How to Setup a Synology NAS Part 35: Installing and Configuring L2TP/IPSec on VPN Server

With our Synology NAS now remotely accessible, we take a look at an alternative method for securely connecting to our home network. So in this video we demonstrate how to install and configure Synology’s VPN Server package.

Quick reference notes:

  • Log into Disk Station Manager (DSM) with administrator privileges
  • Open Package Centre and install VPN Server onto your Synology NAS

Notes: If you enabled the Firewall on your NAS, during the installation process you will be prompted to open the Ports that VPN Server will need to use. For now simply select OK, as you will be looking at the Firewall later.

  • Now, open VPN Server from within the Main Menu
  • Under Manage VPN Server select General Settings
  • Remove the tick from Grant VPN Permission to newly added local users
  • Select Apply
  • Locate and select Privilege
  • Remove the ticks next to any users who you do not wish to give VPN access. As we are only installing L2TP/IPSec VPN, do not place ticks in the PPTP and OpenVPN columns.

Note: As PPTP is not a very secure VPN protocol, we recommend that you do not use it. Both OpenVPN and L2TP/IPSec should work well; however, until we have VPN Server working correctly, we recommend that you do not enable more than one VPN protocol. It’s better to get one protocol working before attempting to activate and configure a second. So we start with L2TP/IPSec, as both Windows and macOS have built-in VPN clients that work well with this protocol.

  • Select L2TP/IPSec from under Setup VPN Server
  • Check the tick box Enable L2TP/IPSec VPN server
  • Leave Dynamic IP address with its default setting
  • Select the Maximum connection number from the drop down menu
  • Change the Maximum number of connections with same account to 1
  • Authentication needs to remain set as MS-CHAP v2
  • MTU can remain set to 1400
  • Leave the checkbox for Use Manual DNS unchecked
  • Set your Pre-shared key
  • Choose Apply

Notes: VPN Server has now been configured and is running. However, if you enabled the Firewall on your NAS, you will also need to check that the correct ports are open.

  • From the DSM desktop open Control Panel
  • Within Control Panel select Security – Firewall
  • Under Firewall Profile choose Edit Rules
  • You should find a new VPN Server rule listed. Make sure that this rule is above the Deny All rule
  • Highlight the VPN Server rule and select Edit
  • Choose Select next to Select from a list of built in applications
  • Scroll through the list of rules to locate the VPN server rules.
  • Remove the ticks from VPN Server Ports 1723 and VPN Server Ports 1194
  • Click OK, OK, OK to save the changes to the Firewall

Notes: We now need to update the Port Forwarding rules on our router. If your router is not compatible with your Synology NAS you will have to manually configure the Port Forwarding rules on your router.

  • Still in Control Panel, open External Access – Router Configuration
  • Now select Create – Built-in Application
  • When you select Next, you will be presented with a list of built-in applications
  • Scroll through the list to locate the 4 VPN Server options
  • Tick the check boxes next to VPN Server UDP 1701, 500 and 4500
  • Select Apply
  • Save your changes
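
One way to confirm the result from the command line, added here as an example and not part of the original video notes: this Python script parses `netstat -tuln` style output and reports whether the three L2TP/IPSec UDP ports are listening and whether 1723 (PPTP) or 1194 (OpenVPN's default) are still open. The sample output is constructed, and capturing netstat output from the NAS over SSH is an assumption.

```python
import re

# Ports named in the notes above: L2TP/IPSec needs UDP 1701, 500 and 4500.
REQUIRED = {("udp", 500), ("udp", 1701), ("udp", 4500)}
# Ports unticked in the firewall rule above: 1723 (PPTP) and 1194 (OpenVPN).
UNWANTED_PORTS = {1723, 1194}

# Constructed sample of `netstat -tuln` output (not captured from a real NAS).
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5001            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1723            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:500             0.0.0.0:*
udp6       0      0 :::1701                 :::*
"""

# proto, Recv-Q, Send-Q, then local address split into host and port.
LINE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_listeners(text):
    """Return {(proto, port)} for every non-loopback listening socket."""
    found = set()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header lines and anything that is not tcp/udp
        proto, addr, port = m.group(1), m.group(2), int(m.group(3))
        if addr.startswith("127.") or addr == "::1":
            continue  # loopback-only sockets are not reachable from outside
        found.add((proto, port))
    return found


def audit(text):
    """Return (missing L2TP/IPSec ports, listeners on unwanted VPN ports)."""
    listeners = parse_listeners(text)
    missing = sorted(REQUIRED - listeners)
    unwanted = sorted(l for l in listeners if l[1] in UNWANTED_PORTS)
    return missing, unwanted


if __name__ == "__main__":
    missing, unwanted = audit(SAMPLE)
    print("missing L2TP/IPSec listeners:", missing)
    print("unexpected PPTP/OpenVPN listeners:", unwanted)
```

A listening socket only shows that a service is running on the NAS; the firewall and router port forwarding rules still decide what is reachable from outside.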
