Synology SRM router with site-to-site VPN for layer2 connection

I have got a Synology RT2600AC router with VPN Plus server with S2S option. that option is using IPSec, which would not connect my networks over Layer 2. In addition, the Synology VPNPlus S2S service is not free (even though it uses the libreswan package). I have DLNA/ UPnP servers on my network which should be visible automatically on all LANs (even remote ones). To have broadcast packets transmitted to all networks, I have to have them on same local LAN subnet, which is shared among all LANs connected via VPN.

That is achievable with OpenVPN, which is available for free on Synology VPN Plus Server. Synology S2S feature is not free as beer (even it is using libreswan package). The other two routers I have picked TP-Link TL-WR1043ND v4. I have replaced original firmware on them with LEDE-Project one, so I could tune fine my configurations.

OpenVPN server configuration on RT2600AC

drwxr-xr-x    3 root     system        4096 Oct  7 07:35 .
drwxr-xr-x   11 root     system        4096 Nov  6 12:59 ..
drwxr-xr-x    2 root     system        4096 Nov  1 16:24 keys
-rw-r--r--    1 root     system         949 Oct  8 21:25 openvpn.conf
-rwxr-xr-x    1 root     root            48 Oct  6 15:33 openvpn.up
dev tap

management 1195

max-clients 20
cipher AES-256-CBC
auth SHA512

dh /var/packages/VPNPlusServer/target/etc/openvpn/keys/dh3072.pem
ca /var/packages/VPNPlusServer/target/etc/openvpn/keys/ca.crt
cert /var/packages/VPNPlusServer/target/etc/openvpn/keys/server.crt
key /var/packages/VPNPlusServer/target/etc/openvpn/keys/server.key #this is shared key, must be uploaded to clients
tls-auth /var/packages/VPNPlusServer/target/etc/openvpn/keys/ta.key 0


verb 3

script-security 2
up /var/packages/VPNPlusServer/etc/openvpn/openvpn.up 

#log-append /var/log/openvpn.log

keepalive 10 60
reneg-sec 0

plugin /var/packages/VPNPlusServer/target/lib/ /var/packages/VPNPlusServer/target/etc/openvpn/radiusplugin.cnf

proto udp
port 1194

status /tmp/ovpn_status_2_result 5
status-version 2

push "route"
/usr/syno/sbin/brctl addif lbr0 tap0
/usr/syno/sbin/brctl stp lbr0 on
/usr/syno/sbin/brctl setmaxage lbr0 40

OpenVPN client configuration on TL-WR1043ND

dev tap

remote 1194


proto udp

script-security 2

reneg-sec 0

auth SHA512
cipher AES-256-CBC

auth-user-pass /etc/openvpn/xxxxx-xxx.secret

key-direction 1
ca /etc/openvpn/
tls-auth /etc/openvpn/xxxxx-xxx.key


One thought on “Synology SRM router with site-to-site VPN for layer2 connection

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.