OpenVPN dysfunctional on my Synology DS118 NAS


CSharpDev

I have been having this issue recently with OpenVPN on my DS118 NAS:







I successfully log into the VPN, am authenticated and then I map, say, 2 network shares the given user has access to, and then I log out of the VPN, disconnect from it, reboot the PC or VM (for testing purposes) and then lo and behold, I can access the network shares WITHOUT having to log into the VPN first.



There's no way this is normal. And when I look at what's happening inside the Synology Admin Center, when I log into the local user account on the given PC, Synology says the given NAS user account is connected to the NAS via SMB3 so basically from the File Explorer (since I previously mapped those 2 network shares, they are NOT crossed out with a red "X" symbol in File Explorer when I'm not connected to the VPN even tho they SHOULD be and I SHOULD be UNABLE to connect to them without being connected to the VPN first)



Can someone please help?
 

Are you connected to the same LAN the NAS is on?
 

> There's no way this is normal. And when I look at what's happening inside the Synology Admin Center, when I log into the local user account on the given PC, Synology says the given NAS user account is connected to the NAS via SMB3 so basically from the File Explorer (since I previously mapped those 2 network shares, they are NOT crossed out with a red "X" symbol in File Explorer when I'm not connected to the VPN even tho they SHOULD be and I SHOULD be UNABLE to connect to them without being connected to the VPN first)

This depends on exactly how you have your VPN configured.

Your SMB network shares are generally not affected by any VPN. The VPN operates between your configured device/s and the internet (WAN). Your SMB shares operate on your local network (LAN).

BTW: The Synology Admin Center as you call it, is actually Disk Station Manager or DSM for short.
 

> This depends on exactly how you have your VPN configured.
>
> Your SMB network shares are generally not affected by any VPN. The VPN operates between your configured device/s and the internet (WAN). Your SMB shares operate on your local network (LAN).
>
> BTW: The Synology Admin Center as you call it, is actually Disk Station Manager or DSM for short.

Yeah you're right sorry about the terminology mixup

How is this secure tho? The fact that SMB network shares no longer need authentication into them once you've authenticated into them once? If the PC isn't on a LAN, I don't think you should be able to access the SMB network shares' content without the VPN
 

> This depends on exactly how you have your VPN configured.
>
> Your SMB network shares are generally not affected by any VPN. The VPN operates between your configured device/s and the internet (WAN). Your SMB shares operate on your local network (LAN).
>
> BTW: The Synology Admin Center as you call it, is actually Disk Station Manager or DSM for short.

Btw in terms of how I have my VPN configured, please have a look at that video I've linked to in the OP, that's exactly how I have it configured, followed him step-by-step
 

Your PC is always connected to a LAN as soon as you plug it into a router.

The VPN controls traffic to/from the internet (WAN or Wide Area Network), it does not control traffic to/from your LAN (Local Area Network).

Your SMB shares need to be authenticated on your PC and on the NAS (both on your LAN), they do not need to be authenticated to your VPN.

Note: I don't see any video links or otherwise in your first post?

> Your PC is always connected to a LAN as soon as you plug it into a router.
>
> The VPN controls traffic to/from the internet (WAN or Wide Area Network), it does not control traffic to/from your LAN (Local Area Network).
>
> Your SMB shares need to be authenticated on your PC and on the NAS (both on your LAN), they do not need to be authenticated to your VPN.
>
> Note: I don't see any video links or otherwise in your first post?

Sorry if it was missing
 

Go back and watch that video again from the ~18 Minute mark. He has some important info to share then.

You are essentially connecting the Synology DDNS service to the VPN, which is the reverse of how you would normally set up a VPN. Also, your PC is not connected to the VPN until you enter the address he gives you into the browser, and then it only controls the traffic to/from your browser.

None of this affects your LAN at all. It does give you access to your LAN in a limited way from the WAN, which again, is the reverse of a usual VPN setup.

If you log in via the OpenVPN software on the PC, then the PC is connected to the WAN via the VPN, but again, that does not affect your LAN.
 

> Go back and watch that video again from the ~18 Minute mark. He has some important info to share then.
>
> You are essentially connecting the Synology DDNS service to the VPN, which is the reverse of how you would normally set up a VPN. Also, your PC is not connected to the VPN until you enter the address he gives you into the browser, and then it only controls the traffic to/from your browser.
>
> None of this affects your LAN at all. It does give you access to your LAN in a limited way from the WAN, which again, is the reverse of a usual VPN setup.
>
> If you log in via the OpenVPN software on the PC, then the PC is connected to the WAN via the VPN, but again, that does not affect your LAN.

So how do I set it up if I want the SMB shares to NOT be able to be opened unless I am authenticated into the VPN?
 

As far as I am aware you don't.

Again, the VPN is to/from the WAN. Your SMB shares are to/from your LAN. These are two different things.
 

> As far as I am aware you don't.
>
> Again, the VPN is to/from the WAN. Your SMB shares are to/from your LAN. These are two different things.

Not to sound stupid but then what's the point of the VPN then if I cannot secure the contents of my NAS if I am not on my LAN?
 

Your LAN by its very nature is secure, your router sees to that.

A VPN is designed to protect you on the WAN. To stop prying eyes seeing where you are going and what you are doing. It is NOT intended to protect you from your own LAN.

If you don't want to expose your SMB connections, then don't map the network drives to your PC as they are automatically authenticated once you enter the user name and password to connect them.

To remove that authentication, you need to remove the entry from Control Panel > Credential Manager > Windows Credentials > Name of your NAS and then click on Remove.

That will mean you will have to enter the user name/password when you want to connect to the NAS again, and then your credentials will be stored again, so not really worth the effort.
 

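Added example, not part of any post in this thread: a PowerShell check, run on the Windows PC, of the two things the replies above turn on, namely whether SMB (TCP 445) on the NAS is reachable over a non-VPN adapter and which saved logons let the mapped drives reconnect. `nas.example.lan`, the adapter-name pattern and the drive letter in the commented clean-up lines are placeholders (assumptions).

```powershell
# Added example (not from the thread). Run in a normal PowerShell window on
# the PC that has the mapped drives.
# Assumptions: $NasHost is a placeholder for your NAS name or IP address, and
# $VpnAdapterPattern is a guess at how the OpenVPN client names its adapter.
param(
    [string]$NasHost = 'nas.example.lan',
    [string]$VpnAdapterPattern = 'OpenVPN|TAP|Wintun'
)

# 1. Is SMB (TCP 445) on the NAS reachable right now, and over which adapter?
$probe  = Test-NetConnection -ComputerName $NasHost -Port 445 -WarningAction SilentlyContinue
$viaVpn = $probe.InterfaceAlias -match $VpnAdapterPattern

[pscustomobject]@{
    NasAddress   = $probe.RemoteAddress
    SmbReachable = $probe.TcpTestSucceeded
    Adapter      = $probe.InterfaceAlias
    SourceIP     = $probe.SourceAddress.IPAddress
    ViaVpn       = $viaVpn
} | Format-List

if ($probe.TcpTestSucceeded -and -not $viaVpn) {
    Write-Output 'SMB reaches the NAS over a non-VPN adapter: this PC has a direct path to it.'
} elseif ($probe.TcpTestSucceeded) {
    Write-Output 'SMB reaches the NAS through the VPN adapter.'
} else {
    Write-Output 'TCP 445 on the NAS is not reachable from this PC at the moment.'
}

# 2. Mapped drives and live SMB sessions (Dialect 3.x is what DSM reports as SMB3).
Get-SmbMapping | Format-Table LocalPath, RemotePath, Status -AutoSize
Get-SmbConnection -ErrorAction SilentlyContinue |
    Format-Table ServerName, ShareName, UserName, Dialect -AutoSize

# 3. Saved logons (the same entries shown under Control Panel >
#    Credential Manager > Windows Credentials).
cmdkey /list

# Clean-up, left commented out on purpose. 'Z:' is a placeholder drive letter.
# cmdkey "/delete:$NasHost"
# Remove-SmbMapping -LocalPath 'Z:' -Force
```

If step 1 reports a non-VPN adapter while the OpenVPN client is disconnected, the PC is reaching the NAS directly and the VPN is not in the path at all.
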
It is acting exactly the way it is supposed to. The VPN is for connecting to your NAS remotely from somewhere outside your local network. Computers on your local network connect to the shares via SMB with no need for the VPN.
 

> You are essentially connecting the Synology DDNS service to the VPN, which is the reverse of how you would normally set up a VPN. Also, your PC is not connected to the VPN until you enter the address he gives you into the browser, and then it only controls the traffic to/from your browser.

> Your LAN by its very nature is secure, your router sees to that.
>
> A VPN is designed to protect you on the WAN. To stop prying eyes seeing where you are going and what you are doing. It is NOT intended to protect you from your own LAN.
>
> If you don't want to expose your SMB connections, then don't map the network drives to your PC as they are automatically authenticated once you enter the user name and password to connect them.

The real purpose of a VPN is different than that being described. The purpose of a VPN is to provide secure access to a network from a remote location outside of that network. Third party VPN companies take advantage of the fact that a VPN connection is secure and encrypted to tout a false claim of security and make money from it. I am securely connected to this forum right now via an encrypted secure connection without using a VPN because it is an https connection which is encrypted all the way from my browser, through my LAN, across the internet, until it reaches the server hosting elevenforum where it is finally decrypted.

Yes, a VPN connection will hide which ultimate server you are connecting to, to some extent. Yes, a VPN will make it appear that your connection to the ultimate server is coming from the VPN server rather than the original IP address. This is used to circumvent restrictions placed on certain countries by the service being connected to.

However, the purpose of the VPN server on the NAS has nothing to do with any of that. The Synology NAS is behind the router's Network Address Translation Firewall which prevents connections to the NAS from the WAN (the internet). The VPN server opens a secure gateway through the firewall via which the NAS can be connected to from the WAN side of the router - and actually opens a secure gateway onto the entire local network through the router's NAT firewall. It would be a VPN client that would be used to connect to a VPN on the WAN side of the router - not a VPN server.

I have a VPN server built into my home router as well as a connection to a third party DDNS server. This allows me to connect to my local LAN remotely from the internet using the domain name provided by the DDNS server. In my camping trailer, I have a travel router which runs a VPN client. I connect the travel router to the internet via my phone's hotspot or via public WiFi. Then I use the VPN client on the travel router to connect to the VPN server on my home router. This extends my home network to the LAN in my travel trailer and all the devices connected to the travel router now appear as if they are connected directly to my home network. I have a NAS on my home network that I can access remotely this way and also it allows me to extend my Xfinity streaming cable TV to my travel trailer on the road which normally would not be possible due to location restrictions.
 

Hi folks
Some VPNs have a facility which can exclude some specific applications out of VPN control -- depending on your VPN.

I use NordVPN which allows me to keep specific applications not under its control e.g. local file explorer etc. although in the case of NordVPN you have to specifically exclude applications -- yours might have a different default config.

I think it's called split tunnelling. Check your VPN setup as others have suggested.

Cheers
jimbo
 

> Hi folks
> Some VPNs have a facility which can exclude some specific applications out of VPN control -- depending on your VPN.
>
> I use NordVPN which allows me to keep specific applications not under its control e.g. local file explorer etc. although in the case of NordVPN you have to specifically exclude applications -- yours might have a different default config.
>
> I think it's called split tunnelling. Check your VPN setup as others have suggested.
>
> Cheers
> jimbo

Just be advised that @CSharpDev is not posting about using a VPN client to connect to an external VPN. They are posting about running a VPN server on their NAS which is for incoming connections, not outgoing connections.
 

> It is acting exactly the way it is supposed to. The VPN is for connecting to your NAS remotely from somewhere outside your local network. Computers on your local network connect to the shares via SMB with no need for the VPN.

But if I have enabled the "Be always available offline" on the given SMB share, so "synchronization" of contents between the mapped SMB share and my NAS, if I update the contents of the given SMB share on my NAS, won't the client computer have to first log into the VPN for the SMB share's content to also be updated on their end?
 

> But if I have enabled the "Be always available offline" on the given SMB share, so "synchronization" of contents between the mapped SMB share and my NAS, if I update the contents of the given SMB share on my NAS, won't the client computer have to first log into the VPN for the SMB share's content to also be updated on their end?

No. The VPN server is used to connect to the NAS from outside of your local LAN (i.e. from the Internet). SMB works within your local LAN without using the VPN. Unless you want to remotely connect to your local network remotely using the Internet, your VPN server should be disabled.
 

> No. The VPN server is used to connect to the NAS from outside of your local LAN (i.e. from the Internet). SMB works within your local LAN without using the VPN. Unless you want to remotely connect to your local network remotely using the Internet, your VPN server should be disabled.

So for instance thru the browser? Like, if I was going to log into DSM via Edge by typing in the NAS' IP address?
 
