Free VPN connecting work, home or a remote office under one virtual network

How to work from Home with Site-to-Site VPN

What is VPN?

Remote connectivity shouldn't be difficult, even for an entire office. VPN Plus turns your Synology Router into a VPN server that is designed to be easy to set up and manage, giving your company's remote workforce secure access to internal resources wherever they are.

A VPN creates an encrypted tunnel between your computer at home and the network at your workplace. Connected clients can reach network drives and computers just as if they were physically in the office.

What is VPN Plus, in 60 seconds
VPN Plus is a comprehensive solution that supports multiple protocols.

  • WebVPN
    • Client: Browser
    • Best for: Immediate access to internal webpages, such as ERPs and staging environments.
    • Notes: Limited to websites only.
  • Synology SSL VPN
    • Client: Windows, Mac, Android, iOS
    • Best for: Direct connectivity into your office network. Access files via SMB and RDP into workstations at the office. Supports split-tunneling.
    • Notes: Lightweight Synology client/app needed.
  • SSTP, OpenVPN, L2TP/IPSec
    • Client: 3rd-party and native OS clients
    • Best for: Standard protocol support ensures the widest client support.
    • Notes: Harder to set up and deploy; may require certificates and client installation.

How is Site-to-Site VPN different from other VPN solutions?

Normally you connect a single computer to the work network using one of the client protocols: SSTP, OpenVPN, L2TP/IPsec or PPTP (PPTP should be avoided; its MS-CHAPv2 authentication has been broken for years and it no longer offers meaningful protection). That computer can then see the work network and the devices on it. But a device at home or in a temporary office that needs to be reachable from the work network stays invisible, because only the computer running the client is inside the tunnel. Site-to-Site VPN instead joins the two networks: with five users at home or in a temporary office and five at work, every device on either side can reach the other, and nothing has to be installed on each client. The two routers maintain the encrypted channel between the networks.

What equipment do I need?

Both existing and new owners of Synology's RT1900ac, RT2600ac and MR2200ac wireless routers can obtain VPN Plus Client VPN Access and Site-to-Site VPN licenses for free. All licenses are perpetual: they do not expire and do not require additional payment after September 30, 2020.

Available Models

  Model                                    RT2600ac     MR2200ac
  Max VPN Clients                          20           10
  Max Site-to-Site VPN Tunnels             10           4
  Max Remote Desktop Sessions              3            3
  IPSec / Synology SSL VPN Throughput (1)  205 / 99     106 / 40
  Site-to-Site Throughput (2)              500 / 524    196 / 169

  1. Bi-directional (Mb/s). Tested using a single VPN connection made to VPN Plus, using IxChariot and SRM 1.2.3. Performance may vary depending on environmental variables, other workloads, and the number of connections.
  2. Receive / Transmit (Mb/s). For reference only. Tested using a single tunnel, using IxChariot and SRM 1.2.3. Performance may vary depending on environmental variables, other workloads, and the number of connections.

Do I need Site-to-Site setup if I only need to connect one computer?

No. For a single computer you will most likely be better served by Synology SSL VPN, which is described below.

Is it difficult to set up?

The workplace side does the configuration, which is only a handful of settings; if you know your network it should take less than five minutes. Once it is done, the router offers the profile for download as a configuration file, which you import on the home router by uploading it. Importing rather than retyping also avoids the mismatches (wrong key, wrong ID, wrong subnet) that stop the tunnel from coming up.

How much does it cost?

Synology is handing out free licenses at the moment to support businesses affected by COVID-19.

If you do not have a Synology router, you will need either an MR2200ac or an RT2600ac.

How safe is this?

Encryption

The Site-to-Site tunnel is IPsec, and its strength is decided entirely by the settings below. Both sites must be able to agree on a proposal, and the tunnel is only as strong as the weakest algorithm either side is willing to accept, so offer only what you actually want to use.

  • IKE version: Select IKEv1 or IKEv2. Both sites must have the same IKE version. Prefer IKEv2; it is the current protocol and has no Aggressive Mode.
  • Mode: Select Main Mode or Aggressive Mode (IKEv1 only). Both sites must have the same mode. Use Main Mode: Aggressive Mode sends a hash derived from the pre-shared key in the clear, which an eavesdropper can capture and brute-force offline.
  • Encryption: Select one or more of AES256, AES192, AES128 and 3DES. At least one selected method must also be adopted by the other site. Leave 3DES unticked unless the peer supports nothing else; it is a deprecated 64-bit block cipher.
  • Authentication: Select one or more of SHA-512, SHA-384, SHA-256, SHA1 and MD5 (the integrity hashes). At least one selected method must also be adopted by the other site. Do not offer MD5 or SHA1 for new tunnels.
  • DH group: Specify the same Diffie-Hellman (DH) group on both sites. Use group 14 (2048-bit MODP) or larger; groups 1, 2 and 5 are too small.
  • Key lifetime: Specify how long a key is valid. When it expires, both sites negotiate a fresh key (rekey). Shorter lifetimes limit how much traffic any one key protects.
  • Enable Perfect Forward Secrecy (PFS): PFS runs a fresh Diffie-Hellman exchange at every rekey, so a compromised session key or pre-shared key does not let an attacker decrypt traffic captured earlier. The cost is a small amount of CPU at each rekey; enable it.

Note:

  • Inconsistent settings between the two sites will make the connection fail. We recommend exporting the configuration from one site and importing it on the other to simplify setup and minimize the possibility of errors.
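An added example (not Synology's code) of what "both sites must agree" means in practice. It models the settings listed above for two sites, reports whether they can negotiate at all, which cipher and hash they would end up with, and which choices are weak. The field names follow this page's settings list; the three sample sites, the strength ranking and the 24-hour lifetime limit are this example's own assumptions, and it assumes both sides pick the strongest algorithm they share (real IKE follows proposal order, so a weak algorithm listed first can still be selected):

```python
"""Added example: can two Site-to-Site VPN sites agree on an IKE proposal,
and is the result strong? Not Synology's code; sample sites are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

WEAK_ENCRYPTION = {"3DES"}            # 64-bit block cipher, deprecated
WEAK_AUTH = {"MD5", "SHA1"}
WEAK_DH_GROUPS = {1, 2, 5}            # 768 / 1024 / 1536-bit MODP
ENC_RANK = {"AES256": 3, "AES192": 2, "AES128": 1, "3DES": 0}
AUTH_RANK = {"SHA-512": 4, "SHA-384": 3, "SHA-256": 2, "SHA1": 1, "MD5": 0}
MAX_LIFETIME_S = 24 * 3600            # policy assumption for this example


@dataclass(frozen=True)
class IkeSettings:
    ike_version: int                  # 1 or 2
    mode: Optional[str]               # "main" / "aggressive"; None for IKEv2
    encryption: FrozenSet[str]        # algorithms this site is willing to offer
    authentication: FrozenSet[str]
    dh_group: int
    key_lifetime_s: int
    pfs: bool


def audit(site):
    """Warnings about one site's own settings, independent of the peer."""
    w = []
    if site.ike_version == 1:
        w.append("IKEv1 in use; prefer IKEv2")
        if site.mode == "aggressive":
            w.append("Aggressive Mode sends a hash derived from the PSK in the "
                     "clear, allowing offline cracking; use Main Mode")
    for alg in sorted(site.encryption & WEAK_ENCRYPTION):
        w.append(f"weak encryption offered: {alg}")
    for alg in sorted(site.authentication & WEAK_AUTH):
        w.append(f"weak authentication offered: {alg}")
    if site.dh_group in WEAK_DH_GROUPS:
        w.append(f"DH group {site.dh_group} is too small; use group 14 or higher")
    if not site.pfs:
        w.append("PFS disabled: a leaked long-term key exposes recorded sessions")
    if site.key_lifetime_s > MAX_LIFETIME_S:
        w.append(f"key lifetime {site.key_lifetime_s}s exceeds {MAX_LIFETIME_S}s")
    return w


def negotiate(local, remote):
    """Return (chosen, problems): chosen is (encryption, authentication) when
    the sites can agree, otherwise None with the fatal mismatches listed."""
    fatal = []
    if local.ike_version != remote.ike_version:
        fatal.append("IKE version differs")
    elif local.ike_version == 1 and local.mode != remote.mode:
        fatal.append("IKEv1 mode differs")
    if local.dh_group != remote.dh_group:
        fatal.append("DH group differs")
    common_enc = local.encryption & remote.encryption
    common_auth = local.authentication & remote.authentication
    if not common_enc:
        fatal.append("no encryption algorithm in common")
    if not common_auth:
        fatal.append("no authentication algorithm in common")
    if fatal:
        return None, fatal
    # Assumption: strongest shared algorithm wins (real IKE uses proposal order).
    chosen = (max(common_enc, key=ENC_RANK.__getitem__),
              max(common_auth, key=AUTH_RANK.__getitem__))
    warnings = []
    if chosen[0] in WEAK_ENCRYPTION:
        warnings.append(f"negotiated encryption {chosen[0]} is weak")
    if chosen[1] in WEAK_AUTH:
        warnings.append(f"negotiated authentication {chosen[1]} is weak")
    return chosen, warnings


# Constructed sample sites, not real deployments.
OFFICE = IkeSettings(2, None, frozenset({"AES256", "AES128"}),
                     frozenset({"SHA-256", "SHA1"}), 14, 28800, True)
HOME = IkeSettings(2, None, frozenset({"AES128", "3DES"}),
                   frozenset({"SHA1", "MD5"}), 14, 28800, True)
LEGACY = IkeSettings(1, "aggressive", frozenset({"3DES"}),
                     frozenset({"MD5"}), 2, 7 * 24 * 3600, False)

if __name__ == "__main__":
    for name, a, b in (("office<->home", OFFICE, HOME),
                       ("office<->legacy", OFFICE, LEGACY)):
        print(name, "->", negotiate(a, b))
    print("legacy audit:", audit(LEGACY))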

 

What are the other things you can do with Synology VPN solutions?

Synology SSL VPN

Set up Synology SSL VPN and connect via the Synology-exclusive client for safe and swift VPN access to webpages, files, and applications.

Synology SSL VPN tunnels traffic over SSL/TLS (the same protocol family that secures HTTPS). It offers fast and secure VPN access to webpages, files and applications on the local network or the Internet.

You install the Synology VPN client app on your computer or mobile device; the app establishes the private connection to the work network.

Here is how to set this up: https://www.synology.com//helpfile/help/VPNPlusServer/1.3.1-srm/nsm-VPNPlusServer/enu/vpnplus_server_sslvpn.html

Remote Desktop

Set up Remote Desktop service to access a client desktop remotely within the network of your Synology Router via RDP or VNC protocol.

Remote Desktop allows you to easily access and control the client desktops within the network under the Synology Router from anywhere as long as you have Internet access, without further need of a client software.

This is a safer way to use remote desktop. You do not forward the RDP (3389) or VNC (5900) ports to your workstations, so they are invisible to the scanners that constantly probe the Internet for exposed remote desktop services; the only Internet-facing service is the VPN endpoint itself. Because the session runs inside the encrypted tunnel, the remote desktop traffic effectively stays on the local network instead of crossing the Internet in the clear.

Here is how to set this up: https://www.synology.com//helpfile/help/VPNPlusServer/1.3.1-srm/nsm-VPNPlusServer/enu/vpnplus_server_remote_desktop.html

WebVPN

Set up WebVPN and connect via a popular web browser for easy VPN access to webpages, without installing any client.

WebVPN offers clientless VPN access to an organization’s internal websites and web applications through a browser, without any need of additional client software.

Basically this is a window into the work intranet. You create shortcuts to commonly used internal web applications, and clients click through to them from the portal. These pages remain unreachable from the Internet; the tunnel is what lets you open links from home that you otherwise could not.

Here is how to set this up: https://www.synology.com//helpfile/help/VPNPlusServer/1.3.1-srm/nsm-VPNPlusServer/enu/vpnplus_server_webvpn.html

Standard VPN

Set up standard VPN services and connect via a popular client for VPN access.

VPN Plus Server provides multiple popular VPN solutions—SSTP VPN, OpenVPN, L2TP/IPSec, and PPTP VPN—to suit your needs and networking environments. PPTP is included for legacy clients only; its MS-CHAPv2 authentication has been broken for years, so do not use it for anything sensitive.

Here is how to set this up: https://www.synology.com//helpfile/help/VPNPlusServer/1.3.1-srm/nsm-VPNPlusServer/enu/vpnplus_server_standardvpn.html

Management

Define user/group permissions for various VPN services, monitor and control VPN traffic, and view logs about administrative managements and user connections.

VPN Plus Server provides the network administrator with various management settings and traffic charts to monitor and protect network security.

License

You do not need to buy licenses, since Synology is giving them away for free for the time being.

  • Client VPN Access License:
    • Licenses are required for the premium features including Synology SSL VPN, WebVPN, and SSTP.
    • One license allows one concurrent user account to use the premium features from multiple client devices simultaneously.
    • Only user accounts that have been granted permission for the corresponding premium feature (at Permission > Services) are allowed access. Permitted accounts are admitted on a first-come, first-served basis; once the license quota is reached, further connection attempts must wait until a slot becomes free.
  • Site-to-Site VPN License:
    • Licenses are required for setting up secure connections for networks in multiple fixed locations with each other over the Internet.
    • Each Synology product which supports VPN Plus Server needs one license to activate this premium feature. Once the license is validated, it will never expire.

Max licences you can have:

RT2600ac: 20

RT1900ac, MR2200ac: 10

How do you set it up – technical version for workplace network?

  • Profile name: a customizable name for this profile.
  • Pre-shared key: Specify the same pre-shared key on both sites. It is what authenticates the two routers to each other, so use a long, random value rather than a dictionary word, and hand it to the other site out of band. The connection succeeds only when both sites hold the identical key.
  • Enable this connection: Tick this checkbox to start the connection right after setup. It takes effect only when enabled on both sites.
  • Local Site:
    • Outbound IP: Select the network interface on your Synology Router that the Site-to-Site VPN will use.
    • Local ID: Specify the Local ID, which can be either a public IP address or an FQDN. The other site must enter exactly this value as its Remote ID.
    • Private subnet: Specify the local network behind this router.
      Note: The options in the drop-down list are defined in Object. Address pool objects of the IP range type are not supported by the Site-to-Site VPN configuration; only objects of the Subnet type appear in the list.
  • Remote Site:
    • IP address/FQDN: Fill in the remote site's public IP address or FQDN, which must be reachable from the Internet.
    • Remote ID: Specify the Remote ID, which can be either a public IP address or an FQDN, and must match the other site's Local ID.
    • Private subnet: the private subnet of the local network at the remote site.
  • Dead Peer Detection:
    • Enable: Tick the checkbox to enable Dead Peer Detection (DPD).
      • DPD Delay: the interval between DPD probe packets.
      • DPD Timeout: the period of silence after which, having received no DPD reply from the remote site, the system declares the connection lost.

Note:

  • The private subnets of local and remote sites cannot overlap.
  • You may read the RFC 3706 document for more technical information on Dead Peer Detection.
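An added example (not Synology's code) that does what the setup list above asks for by hand, and what export/import does for you: it builds the home router's profile by mirroring the office profile, then checks the pair against the rules on this page (same pre-shared key, both sides enabled, each site's remote address and ID equal to the peer's local address and ID, matching subnet lists, and no overlap between the two private subnets). Field names follow the page's settings; the sample addresses are constructed (203.0.113.0/24 is a documentation range), and the 20-character PSK minimum and the "timeout longer than delay" DPD sanity rule are this example's own policy:

```python
"""Added example: mirror a Site-to-Site profile for the peer and validate
the pair. Not Synology's code; sample values are constructed."""
import ipaddress
from dataclasses import dataclass, replace

MIN_PSK_LEN = 20   # policy assumption for this example


@dataclass(frozen=True)
class SiteToSiteProfile:
    profile_name: str
    pre_shared_key: str
    enabled: bool
    local_address: str        # public IP or FQDN the peer connects to
    local_id: str             # Local ID presented in IKE
    local_subnets: tuple      # private subnet(s) behind this router
    remote_address: str       # peer's public IP or FQDN
    remote_id: str
    remote_subnets: tuple
    dpd_delay_s: int = 30     # interval between DPD probes
    dpd_timeout_s: int = 120  # silence after which the peer is declared dead


def mirror(profile, name):
    """The peer's profile is the local one with the two sides swapped."""
    return SiteToSiteProfile(
        profile_name=name,
        pre_shared_key=profile.pre_shared_key,
        enabled=profile.enabled,
        local_address=profile.remote_address,
        local_id=profile.remote_id,
        local_subnets=profile.remote_subnets,
        remote_address=profile.local_address,
        remote_id=profile.local_id,
        remote_subnets=profile.local_subnets,
        dpd_delay_s=profile.dpd_delay_s,
        dpd_timeout_s=profile.dpd_timeout_s,
    )


def validate_pair(a, b):
    """Return a list of configuration errors; empty means the pair is consistent."""
    errors = []
    if a.pre_shared_key != b.pre_shared_key:
        errors.append("pre-shared keys differ")
    if not (a.enabled and b.enabled):
        errors.append("'Enable this connection' must be ticked on both sites")
    for site, peer in ((a, b), (b, a)):
        n = site.profile_name
        if len(site.pre_shared_key) < MIN_PSK_LEN:
            errors.append(f"{n}: pre-shared key shorter than {MIN_PSK_LEN} characters")
        if site.remote_address != peer.local_address:
            errors.append(f"{n}: remote address {site.remote_address} is not "
                          f"the peer's address {peer.local_address}")
        if site.remote_id != peer.local_id:
            errors.append(f"{n}: remote ID {site.remote_id} does not match "
                          f"the peer's local ID {peer.local_id}")
        if set(site.remote_subnets) != set(peer.local_subnets):
            errors.append(f"{n}: remote subnets do not match the peer's local subnets")
        if site.dpd_timeout_s <= site.dpd_delay_s:
            errors.append(f"{n}: DPD timeout must be longer than DPD delay")
        try:  # strict=True rejects host addresses such as 10.10.0.1/16
            local = [ipaddress.ip_network(s, strict=True) for s in site.local_subnets]
            remote = [ipaddress.ip_network(s, strict=True) for s in site.remote_subnets]
        except ValueError as exc:
            errors.append(f"{n}: invalid subnet: {exc}")
            continue
        for ln in local:
            for rn in remote:
                if ln.overlaps(rn):
                    errors.append(f"{n}: private subnets overlap: {ln} and {rn}")
    return errors


# Constructed sample: office router at vpn.example.com, home router on 203.0.113.25.
OFFICE = SiteToSiteProfile(
    profile_name="to-home-office", pre_shared_key="correct horse battery staple 4712",
    enabled=True, local_address="vpn.example.com", local_id="vpn.example.com",
    local_subnets=("10.10.0.0/16",), remote_address="203.0.113.25",
    remote_id="203.0.113.25", remote_subnets=("192.168.50.0/24",))
HOME = mirror(OFFICE, "to-main-office")
# A hand-typed home profile: retyped (short, different) PSK and a LAN inside the office range.
HOME_BAD = replace(HOME, pre_shared_key="hunter2", local_subnets=("10.10.5.0/24",))

if __name__ == "__main__":
    print("mirrored pair:", validate_pair(OFFICE, HOME) or "OK")
    for err in validate_pair(OFFICE, HOME_BAD):
        print("bad pair:", err)
```

The mirrored pair validates cleanly; the hand-typed one fails on the key and on the overlapping 10.10.5.0/24, which is exactly the case the note above rules out: with both sides inside 10.10.0.0/16 the routers cannot tell which side a packet belongs to, so the tunnel may come up and still carry no useful traffic.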