Standard VPN
VPN Plus Server provides multiple popular VPN solutions - SSTP VPN, OpenVPN, L2TP/IPSec, and PPTP VPN - to suit your needs and networking environments.
SSTP VPN
Secure Socket Tunneling Protocol (SSTP) is a VPN solution that provides SSL-protected VPN connections. With the built-in client on a Windows computer, you can quickly build an SSTP VPN connection.
To set up SSTP VPN:
- Click Standard VPN on the left panel, and go to SSTP.
- Tick Enable SSTP VPN server.
- Specify the settings below:
  - Active licenses: See how many active licenses for the premium features are installed. To add licenses, go to License on the left panel.
  - Client IP range: Select a client IP range (i.e., a subnet or IP range behind your Synology Router) as virtual IP addresses available for clients. To add more, go to Object > Address Pool.
  - Self-owned domain name: You can create a URL for SSTP VPN using Synology's DDNS hostname or a customized domain name. To use a customized domain name, follow the steps shown under the SSTP tab to import your certificate.
  - Port: Specify the port for connections.
  - Disallow duplicate logins: Select to prevent a user from creating multiple connections.
- Click Apply to finish the setup. You are now ready to set up an SSTP VPN connection from your local computer.
OpenVPN
OpenVPN is an open-source solution for implementing the VPN service, and provides SSL/TLS-protected VPN connections.
To set up OpenVPN:
- Click Standard VPN on the left panel, and go to OpenVPN.
- Select Enable OpenVPN server.
- Specify the settings below:
  - Client IP range: Select a client IP range (i.e., a subnet or IP range behind your Synology Router) as virtual IP addresses available for clients. To add more, go to Object > Address Pool.
  - Max. concurrent accounts: Specify the maximum number of concurrently connected accounts.
  - Port: Specify the port for connections.
  - Protocol: Select TCP or UDP for building connections.
  - Encryption: Select a method to encrypt connections.
  - Authentication: Select a method to authenticate clients.
  - Use manual DNS: Specify a server that provides DNS resolution for VPN connections. If this option is not enabled, the DNS server of Synology Router will be applied to the VPN.
  - Enable compression on the VPN link: Select to compress data during transfer for increased transmission speed. This option may consume more system resources.
  - Allow clients to access server's LAN: Select to allow clients access to resources in the local network of your Synology Router.
  - Enable IPv6 server mode: Select to send IPv6 addresses to clients. You also have to select 6in4/6to4/DHCPv6-PD for IPv6 setup (at SRM Network Center > Internet > Connection > Primary Interface > IPv6 setup).
  - Disallow duplicate logins: Select to prevent clients from creating multiple connections.
- Click Apply to finish the setup.
Note:
- The OpenVPN service does not support site-to-site connections in the Wireless AP (bridge) mode (configurable at Network Center > Operation Modes).
- The UDP port 1194 should be open in port forwarding rules (at Network Center > Port Forwarding) and firewall rules (at Network Center > Security) of the Synology Router and other connected routers.
- When running OpenVPN GUI on Windows Vista or Windows 7, please note that UAC (User Account Control) is enabled by default. If it is enabled, you need to use the Run as administrator option to properly connect with OpenVPN GUI.
- When Enable IPv6 server mode is selected through a Windows computer, note the following:
  - The interface name specified for the OpenVPN service should not contain any space.
  - The redirect-gateway option should be properly set in the VPNConfig.ovpn file for the client. Otherwise, you should specify a DNS server for the OpenVPN service manually, or try Google's IPv6 DNS server: "2001:4860:4860::8888".
To export certificates for client use:
VPN Plus Server can issue a certificate for OpenVPN clients to have them authenticated for OpenVPN connections.
- Click Standard VPN on the left panel, and go to OpenVPN.
- Make sure Enable OpenVPN server is selected.
- Click Export Configurations to download a .zip file that contains VPNConfig.ovpn, the certificate file for use.
- Have VPNConfig.ovpn installed on OpenVPN client devices.
Note:
- Each time VPN Plus Server runs the OpenVPN service, it will automatically copy and use the self-signed certificate (at Control Panel > Services > Certificate) for OpenVPN authentication.
- You may use an acquired third-party certificate for OpenVPN authentication. Go to Control Panel > Services > Certificate and import the certificate. Then, restart VPN Plus Server for OpenVPN authentication.
- When the certificate file at Control Panel > Services > Certificate is modified, VPN Plus Server will restart.
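The redirect-gateway/DNS note and the UDP port 1194 note above can be checked against an exported VPNConfig.ovpn before it is installed on client devices. The Python below is an added example, not Synology code; the sample profile and the helper names `parse_directives` and `lint_profile` are constructed for illustration.

```python
import re

# Constructed sample profile (not the file VPN Plus Server actually exports).
SAMPLE_OVPN = """dev tun
remote vpn.example.com 1194
proto udp
# redirect-gateway def1
# dhcp-option DNS 2001:4860:4860::8888
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
</ca>
"""

def parse_directives(text):
    """Return (directive, args) pairs, skipping comments and inline block bodies."""
    out, block = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if block:                       # inside <ca>...</ca> and similar blocks
            block = None if line == f"</{block}>" else block
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            block = m.group(1)
            out.append((block, ["<inline>"]))
        elif line and line[0] not in "#;":
            out.append((line.split()[0], line.split()[1:]))
    return out

def lint_profile(text, port=1194, proto="udp"):
    """Check a client profile against the notes above; return a list of findings."""
    d = parse_directives(text)
    findings = []
    # 'remote host [port] [proto]' overrides the global 'proto' directive.
    default_proto = next((a[0] for k, a in d if k == "proto" and a), "udp")
    for a in (a for k, a in d if k == "remote" and a):
        r_port = a[1] if len(a) > 1 else "1194"
        r_proto = a[2] if len(a) > 2 else default_proto
        if r_port != str(port) or not r_proto.startswith(proto):
            findings.append(f"remote {a[0]} uses {r_proto}/{r_port}, expected {proto}/{port}")
    # Without redirect-gateway the client needs an explicit DNS server.
    dns = [a[1] for k, a in d if k == "dhcp-option" and len(a) > 1 and a[0].upper() == "DNS"]
    if not dns and not any(k == "redirect-gateway" for k, _ in d):
        findings.append("neither redirect-gateway nor a DNS server is set")
    if not any(k == "ca" for k, _ in d):
        findings.append("no CA certificate (ca or <ca>) in the profile")
    return findings
```

Pass the text of the exported file to `lint_profile`; an empty list means the profile matches the forwarded port and protocol, carries a CA certificate, and has either redirect-gateway or a DNS server set.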
To connect via OpenVPN:
Follow the instructions to start an OpenVPN connection from your local computer:
L2TP/IPSec VPN
L2TP (Layer 2 Tunneling Protocol) over IPSec provides VPN connections with increased security and is supported by most clients, such as Windows, Mac, Linux, and mobile devices.
To set up L2TP/IPSec VPN:
- Click Standard VPN on the left panel, and go to L2TP.
- Select Enable L2TP/IPSec VPN server.
- Specify the settings below:
  - Client IP range: Select a client IP range (i.e., a subnet or IP range behind your Synology Router) as virtual IP addresses available for clients. To add more, go to Object > Address Pool.
  - Network interface: Select a network interface of your Synology Router so that clients can connect through this interface for VPN connections.
  - Max. concurrent accounts: Specify the maximum number of concurrently connected accounts.
  - Authentication: Select a method to authenticate clients:
    - PAP: Client passwords will not be encrypted during authentication.
    - MS-CHAP v2: Client passwords will be encrypted during authentication using Microsoft CHAP version 2.
  - MTU (Maximum Transmission Unit): Set the maximum data packet size allowed for VPN transmission.
  - Use manual DNS: Specify a server that provides DNS resolution for VPN connections. If this option is not enabled, the DNS server of Synology Router will be applied to the VPN.
  - Run in kernel mode: Select to run VPN Plus Server for optimal performance.
  - Disallow duplicate logins: Select to prevent a user from creating multiple connections.
- For more security, you may enter and confirm a Pre-shared key given to clients for authentication.
- To allow non-RFC standard clients to use L2TP/IPSec VPN connection, select Enable SHA2-256 compatible mode (96 bit).
- Click Apply to finish the setup.
Note:
- To establish a successful L2TP/IPSec VPN connection, clients should apply authentication and encryption settings identical to those specified for the L2TP/IPSec VPN service in VPN Plus Server.
- The UDP ports 500, 1701, and 4500 should be open in port forwarding rules (at Network Center > Port Forwarding) and firewall rules (at Network Center > Security) of the Synology Router.
- When Enable SHA2-256 compatible mode (96 bit) is enabled for the first time, you may need to restart the Synology Router to have successful client connections.
To connect via L2TP/IPSec VPN:
Follow the instructions to start an L2TP/IPSec VPN connection from your local computer:
PPTP VPN
PPTP (Point-to-Point Tunneling Protocol) is a commonly used VPN solution supported by most clients, including Windows, Mac, and Linux.
To set up PPTP VPN:
- Click Standard VPN on the left panel, and go to PPTP.
- Select Enable PPTP VPN server.
- Specify the settings below:
  - Client IP range: Select a client IP range (i.e., a subnet or IP range behind your Synology Router) as virtual IP addresses available for clients. To add more, go to Object > Address Pool.
  - Max. concurrent accounts: Specify the maximum number of concurrently connected accounts.
  - Authentication: Select a method to authenticate clients:
    - PAP: Client passwords will not be encrypted during authentication.
    - MS-CHAP v2: Client passwords will be encrypted during authentication using Microsoft CHAP version 2.
  - Encryption (for MS-CHAP v2 authentication): Select a method to encrypt connections:
    - No MPPE: VPN connections will not be protected.
    - Optional MPPE: VPN connections will be protected with a 40-bit or 128-bit encryption mechanism or not, depending on the client's settings.
    - Require MPPE: VPN connections will be protected with a 40-bit or 128-bit encryption mechanism, depending on the client's settings.
  - MTU (Maximum Transmission Unit): Set the maximum data packet size allowed for VPN transmission.
  - Use manual DNS: Specify a server that provides DNS resolution for VPN connections. If this option is not enabled, the DNS server of Synology Router will be applied to the VPN.
  - Disallow duplicate logins: Select to prevent a user from creating multiple connections.
- Click Apply to finish the setup.
Note:
- To establish a successful PPTP VPN connection, clients should apply authentication and encryption settings identical to those specified for the PPTP VPN service in VPN Plus Server.
- The TCP port 1723 should be open in port forwarding rules (at Network Center > Port Forwarding) and firewall rules (at Network Center > Security) of the Synology Router.
- PPTP VPN is not supported on Mac computers already upgraded to macOS Sierra.
To connect via PPTP VPN:
Follow the instructions to start a PPTP VPN connection from your local computer: