Been researching this topic for days but haven’t found a lot of threads on it - perhaps this is so simple people just aren’t asking about it? Anywho.. I’m helping the 4-person company for which my wife works get set up for work from home (I’m a total networking novice but work for an IT company which upgrades me to expert, apparently). All employees are non-tech savvy and are used to having their Synology NAS as a mapped drive in their Windows File Explorer - all while at the office. They did not like the Synology Drive experience during Covid-related work from home time.
I proposed we use a VPN to access both the Synology and other important assets on the network at the office. All they had to do was join the VPN. Then, while testing it out, I couldn’t map the Synology, and I stumbled upon this Synology KBA that simply stated (item 4) VPN users couldn’t see it in File Explorer.
Even though I can access the DSM UI, ping the NAS IP, etc just fine, I can’t map the NAS in File Explorer. Ultimately, to my understanding, VPN users have to be relegated to a different subnet from local assets, and Synology doesn’t accept SMB connections from a different subnet. Is that a hard rule, or is that something I can change?
Our router is a Ubiquiti UDM if that matters. Really appreciate any and all feedback here!
****update fixed - see my late reply below. Number of client logins or path nomenclature may have been the issue
Synology will accept SMB connections from any network unless you firewall it differently. I access about 10 Synologys over VPN no problem. Assuming SMB and proper versions are enabled, can you access the SMB by its IP path? \\x.x.x.x
What is managing the VPN? If you’re using syno vpn you access it via the VPN gateway. I think syno also makes the vpn gateway end in .0 so 10.0.0.0 would be both gateway and file server.
If the VPN doesn’t put clients right on the same LAN segment and relay broadcast packets, you can’t use local broadcasted names from mDNS, NetBIOS over IP, or other broadcast discovery in Explorer. You will either need to name the filer by running your own DNS server that VPN users query, or you will have to map the share manually by its raw IP address. If you can ping the filer’s address, you should be able to map the share.
I love synology, but if they have O365, or Google business already, skip the vpn. It won’t be harder than training vpn users, and still works when office power or internet is interrupted.
oh interesting. so what firewall determines this? Synology’s or the UDM? No, putting IP address or network name both fail.
Manual mapping seems like the easiest considering there are only four clients. How does one do that? Although I have a Ubiquiti UDM, so perhaps running my own DNS is easier?
Space requirements aren’t that large so OneDrive could work here - they’re on O365. I’ll take a look at that if all else fails.
In File Explorer address bar, you can type a UNC using the IP address.
e.g.: \\192.168.0.5\
You can also right-click Network in the left pane in Explorer and click “Map Network Drive” and type the UNC in there
e.g.: \\192.168.0.5\Share\
DNS just makes it easier to map the drive by name when you can’t automatically discover it because it is in a different network segment. IP addresses are not very user-friendly and are harder to remember. It’s much easier to ask someone to map to \\archive.corp\share than \\192.168.0.5\share, ya know?
Thanks for the explanation. Yes, this is exactly what’s not working for users on the VPN subnet. I’ve tried both IP address of the NAS as well as name when attempting to map. They can ping and access the DSM UI just fine. Do I need to approach the DNS route then? Or is there a router config issue here. Again, much appreciated info
If you can both ping and access the DSM Web UI, then it seems like there must be something along the way that is blocking the SMB and NetBIOS over TCP/IP traffic. This kind of traffic is considered very insecure, so I am suspicious that your Ubiquiti UDM or some other device is firewalling it by default. Like others mentioned here, Synology DSM has a firewall, too. Here’s an article that is up your alley.
Unfortunately, I am not familiar with Ubiquiti UDM, so I can’t help troubleshoot that for you, but the first thing I’d try would be to temporarily disable all firewalls (just for a few minutes), and if it works with them off, then you know it is a firewall, and then you turn it back on and establish the right rules to let NBT/SMB through. You need to allow both TCP and UDP on ports 137-139 and TCP 445 through (but just for your private addresses).
You could also ssh into DSM and run tcpdump while trying to access the share from the VPN to see if you see any incoming traffic on those ports, e.g.:
sudo tcpdump -i any port '(137 or 138 or 139 or 445)'
… or if your client VPN address were 192.168.1.55:
sudo tcpdump -i any src 192.168.1.55 and port '(137 or 138 or 139 or 445)'
If you can’t see incoming traffic from your VPN-connected device with that, then it’s firewalled somewhere.
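Added example, not part of the original thread: the client-side counterpart to the tcpdump check above, run in PowerShell on the VPN-connected Windows machine. It tests the SMB ports directly (ping and the DSM web UI say nothing about TCP 445) and maps the share by IP only if the port is reachable. The NAS address, share name and drive letter are assumed values.

```powershell
# Added example; values below are assumptions, adjust to your network.
$Nas   = '192.168.0.5'   # NAS address (assumed)
$Share = 'Share'         # shared folder name (assumed)
$Drive = 'Z:'            # drive letter to map (assumed)

# 1. Probe the SMB ports over TCP. 445 is direct SMB; 139 is the NetBIOS session service.
$results = foreach ($port in 445, 139) {
    $t = Test-NetConnection -ComputerName $Nas -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port      = $port
        Reachable = $t.TcpTestSucceeded
        # Source address the NAS and any firewall rule will see; use it in the
        # tcpdump "src" filter and in the allow rule for the VPN subnet.
        SourceIP  = $t.SourceAddress.IPAddress
    }
}
$results | Format-Table -AutoSize

$smb = $results | Where-Object Port -eq 445
if (-not $smb.Reachable) {
    # Ping works but 445 does not: something between client and NAS drops SMB.
    Write-Warning "TCP 445 to $Nas is not reachable from this client."
    Write-Warning "Check the router/VPN firewall and the DSM firewall for the VPN subnet, then confirm with tcpdump on the NAS."
}
else {
    # 2. Port is open: map by IP, because broadcast name discovery does not cross the VPN.
    # Enter the account in whatever form the NAS accepts; the thread's eventual fix
    # was to qualify the user name with the DSM server name.
    $user = Read-Host 'NAS user name'
    net use $Drive "\\$Nas\$Share" /user:$user * /persistent:yes   # '*' prompts for the password

    # 3. Show the negotiated SMB dialect so an unexpectedly old protocol version stands out.
    Get-SmbConnection -ServerName $Nas |
        Select-Object ServerName, ShareName, Dialect, UserName
}
```

If the probe fails only from the VPN and succeeds from an office workstation, the block is on the path between the two subnets rather than in the SMB service itself.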
this is fantastic - i’ll play around with this over the break and get back to you. thank you thank you!!
Apologies for the delay - thread update.
welp not sure which item made it work, but it works now!
- went to DSM firewall section and it wasn’t even on, so I turned it on and opened the respective ports for SMB for just the VPN subnet - I don’t think this was the fix though
- noticed in the Synology fine print in your linked article users can only log in from one device/instance at a time. My users have both a fixed workstation (onsite) and a laptop, so after creating separate workstation and laptop accounts on the Synology, it seemed to work! Perhaps that was the issue?
- or maybe I was using the wrong path nomenclature as u/mklogic suggested. In fact, on the last user I was setting up, I was getting a different error from the other attempts. Google search correctly suggested logging in as “[DSM server name]/[user name]” instead of just the user name, and it worked.
Anyway, super pumped I was able to get all my users set up exactly how we wanted, even after ditching the paid tech support service! Much appreciation to u/illius_sagittarius and the rest of the Synology community for the help! I’m sure i’ll be back with questions in the future 
Glad I could help somehow. Happy new year!