Question Need some help to clarify some doubts (about security)

[pxr5]

Thank you both (Telos and WST16) for your replies. I'm sorry I should have started a new thread, but my problem seemed exactly the same as the OPs. Anyway, good news. I'd forgotten that I'd changed the default https port on my NAS, so I had to put a port forward into my router to the NAS and all works well now.

So thanks again, and apologies to the OP (hopefully your issue will be as simple as a port forward)

 

[LolloCollo]

Unfortunately I'm not having the same luck as pxr

I have setted up the port forwarding into the Router: the right port, TCP/UDP, to the right IP address.
Then, I have enabled the DDNS. The main address is still pointing me to the router admin page, while the address and the port is giving me the error "connection refused". I thought it was the firewall, so I have disabled it without luck (both inside and outside the lan).

I have also tried the EZ-Internet configuration, enabling only the DSM HTTPS (without the 80 port) but still the same result (It have enabled the UPnP port). The DDNS is correct (i have checked it with nslookup), and the router log is giving me a "Lan access from remote" event.

The NAS' fixed ip is setted properly.

Do you want to use QuickConnect or DDNS? I’m assuming DDNS but I’m a bit confused by your answers. Correct me if I’m wrong.

I'm sorry but yes, I'm trying to configure the DDNS right now. Quickconnect is working well.

 

[WST16]

Let’s check a few things. Keep the firewall turned off for now.

Try IP Location while on your LAN. This should return your public (external) IP address. Make sure no VPN service is enabled.

Now try the “what’s my DNS propagation” checker posted above. Almost all the DNS servers on the list should show your external address (shown in the previous step).

Double check the ports you’ve forwarded on your DS by going to:
Control panel > Network > DSM settings tab

On the router make sure that you’ve forwarded the correct port(s) shown in the previous step to your DiskStation IP address using the router’s forwarding rules, not port trigger rules.

When you try reaching your DS, you should add the port number to the URL (e.g. https://myds.synology.me:1234).

BTW, is the IP address assigned by your ISP (external IP address), static or dynamic?

 

[LolloCollo]

Thanks!

BTW, is the IP address assigned by your ISP (external IP address), static or dynamic?

Dynamic I think.

I have tried again, this time enabling both HTTP and HTTPS port on the router and it actually worked, when I connect to domain:port now it gives me an access to the NAS
I have used the Synology me domain instead of my own one to make it a bit easier. I'll try to configure it later, maybe.

Now for the last step, I want to block everyone who try to enter the domain without the OpenVPN connection. I have managed to have it configured, and without firewall I can connect to the VPN correctly, but when I enable the firewall I can't connect to it. The firewall is still configured in the same way as the post #13. With those settings, it seems to block everyone from accessing the domain (even from the LAN) and the VPN.

I have already enabled the port for openVPN in the router.

 

[WST16]

If it’s a dynamic address assignment, you’ll need to make sure the IP address on Synology’s DDNS service gets updated when it changes.

Go to Control panel > external access > DDNS tab
Add Synology as a service provider.
Test it by clicking “test connection”. It should show your current external IP address.

If the only port forwarded on the router is the OpenVPN port then everything else is blocked by default. However, enabling the firewall will allow for extra security and a granular control of the VPN port (like limiting it to a certain country).

According to post 13 above, you’ve forwarded other ports too. You’ll need to add an allow for the VPN port. But VPN is a bit tricky. Did you go through the OpenVPN configuration resource and compare your settings?
If you didn’t, please do and let us know if you need any help somewhere.

 

[LolloCollo]

Thank you, I have followed the guide and now I have the firewall configured this way:

• 192.168.1.0/Subnet - 255.255.255.0: every port, allow
• VPN, UDP, from my country: allow
• 192.168.10.0-192.168.10.10, every port: allow (should be the IPs of the clients connected to the VPN).
• Everything: reject

I haven't enabled the "Allow LAN access" from the VPN settings.

Now it seems I can connect to the DSM by using 192.168.10.1: port (I have tested it with Video Station while on 4G). The only thing I have noticed is openVPN who complain about a lack of certificate.

Is everything else ok? By using the VPN, can I still use the Windows network drive (the drive Z: ) while I'm outside my home?

 

[WST16]

192.168.10.0-192.168.10.10, every port: allow (should be the IPs of the clients connected to the VPN).

192.168.10.1 not .0
I’m sure it’s a typo, because you can’t have .0 (Just to highlight it for anyone interested in this thread). However, if you’re not allowing access to the LAN, you don’t need this rule in the firewall.

The only thing I have noticed is openVPN who complain about a lack of certificate.

On my iPad and iPhone, the OpenVPN client doesn’t complain and I’m not using any certificates. Check the settings on your client to see if there’s an option to shut it up. If you’re feeling adventurous, try installing certificates

Is everything else ok? By using the VPN, can I still use the Windows network drive (the drive Z: ) while I'm outside my home?

Sorry, I don’t know much about Windows. That’s why I have a warning next to my username– a Mac/iOS user
However, if it connects while you’re on your LAN, it should connect while on the VPN. Just mind the VPN’s dynamic IP addresses. I’m guessing, if you enable “Allow LAN access”, it’ll work without any changes because it’ll use your DS’ LAN IP address (as highlighted by the referenced resource under “important” at the very end). It’s like if the traffic goes out of the DS and comes back through the LAN’s subnet.

BTW, I use http (not https) when connecting over OpenVPN for things like Video Station or if I’m on a slow WAN link. Since traffic is already encrypted with the VPN connection removing the extra encryption layer of https gives it a speed boost (should make a difference).

 

[Telos]

The only thing I have noticed is openVPN who complain about a lack of certificate.

If you are using Android, just choose "Continue" when screen mentioning "Certificate" appears after sign-in.