Is quickconnect security good enough?

[subie]

Hello,

Is using quickconnect to access the NAS safe or is using port forwarding safer? I'm concerned about privacy and security because it will go through the synology relay server.

 

[WST16]

Hi Subie,

That’s a tough one. You’ve said it, QuickConnect goes through Synology. However, if you take that variable out, then QuickConnect should be safer than port forwarding because the connection is initiated internally from your DS.

The downside is that it’s slower (you’ll notice the impact when streaming video if I’m not mistaken).

I don’t use it and I prefer DDNS.

Someone more knowledgeable might contradict the above.

 

[subie]

Thank you for your input WST16! I will be using it for note station and maybe pictures. I think my internet is too slow for video.

 

[Rusty]

Would agree with @WST16 for sure on security, however, personally I use ddns over QC coz of speed but extra security needs to be set on your end then.

Also, QC tends to stop working from time to time, so there might be a bit more downtime then via ddns.

 

[Shadow]

That’s a tough one. You’ve said it, QuickConnect goes through Synology.

Does it always go trough Synology? I tought (if you have Relay enabled) it first only searches for the best way how to connect to your NAS. For that it uses Synology's end to make initial searches for the NAS. So it even uses the local IP if the NAS appears to be in the same network as you are. I've even seen it using the public IP+poort whenever it's available (from an external network). But when even that is not avaible, then all traffic will be 'tunneled' trough Synology's relay service. Right?

 

[Gerard]

.....however, personally I use ddns over QC coz of speed but extra security needs to be set on your end then.

Rusty could you do a brief on what we should do to harden and tighten security; including some best practices with one way vs another.

 

[WST16]

Does it always go trough Synology?

Yes, I think so. Didn’t spend much time thinking about it though since I’m not using it, so I’m not very sure. Take a look at this.

 

[Rusty]

Rusty could you do a brief on what we should do to harden and tighten security; including some best practices with one way vs another.

Well as @WST16 already said, opening up to the internet is always a problem. In case of DDNS there are several things that I think need to be done

• Disable admin account
• Set up 2FA for account and use complex passwords.
• Access your nas via https using a valid ssl certificate
• Change default port to any higher then 1024
• Use firewall (and geo option) to limit the locations in the world you allow access to your nas and services.
• Setup a vpn server to access your nas and minimize the number of direct services on your nas being visible on the internet.
• In case of multiple services being served and vpn not being an elegant solution, setting up proxy server (or using a default one) would be highly recommended.

These are my recommendations. If you need any detail info on this I/we can make a Resource tutorial on how to make all of this work.

 

[Gerard]

A benefit to quickconnect is that it can automatically detect whether you’re remote or on the lan. If on the lan it will automatically route locally through the router, and if detected as outside the lan routing the connection would be routed through quickconnect.

@Rusty with that being said, since you use DDNS, do you continue to use this address locally or do you just switch to the local IP?

 

[Rusty]

since you use DDNS, do you continue to use this address locally or do you just switch to the local IP?

My router has NAT loopback function, so I can use my DDNS name localy and it will access it just like I used an IP address

 

[Gerard]

Ahh, I don’t think Verizon fios has a Nat loopback option. I could add the ddns name into the routers dns, so when the ddns is typed locally it should route to the local ip right?

It seems lately I’ve had issue with quickconnect and ddns running along side of each other. Especially if I try and change the default dsm ports to something different. I’m also trying to make the notifications play nice when having reports emailed. The notifications will list the quickconnect, ddns, and local ip links.

 

[Siewert_JR]

That's why i only connect true VPN.
Via QuickConnect was when i had moment to think about it way to easy to get in and communicate with the NAS.
As i run my own VPN at home and only need my internal network ip addresses and no need to connect from the outside.
I don't like (not even a peekhole) to have open gaps from the outside in besides the custom VPN port offcourse.

 

[Rusty]

I could add the ddns name into the routers dns, so when the ddns is typed locally it should route to the local ip right?

Yes that should work if your router is your LAN DNS server as well.

Especially if I try and change the default dsm ports to something different

In what way exactlly?

I’m also trying to make the notifications play nice when having reports emailed. The notifications will list the quickconnect, ddns, and local ip links.

That is true... I have stoped getting them on email and switched to push notifications but not for reports anyway. I view them on demand.

That's why i only connect true VPN.
Via QuickConnect was when i had moment to think about it way to easy to get in and communicate with the NAS.
As i run my own VPN at home and only need my internal network ip addresses and no need to connect from the outside.

Def agree with @Siewert_JR. I have only a few ports open up. One is VPN rest is pushed via a revers proxy (for services that I do want to be out there and not force my users to use VPN). But in general I favor VPN above all of them.

 

[Gerard]

In what way exactlly?

When I made the change to the ports quickconnect would stop working, where I had to turn it off and turn it back on again. I have the option set for dsm to push the ports out to the router, not something I like but as a new user I’m still messing around with it and I had to get it up and running for a family members business to continue to run. He vpn connects into the network, but one thing I did was turn the dsm page into a password reset only page for them. So when their password expires or they need to reset their password, I have a quickconnect link for them to get to.

When dsm pushes out (UPNP - not something that can be disabled on the router side) the ports to the router, it does the random source port which forward to the new local port. Issue was when quickconnect was working and falling back to ddns, the random port was hard to remember. I ended up changing where I picked the port and forwarded to the exact same port. Dsm would keep reverting my changes to the router and push out new random source ports (most likely because that option to do so was still selected).

 

[Rusty]

Well, upnp might be the reason you are getting all these problems. With that disables and using only ddns with manually forwarded ports will guarantee that you will not have any problems with ports.

 

[wwwampy]

Setup a vpn server to access your nas and minimize the number of direct services on your nas being visible on the internet.

Some tutorial for this would be great too. I'm not sure if I understand the VPN right.

 

[Rusty]

Will do in time

 

[NAS Newbie]

These are my recommendations. If you need any detail info on this I/we can make a Resource tutorial on how to make all of this work.

Please do make a tutorial. I find that while Synology's resources are good at explaining individual components, they do not bring them all together into a comprehensive solution very well, especially for rookies like myself.

 

[Rusty]

Please do make a tutorial. I find that while Synology's resources are good at explaining individual components, they do not bring them all together into a comprehensive solution very well, especially for rookies like myself.

That is correct. One reason why I’m working on a syno 101 5 post series on my blog on the matter of setting up syno for beginners. Main reason is coz their Kb is detail but not made as a tutorial

 

[NAS Newbie]

That is correct. One reason why I’m working on a syno 101 5 post series on my blog on the matter of setting up syno for beginners. Main reason is coz their Kb is detail but not made as a tutorial

Yes, I've read some of your blog and look forward to new releases. Thanks for all the hard work.