Remote Access Advice for Webdav

NAS: DS213J, DS918+
Operating system: macOS
Mobile operating system: iOS

I am looking into more secure options for my NAS, and have several questions about what would be safest.

Use case: I have several members of the family who use the NAS, and QuickConnect works fine for multiple members (aka to access the Synology Drive and Synology Photos apps). I personally use WebDAV to sync DEVONthink and Zotero, so I need this set up externally, but it would only be me. I have started using a few apps like Kavita/Audiobookshelf that are convenient to access externally for multiple users, but ultimately just me would be OK if that is safest.

Options:
1) My Netgear Orbi has OpenVPN built in and this was very easy to set up, and I have it on my phone, iPad, and MacBook (I just hate having to turn it on to use it).
2) Install Tailscale (was very easy to set up; the only negative is only one username allowed, so I would have to share it with everyone who wants to use it externally). Ultimately I think this might just be for my personal use.
3) Reverse proxy (which as I understand requires external ports exposed).

Which of the 3 options would be the safest?
If VPN, is there any benefit to Tailscale on the Synology vs OpenVPN direct from my Netgear Orbi?
If VPN, what is the best way to use WebDAV (just turn on the VPN when wanting to connect and use the internal address)?
If using a reverse proxy, what is best practice for ports to open up (80 and 443, I believe, are standard for HTTP/HTTPS)?
 
If I understand what you're asking.

1) is the safest, but as you said, it's not convenient.
2) Never used it (for privacy reasons). I prefer 3 instead. Some members here use it and might be better informed.
3) is the most convenient.

I'm doing 3 with the firewall enabled to add an extra layer of security.

Try to move away from QuickConnect. The firewall can't filter on QC connections.
 
What are the security concerns with Tailscale (is it just the 3rd party component?)

Any suggestions on firewall guides to make sure I'm as zipped up as I can be.
 
For Tailscale, it's not a security concern for me, it's privacy. Read their privacy statement and make up your own mind.

You can find some guides on YouTube. Here's one:


Ok that makes sense with regards to privacy.

And thank you for the link. I'm still learning as I go and trying to make sure I don't make a huge security error that should be mitigated. I feel like sometimes I know enough to get in trouble, and some online tutorials focus on getting things to work and not security implications. For a relative newcomer to all this it helps to have more trusted resources, so much appreciated.
 
That's a very good thread. I also went through a few of the Wundertech videos; they are high quality! Had not known about them prior to today.

I made some changes:
- My DSM ports are now changed to non-standard port numbers
- Firewall updated with a few changes
- Only exposed router port is 443, with Let's Encrypt for the apps I have running with reverse proxy

A few final questions:
1) Any reason to not use QuickConnect as well for the Synology apps alongside reverse proxy for, say, Kavita/Calibre-Web/Audiobookshelf/WebDAV? (It really is so much easier to just give family the "QuickConnect ID" and then give them access to Synology Photos and Synology Drive. I'm not sure they would use VPN at all, and not sure they would get past putting in the xxx.synology.me that I could set up for each app.)
2) Benefits of using OpenVPN on my router vs my NAS? (I already have it set up on my Netgear Orbi for OpenVPN, and am thinking maybe I will keep that as a backup/in case I need emergency access to something in my network (aka my IP cameras etc.).)
3) For apps like Audiobookshelf that I have running through HTTPS with Let's Encrypt, is there any way to do 2-factor? (It seems that 2-factor works for QuickConnect/Synology apps but not through exposed ports like that.)

Thanks to the community for so much help.
 
And I ran into an issue (which I think is with my firewall).

When trying to update metadata for books in Audiobookshelf and Calibre, both now return no search results. When I turn off the firewall it works again. When I turn it on I get no results, so somewhere I am apparently blocking the outgoing search? I have the port of the Audiobookshelf and Calibre containers set up in the firewall as allowed to test, but still get the issue. Any idea of what I am blocking that may be causing the issue?
 
1.
I'm not using QuickConnect so I didn't really care much about it. I know that it establishes a connection to Synology servers (a relay). Whether you trust Synology or not is up to you. Personally, I like to eliminate the use of any cloud services or services like QC. I read that a lot of hackers target QuickConnect users with their scripts.

Another (major) concern is that the firewall will not filter QC connections.

On the other hand, all communications go over a relay so they are slower than a direct connection. For example, video streamed over QC might stutter but work fine when using a direct connection.

If you think that you want to keep it, then of course use strong passwords, 2FA and enable auto block and account protection. Default "admin" user should be disabled on the NAS regardless of what you choose.
These settings are also advisable for direct connections.

not sure they would get past putting in the xxx.synology.me that I could set up for each app
Most apps will save the entered settings after the initial connection. Depends on what you (they) are using.


2.
Yes. It's better to have it on the "perimeter". Use the router's VPN service rather than the NAS. If the router is capable of using WireGuard (faster and lighter), it should be your first choice, if not, OpenVPN. You'll need to add the IP range to the firewall.


3.
Not that I know of. I don't believe so.

Another good source for Synology tutorials on YouTube is spacerex.
-- post merged: --

Any idea of what I am blocking that may be causing the issue?
Most likely you didn't add (allow) the Docker subnet to the firewall (usually 172.17.0.0/16). Try that; if it's still not working, double check your Docker network setup to find out if it's using a different subnet.
 
Thank you, I had allowed the port of the docker container not the docker subnet that fixed it.

For OpenVPN, which ports need to be allowed? (When I connect, my OpenVPN gives me the public and private port I'm accessing, but I need to figure out the port my Netgear Orbi then routes this through to allow on the Synology firewall, if my thinking is correct?)

Also another question.....any benefit to changing external port for SSL on my router to something other than 443? I know my xxxxx.synology.me turns into xxxxx.synology.me:54321 (random non 443 port), which I can then port forward to my synology 443 and access this way. The IP external has to have that port, but with the reverse proxy does this add any protection as compared to just allowing the normal 443 SSL port?
Thanks
 
Have you looked at Headscale? Or is that too closely tied to Tailscale?
Thanks. All I know is that it's a Tailscale controller replacement that one can self-host. I'll try to read more about it.
-- post merged: --

Thank you, I had allowed the port of the docker container not the docker subnet that fixed it.

You should allow the whole bridge network subnet. If you create another container it'll use another address from the pool and it'll be blocked.

You already know what's the subnet but to make it clear:
ssh to your NAS (superuser) and run:

cd /volume1/docker
docker network inspect bridge

You'll see what I mean.

For OpenVPN which ports need allowed (when I connect my OpenVPN gives me the public and private port I'm accessing, but I need to figure out the port my netgear Orbi then routes this through to allow on synology firewall if my thinking is correct?)

You can assign any port to OpenVPN. Are you using port and IP address interchangeably here? I'm not sure I'm following.
There should be a pool of addresses the router uses to assign to clients when they connect over VPN, you should allow that range on the firewall. Unfortunately I know nothing about Orbi routers.

Also another question.....any benefit to changing external port for SSL on my router to something other than 443?

443 is the standard https port. If you change it to something else then you'll have to add the port. For example if you use 4443, then you'll need to add that when using https, like:
https://xyz.synology.me:4443

It's easier and cleaner to keep it on 443. Your reverse proxy should take care of mapping the connection to its intended service.
It might be useful to go through this resource by @NAS Newbie.
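The reply above says to allow the whole Docker bridge subnet rather than a single container's address, because the next container gets another address from the same pool. As an added illustration (not code from the thread, Synology or Docker), this Python parses a constructed `docker network inspect bridge` output, extracts the subnet, and evaluates a per-container allow rule against a subnet rule; the container names and addresses are constructed for the example.

```python
import ipaddress
import json

# Constructed sample of `docker network inspect bridge` output, trimmed to
# the fields that matter; the addresses are illustrative, not from the thread.
INSPECT_OUTPUT = """
[
  {
    "Name": "bridge",
    "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]},
    "Containers": {
      "abc123": {"Name": "audiobookshelf", "IPv4Address": "172.17.0.2/16"},
      "def456": {"Name": "calibre-web", "IPv4Address": "172.17.0.3/16"}
    }
  }
]
"""

def bridge_subnets(inspect_json):
    """Return every IPv4 subnet configured on the inspected network."""
    nets = []
    for network in json.loads(inspect_json):
        for cfg in network.get("IPAM", {}).get("Config", []):
            net = ipaddress.ip_network(cfg["Subnet"], strict=False)
            if net.version == 4:
                nets.append(net)
    return nets

def allowed(rules, src_ip):
    """Allow if the source matches any allow rule (CIDR or single host);
    anything else is implicitly denied, as with a closed firewall profile."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in rules)

# The mistake described in the thread: a rule for the one container that existed.
PER_CONTAINER_RULES = ["172.17.0.2"]
# The fix: allow the whole bridge pool that Docker hands addresses out of.
SUBNET_RULES = [str(n) for n in bridge_subnets(INSPECT_OUTPUT)]

def outcome(rules):
    """Which container sources pass? 'jellyfin' stands for a container
    started after the rule was written (hypothetical address)."""
    sources = [("audiobookshelf", "172.17.0.2"), ("calibre-web", "172.17.0.3"),
               ("jellyfin", "172.17.0.7")]
    return {name: allowed(rules, ip) for name, ip in sources}

if __name__ == "__main__":
    print("per-container rule:", outcome(PER_CONTAINER_RULES))
    print("subnet rule:", outcome(SUBNET_RULES))
```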
 
Yes, I set up the Docker part wrong; it's all good now.

With regards to OpenVPN, the Netgear Orbi has an auto setup that makes the config file and you download it to your device. Simple to set up, but it doesn't appear to give the control that setting up OpenVPN on the Synology would with settings (aka I can't find anything about which ports it uses and no options to even change this).

With regards to 443 it is gold standard for SSL which I understand. I guess I'm asking if I change to another port (4443 as example), is this "safe." Not that anything I do would be a target, but since it's not the typical port might that be less likely to avoid attacks? If so I'll keep it as a different port, if it doesn't provide any additional safety I'll leave as 443. I would still forward the 4443 port to my Reverse proxy. Just not sure if this is worth it or not.
 
With regards to OpenVPN the netgear Orbi has an auto set up that makes the config file and you download to your device.

Connect over VPN and check the connected device dynamic IP address (assigned by the router) on DSM (connected users on the widget, top right). It'll give you an idea of what to use.

In this case we just want to allow the IP range or the subnet to go through since we have enabled the firewall, we don't want to micro-filter on VPN connections. We'll treat it like your own LAN subnet.

With regards to 443 it is gold standard for SSL which I understand. I guess I'm asking if I change to another port (4443 as example), is this "safe." Not that anything I do would be a target, but since it's not the typical port might that be less likely to avoid attacks?

Keep 443, used with a reverse proxy and the firewall you should be fine.
 
Well thank you. I got the OpenVPN setup fine and left the RP at 443. Everything working fine (and I actually understand what I did....baby steps).

So I installed jellyfin and am now having issues again with my RP. I had this happen before (see thread from 2 months ago). It's like after jellyfin installed I can't resolve the host name any more. I'm not sure what to do at this point (all services are not accessible remotely, and will be intermittent). I appear to be able to resolve internally, but external will not work. I can see the DNS remotely, so I think there is a RP issue in synology.

If I change the name of my reverse proxy (aka webdav.xxxx.synology.me to say wd.xxxxx.synology.me) it works again.

From reading other posts it seems like running nginx instead of the Synology RP may solve this? Also any idea why things work fine unless I have Jellyfin going (this is the second time I've tried Jellyfin and then everything goes haywire)?

Edit: after more fiddling I made a change and got webstation to restart and things started working again.

I'm still not completely sure how to troubleshoot, obviously something is screwing up settings (and it seems like synology RP). I have no clue why jellyfin seems to be the reason it starts.

Actually kind of liking jellyfin probably good enough to get rid of Plex but not until I can resolve this issue.
 
By Jellyfin?!

Stop it and see. I don’t know Jellyfin so I’m not sure what’s going on. If everything works fine for a few days then you can uninstall it.
No, I thought the reverse proxy ran through Web Station. I just deleted Web Station and now my current RP (Audiobookshelf, WebDAV, and Kavita) still work.

Each time I've used Jellyfin my RP goes haywire. If Web Station uses 443, do you think it's worth another try of Jellyfin? (I really have no clue why everything doesn't work when I install it.)
 
Sorry, I’ve never tried Jellyfin (very happy with Emby so far). Best you can do is to find a good Jellyfin installation guide (specifically for Synology).

Web Station is mainly used to enable website hosting and it configures the web servers and other services that are website-hosting related (e.g. PHP).
-- post merged: --

Here’s a guide by Wundertech. Says nothing about Web Station.
 
SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.