OpenVPN Synology DSM 7 VPN Server

Run an OpenVPN server on a Synology NAS so external devices can securely reach internal resources. This note targets the DSM 7 VPN Server package (OpenVPN mode), from NAS-side setup through to client connection.
Every server address, port, account, and certificate value below is a placeholder. Replace them with your own. The OpenVPN tls-auth static key and the private keys are secrets: never publish them or commit them to version control. With the tls-auth key an attacker gets past the HMAC gate that otherwise drops unauthenticated packets before the TLS handshake; with a private key they can impersonate the server or a client.

Overview

OpenVPN is a TLS-based open-source VPN: cross-platform and highly configurable. Synology’s VPN Server package wraps the server side in a GUI, and the exported .ovpn bundles the certificates so the client just imports and connects. Two roles:
  • IT admin: build the server on the NAS, create accounts, set routing and the public address, export the config.
  • End user: receive the .ovpn plus credentials, import into OpenVPN Connect, connect.

NAS-side setup (IT admin)

1. Install and enable the VPN Server package

In DSM Package Center, install VPN Server and launch it. Open OpenVPN in the left menu and check “Enable OpenVPN server”.

2. Create a dedicated VPN account

In DSM Control Panel → User & Group, create a dedicated account (e.g. vpnuser):
  • Set a strong password (length ≥ 12, mixed case, digits, symbols) that is unique to this account and not reused from any other service
  • Under “Application permissions”, enable only what is needed (e.g. File Station / SMB)
Never grant the VPN account admin rights. Follow least privilege.

3. Tune the OpenVPN server settings

Adjust on the OpenVPN settings page:
Setting            | Suggested                     | Notes
Server port        | custom (default 1194)         | A non-standard port cuts scanner noise; it is not an access control
Protocol           | UDP                           | Better latency; switch to TCP for strict firewalls
Dynamic IP address | 10.8.0.0 (mask 255.255.255.0) | Virtual subnet for clients; pick one that overlaps neither the NAS LAN nor typical client home networks
Max connections    | 5–20                          | Adjust to need
Encryption         | AES-256-CBC / SHA256          | Default; if the package offers an AEAD cipher such as AES-256-GCM, prefer it
Enable “Allow clients to access server’s LAN” and “Push LAN routes to clients”. If you only need to reach the internal network, leave “Redirect all client traffic through the VPN” unchecked; with it checked the NAS becomes each client’s default gateway and carries all of its internet traffic.

4. Set VPN permissions

On the VPN Server “Privilege” page, set the target account’s OpenVPN column to “Allow”. In General settings, uncheck “Grant VPN privilege to newly added local users” and assign it manually per user instead.

5. Configure DDNS (recommended)

DSM Control Panel → External Access → DDNS: add Synology DDNS (hostname like your-nas.example.synology.me). The NAS keeps the DNS record pointed at the current external IP, so client configs survive IP changes. Without Synology DDNS, point a DNS A record (for example at Cloudflare) at the external IP and keep it current with an update script run from DSM Task Scheduler.
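The update script the paragraph above refers to, written out as an added example (it is not part of DSM or of Synology's DDNS client). It assumes a Cloudflare API token scoped to DNS edits on one zone, passed with the zone id and record name in the environment variables CF_API_TOKEN, CF_ZONE_ID and CF_RECORD_NAME, and a lookup URL (IP_LOOKUP_URL, assumed here to be api.ipify.org) that returns the caller's public address as plain text. The pure functions validate the looked-up address, decide whether the record actually changed, and build the update body; only main() talks to the network.

```python
"""Keep a Cloudflare A record pointed at the NAS's current external IP.

Added example; not Synology's code. Assumed: CF_API_TOKEN, CF_ZONE_ID and
CF_RECORD_NAME in the environment, and an IP lookup service returning the
caller's IPv4 address as plain text. Uses the Cloudflare v4 DNS-records
list (GET) and replace (PUT) endpoints.
"""
import ipaddress
import json
import os
import urllib.parse
import urllib.request

IP_LOOKUP_URL = "https://api.ipify.org?format=text"   # assumed lookup service
CF_API = "https://api.cloudflare.com/client/v4"

# Ranges that can never be the address clients connect to. 100.64.0.0/10 is
# carrier-grade NAT: a router WAN address in that range means no port forward
# on your side can ever work, and a lookup returning it is itself suspect.
NOT_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def parse_public_ip(body):
    """Validate the lookup response before it is written into DNS."""
    ip = ipaddress.ip_address(body.strip())
    if ip.version != 4 or any(ip in net for net in NOT_PUBLIC):
        raise ValueError(f"not a public IPv4 address: {body.strip()!r}")
    return str(ip)


def record_needs_update(records, ip):
    """Given the Cloudflare list result for the name, return the id of the
    A record to rewrite, or None when it already points at ip."""
    for rec in records:
        if rec.get("type") == "A":
            return None if rec.get("content") == ip else rec["id"]
    raise LookupError("no A record with that name; create it once by hand")


def build_update(name, ip):
    """Body for the PUT call. proxied stays False: Cloudflare's proxy only
    carries HTTP(S), so a proxied record would hide the NAS from OpenVPN."""
    return {"type": "A", "name": name, "content": ip, "ttl": 120, "proxied": False}


def cf_request(token, method, url, payload=None):
    """One authenticated call; raises on HTTP or API-level failure."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        body = json.load(resp)
    if not body.get("success"):
        raise RuntimeError(f"Cloudflare API error: {body.get('errors')}")
    return body["result"]


def main():
    token = os.environ["CF_API_TOKEN"]      # scope it to DNS:Edit on this zone only
    zone = os.environ["CF_ZONE_ID"]
    name = os.environ["CF_RECORD_NAME"]     # e.g. vpn.example.com
    with urllib.request.urlopen(IP_LOOKUP_URL, timeout=15) as resp:
        ip = parse_public_ip(resp.read().decode())
    base = f"{CF_API}/zones/{zone}/dns_records"
    records = cf_request(token, "GET", f"{base}?type=A&name={urllib.parse.quote(name)}")
    rec_id = record_needs_update(records, ip)
    if rec_id is None:
        print(f"{name} already points at {ip}")
        return
    cf_request(token, "PUT", f"{base}/{rec_id}", build_update(name, ip))
    print(f"{name} -> {ip}")


if __name__ == "__main__":
    main()
```

Schedule it every few minutes from DSM Task Scheduler under a non-admin user, keep the token in a file readable only by that user, and use a token that can edit DNS in that one zone and nothing else; the "already points at" path keeps the script from writing to the API on every run.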

6. Router port forwarding

Add a rule under the router’s Port Forwarding / Virtual Server:
Setting             | Value
External (WAN) port | custom (match the VPN Server port)
Internal IP         | NAS LAN IP (e.g. 192.168.x.x); give the NAS a fixed address or a DHCP reservation so the rule does not go stale
Internal port       | same as VPN Server
Protocol            | UDP (TCP if you chose TCP in step 3)
Double-NAT (ISP gateway + your own router): forward from the outer device to the inner router first, then from the inner router to the NAS, or external connections will not reach in.
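A way to check from outside (for example from a phone hotspot) whether the forwarding chain above actually delivers UDP to the NAS, as an added example that is not part of DSM. It sends the first packet an OpenVPN client would send (P_CONTROL_HARD_RESET_CLIENT_V2, no tls-auth) and accepts only a P_CONTROL_HARD_RESET_SERVER_V2 reply that echoes the probe's own session id. The only assumption is the public OpenVPN 2.x control-channel framing; the hostname and port are whatever you pass on the command line. One caveat matters for interpreting the result: a server with tls-auth or tls-crypt enabled silently drops this unauthenticated packet, so a timeout against such a server proves nothing, and the VPN Server log or a real client test is the check to use instead.

```python
"""Send one OpenVPN client hard-reset over UDP and see whether a server answers.

Added example, not Synology code. Assumes only the OpenVPN 2.x control-channel
framing: one opcode/key-id byte, an 8-byte session id, a packet-id ack array,
then the message packet id. With tls-auth/tls-crypt on the server, expect
silence regardless of whether the port forward works.
"""
import os
import socket
import struct

P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8


def build_client_reset(session_id, key_id=0):
    """Minimal first packet of a client without tls-auth:
    (opcode << 3 | key_id), our session id, empty ack array, packet id 0."""
    if len(session_id) != 8:
        raise ValueError("session id must be 8 bytes")
    opcode = (P_CONTROL_HARD_RESET_CLIENT_V2 << 3) | (key_id & 0x7)
    return bytes([opcode]) + session_id + b"\x00" + struct.pack(">I", 0)


def parse_server_reset(reply, our_session):
    """Return the server's session id if reply is a HARD_RESET_SERVER_V2 that
    acknowledges our packet 0 and echoes our session id; otherwise None.
    Requiring the echoed session id ties the reply to this probe instead of
    accepting any datagram that starts with the right opcode."""
    if len(reply) < 26:                       # 1 + 8 + 1 + 4 + 8 + 4
        return None
    if reply[0] >> 3 != P_CONTROL_HARD_RESET_SERVER_V2:
        return None
    server_session = reply[1:9]
    if reply[9] != 1:                         # ack array must hold exactly our packet id
        return None
    (acked,) = struct.unpack(">I", reply[10:14])
    if acked != 0 or reply[14:22] != our_session:
        return None
    return server_session


def probe(host, port, timeout=3.0):
    """Returns the server session id (bytes) on an answer, None on silence."""
    session = os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_client_reset(session), (host, port))
        try:
            reply, _ = sock.recvfrom(2048)
        except socket.timeout:
            return None
    return parse_server_reset(reply, session)


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])     # e.g. your-nas.example.synology.me 11940
    result = probe(host, port)
    if result:
        print(f"OpenVPN answered from {host}:{port} (server session {result.hex()})")
    else:
        print("no answer: forward broken, wrong port, or the server uses tls-auth/tls-crypt")
```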

7. Allow through the DSM firewall (if enabled)

DSM Control Panel → Security → Firewall: add an allow rule (port = your OpenVPN port, protocol matching the server, source optionally limited to the IP ranges your users connect from, action Allow), placed before any deny rule, since rules are matched top-down. Traffic from connected clients arrives from the VPN subnet (10.8.0.0/24 in the settings above), so rules that restrict DSM services by source must allow that range too.

8. Export and edit the .ovpn config

On the OpenVPN page click “Export configuration” to get the .ovpn (certificates may be bundled inline or shipped as separate files alongside it). Open it and change the line remote YOUR_SERVER_IP 1194 to your DDNS name (or static external IP) and the port you chose:
remote your-nas.example.synology.me <your-port>
If the server runs on TCP, also make sure the proto line reads tcp-client. Confirm the ca / cert / key settings (Synology usually bundles them), save, and hand the file plus credentials to the user over a secure channel.
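The rewrite-and-confirm step above, and the "missing certificate" complaint in Troubleshooting, as an added example script (not Synology's export tool). It assumes only the standard OpenVPN 2.x client-config syntax (remote, proto, auth-user-pass, inline <ca>/<tls-auth> blocks, key-direction, remote-cert-tls); SAMPLE_PROFILE is constructed for the demo and its certificate body is a placeholder, not a real certificate. Besides pointing the remote line at the DDNS name and port, it refuses to ship a profile that still has the placeholder address, has no CA, carries an inline tls-auth key without key-direction, has no client authentication method, or lacks remote-cert-tls server.

```python
"""Rewrite the 'remote' line of an exported .ovpn and sanity-check the profile
before handing it to a user.

Added example, not Synology's code. Assumes only OpenVPN 2.x client-config
syntax. SAMPLE_PROFILE is constructed; the certificate body is a placeholder.
"""
import re
import sys

INLINE_TAG = re.compile(r"^<(/?)([a-z0-9-]+)>$")

SAMPLE_PROFILE = """client
dev tun
proto udp
remote YOUR_SERVER_IP 1194
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderNotARealCertificate
-----END CERTIFICATE-----
</ca>
"""


def parse_profile(text):
    """Split a profile into top-level directives and the set of inline blocks.
    Lines inside <tag>...</tag> are skipped so base64 never looks like a directive."""
    directives, inline, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        m = INLINE_TAG.match(line)
        if m:
            if m.group(1):
                current = None
            else:
                current = m.group(2)
                inline.add(current)
            continue
        if current or not line or line[0] in "#;":
            continue
        parts = line.split(None, 1)
        directives[parts[0]] = parts[1] if len(parts) > 1 else ""
    return directives, inline


def set_remote(text, host, port, proto="udp"):
    """Point every 'remote' line at host:port and make 'proto' match the
    server (tcp-client when the server listens on TCP)."""
    out = []
    for line in text.splitlines():
        key = line.split(None, 1)[0] if line.strip() else ""
        if key == "remote":
            out.append(f"remote {host} {port}")
        elif key == "proto":
            out.append("proto " + ("tcp-client" if proto == "tcp" else "udp"))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def check_profile(text):
    """Return the list of problems found; an empty list means ready to ship."""
    directives, inline = parse_profile(text)
    problems = []
    remote = directives.get("remote", "")
    if not remote:
        problems.append("no 'remote' line")
    elif "YOUR_SERVER_IP" in remote:
        problems.append("'remote' still carries the export placeholder address")
    elif len(remote.split()) < 2 or not remote.split()[1].isdigit():
        problems.append(f"'remote {remote}' has no numeric port")
    if "ca" not in directives and "ca" not in inline:
        problems.append("no CA certificate (inline <ca> or 'ca file'): the client cannot verify the server")
    if "tls-auth" in inline and "key-direction" not in directives:
        problems.append("inline <tls-auth> without 'key-direction': the client falls back to "
                        "bidirectional keys and will not match a server using direction 0/1")
    has_cert = {"cert", "key"} <= (set(directives) | inline)
    if "auth-user-pass" not in directives and not has_cert:
        problems.append("no client authentication (neither auth-user-pass nor cert/key)")
    if "remote-cert-tls" not in directives and "verify-x509-name" not in directives:
        problems.append("no 'remote-cert-tls server': any certificate issued by the same CA could pose as the server")
    return problems


def main(path, host, port, proto):
    """Rewrite the file in place only when no problems remain."""
    with open(path, encoding="utf-8") as f:
        fixed = set_remote(f.read(), host, int(port), proto)
    problems = check_profile(fixed)
    for p in problems:
        print("PROBLEM:", p)
    if not problems:
        with open(path, "w", encoding="utf-8") as f:
            f.write(fixed)
        print("profile rewritten and ready")
    return not problems


if __name__ == "__main__":
    # usage: python ovpn_prep.py openvpn.ovpn your-nas.example.synology.me 11940 udp
    if len(sys.argv) == 5:
        sys.exit(0 if main(*sys.argv[1:]) else 1)
    print("sample before:", check_profile(SAMPLE_PROFILE))
    print("sample after:", check_profile(
        set_remote(SAMPLE_PROFILE, "your-nas.example.synology.me", 11940)))
```

The remote-cert-tls check is the one most often missing from hand-edited profiles: without it, a client accepts any certificate signed by the same CA as the server, so a leaked client certificate (where certificates are used) or a second server issued from that CA could stand in for the real one.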

Client connection

Install OpenVPN Connect on each platform, import the .ovpn, enter credentials.
  1. Install OpenVPN Connect.
  2. Import Profile → Upload File, choose the .ovpn.
  3. Enter username/password, click Connect.
  4. If it warns about a missing certificate, confirm the .ovpn embeds ca/tls-auth or import the bundled cert files alongside it.
TCP or UDP? Prefer UDP for low latency: OpenVPN gives its control channel its own reliability layer and the tunnelled applications keep their own retransmission, so minor loss is tolerated without the tunnel itself retransmitting. Use TCP only to get through firewalls that block UDP: tunnelling TCP inside TCP stacks retransmissions under loss and adds latency. VPNs typically default to UDP.

Troubleshooting

Symptom                            | Likely cause                                                                          | Where to look
No external access                 | Wrong forwarding, double-NAT not chained, ISP blocks the port, or the router's WAN address is in 100.64.0.0/10 (carrier-grade NAT) | Recheck the rule, chain NAT per layer, use a non-standard port or ask the ISP. With tls-auth enabled the server drops unauthenticated packets silently, so a port scan shows nothing either way; read the VPN Server log instead
Client reports missing certificate | .ovpn not embedded / bundled certs missing                                            | Re-export a config that includes the certificates
Connected but no internal access   | LAN routes not pushed, or the VPN subnet overlaps the client's local network         | Enable “push LAN routes” / “allow LAN access” on the server; change the dynamic IP range if it collides
DDNS not updating                  | DDNS not enabled or external IP changed                                               | Check DSM DDNS status; update manually if needed

Operations

  • Grant VPN access manually; revoke on offboarding or project end.
  • Review VPN Server connection logs regularly for unusual sources or times.
  • Keep the server port off the default and limit sources via the DSM firewall.
  • Deliver secrets (private keys, tls-auth key, credentials) only over secure channels; never in version control or public channels.
This page is a public, sanitized version of the private organization repo issp-mes-lab/labvpn, with lab-internal addresses, ports, accounts, and certificates removed. The source repo is private and requires organization access.