Is quickconnect security good enough?


WST16

Giga Poster
NAS
DS216+II : DS118 : APC Back UPS ES 700 — Mac/iOS user
I find that while Synology's resources are good at explaining individual components, they do not bring them all together into a comprehensive solution very well, especially for rookies like myself.
I think it’s very difficult. Each case is different with many variables, and there’re a myriad of ways to accomplish things.

Best option is to understand the components and make up the solution by enabling and configuring what you need. This flexibility brings power at the cost of a bit of a steep learning curve.
 

NAS Newbie

Byte Poster
NAS
DS918+
I think it’s very difficult. Each case is different with many variables, and there’re a myriad of ways to accomplish things.

Best option is to understand the components and make up the solution by enabling and configuring what you need. This flexibility brings power at the cost of a bit of a steep learning curve.
That's fair enough, but it'd be nice if there was at least one beginning to end package that was available. I started my backups with I believe Cloud Station because that was the first link that popped up when I searched for backups on Synology's website. I came to find out later that I should have been using Drive. There's too much parallel info available to rookies like myself on Synology's website to easily whittle down what is the best solution. I'm grateful for all the help more experienced users are willing to share on forums like this.
 

WST16

Giga Poster
NAS
DS216+II : DS118 : APC Back UPS ES 700 — Mac/iOS user
There's too much parallel info available to rookies like myself on Synology's website to easily whittle down what is the best solution.
Agree. Unfortunately, all big players (especially in the technology field) suffer from this as development often goes faster than documentation for various reasons.

It’s the nature of the beast :)
 

ed.j

Byte Poster
NAS
DS416slim
Well as @WST16 already said, opening up to the internet is always a problem. In case of DDNS there are several things that I think need to be done

  • Disable admin account
  • Set up 2FA for account and use complex passwords.
  • Access your nas via https using a valid ssl certificate
  • Change default port to any higher than 1024
  • Use firewall (and geo option) to limit the locations in the world you allow access to your nas and services.
  • Set up a vpn server to access your nas and minimize the number of direct services on your nas being visible on the internet.
  • In case of multiple services being served and vpn not being an elegant solution, setting up proxy server (or using a default one) would be highly recommended.

These are my recommendations. If you need any detailed info on this I/we can make a Resource tutorial on how to make all of this work.
Would love to know more about a few of these. I know there are various threads and questions etc on the forum and net but they are usually quite high brow / assume a lot of knowledge.

Despite a few people thinking i am very unhappy with my NAS due to a thread I made - I am not! It's a learning process. I am keen to make it secure as well but not to the point of making it a huge pain to access. For eg, yesterday my Mum wanted to download a few videos I had and I decided to walk her through (over the phone) installing DS File and to download that way, which was great, but because I had 2FA set up and I couldn't for the life of me work out how to turn it off just for her account it took probably 15 mins longer than it had to.

So a few questions based on your security 101 above:

- access your nas via https and a valid SSL cert - are you talking about remote access here? How do you force https and how do you implement an SSL cert?
- default port > 1024, please explain more! local port or router port? and....... how?
- VPN. this is something i keep looking into but keep giving up. i think you are referring to accessing your nas remotely and through windows file share (rather than the NAS accessing the internet through a VPN)? if so, it seems a prerequisite for this is having a static IP, is this correct? or is there some other way of doing it? i have a huawei b110 router that doesn't have port forwarding and this seems to be an issue. or am i barking up the wrong tree? because i would love to be able to access my nas remotely. currently i can only do it through the android apps, which is half way there!
 

Rusty

Staff member
Moderator
NAS Support
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
- access your nas via https and a valid SSL cert - are you talking about remote access here? How do you force https and how do you implement an SSL cert?
This is something that I still have to do as part of my Syno101 blog series but haven't had time to get around to actually doing it. So, in Control Panel you will see a "Security" icon that has a "Certificate" tab in it. There you can configure a free Let's Encrypt cert for your usage.

- default port > 1024, please explain more! local port or router port? and....... how?
In Control Panel you can change your DSM (http/https) default ports from 5000/5001 to any custom port (most that are not in use and/or reserved) that you want to use to access your nas. This will be the local port of the NAS that will translate to a port on your router if you want access from the outside as well (port forward). Ofc you can use port forward already to move traffic from, let's say, 1024 public port to 5000 local port. But if you want to have the same port (local and public) then be sure to change the default one to something else. In Control Panel > Network > DSM Settings (tab) you can find all the settings to make this happen.

i think you are referring to accessing your nas remotely and through windows file share (rather than the NAS accessing the internet through a VPN)?
Correct. This is an option to get to your NAS remotely without pushing various services on it via multiple ports (port forward) but rather use one port (VPN one) and have an encrypted private tunnel. On top of this you can use your nas just like you would inside your LAN.

if so, it seems a prerequisite for this is having a static IP, is this correct? or is there some other way of doing it
No, static IP is not a prerequisite. Most people have dynamic public IPs that change within 24h or once a week etc. (depends on the ISP). To get past this you can set up a free DDNS service on your NAS. This will allow you to have a custom public DNS name that will always target your NAS as a final destination regardless of what public IP address it's currently on. DDNS will update your public IP upon change and you will just access your nas directly or via VPN using its custom DDNS name. In order to set it up use Control Panel > External Access > DDNS tab.

i have a huawei b110 router that doesn't have port forwarding and this seems to be an issue. or am i barking up the wrong tree? because i would love to be able to access my nas remotely. currently i can only do it through the android apps, which is half way there!
Hmm, not familiar with that model and not sure I can find it on the web. What model is that exactly? Can you send a picture or a link to it? Regardless, port forward can be locked down by your ISP if the router is on a loan from them. Custom firmware on it can restrict access to certain functions. This is something that only your provider can fix or elaborate on.
The general idea is that yes, without port forward, most of these things you will not be able to set up. Even for VPN you will need to open up at least one port as well as direct access to your NAS if you choose so.
Setting up an SSL certificate on your nas will require having access to your nas via port 80 or 443 every 3 months so the certificate can renew itself and that will also require having a port or 2 open on your router.
Best to check with your ISP, get the exact model of your router and have a look at what your options are. For the rest of these DSM configurations we are all here to help out if and when needed.
 

fredbert

Mega Poster
So a few questions based on your security 101 above:

- access your nas via https and a valid SSL cert - are you talking about remote access here? How do you force https and how do you implement an SSL cert?
(I would usually refer to 'remote access' as a service that permits authorised users located on the Internet to access home/work services using a VPN service, such as IPsec VPN, SSL-VPN, L2TP VPN. Otherwise accesses would be termed external access.)

Within DSM there are a few places that define HTTP/HTTPS accessible services and each of these have the option to enable HSTS to force HTTP requests to be redirected to HTTPS (enable these):
  • Control Panel for:
    • main DSM web interface;
    • Synology packages (e.g File Station) that can have direct URLs defined in Application Portal;
    • Other web redirects can be set up in Reverse Proxy of Application Portal;
  • Web Station for the normal HTTP/80 and HTTPS/443 web server plus any virtual web services you create.
You can create new SSL certificates in Control Panel's Security section. By creating a Let's Encrypt certificate then web browsers will be able to confirm that Let's Encrypt has authorised it (aka signed it) and see the web server as secure. If you create a self-signed certificate then web browsers won't be able to check who signed it (because it wasn't) but the connection will still be secured.

When creating a LE certificate you must enter any Subject Alternative Names in full so that web browsers know that, e.g., file.domain.com is ok with the domain.com certificate.

Once created, you need to assign the new certificate to the appropriate services (do this from the same Security page).

- default port > 1024, please explain more! local port or router port? and....... how?
UDP and TCP ports up to 1024 are reserved for system services. The device that is running the service needs to listen on a known port for incoming traffic, this will be the local port on the NAS. To then allow access inbound from the Internet you have to configure a port forwarding rule on your router to pass traffic to its port onto the NAS. To complicate matters, if you want, the router's port can be different to the NAS's port because the router will switch the numbers as it passes the traffic: this may be useful if you don't want to change default port numbers on the NAS but also don't want to advertise services on default ports to the Internet.

- VPN. this is something i keep looking into but keep giving up. i think you are referring to accessing your nas remotely and through windows file share (rather than the NAS accessing the internet through a VPN)? if so, it seems a prerequisite for this is having a static IP, is this correct? or is there some other way of doing it? i have a huawei b110 router that doesn't have port forwarding and this seems to be an issue. or am i barking up the wrong tree? because i would love to be able to access my nas remotely. currently i can only do it through the android apps, which is half way there!
To access any service on your NAS from the Internet you need at least:
  1. Static IP, with or without a domain name
  2. Dynamic IP with a domain name and a dynamic DNS service supported by DSM
  3. QuickConnect which controls whether access will be direct to the NAS or managed via the Synology proxy.
The previous questions would imply you intend to have Internet accessible services so you're already looking at a situation where VPN services can be used: they don't mandate static IP.

If your router doesn't do port forwarding then you can't host any services on the NAS and have them accessed from the Internet. I suggest you recheck this. If you can configure the router to act in bridge/modem mode then you should be able to add another full-featured router to do port forwarding and all other stuff (e.g. a Synology SRM router: RT2600ac or MR2200ac).
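
The HTTPS points raised in the replies above (every name listed as a Subject Alternative Name, HSTS enabled, and a Let's Encrypt certificate that keeps renewing) can be checked together. This is an added example, not part of any poster's reply or Synology's own tooling; the host names, thresholds and sample data are constructed assumptions, and `cert` uses the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import re
import ssl
from datetime import datetime, timezone

def san_matches(hostname, san):
    """Exact match, or one wildcard as the whole left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def hsts_max_age(headers):
    """Seconds from a Strict-Transport-Security header, or None if absent."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
            return int(m.group(1)) if m else None
    return None

def audit(hostname, cert, headers, now, min_days=14, min_hsts=15552000):
    """Return a list of findings; both thresholds are assumed policy values."""
    findings = []
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(san_matches(hostname, s) for s in sans):
        findings.append("name-not-in-san")      # browser will warn on this name
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if (expires - now).days < min_days:
        findings.append("renewal-overdue")      # automatic renewal is not succeeding
    age = hsts_max_age(headers)
    if age is None:
        findings.append("hsts-missing")
    elif age < min_hsts:
        findings.append("hsts-too-short")
    return findings

# Constructed sample data (hypothetical host names, not taken from the thread).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
BAD_CERT = {"subjectAltName": (("DNS", "nas.example.net"),),
            "notAfter": "Mar 10 00:00:00 2024 GMT"}
GOOD_CERT = {"subjectAltName": (("DNS", "nas.example.net"),
                                ("DNS", "file.nas.example.net")),
             "notAfter": "May 20 00:00:00 2024 GMT"}
GOOD_HEADERS = {"Strict-Transport-Security": "max-age=15768000; includeSubDomains"}

if __name__ == "__main__":
    print(audit("file.nas.example.net", BAD_CERT, {"Server": "nginx"}, NOW))
    print(audit("file.nas.example.net", GOOD_CERT, GOOD_HEADERS, NOW))
```

A "renewal-overdue" finding on a Let's Encrypt certificate usually means the renewal check can no longer reach the NAS on port 80 or 443, as described earlier in the thread.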
 

ed.j

Byte Poster
NAS
DS416slim
@Rusty @fredbert Guys thank you both very much for the comprehensive replies above - some good stuff to get started on next weekend for sure!

Re the port forwarding thing, i just did some deeper research on my router (Huawei B311s-220) and you can do port forwarding - but they call it a "Virtual Server" instead, which is why I couldn't find it before.

Very excited about being able to access the nas "offshore" so thanks both for the starter tips. I'll probably be back on here asking daft questions on Saturday :)
 
