Evacuating office - need to set up telecommuting


PacketWithA_Racket

New Around Here
Covid has forced us to empty the office and work from home. I have been tasked with setting up a VPN tunnel but have not managed to get it working yet. I can connect to the work server by VPN but not access the shared files.

Our setup:
* Synology Diskstation 1517
* Netgear R8000
* A cable modem from our cable provider. The router in this is set to bridge mode.
* Everyone is on Mac

Static IP Synology NAS (Set by router): 10.0.0.20
This is set as the network interface of the VPN, LAN 1. This is also set as Default gateway in the NAS.

Range of VPN incoming connections: 10.20.0.0
Permissions are OK
Ports 1701, 4500 and 500 are forwarded in the router
Synology provides DDNS for the NAS

I have succeeded in connecting remotely to the NAS with both OpenVPN and L2TP/IPSec. Currently I have it set to L2TP/IPSec to make it easier to set up on Mac. Connections are stable but I have not been able to actually access any of the shared folders on the NAS.
From what I understand they should be found at their original location: smb://10.0.0.20/FOLDER

I have tried the following:
* Two different routers. An Asus and the above Netgear
* Turning off the firewall in the client computer
* The firewall on the Synology has been opened up to both the 10.0.0.0 and 10.20.0.0 ranges
* amongst others

I have checked everything I could think of and am out of ideas. I would be very grateful for any advice/suggestions that can get us sharing files again in a convenient (and safe) way.

Stay safe everyone! And don't forget to wash your hands.
 

System Error Message

Part of the Furniture
It depends for your VPN on where your resources are hosted. You'll either have a VPN server in public or LAN depending on where your resources are.

If you have your own servers like VPS, dedicated servers, etc including services that are tied to datacenters, then at least use a VPS as a VPN server, otherwise you can set it up in your LAN.
When you set up a VPN server, please avoid all VPN routers, they suck at VPN. Cisco pro has dropped significantly in quality as well. Set up a Unix/Linux server as a VPN server, configure it, it'll be faster and better.

Netgear routers tend to suck, same reason as to why Cisco sucks too. Might sound personal but it's based on direction, it's why you should not let the feds sneak staff in to install backdoors in your products.

My suggestion is that you can try using Asus with RMerlin firmware, as his firmware has better VPN support, but the best is still an x86 Linux server with relevant CPU acceleration. It highly depends on your internet speeds. If you have hundreds of Mb/s of bandwidth and want VPN at those speeds then use x86 as it's a lot faster than an ASUS router for that.

Please do not use your NAS as the router. When you set up a VPN server, that server also acts as a router, that's why it's good to use configurable routers. Simplest way for me is to NAT VPN clients, because regardless of static IPs or not, there are 2 IPs to go through, requiring some routing to be set up. Routing requires the clients to have the route set up for them too, so NAT means only needing to configure the router instead. Some consumer routers will do this for you though, or just give the client an IP and use the same LAN IP it has as the gateway IP too.

Synology is good at being a NAS; they aren't great at being a complicated router. Make sure your subnets are correct too.
 

helio58

Regular Contributor
Covid has forced us to empty the office and work from home. I have been tasked with setting up a VPN tunnel but have not managed to get it working yet. I can connect to the work server by VPN but not access the shared files.

Our setup:
* Synology Diskstation 1517
* Netgear R8000
* A cable modem from our cable provider. The router in this is set to bridge mode.
* Everyone is on Mac

Static IP Synology NAS (Set by router): 10.0.0.20
This is set as the network interface of the VPN, LAN 1. This is also set as Default gateway in the NAS.

Range of VPN incoming connections: 10.20.0.0
Permissions are OK
Ports 1701, 4500 and 500 are forwarded in the router
Synology provides DDNS for the NAS

I have succeeded in connecting remotely to the NAS with both OpenVPN and L2TP/IPSec. Currently I have it set to L2TP/IPSec to make it easier to set up on Mac. Connections are stable but I have not been able to actually access any of the shared folders on the NAS.
From what I understand they should be found at their original location: smb://10.0.0.20/FOLDER

I have tried the following:
* Two different routers. An Asus and the above Netgear
* Turning off the firewall in the client computer
* The firewall on the Synology has been opened up to both the 10.0.0.0 and 10.20.0.0 ranges
* amongst others

I have checked everything I could think of and am out of ideas. I would be very grateful for any advice/suggestions that can get us sharing files again in a convenient (and safe) way.

Stay safe everyone! And don't forget to wash your hands.
You can run OpenVPN on Synology and port forward the router to the Synology OpenVPN port. We used it that way, works great.
 

PacketWithA_Racket

New Around Here
You can run OpenVPN on Synology and port forward the router to the Synology OpenVPN port. We used it that way, works great.

Yes, I have successfully established remote connections to the NAS using both OpenVPN and L2TP/IPSec. The tunnel itself works fine. Problem is that I have not been able to open any shared folders using a VPN tunnel. Any ideas on what I need to do in order to get the last step working?
 

PacketWithA_Racket

New Around Here
It depends for your VPN on where your resources are hosted. You'll either have a VPN server in public or LAN depending on where your resources are.

If you have your own servers like VPS, dedicated servers, etc including services that are tied to datacenters, then at least use a VPS as a VPN server, otherwise you can set it up in your LAN.
When you set up a VPN server, please avoid all VPN routers, they suck at VPN. Cisco pro has dropped significantly in quality as well. Set up a Unix/Linux server as a VPN server, configure it, it'll be faster and better.

Netgear routers tend to suck, same reason as to why Cisco sucks too. Might sound personal but it's based on direction, it's why you should not let the feds sneak staff in to install backdoors in your products.

My suggestion is that you can try using Asus with RMerlin firmware, as his firmware has better VPN support, but the best is still an x86 Linux server with relevant CPU acceleration. It highly depends on your internet speeds. If you have hundreds of Mb/s of bandwidth and want VPN at those speeds then use x86 as it's a lot faster than an ASUS router for that.

Please do not use your NAS as the router. When you set up a VPN server, that server also acts as a router, that's why it's good to use configurable routers. Simplest way for me is to NAT VPN clients, because regardless of static IPs or not, there are 2 IPs to go through, requiring some routing to be set up. Routing requires the clients to have the route set up for them too, so NAT means only needing to configure the router instead. Some consumer routers will do this for you though, or just give the client an IP and use the same LAN IP it has as the gateway IP too.

Synology is good at being a NAS; they aren't great at being a complicated router. Make sure your subnets are correct too.

Thanks! I would preferably want to get this working without buying new equipment. A new install of everything usually ends up being more time consuming than one first anticipates. There is a lot of other stuff we need to focus on at the moment in order to stay afloat.

I assume the best place to assign the client a static IP would be in the router (based on MAC address)? Would this require setting up a static route in the Diskstation in order to work? Or is there some other method?
 

distilled

Senior Member
I would be very grateful for any advice/suggestions that can get us sharing files again in a convenient (and safe) way.

In your OpenVPN config, are you using TUN or TAP to route SMB? You might give that a change.

OpenVPN works fine on Mac, BTW.
 

Klueless

Very Senior Member
In your OpenVPN config, are you using TUN or TAP to route SMB? You might give that a change.
Good point. TUN works at the router level, e.g., two separate and different subnets, so you've got that routing, port forwarding and/or firewall stuff to mess with. It's the "right" thing to do but it's over my head.

TAP makes clients look like they're on the same LAN as the host services, e.g., just like they're at the office. If TAP works then you'll have a better idea where to focus your attention when you go back to TUN.

Myself, I'm such a novice, I wound up using PPTP because 1.) it also makes the clients look like they're at the office (e.g., same subnet) and 2.) because the client software was already built into Windows.

Good Luck!

EDIT: OK, forget my silly post. I just reread yours and see you're already playing with L2TP? But I'm confused; you still document incoming connections as coming from 10.20.0.0?
 

helio58

Regular Contributor
Yes, I have successful established remote connections to the NAS using both OpenVPN and L2TP/IPSec. The tunnel itself works fine. Problem is that I have not been able to open any shared folders using a VPN tunnel. Any ideas on what I need to do in order to get the last step working?
I suggest just using OpenVPN. Restart Synology. If using Mac, use Tunnelblick as client. Access shares with IP address.
 

PacketWithA_Racket

New Around Here
I suggest just using OpenVPN. Restart Synology. If using Mac, use Tunnelblick as client. Access shares with IP address.
I have tried OpenVPN. Ran into the same problems as with L2TP/IPSec. It connected fine but I could not access shared folders.

Edit: I just noted. Does the Synology need a proper restart? That is one of the few things I have not tried.
 

System Error Message

Part of the Furniture
Thanks! I would preferably want to get this working without buying new equipment. A new install of everything usually ends up being more time consuming than one first anticipates. There is a lot of other stuff we need to focus on at the moment in order to stay afloat.

I assume the best place to assign the client a static IP would be in the router (based on MAC address)? Would this require setting up a static route in the Diskstation in order to work? Or is there some other method?
No need, I just set a blanket NAT over the IP range for VPN clients. This solves the problem for me while I use DHCP.
 

System Error Message

Part of the Furniture
Could you point me towards some reading on how to do this? I have never had to deal with NAT and such before.
My experience is with MikroTik. Basically your VPN clients are all part of some network which you NAT so your office LAN looks like the internet to it, in terms of how to treat it. It works as long as you aren't hosting remotely (basically not the server joining the VPN). Depending on how your server or router implements it, you gain an additional route when you use VPN, which is the VPN server itself before going to the next network.

It's like this:
typical home net : client -> router (NAT) -> internet
VPN : client -> router (VPN) -> router (LAN) -> LAN

So if you NAT connections for the client it can use the server's internal address instead, so you won't have to worry about that additional step in routing. On MikroTik that tends to be the case, but on some routers it will have the same IP, not requiring this.

Example for Linux: https://serverfault.com/questions/377137/using-iptables-to-nat-vpn-clients-to-internet
On MikroTik it's as easy as setting NAT for VPN clients like you do for LAN clients to the internet, only you're setting the NAT to LAN instead.
 

Klueless

Very Senior Member
My experience is with MikroTik. Basically your VPN clients are all part of some network which you NAT so your office LAN looks like the internet to it, in terms of how to treat it. It works as long as you aren't hosting remotely (basically not the server joining the VPN). Depending on how your server or router implements it, you gain an additional route when you use VPN, which is the VPN server itself before going to the next network.

It's like this:
typical home net : client -> router (NAT) -> internet
VPN : client -> router (VPN) -> router (LAN) -> LAN

So if you NAT connections for the client it can use the server's internal address instead, so you won't have to worry about that additional step in routing. On MikroTik that tends to be the case, but on some routers it will have the same IP, not requiring this.

Example for Linux: https://serverfault.com/questions/377137/using-iptables-to-nat-vpn-clients-to-internet
On MikroTik it's as easy as setting NAT for VPN clients like you do for LAN clients to the internet, only you're setting the NAT to LAN instead.
This kind of brings me back to my question.
Yes, logs show VPN client at 10.20.0.x
Yet your host is 10.0.0.20 which implies your office LAN is 10.0.0.X but your VPN clients are coming in at 10.20.0.X? Two different networks. But I thought L2TP was all layer 2 meaning VPN clients should all be members of the host network?

I think this brings us back to firewalls and such or "System Errors" idea of trying to reconcile addressing with NAT?

Many apologies for adding to the confusion!
 

PacketWithA_Racket

New Around Here
This kind of brings me back to my question.

Yet your host is 10.0.0.20 which implies your office LAN is 10.0.0.X but your VPN clients are coming in at 10.20.0.X? Two different networks. But I thought L2TP was all layer 2 meaning VPN clients should all be members of the host network?

I think this brings us back to firewalls and such or "System Errors" idea of trying to reconcile addressing with NAT?

Many apologies for adding to the confusion!

Thing is that the Synology NAS requires a different IP range for the IP-server. It is not possible to set this to the server LAN. Clients then get assigned IP numbers from this range. Also in these settings one picks the host LAN, and there I of course select the correct one. I am starting to believe that the NAS, for some strange reason, does not connect these two as it should.
 

Klueless

Very Senior Member
Thing is that the Synology NAS requires a different IP range for the IP-server. It is not possible to set this to the server LAN. Clients then get assigned IP numbers from this range. Also in these settings one picks the host LAN, and there I of course select the correct one. I am starting to believe that the NAS, for some strange reason, does not connect these two as it should.
Oh wow, that strikes me as a bit bizarre, I had no klue. So the NAS is kinda like its own embedded router talking between clients on office subnet 10.20 and itself on subnet 10.0. (Reminds me of the old Novell Servers from a couple generations ago.) Thank you for taking the time to explain.

So the office LAN is 10.20.x.x. and clients are coming in as 10.20.x.x. It's just the NAS that sits on 10.0.0.20. I never knew that. And you gotta be right 'cause everything works at the office.

I gotta tap out. As long as the subnet masks are something like 255.255.0.0 or 255.255.255.0 (and not 255.0.0.0) then I have no klue.
 

System Error Message

Part of the Furniture
Oh wow, that strikes me as a bit bizarre, I had no klue. So the NAS is kinda like its own embedded router talking between clients on office subnet 10.20 and itself on subnet 10.0. (Reminds me of the old Novell Servers from a couple generations ago.) Thank you for taking the time to explain.

So the office LAN is 10.20.x.x. and clients are coming in as 10.20.x.x. It's just the NAS that sits on 10.0.0.20. I never knew that. And you gotta be right 'cause everything works at the office.

I gotta tap out. As long as the subnet masks are something like 255.255.0.0 or 255.255.255.0 (and not 255.0.0.0) then I have no klue.
Check your routes on the NAS, also consider NATing as I mentioned. From VPN net to LAN, NAT source. If this doesn't work you can try NAT the other way round.

Client thinks your office LAN is internet so doesn't route through. Must also check server routes too.

Edit: I finally remembered how I set mine up. I NAT LAN to VPN instead. My setup had both VPN and LAN sharing the same subnet, though not sharing L2 despite using L2TP. What you don't understand is that L2TP initiates the tunnel on layer 2 as well but does not forward L2, as VPNs are layer 4. Layer 2 tunneling does not work over the internet, so if you want to pass layer 2 (highly not recommended) you will need to either proxy or NAT layer 2, as you cannot forward to IP but through interface, as a VPN client won't have a MAC but will have an interface.

So in my setup I had the clients with DHCP and the same network, but I had to NAT LAN to VPN. For your case, since you have 2, you may have to NAT both sides and port forward, making it complicated. The easiest way is to add routes from LAN to VPN on server and router, and also on your client from VPN to LAN. This requires adding static route configs.

If you can get your hands on MikroTik, it's pretty easy to set up all sorts of complicated stuff there, but you can also give VPN on other devices a try. Synology is very good for files but doesn't do well on software.
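The "add routes" versus "NAT VPN clients" reasoning in this post and in the earlier MikroTik post, as an added example that is not part of the thread and not Synology's or MikroTik's code: a small Python next-hop model of the topology described (office LAN 10.0.0.0/24, NAS 10.0.0.20 terminating the VPN, client pool 10.20.0.0/24). It assumes /24 masks, a router at 10.0.0.1, a NAS tunnel address of 10.20.0.1, a second LAN host 10.0.0.30, a client 10.20.0.5 and an ISP next hop 203.0.113.1, all constructed for the example.

```python
# Added example, not from the thread: next-hop model of the setup above. Constructed values: /24 masks,
# router 10.0.0.1, NAS 10.0.0.20 with tunnel address 10.20.0.1, LAN PC 10.0.0.30, client 10.20.0.5, ISP 203.0.113.1.
from ipaddress import ip_address, ip_network

class Host:
    def __init__(self, name, addrs, routes):
        self.name, self.addrs = name, {ip_address(a) for a in addrs}
        # routes: (network, next_hop); next_hop None means directly connected
        self.routes = [(ip_network(n), ip_address(g) if g else None) for n, g in routes]

    def next_hop(self, dst):
        """Longest-prefix match; returns (network, gateway) or None."""
        best = None
        for net, gw in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return best

def deliver(hosts, sender, dst, max_hops=8):
    """Names of hosts a packet traverses from `sender` to `dst`, or None if dropped."""
    dst = ip_address(dst)
    by_addr = {a: h for h in hosts.values() for a in h.addrs}
    cur, path = sender, [sender.name]
    for _ in range(max_hops):
        if dst in cur.addrs:
            return path
        match = cur.next_hop(dst)
        nxt = by_addr.get(dst if match[1] is None else match[1]) if match else None
        if nxt is None:  # no route, or handed to the ISP, which knows nothing of 10.20.0.0/24
            return None
        cur, path = nxt, path + [nxt.name]
    return None

def build_topology(router_static_route=False):
    # router_static_route=True models adding "10.20.0.0/24 via 10.0.0.20" on the office router
    router_routes = [("10.0.0.0/24", None), ("0.0.0.0/0", "203.0.113.1")]
    if router_static_route:
        router_routes.append(("10.20.0.0/24", "10.0.0.20"))
    return {
        "router": Host("router", ["10.0.0.1"], router_routes),
        "nas": Host("nas", ["10.0.0.20", "10.20.0.1"], [("10.0.0.0/24", None),
                    ("10.20.0.0/24", None), ("0.0.0.0/0", "10.0.0.1")]),
        "pc": Host("pc", ["10.0.0.30"], [("10.0.0.0/24", None), ("0.0.0.0/0", "10.0.0.1")]),
        "client": Host("client", ["10.20.0.5"], [("10.20.0.0/24", None),
                       ("10.0.0.0/24", "10.20.0.1")]),
    }

def reply_path(router_static_route=False, snat_on_nas=False):
    """LAN PC's reply path to the VPN client (None = dropped); snat_on_nas models the NAS
    rewriting the client's source address to 10.0.0.20, the 'NAT VPN clients to LAN' idea above."""
    hosts = build_topology(router_static_route)
    path = deliver(hosts, hosts["pc"], "10.0.0.20" if snat_on_nas else "10.20.0.5")
    if path is not None and snat_on_nas:
        path.append("client")  # the NAS undoes the translation toward its VPN peer
    return path
```

The model only covers IP forwarding: it shows the NAS itself has a return path to the client in every case, so a share on the NAS failing while the tunnel is up is not explained by routing alone and still points at the NAS firewall or SMB settings the thread mentions.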
 
