Is quickconnect security good enough?

NAS
DS216
Hello,

Is using quickconnect to access the NAS safe or is using port forwarding safer? I'm concerned about privacy and security because it will go through the synology relay server.
 
Hi Subie,

That’s a tough one. You’ve said it, QuickConnect goes through Synology. However, if you take that variable out, then QuickConnect should be safer than port forwarding because the connection is initiated internally from your DS.

The downside is that it’s slower (you’ll notice the impact when streaming video if I’m not mistaken).

I don’t use it and I prefer DDNS.

Someone more knowledgeable might contradict the above.
 
Thank you for your input WST16! I will be using it for note station and maybe pictures. I think my internet is too slow for video.
 
Would agree with @WST16 for sure on security. However, personally I use DDNS over QC because of speed, but extra security needs to be set on your end then.

Also, QC tends to stop working from time to time, so there might be a bit more downtime than via DDNS.
 
That’s a tough one. You’ve said it, QuickConnect goes through Synology.

Does it always go through Synology? I thought (if you have Relay enabled) it first only searches for the best way to connect to your NAS. For that it uses Synology's end to make initial searches for the NAS. So it even uses the local IP if the NAS appears to be in the same network as you are. I've even seen it using the public IP+port whenever it's available (from an external network). But when even that is not available, then all traffic will be 'tunneled' through Synology's relay service. Right?
 
Rusty could you do a brief on what we should do to harden and tighten security; including some best practices with one way vs another.
Well, as @WST16 already said, opening up to the internet is always a problem. In case of DDNS there are several things that I think need to be done:

  • Disable admin account
  • Set up 2FA for account and use complex passwords.
  • Access your nas via https using a valid ssl certificate
  • Change default port to any higher than 1024
  • Use firewall (and geo option) to limit the locations in the world you allow access to your nas and services.
  • Setup a vpn server to access your nas and minimize the number of direct services on your nas being visible on the internet.
  • In case of multiple services being served and vpn not being an elegant solution, setting up proxy server (or using a default one) would be highly recommended.

These are my recommendations. If you need any detailed info on this I/we can make a Resource tutorial on how to make all of this work.
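One way to check the outcome of the checklist above from outside your network, as an added example (not code from the thread or from Synology). It assumes DSM's default web ports 5000/5001, a hypothetical allowlist containing only a reverse proxy on 443, and a constructed probe result; `probe()` only sees TCP, so a UDP-based VPN port has to be verified separately.

```python
import socket

# Assumptions for this example: DSM's default web ports and a few cleartext services.
DSM_DEFAULT_PORTS = {5000: "DSM HTTP", 5001: "DSM HTTPS"}
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 5000: "DSM HTTP"}

def probe(host, ports, timeout=2.0):
    """Return the set of TCP ports on host that accept a connection.
    Run it from outside the LAN (e.g. a phone hotspot), because NAT
    loopback or local DNS would otherwise show the internal view."""
    reachable = set()
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                reachable.add(port)
        except OSError:
            pass  # closed, filtered or timed out
    return reachable

def audit(open_ports, allowed):
    """Compare what is reachable from the internet with what you intended."""
    findings = []
    for port in sorted(open_ports):
        if port in DSM_DEFAULT_PORTS:
            findings.append((port, f"{DSM_DEFAULT_PORTS[port]} exposed on its default port"))
        if port in CLEARTEXT_PORTS:
            findings.append((port, f"{CLEARTEXT_PORTS[port]} is served without TLS"))
        if port not in allowed:
            findings.append((port, "reachable but not in the allowlist"))
    for port in sorted(allowed - open_ports):
        findings.append((port, "allowed but not reachable; check the forward"))
    return findings

if __name__ == "__main__":
    allowed = {443}                 # hypothetical: reverse proxy only
    observed = {443, 5000, 5001}    # constructed sample, not a real scan
    # Live check of your own hostname (placeholder name):
    # observed = probe("your-name.example-ddns.net", [21, 23, 80, 443, 5000, 5001])
    for port, message in audit(observed, allowed):
        print(f"{port}: {message}")
```
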
 
A benefit to QuickConnect is that it can automatically detect whether you’re remote or on the LAN. If on the LAN it will automatically route locally through the router, and if detected as outside the LAN the connection would be routed through QuickConnect.

@Rusty with that being said, since you use DDNS, do you continue to use this address locally or do you just switch to the local IP?
 
since you use DDNS, do you continue to use this address locally or do you just switch to the local IP?
My router has a NAT loopback function, so I can use my DDNS name locally and it will access it just like I used an IP address.
 
Ahh, I don’t think Verizon Fios has a NAT loopback option. I could add the DDNS name into the router's DNS, so when the DDNS is typed locally it should route to the local IP, right?

It seems lately I’ve had issues with QuickConnect and DDNS running alongside each other. Especially if I try and change the default DSM ports to something different. I’m also trying to make the notifications play nice when having reports emailed. The notifications will list the QuickConnect, DDNS, and local IP links.
 
That's why I only connect through VPN.
Via QuickConnect it was, when I had a moment to think about it, way too easy to get in and communicate with the NAS.
As I run my own VPN at home and only need my internal network IP addresses and no need to connect from the outside.
I don't like to have open gaps (not even a peephole) from the outside in, besides the custom VPN port of course.
 
I could add the ddns name into the routers dns, so when the ddns is typed locally it should route to the local ip right?
Yes that should work if your router is your LAN DNS server as well.

Especially if I try and change the default dsm ports to something different
In what way exactly?

I’m also trying to make the notifications play nice when having reports emailed. The notifications will list the quickconnect, ddns, and local ip links.
That is true... I have stopped getting them on email and switched to push notifications, but not for reports anyway. I view them on demand.

That's why I only connect through VPN.
Via QuickConnect it was, when I had a moment to think about it, way too easy to get in and communicate with the NAS.
As I run my own VPN at home and only need my internal network IP addresses and no need to connect from the outside.
Def agree with @Siewert_JR. I have only a few ports opened up. One is VPN, the rest is pushed via a reverse proxy (for services that I do want to be out there and not force my users to use VPN). But in general I favor VPN above all of them.
 
In what way exactly?

When I made the change to the ports, QuickConnect would stop working, and I had to turn it off and turn it back on again. I have the option set for DSM to push the ports out to the router, not something I like, but as a new user I’m still messing around with it and I had to get it up and running for a family member's business to continue to run. He VPN connects into the network, but one thing I did was turn the DSM page into a password-reset-only page for them. So when their password expires or they need to reset their password, I have a QuickConnect link for them to get to.

When DSM pushes out (UPnP - not something that can be disabled on the router side) the ports to the router, it does the random source port which forwards to the new local port. Issue was when QuickConnect was working and falling back to DDNS, the random port was hard to remember. I ended up changing where I picked the port and forwarded to the exact same port. DSM would keep reverting my changes to the router and push out new random source ports (most likely because that option to do so was still selected).
 
These are my recommendations. If you need any detail info on this I/we can make a Resource tutorial on how to make all of this work.

Please do make a tutorial. I find that while Synology's resources are good at explaining individual components, they do not bring them all together into a comprehensive solution very well, especially for rookies like myself.
 
Please do make a tutorial. I find that while Synology's resources are good at explaining individual components, they do not bring them all together into a comprehensive solution very well, especially for rookies like myself.
That is correct. One reason why I’m working on a Syno 101 5-post series on my blog on the matter of setting up Syno for beginners. Main reason is because their KB is detailed but not made as a tutorial.
 
