With ^^, but I want to add another important reason: if your NAS gets breached, not only can people hop into your network, but they can also steal valuables from your NAS (pictures from your doggo, bank statements, expense reports, tax income, ...). In my network, my NAS is in the inner intranet where nobody can enter, not from guest wifi, not from outside. Better be safe than sorry: OpenVPN at the edge of your network, not inside your network.
I once reworked a dual-site Synology NAS with synchronisation, then the idea was to have OpenVPN connect-wise synchronise, but even that is not a requirement as you could easily construct a point2point SSH tunnel for example.
Good luck!
CC