
We have a remote office with a Synology NAS and we would like it to connect to the home office Synology NAS. We have set up VPN Server (Synology package) on the home office NAS and enabled OpenVPN. The next step would be to open the appropriate port on our home office firewall to enable the inbound OpenVPN connection; however, I am concerned this opens us up to security risks/threats and want to see if there are any steps I can take to make sure this is as secure as possible.

What steps can I take to strengthen the security of our Synology VPN setup? Should we change the default OpenVPN port, or will that not matter? Any other steps to harden our configuration?

We have already selected AES256 encryption.

SamErde
Swisher Sweet
    In general, when you open new ports in your firewall only for specific white-listed IP addresses, which you can easily do for a site-to-site VPN, your risk level won't really increase all that much. – HBruijn Jul 29 '18 at 05:45

1 Answer


At the very least, you'll want to make sure you have the following bases covered:

  1. Make sure that your Synology NAS[es] and other endpoints are always caught up on security updates.
  2. Make sure both Synology endpoints have valid SSL certificates in use and that all traffic is going through encrypted ports.
  3. Configure and use MFA (multi-factor authentication) for all users on your Synology endpoints.
  4. Enforce decent password complexity rules.
  5. Make sure that you only allow remote access to the local network ports and applications that are truly required over the VPN. Don't open up all of your Synology applications and services just because you can.
  6. If you have static IP addresses at your two offices, you can use network ACLs to only allow those IP addresses to connect to the VPN.
SamErde
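
One way to verify item 6 and the source-allowlisting point in HBruijn's comment, as an added example that is not part of the original answer: an audit of `iptables-save`-style rules that flags any ACCEPT rule exposing the OpenVPN port to sources outside the remote office's address. It assumes a Linux firewall, OpenVPN on its default 1194/udp, and documentation-range addresses; the sample rules and the function name `audit_vpn_rules` are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample: filter rules from a hypothetical Linux firewall in front
# of the home-office NAS. All addresses are from documentation ranges.
SAMPLE_RULES = """\
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
"""


def audit_vpn_rules(rules_text, allowed_peers, port=1194, proto="udp"):
    """Return (rule, reason) for every ACCEPT rule that names the VPN port
    and admits sources outside the allowlist of remote-office addresses.

    Scope: only rules that name the port explicitly with --dport are checked;
    port ranges, multiport matches and catch-all ACCEPT rules are not.
    """
    allowed = [ipaddress.ip_network(p, strict=False) for p in allowed_peers]
    findings = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if not tok or tok[0] != "-A":
            continue
        # Map every token to the one that follows it: opts["-s"] is the source.
        opts = dict(zip(tok[2:], tok[3:]))
        if (opts.get("-j"), opts.get("-p"), opts.get("--dport")) != ("ACCEPT", proto, str(port)):
            continue
        if "!" in tok:
            findings.append((line, "negated match, review manually"))
            continue
        src = opts.get("-s")
        if src is None:
            findings.append((line, "no source restriction"))
            continue
        net = ipaddress.ip_network(src, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            findings.append((line, f"source {net} is outside the allowlist"))
    return findings


if __name__ == "__main__":
    for rule, reason in audit_vpn_rules(SAMPLE_RULES, ["203.0.113.10"]):
        print(f"{reason}: {rule}")
```

An empty result means every rule that opens the VPN port is limited to the allowlisted peers; it says nothing about broader ACCEPT rules that do not name the port.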