Setting up a VPN


GiGo

Hey all, I'm hoping someone can help me. I've Googled, I've watched YouTube videos, I've read many posts, articles etc.... but my mind is mush and incapable of processing the required knowledge of how to set up a VPN on a Synology NAS and how it all works. So I'm hoping the kind helpful people of the Emby community would be able to offer some assistance.

I'm wanting to use the VPN Server app by Synology via OpenVPN. I'm struggling with how it actually works..... If I enable the VPN, copy the IP address etc... to the ovpn file but then I'm confused.

I'm on a dynamic VPN, so my IP address changes, will I need to change the ovpn file each time?

I'm also wanting to be able to access my NAS via the DDNS (servername.synology.me) and of course be able to use Emby remotely.

At the moment I'm working remotely so I'm guessing setting up the VPN is harder (or impossible). Really just wanting the VPN setup so any traffic from my NAS is private. The articles I've read say I need to use a VPN app to connect to my NAS afterwards, or it's the way I've interpreted it which gets me even more confused 🤔

So what do I need to do to get my NAS private and me to be able to connect via the DDNS, really hoping someone can give me a fairly plain English answer.

TIA 👍


RobsterUK

I have got a VPN server setup and use the OpenVPN Windows & Android client to connect to my NAS.

First thing first, have you set up a DDNS account? I have a couple set up in Control Panel > External Access > DDNS.

Once you have installed the VPN Server app on the Synology, you need to enable it and configure the OpenVPN section.
Once you have configured the internal DHCP scope, port and encryption settings (I use AES-256-CBC), you need to export the configuration:
[screenshot]

This will create a zip folder to download & use for the Open VPN client for Windows or Android.

The zip folder contains:
[screenshot]

The README.txt informs you where to put the file. But in Windows it is to the installation folder of the OpenVPN client

C:\Program Files\OpenVPN\config

The .ovpn file needs to be edited with a text editor. The first entry in the ovpn file is 'remote'; leave a space and enter your registered DDNS host name, followed by the port number:
[screenshot]

In this example the default synology VPN port of 1194 is specified.
This port will need forwarding from your router to your NAS.

The account you attempt to authenticate with needs to be granted permission to do so from the Privilege section:
[screenshot]

Post back if you get stuck on anything!

 

 

 


1 hour ago, RobsterUK said:

Post back if you get stuck on anything!

Thanks mate, that is extremely helpful! Thank you!

Just so I am completely clear, I can use the current registered DDNS address I have, 'servername'.synology.me, insert that into where I would put the IP address (in the ovpn file) and it will enable external access that DSM 'binds' to my IP address whenever it changes?

 

So because you are incredibly kind and helpful, can you answer me four other questions please :)

1) To be able to connect to my NAS remotely I have to use the OpenVPN client? I'm a little confused as to why I need to

2) Can I set this up remotely? (not on the local network till Sunday)

3) By doing the above process does it make the traffic from my NAS private?

4) Do I need to use a VPN app to connect to Emby on each device I use? Currently I use half a dozen or so devices to connect to it remotely; if that is the case I assume I'll have to pay for OpenVPN client usage as it's limited to two devices for free?

Thanks for your help @RobsterUK it's amazing that people are willing to help :) 


RobsterUK

If you have already got a DDNS host name registered with 'servername'.synology.me then yes that is what you can use to populate the ovpn file.

In answer to your questions:
1. You don't have to use a VPN to connect to your NAS. If you set it up to only allow https access it secures access using the built in SSL certificates to the Synology web gui on port 5001. But the more services you wish to allow access to you will have to do port forwarding on your router for each port rule you need.

2. Yes you can do it remotely if you have done the port forwarding rule to allow http access on port 5000 to your NAS (or 5001 for https). Depends if you can access your router externally or not.

3. Using a VPN and only allowing the VPN port through router does mean that traffic is encrypted. But so is access using an SSL certificate.

4. You would need to use a VPN app on each client device to access Emby through the VPN.
Or, alternatively you can secure Emby using a free SSL certificate (you do have to renew the cert every 90 days). This guide outlines how to do it. Then you can just use your DDNS name and the Emby secure port 8920 (again needs forwarding through your router) in the Emby client apps for secure access. Only thing is that your DDNS host needs to allow you to create TXT entries, which is why I have created a host name with dynu.com as it provides this function. I'm not sure the synology.me service will allow you to do this.

Sounds like the SSL certificate is the way for you to go to be honest.
Good luck!


30 minutes ago, RobsterUK said:

 

Sounds like the SSL certificate is the way for you to go to be honest.
Good luck!

Thanks once again and more mushy brained questions, really really appreciate it.

 

1. You don't have to use a VPN to connect to your NAS. If you set it up to only allow https access it secures access using the built in SSL certificates to the Synology web gui on port 5001. But the more services you wish to allow access to you will have to do port forwarding on your router for each port rule you need.

To double check with you, so no VPN client app needed for port 5000/5001 (ports are already forwarded) and I can access it just like I do in my web browser

2. Yes you can do it remotely if you have done the port forwarding rule to allow http access on port 5000 to your NAS (or 5001 for https). Depends if you can access your router externally or not.

Yes, my TP-Link P9 allows me to setup port forwarding remotely, very useful thing to have :) 

3. Using a VPN and only allowing the VPN port through router does mean that traffic is encrypted. But so is access using an SSL certificate.

Sorry I'm confused by this, everything in and out from my NAS; file transfers, Emby streaming, torrents etc....  is all encrypted YES? I assume setting up SSL Certificate doesn't make data in and out private, only data going out?

4. You would need to use a VPN app on each client device to access Emby through the VPN.
Or, alternatively you can secure Emby using a free SSL certificate (you do have to renew the cert every 90 days). This guide outlines how to do it. Then you can just use your DDNS name and the Emby secure port 8920 (again needs forwarding through your router) in the Emby client apps for secure access. Only thing is that your DDNS host needs to allow you to create TXT entries, which is why I have created a host name with dynu.com as it provides this function. I'm not sure the synology.me service will allow you to do this.

OK, so if I use 'emby connect' to connect each device I do require clients to access Emby from outside my network, this is my stumbling block, I would prefer not to have to do that. Can't I use servername.synology.me:8096 from my browser (with port forwarding) to access Emby as I do with 5000/5001? I would have thought Emby Connect would 'know' the route to the server and give me access, but then I have no idea how it all works 😵

 

I assume that there is no way just to create a VPN just for Download Station and not worry about anything else?

Again thank you so much for all your help!


RobsterUK

To access NAS if 5000 & 5001 are forwarded in your router you can access NAS from anywhere using any web browser & the DDNS name you have.

Setting up a VPN does not encrypt all traffic. Using torrents is not encrypted by this kind of VPN. You only asked about access from an external source to your internal NAS.
This type of connection only encrypts traffic going back & forth from your external device through the VPN client and to your NAS.

Setting up a VPN for torrents to go through is different procedure and more complex. It would change your external access to the NAS.

Yes: You can use servername.synology.me:8096 from web browser or Emby App on external device. But 8096 is http port in Emby, so traffic is not encrypted.
Use https port of 8920 but you need SSL certificate to encrypt traffic.

Hope that helps.

 


1 hour ago, RobsterUK said:

To access NAS if 5000 & 5001 are forwarded in your router you can access NAS from anywhere using any web browser & the DDNS name you have.

Setting up a VPN does not encrypt all traffic. Using torrents is not encrypted by this kind of VPN. You only asked about access from an external source to your internal NAS.
This type of connection only encrypts traffic going back & forth from your external device through the VPN client and to your NAS.

Setting up a VPN for torrents to go through is different procedure and more complex. It would change your external access to the NAS.

Yes: You can use servername.synology.me:8096 from web browser or Emby App on external device. But 8096 is http port in Emby, so traffic is not encrypted.
Use https port of 8920 but you need SSL certificate to encrypt traffic.

Hope that helps.

 

No I'm even more confused 🥴 I'll send you a PM.


To secure all your connections you can redirect all the traffic through port 443, which is the default HTTPS port for all the internet. For the traffic to be very secure you have to add a certificate; Synology has a Let's Encrypt service that auto-renews the certificate.

So, if you want to access your NAS securely and your ISP changes your IP every day, you'll need

  • a faster DDNS than the Synology embedded DDNS; the synology.me domain is fine, but very slow
  • a certificate

If you want to access Emby remotely you can use the secure port 8920, but you have to manually import your certificate to the Emby server. That's true for all web services, but you can use 1 port and 1 certificate for all. I wrote a guide here.

It's not simple because you have to deal with huge internet and security concepts, so do it slowly to understand all the steps. If it's too complicated for you, you can open port 8096 on your router, which is the non-secure HTTP port to Emby; it's like you let your home door wide open while you are here or not.

Note that I remember that Emby Connect does not encrypt the video stream, so the Emby Connect service connection is secure but not the link to your home.

The simplest is also your VPN. As @RobsterUK says, a VPN is used to connect yourself to your home, so it's like YOU are at home, no more no less. So if you have a torrent client on your PC, it's just that your traffic will be redirected to your home, so your torrent client will have your home IP, just that (if you activate the redirect-gateway def1 option).

 

  • By default this option is not activated, so ONLY the traffic to your NAS will pass through the VPN; internet goes through your local internet connection

[image: OpenVPN tunnel, client to site]

  • With the redirect option, all traffic goes to your remote home (location B), internet included

[image: infographic of how a VPN works]

In your VPN server settings, change some basic security options to add a more secure cipher like this

[screenshot]

In my configuration I allow VPN users to access all my local network, not only my NAS.

 

Edited by yarez0
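
The `remote` edit RobsterUK describes and the redirect-gateway behaviour yarez0 describes can both be read straight out of a client profile; the following is an added example, not code from any post in this thread. The profile text is constructed (it is not Synology's exported file), the hostname is the placeholder used in the thread, and `parse_ovpn` and `review_profile` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample client profile (not the file Synology exports).
SAMPLE_OVPN = """\
dev tun
proto udp
remote servername.synology.me 1194
# redirect-gateway def1
cipher AES-256-CBC
auth-user-pass
"""

WEAK_64BIT = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}  # 64-bit block ciphers
HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)

def parse_ovpn(text):
    """Active directives as {name: [args, ...]}; skips comments and inline <ca>-style blocks."""
    out, in_block = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("<"):
            in_block = not line.startswith("</")
        elif line and line[0] not in "#;" and not in_block:
            name, *args = line.split()
            out.setdefault(name, []).append(args)
    return out

def review_profile(text):
    """Summarise where the client dials, what is tunnelled, and any findings."""
    d, findings, remotes = parse_ovpn(text), [], []
    for args in d.get("remote", []):
        host = args[0] if args else ""
        port = args[1] if len(args) > 1 else "1194"  # OpenVPN's default port
        remotes.append((host, port))
        try:
            ipaddress.ip_address(host)
            findings.append(f"remote {host}: literal IP, goes stale when a dynamic IP changes")
        except ValueError:
            if not HOSTNAME.match(host):
                findings.append(f"remote {host}: not a valid DNS name (unedited placeholder?)")
    if not remotes:
        findings.append("no remote directive: the client has no server to dial")
    for args in d.get("cipher", []):
        if args and args[0].upper() in WEAK_64BIT:
            findings.append(f"cipher {args[0]}: 64-bit block cipher")
    # Any active redirect-gateway line sends internet traffic through the tunnel too.
    full = bool(d.get("redirect-gateway"))
    return {"remotes": remotes, "tunnel": "full" if full else "split", "findings": findings}
```

A server can also push redirect-gateway to clients, so a "split" result describes only what the client file itself requests.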

@yarez0 thank you for the detail

1 hour ago, cayars said:

@GiGo

Just curious, but what is your motivation to setup a VPN server in your LAN?

@cayars I wanted a VPN to secure any downloads I do, nothing more. My original question was very much flawed; with the help and advice I have been given I have a solution to my problem now, so will work on it when I get back to my local network 👍
