Setting up site-to-site on Synology router
  • 1 Minute to read

    Setting up site-to-site on Synology router

      Article Summary

      Note: If your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.

      Follow the steps below to establish a Site-to-Site VPN connection between a pair of Synology Router:

      1. Set up your Synology Router and activate the Site-to-Site VPN feature on the SRM (refer to this web page for more information on the licensing plan).
      2. On your Synology Router, go to VPN Plus Server > Site-to-Site VPN.
      3. Click Add > Manually.
      4. Configure the settings at the General and Encryption tabs, and then save the settings.


      • Profile name: NordLayer
      • Pre-shared key: Specify the pre-shared key that you would like to use
      • Enable this connection: Tick this checkbox to start the connection right after setup
      • Enable DNSSEC validation: Tick this checkbox to secure DNS resolutions via DNSSEC
      • Local Site:
        • Outbound IP: Specify one of the network interfaces on your Synology Router to set up the Site-to-Site VPN service.
        • Local ID: Specify a local ID, which can be either a public IP address or FQDN (Fully Qualified Domain Name).
        • Private subnet: Specify the local network under the private subnet
      • Remote Site:
        • IP address/FQDN: Enter your NordLayer dedicatated server IP address
        • Remote ID: Same as IP address
        • Private subnet:
      • Dead Peer Detection:
        • Enable: Tick the checkbox to enable Dead Peer Detection (DPD).
          • DPD Delay: Specify the time interval between DPD packets. We use 30.
          • DPD Timeout: Specify a time threshold. We use 120.


      • IKE version: Select IKEv2
      • Mode: Select Main Mode
      • Encryption: AES-256
      • Authentication: SHA2-256
      • DH group: 14
      • Key lifetime: Specify how long the validity of your key is. Once the key expires, both sites will exchange a new key. Set to 3600.
      • Enable Perfect Forward Secrecy (PFS): To be enabled

      Ending note:

      In order to finalize the site-to-site setup on our end, please provide these values via Site-to-site request from in the NordLayer Control Panel:

      • Pre-shared key - you can generate it or we can provide it
      • Encryption  details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
      • Remote gateway/router public IP (must be reachable while connected to the dedicated server)
      • Remote subnet and mask (the subnet is used in your local network)

      Note: In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.

      Was this article helpful?