DDNS requirements and certificate requirements

[dpg50000]

I only access my NAS from my internal Lan. However, I want to get a certificate so that I can connect to the admin page using SSL without getting browser prompts.

I don't have a static IP or a registered domain name. I was thinking of using Synology DDNS to get an externally resolvable hostname and a Let's Encrypt certificate at the same time. I have a few questions:

1) Does the DDNS registration and auto-obtaining the Let's Encrypt certificate require me to have setup permanent inbound port forwarding to my NAS, or will this not be required as the connection is initiated outbound by the NAS?

2) Same question for keeping the DDNS registration up-to-date and auto-renewing the Let's Encrypt cert?

3) Obviously, I will need to have a port forwarded on my router to the DSM port if I wanted to administer the NAS externally. If I was administering it from the LAN, my router supports NAT loopback, so although the port forward would need to be in place (so the router knows where to direct the traffic), it would never leave the internal network, correct? Although obviously the NAS port would still be accessible from the Internet (for which I have firewall rules on the NAS to block). Is my understanding correct?

4) As an alternative to 3), I could instead setup Synology DNS Server on the NAS, create the external DDNS name zone and hostname (with the NAS internal IP address), then configure it to default forward all other queries to my router. Then configure my router DHCP to hand out the NAS DNS server address. Any potential issues with that?

All input welcome. Thanks.

 

[Rusty]

1

You will need port 80 incoming open for LE cert to auto renew every 3 months.

3

correct

4

also an option yes

 

[dpg50000]

Thanks Rusty. I logged a ticket with Synology who confirmed the same, so I have what I need now. Thanks again!

 

[Pig712]

Wouldn't a self signed certificate be much easier to set up and administer?

 

[Telos]

Wouldn't a self signed certificate be much easier to set up and administer?

Yes, and if your router doesn't support NAT loopback, and LE cert won't solve the OP's desire.

Easier to set up a self-signed cert with a fake CA, to keep the browser padlock happy.

 

[dpg50000]

Yes, and if your router doesn't support NAT loopback, and LE cert won't solve the OP's desire.

Easier to set up a self-signed cert with a fake CA, to keep the browser padlock happy.

My router does support NAT loopback, so OK in that regard. I'm not happy with having the HTTPS admin port (even on a non-standard number) forwarded on my router just to administer the NAS from internal devices without getting a browser warning, so I'll probably go the option 4 route I mentioned.

I did look into a self-signed cert. Unfortunately, DSM 7 removed the ability to generate those. And if you export the one that came with DSM6, it doesn't contain the root CA ("Synology Inc. CA"). I could generate one using BounCA, but I think browser makers will at some point in the future start disallowing trust of self-signed certs.

Plus, the family use a lot of the services internally, so I would have to install on each PC / tablet / TV etc. And Safari, Chrome (not sure about Firefox) only allow short-lived certs to be trusted (Starting 1 September 2020, Chrome will no longer trust any certificates older than one year) so I'd have to update them every so often.

 

[Telos]

I only access my NAS from my internal Lan

Unless you have a "man-in-the middle" intruder resident on your LAN, the lack of a padlock (aka, insecure) is cosmetic. Since you prefer to go the LE route, you should otherwise be fine.