How to set up VPN access to my network

[TheLyppardMan]

I have a Synology Diskstation connected to my network via an ASUS RT-AX88U router, both of which offer VPN features. However, knowing very little about how VPNs are set up, I thought I'd better seek some advice here first to point me in the right direction.

Basically, a member of my family is now studying at Brighton University and wants to be able to access his files stored on my Diskstation in the same way he is able to do so where he's at home, i.e., via either Windows Explorer or the Apple equivalent on his Macbook. So the first question I suppose is, which device do I need to set as the VPN server (if that's the right term)? I have tried setting up OpenVPN on my router and was able to log on to it via my Android mobile when off the Wi-Fi network, but that's as far as I got. Any advice (in simple terms please) would be appreciated.

 

[elorimer]

Three steps, now that you are this far.

1. Import the .ovpn config file into the Macbook.
2. Connect to your ovpn server from the Macbook.
3. Browse to the Diskstation the same way as when the Macbook is connected.

I don't use a Macbook so someone else can be more specific. But my Windows PC in a remote location has several datasets on my FreeNAS server mapped and they are available to me when I have the connection going (26 days and counting) just like they are available when I'm on my home network.

 

[PolarBear]

So the first question I suppose is, which device do I need to set as the VPN server (if that's the right term)?

My choice would be to set up OpenVPN server on your router (which I think you have already), rather than on the Synology Diskstation NAS itself.

An advantage of doing it this way is that after your relative logs on remotely, he/she will also be able to print to any networked printer you have at home, as well as accessing your Diskstation NAS. This very convenient when you need hard copy, but do not want to carry a heavy document while travelling back home. Printing in this way will not be possible if you set up OpenVPN server on the Diskstation NAS itself.

It's good to make sure your Diskstation NAS always has the same internal IP address. And if your ISP changes your public IP address frequently, you will need a DDNS server provider. (There are many recent threads concerning this.)

Your relative will also need to install OpenVPN on his/her laptop. As eliromer said, you will have to click the export button on the Asus VPN set up screen, to save the configuration file (normally this is called client.ovpn) on the user's Mac or PC. On a PC the configuration file should be saved here:
C:\Program Files\OpenVPN\config\client.ovpn

Because of Windows access rights, you may have to copy it first to a temporary location on the PC, then figure out a way to get it into the folder mentioned above.

It's important that both the OpenVPN server on the router, and the OpenVPN client on the laptop use the same settings. But if you export the config file from the router and save it on the laptop, this is done automatically.

There is a lot of information on the forum about the best settings for OpenVPN but the most important IMHO are to choose TUN (not TAP) and UDP (not TCP). These are I think the default settings in Merlin.

There are a lot of bad guys on the Internet who try to break into OpenVPN on routers, so you may want to make sure you use a non-standard adminstrator user name on the router (*not* admin) and a complicated password (16 characters max).

It's also good to change the port used away from the default 1194, but maybe this is a refinement you can do after you have got it all up and running.

If your relative is using a Windows PC to access the Diskstation NAS, he/she should map it in Windows using its internal IP address rather than its host name (for example, using \\192.168.x.y instead of \\DISKSTATION or similar). After starting OpenVPN and connecting remotely, the server drives can then be accessed in Windows Explorer exactly as at home. On the other hand, mapping in Windows using the server name (e.g. \\DISKSTATION) has not worked as smoothly for me.

I use this setup very frequently and it works fine. Speed is of course slower than when accessing the NAS from at home, because it is limited by the *upstream* speed of your Internet connection. But for light/medium usage, it's fine and much more convenient than carrying around paper.

As eliromer said, it's very stable and the OpenVPN connection stays up for days without any problem.

 

[Butterfly Bones]

There is no native OpenVPN client for MacBook, however the VPN Server section has information and a link Asus support that links to a third party app for MacOS (named Tunnelblick) that has complete instructions and works very well.

Here is the link to Asus support and instructions.
https://www.asus.com/support/FAQ/1004472

 

[RMerlin]

Tunnelblick works fine with Asuswrt-Merlin, I have a few customers that uses it.

 

[martinr]

Hardly for me to vouch for what Merlin says, but my brother set up Tunnelblick on his MacBook in order to make use of the OpenVPN server on my router, and it was both simple and effective.

 

[TheLyppardMan]

Thanks everyone for this. It will be very useful to refer to when setting this up.

 

[TheLyppardMan]

Just one more question (for now at least) - if I add additional users to the VPN, do I have to re-export a new OVPN file for everyone?

 

[elorimer]

Just one more question (for now at least) - if I add additional users to the VPN, do I have to re-export a new OVPN file for everyone?

Two answers to that. First, you can have multiple users connected under the same user name. So I don't think you need to add additional users to the VPN unless you want to separate them/track them for some reason, like different routes or access rights. So, your college kid probably has good internet and doesn't want you to see what he's surfing, so that user will probably want a LAN only configuration. You may want a VPN to access the net from and insecure location. Of course, that can also be done by editing the .ovpn file.

Second, you don't need to re-export a new OVPN file when you add users, since user/password aren't exported. If you later edit the .ovpn file to add user/password information you might need to change that if you use it for another user.

 

[TheLyppardMan]

Two answers to that. First, you can have multiple users connected under the same user name. So I don't think you need to add additional users to the VPN unless you want to separate them/track them for some reason, like different routes or access rights. So, your college kid probably has good internet and doesn't want you to see what he's surfing, so that user will probably want a LAN only configuration. You may want a VPN to access the net from and insecure location. Of course, that can also be done by editing the .ovpn file.

Second, you don't need to re-export a new OVPN file when you add users, since user/password aren't exported. If you later edit the .ovpn file to add user/password information you might need to change that if you use it for another user.

OK thanks, that's useful to know.

I do have another query now however. I am experimetning with remote access for my router and not surprisingly, a warning message popped up about security after the ASUS app on my Android mobile made the necessary changes. It did say a better way would be to use a VPN. Following this, I did think that if I logged on to the VPN, I would be able to access the router via the ASUS app, but it doesn't work (it just says that the router is unreachable). Do you, or anyone who reads this thread, know how to set this up?

 

[elorimer]

I don't use the app at all, so this is for someone else to respond. Tried it once and, meh, not worth the risks. I use a laptop to make a VPN connection and do everything through a browser. Mostly, though, I'm using ssh and WinSCP.