Setting up an OpenVPN server with Synology and Viscosity

Virtual Private Networks (VPNs) can be utilized for a number of very useful applications. You can securely connect to any public WiFi hotspot. You can overcome geo-blocking restrictions on your favourite websites. And you can even connect to your home or office network from anywhere in the world, as if you were sitting right at your desk. This guide will walk you through the process of setting up your own OpenVPN server, and connecting to it with your copy of Viscosity.

Running your own OpenVPN server will allow you to encrypt everything you do on the internet, so that you can safely do your online banking on the free WiFi at your favourite cafe. Anything you send over the VPN connection will be encrypted from your device until it reaches your OpenVPN server at home. Setting up your OpenVPN server to access your home or office network gives you full access to all your files on your network.

This guide will walk you through the steps involved in setting up an OpenVPN server on a Synology Network Attached Storage (NAS) device. The server allows you to securely access both your file server and your home/office network from a remote location, and optionally to send all of your network traffic through it so you can access the internet securely as well.

Preparation

For this guide, we assume:

  • You have already installed the latest version of Synology DiskStation Manager (6.0 at time of writing)
  • You have admin access to this installation
  • You are connected with your client device to the Synology server via its LAN interface during this guide
  • You already have a copy of Viscosity installed on your client device

If you need a copy of DiskStation Manager, information can be found at https://www.synology.com/en-us/wheretobuy/. We won't be covering the details of setting up a Synology instance, as many guides can be found online. Regardless of the version of Synology you are running, it's very likely that many or even all of the steps outlined in this guide will still apply. If you are looking to set up an OpenVPN server on a different operating system, please check out our other guides.

If you don't have a copy of Viscosity already installed on your computer, then please check out this setup guide for installing Viscosity (Mac | Windows).

Please be aware that we cannot provide any direct support for setting up your own OpenVPN server. We provide this guide as a courtesy to help you get started with, and make the most of, your copy of Viscosity. We've thoroughly tested the steps in this guide to ensure that, if you follow the instructions detailed below, you should be well on your way to enjoying the benefits of running your own OpenVPN server.

Getting Started

On your client device, connected to the LAN interface of the Synology server, open a web browser and navigate to the IP address of your Synology server (on port 5000). The URL should look something like: http://192.168.0.x:5000 (assuming your LAN subnet is in the range 192.168.0.0/24). Now log in to the web interface of your Synology server with the admin account.

First, we need to install the VPN Server package. Click on the Package Center icon on the desktop. Search for 'VPN Server' and install the package.



Firewall Setup

The next step will be to enable the firewall to permit VPN traffic. If you already have your firewall set up, make sure to add a rule to allow our OpenVPN traffic. However, if this is just a simple standalone Synology server, the firewall settings below should be enough to get your OpenVPN server up and running.

  1. Open the Control Panel by clicking the 'Control Panel' icon on the desktop and click the Advanced Mode in the top right corner of the Control Panel to show all the options.
  2. Click the Security icon and then click on the Firewall tab at the top.
  3. Check the 'Enable firewall' box
  4. In the Firewall Profile section, click on the Firewall Profile dropdown menu and click the + button to create a new profile.
  5. Name this profile 'OpenVPN rules' and press OK.
  6. Select the 'OpenVPN rules' from the Firewall Profile dropdown menu and click the Select button.
  7. Click the Edit Rules button to start creating rules.



LAN Settings

First, we need to allow our client device to maintain access to the server:

  1. On the top right, click on the dropdown menu and select the LAN interface through which your client device is connected to the Synology server.
  2. Click the Create button.
  3. In the Ports section, click the 'Select from a list of built-in applications' option and click the Select button.
  4. Find the two 'Management UI' options on ports 5000 and 5001 and check the boxes to enable them.
  5. Click OK.


  6. In the Source IP section, click the 'Specific IP' option and click Select.
  7. Click the 'Subnet' option and enter the subnet of your LAN connection (something like: IP address = 192.168.0.0 and subnet mask = 255.255.255.0).
  8. Click OK.
  9. Leave the Action section option as 'Allow' and click the OK button to create the rule.

To protect your Synology server from unwanted traffic, set the default rule to 'Deny access' at the bottom of the window. To save these changes, click the OK button at the bottom. You should be notified that the settings have been saved successfully.

WAN Settings

To allow VPN traffic over the WAN interface:

  1. Reopen the 'OpenVPN rules' by clicking the Edit Rules button.
  2. Click on the dropdown menu on the top right to change to the WAN interface.
  3. Click the Create button.
  4. In the Ports section, click the 'Select from a list of built-in applications' option and click the Select button.
  5. Find the option 'VPN Server (OpenVPN)' on port 1194 and check the box to enable.
  6. Click OK.
  7. In the Source IP section, leave the option set as 'All'.
  8. Leave the Action section option as 'Allow'.
  9. Click the OK button to create the rule.

To protect your Synology server from unwanted traffic, set the default rule to 'Deny access' at the bottom of the window. To save these changes, click the OK button at the bottom. You should be notified that the settings have been saved successfully.

If you have other services running on your Synology server, then you need to make sure that you allow their traffic through the firewall as well. Make sure to add any rules for any other ports your Synology server is listening on (such as a Plex media server or maybe your own email server).
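
The effect of the finished profile can be checked with a small model. This is an added example, not Synology code: it assumes a rule matches on interface, protocol, destination port and source address, that port 1194 is UDP (as in the router port-forwarding rule later in this guide), and it uses constructed sample connections.

```python
from ipaddress import ip_address, ip_network

# Simplified model of the 'OpenVPN rules' profile (illustration only).
# 192.168.0.0/24 is the guide's example LAN subnet.
PROFILE = {
    "LAN": [{"proto": "tcp", "ports": {5000, 5001},
             "src": ip_network("192.168.0.0/24")}],  # Management UI, LAN subnet only
    "WAN": [{"proto": "udp", "ports": {1194},
             "src": ip_network("0.0.0.0/0")}],       # VPN Server (OpenVPN), source 'All'
}

def decide(iface, proto, dport, src):
    """Return 'allow' if an Allow rule on this interface matches, else the default 'deny'."""
    for rule in PROFILE.get(iface, []):
        if (proto == rule["proto"] and dport in rule["ports"]
                and ip_address(src) in rule["src"]):
            return "allow"
    return "deny"  # default rule set to 'Deny access'

# Constructed sample connections (203.0.113.7 is a documentation address).
SAMPLES = [
    ("LAN", "tcp", 5000, "192.168.0.23", "management UI from the LAN"),
    ("WAN", "udp", 1194, "203.0.113.7", "OpenVPN from the internet"),
    ("WAN", "tcp", 5001, "203.0.113.7", "management UI from the internet"),
    ("LAN", "tcp", 5000, "192.168.1.50", "management UI from another subnet"),
    ("LAN", "tcp", 445, "192.168.0.23", "SMB file sharing from the LAN"),
]

def report():
    """Evaluate every sample and return (description, decision) pairs."""
    return [(desc, decide(i, p, port, src)) for i, p, port, src, desc in SAMPLES]

if __name__ == "__main__":
    for desc, verdict in report():
        print(f"{verdict:5}  {desc}")
```

The SMB line is the case the paragraph above describes: once the default is 'Deny access', every other service needs its own Allow rule.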

OpenVPN Server Setup

Open the VPN Server by clicking on the 'Main Menu' icon in the top left and clicking the 'VPN Server' icon. By default, the OpenVPN server is disabled.

To enable the OpenVPN server:

  1. From the VPN Server Overview page, click on 'OpenVPN' in the Settings section on the left.
  2. Check the box for the Enable OpenVPN server option.
  3. Check the box for the Allow clients to access server's LAN.
  4. You don't need to modify any of the other OpenVPN server settings, so click the Apply button to start up the OpenVPN server. You will be reminded to check the port forwarding and firewall settings.



Before doing anything else, click the Export configuration button to download the necessary information for your client to connect to this server. This should download the file openvpn.zip which we will use later in the guide.

DNS Server Setup

If you are planning on encrypting all network traffic through your VPN server, then it is recommended to install and set up the DNS Server package.

Click on the Package Center icon on the desktop. Search for 'DNS Server' and install the package. You may have a Firewall Notification pop up to ask if you want to permit DNS traffic through the firewall. Go ahead and click OK.

Open the DNS Server by clicking on the Main Menu icon in the top left of the desktop and clicking on the DNS Server icon. Click on the Resolution section to the left. Check the 'Enable resolution services' box to activate the DNS server. With the 'Enable forwarders' box checked, set the Forwarder 1 address to 8.8.8.8 and Forwarder 2 to 8.8.4.4. We are using the Google DNS servers (you are free to use your DNS resolution service of choice). When done, click the Apply button to save these changes.



Router Setup

If your Synology server is directly accessible from the internet, then you can skip this section. However, if your Synology server is behind a router (such as on your home WiFi), then you will need to configure your router to permit encrypted VPN connections to the server. Due to the many different models of router and network configurations, we cannot provide a step-by-step guide on how to set up your router to allow VPN traffic. However, there are a few settings you are likely to need to change, so we will outline them here.

As the router will be directing all traffic to and from your OpenVPN server, you will need to set up port forwarding so that the OpenVPN server is externally accessible. Port forwarding may be under the section in your router management interface named 'Virtual Servers'. In general, you will want to forward any traffic incoming to the router on the OpenVPN port (1194). You will need to set up a rule to send any UDP traffic on this port to the local IP address of your OpenVPN server (which is probably something in the range 192.168.0.x).

If you have set up port forwarding please also make a note of your external WAN IP address. This is the IP address assigned to your router by your Internet Service Provider (ISP). This address will be needed when configuring your connection in Viscosity below.

Viscosity Setup

The interfaces provided by the Mac and Windows versions of Viscosity are intentionally very similar. As such, we will focus our guide on the Mac version, pointing out any differences with the Windows version as they arise.

If you do not have Viscosity already running, start Viscosity now. In the Mac version you will see the Viscosity icon appear in the menu bar. In the Windows version you will see the Viscosity icon appear in the system tray.

Extract the openvpn.zip file you downloaded previously from your Synology server and find the ca.crt file inside. We will be using this file shortly. Click the Viscosity icon in the menu bar (Windows: system tray) and select 'Preferences...':

Mac


Windows


This shows you the list of available VPN connections. We assume you recently installed Viscosity, so this list should be empty. Click on the '+' button and select 'New Connection':

Configuring the Connection

You will now need to set the connection parameters as outlined below:

  1. In the General tab, replace the connection name with your desired name for the connection, for example "DemoConnection".
  2. Replace the "Address" field with the IP address needed to connect to the server. If the Synology server is directly reachable from the internet this will be its IP address. If the server is behind a router and port-forwarding has been set up this should be the external IP address of your router (please see the section above).


  3. Click the Authentication tab. Check the "Use Username/Password authentication" option.
  4. Click the Select ... button next to the CA option. Find the ca.crt file we extracted from the openvpn.zip file earlier and select it.


  5. Click on the Options tab and change the LZO Compression to "On (Adaptive)". This will reduce the bandwidth used by your VPN connection.


  6. Click on the Networking tab and enter "10.8.0.1" into the "Servers" field in the DNS Settings section.


  7. Click the Save button to save your changes.

(Optional) Allowing Access to the Internet

By default, the VPN connection will allow access to the file server and other computers on the home/office (LAN) network. However, if you also wish to have all internet traffic sent through the VPN connection, it's necessary to make a final edit to the connection:

  1. Double-click on your connection in the Viscosity Preferences window to open the connection editor
  2. Click on the Networking tab.
  3. Tick the "Send all traffic over VPN connection" option. It is not necessary to enter a Default Gateway.
  4. Click the Save button.
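
The connection settings from the two sections above correspond to standard OpenVPN client directives. The following added example (not part of the original guide and not Viscosity's own code) writes them out as a constructed profile and checks it for the mistakes most likely to matter: a missing CA, a LAN address in the server field, and a full tunnel with no VPN DNS server. The address 203.0.113.10 is a placeholder for your external IP.

```python
import ipaddress

# Constructed profile: the guide's settings expressed as OpenVPN directives.
GUIDE_PROFILE = """\
client
dev tun
proto udp
remote 203.0.113.10 1194
auth-user-pass
ca ca.crt
comp-lzo adaptive
dhcp-option DNS 10.8.0.1
redirect-gateway def1
"""

# RFC 1918 ranges, i.e. addresses that only exist inside a LAN.
LAN_RANGES = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(text):
    """Map each directive to a list of its argument lists; '#' and ';' start comments."""
    directives = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0][0] not in "#;":
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives

def audit(text):
    """Return a list of findings; an empty list means the profile matches the guide."""
    d, findings = parse(text), []
    if "ca" not in d:
        findings.append("no ca: the server certificate cannot be verified")
    if "auth-user-pass" not in d:
        findings.append("no auth-user-pass: no username/password will be requested")
    for args in d.get("remote", []):
        try:
            addr = ipaddress.ip_address(args[0]) if args else None
        except ValueError:
            addr = None  # a hostname rather than an IP literal
        if addr and any(addr in net for net in LAN_RANGES):
            findings.append(f"remote {addr} is a LAN address: only reachable from inside the LAN")
    has_vpn_dns = any(a[:1] == ["DNS"] for a in d.get("dhcp-option", []))
    if "redirect-gateway" in d and not has_vpn_dns:
        findings.append("redirect-gateway without dhcp-option DNS: lookups may bypass the VPN")
    return findings
```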

Connecting and Using Your VPN Connection

You are now ready to connect. Click on the Viscosity icon in the menu bar (Windows: system tray) and select 'Connect DemoConnection'. You will be asked to enter your Synology username and password. That's it, you should see a notification that you're now connected!

To check that the VPN is up and running, you can use the Viscosity details window. Click the Viscosity menu bar (Windows: system tray) icon and select 'Details...'. This will bring up the details window.



This window will show you the traffic passing through the VPN connection. Attempt to connect to a service you have running on your Synology server (such as a Plex media player). You should see a spike in the graph.

Accessing Your NAS

Once connected to your VPN, you can access your files or other services by using the LAN IP address you would use if you were connected to them via your home/office local network.

Mac

To connect to a shared network directory from your Mac connected to the VPN:

  1. Open a Finder window
  2. Click Go on the menu bar and select "Connect to Server..."


  3. In the Server Address, type the LAN IP address of your network resource (something like 192.168.0.x) and click Connect.
  4. Enter the username and password for the network resource
  5. Select the shared volume you want to access and click OK

Network resources you would normally find appearing in the Finder sidebar will not appear when connected via the VPN. You can find connected network resources in the Computer directory. In a Finder window, press ⌘ + Shift + C to jump to the Computer directory.

Windows

To connect to a shared network directory from your PC connected to the VPN:

  1. Type the \\lan-ip-address into the Search the web and Windows box in the taskbar and press Enter (something like \\192.168.0.x)


  2. Enter the username and password for the network resource
  3. You will then see the folders shared by this host

Accessing Computers on Your Home or Office Network

Other computers on the home or office network can be accessed by repeating the steps in 'Accessing Your NAS', replacing the IP address with the internal LAN IP address of your networked host.


That's it, you've set up your very own OpenVPN server. Congratulations, you are now free to enjoy the benefits of operating your own OpenVPN server!