VPN Server/Client strategy on DS423+

I’m preparing the setup of my DS423+ and have been learning about security and the VPN topic.

My needs:

  • Remote Access to my NAS
  • Protect traffic from my ISP (mainly for some of the arrs)

From what I understand, I need to set up a VPN server for the remote access part and I need a VPN client to protect the traffic from my ISP.

What I’m not sure I understand is whether or when it’s preferable to have the VPN server on the router vs on the NAS, and the same for the VPN client.

I’ve been reading about gluetun, which could be installed as a Docker container and accepts many different VPN providers. What do you guys think about this solution?

Pros and cons of having VPN on the router vs on the NAS?

Also, regarding my needs, which VPN provider would you recommend?

EDIT: I forgot to talk about performance, I’m not sure if this will affect my bandwidth or not? I assume if it’s configured properly it should be minimal?

Considering Security & Performance:

  • Router VPN: Simpler but might impact performance (performance not compromised in most cases).
  • NAS VPN: More secure (some say) and flexible, potentially slightly more complex setup.

While Synology offers OpenVPN (known for its ease of use), L2TP/IPsec is another option. Here’s a comparison to help you choose:

  • L2TP/IPsec: Widely supported by devices without extra software/VPN client apps, but setup might have more steps.
  • OpenVPN: Considered more secure due to frequent updates, but some/most devices will require a separate VPN client app.

Setting Up L2TP/IPsec VPN:

  1. Open DSM/SRM and enable VPN Plus Server.
  2. In the left panel, click L2TP/IPsec and check “Enable L2TP/IPsec VPN server.”
  3. Create a strong “Preshared Key” (password) for authentication.
  4. Set Client User Permissions: In the left panel of VPN Plus Server (VPN Plus Server > Permission > Services)

Advanced settings (optional):

  • Define allowed access range for connected devices within your network.
  • Adjust MTU (consult your ISP for recommended size, e.g. 1360 for my mobile ISP. Default of 1400 stops the internet connection on my phone when connected to the VPN).

Save your configuration and connect to the VPN:

  • On your client device, go to VPN settings (Network/Connections).
  • Select L2TP/IPsec and enter details:
    • Server Address: Your Synology Router’s DDNS hostname or public IP.
    • Preshared Key: The one you created in step 3.
    • Username and Password: Your Synology NAS credentials.

For detailed OpenVPN setup, refer to this video guide: https://youtu.be/vBXlZf7gSwc?si=v5WHYjiSBCq92A0X

Alternative: Gluetun in Docker

  • Lightweight, offers access to various VPN providers.
  • More involved setup, ensure proper security configuration.

Personal Note:
For remote access to my NAS (DS918+) I utilize L2TP/IPsec “VPN Plus Server” setup on my router (Synology rt2600ac) with automatic IP blocking and account blocking, along with geo-IP filtering. Fortunately, despite seeing a high volume of connection attempts (+3000/day) on my router over the past five+ years (running L2TP/IPsec VPN 24/7), I haven’t detected any hacks on the accounts of my rt2600ac router or NAS directly.

Hope it helps 🙂

The easiest way is to install the Tailscale package from the Package Center, and use the Tailscale clients / Apps on my devices.

It installs a WireGuard VPN connection “for IT dummies”.

An alternative would be a WireGuard server installed on your router. This already requires more technical insight, so for noobs Tailscale is the best option.

Thanks for the reply!

I think I will start with OpenVPN and maybe switch later to L2TP/IPsec if I see I have the need for it.

For detailed OpenVPN setup, refer to this video guide: https://youtu.be/vBXlZf7gSwc?si=v5WHYjiSBCq92A0X

Yes, I already saw his videos. Great content; I learned a lot thanks to him and definitely plan to follow this tutorial when setting it up.

Alternative: Gluetun in Docker

Lightweight, offers access to various VPN providers.

More involved setup, ensure proper security configuration.

From my understanding, Gluetun serves a different purpose: it is a VPN client that will hide the traffic of the container you choose to put behind it.

See here: https://www.youtube.com/watch?v=9dJPOd0XbN8

That’s why I wanted to combine OpenVPN as the VPN server on the NAS and have Gluetun with an OpenVPN client as a Docker container in my Docker stack.
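
The split described in this post, sketched as a Compose file. This is an added example, not part of the original thread: the provider name, credentials, host paths, port 8080 and the choice of the qBittorrent image are assumptions to be replaced with your own values.

```yaml
# Constructed example: Gluetun as the VPN client, with one container behind it.
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN                    # required to create the tunnel and firewall rules
    devices:
      - /dev/net/tun:/dev/net/tun    # TUN device must exist on the host
    environment:
      - VPN_SERVICE_PROVIDER=your-provider   # placeholder
      - VPN_TYPE=openvpn
      - OPENVPN_USER=changeme                # placeholder
      - OPENVPN_PASSWORD=changeme            # placeholder
    ports:
      # A container that shares Gluetun's network namespace cannot publish
      # ports itself, so the torrent client's web UI is published here.
      - 8080:8080
    restart: unless-stopped

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent
    container_name: qbittorrent
    # Share Gluetun's network stack: this container has no interface of its
    # own, so its traffic can only leave through the VPN tunnel.
    network_mode: "service:gluetun"
    depends_on:
      - gluetun
    environment:
      - WEBUI_PORT=8080
    volumes:
      - ./qbittorrent/config:/config     # placeholder host paths
      - ./downloads:/downloads
    restart: unless-stopped
```

Only the containers given `network_mode: "service:gluetun"` use the tunnel; the rest of the NAS, including an OpenVPN server used for remote access, keeps using the normal connection. If the Gluetun container stops, the attached container loses connectivity instead of falling back to the ISP link.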

You’re welcome.

If I may ask, is it for a specific purpose or application you’re setting this configuration up for? I’ve never set up a VPN in the way you’re describing and I’m curious what real-life application it could serve me if I wanted to try it also.

As explained in my original post, I want to be able to remotely access my NAS and hide traffic from my ISP for some Docker containers (i.e. my torrent client).