This has been my most requested video! Create VPN Server on Synology NAS | 4K TUTORIAL - Any feedback is great!
You opened up too many ports for the VPN. For L2TP over IPsec you only need 500 and 4500. 500 is for the initial key/token negotiation and then 4500 is for the actual traffic. Opening 1701 is a pretty big hole as that allows an attacker to completely bypass the IPsec part. Essentially, this completely negates the pre-shared key or pre-shared certificate part.
By the way I know that the message in DSM tells you to open 500, 1701 and 4500. It’s misleading, it should really say to only open 500 and 4500 unless you want to allow bypass of the pre-shared key, which as I said is insecure so I don’t think it should advise that.
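As an added illustration of the point made in the two comments above (this is example code, not from the video, the commenter, or Synology), the following Python audit takes a constructed port-forwarding table and reports, for the host running the VPN server, which L2TP/IPsec ports are missing (UDP 500 for IKE, UDP 4500 for NAT-T) and which forwarded ports expose the inner L2TP protocol without its IPsec wrapper (UDP 1701). The rule table, the internal address 192.168.1.10 and the `Forward` type are all assumptions made for the example.

```python
"""Audit a router's port-forwarding rules for an L2TP/IPsec VPN server.

The forwarding rules at the bottom are constructed sample data, not taken
from any real router or from the tutorial being discussed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    proto: str    # "udp" or "tcp"
    port: int     # external port being forwarded
    target: str   # internal host the rule forwards to


# What L2TP/IPsec actually needs reachable from the Internet:
#   UDP 500  -> IKE key negotiation
#   UDP 4500 -> NAT-T, which carries the ESP-encapsulated tunnel traffic
REQUIRED = {("udp", 500), ("udp", 4500)}

# Ports a setup wizard may suggest but that bypass the IPsec layer:
# plain L2TP listens on UDP 1701, so forwarding it lets a client reach
# the L2TP service without ever completing the pre-shared-key exchange.
RISKY = {
    ("udp", 1701): "L2TP reachable without IPsec; pre-shared key is bypassed",
}


def audit(forwards, vpn_host):
    """Return (missing, exposed) for the rules pointing at vpn_host.

    missing: sorted list of (proto, port) the VPN needs but lacks.
    exposed: sorted list of ((proto, port), reason) that should be removed.
    """
    present = {(f.proto, f.port) for f in forwards if f.target == vpn_host}
    missing = sorted(REQUIRED - present)
    exposed = sorted((p, RISKY[p]) for p in present if p in RISKY)
    return missing, exposed


# Constructed example: the three ports the DSM message suggests, plus an
# unrelated HTTPS forward to a different internal host.
SAMPLE_RULES = [
    Forward("udp", 500, "192.168.1.10"),
    Forward("udp", 1701, "192.168.1.10"),
    Forward("udp", 4500, "192.168.1.10"),
    Forward("tcp", 443, "192.168.1.20"),
]

# Constructed example of an incomplete setup: only IKE is forwarded.
INCOMPLETE_RULES = [Forward("udp", 500, "192.168.1.10")]


def report(forwards, vpn_host):
    """Human-readable summary of audit(); used when run as a script."""
    missing, exposed = audit(forwards, vpn_host)
    lines = []
    for proto, port in missing:
        lines.append(f"MISSING  {proto}/{port} (VPN will not connect)")
    for (proto, port), why in exposed:
        lines.append(f"EXPOSED  {proto}/{port}: {why}")
    if not lines:
        lines.append("OK: only the required ports are forwarded")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RULES, "192.168.1.10"))
    print(report(INCOMPLETE_RULES, "192.168.1.10"))
```

Running it on the first sample flags UDP 1701 as exposed and reports nothing missing; the second sample reports UDP 4500 as missing, which is the symptom people usually hit when only the IKE port is forwarded.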
First off I’d like to thank you for making content like this. We could use more content like this. Keep posting regularly and you’ll have a lot of subs before you know it.
Now for some criticism: Your little spiel about needing to use a VPN being a scare tactic is not entirely true. Any WiFi hotspot can be compromised making MITM attacks easy from those APs. Additionally, it is possible for certificate authorities to have compromises on their end: Compromised certificate authorities: How to protect yourself | TechRepublic This makes using a VPN pretty much essential if you are to truly trust the network you are on.
Additionally, VPNs don’t only help guard against MITM attacks but also shield your traffic usage from the AP’s ISP and move it to your network’s ISP, which really helps with privacy. It also allows you to potentially access content that is locked down due to location. There are several benefits to using a VPN that I recommend you read up on. I don’t mean to pick your argument apart or anything but merely sharing what I’d like to see from a channel like yours.
It would be worthwhile to do some research up front and talk more about such implications and nuances (in separate videos perhaps). If you did a good job of that, I and others that are tech savvy would gladly subscribe.
Something I’ve noticed is that very few people in general are detail oriented. If you can do your best to not mislead your audience and help inform that would really help set you apart. Best of luck to you and your channel!
EDIT: I’m noticing you are talking about rsync now and how to go about backing up, which is good to share knowledge about, but it seems like you are all over the place with this video. If I see your video title say it’s a Synology VPN tutorial I’d expect it to only be a tutorial. Maybe a bit of intro and conclusion, but keep the bulk of your video about the topic you advertise. Otherwise you’ll get people skipping around in the video and that’s something that doesn’t look good to the YouTube algorithm. Ideally you’ll have most of your users watching most of your video with minimal skipping of content.
You are also explaining things at a pretty basic level, which is good. But in that case you can potentially confuse potential new users by jumping around on topics a lot. When making videos keep your target audience in mind and tailor your content to them as much as possible. That means explaining things at an introductory level, which you are doing, which is good. But it also means don’t jump around to many different topics too quickly. Also you didn’t really divulge what a Raspberry Pi is. A new user would be confused at this point.
Feel free to make many videos about many different topics and merely make call outs to those prior videos.
Hey! Nice tutorial!
At 7:35 in the video you forgot to mask your external IP address. Take care and keep the tutorials coming!
10:47 machine secret?
Where to find it?
Good video, here’s a post of mine about an alternative/Docker-based approach if you’re interested: https://www.reddit.com/r/synology/comments/74te0y/howto_deploy_openvpn_on_synology_using_docker/
I personally kind of disagree with you recommending users use IPsec over OpenVPN. The difficulty of using OpenVPN over IPsec at this level is really not much at all. I use Tunnelblick on my Mac and the OpenVPN iOS app. It works flawlessly and was very easy to set up; you can look up the benefits of OpenVPN over IPsec.
One huge one is if you are using a VPN to avoid MITM attacks on a random public WiFi at, like, an airport or shopping mall, there is a decent chance they will block VPN traffic altogether.
Synology’s VPN server GUI makes it very easy to change the port to 443 TCP (typically SSL) to circumvent these VPN usage blocks. It’s not easy for network admins to block OVPN traffic on that port without deep packet inspection as having that port open is almost essential for normal web browsing.
First, great thanks for this video. Following it, I have successfully created a VPN server on a DS1618+ and a VPN client on an iMac. I also clicked ‘all traffic through VPN’ in the Advanced setting.
However, the VPN does not change my ‘real’ IP address when I check it with ‘What is my IP’ on a couple of websites.
I changed the DNS server in the NAS and in the Mac between the one given by my ISP and Google’s 8.8.8.8. Still didn’t work.
What have I missed in the configuration?
I enjoy your content, but there is one very large issue with Synology VPN.
If I have an on-site Synology and an off-site Synology, both running Synology VPN using the OpenVPN process, and my goal is to Hyperbackup from on-site to off-site as well as Hyperbackup from off-site to on-site, Synology VPN then fails due to TUN (can only work one way, not both ways).
I am a network noob, so if I’m missing something above, please let me know.
Ok, thanks for letting me know about this! I will definitely look into this. One thing that really does somewhat worry me about Synology is the number of times that they directly tell you something that goes against security protocols. It’s not the first time that this has happened and it does say something about how they treat IT security.
Thanks for the support!
A big question I always have with these videos is how much simplification to add to them. As we all know, if there is not an air gap around your computer it is hackable. And to me I see it as really unlikely that you are both subject to a MITM attack at the exact time where a certificate company has also been breached and the attacker has access to these certificates’ private keys.
Thanks for the kind words!
I stopped watching after half a minute of speech because the pacing wasn’t satisfactory.
I expected more than a bland monologue without any tonal differentiations.
I sound harsh, but my interest faded extremely quickly for the video and I wanted to seek out someone else that could provide the same information, in a much more captivating way.
Keep improving I say!
Edit: autocorrect
Thanks for letting me know! Thankfully that was an old refresh of the DDNS (from the web hosting tutorial) and my external has changed since then.
The ID you specified when setting up the VPN. Had to enter it 2x
So the VPN should show you your home IP when you connect from outside your home network
Just always have one be the VPN server and the other always be the client. They can both contact each other fine this way. The server will be, say, 10.8.0.0 on its VPN interface and the client will be 10.8.0.1. So have the server do its backup to 10.8.0.1 and the client do its backup to 10.8.0.0.
Leave the VPN always on and the IP of the client will never change. If it does drop the connection ever just reconnect it when nothing else is VPN’d in and it will get the x.x.x.1 address again anyway.
There is no need to have two VPN servers. You can achieve this with an always-on server-client as both devices can then contact each other without issue.
So why are you using hyper backup for this?
Right now it appears as though you have created an infinite loop of backups.
I would instead recommend using Synology Drive Sharesync if you want the off-site and the main to be synced
Unfortunately, I don’t think Synology is unique in this way. They, and other manufacturers, are just responding to the market demand, which seems to be absolute convenience ahead of everything else. You just need to look at many of the posts in this subreddit to see this. Usually when a suggestion is made that what someone is doing is insecure, and that they should tighten security or switch to using VPN, the general response is along the lines of either “What I have now works fine so I’m not changing anything” or “I’m just going with the fastest/easiest option”.
I’m still going through your video and editing my initial post with updated feedback for you. I have a very close friend that is a YouTuber with 500k+ subs that I used to assist heavily, so I’m familiar with the whole process. Feel free to reach out with any questions.
It’s a common practice among YouTubers to make their videos longer than 10 minutes. Many videos should be much more concise.
It’s funny that audiences these days would rather spend 10+ minutes to watch a video than 2 min to read a written tutorial with the same information.