Using a Synology DiskStation as a VPN server with the built-in Android VPN client

An introduction to VPN

Why?

  1. When using the internet over insecure Wi-Fi networks on your phone/tablet, you can use a VPN connection to route your traffic through your home internet connection.
  2. You can access your home network just as if you were connected to your local Wi-Fi, e.g. you can access your printer, cameras and router.
  3. Escape geo-fenced content: some sites block their content if you access them from a country other than your home country. Using this method you can “pretend” to still be at home!
  4. To work around filtering: governmental/company filtering systems have no way of knowing which sites or content you are accessing. All they see is an encrypted connection.

How?

Don’t ever expose your DiskStation to the internet without enabling the firewall. Even a few minutes is enough for hackers to get into your personal data on the DiskStation.

  • PPTP: less secure, but less hungry on your phone/tablet battery and DiskStation processor
  • L2TP/IPSec: more secure (still not ideal) but requires more processing power on both sides (which also implies draining more battery power).

First create a user only for VPN

  1. Create a user in Control Panel > User that doesn’t have access to any folders, permissions or services, and limit its disk usage quota to 1MB. Note that you need to explicitly deny all permissions. Needless to say, you should choose a long password.
  2. Go to VPN Server > Privileges and uncheck VPN access for all users except the newly created user.

Setting up PPTP

WARNING: PPTP is an obsolete and insecure VPN protocol. It is “better than nothing”, i.e. when connecting to insecure Wi-Fi networks. If you can, aim for L2TP/IPSec, which is also supported natively on Android.

On DiskStation

  1. Go to the PPTP section of VPN Server and enable it.
  2. Choose MSCHAP v2 for authentication (more secure)
  3. Choose Require MPPE for encryption (enforce it, don’t leave it as optional)
  4. Press Apply

On Android

  1. Open Settings > More… > VPN
  2. Press the + button on the top right corner and choose a name for the VPN connection
  3. For its type pick PPTP
  4. Enter your DiskStation public address (domain or IP address)
  5. Enable PPTP encryption (MPPE)
  6. Press Save
  7. Now you can connect to the VPN Server using the DiskStation credentials of one of the users that are allowed in the Privileges section of the VPN Server settings. It may take a while until it connects.

Setting up L2TP/IPSec

On DiskStation

  1. Go to the L2TP/IPSec section of VPN Server and enable it.
  2. Choose MSCHAP v2 for authentication (more secure)
  3. Pick a secure Pre-shared key. It’s hard to type on the phone but once you save it you don’t have to type it again. Use a combination of small and big letters, numbers and ideally some punctuation marks. Pick at least 8 characters.
  4. Press Apply
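
Added example (not from the original article): one way to generate and check a pre-shared key against the rule in step 3, using Python's `secrets` module. The function names, the 20-character default and the punctuation subset used for generation are assumptions of this example.

```python
import math
import secrets
import string

# Classes named in step 3: small letters, big letters, numbers, punctuation.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "punct": string.punctuation,
}
# Assumption: generate only with punctuation that is easy to find on a phone keyboard.
GEN_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def check_psk(psk, min_len=8):
    """Return the rule violations for a candidate key (empty list means it passes)."""
    problems = []
    if len(psk) < min_len:
        problems.append(f"shorter than {min_len} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in psk):
            problems.append(f"no {name} character")
    return problems


def generate_psk(length=20):
    """Draw a key from the OS CSPRNG, retrying until every class is present."""
    if length < len(CLASSES):
        raise ValueError("length too short to contain every character class")
    while True:
        psk = "".join(secrets.choice(GEN_ALPHABET) for _ in range(length))
        if not check_psk(psk, min_len=length):
            return psk


def entropy_bits(length):
    """Approximate entropy of a uniformly random key of this length."""
    return length * math.log2(len(GEN_ALPHABET))


if __name__ == "__main__":
    key = generate_psk()
    print(key, f"(~{entropy_bits(len(key)):.0f} bits)")
    print(f"8 random characters give only ~{entropy_bits(8):.0f} bits")
    print(check_psk("diskstation"))  # constructed weak key, fails three checks
```

Since the key is typed only once on the phone, the longer default costs little; the entropy figure applies only to randomly generated keys, not to human-chosen ones.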

On Android

  1. Open Settings > More… > VPN
  2. Press the + button on the top right corner and choose a name for the VPN connection
  3. For its type pick L2TP/IPSec PSK (if you have a public static address for your router or DiskStation you can go for the RSA version, which is more secure and supports Always-on, discussed below)
  4. Enter your DiskStation public address (domain or IP address)
  5. Skip L2TP secret and identifier but enter the IPSec pre-shared key you chose on the VPN Server
  6. Press Save
  7. Now you can connect to the VPN Server using the DiskStation credentials of one of the users that are allowed in the Privileges section of the VPN Server settings. It may take a while until it connects.

Always-on VPN

A few notes

  • If for whatever reason your VPN fails to connect while you’re on a public/insecure network, refrain from using that network, because there might be an attacker forcing you into unencrypted communication, which makes it super easy to steal your credentials.
  • When using a VPN, all your communication is encrypted, not just the web traffic (i.e. video calls, messaging, etc.), but it does not encrypt traffic that’s usually transmitted over the mobile network (i.e. phone calls, SMS, MMS).
  • If the server supports it, you can use an HTTPS connection so at least your web traffic is encrypted.
  • VPN protection is not free. It takes some processing power and battery life from your phone. Besides, the data needs to travel all the way back to your home and from there reach out to the server. This makes the connection slower and adds some lag.
  • PPTP gives you very light protection (i.e. better than nothing), but if your Synology has a good CPU and you don’t mind losing some battery juice on your phone/tablet, go for L2TP/IPSec instead.
  • It is recommended to use OpenVPN if you can, but since it imposes more load on the CPU and requires a 3rd party app on your phone I’m not covering it here. Here is a comparison of the 3 VPN protocols natively supported on DiskStation. Besides, setting up OpenVPN is not a matter of typing some credentials: you actually have to download a few files, edit some, send them to your phone and then import them into OpenVPN.
  • Don’t want to use your DiskStation as a VPN Server? Here is a video for using a Raspberry Pi as a VPN Server and here it is in blog format if that’s your thing.

Sr. Staff Engineer, Knowledge Worker, MSc Systems Engineering, Tech Lead, Web Developer

Alex Ewerlöf
