Setting up a VPN and Remote Desktop back into your home with a Synology (from an iPhone)
It's amazing that I can basically be my own IT Department. The kinds of things we can do in our homes as individuals with off-the-shelf hardware would have needed an IT Dept of a dozen just 10 years ago, ya know? Amazing.
I wanted to be able to VPN into my home and remotely access my machines and files. I do very much realize there are a lot of different options to do this, and have been for years. From GoToMyPc to Hamachi, again, there's dozens of ways. I wanted a VPN solution I could use on my iPhone/iPad and Surface. I wanted it to be standards-based and not require any additional software installations.
I have a Synology 1511+ NAS appliance and I love it. It's not just a file server; it's an everything server in my house. I use it for Plex, it hosts my files and photos, it manages my surveillance cameras and acts as a camera DVR, it runs a Minecraft Server, it's a Git server, it even runs Docker.
The Synology will act as my VPN server as well.
Here's how I set up four things: the Synology, my router, my iOS device, and my Windows PC/Surface.
The result is I can now remote into my home and manage things from any device I own.
Setting up a Synology for L2TP VPN
First, in the Synology Package Manager, ensure that you've got the Synology VPN Server package installed and running.
You should give some thought as to which VPN technique you want to use. I decided on L2TP, although there is some concern the NSA has weakened it. Benefits are that it's on all major platforms, it's generally considered secure, and it's easy to set up.
Select L2TP (or whatever you want), and Enable it. Notice also that I selected my INTERNAL DNS server. I found this worked best for me when trying to access internal resources. You can also set up a hosts file if you only want to hit a few things inside your house.
Now click on Privilege. Just give the minimum privileges to the user that needs them. NO need to give VPN access to users who won't use it.
Set up your Router for VPN (L2TP)
My router is a Linksys WRT1900ac that I like very much. It supports port forwarding, and the Synology can often talk directly to a router and request open ports. However, there's something to be said for handling things yourself. It lets you know exactly what's going on, and it can be less of a "black box."
Log in to your router and, in the case of L2TP, forward UDP ports 1701, 500, and 4500. On my Linksys, it's under Security, Apps and Gaming.
The Device IP is the internal IP address of your Synology. It's best to have your Synology use a static IP address, or at least a DHCP reservation, so this IP doesn't change and things stop lining up.
Also, ensure that your Router is passing L2TP traffic as well. I changed this under Security.
At this point, you should be able to at least try to connect to your house via VPN. I did this as a quick test by taking my iPhone off the wireless networking (thereby being on the open internet) and VPN'ing back in.
If you succeed, you should be able to see yourself in the VPN Server | Connection List area on your Synology.
Here's what I did on my iDevice to setup VPN.
Setting up iOS/iPhone/iPad for VPN
From the iOS Settings app, go General | VPN. Touch Add VPN Configuration. I selected L2TP and put in my Server name or IP and named the account "home."
NOTE: If you don't want to use your IP address, you can use the Synology.me dynamic DNS feature built into your Synology, or any one of many dynamic DNS systems that will give you a nice domain like "myhanselmanhouse.foofoo.com" or whatever. You can also, if you like, set up a CNAME with your own domain and point it to that dynamic domain. So vpn.hanselman.com could be your server, if you wanted.
With L2TP you'll need your username and password, as well as a Shared Secret. That's like another password. Specifically the Secret text box in iOS is the "pre-shared key" from your Synology L2TP VPN setup.
At this point you'll get a nice VPN option on your Settings app under Personal Hotspot that wasn't there before. You can turn it on and off now, easily.
Once I'm VPN'ed in I can see a [VPN] indicator in the top status bar. I've installed the FREE Microsoft Remote Desktop Client for iOS.
And here's me VPN'ed into my home PC from my iPhone. This of course, can be done on Android and Windows Phone as well.
It looks small, but in reality it's very usable, especially from an iPad with a Bluetooth Keyboard.
Setting up L2TP VPN on Windows 8.1
Now I'll set up VPN back to home on my Windows 8.1 machine. For some reason this was super easy in Windows 7, but in Windows 8.1 there isn't a clear way to just add an L2TP VPN. You can add other simpler (or vendor) VPNs in a straightforward manner, but not L2TP.
Just hit the Windows key (or Start Menu) and type "Add VPN." When you get to the VPN management screen, you'll see this and can fill it out.
But L2TP VPN setup with a pre-shared key requires some more work. If you know of a simpler way, let me know. I can see about three different ways to get to the same result.
Go ahead and create a new VPN connection with the menu above. Select Microsoft as the VPN type and put in your server address and, optionally, your username and password. This will create the VPN connection.
Pay attention now. Go back to the Start Menu and type "Network Connection." You want the first item called "View Network Connection" (a classic control panel, not a fullscreen 'metro' one).
From there, you'll open a classic control panel and see your VPN connection. Right click and click Properties.
Click Security, make sure L2TP is set, then click Advanced Settings.
Put your pre-shared key there.
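The same L2TP/IPsec connection with a pre-shared key can be created from PowerShell instead of clicking through the classic Network Connections control panel. This is an added example, not something from the post: it assumes a connection named "home" (matching the iOS setup above), a placeholder server name of vpn.example.com that you replace with your IP, Synology.me name or CNAME, and that the pre-shared key and the username come from the Synology VPN Server's L2TP settings and Privilege tab. Run it in an elevated PowerShell on Windows 8.1 or later.

```powershell
# Added example (not from the post): create an L2TP/IPsec VPN connection with a PSK.
# Assumptions: connection name "home", server "vpn.example.com" (placeholder),
# PSK and user from the Synology VPN Server > L2TP/IPSec settings.

$name   = "home"
$server = "vpn.example.com"   # replace with your IP, Synology.me name or CNAME

# Prompt for the shared secret rather than leaving it in a script file on disk.
$psk = Read-Host -Prompt "Pre-shared key from the Synology L2TP settings"

Add-VpnConnection -Name $name `
    -ServerAddress $server `
    -TunnelType L2tp `
    -L2tpPsk $psk `
    -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required `
    -RememberCredential `
    -Force

# Confirm the tunnel type and that IPsec is set to PSK authentication.
Get-VpnConnection -Name $name |
    Select-Object Name, ServerAddress, TunnelType, L2tpIPsecAuth, EncryptionLevel

# Dial it. Replace the user with the Synology account you granted VPN privilege;
# the "*" makes rasdial prompt for the password instead of putting it on the command line.
rasdial $name "synology-vpn-user" *
```

Once connected, the VPN Server | Connection List on the Synology should show the session, exactly as it did for the iPhone test earlier.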
Connect to your home VPN and have fun
Of course, please do remember to use strong passwords, strong pre-shared keys, and change them. Don't be lazy.
At this point you can connect to your home/office and work to your heart's content.
For some of you this is "duh" or old hat, but for me it was something I just never got around to doing. Mostly laziness prevented. But just last week I had to drive 30 miles back to my house from a dinner in order to move a file from my Desktop into Dropbox. I'm pretty sure I'm not the only reasonably smart techie with a story like that. This VPN setup would have meant I could do that from my phone and it would have saved me a big hassle and over an hour of my time.
About Scott
Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.
"so vpn.hanselman.com could be your server, if you wanted"
is it first come first served? :P
Cheaper is an odroid c1 (35$) with ARM Linux + SoftEther VPN Server or OpenVPN.
SoftEther has a nice GUI and supports OpenVPN clients, L2TP, SSTP etc.
eg: My LAN has 192.168.1.x
Synology VPN clients get 10.0.0.x
they are therefore cut off from the LAN.
however, if the Synology runs DHCP it's able to distribute an internal IP: 192.168.1.x
I'm using Tonido since they removed the necessities to pay for personal use
Martin, that's true, BUT change the IP address range and have perhaps, 200 IPs for home in one range and 10 or so for VPN, and they can all be on the same network. Mine are 10.2.x.x, and it works fine.
Chrome Remote Desktop is fine for machine access, but I want/wanted complete network access to multiple machines.
"create a new DWORD (32-bit) key AssumeUDPEncapsulationContextOnSendRule at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent and set its value to 2 since both the client and the server were behind NAT devices."
I guess you didn't have this issue this time round as the screenshots suggest you had already gone through the process of setting up your VPN to MS.
Source of fix:
http://www.carecom.de/en/blog/hm/blog/trouble-connecting-to-home-network-from-windows-8-1-vpn-client-via-synology-diskstation
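The registry fix quoted in the comment above is the standard Windows setting for L2TP/IPsec clients when NAT sits between the client and the server. As an added example, not code from the post or the commenter, here it is applied from an elevated PowerShell, reading the current value first so you can see whether it is actually the problem before changing anything. The only assumption is the key path and value name exactly as quoted in the comment.

```powershell
# Added example (not from the post or the comment): apply the NAT-T registry setting
# quoted above, checking the current value first.
# Meaning of the DWORD, per Microsoft's documentation for this value:
#   0 (or absent, the default): the client will not build an IPsec SA to a server behind NAT
#   1: assume UDP encapsulation when the server is behind NAT
#   2: assume UDP encapsulation when both client and server are behind NAT (typical home case)
# A reboot is required for the change to take effect.

$path = "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent"
$name = "AssumeUDPEncapsulationContextOnSendRule"

$current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    Write-Host "$name is not set (Windows behaves as if it were 0)."
} else {
    Write-Host "$name is currently $current."
}

if ($current -ne 2) {
    # New-ItemProperty creates the DWORD; -Force overwrites an existing value of any type.
    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 2 -Force | Out-Null
    Write-Host "Set $name to 2. Reboot, then retry the L2TP connection."
} else {
    Write-Host "Already set to 2; the NAT-T setting is not what is blocking the connection."
}
```

If the value was already 2 and the connection still fails, look back at the router side first: the UDP 500/4500/1701 forwards and the L2TP passthrough setting from the earlier section.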
You can easily set up a RDC without using a VPN. Is there an added value to the VPN ?
Also: yes, the Syno can set up port forwarding on your router, but that requires that you enable UPnP on the router, which is a very very bad idea: any malware you download will be able to use that to open ports on your router.
If DHCP is done by the router, in my experience, you can't "see" any device on the home LAN, and you have to remember their IP address, right?
+1 for the comments around securing the connection from a public hotspot.
I have an issue and I guess it is related to my router. I can forward the ports but I do not have this option "VPN passthrough". Checking UDP ports is not easy, I did it with nmap and 1 in the 3 ports is contacted.
So what is the purpose of this function "VPN passthrough" compared to the standard port forwarding? (never had it before)
I did not find it in the documentation of my current router. I will contact the vendor.
Bonus points for bringing a smile to my face when I saw the GeForce Experience pop-up on your remote desktop screenshot, since I worked on that project when I was still at NVIDIA :-)
Although I did have this queued as one of future steps I want to thank Dinos Christou for making me try it. Great community!
tl;dr My issue was also the "AssumeUDPEncapsulationContextOnSendRule" registry option.
Got it running on my Synology (well now it's XPEnology running in a VM but same thing)
You said you point the VPN to your internal DNS server. Is that a hardware server or is it Synology running DNS?
Rob