Cannot access DSM via OpenVPN

Currently reading
Cannot access DSM via OpenVPN

47
5
NAS
DS920+
Operating system
  1. Windows
Mobile operating system
  1. Android
Hi,

I set up and enabled OpenVPN on my Synology NAS but I am not able to access the DSM when connecting from a device which is outside the NAS local network.
The VPN connection is correctly established, I am able to see the NAS shared folder when digiting the NAS local IP address in Windows File Explorer, but when I digit it inside the browser I am not reaching the login screen.

My NAS is a DS920+, DSM 6.2.4

Any suggestion for solving this issue?
Thank you in advance!

Giacomo
 
Solution
Actually I created only this reverse proxy rule, so I don't know if others would work.
Now that you‘ve said this, it (might) make more sense now. Your domain is not under Synology?
That also might explain the “NXDOMAIN” error.

I think you’ll need to create a CNAME in your DNS records (with your domain registerer) with “dsm” or whatever you choose the subdomain to be. Do you know how to do that?

Edit:
See if you have an option to “enable wildcard” instead of the above. It’s easier.
-- post merged: --

Here’s what no-ip says about wild cards:
“A wild card allows anything typed before your hostname to be resolved to your IP address. For example if you enable wild cards for hostname myhostname.no-ip.com, hostnames like...
Sorry @WST16 , I now have an issue with the SLL certificate. I tried to get one for mydsm.mydomain.com from Let's Encrypt but I obtain this error:
cert.PNG

How should I enable Port 80 in the Reverse Proxy?
 
Upvote 0
For the time being, to obtain the certificate, forward port 80 on the router to your NAS.
On the reverse proxy, choose web station. To the best of my knowledge, the certificate will be (should be) issued for domain.com not subdomain.domain.com

Once you've successfully obtained a certificate, you can remove the forward and the web station proxy setting and check later if the certificate renews (it will try to renew by itself about one month before expiry).

However, if you're running a website. You might want to leave 80 forwarded, otherwise visitors who try to reach your site without specifying "https" will go nowhere, so if someone types website.com instead of specifying https://website.com will have a “website cannot be found” or a similar error if (80) is not forwarded. That’s my experience.

I believe I've had success with Let's Encrypt renewing over 443/reverse proxy only. But I’ve never nailed –and didn’t bother spending time researching– how the LE renewal behaves and if you search the internet, you’ll find mostly the same :)
 
Upvote 0
For the time being, to obtain the certificate, forward port 80 on the router to your NAS.
On the reverse proxy, choose web station. To the best of my knowledge, the certificate will be (should be) issued for domain.com not subdomain.domain.com
Ok, I obtained the certificate, but I needed to request it for mydsm.mydomain.com for not obtaining any security warning from the browser.

However, if you're running a website.
Yes, that's my case, I would like to host a website on the NAS. So, I am forwarding Port 80 on the Router.
Which rules should I add to the Firewall and to the Reverse Proxy?

And for example, if I would like to access via SSH to the NAS, in that case I should forward Port 22 on the Router and create other rules in the Firewall and in the Reverse Proxy? If it is like this, I am not seeing the pros of Reverse Proxy because in any case I am required to open many ports.
 
Upvote 0
Ok, I obtained the certificate, but I needed to request it for mydsm.mydomain.com for not obtaining any security warning from the browser.
That's good if it's working for you.

Yes, that's my case, I would like to host a website on the NAS. So, I am forwarding Port 80 on the Router.
Which rules should I add to the Firewall and to the Reverse Proxy?
That's it for 80, just keep it as is, with web station/port 80 rule. It's best to configure your site to transfer traffic to https when received. So you leave (80) forwarded, however, if someone types website.com, their traffic will be forced on https and the browser bar will change to https://website.com
I know how to do it with Apache but not ngnx.

And for example, if I would like to access via SSH to the NAS, in that case I should forward Port 22 on the Router and create other rules in the Firewall and in the Reverse Proxy? If it is like this, I am not seeing the pros of Reverse Proxy because in any case I am required to open many ports.
The reverse proxy will take care of http/https traffic. Other protocols will need their own ports. If all you're exposing are these services, it might not feel beneficial, however, when you (and I believe you will eventually) start exposing more services, like File Station, a media player (e.g. Plex, Emby), other packages with web interfaces (perhaps Docker containers like I do), it'll become clear how useful it is security wise and organizational too. However, for now your DSM web interface for example is behind a proxy. That by itself, security wise, is much better than a direct access where someone (or some bot) can try to figure out your DSM port and might succeed in getting to your login screen. I'd rather keep them roaming the streets than on my doorstep 🙂

So it’s layered security. Here we have the reverse proxy, the firewall, the account blocking, the certificate that you've created, strong passwords and 2FA perhaps. They'll all come together to mitigate the risks, and we'll have to accept whatever remains for the sake of accomplishing our goals (e.g. website) and convenience (e.g. accessing important documents while outside or on a different continent).

For SSH, I'd rather not forward it on the router (and if you do, it won't go through the RP, remember RP can handle http/https only).
You said you've got the OpenVPN working, so I'd use that to reach the NAS and SSH "locally" for the occasional SSH sessions. SSH is dangerous in the wrong (or malicious) hands and the last thing I want to do is expose it externally. However, if you decide to do it, limit it’s source with the firewall and use a different port (not 22). The same for your VPN rule, don’t use “All”, limit it. Less is more here.

So far you've forwarded three ports, 443, 80 and the OpenVPN port. You shouldn't need more than that for a long time.

On a side note, take a look at this for more about website security.
 
Upvote 0
Last edited:
A simple solution is here i.e. untick "Enable Multiple Gateways" in Control Panel > Network > General (tab) > Advanced Settings:

To route each network interface through their respective gateways:​

  1. Go to Control Panel > Network > General.
  2. In the General section, click Advanced Settings.
  3. In the pop-up window, check Enable Multiple Gateway.
  4. Click Apply to save your settings.
This will lead to routing for each network interface in your network to go through their respective gateways.
Src: Network Routing | DSM - Synology Knowledge Center

 

Attachments

  • Screenshot 2022-06-06 at 09.46.40.png
    Screenshot 2022-06-06 at 09.46.40.png
    108.9 KB · Views: 15
Upvote 0

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

Have you configured the new router to provide the same LAN subnet as the old router? How are IP addresses...
Replies
1
Views
2,695
Sorry, I thought I could edit my post but I can't see where to do that. Some additional info: I have also...
Replies
1
Views
3,226
While using the "admin" is a a security issue and that account should be disabled, it is odd that it works...
Replies
1
Views
1,276
  • Question
I cannot access the web station pages internally for my 2 root domains. Subdomains are not a problem...
Replies
0
Views
2,713
  • Question
FWIW, I use WebDAV to map folders from my DS110j to a Win10 laptop. Perhaps importantly for this thread...
Replies
16
Views
5,556
See the message about multiple connections. That is your issue.
Replies
1
Views
1,274
I'm hoping someone can help confirm if this is an issue with my set up, or an issue introduced by DSM 7. I...
Replies
0
Views
1,200

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Back
Top