Setting up an OpenVPN server with Synology and Viscosity
Virtual Private Networks (VPNs) can be utilized for a number of very useful applications. You can securely connect to any public WiFi hotspot. You can overcome geo-blocking restrictions on your favourite websites. And you can even connect to your home or office network from anywhere in the world, as if you were sitting right at your desk. This guide will walk you through the process of setting up your own OpenVPN server, and connecting to it with your copy of Viscosity.
Running your own OpenVPN server will allow you to encrypt everything you do on the internet, so that you can safely do your online banking on the free WiFi at your favourite cafe. Anything you send over the VPN connection will be encrypted from your device until it reaches your OpenVPN server at home. Setting up your OpenVPN server to access your home or office network gives you full access to all your files on your network.
This guide will walk you through the steps involved in setting up an OpenVPN server on a Synology Network Attached Storage (NAS) device that allows you to securely access both your file server and your home/office network from a remote location and optionally send all of your network traffic through it so you can access the internet securely as well.
Preparation
For this guide, we assume:
- You have already installed the latest version of Synology DiskStation Manager (6.2 at time of writing)
- You have admin access to this installation
- You are connected with your client device to the Synology server via its LAN interface during this guide
- You already have a copy of Viscosity installed on your client device
- You are using at least version 1.3.9 of the VPN Server package.
If you need a copy of DiskStation Manager, information can be found at https://www.synology.com/en-us/wheretobuy/. We won't be covering the details of setting up a Synology instance; many guides can be found online. Regardless of the version of Synology you are running, it's very likely that many or even all of the steps outlined in this guide will still apply. If you are looking to set up an OpenVPN server on a different operating system, please check out our other guides.
If you don't have a copy of Viscosity already installed on your computer, then please check out this setup guide for installing Viscosity (Mac | Windows).
Support
Please be aware that we cannot provide any direct support for setting up your own OpenVPN server. We provide this guide as a courtesy to help you get started with, and make the most of, your copy of Viscosity. We've thoroughly tested the steps in this guide to ensure that, if you follow the instructions detailed below, you should be well on your way to enjoying the benefits of running your own OpenVPN server.
For further information or help with Synology Diskstation and the VPN package, there are several communities recommended by Synology at https://www.synology.com/en-global/su.../community
Getting Started
On your client device, connected to the LAN interface of the Synology server, open a web browser and navigate to the IP address of your Synology server (on port 5000). The URL should look something like: http://192.168.0.x:5000 (assuming your LAN subnet is in the range 192.168.0.0/24). Now log in to the web interface of your Synology server with the admin account.
First, we need to install the VPN Server package. Click on the Package Center icon on the desktop. Search for 'VPN Server' and install the package.
Firewall Setup
The next step will be to enable the firewall to permit VPN traffic. If you already have your firewall set up, make sure to add a rule to allow our OpenVPN traffic. However, if this is just a simple standalone Synology server, the firewall settings below should be enough to get your OpenVPN server up and running.
- Open the Control Panel by clicking the 'Control Panel' icon on the desktop and click the Advanced Mode in the top right corner of the Control Panel to show all the options.
- Click the Security icon and then click on the Firewall tab at the top.
- Check the 'Enable firewall' box
- In the Firewall Profile section, click on the Firewall Profile dropdown menu and click the + button to create a new profile.
- Name this profile 'OpenVPN rules' and press OK.
- Select the 'OpenVPN rules' from the Firewall Profile dropdown menu and click the Select button.
- Click the Edit Rules button to start creating rules.
LAN Settings
First, we need to allow our client device to maintain access to the server:
- On the top right, click on the dropdown menu and select the LAN interface through which your client device is connected to the Synology server.
- Click the Create button.
- In the Ports section, click the 'Select from a list of built-in applications' option and click the Select button.
- Find the two 'Management UI' options on ports 5000 and 5001 and check the boxes to enable them.
- Click OK.
- In the Source IP section, click the 'Specific IP' option and click Select.
- Click the 'Subnet' option and enter the subnet of your LAN connection (something like: IP address = 192.168.0.0 and subnet mask = 255.255.255.0).
- Click OK.
- Leave the Action section option as 'Allow' and click the OK button to create the rule.
To protect your Synology server from unwanted traffic, set the default rule to 'Deny access' at the bottom of the window. To save these changes, click the OK button at the bottom. You should be notified that the settings have been saved successfully.
WAN Settings
If your Diskstation is connected directly to the internet and firewalled, you will need to allow VPN connections in. To allow VPN traffic over the WAN interface:
- Reopen the 'OpenVPN rules' by clicking the Edit Rules button.
- Click on the dropdown menu on the top right to change to the WAN interface.
- Click the Create button.
- In the Ports section, click the 'Select from a list of built-in applications' option and click the Select button.
- Find the option 'VPN Server (OpenVPN)' on port 1194 and check the box to enable.
- Click OK.
- In the Source IP section, leave the option set as 'All'.
- Leave the Action section option as 'Allow'.
- Click the OK button to create the rule.
To protect your Synology server from unwanted traffic, set the default rule to 'Deny access' at the bottom of the window. To save these changes, click the OK button at the bottom. You should be notified that the settings have been saved successfully.
If you have other services running on your Synology server, then you need to make sure that you allow their traffic through the firewall as well. Make sure to add any rules for any other ports your Synology server is listening on (such as a Plex media server or maybe your own email server).
OpenVPN Server Setup
If you haven't done so already, install the VPN Server package. Click on the Package Center icon on the desktop. Search for 'VPN Server' and install the package.
Create Certificate
Before enabling the OpenVPN server, we need to create a certificate to use for OpenVPN.
- Open Control Panel, click Advanced Mode at the top right if it's available
- Go to Security, then Certificate at the top
- Click Add
- Select Add a new certificate, click Next
- Enter 'VPN Server' as the Description, select Create self-signed certificate, click Next
- For Create root certificate, set the Common name to 'VPN Server', fill out the rest of the details, optionally change the Private key length to 4096, click Next
- For Create certificate, set the Common name to your server address, click Apply
- With the certificate we just created in the list now, click Configure at the top of the list, and set the Certificate for VPN Server to the certificate we just created, click OK.
Enable OpenVPN
Open the VPN Server by clicking on the 'Main Menu' icon in the top left and clicking the 'VPN Server' icon. By default, the OpenVPN server is disabled.
To enable the OpenVPN server:
- From the VPN Server Overview page, click on 'OpenVPN' in the Set up VPN Server section on the left.
- Check the box for the Enable OpenVPN server option.
- Uncheck the box Enable compression on the VPN link.
- Set the Encryption dropdown option to AES-256-CBC if it is not already.
- Set the Authentication dropdown to SHA512 if it is not already.
- Check the box for the 'Allow clients to access server's LAN' option if you would like this functionality.
- You don't need to modify any of the other OpenVPN server settings, so click the Apply button to start up the OpenVPN server. You will be reminded to check the port forwarding and firewall settings.
Before doing anything else, click the Export configuration button to download the necessary information for your client to connect to this server. This should download the file openvpn.zip which we will use later in the guide.
DNS Server Setup
If you are planning on encrypting all network traffic through your VPN server then it is recommended to install and setup the DNS Server package.
Click on the Package Center icon on the desktop. Search for 'DNS Server' and install the package. You may have a Firewall Notification pop up to ask if you want to permit DNS traffic through the firewall. Go ahead and click OK.
Open the DNS Server by clicking on the Main Menu icon in the top left of the desktop and clicking on the DNS Server icon. Click on the Resolution section to the left. Check the 'Enable resolution services' box to activate the DNS server. With the 'Enable forwarders' box checked, set the Forwarder 1 address to 8.8.8.8 and Forwarder 2 to 8.8.4.4. We are using the Google DNS servers (you are free to use your DNS resolution service of choice). When done, click the Apply button to save these changes.
Router Setup
If your Synology server is directly accessible from the internet, then you can skip this section. However, if your Synology server is behind a router (such as on your home WiFi), then you will need to configure your router to permit encrypted VPN connections to the server. Due to the many different models of router and network configurations, we cannot provide a step by step guide on how to set up your router to allow VPN traffic. However, there are a few settings you are likely to need to change, so we will outline them here.
As the router will be directing all traffic to and from your OpenVPN server, you will need to set up port forwarding so that the OpenVPN server is externally accessible. Port forwarding may be under the section in your router management interface named 'Virtual Servers'. In general, you will want to forward any traffic incoming to the router on the OpenVPN port (1194). You will need to set up a rule to send any UDP traffic on this port to the local IP address of your OpenVPN server (which is probably something in the range 192.168.0.x).
If you have set up port forwarding please also make a note of your external WAN IP address. This is the IP address assigned to your router by your Internet Service Provider (ISP). This address will be needed when configuring your connection in Viscosity below.
Viscosity Setup
If you do not have Viscosity already running, start Viscosity now. In the Mac version you will see the Viscosity icon appear in the menu bar. In the Windows version you will see the Viscosity icon appear in the system tray.
Extract the openvpn.zip file you downloaded previously from your Synology server and find the ca.crt file inside. We will be using this file shortly. Click the Viscosity icon in the menu bar (Windows: system tray) and select 'Preferences...'.
This shows you the list of available VPN connections. We assume you recently installed Viscosity, so this list should be empty. Click on the '+' button and select 'New Connection'.
Configuring the Connection
You will now need to set the connection parameters as outlined below:
- In the General tab, replace the connection name with your desired name for the connection, for example "DemoConnection".
- Replace the "Address" field with the IP address needed to connect to the server. If the Synology server is directly reachable from the internet this will be its IP address. If the server is behind a router and port-forwarding has been set up this should be the external IP address of your router (please see the section above).
- Click the Authentication tab. Check the "Use Username/Password authentication" option.
- Click the Select ... button next to the CA option. Find the ca.crt file we extracted from the openvpn.zip file earlier and select it.
- Click on the Options tab and set the Compression drop down to Off.
- Click on the Networking tab and enter "10.8.0.1" into the "Servers" field in the DNS Settings section.
- Click on the Advanced tab. Add the following lines:
cipher AES-256-CBC
auth SHA512
- Click the Save button to save your changes.
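The client settings above have to agree with what was chosen on the server (AES-256-CBC, SHA512, compression off, UDP port 1194, CA file plus username/password). The following check is an added example, not part of the original guide or of Synology's or Viscosity's tooling: a shell function that reads an OpenVPN client profile in plain-text form and reports each directive that disagrees with those settings. The function names, the sample profile and the host name vpn.example.net are constructed for illustration.

```shell
# Added example: audit_ovpn [FILE] prints one line per directive that differs
# from the settings chosen in this guide; exit status = number of mismatches.
audit_ovpn() {
    awk '
        { sub(/\r$/, "") }                        # tolerate CRLF line endings
        /^[ \t]*([#;]|$)/ { next }                # skip comments and blank lines
        $1 == "cipher" { cipher = toupper($2) }
        $1 == "auth"   { auth = toupper($2) }
        $1 == "proto"  { proto = $2 }
        $1 == "remote" { port = (NF >= 3 ? $3 : 1194) }
        $1 == "ca" || $1 == "<ca>" { ca = 1 }
        $1 == "auth-user-pass"     { userpass = 1 }
        # comp-lzo without "no", or compress with an algorithm, turns compression on
        $1 == "comp-lzo" && $2 != "no"        { comp = $0 }
        $1 == "compress" && $2 ~ /^(lzo|lz4)/ { comp = $0 }
        function bad(msg) { print "MISMATCH: " msg; n++ }
        END {
            if (cipher != "AES-256-CBC")  bad("cipher is " (cipher ? cipher : "unset") ", server uses AES-256-CBC")
            if (auth != "SHA512")         bad("auth is " (auth ? auth : "unset") ", server uses SHA512")
            if (comp)                     bad("compression enabled by \"" comp "\", server has it off")
            if (proto && proto !~ /^udp/) bad("proto is " proto ", guide forwards UDP")
            if (port && port != 1194)     bad("remote port is " port ", guide uses 1194")
            if (!ca)                      bad("no ca directive, server certificate cannot be verified")
            if (!userpass)                bad("auth-user-pass missing, server expects username/password")
            exit n + 0
        }
    ' "$@"
}

# Constructed sample profile (not a real export): compression is still on,
# the cipher differs from the server setting, and auth is not set at all.
sample_profile() {
    cat <<'EOF'
dev tun
tls-client
remote vpn.example.net 1194
proto udp
# redirect-gateway def1
comp-lzo
cipher AES-128-CBC
ca ca.crt
auth-user-pass
EOF
}

# Demo run on the constructed sample; reports three mismatches.
sample_profile | audit_ovpn || echo "mismatches found: $?"
```
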
(Optional) Allowing Access to the Internet
By default the VPN connection will allow access to the file server and other computers on the home/office (LAN) network. However, if you also wish to have all internet traffic sent through the VPN connection, it's necessary to make a final edit to the connection:
- Double-click on your connection in the Viscosity Preferences window to open the connection editor
- Click on the Networking tab.
- Click the "All Traffic" drop down and select the "Send all traffic over VPN connection" option. It is not necessary to enter a Default Gateway.
- Click the Save button.
Connecting and Using Your VPN Connection
You are now ready to connect. Click on the Viscosity icon in the macOS menu bar or Windows system tray to open the Viscosity Menu, select the connection you imported, and Viscosity will connect.
To check that the VPN is up and running, you can open the Details window from the Viscosity Menu. This will allow you to view connection details, traffic and the OpenVPN log.
That's it, you've set up your very own OpenVPN server. Congratulations, you are now free to enjoy the benefits of operating your own OpenVPN server!