Synology Use a VPN between an Android mobile and a Synology NAS via Proximus network

I spent hours trying to figure out why I couldn't connect my Galaxy S7 onto my Synology using a PPTP VPN on the Proximus 3G/4G Network (Belgium) while it was working fine if connected via WiFi.

Finally, I gave up and configured a L2TP/IPSec VPN. This one worked immediately like a charm, both on WiFi and 3G/4G. I am quite sure this is due to Proximus configuring my profile to use CGN (Carrier Grade NAT).

Click to Read More

I was initially inspired by this post ("Using Synology DiskStation as a VPN server using built-in Android VPN client"). So;

  • I did first configure my Synology VPN Server to use PPTP as explained here (Official Knowledge base Synology)
  • Next, I did open my Synology Firewall (port 1723 for PPTP) via the Control Panel > Security > Firewall > Edit Rules > Edit an entry to Allow > Select Built-in applications > VPN Server (PPTP)

Open Firewall Synology for VPN

  • Then, I did configure my Modem to route the TCP port 1723 to my NAS via Access Control > Port Mapping

Configure Proximus Modem Route

Configure Proximus Modem Route

  • Finally, I configured a PPTP VPN on my Galaxy S7 via Settings > Connections > More connection settings > VPN > ADD VPN

It worked immediately while connecting my Galaxy S7 via WiFi. But if failed while connected via 3G/4G. To investigate, I did enable the firewall of my dd-wrt router (placed between my modem and my NAS) and configured it to send all its firewall messages to the syslog server of my Synology (the "Log Center"). I those logs, I found packets corresponding most probably to the VPN requests from my Galaxy S7 (They were only arriving when I was trying to establish a connection). Those were not coming from my Galaxy S7's IP. Instead, they were coming from another Proximus IP, with a protocol 47 (Generic Route Encapsulation)?! Could this be due to Proximus configuring my profile to use CGN (Carrier Grade NAT)? Unfortunately, I couldn't check and reconfigure this myself as the option is not available anymore via the MyProximus administration interface...

So, I decided to give up with this PPTP VPN and use a more secure but less performant VPN: L2TP/IPSEC with a PSK (IPsec pre-shared key). And miracle, after opening and routing the UDP ports 500, 1701 and 4500, it worked !

Synology Create a VPN to download from a Synology

In order to hide my NAS, I wanted it to use its own VPN, while my public IP was still visible when surfing with any other devices in my LAN.

To do so, I subscribed to HMA! (HideMyAss!) and applied their configuration procedure on my Synology. Et voilà.

Click to Read More

I did try both a L2TP and a OpenVPN VPN with success. Tricks:

  • For a L2TP VPN, use your PPTP password and NOT your account password
  • For a OpenVPN VPN, use your account password
  • Although using Port Forwarding to access my NAS from internet, I did not had to open the required ports !!!
    • L2TP: UDP 500, 4500 and 1701
    • Open VPN : 443 if using TCP, 553 is using UDL
  • If you are using a DDNS, go to the  Control Panel > External Access and Click Update to verify the public IP of your NAS. It must now be your VPN IP.
  • Check that downloading a torrent (with this procedure), your tracker IP is your VPN IP.
  • Check you IP calling ipify from your NAS.
    • A very simple way to do this is to call the following php page on your Web Station:
<?php 
 $ip = file_get_contents('https://api.ipify.org');
 echo "My public IP address is: " . $ip;
?>
  • Soon after enabling the VPN, I started to be attacked on Telnet port! I am using Security's Auto-Block feature to prevent brute force attacks.
  • On a mobile device (or anything else) connected directly to Internet (not via your LAN), type your VPN IP in a browser. You should see the default home page of your web station if this one is enabled.
    • I would recommend to replace this default page by a php page returning a header 404.
<?php
 header("HTTP/1.0 404 Not Found");
?>
  • If you are using a DDNS on your NAS, you won't be able to access your router and VDSL modem via that domain name. Indeed, only your NAS is accessible via this VPN IP. If possible, configure another DDNS on your VDSL modem or router.
    • Ex.: I am using duckdns.org for free. They have a great support page here with detailed configurations for many different devices.
    • Doing so, you can access your NAS and your router or modem via their own Domain name.
  • "Tested OK" both when accessed from LAN or from Internet:
    • Download Station via Synology Download Station for Chrome (https://www.download-station-extension.com)
    • JDownloader via Chrome extension and via https://my.jdownloader.org
    • Plex Server via App or via http://DDNS name:port/web or via http://plex.tv
    • DSM via its admin port
    • Apps: DS Cam, DS File, DS Audio, DS Get, DS Photo, DS Video, DS Cloud and DS Note are all wokring fine using Quick Connect (All those I tested via their DDNS name + custom port or DSM admin port worked too)
    • Cloud Sync (with Hubic)
    • FTP Server