Synology VPN compatibility

7 Jan 2023 14:52 synology-srm

I recently experimented with using Tailscale Subnet Router as a VPN, to allow me to connect to my home network from the pub. It sorta works, but it’s been unreliable recently. I’m going to look at the VPN options that my Synology router gives me.

I’ve got a Synology RT2600ac which has “VPN Plus Server”. I want to connect to it from my Windows laptop and, occasionally, from my Android phone.

Server support

Synology VPN Plus Server supports a number of different VPN standards: IPsec, L2TP, OpenVPN, PPTP, Remote Desktop, SSLVPN, SSTP, WebVPN.

Android

Android (at least on my Pixel 5a) only supports IKEv2/IPsec, with MSCHAPv2, PSK or RSA authentication.

I’m using Android 13, so the following disclaimer on the Synology Knowledge Center applies:

L2TP and PPTP are not supported on Android 12 and later; clients will need to connect using OpenVPN instead.

But: OpenVPN’s a hot mess.

Windows

Windows 11 supports IKEv2, SSTP, L2TP/IPsec (certificates or PSK) and PPTP. According to How do I connect to Synology’s VPN Server via Windows PC? – which only goes up to Windows 10 – I need to:

  1. Poke around in the Windows registry.
  2. Use either PPTP or L2TP/IPsec.

PPTP’s not particularly secure, so I guess that means L2TP/IPsec. I don’t like the idea of poking around in the registry.

Conclusions

Options

Tailscale

Stick with Tailscale and figure out why Tailscale’s being flaky.

It occasionally screws up networking (particularly with WSL2) on my Surface Go.

I also couldn’t access my DS416, even though it was showing up on the Tailscale UI as recently connected. Since this is where I’ve got Tailscale subnet routing set up, this is probably why I couldn’t connect to the rest of my network.

So, yeah, that wasn’t Tailscale’s fault.

WireGuard

Run a WireGuard server somewhere.

I could probably do this with a Raspberry Pi (I’ve got several of various vintages kicking around). But I think I’d prefer to run it in a container.

I could just stick it in my K8s cluster, but that strikes me as too clever – it introduces too many points of failure, and I don’t think my wife wants to become CNCF-certified just to use the home printer when she’s in a coffee shop.

On balance, I think I’m leaning towards upgrading my NAS to something that can run Docker, which I’ve been considering for Pi-hole anyway. Then I can run WireGuard there.
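To show what the WireGuard-in-a-container option looks like in practice, here is a constructed server/peer configuration pair. This is an added example, not the author’s own setup: the tunnel range 10.8.0.0/24, the home LAN 192.168.1.0/24, the hostname vpn.example.com, the eth0 interface name and every key are placeholders you would replace with your own values (keys come from `wg genkey`, `wg pubkey` and `wg genpsk`). The security-relevant choices are called out in the comments: one key pair and one pre-shared key per device, a /32 AllowedIPs on the server side so a device can only claim its own tunnel address, and a split-tunnel AllowedIPs on the client so only home-network traffic goes through the VPN.

```ini
# ---- Server side: /etc/wireguard/wg0.conf inside the container on the NAS ----
# (constructed example; container needs NET_ADMIN, net.ipv4.ip_forward=1,
#  and UDP 51820 forwarded from the router to the NAS)
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>            ; placeholder: output of `wg genkey`
# NAT tunnel traffic out to the home LAN; undo the rule when the tunnel goes down.
PostUp   = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

[Peer]
# Windows laptop: its own key pair and its own PSK, so one lost device is
# revoked by deleting this one block.
PublicKey    = <laptop-public-key>           ; placeholder
PresharedKey = <laptop-preshared-key>        ; placeholder: output of `wg genpsk`
AllowedIPs   = 10.8.0.2/32                   ; /32: may only source packets as 10.8.0.2

[Peer]
# Android phone
PublicKey    = <phone-public-key>            ; placeholder
PresharedKey = <phone-preshared-key>         ; placeholder
AllowedIPs   = 10.8.0.3/32

# ---- Client side: the laptop's tunnel config (imported into the WireGuard app) ----
[Interface]
Address    = 10.8.0.2/32
PrivateKey = <laptop-private-key>            ; placeholder; never leaves the laptop
DNS        = 192.168.1.1                     ; placeholder: the home router / Pi-hole

[Peer]
PublicKey    = <server-public-key>           ; placeholder
PresharedKey = <laptop-preshared-key>        ; must match the server-side block above
Endpoint     = vpn.example.com:51820         ; placeholder: public name of the home router
# Split tunnel: only the WireGuard range and the home LAN are routed through the
# VPN. Use 0.0.0.0/0 instead if you want all traffic (e.g. on public Wi-Fi)
# to leave via home.
AllowedIPs   = 10.8.0.0/24, 192.168.1.0/24
# Keeps the NAT mapping on the coffee-shop router alive so the server can reply.
PersistentKeepalive = 25
```

Once both files are in place, `wg-quick up wg0` on the server and activating the tunnel on the client is enough to bring it up; `wg show` on either side confirms a recent handshake, which is the quickest check when the tunnel “sort of works” but traffic isn’t flowing.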