Local 1522+ (Server) to Remote 920+ (DSM Client) open VPN Routing issue

I’m a huge fan of SpaceRex Videos and they have helped jump start my knowledge of Synology. Thanks so much!

I’m an IT professional at a very large corporation (we are not a carrier and have our own class ‘A’ IP address). I’m struggling to understand what interfaces do what and how they function on a Synology NAS. I’m running a NAS with Open VPN server (Local - as a service) and Open VPN client (Remote - native –DSM). My VPN tunnel comes up, but I am unable to map drives, route packets or Ping. When I use Open VPN Windows Client

on the remote side, the tunnel works fine.

Please seen Network Drawing:

Local Side:

Local NAS 1522+ (Labeled on diagram as (1))
Inside = /32 DG =
VPN Server = / 32

Netgear RX 10 Router and A/P (Labeled on diagram as (2))
Inside = / 32
Outside = Static 104.4.X.X /29 DG =104.X.X.X

Carrier = AT&T
Modem / Router = Nokia BGC320-505 (Not Labeled on diagram)
Outside 99.152.X.X DG=99.152.X.X

Remote Side:

Remote NAS 920+ (Labeled on diagram as (5))
Inside = /32 DG =
VPN Client /32

Reyee AX3000 Router & A/P (Labeled on diagram as (3))
Inside = /32
Outside 75.X.X.X / DG = 75.X.X.X

Router #2 Netgear RX10 (Labeled on diagram as (4))
Inside = /32
Outside= /32

The remote side has laptop wirelessly connected to the RX10 on /32
The remote side has a desktop Ethernet connected to /32
Remote connectivity functions correctly for both the laptop and desktop when connected via the Windows Open VPN client.

I’m a Cisco CCNA/CCDA/CCNP Voice, so I understand routing (not that I’m above doing something stupid – I do that all the time)!

The Windows firewall is enabled on both windows P.C.’s.
The Firewall and Router services on the 1522+ and 920+ are not enabled.
When the Open VPN windows client is run on a P.C. on the remote side , a route is injected to the other side (local) /32 via with GW = (Via Route Print at a CMD prompt) shows up in the ARP Table with a dynamic MAC Address. All the pieces are in place and it works like a champ.
When the Windows Open VPN client is disabled, the route and the dynamic IP Address/MAC address disappear.

What I’m struggling to understand is how the Synology presents interfaces to route table.

Logically the ‘inside’ would be the /32 (local) and 10.60.61 / 32 (Remote). One would think the would be ‘outside’.

Even if I put a static route in the Reyee AX300 ( / 32) pointing 192.1681.0 /32 to the inside interface of the remote NAS ( is does not work.

I suspect the NAS at does not know to send the packet going to /32 out the ‘Outside’ /32 interface. Is there a routing protocol used between the two Synology NAS when the Sever/Client connection is up? Does it have it’s own routing table? If so, can it be viewed? If I need to enable routing in the Synology, what order do services process incoming packets in? Is Router First, Firewall Second, VPN third?

Any help with this will be greatly appreciated.

Synology has a fantastic product with the worst support I have ever seen!

I have about 5-6 hours in this with Synology support. They won’t do a voice call, won’t have a manager contact or call me. It’s clear to me my support person does not understand routing. I’m told my case is escaladed, but I still have to deal with the same Tier 1 support person that has had the case for over 3 weeks. All I get is links to non-specific knowledge base articles (that often have nothing to do with the question I asked). I’m starting to believe that Synology support makes AT&T support look good!

Hi Chuck,

I have some experience with OpenVPN server on Synology NAS but I’ve not heard of using a remote Synology NAS as an OpenVPN client. I got a bit swamped in your explanation but it looks like that is what you’re trying to accomplish from your diagram. I admit it’s very possible I’ve misunderstood. Have you considered connecting the OVPN server on DS1522+ to an OVPN compatible remote router that can create the link? There are several routers that can do that. OpenVPN Client Setup . It’s my understanding that Synology routers can accept .ovpn files to create a VPN link remotely. I’m thinking that if you have a VPN link from local server to remote client router you will have more routing/mapping flexibility and not have to rely on OVPN client installations on each individual workstation. Just a thought. Disregard if I’ve completely misunderstood.

Thank you for you response. I do own a router(s) that should natively work with the Open VPN server and that is most likely where I will end up.

I’m also confident that if I can find someone that understands how the Open VPN service running on the 1522+ interfaces with the other services on the 1522+ (like the NAS and the firewall) and the rest of the network, I can get this to work. It’s all about making the network understand how to get to the subnet on the other side. Most VPN appliances have an inside and outside interface. To get from a local device to a device on the other side of the VPN, you just point those packets at the inside interface of the VPN appliance.

Routing is much more simple than people think it is. The router only make one decision for each packet. A packet comes in, the router looks at it and decides is destined for a subnet on a locally attached interface (if yes, send it out that interface), if not locally attached, does my routing table know about the subnet (if yes, send it out the interface published in the routing table), else when the router has no idea what to do with the packet, send it out the default gateway.

Again, thank you for taking the time to understand my issue as I know it took effort. Once I do get this resolved, I will publish the answer for others.