DDNS requirements and certificate requirements

Currently reading
DDNS requirements and certificate requirements

Operating system
  1. macOS
Mobile operating system
  1. iOS
I only access my NAS from my internal Lan. However, I want to get a certificate so that I can connect to the admin page using SSL without getting browser prompts.

I don't have a static IP or a registered domain name. I was thinking of using Synology DDNS to get an externally resolvable hostname and a Let's Encrypt certificate at the same time. I have a few questions:

1) Does the DDNS registration and auto-obtaining the Let's Encrypt certificate require me to have setup permanent inbound port forwarding to my NAS, or will this not be required as the connection is initiated outbound by the NAS?

2) Same question for keeping the DDNS registration up-to-date and auto-renewing the Let's Encrypt cert?

3) Obviously, I will need to have a port forwarded on my router to the DSM port if I wanted to administer the NAS externally. If I was administering it from the LAN, my router supports NAT loopback, so although the port forward would need to be in place (so the router knows where to direct the traffic), it would never leave the internal network, correct? Although obviously the NAS port would still be accessible from the Internet (for which I have firewall rules on the NAS to block). Is my understanding correct?

4) As an alternative to 3), I could instead setup Synology DNS Server on the NAS, create the external DDNS name zone and hostname (with the NAS internal IP address), then configure it to default forward all other queries to my router. Then configure my router DHCP to hand out the NAS DNS server address. Any potential issues with that?

All input welcome. Thanks.
Thanks Rusty. I logged a ticket with Synology who confirmed the same, so I have what I need now. Thanks again!
Yes, and if your router doesn't support NAT loopback, and LE cert won't solve the OP's desire.

Easier to set up a self-signed cert with a fake CA, to keep the browser padlock happy.

My router does support NAT loopback, so OK in that regard. I'm not happy with having the HTTPS admin port (even on a non-standard number) forwarded on my router just to administer the NAS from internal devices without getting a browser warning, so I'll probably go the option 4 route I mentioned.

I did look into a self-signed cert. Unfortunately, DSM 7 removed the ability to generate those. And if you export the one that came with DSM6, it doesn't contain the root CA ("Synology Inc. CA"). I could generate one using BounCA, but I think browser makers will at some point in the future start disallowing trust of self-signed certs.

Plus, the family use a lot of the services internally, so I would have to install on each PC / tablet / TV etc. And Safari, Chrome (not sure about Firefox) only allow short-lived certs to be trusted (Starting 1 September 2020, Chrome will no longer trust any certificates older than one year) so I'd have to update them every so often.

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

I called the provider and he told me that I don't have a nat, just for business(( :cry:
Once I got the NAS up and running with internet connection again, I was able to reauthenticate Tailscale...
A quick search of the Zyxel and port forwarding 443 does seem to be a bit of impossible according to one...
  • Question
Welcome to the forum. I never got it to work. In the end I maintained Namecheap DDNS via DNS-o-Matic...
Yep. Am on 900/900. Fortunately Fiberhop is small enough to talk turkey with, any of the big isps are...

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!