Using Synology DiskStation as a VPN server using built-in Android VPN client
This took me a while to figure out, so I'm going to document it here in case someone else has a similar need. Both DiskStation and Android come with free first-party software that lets you set up a VPN connection.
Here is how it works: Your phone encrypts your information and sends it to your DiskStation. DiskStation decrypts the data and sends the requests from your home network on your behalf just as if your Android phone/tablet was connected to the internet from your home network. It gets the server response back and sends it to your phone. All information is encrypted between your phone and your home network.
Why?
- When using internet over insecure Wifi networks on your phone/tablet you can use a VPN connection to use your home internet.
- You can access your home network just as if you were connected to your local Wifi eg. you can access your printer, cameras and router.
- Escape the geo-fenced content: some sites block their content if you access them from another country than your home country. Using this method you can “pretend” to be still at home!
- To work around filtering: the governmental/company filtering systems have no way of knowing what sites or content you are accessing. All they see is an encrypted connection.
How?
Install VPN Server from Package Center of your DiskStation and open it.
Before you begin you need to make sure VPN Server is accessible from the internet. There are several ways to do that. One way is to assign a private static LAN IP address to your DiskStation and add it to the DMZ in your router settings. This essentially exposes your DiskStation to the internet, so you want to make sure that you've enabled the Firewall in the Control Panel > Security > Firewall tab. Another way is to only port-forward the VPN-related ports from your router to the DiskStation.
Don't ever expose your DiskStation to the internet without enabling the firewall. Even a few minutes is enough for hackers to get into your personal data on the DiskStation.
While you're here, click on Edit Rules and open the ports for your desired VPN type. You can choose Select from a list of built-in applications and look for VPN Server (there are a couple of entries; only enable the one that you want to use). There are basically two types of VPN protocols that are supported by both DiskStation and the Android built-in software:
- PPTP: less secure, but less hungry on your phone/tablet battery and DiskStation processor
- L2TP/IPSec: more secure (still not ideal) but requires more processing power on both sides (which also implies draining more battery power).
You can enable both and use the one you prefer depending on how much you trust the connection between your phone/tablet to your home.
Don't forget to block all other ports: create a firewall rule that denies all ports from all source IPs and put it right below the rule you created in the previous step. The deny-all rule must be below it so that it has lower priority and the desired ports remain accessible.
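The DiskStation firewall evaluates rules top to bottom and the first match wins, which is why the order described above matters. The following is an added example, not code from the original post or from Synology: a small first-match model of such a rule list, with a check that a rule list lets through only the ports of the VPN type you chose and ends with a deny-all rule. The port numbers are the standard ones for PPTP and L2TP/IPSec; the rule structure, the sample packets and the default "allow when nothing matches" behaviour are assumptions made for this example (DSM lets you configure the no-match action, and modelling it as allow shows why the explicit deny-all rule is needed).

```python
# Added example (not from the original post): a first-match model of the
# DiskStation firewall rule list, to show why "deny all" must sit *below*
# the VPN allow rule, plus an audit of a rule list.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Standard ports/protocols for the two VPN types discussed on the page.
# A port of None means the whole IP protocol (GRE for PPTP, ESP for IPsec).
VPN_PORTS = {
    "PPTP": {("tcp", 1723), ("gre", None)},
    "L2TP/IPSec": {("udp", 500), ("udp", 4500), ("udp", 1701), ("esp", None)},
}

# Constructed sample of other DiskStation services that must stay unreachable
# from the internet (DSM web UI on 5000/5001, SSH, SMB).
OTHER_SERVICES = [("tcp", 5000), ("tcp", 5001), ("tcp", 22), ("tcp", 445)]


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # None = any protocol
    port: Optional[int] = None   # None = any port

    def matches(self, proto: str, port: Optional[int]) -> bool:
        return (self.proto is None or self.proto == proto) and \
               (self.port is None or self.port == port)


DENY_ALL = Rule("deny")  # the "deny all ports from all source IPs" rule


def evaluate(rules: List[Rule], proto: str, port: Optional[int] = None,
             default: str = "allow") -> str:
    """First matching rule wins. `default` models the no-match action,
    assumed here to be 'allow' so that the explicit deny-all rule matters."""
    for rule in rules:
        if rule.matches(proto, port):
            return rule.action
    return default


def vpn_rules(vpn_type: str) -> List[Rule]:
    """Allow rules for one VPN type, as the built-in VPN Server entry would add."""
    return [Rule("allow", proto, port) for proto, port in VPN_PORTS[vpn_type]]


def audit(rules: List[Rule], vpn_type: str) -> List[str]:
    """Return the problems with a rule list for the chosen VPN type."""
    problems = []
    if not rules or rules[-1] != DENY_ALL:
        problems.append("last rule must be 'deny all'")
    for proto, port in VPN_PORTS[vpn_type]:
        if evaluate(rules, proto, port) != "allow":
            problems.append(f"VPN traffic {proto}/{port} is blocked")
    for proto, port in OTHER_SERVICES:
        if evaluate(rules, proto, port) == "allow":
            problems.append(f"unrelated service {proto}/{port} is exposed")
    return problems


if __name__ == "__main__":
    good = vpn_rules("L2TP/IPSec") + [DENY_ALL]   # allow rule above deny-all
    bad = [DENY_ALL] + vpn_rules("L2TP/IPSec")    # deny-all above: VPN blocked
    print("good:", audit(good, "L2TP/IPSec"))
    print("bad: ", audit(bad, "L2TP/IPSec"))
```

Running the block prints an empty problem list for the correctly ordered rules and "VPN traffic ... is blocked" entries for the list where deny-all comes first. A list of allow rules with no deny-all at the end is flagged both for the missing rule and for every other service it leaves exposed.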
First create a user only for VPN
Both VPN types that Android supports natively have known security issues (PPTP, L2TP/IPSec). Since both of them require authentication using your DiskStation credentials, an attacker who cracks the VPN may gain access to a powerful account. Don't use the accounts that you use to access your files, and especially not an account with administrative powers on the DiskStation. By creating a user specifically for the VPN, you limit the powers of that user and minimize the risk if that user's credentials are compromised.
- Create a user in Control Panel > User that doesn't have access to any folders, permissions or services, and limit its disk usage quota to 1MB. Note that you need to explicitly deny all permissions. Needless to say, choose a long password.
- Go to VPN Server > Privileges and uncheck VPN access for every user except the newly created one.
Setting up PPTP
PPTP is less secure but works fine if your DiskStation doesn’t have a powerful processor.
WARNING: PPTP is an obsolete and insecure VPN protocol. It is “better than nothing” ie. when connecting to insecure Wifi connections. If you can, aim for L2TP/IPSec which is also supported natively on Android.
On DiskStation
- Go to PPTP section on VPN Server and enable it.
- Choose MSCHAP v2 for authentication (more secure)
- Choose Require MPPE for encryption (enforce it, don’t leave it as optional)
- Press Apply
On Android
- Open Settings > More… > VPN
- Press the + button on the top right corner and choose a name for the VPN connection
- For its type pick PPTP
- Enter your DiskStation public address (domain or IP address)
- Enable PPTP encryption (MPPE)
- Press Save
- Now you can connect to the VPN Server using the credentials of one of the DiskStation users allowed in the Privileges section of the VPN Server settings. It may take a while until it connects.
Setting up L2TP/IPSec
L2TP/IPSec is more secure than PPTP but requires more processing power, so your internet may feel slower on your phone, especially for media content.
On DiskStation
- Go to L2TP/IPSec section on VPN Server and enable it.
- Choose MSCHAP v2 for authentication (more secure)
- Pick a secure pre-shared key. It's hard to type on the phone, but once you save it you don't have to type it again. Use a combination of lowercase and uppercase letters, numbers and ideally some punctuation marks. Pick at least 8 characters.
- Press Apply
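To take the guesswork out of the pre-shared key, here is an added example (not code from the original post or from Synology) that generates a key from the operating system's CSPRNG and checks an existing key against the advice above: mixed case, digits, punctuation, at least 8 characters, and only printable ASCII so it can be typed on a phone keyboard. The 8-character floor is the post's; the default generated length of 20 and the entropy estimate are this example's own choices.

```python
# Added example (not from the original post): generate and check an
# L2TP/IPSec pre-shared key against the advice given in the post.
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
MIN_LENGTH = 8  # floor stated in the post


def psk_problems(psk: str) -> list:
    """Return the ways a pre-shared key falls short of the post's advice
    (an empty list means the key passes)."""
    problems = []
    if len(psk) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in psk):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in psk):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in psk):
        problems.append("no digit")
    if not any(c in string.punctuation for c in psk):
        problems.append("no punctuation")
    if any(c not in ALPHABET for c in psk):
        problems.append("contains characters outside printable ASCII (hard to type on a phone)")
    return problems


def generate_psk(length: int = 20) -> str:
    """Draw characters from the OS CSPRNG and retry until every class is present.
    The retry loop does not bias the result: each accepted key is uniformly
    distributed over the keys that satisfy the policy."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not psk_problems(candidate):
            return candidate


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Upper bound on the entropy of a uniformly random key of this length."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    key = generate_psk()
    print("generated PSK:", key)
    print("problems:", psk_problems(key))
    print(f"8 chars ~ {entropy_bits(8):.1f} bits, 20 chars ~ {entropy_bits(20):.1f} bits")
```

The entropy figures show why the 8-character floor is a minimum rather than a target: with the full 94-symbol alphabet, 8 characters give roughly 52 bits, while 20 give over 130. Since the key is typed once and then stored by the phone, the longer key costs nothing in day-to-day use.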
On Android
- Open Settings > More… > VPN
- Press the + button on the top right corner and choose a name for the VPN connection
- For its type pick L2TP/IPSec PSK (if you have a public static address for your router or DiskStation you can go for the RSA version, which is more secure and supports Always-on, discussed below)
- Enter your DiskStation public address (domain or IP address)
- Skip L2TP secret and identifier but enter the IPSec pre-shared key you chose on the VPN Server
- Press Save
- Now you can connect to the VPN Server using the credentials of one of the DiskStation users allowed in the Privileges section of the VPN Server settings. It may take a while until it connects.
Always-on VPN
Android has an Always-on setting for the VPN that automatically turns on your VPN every time you connect to the network.
Always-on requires an IP address for both Server and DNS setting (ie. domain names don’t work).
Always-on solves this chicken and egg problem: you don’t want to connect to an insecure Wifi network unless the connection is encrypted with a VPN but you can’t use a VPN unless you connect to that very network. Even a brief connection to the Wifi network may signal your apps to transfer data over that insecure network so you want to enable VPN the very moment you connect to the Wifi but your fingers can’t beat the speed of light.
A few notes
- If for whatever reason your VPN fails to connect while you're on a public/insecure network, refrain from using that network, because there might be an attacker forcing your device to fall back to unencrypted communication, which makes it super easy to steal your credentials.
- When using VPN all your communication is encrypted, not just the web traffic (ie. video calls, messaging, etc.) but it does not encrypt traffic that’s usually transmitted over mobile network (ie. phone calls, SMS, MMS).
- If the server supports it, you can use an HTTPS connection so at least your web traffic is encrypted.
- VPN protection is not free. It takes some processing power and battery life from your phone. Besides, the data needs to travel all the way back to your home and from there reach out to the server. This makes the connection slower and adds some lag.
- PPTP gives you very light protection (ie. better than nothing), but if your Synology has a good CPU and you don't mind losing some battery juice on your phone/tablet, go for L2TP/IPSec instead.
- It is recommended to use OpenVPN if you can, but since it imposes more load on the CPU and requires a 3rd party app on your phone, I'm not covering it here. Here is a comparison of the three VPN protocols natively supported on DiskStation. Besides, setting up OpenVPN is not a matter of typing some credentials: you actually have to download a few files, edit some, send them to your phone and then import them into OpenVPN.
- Don’t want to use your DiskStation as a VPN Server? Here is a video for using a Raspberry Pi as a VPN Server and here it is in blog format if that’s your thing.