I have something very similar to what you have setup for myself and my brother who works on stuff remotely.
A couple of things to keep in mind:
- If your employees are in fixed places with Internet access, there are hardware solutions that may be faster to implement, but a bit more expensive.
- If your employees are NOT using work devices to connect to your network this way, they can introduce dangerous malware that can compromise your entire business as well as possibly destroy or ransomware your data. This is a VERY serious risk that I would not take lightly.
- If your employees have direct access to the data in this way, it can be taken, copied, and transmitted to anyone and any place. This again is a business security issue.
With these things in mind, depending on the model Synology you have and how powerful it is and how many clients (employees) will connect to it, there is a way for the Synology to act as a vpn server. This will allow employees to connect directly to the nas and work with the files. However, in this configuration, you are dangerously exposed to all 3 of the caveats above. But there are other ways to get the same access safely.
If your employees have machines that they either normally use in the office or works laptops that they now have at home, this offers the opportunity for more secure access to be configured. I would have to know more about your complete network configuration as well as your workflow, but I will share my workflow and how we secure things.
We have an enterprise grade ipsec vpn router at our home base. It is the main router and is the dhcp server. It also is an ipsec vpn server.
The devices that connect to the vpn server are mobile windows thin clients. They run an embedded version of windows that basically can boot into windows and that's about it. It can also be completely locked down so an employee cannot change any settings permanently (a reboot restores it back to how you set it up). Using the normal built-in vpn clients in windows, these machines can log into the vpn server at home base.
Once these machines log into home base, they cannot access anything except the same machine that the person would be using if they were present in the office--so they can access the nas like usual with the same screen they are used to. They access this machine via remote desktop.
So to recap--they are using a thin client, which is essentially a toaster with no data on it and useless as a computer (not a theft target), they connect into a network where they cannot connect to anything directly (compromised entry can't directly access the nas), and they have the full power of their normal system working right there as if they were physically present. I've simplified everything a bit as we have some other layers of complexity in our setup, but essentially this is how it works for us.
Because enabling remote desktop on a system on a lan and setting up a thin client for remote access is trivial, these two tasks are easy. The biggest part of this setup is the enterprise router and configuring that.
If your employees are fixed at home, a used hp t510 or similar thin client is well under $50 ea and you can set this up so that the employee literally goes home, plugs it into their network, and then logs into their work machine. This makes everything smooth on the employee side.
If you already have work laptops, you can add the configuration to log into to the vpn server and configure them to directly access the nas. However, this does add some risk as the data is physically leaving your location.
VPN routers capable of 15 employees start at about $250. Many of them have support contracts, but these are optional after they expire on some brands and required for other brands. This is the hard part--researching what you need and finding the right fit. It doesn't help that enterprise IT distribution still relies on 'salesmen' and other middle men to muddle things even more, but luckily this setup is relatively 'simple' for most of these devices. The one we have is designed for 500 employees, but we knew what we were looking for and exactly how it worked so we picked it up for under $400 with a support contract.
Hopefully this will give you some ideas. Feel free to ask me any questions.