a VPN server, especially if you don't need the highest speed. In this article we show you how to set it up and use it in combination with a smartphone.
If you have all kinds of beautiful applications running at home, sooner or later you will also want to access them from your smartphone, tablet or laptop while on the road. Think, for example, of home automation with Home Assistant or Domoticz, media streaming with Plex or Emby, the use of download servers or simply access to personal files. You can arrange that per application, often by forwarding a few ports, but such backdoors are not without risks. For example, many applications contain vulnerabilities or do not use encrypted connections.
You can solve such problems with one well-secured VPN connection. The VPN connection actually provides an extra layer of protection on top of the security of the applications themselves. You can also immediately use all applications as you are used to at home and without adjusting their configuration. This also applies to applications that you should normally not use via the internet, such as network file access (see box 'Access files via the internet'). We'll show you how to achieve this with a VPN server on a Synology or QNAP NAS.
Access files over the Internet
Your NAS is probably the central storage point in your network. The smb protocol is used to access files from a Windows PC. Especially the first version (smb 1.0) is very unsafe. For example, a vulnerability was at the root of a major attack by WannaCry ransomware. In Windows 10 it is now disabled by default and many providers block the tcp port 445 used for smb traffic. should be able to use an internet connection.
Microsoft itself also does this for shared folders of the Azure Files service. Still, it's unusual and we don't recommend it. That's not just a trust issue. Many networks run older, vulnerable devices. Even on a recent Synology NAS, smb 3.0 appears to be disabled by default. The port blocking with providers such as Ziggo can also bother you. Furthermore, the performance via internet connections is often disappointing. Above all, you remain vulnerable to vulnerabilities, while it still concerns your most critical data. To access your files in the network, we recommend a VPN connection or alternatives such as cloud storage.
01 Why a nose?
You may already have some devices in your network that you can use as a VPN server, such as a router. You should not expect miracles in terms of performance and OpenVPN is not always supported. Your own server is a nice option, but that is not within everyone's reach. If you have a NAS, that is also an option, with extra processing power and a lot of ease of use. Both Synology and QNAP support setting up as VPN server by default with relatively easy configuration. If you have a model with a processor that supports the AES-NI instruction set, you will benefit from significantly higher performance.
You can also influence the performance with the encryption algorithm and the key size. In this basic course we choose a safe compromise, enough for a handful of connections. True top speeds may be out of reach, but that's not a problem for most applications, and there are always other limiting factors, such as your internet connection.
02 Install the application
Synology's VPN server supports PPTP, OpenVPN and L2TP/IPSec. Only the last two are interesting. You can optionally set up both, but in this basic course we limit ourselves to OpenVPN. It offers good performance and good safety, with a lot of freedom in configuration. To install it go to Package Center. Search VPN Server and install the application. At QNAP you open App Center and looking for you QVPN Service on in the section Utilities. In addition to the above protocols, this application also supports QBelt protocol developed by QNAP itself. You can also use the QNAP application as a VPN client by adding profiles, if the NAS needs to use an external VPN server. This is also possible at Synology, you will find the option under Network in the Control Panel.
03 Configuration at Synology
Open VPN Server and tap under the heading VPN Server Setup on OpenVPN. Put a check in Enable OpenVPN server. Adjust the configuration to your preference, such as protocol (udp or tcp), port and encryption (see box 'Protocol, port and encryption for OpenVPN'). A secure option is suggested: AES-CBC with a 256bit key and SHA512 for authentication. Be careful, because there are also unsafe choices in the list. With the option Allow clients to access the LAN server make sure that you can also access other devices on the same network as the NAS from your VPN connection. If you fail to do this, you will only be able to use the nas and the applications on that nas, which can sometimes be enough.
The option Enable compression on the VPN link we prefer to turn it off. The added value is limited and it is not without risks due to some vulnerabilities. Finally click To apply followed by Export configuration to retrieve the zip package with which you will set up the connection later. Under Overview you will see that OpenVPN is enabled. Are you using the firewall on your NAS? Then go to Control Panel / Security / Firewall and add a rule that allows traffic for the vpn server.
04 Configuration at QNAP
Open the application on a QNAP NAS QVPN Service and choose below VPN server the option OpenVPN. Put a check in Enable OpenVPN server and adjust the configuration to your preference. Just like with Synology, you can freely set the protocol and port. By default, AES is used for encryption with either a 128-bit (default) or 256-bit key. The option Enable compressed VPN connection we turn off. Then click To apply. After this you can download the OpenVPN profile, which also contains the certificate. We will use this under Android. below Overview you can see if the vpn server is running with also other details like connected users.
Protocol, Port and Encryption for OpenVPN
OpenVPN is flexible to configure. For starters, both udp and tcp can be used as protocols, with udp being preferred because it is more efficient and faster. The 'regulatory' nature of the TCP protocol works against rather than cooperates with traffic over a VPN tunnel. Furthermore, you can choose practically any port. For udp, the default port is 1194. Unfortunately, companies often close these and other ports for outgoing traffic. However, 'normal' website traffic via the tcp ports 80 (http) and 443 (https) is almost always possible. You can make smart use of this.
If you choose the tcp protocol with port 443 for the OpenVPN connection, you can connect through almost any firewall and proxy server, but with a loss of speed. If you have the luxury, you could set up two VPN servers, one with udp/1194 and a second with tcp/443. In terms of encryption, AES-CBC is the most common with AES-GCM as an emerging alternative. A 256-bit key is the norm, but a 128 or 192-bit key is also very secure. Until the distant future, it will be virtually impossible to crack a (well-chosen) 128-bit key. An even longer key therefore adds little in terms of protection, but does cost more computing power.
05 Enable user accounts
A user account is also required to log in to the vpn server. That is an ordinary user account on the nas with the correct permissions to use the vpn server. By default, Synology allows all users to use the VPN server. Adjust this to your preference by entering VPN Server nasty rights to go. At QNAP you enter QVPN Service nasty Privilege Settings. Here you add the desired vpn users manually from the local users on the nas.
06 Edit OpenVPN profile
You have to go through the OpenVPN profile in a text editor and make adjustments where necessary. At Synology you extract the zip file (openvpn.zip) into a folder and then you can save the file VPNConfig.ovpn can open in your text editor. Here you will find the line remote YOUR_SERVER_IP 1194 and a little further prototype udp. This indicates which port number (1194) and protocol (udp) must be used when setting up the connection. In the place of YOUR_SERVER_IP enter the IP address of your internet connection at home, with QNAP this is already filled in by default.
Do you not receive a fixed IP address from your internet provider for the internet connection at home, but a dynamic and therefore varying IP address? Then a dynamic-dns service (ddns) is a good alternative. You can simply set it up on your nas (see box 'Dynamic dns service on your nas') and then enter the address instead of the IP address in the profile (this does not happen automatically). With Synology, dynamic dns is extra useful, because you can then use the created server certificate to set up the connection, to solve a certificate problem.
Dynamic dns service on your nas
With a dynamic-dns service (ddns), your IP address is kept and passed on to an external server, which ensures that the chosen host name is always linked to the correct IP address. You can just run this on your nas. At Synology you will find it under Control Panel / Remote Access. The easiest is to choose Synology as a (free) service provider with an available hostname and domain name (we choose greensyn154.synology.me), as long as the combination is available. Optionally, you can also set up a custom ddns provider. At QNAP you go to Control Panel / Network and Virtual Switch. Under the heading Access Services do you find the option DDNS. You can set up a custom ddns provider, as well as configure and use QNAP's myQNAPcloud service itself. A wizard guides you through the settings. At the end you can choose which services should be set up. For security reasons you could limit that by only DDNS to choose.
07 Add Certificates
With QNAP, authentication when logging into the VPN server is based on username and password only. With Synology you also need two client certificates to prevent connection errors, which is of course also a lot more secure. You can add them manually in the app, but also (as we do here) include them in the OpenVPN profile. We use the ddns certificate (in our example belonging to greensyn154.synology.me) for the two certificates. Go to Control Panel / Security. Tap on Configure and make sure this certificate is selected behind VPN Server. Close the window with Cancel. Right click on the certificate and choose Export Certificate.
Extract the zip file. Open the OpenVPN profile in a text editor. At the bottom you see a blockwith the contents of approx.crt. Below that you add a block in which you enter the contents of cert.pem sets. Then add another block with the contents of privkey.pem. With this profile you can set up a connection in combination with the user account on your NAS.
08 Other configuration options
You can set more options according to your preference. The first depends on your purpose of use. Do you only want to use the VPN connection to access your home network remotely? At Synology you then have to make sure that before the line redirect gateway def1 in your profile a bracket (#) so that it is treated as a comment. If you remove the parenthesis, all traffic will go through the VPN tunnel, even for regular websites that you visit, for example. With QNAP, this is a server setting, so it doesn't affect the profile. You set it QVPN Service with the option Use this connection as the default gateway for external devices. If you turn it on, all traffic from the VPN client will go through the VPN tunnel. Do you want to check that? Then visit http://whatismyipaddress.com using a browser. If your public IP address (of your internet connection) is listed here, you know that the traffic is going through the tunnel.
09 Port forwarding in the router
In this basic course we have set the udp protocol on port 1194 for the vpn server and that is also the only traffic you need to forward from your router to your nas with a portforwarding rule. It is advisable to first give the NAS a fixed IP address in your network. The way you add such a rule differs per router. The rule itself is simple. The incoming traffic uses the udp protocol and the port is 1194. As destination you enter the ip address of your nas and the port is also 1194 now.
10 Access from smartphone
It is only a small step to use the VPN connection from a smartphone. Make sure you are on an external network (such as the mobile network) and not on your own WiFi network, so that you actually make a connection from outside. As indicated, we use the official OpenVPN Connect app that you can download from the Google Play Store or iOS App Store. You can connect an Android smartphone to the PC, after which you can copy the OpenVPN profile to the Download folder. Then import the profile with the app via Import Profile / File. With an iPhone, you can use iTunes, or email the OpenVPN profile to yourself and open it in the OpenVPN app.
Enter the username and password associated with your account on the NAS. Now you can connect by tapping the profile. After this you have access to your NAS and the home network to which your NAS is connected.
Restrictions when using ipv6
In this article we assume that you use an ipv4 address for your vpn server and not ipv6. In some situations this is a problem. For example, internet providers such as Ziggo sometimes no longer give customers a public IPv4 address. In such a case, you can only receive incoming connections to your VPN server via ipv6. And that is another problem if you want to connect to your smartphone from a mobile network, because ipv6 is only offered sparingly on mobile connections.
