Question Need some help to clarify some doubts (about security)

LolloCollo

Bit Poster
NAS
DS218+
Operating system
Windows
Mobile operating system
Android
Hi! I'm new here and a general newbie in this world, and because of something out of my control I need to set up my NAS, a DS218+, in a way I've never configured before.

Until now, I have used my NAS as a backup and to store some personal data, music, videos and other things. I have always connected to it via the local IP address, and sometimes I have used QuickConnect to use applications when I was outside (also connected to a laptop with Synology Drive). I have also used the file sharing inside File Station, which I'm not entirely sure whether it is QuickConnect or not.

So, a pretty basic use. I have tried my best to make it more secure, like disabling the admin/guest accounts, creating another administrator account with a different name, using a randomly generated long password for everyone and 2-step verification for everyone. I have never set up DDNS, HTTPS or anything like that. On Windows, I use the drive Z: as a network drive (I don't think it is Samba?).

The problem I'm facing right now is that a member of my family is moving out, but I still want to give this person access to the NAS as always. I have read a lot of things, and basically what I have understood is that setting up OpenVPN is the most secure option for me, but it also leaves me confused about a lot of things.

First of all, I think I've understood that I need a domain. I have a very old domain registered to me, where I had a website. Now, the registrar was pretty basic, without SSL and such, so I've requested to move it to Google Domains, as I thought it was pretty cheap and it offered an HTTPS connection. My issue is that this domain is still used as a personal website, and I really don't want strangers to discover my (sub?)domain (like synology.domain.com) to enter my NAS. This makes me uncomfortable because I have sensitive data inside the NAS and I have always tried my best to avoid a data leak due to misconfiguration.

After the domain, I need to generate a certificate (Let's Encrypt?) and import it into the NAS. I don't actually understand how I should do it the right way.

Lastly, I have seen the NAS's firewall. I have seen people configuring it with rules that block everyone outside my country, grant full access to protocols and apps only to people connected inside my local network, and block everyone else, but the firewall settings are pretty confusing and I can't figure out how I really should put those settings.

Basically this is the whole situation. It can be summed up as: I need to configure the NAS for external access, and I don't really know how to configure it the secure way.
I don't know if this is useful, but my router is a Netgear R6400, with UPnP enabled.

I'm sorry for the long post and for any grammatical horrors I have written here, and thanks in advance!
 

jeyare

Giga Poster
NAS
1811+, 3x 1813+, 214play ... multisite Ubiquiti Unifi networks (USG-Pro,PoE,NanoHD)
Operating system
Linux, Windows
Mobile operating system
Android, iOS
First, welcome here.
Second, you aren't the first with such a request, don't worry :)
Third, take your time and use our Resources as the first step into this world.

Start point:
download the Security Checklist and check your NAS setup.
You need to write here step by step what is done and understood by you, and what isn't. Then we can move your steps to the finish.
 

Telos

Mega Poster
NAS
DS418play, DS213j, DSM 7.0.1-14401
I have a very old domain registered to me, where I had a website. Now, the register was pretty basic, without SSL
You can create a DDNS and use that (along with a LE cert) to make a VPN connection...
I need to generate a certificate (Let's encrypt?) and I need to import it into the NAS. I don't actually understand how I should do it the right way.
This is done by the NAS's "wizard"... Just follow the steps...
 

LolloCollo

First, welcome here.
Second, you aren't the first with such a request, don't worry :)
Third, take your time and use our Resources as the first step into this world.

Start point:
download the Security Checklist and check your NAS setup.
You need to write here step by step what is done and understood by you, and what isn't. Then we can move your steps to the finish.

Thank you! I have downloaded the checklist and followed the NAS section. I don't actually know if port forwarding is enabled on my NAS, but I've changed the default ports for DSM. I haven't found the IP auto-block function though; all the other points (except for HTTPS, for which I'm waiting for Google Domains to transfer the domain) are checked.

You can create a DDNS and use that (along with a LE cert) to make a VPN connection...

This is done by the NAS's "wizard"... Just follow the steps...
Thanks, I've seen that I can create the synology.me domain in the settings. Is this domain generally more secure than a normal one?
 

WST16

Giga Poster
NAS
DS216+II : DS118 : APC Back UPS ES 700 — Mac/iOS user
First of all, I think I've understand that I need a domain.
You can use the domain provided for free by Synology. It’ll be something like myds.synology.me and use Let’s encrypt with that. It’s working for me.
 

Telos

Thank you! I have downloaded the checklist and followed the NAS section. I don't actually know if port forwarding is enabled on my NAS, but I've changed the default ports for DSM. I haven't found the IP auto-block function though; all the other points (except for HTTPS, for which I'm waiting for Google Domains to transfer the domain) are checked.

Thanks, I've seen that I can create the synology.me domain in the settings. Is this domain generally more secure than a normal one?
I'm good with that. Like others here I use it myself. I also use no-ip, but I find their monthly (practically 3 weeks) verification (for a free account) annoying.
 

jeyare

There isn't a security difference between domain names.
You can use any domain name you like.
What is different:

1. your domain, e.g. www.yourdomain.com
- you need a fixed public IP connection from your ISP (Internet Service Provider)
- you need to purchase the domain
- you can use an LE certificate, which is free of charge, but for people with skills and more time for WTF actions :)
- or you can purchase a standard wildcard certificate for your keep-calm future (better for the unskilled)
- then you can use any sub-domain names based on your domain, e.g. home.yourdomain.com
- also the sub-domain name is not a security issue
Then you need to secure your environment behind the public IP, from the WAN (Internet) side.

2. shared domain, e.g. yoursubdomain.synology.me
- then you need to prepare (easy, with a few clicks) the DDNS setup in Synology DSM
@WST16 will help you :cool:
- it isn't possible to use a normal wildcard certificate, except LE

The certificate isn't a guarantee that when someone attacks you, you are in a safe place. To be sure. But the certificate will help you raise your security to the first level.

Next step is Firewall setup, then VPN
 

LolloCollo

Thanks! I think I'll wait for the domain transfer to be completed (in a few days), then I'll try to set everything up. I'll keep you informed :)
 

fredbert

Giga Poster
You can use dynamic IP with your own domain provided your DNS provider supports updating using an agent or API.

I use Namecheap but DSM doesn’t directly support this service and needs an alternative way to keep my IP up to date. I’m using OpenDNS’s dns-o-matic service to do this, but there are other ways plus a PC or Mac agent.

I used a new domain for my home connection and kept my existing domain for our mail and old http hosting service.
 

NSquirrel

Byte Poster
NAS
DS218+
My use of a DS218+ is very similar to yours, by the sounds of things. Also, I too am looking at extending my access to beyond my router (BT smart hub) and beyond QuickConnect, which I find incredibly slow when away from home.

For your firewall, DDNS, etc. settings, can I recommend a series of YouTube videos I went through a couple of weeks back, done by mydoodads. Although there are 34 of them, 32, 33 and 34 seem most applicable. Synoman kindly added them to the media section here. (The website mydoodads.com makes accessing each short episode easy. I actually went through all the videos as they explained many of my misunderstandings, especially about Synology permissions.)

I hope this is of use/interest to you.
 

LolloCollo

Ok, the domain has finally been transferred to Google Domains. So, I have created a new dynamic DNS (a subdomain) and used the page inside the NAS's control panel to configure the Google DDNS with the credentials provided. It now says "Normal", but when I access sub.domain.com I receive an "Unable to reach the website" error. The IP is listed normally inside the domain webpage. I think I still need to configure the certificate and/or the firewall.


My use of a DS218+ is very similar to yours, by the sounds of things. Also, I too am looking at extending my access to beyond my router (BT smart hub) and beyond QuickConnect, which I find incredibly slow when away from home.

For your firewall, DDNS, etc. settings, can I recommend a series of YouTube videos I went through a couple of weeks back, done by mydoodads. Although there are 34 of them, 32, 33 and 34 seem most applicable. Synoman kindly added them to the media section here. (The website mydoodads.com makes accessing each short episode easy. I actually went through all the videos as they explained many of my misunderstandings, especially about Synology permissions.)

I hope this is of use/interest to you.
Thanks, I'll take a look!
 

WST16

Try checking
Compare with your external IP address to make sure your domain name is propagated correctly.
 

LolloCollo

Thanks, actually when I checked a second time it was working, but it was directing me to the main page of the router instead of the NAS. I don't know why.

Anyway, in the meantime, I have tried to configure the firewall as follows:
- All ports, IP range: 192.168.1.0 - 192.168.1.255 | allow
- Drive Server, VideoStation, my country | allow
- All ports, all IPs | reject

Is this good? I have allowed Drive and Video Station from outside because I sometimes use them with QuickConnect.
 
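The three rules above are evaluated the way DSM's firewall does it: top to bottom, first match wins, with a separate setting for what happens when nothing matches. The script below is an added example (not Synology code, and it does not read a real DSM configuration) that simulates that evaluation on a few constructed source addresses so the effect of the ordering, and of the final "reject all" rule, is visible. The GeoIP table is made up from documentation address ranges, and the ports (Synology Drive Server on 6690, Video Station through DSM HTTPS on 5001) are assumptions; the poster changed the DSM ports, so substitute the real ones. As Telos notes in the next reply, QuickConnect does not need any of these inbound rules; they only matter once a port is forwarded from the router.

```python
"""Added example (not Synology code): first-match evaluation of the three DSM
firewall rules posted above. DSM evaluates rules top to bottom and stops at the
first match; what happens when no rule matches is a separate setting, assumed
here to be 'allow', which is why the explicit final reject rule matters."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed GeoIP table (DSM uses its own database). These are documentation
# ranges (TEST-NET-3 / TEST-NET-2), not real allocations.
GEOIP = {
    ipaddress.ip_network("203.0.113.0/24"): "HOME",    # stands in for "my country"
    ipaddress.ip_network("198.51.100.0/24"): "ABROAD",
}


def country_of(ip: ipaddress.IPv4Address) -> Optional[str]:
    """Country code for an address, or None if unknown (private ranges included)."""
    for net, cc in GEOIP.items():
        if ip in net:
            return cc
    return None


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "reject"
    ports: Optional[Set[int]] = None              # None = all ports
    src_net: Optional[ipaddress.IPv4Network] = None
    country: Optional[str] = None

    def matches(self, src: ipaddress.IPv4Address, port: int) -> bool:
        if self.ports is not None and port not in self.ports:
            return False
        if self.src_net is not None and src not in self.src_net:
            return False
        if self.country is not None and country_of(src) != self.country:
            return False
        return True


# Assumed ports: Drive Server 6690, Video Station via DSM HTTPS 5001.
RULES: List[Rule] = [
    Rule("LAN, all ports", "allow", src_net=ipaddress.ip_network("192.168.1.0/24")),
    Rule("Drive/Video Station, my country", "allow", ports={6690, 5001}, country="HOME"),
    Rule("everything else", "reject"),
]


def evaluate(rules: List[Rule], src_ip: str, port: int,
             default: str = "allow") -> Tuple[str, str]:
    """Return (action, rule name) for one packet; the first matching rule wins.
    `default` models DSM's 'if no rules are matched' setting."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.matches(src, port):
            return rule.action, rule.name
    return default, "no rule matched (default policy)"


if __name__ == "__main__":
    for src, port in [("192.168.1.50", 22), ("203.0.113.9", 6690),
                      ("203.0.113.9", 22), ("198.51.100.7", 6690)]:
        print(src, port, evaluate(RULES, src, port))
    # Same foreign packet without the final reject rule: falls through to the default.
    print("no reject rule:", evaluate(RULES[:2], "198.51.100.7", 22))
    # Reject rule moved to the top: the LAN is locked out too (order matters).
    print("reject first:", evaluate([RULES[2]] + RULES[:2], "192.168.1.50", 22))
```

Two things the run makes concrete: dropping the last rule leaves every unmatched port open to the world if the default policy is "allow", and putting the reject rule first silently blocks the LAN rule beneath it.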

Telos

Is this good? I have allowed Drive and Video Station from outside because I sometimes use them with QuickConnect.
You do not need to open any ports for QuickConnect access "from outside" the LAN.
 

WST16

it was directing me to the main page of the router instead of the NAS.
The last thing you want is to expose your router’s admin page to the internet. Usually this is enabled/disabled with the router‘s admin user. Try logging in and disabling that (unless you really need to reach the router over WAN, then you might at least change the port and the admin/password defaults).
 

LolloCollo

You do not need to open any ports for QuickConnect access "from outside" the LAN.
Oh, thanks. I have disabled that section then.

The last thing you want is to expose your router’s admin page to the internet. Usually this is enabled/disabled with the router‘s admin user. Try logging in and disabling that (unless you really need to reach the router over WAN, then you might at least change the port and the admin/password defaults).
I have looked a bit into the router settings and I found a "remote access" section, but it was already disabled. I was able to access the router page on the LAN, but not outside it (I tried with my mobile phone on 4G). I wasn't able to access the NAS though, even with https://domain:portnumber (both on the LAN and outside).
 

pxr5

Bit Poster
NAS
DS215J
I can't help as I am in exactly the same position. I used the free domain myds.synology.me and set up the LE cert. On the LAN, when I enter myds.synology.me:port number I get to my router log-on page. From the WAN I can't connect to anything, router or NAS.

I'd love to be able to sort this out.
 

WST16

I wasn't able to access to the NAS though
Do you want to use QuickConnect or DDNS? I’m assuming DDNS but I’m a bit confused by your answers. Correct me if I’m wrong.

If DDNS:
Are you sure you’ve forwarded (on the router) the correct port to your DS IP address?
DS IP address should be static (assigned on the DS manually) or DHCP reserved (to provide the same address every time).
 

Telos

I can't help as I am in exactly the same position. I used the free domain myds.synology.me and set up the LE cert. On the LAN, when I enter myds.synology.me:port number I get to my router log-on page. From the WAN I can't connect to anything, router or NAS.

I'd love to be able to sort this out.
If you changed the default https port on your NAS (for example, from 5001 to 25001), you need to forward that port in your router's port-forwarding settings, to the fixed IP you set for your NAS.

Then use the DDNS domain to access your NAS externally (a cell phone browser is a good place to start), for example
hxxps://myds.synology.me:25001

If this isn't working, confirm your NAS's fixed IP is set properly (access via browser using IP address via LAN). For example:

hxxps://192.168.1.11:25001

If that works, check your DDNS access from within your LAN. Again,

hxxps://myds.synology.me:25001

Describe what happened in these steps.
 
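The checks Telos lists (does the name resolve to the current public address, does the NAS answer on its LAN address and port, does the DDNS name reach it from outside) folded into a small script, as an added example that is not Synology's code and not from anyone in the thread. The DDNS name, port and LAN IP are placeholders passed on the command line; the `public_ip` field is left for the WAN address read off the router's status page, since the script does not call an external "what is my IP" service. `classify()` is pure logic over the observations and is what gets tested; the helpers do the real lookups. One check goes beyond the post and is my own heuristic: when a server answers on the DDNS name, a TLS handshake that verifies against the public CA store and the hostname means the NAS's Let's Encrypt certificate (issued for that name) was presented, whereas a router's self-signed admin page fails that check. That separates "the forward works" from the "I land on the router login page" symptom LolloCollo and pxr5 describe.

```python
"""Added example (not Synology code): diagnose why https://<ddns-name>:<port>
does not reach the NAS. classify() walks the checks in the order of the replies
above; the helpers perform the actual network probes. Placeholders only."""
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class Observation:
    ddns_ip: Optional[str]      # what the DDNS name resolves to, None if it does not resolve
    public_ip: Optional[str]    # current WAN address (from the router status page), None to skip
    lan_ok: bool                # TCP connect to <nas-lan-ip>:<port> succeeds
    wan_ok: bool                # TCP connect to <ddns-name>:<port> succeeds
    served_by_nas: bool         # TLS verifies for <ddns-name>: the NAS's LE cert answered


ADVICE = {
    "ddns-not-resolving": "DDNS name has no A record: check the DDNS entry in Control Panel > External Access.",
    "ddns-stale": "DDNS record does not match the current WAN address: the update agent is not running.",
    "nas-unreachable-on-lan": "NAS does not answer on its LAN address/port: check the fixed IP and the changed DSM port.",
    "no-port-forward": "Address is right but nothing answers: forward the port on the router to the NAS's fixed IP.",
    "router-answered-not-nas": "Something answered but not with the NAS's certificate: the forward points at the wrong "
                               "host/port, or the router's own admin page sits on that port (disable remote admin).",
    "ok": "Name, forward and certificate all line up.",
}


def classify(o: Observation) -> str:
    """Return the first failing step as a short code; see ADVICE for the fix."""
    if o.ddns_ip is None:
        return "ddns-not-resolving"
    if o.public_ip is not None and o.ddns_ip != o.public_ip:
        return "ddns-stale"
    if not o.lan_ok:
        return "nas-unreachable-on-lan"
    if not o.wan_ok:
        return "no-port-forward"
    if not o.served_by_nas:
        return "router-answered-not-nas"
    return "ok"


def resolve(name: str) -> Optional[str]:
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def tcp_open(host: str, port: int, timeout: float = 5.0) -> bool:
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_name_verifies(name: str, port: int, timeout: float = 5.0) -> bool:
    """True only if the peer's certificate chains to a trusted CA and carries `name`.
    A Let's Encrypt certificate issued for the DDNS name passes; a router's
    self-signed admin certificate does not (heuristic for 'the NAS answered')."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((name, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=name):
                return True
    except OSError:  # ssl.SSLError and CertificateError are subclasses of OSError
        return False


def main(argv) -> int:
    if len(argv) != 4:
        print("usage: ddns_check.py <ddns-name> <https-port> <nas-lan-ip>")
        return 2
    name, port, lan_ip = argv[1], int(argv[2]), argv[3]
    obs = Observation(
        ddns_ip=resolve(name),
        public_ip=None,  # paste the WAN address from the router here to enable the stale check
        lan_ok=tcp_open(lan_ip, port),
        wan_ok=tcp_open(name, port),
        served_by_nas=tls_name_verifies(name, port),
    )
    code = classify(obs)
    print(obs)
    print(code, "-", ADVICE[code])
    return 0 if code == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it twice: once from the LAN and once from outside (a phone hotspot, as Telos suggests). From the LAN the DDNS-name probes only succeed if the router supports NAT loopback, so a "no-port-forward" or "router-answered-not-nas" result from inside is not conclusive on its own; the run from outside is the one that tests the forward.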

WST16

I'd love to be able to sort this out.
Then why don’t we try to sort it out :)

How about if you start a new thread under "Remote access and network management" so we'll have a whole thread for you. Just briefly describe what you've done so far. Do not post any reference to your public IP address or domain name.
Lots of helpful and brilliant people here who know their stuff very well. I’ll try to do my best too :)
 
