For whatever reason, I sometimes have problems with Synology’s VPN package, specifically when using OpenVPN. There may be issues with the L2TP/IPSec or PPTP, but I don’t use them so I can’t specifically comment.
Anyway the nature of the problem is that no matter what settings I change — for example the dynamic IP address or Authentication methods — it doesn’t seem to change the configuration settings properly. It’s happened a handful of times where I change the IP range or when I need to give remote clients access to the local network, and it simply and inexplicably doesn’t work. Or to be more specific, the VPN may connect but will not bridge to the rest of the network. Bridging would be necessary to give remote users access to the local network because the VPN service by default uses a 10.8.0.1/24 network and most networks are in the 192.168.x.0/24 range.
When changes are made to the OpenVPN configuration through DSM, it is supposed to make changes to this file:
I’ve found that I need to manually edit this file instead of letting the limited GUI do it for me, especially since the GUI lacks advanced functionality like if there are multiple subnets on a given network (though to be fair, if your network is large enough to have multiple subnets, you probably aren’t using a Synology as your VPN appliance).
It’s happened enough times that I’ve had to refer back to some technical notes I keep, so I hope this is useful to other people too.
#pushing a route is necessary to bridge dissimilar networks, so both the VPN #network and the intranet network(s) need to be defined here. #intranet network: push "route 192.168.1.0 255.255.255.0" #vpn network: push "route 10.8.0.0 255.255.255.0" #force clients to use remote gateway (force all traffic through VPN) #optional, and can be configured/overridden in the client connection script push "redirect-gateway def1" #force Intranet DNS servers (so that remote clients can use intranet hostnames) # this assumes you have an internal DNS server. If you don't, you can simply use # the intranet default DNS settings (192.168.1.1 in this case, if the router does it) push "dhcp-option DNS 192.168.1.10" push "dhcp-option DNS 192.168.1.11" dev tun management 127.0.0.1 1195 server 10.8.0.0 255.255.255.0 dh /var/packages/VPNCenter/target/etc/openvpn/keys/dh3072.pem ca /var/packages/VPNCenter/target/etc/openvpn/keys/ca.crt cert /var/packages/VPNCenter/target/etc/openvpn/keys/server.crt key /var/packages/VPNCenter/target/etc/openvpn/keys/server.key max-clients 5 comp-lzo #encryption method. I usually prefer strong AES encryption as it's yet to be defeated cipher AES-256-CBC persist-tun persist-key verb 3 #log-append /var/log/openvpn.log keepalive 10 60 reneg-sec 0 plugin /var/packages/VPNCenter/target/lib/radiusplugin.so /var/packages/VPNCenter/target/etc/openvpn/radiusplugin.cnf client-cert-not-required username-as-common-name duplicate-cn status /tmp/ovpn_status_2_result 30 status-version 2 proto udp6 port 1194 auth SHA256
Now just to be clear, this is by no means the only way to set up the VPN, and perhaps not even the best way, but I’ve found it to be a great starting point to tweak as needed.