Secure Public WiFi using Synology VPN Server

Public WiFi is something many of us enjoy at coffee shops, hotels, airports, libraries and so on, but one thing everyone needs to know is that public WiFi is NOT secure. In fact, it’s so easy for people to eavesdrop on and hack a public WiFi that even a 7-year-old girl can do it, in under 11 minutes!

The solution is to use a VPN, which encrypts your traffic between you and the VPN server. So even if someone is attempting to hack the public WiFi, your traffic becomes useless to them, and your emails, chats, web browsing and file transfers are now secure and out of other people’s sight.

There are plenty of VPN services available, such as NordVPN (which I also use), but you can also set up your own VPN server on your Synology NAS.

How to set up a Synology VPN server on a Synology NAS

Before we get started installing the Synology VPN Server, make sure you already have DDNS configured on your Synology NAS and are familiar with how to do port forwarding on your home router.

  1. Log into your Synology NAS then open the Package Center and install the Synology VPN Server under Utilities.
  2. After the package has been installed, open the VPN Server app.
  3. The Synology VPN server can be configured to use PPTP, OpenVPN, and L2TP/IPSec. I went with OpenVPN because it is considered very secure and fast, and there is an OpenVPN client available for all my devices (Windows and Android; if you’re a Mac user, there is also a Mac client).

    That said, on the left side click on “OpenVPN” and then check “Enable OpenVPN server” on the right side, then click Apply.

  4. The default setting is to allow every user VPN access. I would suggest restricting the privilege to only the user(s) you want to be able to connect to the VPN. To do this, click on Privilege, then uncheck all the check boxes except the OpenVPN box for the user(s) you want to have access, then click on Save.
  5. Finally, on the left side click on “OpenVPN”, then click on “Export configuration” and save the openvpn.zip file somewhere handy, such as your desktop, as we’ll be using it soon.

At this point the Synology VPN server is running and the user(s) have been granted access to log into the Synology VPN. There are still a few more steps to complete before we are finished: opening the port on the Synology firewall (you ARE running the firewall, aren’t you?) and setting up the OpenVPN configuration files.

How to open the Synology firewall to allow VPN connections

  1. Go to Control Panel > Security > click on the Firewall tab. Then create a firewall rule to allow the VPN Server (OpenVPN) access.

How to configure the OpenVPN configuration files

  1. Before we get started editing config files, we first need to export the Synology certificate. You’ll want to do this regardless of whether it’s a self-signed cert or a paid SSL certificate.
    So open Control Panel > Security, click on the Certificate tab, then click on “Export certificate” and save the file.
  2. Now extract the openvpn.ovpn file from openvpn.zip, as well as the files from archive.zip (the certificate export from step 1), somewhere on your computer.
  3. Now open the openvpn.ovpn file with an editor such as Notepad++ and edit line 4, replacing YOUR_SERVER_IP with your Synology DDNS (or other DDNS) name. Also add a # in front of “ca ca.crt” to comment out the line, as we’ll be embedding the cert into our openvpn.ovpn file.
  4. Now open the file ca.crt with an editor and copy its contents into the <ca> section in openvpn.ovpn. Do the same for server.crt, copying its contents into the <cert> section, and for server.key, copying its contents into the <key> section.
  5. The end result of your openvpn.ovpn file should look something like this:
    dev tun
    tls-client
    
    remote username.synology.me 1194
    
    # The "float" tells OpenVPN to accept authenticated packets from any address,
    # not only the address which was specified in the --remote option.
    # This is useful when you are connecting to a peer which holds a dynamic address
    # such as a dial-in user or DHCP client.
    # (Please refer to the manual of OpenVPN for more information.)
    
    #float
    
    # If redirect-gateway is enabled, the client will redirect its
    # default network gateway through the VPN.
    # It means the VPN connection will firstly connect to the VPN Server
    # and then to the internet.
    # (Please refer to the manual of OpenVPN for more information.)
    
    #redirect-gateway
    
    # dhcp-option DNS: To set primary domain name server address.
    # Repeat this option to set secondary DNS server addresses.
    
    #dhcp-option DNS DNS_IP_ADDRESS
    
    pull
    
    # If you want to connect by Server's IPv6 address, you should use
    # "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
    proto udp
    
    script-security 2
    
    # ca ca.crt
    
    comp-lzo
    
    reneg-sec 0
    
    auth-user-pass
    
    <ca>
    -----BEGIN CERTIFICATE-----
    Copy content of ca.crt here
    -----END CERTIFICATE-----
    </ca>
    
    <cert>
    -----BEGIN CERTIFICATE-----
    Copy content of server.crt here
    -----END CERTIFICATE-----
    </cert>
    
    <key>
    -----BEGIN RSA PRIVATE KEY-----
    Copy content of server.key here
    -----END RSA PRIVATE KEY-----
    </key>
    

The only thing left to do, if you haven’t already done so, is to configure your router to forward port 1194 (the default OpenVPN port, UDP in the profile above) to your Synology NAS.

You’ll also need to place the newly edited openvpn.ovpn file in your C:\Program Files\OpenVPN\config\ directory if you’re a Windows user (once you’ve installed the OpenVPN client), or on your SD card if you’re going to use the VPN on your Android phone.

Now when you connect to your VPN server, all your traffic will be encrypted, which greatly protects you from evildoers and makes it look like you are actually at home surfing the internet and not at the coffee shop.
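
Before copying the profile to a device, it can be checked against the editing steps above. The following Python lint is an added example, not part of the original post; the helper name `lint_ovpn` and the sample profile are constructed for illustration.

```python
import re

def lint_ovpn(text):
    """Return findings for an edited openvpn.ovpn profile (hypothetical helper)."""
    active, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if current:                               # inside an inline <ca>/<cert>/<key> block
            if line == f"</{current}>":
                current = None
            else:
                blocks[current].append(line)
        elif (m := re.fullmatch(r"<([a-z-]+)>", line)):
            current = m.group(1)
            blocks[current] = []
        elif line and line[0] not in "#;":        # '#' and ';' start comments
            active.append(line.split())
    names = {d[0] for d in active}
    findings = []
    if current:
        findings.append(f"<{current}> block is never closed")
    remotes = [d for d in active if d[0] == "remote"]
    if not remotes or any("YOUR_SERVER_IP" in d for d in remotes):
        findings.append("remote line missing or still YOUR_SERVER_IP")
    if "ca" in names:
        findings.append("'ca ca.crt' is still active although the CA is embedded")
    for name in ("ca", "cert", "key"):
        body = blocks.get(name)
        if body is None:
            findings.append(f"missing inline <{name}> block")
        elif not any(re.fullmatch(r"[A-Za-z0-9+/=]{16,}", l) for l in body):
            findings.append(f"<{name}> holds no base64 PEM data")
    if "redirect-gateway" not in names:
        findings.append("redirect-gateway is disabled: only server-pushed routes use the tunnel")
    if any("PRIVATE KEY" in l for l in blocks.get("key", [])):
        findings.append("profile embeds a private key: keep the file secret")
    return findings

# Constructed sample: an exported profile before the edits described above.
SAMPLE = """remote YOUR_SERVER_IP 1194
#redirect-gateway
ca ca.crt
<ca>
-----BEGIN CERTIFICATE-----
Copy content of ca.crt here
-----END CERTIFICATE-----
</ca>
"""
print("\n".join(lint_ovpn(SAMPLE)))
```

The profile shown in step 5 keeps `#redirect-gateway` commented out; unless the server pushes a default route, the client then sends only the server-pushed routes through the tunnel, so uncomment that line if general web browsing on the public WiFi should go via the NAS. The finished profile also carries the contents of server.key, so store and transfer it as you would any private key.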

If you want a bit more security and anonymity, I would certainly suggest checking out NordVPN. I use them a lot as well, and NordVPN has servers located all over the world, which is also great for accessing geo-restricted content. You can also use coupon code 70off to save 70%! 😉
