VPN setup across two remote NAS devices

I am looking for some wisdom/opinions on my current setup as well as suggestions for how it can be improved.

Currently, I have two Synology NAS devices - one at my house and a second at a friend’s house. I have OpenVPN Servers running on each so my friend and I can use the OpenVPN tunnel when traveling. Each Synology is replicated to the other via an encrypted connection using DDNS. This requires ports 5566 and 5001 to be open (in addition to 4451 for the OpenVPN protocol).

Because of the non-stop pings/hack attempts that Will mentioned in his most recent video, I have implemented the Synology firewall to block all non-VPN traffic from outside the USA.

I’m looking for alternate solutions that might not require me to have the ports open. Here are some ideas I came up with:

Option 1: Set my home NAS to be the main VPN Server and then create a VPN Client connection under the Network Interface for the remote NAS to connect to the home NAS. I suspect that port 4451 still needs to be open - which might not be a problem.

  • Does this inhibit access for my friend at all to the device from his local network?
  • How would he access his files remotely? Would he have to VPN to my home NAS/network?
  • When the remote device initiates the VPN connection, does it then have 2 distinct IP addresses - 192.168.1.x (local network) & 10.0.0.x (VPN network)?
  • How would I know the IP address of the remote NAS to update the Replication Task source/destination locations?
  • If the two NAS devices are connected via VPN (initiated by the client), do the 5566 & 5001 ports still need to be opened/forwarded on both routers?

Option 2: Same as option 1 but reverse the VPN server/client roles between the devices (i.e., remote NAS = VPN server, and home NAS = VPN client)

  • It’s not clear what impact this would have on my home workflows; I am a heavy user of Photos Mobile, WebDAV, and a VPN client from my cellphone/laptop. I assume I would need to use the remote VPN Server connection, because I believe that when you set up a VPN network connection you can no longer run the VPN Server application.

Option 3: My Netgear router (MR60) can also be set up as a VPN Server. It’s not clear though how the IP assignments would work and whether WebDAV and Photos Mobile would function as they do currently. If I log in through the router VPN server, are the IP addresses treated as if they are on their local subnets, 192.168.x.x? Similar to Option 1, if I configure the remote NAS to log onto the Netgear router via OpenVPN, it’s not clear to me how the Replication server name/IP address would need to change.

Option 4: A friend of mine recommended the GL-MT2500A Security Gateway. I’m still working my way through those instructions but if anyone has suggestions on how this could be used (I’m waiting to hear from my friend), please let me know. My suspicions are that it might be similar to #3.

Option 5: Use Tailscale. I think this was suggested in the past but I feel that it’s just beyond my realm of comprehension. The way I understand it is that each NAS would be assigned a cloud-based IP address on a VPN mesh network. The two NAS devices would talk to one another across that VPN mesh network. I could then access that same VPN mesh network from my phone (and share the account with my friend to do the same if he wants).

  • What’s not clear with this solution is this: if I’m out of the country and I log into the VPN mesh network to access the NAS devices, am I able to send all internet traffic there as well?
  • And if so, where would it “come up” (aka where would the public IP address show)? My house, my friend’s house, somewhere else?
  • Do ports need to be opened/forwarded with Tailscale?
  • How would the Replication partner server connections need to change? Would it be the mesh network IP address?

Thanks!
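The common thread in the options above is "replicate over the tunnel so that 5566 and 5001 never have to face the internet". The following is an added example, not code from the original post or from Synology: a plain Linux iptables policy for one NAS in which the only port reachable from the outside is the OpenVPN port (4451, as in the post), while the replication port (5566) and DSM HTTPS (5001) are accepted only from the tunnel subnet (10.0.0.x in the post) or the local LAN. The interface names (eth0, tun0), the LAN subnet and the log prefix are assumptions; the port numbers come from the post.

```shell
#!/bin/sh
# Added example (not from the original post or Synology). Firewall policy for a
# NAS that exposes only its OpenVPN port to the internet; replication (5566)
# and DSM HTTPS (5001) are reachable only over the VPN tunnel or from the LAN.
#
# By default the script only PRINTS the iptables commands (dry run) so the
# policy can be reviewed. Run "sh nas-fw.sh apply" as root to install it.

WAN_IF="${WAN_IF:-eth0}"              # assumed internet-facing NIC of the NAS
VPN_IF="${VPN_IF:-tun0}"              # assumed OpenVPN tunnel interface
VPN_NET="${VPN_NET:-10.0.0.0/24}"     # tunnel subnet mentioned in the post
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed local LAN subnet
OVPN_PORT="${OVPN_PORT:-4451}"        # OpenVPN port from the post
REPL_PORT=5566                        # Synology replication port from the post
DSM_PORT=5001                         # DSM HTTPS port from the post

# ipt: print the command in dry-run mode, execute it in apply mode
ipt() {
    if [ "$MODE" = "apply" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# build_rules <dry-run|apply>: emit the whole INPUT policy
build_rules() {
    MODE="$1"
    # Default deny: anything not explicitly allowed below is dropped
    ipt -P INPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The only service the internet may reach is OpenVPN itself
    ipt -A INPUT -i "$WAN_IF" -p udp --dport "$OVPN_PORT" -j ACCEPT
    # Replication and DSM are allowed only from the tunnel or the local LAN;
    # there is deliberately no rule accepting them from arbitrary WAN sources
    for port in $REPL_PORT $DSM_PORT; do
        ipt -A INPUT -i "$VPN_IF" -s "$VPN_NET" -p tcp --dport "$port" -j ACCEPT
        ipt -A INPUT -i "$WAN_IF" -s "$LAN_NET" -p tcp --dport "$port" -j ACCEPT
    done
    # Log (rate-limited) what the default policy is about to drop, so the
    # "non-stop pings" become visible in the kernel log instead of invisible
    ipt -A INPUT -i "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "NAS-DROP: "
}

build_rules "${1:-dry-run}"
```

With the tunnel in place, the replication task's partner address becomes the peer's tunnel address (10.0.0.x), and the 5566/5001 port forwards on both routers can be removed, since nothing outside the tunnel needs them. On DSM itself the firewall is managed by the Firewall profile in Control Panel, which generates its own iptables rules; the script shows the shape of the allow list to express there (VPN port from anywhere, everything else only from the tunnel and LAN), not something to paste onto a Synology box.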

If you watched Will’s recent video on basic security, then you should have changed your HTTPS port from 5001. This (and the default “admin” account) is a primary target used by all script kiddies.