How To Set up WireGuard VPN on any QNAP NAS server

If you have a QNAP NAS server with the new operating system QTS 5.0 or higher, we have very important news regarding VPN servers. The new QVPN3 service allows us to configure the fastest, safest and most efficient VPN server that we can currently use, since it lets us configure the popular WireGuard VPN very easily through its graphical user interface. If you want to know how to install and configure it, today in RedesZone we are going to show you a step-by-step tutorial on how to do it with any QNAP NAS.

Requirements and installation of QVPN3 on the NAS

To install the new QVPN3 service it is absolutely necessary to have the QTS 5.0 operating system. It is visually renewed, but it also brings very important internal changes that improve speed, overall NAS server performance and security, since it supports TLS 1.3 connections among many other important enhancements.

In the main menu of the QTS 5.0 operating system, we must go to the “App Center” section and install the new “QVPN Service” if you haven’t installed it yet.

In this App Center menu we can click on «All applications» and we will see all the software that we have the possibility of installing on our NAS server. To carry out this tutorial and performance tests we have used the NAS server and QNAP router QMiroPlus-201W, but any device that is compatible with QTS 5.0 can install the latest version of QVPN Service.

As you can see, the version of QVPN Service is 3.0 or later. It is absolutely necessary to install this program on our NAS to use the different VPN servers it offers. Once we have installed it, we can open it.

Once installed, we proceed to run this program, either from the App Center or from the shortcut that has been created on the NAS desktop.

WireGuard VPN Server Configuration on QNAP

The first thing to check when we open QVPN Service 3 is the network architecture we are using. If we are using the NAS purely as a NAS, we will have a single LAN port that serves as the outgoing interface and default gateway. If we have several interfaces and we have used the “Networks” application to create virtual networks internally, then it is recommended that you always use the interface of the default gateway in the different VPN services.

If we go to the menu “VPN Server / WireGuard” we can see the configuration menu of the VPN server with everything that we will have to fill in. In this menu we must make the following settings:

  • Server name : we put a name to the server, you can put whatever you want.
  • Private key : if we click on “Generate key pairs” it will be generated automatically. This private key should not be copied anywhere.
  • Public key : it is generated automatically with the button that we have clicked before. This public key must be given to each and every one of the clients that are going to connect to the WireGuard VPN server. We have a “copy” button to make it easier for us to copy the key.
  • IP address : is the IP address and subnet that the VPN server will use. We recommend an IP address such as, that is, a private subnet that is not in use on the local network, as is the case with OpenVPN and other tunneling VPNs.
  • Listening port : it is the port where WireGuard listens. The transport-layer protocol is always UDP, and the port can be easily changed; by default the port is 51820.
  • Network interface : we can listen on all network interfaces, or only on the default gateway interface.
  • DNS server : we can choose a DNS server, or use the internal one that the NAS server already has that it has obtained from the main router.

Once we have configured how we want this, we must click on «Apply».

In our case we have only changed the default subnet that comes in the NAS, we have set and we have clicked on «Apply». We have not changed the UDP port number, we have used the default port.

If you have several physical or logical interfaces internally on the NAS, you should edit the “Network interface” setting and choose “Default gateway”, because there may be internal routing problems on the VPN if you don’t select the correct interface.

In our case we have used adapter 1, which is the 2.5G Multigigabit port of the QMiroPlus-201W, to perform performance tests and obtain the maximum possible speed.

Once we have configured the server, we must configure the “Peers”, for this we must click on “Add counterpart” that we have in the lower right part of the menu.

WireGuard VPN Peers or Clients Configuration

The configuration of the WireGuard VPN peers or clients is very simple, but it is necessary to know the WireGuard syntax to write the configuration file properly. The first thing to do is download the official WireGuard VPN client from the official website; however, we prefer to use TunSafe because this VPN client does not return errors when we want to route all Internet traffic through the VPN tunnel. In the past we have had problems with the official WireGuard program for Windows, and the best option we have found is to use TunSafe.

Once TunSafe or the official VPN client is installed, what we must do is open the application, and go to a menu to generate the WireGuard keys randomly.

In the case of TunSafe, this menu is found in «File / Generate Key Pair»; we click on the «Randomize» button and the keys are created. The private key must always stay on the VPN client and must not leave the configuration file, while the public key must be copied directly to the NAS to add the “peer”.

Once the cryptographic keys for WireGuard have been created, we can start creating the configuration file in Notepad++ or in any text editor. What we have to put is:

[Interface]
PrivateKey = private key created in TunSafe
Address = the IP that the VPN client will have, we have set
DNS = the DNS servers

[Peer]
PublicKey = the public key that we have generated on the VPN server
AllowedIPs = if we put we will forward all traffic through the tunnel; you can do a split tunnel by entering the subnet or subnets you want to access.
Endpoint = IP or domain of the VPN server and the port in use.

In the following screenshot you can see the cryptographic keys generated and the complete configuration file, which only lacks the public key of the VPN server that we have generated.

In the “Add counterpart” section, you will be asked to enter the following information:

  • Name : Sergio
  • Public key : the key generated by the TunSafe VPN client or the official WireGuard client.
  • Pre-shared key : empty, we have not generated a pre-shared key
  • Endpoint : empty, any origin is valid, we are mounting a remote access VPN server and not a Site-to-Site.
  • Allowed IPs : the IP that we have defined in the client
  • Keep Alive : by default 10 seconds.
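As an added example (not from the original article or from QNAP), this Python check validates a client file of the shape described above against the server settings before it is loaded: key format, a client Address inside the tunnel subnet, a tunnel subnet that does not overlap the LAN, and whether AllowedIPs gives a full or a split tunnel. It also returns the value to enter under “Allowed IPs” for the peer on the NAS. The keys, the 10.99.0.0/24 tunnel subnet, the 192.168.1.0/24 LAN and vpn.example.net are constructed sample values, `lint_client` is a hypothetical helper, and `0.0.0.0/0` is standard WireGuard notation for routing all IPv4 traffic.

```python
import base64, configparser, ipaddress

# Constructed sample: made-up keys, addresses and host name (not from the page).
KEY_A = base64.b64encode(bytes(range(32))).decode()
KEY_B = base64.b64encode(bytes(range(32, 64))).decode()
SAMPLE = f"""[Interface]
PrivateKey = {KEY_A}
Address = 10.99.0.2/32
DNS = 10.99.0.1

[Peer]
PublicKey = {KEY_B}
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.net:51820
"""

def is_wg_key(value):
    """WireGuard keys are 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def lint_client(text, server_addr, lan_net):
    """Return (problems, mode, peer_allowed_ip) for a client file."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.optionxform = str  # keep WireGuard's CamelCase option names
    cfg.read_string(text)
    iface, peer = cfg["Interface"], cfg["Peer"]
    server = ipaddress.ip_interface(server_addr)  # e.g. 10.99.0.1/24
    tunnel = server.network
    problems = []
    if tunnel.overlaps(ipaddress.ip_network(lan_net)):
        problems.append("tunnel subnet overlaps the local network")
    for section, option in ((iface, "PrivateKey"), (peer, "PublicKey")):
        if not is_wg_key(section.get(option, "")):
            problems.append(f"{option} is not a 32-byte base64 key")
    client = ipaddress.ip_interface(iface["Address"])
    if client.ip not in tunnel or client.ip == server.ip:
        problems.append(f"Address {client.ip} must be in {tunnel}, not the server's")
    host, _, port = peer.get("Endpoint", "").rpartition(":")
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        problems.append("Endpoint must be host:port")
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for n in peer.get("AllowedIPs", "").split(",") if n.strip()]
    mode = "full" if any(n.prefixlen == 0 for n in nets) else "split"
    return problems, mode, f"{client.ip}/32"

if __name__ == "__main__":
    print(lint_client(SAMPLE, "10.99.0.1/24", "192.168.1.0/24"))
```
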

In the following screenshot you can see all the options, click on apply and the client would already be configured.

Once the VPN server is fully configured, we should see something like this:

Here you have the server configuration on the left, and the configuration file on the right, which we will run with TunSafe to connect.

In TunSafe or in the official WireGuard software, once we have successfully created the client configuration file, click on «Connect» to connect to the VPN server and it will automatically show us that the connection has been made successfully. We will also be able to see the exchanged traffic, and even in the VPN server we will be able to see in real time the transferred and received data, as well as other general status information.

This is the end of our tutorial on how to configure the WireGuard VPN server on a QNAP NAS with QVPN3. To add more “Peers”, we simply add them one by one on the server. If you are going to use Android or iPhone to connect to the VPN server, the configuration is exactly the same: you only have to fill in the data requested to connect. You will, however, have to generate the cryptographic keys on the mobile device and pass the generated public key to the server, and you will also have to copy the public key from the server to the client.

WireGuard VPN Performance Test on the QMiroPlus-201W

This tutorial has been carried out with a router that also performs the functions of a NAS server. The QMiroPlus-201W has a high-performance 2.5G Multigigabit port, and we have used this port to carry out speed tests on a local network. We installed the iperf3 software directly on the NAS server to check the performance it can provide via VPN, and the result has been truly amazing: 1,500Mbps of performance.

We carried out another test, and you can see that the amount of data transmitted is almost 2GB (approximately 1GB in each test); in this case the speed obtained is 1466Mbps, so the performance is really spectacular. We must bear in mind that the processor in this NAS is a mid-high-end Intel J4125, so other QNAP NAS with more powerful processors, such as AMD Ryzen and even Intel Xeon, will be able to provide greater speed.

As you have seen, the new QVPN3 in the QTS 5.0 operating system will allow us to have the WireGuard VPN, the fastest and most efficient we can have today, in addition, we have verified that the real performance of this VPN in the QMiroPlus-201W router / NAS is about 1.5Gbps, a real marvel considering that we have one of the best encryption suites that we currently have in a VPN service.

by Abdullah Sam