Remote access to your internal network using a Synology NAS can be implemented securely and reliably by configuring an L2TP/IPsec VPN server on the NAS. L2TP paired with IPsec provides a good balance of compatibility and security for site-to-site connections and remote clients. This article walks through the prerequisites, detailed Synology DSM configuration, router and firewall requirements, client setup (Windows, macOS, iOS, Android), and troubleshooting tips to get a robust L2TP/IPsec VPN running on your Synology NAS.

Why choose L2TP/IPsec on Synology?

L2TP over IPsec combines the tunneling features of L2TP with the encryption and authentication provided by IPsec. On Synology NAS systems this approach offers:

  • Native support through the VPN Server package in DSM (DiskStation Manager).
  • Broad client compatibility (Windows, macOS, Linux, iOS, Android).
  • Stronger encryption than PPTP and better native support than some third-party protocols.
  • Simple configuration when used with a strong pre-shared key (PSK) or certificates (when supported).

Prerequisites and design considerations

Before starting, validate the following:

  • Your Synology NAS is running a recent DSM version (DSM 6.2+ or DSM 7.x recommended).
  • You have administrative access to the NAS and to your network router/firewall.
  • A static LAN IP address for the NAS (recommended) or a DHCP reservation so port forwarding stays valid.
  • Public IP address or dynamic DNS (DDNS) hostname for remote clients to reach the router/NAS.
  • Knowledge of the subnets used in your LAN and the remote clients to avoid IP conflicts with the VPN pool.

Step 1 — Install and enable VPN Server on Synology

1. Log in to DSM as an administrator.
2. Open Package Center and install VPN Server if it’s not already installed.
3. Launch VPN Server and navigate to the L2TP/IPsec section.

Key options to configure:

  • Enable L2TP/IPsec — turn the service on.
  • Pre-shared key (PSK) — choose a long, random PSK (at least 20 characters with letters, numbers and symbols). Use a secure password manager to store it.
  • Maximum number of connections — set according to your expected remote clients.
  • Authentication — Synology supports local DSM accounts and LDAP/AD accounts; configure user privileges later.
  • VPN IP address range / client address range — choose a subnet that does not overlap your LAN (for example, 10.8.0.0/24 if your LAN uses 192.168.x.x).
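As an added example (not code from Synology or the DSM VPN Server package), a small Python check for the two Step 1 choices that cause most connection problems: the PSK and the client address range. The 20-character minimum, the character-class rules and the sample subnets are assumptions taken from the guidance above.

```python
# Added example: sanity-check the PSK and the VPN client address range chosen in Step 1.
import secrets
import string
import ipaddress

PSK_MIN_LEN = 20  # minimum length recommended above (assumed policy value)
_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def check_psk(psk: str) -> list:
    """Return a list of findings; an empty list means the PSK is acceptable."""
    findings = []
    if psk != psk.strip():
        # A stray space is the classic cause of "PSK mismatch" during troubleshooting.
        findings.append("leading/trailing whitespace (will not match on the client)")
    if len(psk) < PSK_MIN_LEN:
        findings.append(f"shorter than {PSK_MIN_LEN} characters")
    classes = {
        "lowercase": any(c.islower() for c in psk),
        "uppercase": any(c.isupper() for c in psk),
        "digit": any(c.isdigit() for c in psk),
        "symbol": any(not c.isalnum() and not c.isspace() for c in psk),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        findings.append("missing character classes: " + ", ".join(missing))
    return findings


def generate_psk(length: int = 32) -> str:
    """Return a CSPRNG-generated PSK that passes check_psk (retries until all classes appear)."""
    while True:
        psk = "".join(secrets.choice(_ALPHABET) for _ in range(length))
        if not check_psk(psk):
            return psk


def check_client_range(vpn_range: str, lan_subnets: list) -> list:
    """Return every LAN subnet that overlaps the VPN client address range."""
    pool = ipaddress.ip_network(vpn_range, strict=False)
    return [lan for lan in lan_subnets
            if pool.overlaps(ipaddress.ip_network(lan, strict=False))]


if __name__ == "__main__":
    print("generated PSK:", generate_psk())
    print("overlaps:", check_client_range("10.8.0.0/24", ["192.168.1.0/24", "10.0.0.0/8"]))
```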

Notes on choosing PSK vs certificates

Synology’s built-in VPN Server primarily uses a PSK for IPsec. While PSKs are easier to deploy, they require careful handling and strong entropy. Certificates (X.509) are more secure and scalable for enterprise deployments, but require a CA infrastructure and may not be fully integrated in older DSM VPN Server features. If you need certificate-based IPsec, consider using a dedicated VPN appliance or third-party packages that support IKEv2 with certificates.

Step 2 — Configure user access

After enabling the VPN service, configure which users or groups can connect:

  • Open Control Panel → User (or Group) and ensure the users you want to permit exist and have secure passwords.
  • In VPN Server → Privilege, check the boxes for users allowed to use L2TP/IPsec.
  • Optionally, create a specific VPN-only account and restrict access to other NAS services as needed for security segmentation.

Step 3 — Router/NAT and firewall settings

For remote clients to reach the L2TP/IPsec server behind NAT, configure your router and NAS firewall:

  • Forward these ports from the router to the NAS LAN IP:
    • UDP 500 — IKE (Internet Key Exchange)
    • UDP 4500 — IPsec NAT Traversal (NAT-T)
    • Protocol ESP (IP protocol 50) — used by IPsec ESP payloads (some consumer routers support automatic handling via NAT-T and only need UDP 4500/500)
  • Do not forward GRE (protocol 47) — GRE is used by PPTP, not L2TP/IPsec.
  • On Synology Control Panel → Security → Firewall, add rules to allow the incoming UDP 500/4500 and ESP if supported by the UI.
  • Enable VPN passthrough on the router if available (IPsec passthrough).
  • Avoid exposing unnecessary services; restrict router firewall to only allow traffic to the VPN ports from the public internet if possible.

Step 4 — Advanced IPsec configuration and tuning

Most Synology NAS units provide basic IPsec settings which are sufficient for many deployments, but for improved security and interoperability consider:

  • Selecting strong encryption and hashing algorithms where available (AES-256, SHA-2 family, and DH group 14 or above). If the DSM UI lets you choose phases or profiles, prefer AES-GCM if supported.
  • Enforcing strong authentication (complex PSK and long passwords for user accounts).
  • Setting an MTU for VPN clients if you observe fragmentation issues (typical L2TP/IPsec MTU is ~1400; lower if necessary and configure MSS clamping on the router).
  • Enabling NAT traversal (NAT-T) to support clients behind NAT devices.
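Where the "~1400" MTU figure comes from, as an added worked example that is not Synology's code: the per-header byte counts are assumptions for a typical NAT-T (UDP 4500) tunnel, and the script finds the largest inner packet that fits a 1500-byte path for two ESP transforms, plus the MSS value to clamp to on the router.

```python
# Added example: compute the inner (client) MTU and MSS clamp for an L2TP/IPsec tunnel.
import math

# Fixed encapsulation headers (assumed typical sizes, in bytes)
OUTER_IPV4 = 20        # outer IPv4 header
NATT_UDP = 8           # UDP 4500 encapsulation used for NAT-T
ESP_HEADER = 8         # SPI + sequence number
L2TP_UDP = 8           # UDP 1701 carried inside ESP
L2TP_HEADER = 12       # L2TPv2 data header with optional fields present (assumed)
PPP_HEADER = 4         # PPP address/control + protocol, uncompressed (assumed)
ESP_TRAILER = 2        # pad length + next header
TCP_IPV4_HEADERS = 40  # inner IPv4 + TCP headers, subtracted for the MSS clamp

# IV, ICV and padding alignment differ per ESP transform (assumed values)
TRANSFORMS = {
    "aes-cbc-sha256": {"iv": 16, "icv": 16, "align": 16},  # CBC pads to the cipher block
    "aes-gcm": {"iv": 8, "icv": 16, "align": 4},           # GCM only needs 4-byte alignment
}


def encapsulated_size(inner_len: int, transform: str) -> int:
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    t = TRANSFORMS[transform]
    to_encrypt = L2TP_UDP + L2TP_HEADER + PPP_HEADER + inner_len + ESP_TRAILER
    padded = math.ceil(to_encrypt / t["align"]) * t["align"]
    return OUTER_IPV4 + NATT_UDP + ESP_HEADER + t["iv"] + padded + t["icv"]


def inner_mtu(outer_mtu: int, transform: str) -> int:
    """Largest inner packet that never fragments on a path whose MTU is outer_mtu."""
    n = outer_mtu
    while encapsulated_size(n, transform) > outer_mtu:
        n -= 1
    return n


def mss_clamp(mtu: int) -> int:
    """TCP MSS to advertise so that a full segment still fits the tunnel MTU."""
    return mtu - TCP_IPV4_HEADERS


if __name__ == "__main__":
    for name in TRANSFORMS:
        m = inner_mtu(1500, name)
        print(f"{name}: client MTU {m}, MSS clamp {mss_clamp(m)}")
```

With these assumptions a 1500-byte path leaves 1398 bytes for the client with AES-CBC/SHA-256 and 1414 with AES-GCM, which is why a client MTU around 1400 avoids fragmentation.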

Step 5 — Configure clients

Clients will need the NAS public IP/DDNS name, VPN username/password, and the PSK. Below are concise client setup steps.

Windows 10 / 11

  • Open Settings → Network & Internet → VPN → Add a VPN connection.
  • VPN provider: Windows (built-in).
  • Connection name: Friendly name.
  • Server name or address: your public IP or DDNS hostname.
  • VPN type: L2TP/IPsec with pre-shared key.
  • Pre-shared key: enter the PSK you configured.
  • Type of sign-in info: Username and password.
  • After creating, go to Advanced options → Edit adapter options → Right-click the VPN adapter → Properties → Security tab. Ensure “Allow these protocols” includes MS-CHAP v2 and the encryption is set to require maximum strength.
  • If you encounter authentication failures on modern Windows versions, ensure Windows supports the chosen crypto suites and that no registry-level policies block the algorithms. Additionally, check “Use default gateway on remote network” in IPv4 Properties → Advanced if you want all traffic through the VPN (force full tunnel).

macOS

  • Open System Preferences → Network → + to add a new service.
  • Interface: VPN, VPN Type: L2TP over IPSec.
  • Server Address: public IP or DDNS name, Account Name: VPN username.
  • Click Authentication Settings: enter the user password and the machine authentication using the PSK.
  • Under Advanced, enable “Send all traffic over VPN” if a full tunnel is desired.

iOS (iPhone/iPad)

  • Settings → General → VPN & Device Management → VPN → Add VPN Configuration.
  • Type: L2TP. Server: public IP or DDNS. Account: username. Password: user password. Secret: PSK. Enable “Send All Traffic” if needed.

Android

  • Settings → Network & Internet → VPN → Add VPN. Choose L2TP/IPsec PSK (naming varies by vendor).
  • Enter server, username, password, and the PSK. Some Android versions require selecting “IPSec pre-shared key” explicitly.

Troubleshooting checklist

If connections fail, step through the following checks:

  • Confirm NAS VPN Server is running and L2TP/IPsec is enabled.
  • Verify the PSK matches exactly on both server and client (including no accidental whitespace).
  • Check router port forwarding: UDP 500 and 4500 must point to the NAS internal IP.
  • Look at Synology logs (Log Center) for error messages regarding IKE negotiation or user authentication failures.
  • Test from a mobile network (cellular) to bypass potential client-side NAT issues imposed by the home router.
  • If clients are behind double NAT, ensure both devices allow port forwarding or enable NAT traversal (NAT-T).
  • For authentication errors, verify the DSM user account password and that the account is allowed in VPN Server privileges.
  • If you see fragmented packets, reduce the MTU on the client or enable MSS clamping on the router to avoid reassembly problems.

Security best practices

  • Use a strong, unique PSK and rotate it periodically. Store it in a secure password manager.
  • Restrict VPN-capable users to least-privilege access. Consider creating VPN-only accounts when appropriate.
  • Enable DSM firewall rules to allow only necessary traffic to the VPN service and log suspicious activity.
  • Use multi-factor authentication (MFA) for DSM accounts where possible to reduce risk from compromised credentials. Note MFA applies to DSM logins; consider MFA-capable VPN solutions for per-connection MFA.
  • Keep DSM and the VPN Server package patched with the latest security updates.
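An added example, not part of the original article, of the log review that the troubleshooting checklist and the "log suspicious activity" bullet call for: it flags sources with repeated authentication or IKE failures inside a sliding window. The log line format and the sample lines are constructed for the example, so the regex must be adapted to the fields your DSM Log Center actually shows, and the threshold and window are assumptions.

```python
# Added example: detect repeated VPN authentication / IKE failures per source address.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format (not Synology's real Log Center format): adapt the regex.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) vpn: (?P<event>auth_fail|ike_fail|auth_ok) "
    r"user=(?P<user>\S*) src=(?P<src>\d+\.\d+\.\d+\.\d+)$"
)

# Constructed sample: one source cycling through usernames, one genuine login after a typo.
SAMPLE_LOG = """\
2024-05-01 10:00:01 vpn: auth_fail user=alice src=203.0.113.10
2024-05-01 10:00:04 vpn: auth_fail user=admin src=203.0.113.10
2024-05-01 10:00:07 vpn: ike_fail user= src=203.0.113.10
2024-05-01 10:00:09 vpn: auth_fail user=bob src=203.0.113.10
2024-05-01 10:00:15 vpn: auth_fail user=root src=203.0.113.10
2024-05-01 10:01:30 vpn: auth_fail user=carol src=198.51.100.7
2024-05-01 10:01:40 vpn: auth_ok user=carol src=198.51.100.7
"""


def parse(log_text: str):
    """Yield (timestamp, event, user, src) for every line matching LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["event"], m["user"], m["src"]


def suspicious_sources(log_text: str, threshold: int = 5,
                       window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {src: total_failures} for sources with >= threshold failures
    (auth or IKE) inside any sliding window of the given length."""
    failures = defaultdict(list)
    for ts, event, _user, src in parse(log_text):
        if event in ("auth_fail", "ike_fail"):
            failures[src].append(ts)
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # advance the window start as it falls outside the window
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged
```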

When to consider alternatives

L2TP/IPsec is a solid choice for many scenarios, but there are times to evaluate alternatives:

  • If you need modern cryptographic agility and certificate-based authentication at scale, consider IKEv2 with certificate auth or a dedicated VPN appliance supporting strong crypto suites.
  • For easier NAT traversal and better performance through firewalls, WireGuard or OpenVPN (TCP/UDP) may be preferable — Synology supports OpenVPN via the VPN Server package as well.
  • For enterprise-grade remote access with built-in SSO and MFA, look at VPN services integrated with your identity provider or SASE solutions.

By following these steps—setting a dedicated VPN IP range, using a strong PSK, opening the correct ports on your router, and assigning appropriate user privileges—you can run a reliable L2TP/IPsec VPN on your Synology NAS that supports remote staff and secure access to internal resources. Regular auditing, firmware updates, and following the security best practices above will keep the deployment robust over time.

For more guides and detailed VPN tutorials, visit Dedicated-IP-VPN at https://dedicated-ip-vpn.com/.