How to: Setup a secure OpenVPN connection on a Synology NAS

The following tutorial describes in simple steps the process to setup a secure VPN connection from your Synology NAS device using the OpenVPN protocol. There are other protocols and connection methods available but OpenVPN is widely considered more secure than PPTP or L2TP/IPSec and as such comes highly recommended if you want to try this yourself. Most VPN providers allow you to connect via either method.

If your plan to access your Synology Diskstation remotely or run any kind of web hosting services you will need a dedicated IP address with a full open port which you can then point at your domain or DDNS service. I won’t cover how to do this in this article but i do recommend thinking about this before you sign up to a VPN service as most do not offer a dedicated IP with a full open port which you may later find you need.

The steps below apply to DSM versions 4 and above. I have tested using version 4 (build 2265) and 5 (build 4528). I have also tested on DSM running from a Virtual Machine and XPEnology. The OpenVPN service used was from Private Internet Access (PIA).

Step 1: Sign up and create an account with any OpenVPN service provider and make note of the VPN server hostname or IP address, username and password. Please note that some VPN services require you to generate a seperate PPTP/L2TP/SOCKS username and password, which is likely to be different from the login credentials used on the desktop client. This is usally achieved via the control panel on the VPN providers website. While the username and password for the desktop client may work to establish a connection, it won’t allow any inbound network traffic.

Step 2: Download the OpenVPN configuration files which will include the connection certificate authority (.CA). You should of received these when you signed up, usually sent as a link in the welcome e-mail. Check the VPN provider support website if you can’t find them. Failing that download the Windows/Mac client installer, run the installer on another machine and search the installation directory for the .crt file.

Step 3: Login to Disk Station Manager (DSM) and navigate to Control Panel > VPN (DSM 4.0)



Control Panel > Network > Network Interface (DSM 5.0+)



Step 4: Create a new VPN profile by clicking the ‘Create’ button (select from drop down box if using DSM 5.0+)

Step 5: Select ‘OpenVPN’, click Next


Step 6: Enter a profile name (tip: Put the VPN Server country in the profile name so it’s easy to switch profiles when you need to access geographic restricted services) and the account details you made note of in Step 1. Click ‘Browse’ or ‘Choose File’ and navigate to the directory where you saved the connection certificate authority in Step 2. Check the details carefully to ensure they match what the VPN service provider gave you and click next.


Step 7: Setup advanced connection settings. The following options should be enabled:

A: Route all client traffic through the VPN Server (DSM 4.0) or Use default gateway on remote network (DSM 5.0+). Enable this option to route all the network traffic from the Synology NAS to the VPN server.

B: Reconnect when the VPN connection is lost (DSM 5.0+). If the VPN connection is unexpectedly lost, the system will attempt to re-establish the connection. It will attempt five times, once every 30 seconds, before it fails.

Click apply to save the new VPN connection.

Step 8: Connect to your new VPN Profile and test the connection. Navigate to the Network Interface – VPN window, as shown in step 3, select the profile you just created and click connect. If successful you should see the connection status change to connected and the VPN IP address in the details underneath. Ensure you see data being transmitted and recieved, if you don’t see any data recieved check you have the correct PPTP/L2TP/SOCKS username and password (see Step 1).

If you followed these steps and established a connection you can now be confident your Synology device is secure from prying eyes. If however you got this far and haven’t established a connection then we need to check the firewall router is allowing pass through traffic and not preventing the VPN from punching a hole through the firewall. This may mean changing how aggressive your firewall settings are. You may also need to forward the listening UDP port from your gateway router to your Diskstation. OpenVPN default ports are TCP 443, TCP 943, UDP 1194.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s