Synology: Adding PIA VPN to your NAS

Posted in Synology on Aug 10th, 2017

The Synology NAS provides us with the ability to create our own private cloud on our own private equipment so that we can access our private and sometimes sensitive data wherever and whenever we want so long as there is a reliable internet connection available.

However, it is vital that we have adequate security measures in place to prevent unauthorised access to our cloud.

In addition to providing you relative anonymity when surfing the net, a reliable VPN like PIA is also a cheap way of masking your NAS’s external IP address.

Here is an excellent article by Jonas Carlsen Kjær on how to add PIA VPN to your synology NAS,

Updates @ 6 Nov 2020

My connection died with an “expired certificate” message when I swapped internet service provider. I tried rebuilding the VPN profile with the  latest config files from PIA  without success. Finally got to PIA support who provided a new guide, which was a little different from the article by Jonas above.

Getting OVPN file contains invalid parameters so following up with PIA.

After a long and arduous chats with PIA agents, the final outcome is “your device is not supported, please try the forums“.  As the old saying goes, you get what you pay for.

As swapping VPN provider is not an alternative for me (just renewed my annual subscription), I did some fossicking and stumbled across this article in the Synology forums that worked, see second entry by Paul McCarthy.

Bottom line, Synology does not like the compression and crl verification.

Process (courtesy Paul McCarthy)

  1. Download latest PIA configs from here: OpenVPN Configuration Files (Recommended Default)

  2. Select an appropriate config and make the following edits:

    • Delete the compress line

    • Delete the entire <crl-verify> section

    • Add the line comp-lzo no

  3. Create a new VPN config on the Synolgy and perform the following steps:

    • Choose to import a ovpn file and give the new config a name

    • Enter a username and password

    • Select the ovpn config file that you edited above

    • Select Advanced options

    • Browse for a Certificate revocation file and choose the IPA crl.rsa.2048.pem file and click Next

    • Select ALL three options (I selected 1 & 3 only) on the next screen (this allows Download Station to work). 

  4. Voila, it works.