VPN on a NAS: How to Set Up Synology or QNAP Safely in 2026
A NAS has long stopped being just a "file box": it holds photo archives, backups, media libraries, Docker services and sometimes work documents. That's why VPN on a NAS in 2026 matters not as a trendy checkbox, but as a way to securely connect to your home storage without exposing extra services to the internet. Let's look at when it makes sense to run a VPN directly on Synology or QNAP, when it's better to move it to the router, and which checks help you avoid losing access to your data.
When a VPN on a NAS is actually needed
The main scenario is remote access to home or office files without exposing the NAS panel, SMB, WebDAV or media server to the outside. The idea is simple: from your phone or laptop, you first connect to the VPN, become "as if you were on the home network," and only then open folders, photos, notes or the NAS admin panel.
The second scenario is isolating specific tasks. For example, part of your downloads, syncing with an external service or a test container should go through a separate VPN route. This is useful but trickier: routes, DNS and firewall rules start affecting not only internet access but also local access to the NAS.
The third scenario is a small office without a dedicated network admin. A NAS can serve as an entry point to documents, but then it's important not to turn it into the only — and poorly protected — "edge server." In a work environment, define roles in advance: where the VPN lives, where backups go, who has access, and how a lost device gets revoked.
Synology's official materials describe the VPN Server package and how to set up a VPN server on the NAS; QNAP develops QVPN along with dedicated scenarios for WireGuard/OpenVPN. But in a real home network the question isn't only "which button to press," it's "which traffic will go through the tunnel and what breaks if something goes wrong."
Three schemes: NAS as server, NAS as client, VPN on the router
| Scheme | When it fits | Pros | Risks |
|---|---|---|---|
| NAS as VPN server | You need to reach home files from outside | Fewer exposed services, familiar folder access | Requires NAS updates, strong passwords, careful port rules |
| NAS as VPN client | Specific NAS tasks must go through a tunnel | You can isolate downloads or sync jobs | Easy to break DNS, routes and local access |
| VPN on the router | You need to protect several devices, a Smart TV or consoles | Centralized, NAS stays in its local role | Router can be underpowered, needs VPN client support |
If the goal is "open my photos and documents while traveling," the most logical choice is usually NAS as a VPN server or VPN on the router. If the goal is "only one container on the NAS should use the VPN," be ready for more delicate work with container networks.
For a fuller FoliVPN view of home networking, compare this article with the neighboring guides: VPN on a home router and VPN blocks the local network. And if you need a VPN for work and calls, see VPN for remote work. The main service landing page: FoliVPN.
Safe preparation before configuring
Don't start with port forwarding. First do the basic hygiene, because a NAS stores data — it doesn't just "share the internet."
Checklist before enabling VPN:
- update DSM/QTS and VPN packages;
- enable two-factor protection for admin accounts where available;
- create a separate user for VPN, don't use the main admin;
- disable guest and old accounts;
- verify that you have local access to the NAS by IP, not only via a cloud domain;
- save a backup of the NAS configuration;
- make sure the router doesn't isolate Wi‑Fi clients from the wired network;
- write down in advance which port and protocol you're opening to the outside.
The most common mistake is changing VPN, DNS, firewall and port forwarding all at once. If "nothing opens" afterwards, it's unclear which setting is to blame. Change one block at a time and verify access after each step.
Choosing a protocol: WireGuard, OpenVPN, L2TP/IPsec
In 2026, new setups usually focus on WireGuard and OpenVPN. WireGuard is often simpler to configure and works well on weaker hardware, but its support depends on the specific platform, NAS model and package. OpenVPN is more widely supported and available in many clients, but may require more attention to certificates, profiles and routing parameters.
L2TP/IPsec still appears in older guides and some built-in clients, but for new home setups it's usually not the first choice. PPTP should be ruled out for new installations: it's an outdated option that shouldn't be used to protect access to personal files.
If your NAS is weak, don't promise yourself gigabit speeds through an encrypted tunnel. Real speed depends on the CPU, chosen protocol, remote server, MTU, router and what else the NAS is doing: photo indexing, backups, Plex/Jellyfin, Docker and antivirus can all compete for resources.
Setting up the NAS as a VPN server: the safe order
What follows is not a "press exactly this button" guide for every interface version, because DSM and QTS keep changing. It's an order of operations that reduces the risk of locking yourself out.
1. Verify local access
Open the NAS panel by its local IP from inside your home network. Check that files, the admin panel and the apps you need open correctly. If at this stage everything already relies on an external domain or cloud redirect, sort out the local network first.
2. Enable the VPN package and pick a protocol
On Synology this usually means VPN Server; on QNAP it's QVPN. Enable only the protocol you actually plan to use. Don't leave several servers running "just in case" if you don't know why they're there.
3. Create a dedicated user
The VPN user shouldn't be the main NAS administrator. Give it the minimum rights. If only one folder needs to be accessible, don't expose the entire archive.
4. Configure the router minimally
Open only the port the NAS actually needs. Don't forward the web admin panel, SMB and media services at the same time. If your ISP uses CG-NAT and inbound connections aren't possible, don't try to "force" the network: consider a VPN on a cloud server, a reverse tunnel or a router with a suitable scheme.
5. Test from mobile internet
A test from the same Wi‑Fi network doesn't always show the real picture. Turn off Wi‑Fi on your phone, connect via LTE/5G and check: the VPN connects, the NAS is visible by its local IP, files open, and DNS doesn't redirect you to an external panel.
NAS as a VPN client: where the pitfalls begin
When the NAS connects to an external VPN as a client, it's crucial to understand the default route. If all NAS traffic goes through the tunnel, you may see changes in updates, cloud sync, containers, notifications and access from the local network. If only part of the traffic goes through the VPN, you'll need routing rules.
For a typical user it's safer to frame the task this way: "which app or container should use the VPN?" If there's no answer, don't enable a global VPN client for the entire NAS. A global tunnel is convenient until the first breakage: the NAS is connected, but packets come back through the wrong path, a local folder disappears, and the mobile app only sees the device via the cloud.
With Docker it's especially easy to slip up. One container may use the host network, another a bridge, a third a separate VPN gateway. If you're not sure, document the layout: container name, network, DNS, variables, ports, and how to disable VPN and restore direct access.
Troubleshooting: VPN is connected, but the NAS isn't visible
Start simple and work through the layers.
- IP address. Does the NAS's local IP ping from the VPN client? If not, the issue is in routing or the firewall.
- Subnet. Do the home and remote networks overlap? For example, both sides use 192.168.1.0/24 — then the client doesn't know where "home" is.
- DNS. Does the NAS open by IP but not by name? Then the issue is DNS or the local hostname.
- Permissions. Is the device visible but the folder won't open? Check user rights, not just the VPN.
- NAS firewall. Is access allowed from the VPN subnet, not only from the local LAN?
- Default route. Is the NAS sending replies through an external VPN client instead of the home gateway?
- MTU. If the file list opens but downloads stall, check MTU and fragmentation.
Check for subnet conflicts separately. This is one of the most underrated cases: at home you use 192.168.1.x, and the café or office also uses 192.168.1.x, so the client tries to find the NAS "locally" instead of through the tunnel. The fix is to switch your home subnet to something less common — say 192.168.50.0/24 or 10.20.30.0/24 — but do it carefully so you don't lose local devices.
What you shouldn't do
Don't expose SMB directly to the internet. Don't publish the NAS admin panel "temporarily" if you tend to forget to close ports. Don't reuse a single password for
Use the smallest safe checklist
Open Foli, refresh the subscription and test one network and one route before changing everything.