Combining a few bits and pieces from the Interwebs in case you have the same need I had: that is, getting to various Web interfaces that were on private IP addresses behind a VPN. Our church has a Synology NAS, and every now and then, I’ll need to log in to add a firewall rule to the Comcast router, turn on the projector or update a Windows box. All these devices run in a private IP address space managed via the Synology server’s DHCP server and aren’t accessible to the public Internet.
If you have a Synology NAS running a VPN server, ChromeOS will just do the right thing, networking-wise, after you set up a VPN. Just use the standard Chromebook Help Center recipe to set this up. (The combination of Synology DSM 6.2.2–24922 and the ChromeOS stable build, 72.03626.122 as of this writing, worked out of the box for me.) After I set up and connected to the VPN, I was able to hit the Web interfaces of our projector, the Comcast router, the printer, etc.
But if you are running MacOS (my iMac is running 10.14.5 as I write this), you might need to add a static route in order to reach those same devices on the other side of the VPN. The Synology docs tell you how to add the static route from the terminal, but not how to automate it so that MacOS adds the route for you every time the VPN connects.
Luckily, Rob Allen explains how to do this.
So putting the ingredients together, here’s the recipe:
- Set up the VPN server using the Synology documentation. We use L2TP/IPSec because you don’t need to install any additional software on your clients, but you can use OpenVPN for stronger security if you prefer. We use the default Dynamic IP address (10.2.0.0) and MS-CHAP v2 for authentication. (Hint: don’t forget to add port forwarding rules on your router.)
- On MacOS, set up an L2TP/IPSec VPN connection using this Synology recipe. You’ll need the pre-shared key that you set up in Step 1.
- Connect to the VPN server. You can put a status indicator in your menu bar if you want to easily see whether you’re connected.
- Finally, add a static route so you can “see” all the devices in the private address space on the other side of the VPN. I used Rob Allen’s directions, which put a 1-line script in /etc/ppp/ip-up; MacOS automatically executes this script when you connect to the VPN. I followed the Synology documentation’s recommendation of using the Synology server’s static IP address rather than 192.168.1.0/16 (what Rob showed).
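
A slightly longer take on that /etc/ppp/ip-up script, as an added example (not Rob Allen's or Synology's code): it adds the route only when the address handed out to the PPP interface falls in the 10.2.0.x pool, so other VPN connections on the same Mac are left alone. `TARGET` is a constructed placeholder, and treating the pool as 10.2.0.0 through 10.2.0.255 is an assumption.

```shell
#!/bin/sh
# Added example for /etc/ppp/ip-up (not Rob Allen's or Synology's script).
# pppd runs this file as root on every PPP/L2TP connect with:
#   $1=interface  $2=tty  $3=speed  $4=local IP  $5=remote IP
# Assumptions: VPN_POOL is the 10.2.0.x client range from the VPN server
# settings; TARGET is a constructed placeholder for the private address to
# reach through the tunnel (use -net with a CIDR block for a whole subnet).
VPN_POOL="10.2.0."
TARGET="192.168.1.10"

# Succeeds only for a well-formed IPv4 address inside the VPN pool.
in_vpn_pool() {
    case "$1" in
        *[!0-9.]*) return 1 ;;
        "$VPN_POOL"?*) ;;
        *) return 1 ;;
    esac
    last=${1#"$VPN_POOL"}
    case "$last" in *.*) return 1 ;; esac
    [ "$last" -le 255 ]
}

# Prints the route command for this connection, or fails when the interface
# is not a ppp device or the local IP was not issued from the VPN pool.
route_cmd() {
    iface=$1 local_ip=$2
    case "$iface" in
        ppp[0-9]|ppp[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    in_vpn_pool "$local_ip" || return 1
    printf '/sbin/route add -host %s -interface %s\n' "$TARGET" "$iface"
}

# Act only when invoked under the real name, so the functions above can be
# checked from another script without touching the routing table.
case "$0" in
    */ip-up|ip-up)
        if cmd=$(route_cmd "$1" "$4"); then
            logger -t ip-up "adding VPN route: $cmd"
            $cmd
        else
            logger -t ip-up "skipped route for $1 (local IP $4 not in pool)"
        fi ;;
esac
```

Because pppd runs this file as root, keep it owned by root, executable, and not writable by any other user.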
Hope this helps!