Help needed to understand my VPN needs

NAS: DS920+
Operating system: Linux, macOS
Mobile operating system: iOS

Hi, I have a very basic understanding of VPNs, having used them to surf and download anonymously. However, I'm having trouble getting my head around what my VPN needs are when it comes to my NAS. I'll try to explain my situation and what I would like to accomplish in the hope that someone can point me in the right direction.

My situation
I have a DS920+ that I run several services on including Plex, Sonarr, Photos, Drive, Bitwarden, LanguageTool etc.
Family members access these services using desktops and mobile devices, and over both LAN and WAN.

What I want to achieve
Protect all users' privacy.
Secure all data on the NAS as much as possible.
Ensure the services running on my NAS can access the web with as much privacy and security as possible.
Allow users to access the NAS, and services able to access the web, without being slowed down too much.

What I have
I've just paid for a 2-year subscription to a VPN service (NordVPN).
A reasonable internet connection, 350 Mbps down and 36 Mbps up.


Questions:
  1. If I set up a VPN server on the NAS, I presume users can only access the NAS by connecting to the VPN server first?
  2. Does this mean all users need to use VPN client software i.e., built into Windows/Android etc. when connecting to the NAS?
  3. If so, how does this affect things like the Plex and the Synology Photos or Audio Station apps?
  4. Does QuickConnect work through a VPN? Or do I need to bypass the VPN for some services, is this split tunnelling?
  5. To secure the services that access the web like Sonarr and Radarr I presume I also need to set up the NAS as a VPN client too. Is this feature built into the NAS or do I need to install something i.e., Docker?
  6. To try to keep connections as fast as possible, WireGuard seems to be the way to go from what I've read, but after searching the web it seems to be quite difficult to set up. If this is what you recommend, is there any other advice you can offer, or resources you can point me to?
  7. I believe I need to whitelist my LAN, but are those devices still connected to the VPN full time to increase their privacy/security?
  8. Obviously I don't fully grasp this yet, so is there any other advice/help you can offer?
Thanks for any help (y)
1. 2. 3…

Running VPN Server on the NAS is like running any other network service (web server, file sharing, DNS, mail, etc). Clients will connect directly to it to consume its services. Having a VPN Server on the NAS doesn’t mean the other services will stop allowing direct connections.

Of course to have direct connections, from the Internet, then your router/firewall must have explicit port forwarding (NAT) rules to whichever services you want to expose. If you only port forward the ports for the VPN services then your users will have to establish a secure tunnel to VPN server and then access other NAS services through it.

5.

The NAS as VPN client is a feature in Control Panel’s Network settings.
 
Thanks for the reply,
Running VPN Server on the NAS is like running any other network service (web server, file sharing, DNS, mail, etc). Clients will connect directly to it to consume its services. Having a VPN Server on the NAS doesn’t mean the other services will stop allowing direct connections.

Of course to have direct connections, from the Internet, then your router/firewall must have explicit port forwarding (NAT) rules to whichever services you want to expose. If you only port forward the ports for the VPN services then your users will have to establish a secure tunnel to VPN server and then access other NAS services through it.

I think I'm just going to have to set it up and see how it works, my little brain can't visualise how it's going to work. For example, on a desktop, do users have to log into the VPN server on the NAS before they open a tab in their browser and connect to, i.e., https://[reverse_proxy_name].[DDNS_name].synology.me ? And then on their mobile, do they need to connect to the VPN server before launching the Synology Photos app?

I want to make it as secure as possible so if only having the VPN server port open on the router is the most secure way then so be it. I'm just struggling to understand how external services like Plex will work unless they aren't routed through the VPN.

The NAS as VPN client is a feature in Control Panel’s Network settings.
Cool, that bit's easy then.


Thanks again @fredbert I really appreciate it (y)
 
Running incoming and outgoing vpn on a single box is not allowed by default in synology-verse.

However, you can do it in several ways that will be compliant with their rules.

Saying this, it does come down to port forwarding. If you are looking to have only a single port open, then you will maybe have some compromises to make. One example that comes to mind from your list is Drive. The Drive desktop client uses a hard-coded port (apart from the web access port that can be reverse proxied), so using that service to its fullest potential will not be possible without an open port.

One zero-hassle VPN that you could use, and that's user and platform friendly, is Tailscale. It supports Synology using its native package as well as all desktop and mobile platforms. It will allow you to have access to any device running the Tailscale client without the need to open any specific ports or mess with the firewall. Best of all, it runs on WireGuard.

So let’s say Tailscale covers your incoming needs, that leaves your outgoing ones. You have NordVPN, but the question is what do you want to protect with it?

Just the NAS outgoing traffic or your whole LAN and its devices?

There are multiple ways to implement both and if it’s only specific services in your NAS that you want to protect or hide, there are ways to do it as well (especially if those services are in docker).
 
Thanks @Rusty (y)

I'm curious to learn why it's not allowed to run incoming and outgoing VPNs?

TBH I'm only interested in doing what I can to increase privacy and security, I'm not out to break rules or up to anything really nefarious. I've listened to the advice on this forum and taken all the steps suggested, to try to secure my NAS as much as possible. Adding a VPN is just the next thing on the list that I've been advised to do. I'm more than happy to take the advice from knowledgeable users like yourself on what I need to do.

One zero-hassle VPN that you could use, and that's user and platform friendly, is Tailscale. It supports Synology using its native package as well as all desktop and mobile platforms. It will allow you to have access to any device running the Tailscale client without the need to open any specific ports or mess with the firewall. Best of all, it runs on WireGuard.
Sounds good, I knew I should have asked this question before I subscribed to Nord, but it was a time limited offer.

So let’s say Tailscale covers your incoming needs, that leaves your outgoing ones. You have NordVPN, but the question is what do you want to protect with it?
I'm moving house soon and will have to change to a different ISP. The new ISP has, in the past at least, been known to throttle connections if they detect anything like BitTorrent. So, for example, in case I grabbed a new Linux image over BitTorrent, that's why I'd like to increase outgoing privacy.

Just the NAS outgoing traffic or your whole LAN and its devices?
I'd like to protect the whole LAN and its devices. My router has basic OpenVPN ability if that helps.

There are multiple ways to implement both and if it’s only specific services in your NAS that you want to protect or hide, there are ways to do it as well (especially if those services are in docker).
The only service that isn't in docker is Plex.


Thanks for the help.
 
I'm curious to learn why it's not allowed to run incoming and outgoing VPNs?
DSM limitations and design from Synology

Sounds good, I knew I should have asked this question before I subscribed to Nord, but it was a time limited offer.
Keep in mind that Tailscale is an incoming VPN not an outgoing/commercial like Nord. So Tailscale will work on any device it supports that you control, with Nord you have no control of it, other than connecting to its infrastructure and surf the web.

So for example, in case I grabbed a new Linux image over BitTorrent, that's why I'd like to increase outgoing privacy
This can be configured to a torrent client level only, if needed.

I'd like to protect the whole LAN and it's devices. My router has basic OpenVPN ability if that helps.
See, that's the problem. If you want to protect the whole LAN using an outgoing VPN service, you will lock yourself out from getting to your internal services while outside your LAN. This is the reason that combining outgoing and incoming OpenVPN is a problem in some cases.

Your router might have OpenVPN ability, but is it an outgoing or incoming VPN? Can it be a client or just a server? These are all the elements that you need to take into consideration when putting a VPN into play. It can increase security, but usually with that come commodity restrictions.

The only service that isn't in docker is Plex.
Regardless of whether it is or not, putting an outgoing VPN on your router will lock you out of Plex usage. This is also the kind of scenario that I meant.

Best to go with priorities imho. List what absolutely needs to be protected by vpn, what would be nice to be covered if possible, and what doesn't have to be. Then you can see what will need incoming or outgoing vpn, and finally how to implement it best depending on the hw and sw you have.
 
Hey @Rusty, sorry for the late reply, I don't get much time when the kids are home.

DSM limitations and design from Synology
(y)

Keep in mind that Tailscale is an incoming VPN not an outgoing/commercial like Nord.
So I've installed Tailscale on my NAS, laptop and mobile. Wasn't expecting it to be so easy and free! I presume it's only worth using from outside my LAN?

This can be configured to a torrent client level only, if needed.
I'd be grateful if you can point me in the right direction of the best way to do this. Is it a matter of routing just certain services through a VPN?

See, that's the problem. If you want to protect the whole LAN using an outgoing VPN service, you will lock yourself out from getting to your internal services while outside your LAN.
So do I just use NordVPN on my devices(laptop/mobile) when accessing the internet, and use Tailscale when accessing my NAS remotely then?

Your router might have openvpn ability but is it an outgoing or incoming vpn? Can it be a client or just a server?
Outgoing only I think…
[attached screenshot: router_vpn_settings.png]


Regardless of whether it is or not, putting an outgoing VPN on your router will lock you out of Plex usage.
Yeah, I can't do that.

Best to go with priorities imho. List what absolutely needs to be protected by vpn, what would be nice to be covered if possible
So I guess any data on the NAS I want to access over the WAN could be accessed via Tailscale. Then there are services like Sonarr, Radarr and NZBget (all running in docker containers) that I'd like to hide from my ISP. The only other thing I would like to secure as much as possible is Vault/Bitwarden. It's already accessed through https through Synology's reverse proxy, I'm not sure if that's enough?

Here's a quick mind map I knocked together to try to help visualise what I need to do. If you have any suggestions of what else I need to do I'd be really grateful.
[attached screenshot: mind_map_screenshot.png]


Thanks for any help and advice you can offer mate (y)
 
So I've installed Tailscale on my NAS, laptop and mobile. Wasn't expecting it to be so easy and free! I presume it's only worth using from outside my LAN?
As a general idea, no need to use it while you are inside the LAN.

I'd be grateful if you can point me in the right direction of the best way to do this. Is it a matter of routing just certain services through a VPN?
The best option would be to use the vpn+torrent combo via a docker deployment. Have a look here.

So do I just use NordVPN on my devices(laptop/mobile) when accessing the internet, and use Tailscale when accessing my NAS remotely then?
That would make more sense, yes

Outgoing only I think…
No this is incoming only

Then there are services like Sonarr, Radarr and NZBget (all running in docker containers) that I'd like to hide from my ISP.
Guessing it's only NZBget here that needs "hiding". But saying this, doesn't your Usenet provider support HTTPS/secure access? If so, there is no need to hide it behind another layer. As for Sonarr and Radarr, they are download manager/organiser platforms, not download platforms themselves, so not sure why you need those covered.

The only other thing I would like to secure as much as possible is Vault/Bitwarden. It's already accessed through https through Synology's reverse proxy, I'm not sure if that's enough?
That is fine. With a valid certificate and strong protection of your vault (with 2FA on top of it), you could maybe (in case you haven't) just disable the option for new registrations, to avoid any new 3rd-party users registering. Another way to protect it is by using reverse-proxy rules and protecting its /admin path so that you can only access it via LAN and not WAN.

If you have any suggestions of what else I need to do I'd be really grateful.
Rest looks fine to me. Tailscale for incoming, and VPN outgoing traffic only for torrent traffic. If you are using Usenet, make sure to use it over a secure connection so there is no need for added VPN protection. BW hardening might be one thing to focus on if it hasn't already been additionally secured.
 
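The "vpn+torrent combo via a docker deployment" that Rusty recommends above, written out as an added example (it is not from this thread, Synology or NordVPN): gluetun holds the NordVPN tunnel and its own firewall, and the torrent client is started inside gluetun's network namespace, so the client has no route to the internet except through the tunnel and goes fully offline if the tunnel drops. Everything else on the NAS (Plex, Photos, Tailscale) is untouched. The container names, the `/volume1/...` paths, the LAN subnet `192.168.20.0/24`, the PUID/PGID values, the timezone and the `.env` variable holding the key are assumptions to adapt; the environment variable names are gluetun's and linuxserver's own.

```yaml
# docker-compose.yml: NAS torrent traffic forced through a commercial VPN (gluetun + qBittorrent).
# Added example, not from the thread. Assumed: NordVPN WireGuard private key in a .env file
# next to this compose file, LAN 192.168.20.0/24, DSM user/group ids 1026/100 (check with `id`
# over SSH), config directories under /volume1/docker, downloads under /volume1/downloads.
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN                 # needed to bring up the tunnel and program the firewall
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=nordvpn
      - VPN_TYPE=wireguard        # the fast option the thread asks about; OpenVPN would use
                                  # VPN_TYPE=openvpn with OPENVPN_USER/OPENVPN_PASSWORD instead
      - WIREGUARD_PRIVATE_KEY=${NORD_WG_PRIVATE_KEY}   # read from .env, never committed
      - SERVER_COUNTRIES=Netherlands                    # assumption: any Nord location will do
      - FIREWALL=on                                     # gluetun's default, stated explicitly:
                                                        # this is the kill switch
      - FIREWALL_OUTBOUND_SUBNETS=192.168.20.0/24       # lets LAN clients talk to the WebUI
      - TZ=Europe/London                                # assumption
    ports:
      - 8080:8080                 # qBittorrent WebUI is published on gluetun, not on qbittorrent
    volumes:
      - /volume1/docker/gluetun:/gluetun
    restart: unless-stopped

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent
    container_name: qbittorrent
    network_mode: "service:gluetun"   # share gluetun's network namespace: no tunnel, no network
    depends_on:
      - gluetun
    environment:
      - PUID=1026                 # assumption: the DSM user that owns the docker folders
      - PGID=100
      - TZ=Europe/London
      - WEBUI_PORT=8080           # must match the port published on gluetun above
    volumes:
      - /volume1/docker/qbittorrent:/config
      - /volume1/downloads:/downloads
    restart: unless-stopped
```

Sonarr and Radarr point at the download client as `http://<NAS LAN IP>:8080`, exactly as if qBittorrent were published directly; they stay outside the tunnel, which matches Rusty's point that only the download traffic needs hiding. Two checks worth doing once it is up: `docker compose stop gluetun` should leave qBittorrent with no connectivity at all (a sign the namespace sharing is in effect), and the torrent client's reported public IP should be the VPN exit, not your ISP address.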
Solution
Hey @Rusty,

As a general idea, no need to use it while you are inside the LAN.
Thought so (y)

The best option would be to use the vpn+torrent combo via a docker deployment. Have a look here.
Great stuff, thanks. TBH I can't remember the last time I used BitTorrent but will probably set this up just in case.

No this is incoming only
Doh! :ROFLMAO:

Guessing it's only NZBget here that needs "hiding". But saying this, doesn't your Usenet provider supports HTTPS/secure access?
I have server encryption set to yes in nzbget news-servers settings, I presume this is the same thing/is correct?

As for sonarr and radarr, they are download manager org platforms, not download platforms themselves, so not sure why you need those covered.
Thanks, I presumed they grab .nzb files from indexers and didn't know if hiding this would be necessary. But looking through my settings I can see they connect to an API over https. I obviously just don't understand this stuff lol. If SSL/https etc. is secure enough, then why do we need VPNs at all? I guess I thought that additional layers of security wouldn't hurt in case a site's certificate expires or something like that. But thinking about it, I guess they would just fail to connect if that happened. :rolleyes:

That is fine. With a valid certificate and strong protection of your vault (with 2FA on top of it), you could maybe (in case if you haven't) just disable the option for new registrations.
All good (y)

Another way to protect it is by using reverse rules and protecting its /admin path so that you can only access it via LAN and not WAN.
I share this with family members who don't live with me and also use it on my phone so would need WAN access.


Thanks so much for your help, It really is appreciated.
 
I have server encryption set to yes in nzbget news-servers settings, I presume this is the same thing/is correct?
Ok, but be sure of the note: By changing this option you should also change the option Port accordingly because unsecure and encrypted connections use different ports.

If SSL/https etc. is secure enough, then why do we need VPN's at all?
Well, that is because you want to hide all of your traffic from the ISP, or, in the other direction, provide a protected route to your LAN from an unsecured location. In most cases, you wouldn't want to use public wifi that will allow anyone to scan your traffic and transactions, right? So you protect yourself with a VPN to encrypt the traffic and lose yourself in the masses.

I share this with family members who don't live with me and also use it on my phone so would need WAN access.
By default, using BW has to be sorted over a valid HTTPS URL and cert, so as long as you have that in order, and maintain it, you will be just fine.
 
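The Bitwarden hardening Rusty describes in the two replies above (valid HTTPS certificate behind the Synology reverse proxy, new registrations disabled, the /admin page kept off the WAN), as an added example for a self-hosted Vaultwarden container; this is not from the thread and not Bitwarden's or Synology's own configuration. The hostname `vault.example.com`, the loopback port 8000, the `/volume1/docker/vaultwarden` path and the `.env` variable holding the admin token are assumptions; the environment variable names are Vaultwarden's own.

```yaml
# docker-compose.yml: Vaultwarden (Bitwarden-compatible server) hardened for WAN access behind
# DSM's reverse proxy. Added example, not from the thread. Assumed: DSM reverse proxy on the same
# host forwards https://vault.example.com -> http://127.0.0.1:8000 with a valid certificate,
# data directory /volume1/docker/vaultwarden, admin token stored in a .env file.
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    environment:
      - DOMAIN=https://vault.example.com        # must match the public HTTPS URL the apps use
      - SIGNUPS_ALLOWED=false                   # nobody on the internet can create an account
      - INVITATIONS_ALLOWED=true                # family members are added by invitation instead
      - SHOW_PASSWORD_HINT=false                # hints would be readable by anyone with the email
      - ADMIN_TOKEN=${VAULTWARDEN_ADMIN_TOKEN}  # argon2 hash made with the container's
                                                # `/vaultwarden hash` subcommand; leave the
                                                # variable unset to disable /admin entirely
    ports:
      - 127.0.0.1:8000:80         # loopback only: reachable through the reverse proxy, never
                                  # directly from LAN or WAN, so TLS is always terminated by DSM
    volumes:
      - /volume1/docker/vaultwarden:/data
    restart: unless-stopped
```

The loopback binding means there is no plaintext path to the vault even on the LAN, and Rusty's "disable new registrations" becomes a single setting rather than a reverse-proxy rule. Restricting /admin to LAN addresses, as suggested, lives in the reverse proxy rather than in this file; if the admin page is not needed from outside at all, leaving `ADMIN_TOKEN` unset switches it off, which is the simpler control.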