Connect to VMs and NAS externally with reverse proxy

[Whitefxdesign]

I've decided to open my DiskStation so I can access it externally and think I finally have grasped the fundamentals needed to accomplish this yet can't seem to get this working right despite reviewing countless forums, tutorials, and of course syno docs.

Prior to now, I have simply been able to connect to DSM locally or via Quick Connect

My current setup:

• I've decided to disable Quick Connect and just use DDNS (myaccount.synology.me), which gets a "green light" connected status
• Changed default DS ports (5000 and 5001) to 7100 and 7200
• Forwarded port 443 on my router to 443 of the static IP 192.168.1.300 (which I've set for the DiskStation in my router)
• Enabled the firewall within DSM and enabled all services associated with 7100 and 7200, HTTPS and reverse proxy, and 3389 for remote desktop (RDC)
• Generated a Let's Encrypt cert for myaccount.synology.me making sure to include "*.myaccount.synology.me" in the SAN for wildcards
• Have added two domains to the reverse proxy section:
  → https://dsm.myaccount.synology.me:443 that forwards to http://192.168.1.300:7100
  → https://rdc.myaccount.synology.me:443 that forwards to http://192.168.1.400:3389
  (400 is the static IP I assigned within a virtual machine, which I can connect to locally with the Windows RDC client)
• Configured the LE certs for both additions to reverse proxy to be on the myaccount.synology.me cert

Problems

• I can no longer connect to DSM (dsm.myaccount.synology.me) externally from WAN since I have disabled Quick Connect
• I cannot connect to the Windows VM that has been set up via Syno VMM

What works

• I can connect to DSM locally with 192.168.1.300
• I can connect to the VM using RDC (Mac and PC clients) locally with 192.168.1.400

Other considerations

• I've noticed when connecting to https://myaccount.synology.me that it does not connect securely but does connect to web station (it's installed but not set up, so the default landing page is there)
• I am under the impression that I do not need to use a VPN since I'm using a reverse proxy
• I don't have port 80 forwarded from my router (which I've tried) since I want to connect securely
• I've tried generating a LE cert without SAN but want to use future subdomains without generating a new cert every time
• One PC that I will be using to access the VM remotely does not have admin access so I cannot install a VPN client but will allow me to enter RDC info, hence why I'm trying to avoid VPN (plus I have plenty of reverse proxy use cases I'd like to be available in the future)

I realize there are many things to investigate but suspect I'm not port forwarding something properly (despite checking for typos) or have a firewall issue.

Current DSM firewall rules

Eventually, I plan to move away from the built-in reverse proxy that DSM offers but am simply experimenting for now and am curious to see what the experience is like using a VM from my own remote server without a VPN connection. Maybe I completely missed an important point (several times) in my research but any thoughts or comments will be greatly appreciated.

 

[Rusty]

I've noticed when connecting to https://myaccount.synology.me that it does not connect securely but does connect to web station (it's installed but not set up, so the default landing page is there)

That would point to the fact that reverse proxy is wrong or port forward on the router

 

[Whitefxdesign]

That would point to the fact that reverse proxy is wrong or port forward on the router

I failed to mention any of the resources I previously reviewed, one in which is from your site (and also posted on this forum somewhere) Synology Reverse Proxy

Beginning with the router, I know for certain I am forwarding 443 as shown below

I do not have UPnP enabled on my router. Do I also need to forward ports in:
DSM Control Panel → External Access → Router Configuration?

I am under the impression this is for UPnP connectivity if I want DSM to handle everything with my router for me so I don't have to manually do so myself.

 

[Rusty]

I am under the impression this is for UPnP connectivity if I want DSM to handle everything with my router for me so I don't have to manually do so myself.

Correct, upnp is not needed.

Well, there is no much when it comes to reverse proxy, I just said that the common situation for an error of that type is wrong to reverse proxy config, as you are landing on the default page for the web station.

Are you sure that the settings for the reverse host are correct? Also, the connection is not secure, which means that your certificate could be a problem as well. Have you configured your reverse proxy host to match and use a certificate on your nas?

 

[Whitefxdesign]

Are you sure that the settings for the reverse host are correct?

Not entirely sure but here's what I have:

Also, the connection is not secure, which means that your certificate could be a problem as well. Have you configured your reverse proxy host to match and use a certificate on your nas?

I'm using a wildcard cert, which I believe only works with synology.me DDNS (I noticed a comment at the reverse proxy post on Blackvoid that seems to contradict this, so maybe I do need a cert for each??)

 

[Rusty]

RP hosts look fine, but the cert is not a wildcard one. If it was it would be "*.yourname.synology.me". I do see that you have it configured to be used with your 2 hosts, but I do not see any SAN values in that cert, and if its not a wildcard one, then it will be working only for yourname.synology.me domain name (not the subdomains).

So that might be the problem regarding your SSL part.

Still, with that problem, getting access to your RPs is a separate issue. .300 is your NAS IP address, correct?

Do you have any firewall configured on that NAS?

 

[Gerard]

Dsm reverse proxy destination should be httpS and httpS port

 

[Rusty]

Dsm reverse proxy destination should be httpS and httpS port

Not needed. It will work on http as long as the port is correct. But what @Gerard said was actually my next question.

What is your HTTP and HTTPS port for DSM and do you have redirect configured from http to https?

 

[Whitefxdesign]

Dsm reverse proxy destination should be httpS and httpS port

Thanks @Gerard! This solved one of my issues, the issue that wasn't allowing me to connect to DSM using dsm.myaccount.synology.me.

• I updated to HTTPS and changed to the 7001 secure port

However, after looking through much documentation, I understood that the destination is fine to be HTTP since this connection is happening behind the reverse proxy and local to the NAS.

 

[Rusty]

However, after looking through much documentation, I understood that the destination is fine to be HTTP since this connection is happening behind the reverse proxy and local to the NAS.

correct but that means that you might have auto redirect configured on your dsm.

At least now you can focus on the ssl elements

 

[Whitefxdesign]

RP hosts look fine, but the cert is not a wildcard one. If it was it would be "*.yourname.synology.me". I do see that you have it configured to be used with your 2 hosts, but I do not see any SAN values in that cert, and if its not a wildcard one, then it will be working only for yourname.synology.me domain name (not the subdomains).

As noted in my reply to @Gerard, I am now able to connect to DSM securely with dsm.myaccount.synology.me. I shall note that my browser also displays the lock icon, so I feel that wildcard is set up correctly (since I only have one cert and myaccount.synology.me still goes to the Web Station page).

Still, with that problem, getting access to your RPs is a separate issue. .300 is your NAS IP address, correct?

Yes

Do you have any firewall configured on that NAS?

Yes, the firewall is enabled on DSM as noted in a reply above. However, I have made some changes to the RDC ports but still cannot seem to connect through the RDC app.

Updated firewall settings shown, which include both 3389 and 3390 ports for TCP and UDP bot set as destination (I also tried setting these as source with no luck either)

When attempting to connect to the VM remotely using the correct URL (i.e. rdc.myaccount.synology.me), I continue to get the same error as shown

I can confirm that I have set a static IP within the Windows OS of the VM that is 192.168.1.400 (this displays in both the VMM interface and my router as the address).

Remote connections are enabled in the Windows guest OS as mentioned previously because I can connect locally. (The remote machine is also turned on)

 

[Rusty]

Personally I suggest not to open 3389 RDP to the internet. That’s just plain dangerous.

Would recommend a vpn back to lan and the. running rdp connection “locally”.

This will eliminate the need to troubleshoot this problem and increase security.

 

[Whitefxdesign]

Personally I suggest not to open 3389 RDP to the internet. That’s just plain dangerous.

Would recommend a vpn back to lan and the. running rdp connection “locally”.

This will eliminate the need to troubleshoot this problem and increase security.

Okay, I guess I will try to see if I can configure a VPN client with the Windows machine that is needing to connect to the VM remotely. It's a PC that does not have admin access and a lot of things are locked down, which is why I was trying to connect to the VM in a similar way that I am connecting to DSM remotely.

Thanks for your help @Rusty !

 

[Gerard]

If you’re trying to access 3389 (rdp) through a web browser (http/httpS) it won’t work. The reason is because rdp isn’t (and can’t) run as an http(s) protocol.

only way that will work is connect vpn, then use the rdp apps to connect.

only way to accomplish this, is look for a remote access software based off http protocol. Maybe vnc viewer in a web browser, you’ll have to read up it and may require some leg work to setup. Honestly vpn to rdp is easiest, so that, as @Rusty mentioned, it’s one less thing opened and exposed to the internet.