Safest way to securely access nas remotely?

I don't use syno quick connect, I'm sure many do.... Honestly, I read too many issues from other vendors about setting up and using vendor access methods.

What's the safest way to securely access your NAS remotely, should that ever be needed?
 
Install the VPN Server package.

Open it and, on Privilege, grant the OpenVPN right to the user who will use it.
Then go to OpenVPN and do the following:
[Screenshot: Schermata 2022-04-17 alle 22.54.04.png]

Replace the port with a number known only to you, for example: 54728
Apply, then click on Export Configuration.

In the exported zip file, read the README.txt file to learn how to install the VPN client on the remote PC.
Open the VPNConfig.ovpn file with a text editor, and change the following:

1) add
remote-cert-tls server
after
tls-client

2) add
data-ciphers AES-256-CBC
after
cipher AES-256-CBC

3) add
auth-nocache
after
auth SHA512

4) remove
comp-lzo

5) replace
auth-user-pass
with
auth-user-pass info.txt

6) create a file info.txt with your username on the first line and your password on the second line, and place it in the same path as your .ovpn file

7) replace
remote YOUR_SERVER_IP 50000
with your DDNS name server.

You can create a free DDNS on account.synology.com, and configure it on your NAS.

8) finally, forward the port (50000) on your router, using the UDP protocol.

EDIT: I added point 4)
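Added example, not part of the original post and not Synology's or OpenVPN's own tooling: a small Python check that reports which of the numbered config edits above an exported .ovpn profile still lacks, with a comment on what each directive affects. The sample profile text and the function names are constructed for illustration, and the permission check on the credentials file is an assumption added here, not a step from the post.

```python
import os

# Constructed sample shaped like an exported client profile (not a real export).
SAMPLE_DEFAULT = """\
tls-client
remote YOUR_SERVER_IP 50000
#redirect-gateway def1
comp-lzo
cipher AES-256-CBC
auth SHA512
auth-user-pass
<ca>
(constructed placeholder, certificate omitted)
</ca>
"""

def directives(text):
    """Map directive name -> argument strings, skipping comments and inline blocks."""
    found, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                                   # inside <ca>...</ca> and similar
            inline = None if line == f"</{inline}>" else inline
        elif line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
        elif line and line[0] not in "#;":
            name, *rest = line.split(None, 1)
            found.setdefault(name, []).append(" ".join(rest))
    return found

def audit(text):
    """Return the numbers of the post's config steps the profile does not yet reflect."""
    d, todo = directives(text), []
    if "server" not in d.get("remote-cert-tls", []):
        todo.append(1)  # client would not insist on a certificate issued for server use
    if "data-ciphers" not in d:
        todo.append(2)  # OpenVPN 2.5+ negotiates from data-ciphers, warns on bare cipher
    if "auth-nocache" not in d:
        todo.append(3)  # username/password would stay cached in client memory
    if "comp-lzo" in d:
        todo.append(4)  # deprecated compression option still enabled
    if not any(d.get("auth-user-pass", [])):
        todo.append(5)  # no credentials file referenced
    if any("YOUR_SERVER_IP" in r for r in d.get("remote", [])):
        todo.append(7)  # placeholder not yet replaced with the DDNS name
    return todo

def creds_file_exposed(path):
    """Assumed extra check: True if info.txt (step 6) is accessible to group or others."""
    return bool(os.stat(path).st_mode & 0o077)
```

The permission check relies on POSIX mode bits; on Windows the file's ACL has to be inspected instead.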
 
I never had to do these steps. Can you explain what each of these are doing, vs leaving the config as default and only putting in your DDNS name? Thanks
 
I've seen that it depends on the client version.
On Windows, it was also working with the default settings. But in the log there were warnings, and I fixed all the warnings with these changes.
 
I'd suggest a reverse SSH tunnel; at least that's what I've always used, and my company does too. I posted a link on how to set that up, but apparently because I'm a new member, my post got removed.
 
It would be because links and very short first posts can be suspicious.

The reverse SSH method still requires the external SSH server to listen on a TCP port that is permitted outbound from the NAS's perimeter firewall. In my experience, outbound SSH connections in business environments (TCP 22 or, if application-aware FW, otherwise) would be limited to corporate users with specific needs in order to do their jobs. For businesses using non-application-aware FWs, it may be possible to run the external SSH server on one of the handful of ports that are usually open for outbound requests (e.g. TCP 80, 443, 8080 or some HTTP alternative; 21 may still be open, 53 unlikely). You should still be locating the external SSH server in a protected environment, and now it has an exposed SSH server rather than the NAS.
 
