Using Synology DiskStation as a VPN server using built-in Android VPN client

This took me a while to figure out so I’m gonna document it here in case someone else has a similar need. Both DiskStation and Android come with free first-party software that lets you set up a VPN connection.

An introduction to VPN

Here is how it works: your phone encrypts its traffic and sends it to your DiskStation. The DiskStation decrypts the data and sends the requests out from your home network on your behalf, just as if your Android phone/tablet were connected to the internet from home. It receives the server response and sends it back to your phone. Everything travelling between your phone and your home network is encrypted.

Why?

How?

Install VPN Server from Package Center of your DiskStation and open it.

Before you begin you need to make sure VPN Server is reachable from the internet. There are several ways to do that. One way is to assign a private static LAN IP address to your DiskStation and add it to the DMZ in your router settings. This essentially exposes the whole DiskStation to the internet, so you want to make sure that you’ve enabled the firewall in the Control Panel > Security > Firewall tab. Another way, which exposes less, is to port-forward only the VPN-related ports from your router to the DiskStation.

Don’t ever expose your DiskStation to the internet without enabling the firewall. Even a few minutes is enough for hackers to get into your personal data on the DiskStation.

While you’re here, click on Edit Rules and open the ports for your desired VPN type. You can choose “Select from a list of built-in applications” and look for VPN Server (there are a couple of entries; only enable the one that you want to use). There are basically two VPN protocols that are supported by both DiskStation and the built-in Android client:

You can enable both and use the one you prefer depending on how much you trust the connection between your phone/tablet and your home.

Don’t forget to block all other ports: create a firewall rule that denies all ports from all source IPs and put it right under the rule you just created in the previous step. Rules are evaluated top to bottom and the first match wins, so the deny-all rule must sit below the VPN rule; that way the VPN ports are matched first and stay reachable while everything else is denied.
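To make the ordering point concrete, here is a small Python model of a first-match firewall (an added example, not from the original post or from Synology). It assumes the standard ports for the two VPN types (TCP 1723 plus GRE for PPTP; UDP 500, 4500 and 1701 for L2TP/IPsec) and the DSM default of allowing traffic that matches no rule; the probe list and names are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Optional

# Well-known ports for the two VPN types the post covers (standard values, not
# taken from the post): PPTP uses TCP 1723 plus the GRE protocol; L2TP/IPsec
# uses UDP 500 (IKE), UDP 4500 (NAT-T) and UDP 1701 (L2TP).
VPN_PORTS = {
    "PPTP": [("tcp", 1723), ("gre", None)],
    "L2TP/IPSec": [("udp", 500), ("udp", 4500), ("udp", 1701)],
}

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: Optional[str]  # None matches any protocol
    port: Optional[int]   # None matches any port

    def matches(self, proto: str, port: Optional[int]) -> bool:
        return (self.proto is None or self.proto == proto) and (
            self.port is None or self.port == port)

DENY_ALL = Rule("deny", None, None)

def build_ruleset(vpn_type: str, deny_all_first: bool) -> list:
    """Allow rules for one VPN type plus a deny-all rule, in the chosen order."""
    allows = [Rule("allow", proto, port) for proto, port in VPN_PORTS[vpn_type]]
    return [DENY_ALL] + allows if deny_all_first else allows + [DENY_ALL]

def evaluate(rules: list, proto: str, port: Optional[int]) -> str:
    """Top-to-bottom, first-match evaluation, as the DSM firewall applies rules."""
    for rule in rules:
        if rule.matches(proto, port):
            return rule.action
    return "allow"  # assumed default for unmatched traffic (why deny-all is needed)

def exposure(rules: list) -> dict:
    """What the ruleset lets through: the VPN ports plus two unrelated services
    (constructed probes; DSM web UI default port 5000 and SSH)."""
    probes = {
        "l2tp_ike": ("udp", 500), "l2tp_natt": ("udp", 4500), "l2tp": ("udp", 1701),
        "pptp": ("tcp", 1723), "gre": ("gre", None),
        "dsm_http": ("tcp", 5000), "ssh": ("tcp", 22),
    }
    return {name: evaluate(rules, *probe) for name, probe in probes.items()}

def misordered(rules: list) -> bool:
    """True when an allow rule sits below a deny-all rule and can never match."""
    return any(r.action == "allow" and DENY_ALL in rules[:i] for i, r in enumerate(rules))
```

With the deny-all rule placed first, `exposure()` reports every probe as denied, including the VPN itself; with it placed last, only the VPN ports get through.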

First create a user only for VPN

Both native Android VPN types have known security issues (PPTP, L2TP/IPSec). Since both of them authenticate with your DiskStation credentials, a cracked VPN hands the attacker a powerful account. Don’t use the accounts you use to access your files, and especially not an account with administration powers on the DiskStation. By creating a user specifically for the VPN, you limit what that user can do and minimize the damage if its credentials are compromised.

Setting up PPTP

PPTP is less secure but works fine if your DiskStation doesn’t have a powerful processor.

WARNING: PPTP is an obsolete and insecure VPN protocol. It is “better than nothing”, e.g. when connecting to insecure Wi-Fi networks. If you can, aim for L2TP/IPSec, which is also supported natively on Android.

On DiskStation

On Android

Setting up L2TP/IPSec

L2TP/IPSec is more secure than PPTP but requires more processing power, so your internet may feel slower on your phone, especially for media content.

On DiskStation

On Android

Always-on VPN

Android has an Always-on setting for the VPN that automatically turns on your VPN every time you connect to the network.

Always-on requires an IP address for both the Server and the DNS settings (i.e. domain names don’t work).

Always-on solves this chicken-and-egg problem: you don’t want to connect to an insecure Wi-Fi network unless the connection is encrypted with a VPN, but you can’t use the VPN until you have connected to that very network. Even a brief connection to the Wi-Fi network may prompt your apps to transfer data over that insecure network, so you want the VPN up the very moment you connect to the Wi-Fi, but your fingers can’t beat the speed of light.

A few notes
