Synology Inc. Online Community Forum

[myCloud]

Lets go back to 192.168.0.x and wherever you have ALG uncheck it.

Now let's go to page 32 of your DIR-635 manual, Advanced/Port Forwarding. This should be where you have your rule for inbound port forwarding. You have some kind of name for the rule and you've set the IP to that of the DiskStation (or maybe the computer name pull down did it for you) . See if you have PPTP in the Application pull down menu. It should set TCP to 1723 and probably leave UDP blank, with Inbound Filter Allow All and Schedule Always.

Give that a try.

[Gabiru]

Well, that's the way it's always been so there's no change.

PPTP is not in the application pull down menu in the port forwarding section, only in the 'virtual server' section.

[myCloud]

Well, that's the way it's always been so there's no change.

PPTP is not in the application pull down menu in the port forwarding section, only in the 'virtual server' section.

I'm learning the DIR-635 as we go here. I wonder if having that configured in the Port Forwarding settings interferes with it on the Virtual Server page, or if the latter set the Port Forwarding to be that?

On the Virtual Server page, do you have a name, IP address of the DiskStation, Application Name something like PPTP, Computer Name = that of your DiskStation, Public 1723, Private 1723, Traffic Type TCP, Protocol 47, Schedule Always, Inbound Filter All?


Edit; If you have DMZ Enabled on page 41, uncheck it.

[Gabiru]

DMZ is unchecked, no worries

Well, in virtual server, when I click on 'PPTP', it will automatically fill in the data: 1723, TCP and number 6 below that (http://i44.tinypic.com/213j1io.png). When I change that number to 47, the 'protocol' will jump to 'other'. Then, when I test it that way, it'll say 'the server doesn't react' again (so it's not even connecting or responding - when I do on other settings it says connecting first, then starting, and then fires an error).

[myCloud]

That number field with the 6 must be something other than the protocol number then.

We've been through pretty much everything, and as far as I can tell it's now all set correctly. Can you attempt to make the VPN connection with wireless turned on in the iPhone where it gets a 192.168.1.x address from the D-Link? You'll also need to change the Server: in the iPhone's VPN config from the DDNS name to the local IP of the DiskStation.

[Gabiru]

Okay, this is weird...

When I try on my iPhone through wifi: no result, same thing.

When I try on my mac through LAN wifi to the EXTERNAL ip address: I can connect.

When I try on my mac through my iPhone's tethered 3G connection: I can connect on the external IP. Mac says I've been assigned an internal IP, which is a correct one as well.

Then, when I go to an IP checking site, it says the my IP is the IP of my iPhone, even though I'm connected to the VPN. It also won't let me access LAN resources (which it does allow me when I'm connected to the LAN wifi and the vpn on my mac).

I probably better give this up...

[myCloud]

Well, the point of all this is to have a secure connection to home when you are away and it sounds like we're getting close. Change the iPhone's VPN settings back to the external DDNS, turn off wifi and see what you get. If you have the iPhone correctly configured to send all data through the VPN, when you browse to whatismyip.com, etc. you should see your home address when the iPhone is connected via VPN and it's own IP when you aren't.

From your testing with the Mac tethered, it sounds like you didn't have it set up to send all data through the VPN.

[Gabiru]

You're quite right!

I changed the Macbook's settings to send all traffic through the VPN and now it displays my home address even when tethered through 3G

So, in principle it should work. Now it's a question of making my iPhone work with it.

[2 mins later]

Amazingly, it now works! I'm connected through 3G. I don't think any of my settings are different. I did however delete the whole VPN thing and created a new profile with the exact same data.

Anyway, thanks a LOT for your help

[myCloud]

You're most welcome! I knew we could do this thing! Enjoy!

[Gabiru]

This will be a most useful feature for me

Not only can I do my TimeMachine backups on the run now when I'm not at home, I can also make a terminal connection to the NAS in case I need to change it (port 22/23 is blocked by my ISP, so I couldn't make remote connections before). And last but not least: my ISP, which is also my cable television provider, has an app that allows you to watch live television on all channels if you're a customer AND logged in through the internet connection that has the subscription. 3G live television, here I come

Edit: for future reference and in case anyone runs into the same setup/router issues, here are the setting that eventually made it work:

In the port forwarding tab (not virtual server), forward port 1723 on TCP only (don't check UDP). In the firewall, I have PPTP ALG unchecked.

On the iPhone I'm using my external IP, encoding on auto.

[Gabiru]

Just a quick last two questions:

In terms of security, it's impossible for a network administrator to check my traffic? (It's not that I want to do anything illegal with it, but when I'm transferring a backup of my whole system, I don't want some campus geek to intercept it; also, some of the wifi networks on my university campus are maintained by computer geeks, I don't want them to be able to sniff through my internet traffic.)

Secondly, I have no idea if it makes any difference or not, but would it be better to make a VPN connection on my iPhone's 3G and then tether the connection to my laptop when I'm on the road; or should I tether the connection and establish the VPN tunnel on my laptop?

[myCloud]

Just a quick last two questions:

In terms of security, it's impossible for a network administrator to check my traffic? (It's not that I want to do anything illegal with it, but when I'm transferring a backup of my whole system, I don't want some campus geek to intercept it; also, some of the wifi networks on my university campus are maintained by computer geeks, I don't want them to be able to sniff through my internet traffic.)

The network admin will know you've made a connection to a PPTP VPN, but not be able to see the contents in the tunnel. To say PPTP isn't the best way to VPN is an understatement, but at least for now, it's all the DiskStation and iOS have in common. I use SSL (HTTPS) on all the connections going through the tunnel.

Secondly, I have no idea if it makes any difference or not, but would it be better to make a VPN connection on my iPhone's 3G and then tether the connection to my laptop when I'm on the road; or should I tether the connection and establish the VPN tunnel on my laptop?

I've never done tethering, so my honest answer is, "I don't know." If the tethered connection is secure, it shouldn't matter, but if it will work, I'd try tethering first and creating the tunnel from the laptop.

Regarding security at home. Most bots that run vulnerability accessors, in fact, many professional companies that do that for you, don't scan all ports--it's not efficient for them. They scan the most used ones. SSH (port 22) is one of those and is often the target of brute force password attacks. The best way to run it at home is to have your inside router (your D-Link) port forward a high-numbered port to port 22 on the computer you wish to access. In fact, you can set up several different high-numbered ports (i.e. 22000+), one for each computer you wish to access on port 22. Port 5000 (uPnP) is another one. I wouldn't port forward that port (or any of the DiskStation 5xxx numbered ports) on the inside router to the DiskStation now that you have VPN working. If you must have access to these outside the VPN, I'd do the same thing with forwarding high-numbered ports to the 5xxx ports on the D-Link.

I have a setup similar to yours with an AT&T UVERSE router (slow networking) feeding an Apple AirPort Extreme. I don't get their TV service or VOIP phone though (still have my POTS line). My DS1512+ is too important to us to expose to the Internet as a web or mail server. For those, I'm going to get an "expendable" 1-bay DiskStation, put it in the DMZ (uses one of the outside router's IP addresses), port forward the needed ports on the outside router, and create differently named and passworded accounts on it (or alternatively, use keys).

Hope this helps.