Cannot access DSM via OpenVPN

Currently reading
Cannot access DSM via OpenVPN

47
5
NAS
DS920+
Operating system
  1. Windows
Mobile operating system
  1. Android
Hi,

I set up and enabled OpenVPN on my Synology NAS but I am not able to access the DSM when connecting from a device which is outside the NAS local network.
The VPN connection is correctly established, I am able to see the NAS shared folder when digiting the NAS local IP address in Windows File Explorer, but when I digit it inside the browser I am not reaching the login screen.

My NAS is a DS920+, DSM 6.2.4

Any suggestion for solving this issue?
Thank you in advance!

Giacomo
 
Solution
Actually I created only this reverse proxy rule, so I don't know if others would work.
Now that you‘ve said this, it (might) make more sense now. Your domain is not under Synology?
That also might explain the “NXDOMAIN” error.

I think you’ll need to create a CNAME in your DNS records (with your domain registerer) with “dsm” or whatever you choose the subdomain to be. Do you know how to do that?

Edit:
See if you have an option to “enable wildcard” instead of the above. It’s easier.
-- post merged: --

Here’s what no-ip says about wild cards:
“A wild card allows anything typed before your hostname to be resolved to your IP address. For example if you enable wild cards for hostname myhostname.no-ip.com, hostnames like...
Did you try the virtual IP address, or is that what you’re using?
Yes, I can access Shared Folder both with NAS static local IP address and NAS virtual IP address in File Explorer, but both do not work in the browser.

This could be a firewall (NAS) problem
This is the list of Ports and services currently allowed by NAS firewall. Should I add something?

ports.PNG
 
Upvote 0
Yes, I can access Shared Folder both with NAS static local IP address and NAS virtual IP address in File Explorer, but both do not work in the browser.


This is the list of Ports and services currently allowed by NAS firewall. Should I add something?

View attachment 3599
I have seen situations where even though Management UI was listed as allow until I actually set up and opened a specific DSM port (5000/5001 or any other that DSM ui might be running on) there was no way for the VPN subnet clients to reach it.

So, try and add it manually to the list regardless and see if that will help. Also, you could try and add your VPN network range (that you have configured) to the "source IP" just to be certain that it will be picked up.
 
Upvote 0
@Jerry1188

A minor remark on your firewall rules (unless I’m missing the big picture). The source in all the rules is set to “All”. I would revisit this if I were you and limit the sources. As it is now, you might as well disable the firewall.
At the top, I’d have a rule to allow the local subnet (LAN). Currently, You’re not locked out because everything is set to “All”.
 
Upvote 0
@Jerry1188

A minor remark on your firewall rules (unless I’m missing the big picture). The source in all the rules is set to “All”. I would revisit this if I were you and limit the sources. As it is now, you might as well disable the firewall.
At the top, I’d have a rule to allow the local subnet (LAN). Currently, You’re not locked out because everything is set to “All”.
Thank you for the suggestion, @WST16 !
In the "Management UI" line I already set as Source IP the VPN network range, and I could do the same with all the services which should not be reachable by devices outside the network. By adding a top rule to allow the local subnet (192.168.X.X if I understood well), could this conflict with the Source IP of the other rules?

I would like to host a website on the NAS, how would you suggest me to set up the firewall rules?
 
Upvote 0
I would like to host a website on the NAS, how would you suggest me to set up the firewall rules?

Hi,

@Rusty suggestion is the best. If you're not sure about Reverse Proxies, you can check @NAS Newbie guide here. Part 2 covers reverse proxies and references a guide by @Rusty. But I'd recommend starting at the beginning (part 1) if you’re new to all of this.

Keep in mind that the firewall rules are processed sequentially, top to bottom. Once a rule matches, it's processed and no further rules below it are examined.
We had a thread on this a long time ago that you might find useful.
 
Upvote 0
Hi,

@Rusty suggestion is the best. If you're not sure about Reverse Proxies, you can check @NAS Newbie guide here. Part 2 covers reverse proxies and references a guide by @Rusty. But I'd recommend starting at the beginning (part 1) if you’re new to all of this.

Keep in mind that the firewall rules are processed sequentially, top to bottom. Once a rule matches, it's processed and no further rules below it are examined.
We had a thread on this a long time ago that you might find useful.
Thank you, I read all this very useful material!

Then, if I understood correctly, I should do these:
- In the Router port-forwarding to the NAS only port 443
- In the NAS firewall enable port 443 to everyone as a first rule, disable all to everyone as second rule
- Enable Reverse Proxy for each service, adding the Source IP rules in each of them depending on their target.

At this point, would VPN Server in the NAS still be useful? I installed it only because from my understanding this could have been the safest way not to expose the public IP address, am I wrong in this?
 
Upvote 0
In the Router port-forwarding to the NAS only port 443
Yes, 443 for now. Keep in mind that not every service can go through the reverse proxy, only http/https. So for the VPN server for example, you'll need to forward a port for it.

In the NAS firewall enable port 443 to everyone as a first rule, disable all to everyone as second rule
The first rule should be "allow your local subnet". You should always have this at the top.
Then 2nd rule, your reverse proxy for All or to certain geographies. You'll find a rule called "https, reverse proxy". The last rule should always be a deny all.

Enable Reverse Proxy for each service, adding the Source IP rules in each of them depending on their target.
You just add the reverse proxy rule to the firewall as mentioned above. You define the target services under the reverse proxy rules (Control Panel > Application Portal > Reverse Proxy).

At this point, would VPN Server in the NAS still be useful?
You can create a proxy rule for your DSM for example (like mydsm.mynas.synology.me)
However, the VPN server brings other benefits with it like allowing internal access to your LAN devices like if you're on your LAN (if you need something like that).

Since you've already opened up the NAS to the internet, the "not to expose the public IP address" does not apply. It works (in that sense) only if you have nothing else but a VPN port forwarded to the NAS and the VPN service running (IMHO).
 
Upvote 0
Ok, I allowed on my Router 3 ports: one for VPN, 443 for Revers Proxy, one for DSM (port XXXX).

While these are my Firewall settings now:
ports.PNG

I temporarily left Management UI rule for port XXXX since the Reverse Proxy is not working.
I created in Control Panel > Application Portal > Reverse Proxy a rule following @Rusty tutorial.
Source is:
- Protocol: HTTPS
- Hostname: dsm.mydomain.com
- Port: 443
Destination:
- Protocol: HTTPS
- Hostname: 192.168.178.31
- Port: XXXX
I have a SSL certificate issued to mydomain.com by Let's Encrypt and connected to dsm.mydomain.com.

If I go to the browser, https://dsm.mydomain.com shows: "DNS_PROBE_FINISHED_NXDOMAIN".
If I visit https://mydomain.com:XXXX I can reach the login screen.
If I visit https://192.168.178.31:XXXX when connected via VPN I can reach the login screen too.

I would like to remove XXXX port from Router and Firewall list, ut if Reverse Proxy is not working is the only way I have for remote connection. Which could be the cause of Reverse Proxy not working?
 
Upvote 0
Last edited:
Is this how you have it on the proxy rule? Of course in your case it will be dsm.mydomain.com in the source.
Edit: and whatever port you have in the destination.

9B0C247F-8E88-4DF2-93C4-1B4C0E453D73.jpeg
-- post merged: --

Here’s something about "DNS_PROBE_FINISHED_NXDOMAIN". I’ve never encountered this error before!
Although if it works for the other reverse proxy rules, I don’t see why it won’t work for DSM.

Can you try something other than DSM. Like mydsm.mydonain.com and see.
 
Upvote 0
Can you try something other than DSM. Like mydsm.mydonain.com and see.
Even with mydsm.mydomain.com I obtain the same error.

Also, can you try “localhost” instead of IP address and see.
Same result.

Although if it works for the other reverse proxy rules, I don’t see why it won’t work for DSM.
Actually I created only this reverse proxy rule, so I don't know if others would work.
 
Upvote 0
Last edited:
Actually I created only this reverse proxy rule, so I don't know if others would work.
Now that you‘ve said this, it (might) make more sense now. Your domain is not under Synology?
That also might explain the “NXDOMAIN” error.

I think you’ll need to create a CNAME in your DNS records (with your domain registerer) with “dsm” or whatever you choose the subdomain to be. Do you know how to do that?

Edit:
See if you have an option to “enable wildcard” instead of the above. It’s easier.
-- post merged: --

Here’s what no-ip says about wild cards:
“A wild card allows anything typed before your hostname to be resolved to your IP address. For example if you enable wild cards for hostname myhostname.no-ip.com, hostnames like www.myhostname.no-ip.comor blah.myhostname.no-ip.com would resolve to the same IP address as myhostname.no-ip.com.”

Usually this is enabled by default.
 
Upvote 0
Solution
The attempt with wildcard was unsuccessful (it seems that my domain registerer doesn't allow to use it), but I manually created a CNAME record with "mydsm.mydomain.com" as Name and "mydomain.com" as Value.
And now it works!

If I digit https://mydsm.mydomain.com in the browser, I reach the DSM login page.
I removed Router and Firewall rules for Port XXXX since I have no more need to leave it open.
Thank you very much @WST16 !
 
Upvote 0

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

Did you already reset W10 network settings and check NTLMv2 setting?
Replies
10
Views
624
Hi everybody. I access my synology ( DS 223J) remotely through different devices, pc and mac included...
Replies
0
Views
355
  • Question
It sounds that the main focus is a LAN reconfiguration of DHCP and DNS services so that dynamically...
Replies
1
Views
619
Had simelar issue last Thursday. Router and 1 NAS worked, 2 NAS’s didn’t! This occurred as I was adding...
Replies
5
Views
942
  • Question
I guess "my Firewall" is the firewall on the Synology? a step by step tutorial can be found online like...
Replies
1
Views
900
OK at last, worked it out, you have to install Synology app on PC first then add name amd password then...
Replies
12
Views
1,462

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Back
Top