Security, RP vs VPN (Tailscale?)

I am looking to lock down my security a bit more, and am reconsidering my setup. (For reference, it has taken me about 2 years to get things to where they are now working, and I think I understand the gist of most of what's going on, but I would like some help with the final setup.) By no means an expert, but I think I am half conversant in the basics now.

Current setup:
-My house has the 918+ as the primary NAS with 26 TB, and this is where I run WebDAV, Audiobookshelf, Jellyfin, DS Drive and Synology Photos (QuickConnect for the DS apps and a reverse proxy for JF and ABS)
-My new NAS is a DS223 that is the backup for the 918+ (not connected to the internet, but I run Home Assistant locally and Homebridge in dedicated Docker containers on this device)
-My old DS213j is at a family member's, and I back up to it every night for an off-site backup

I have a mix of things going on: specifically, I'm using a reverse proxy for myself only for WebDAV, family and I use QuickConnect for the Synology apps, and my father and I use the reverse proxy for JF and Audiobookshelf. I do have a firewall set up, but I feel like things have got very complex (this is actually the reason I moved Homebridge and Home Assistant to my DS223: since there was no firewall, I didn't need to worry about opening up ports for every little device I run through Home Assistant).

It seems like using Tailscale would be the safest (and easiest) option for security, and it would let me just turn off the firewall, but I'm not sure family would be OK with Tailscale (it's hard enough to get them to use things as they are). Also, I finally got my wife to use Synology Photos, and QuickConnect is just easier, so I'm not sure I will get rid of QuickConnect for her. Also, it is nice to be able to load up Jellyfin on a work PC, for example, with the reverse proxy and not have to worry about getting the IT admin to allow Tailscale (which they wouldn't do).

Questions:
1) How unsafe is it using WebDAV via reverse proxy vs. a VPN like Tailscale? I predominantly use this for the DEVONthink sync store only, and there is only 1 user (me) on my Mac, iPad and iPhone, so Tailscale would be fine for this use case. If it would be safer, since this is personal documents etc., I can switch this.
2) How much "safer" would Tailscale be over using QuickConnect for the Synology apps? (If significantly safer, I can install everything on my wife's phone, but I still feel like there could be issues with this process, as it's one more app to have to have running.)
3) Is there a way to use QuickConnect as the interface for my WebDAV, Jellyfin server, Audiobookshelf server, etc.? And if so, is it any safer than a reverse proxy? Safer than Tailscale?
4) Are there any resources for best practices for the firewall? (I have an admin account with 2FA with access to data; most of the users have limited access other than their own home folder in DS Drive and Synology Photos; I have made users for Jellyfin and for Audiobookshelf to limit access; I only allow traffic on 443 to the NAS, and after that the individual apps have their own allowances; and then I deny everything from out of the country as well as repeat attempts.)
5) Any issues, from a security standpoint, with my "backup" DS223 running Homebridge and Home Assistant without a direct internet connection (I did install Tailscale to allow me to access Home Assistant away from home)? Would it be better to move these 2 Docker containers back to my DS918+ and use either Tailscale or the reverse proxy there?

Sorry, loaded question! I appreciate any and all help. (And I understand that some of the above may be subjective, as well as convenience vs. security concerns, etc., but I would prefer opinions.)
 
Questions:
1) How unsafe is it using WebDAV via reverse proxy vs. a VPN like Tailscale? I predominantly use this for the DEVONthink sync store only, and there is only 1 user (me) on my Mac, iPad and iPhone, so Tailscale would be fine for this use case. If it would be safer, since this is personal documents etc., I can switch this.

I used to be in that situation: WebDAV on a reverse proxy. No problems ever, but a VPN is undoubtedly much safer in any case.

2) How much "safer" would Tailscale be over using QuickConnect for the Synology apps? (If significantly safer, I can install everything on my wife's phone, but I still feel like there could be issues with this process, as it's one more app to have to have running.)

Again, every VPN solution is way beyond QuickConnect in matters of security.
I have the OpenVPN app (and now the WireGuard app) running on all devices, with no impact on performance. It is not something you have to worry about.

3) Is there a way to use QuickConnect as the interface for my WebDAV, Jellyfin server, Audiobookshelf server, etc.? And if so, is it any safer than a reverse proxy? Safer than Tailscale?

No, I believe QuickConnect cannot be considered safer than a reverse proxy. Experts here can give more information, but I believe that if security is the first thing to consider, then it would be better to avoid adding Synology's servers in the middle and just rely on HTTPS port 443 of the reverse proxy.

More or less in the same situation myself, I ended up using a reverse proxy and a VPN.
I don't appreciate QuickConnect. Yes, it was easy and the first thing to do when I first bought a Synology, but it gave me a lot of speed troubles, and I had no way of finding out why! With the reverse proxy all was solved immediately. Furthermore, many sources argue that QuickConnect is not so safe. I don't know if that is the case or not, but I believe in the end that a reverse proxy is much safer, relying only on port 443 HTTPS, than having to deal with Synology's servers.
A VPN is the safest way to access your personal data remotely. I believe everyone agrees on that. So, sooner or later, if you really care about security, you have to set up a VPN.
Tailscale is a good choice; it depends on your approach whether you decide on a VPN or Tailscale.

So, in my case, I have only 2 ports open on my router: 443 and the VPN port.
I have to have a way for clients to check what I am preparing for them, so the reverse proxy and Web Station on port 443 are a necessity.
Everything else goes through OpenVPN: computers, mobile phones and tablets all have the OpenVPN client running all the time and so have access as if they were on the local network. Synology apps on the devices also use/sync via local IPs.
I discovered lately that my router (AVM Fritzbox 5530), after some firmware updates, now has a very solid and stable WireGuard setting, so I am in the process of changing to WireGuard on all devices. That way I can access everything in my network and I will leave only port 443 open on my NAS.

I had my firewall already set up before using the VPN extensively. I left it like this; I don't change services often anyway, and no issues so far. I just consider it one more step in security.
 
With regards to #1, I think I agree (and have already set up) Tailscale for my WebDAV, since it's only on my devices.

I have tried other VPNs (specifically OpenVPN on my home router, but I can't get it to split tunnel since I have a Netgear Orbi), so I just use this as a backup for home access; it's too slow to leave on at all times.

My router only has port 443 open at this time (as Tailscale doesn't require this to be open). I run my RP through this for Audiobookshelf and Jellyfin.

I can pretty easily set up the reverse proxy as well for DS Drive and Synology Photos (and I would most likely use DS File and the management UI through Tailscale), but I definitely would feel more comfortable locking down the firewall a bit. I had difficulties with Home Assistant on Docker seeing all my devices, so to get it to work, rather than adding each individual IP of every device in my house, I allowed all connections on my subnet in the firewall (my home IP with 255.255.255.0 etc.), and then the devices could be seen. This is the one I have the most questions about. I understand this basically says my house subnet won't get firewalled, but if a bad actor comes in through my RP and gets routed to the local IP address of, say, my Jellyfin client, which is then obviously on the same local network, have I essentially enabled access to all of my house? If this is the case, I think my options are #1 just use the VPN and no reverse proxy at all, or #2 run Home Assistant on a second NAS that isn't exposed to the internet.
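An added example (not from this thread or from Synology) that models the rule set described in this post in a small first-match evaluator, to show what the blanket "allow my whole subnet" rule exposes to any host on the LAN, why the out-of-country deny has to sit above the 443 allow, and what a narrowed LAN rule changes. It assumes 192.168.1.0/24 as the home subnet, a constructed two-range country lookup in place of real GeoIP data, and ports 443 (reverse proxy), 445 (SMB), 5001 (DSM) and 8123 (Home Assistant) as the services being checked.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed country lookup for the sample addresses below (not real GeoIP data);
# both are documentation prefixes standing in for "home country" and "abroad".
COUNTRY_OF_PREFIX = {ip_network("203.0.113.0/24"): "HOME",
                     ip_network("198.51.100.0/24"): "ABROAD"}

def country(addr: str) -> str:
    ip = ip_address(addr)
    return next((cc for net, cc in COUNTRY_OF_PREFIX.items() if ip in net), "UNKNOWN")

@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src: Optional[str] = None         # source CIDR, None = any address
    port: Optional[int] = None        # destination TCP port, None = any port
    countries: Tuple[str, ...] = ()   # source countries the rule applies to, () = any

    def matches(self, src_ip: str, dst_port: int) -> bool:
        if self.src is not None and ip_address(src_ip) not in ip_network(self.src):
            return False
        if self.port is not None and self.port != dst_port:
            return False
        return not self.countries or country(src_ip) in self.countries

def decide(rules, src_ip: str, dst_port: int, default: str = "deny") -> str:
    """Rules are checked top to bottom and the first match wins; unmatched traffic is denied."""
    return next((r.action for r in rules if r.matches(src_ip, dst_port)), default)

def reachable(rules, src_ip: str, ports=(443, 445, 5001, 8123)) -> Tuple[int, ...]:
    """Ports a source can reach: 443 reverse proxy, 445 SMB, 5001 DSM, 8123 Home Assistant."""
    return tuple(p for p in ports if decide(rules, src_ip, p) == "allow")

# Rule set as described in the post (home subnet assumed to be 192.168.1.0/24).
# The geo deny sits above the 443 allow: with first-match evaluation, an allow
# placed first would exempt port 443 from the country block entirely.
POST_RULES = [
    Rule("allow", src="192.168.1.0/24"),   # whole home subnet, every port
    Rule("deny", countries=("ABROAD",)),   # block sources outside the home country
    Rule("allow", port=443),               # reverse proxy for Jellyfin / Audiobookshelf
]

# Same rules with the 443 allow moved above the geo deny: the deny never fires for 443.
MISORDERED_RULES = [POST_RULES[0], POST_RULES[2], POST_RULES[1]]

# Tightened variant (an assumption, not from the post): the LAN rule is narrowed to
# the one port the subnet actually needs, so a LAN host that was compromised through
# a proxied service no longer reaches DSM (5001) or SMB (445) on the NAS.
TIGHT_RULES = [
    Rule("allow", src="192.168.1.0/24", port=8123),
    Rule("deny", countries=("ABROAD",)),
    Rule("allow", port=443),
]
```

Run `reachable(POST_RULES, "192.168.1.50")` against `reachable(TIGHT_RULES, "192.168.1.50")` to see the difference the narrowed LAN rule makes, and `reachable(MISORDERED_RULES, "198.51.100.10")` to see the ordering mistake.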
 
Again, every VPN solution is way beyond QuickConnect in matters of security.
Ehhh, not necessarily. QuickConnect uses multiple, random, irregular relays to set up the connections. If you couple that with end-to-end encryption, you've got a pretty decent setup for most cases. I wouldn't run .gov 🕶️ stuff on it, but neither would I use the public internet for hyper-sensitive stuff anyway. Then again, my pockets aren't deep enough to do all that sneak-and-peek stuff even if I wanted to. :)

Happy New Year everybody!
 
... while your traffic flows through Synology 😧
Which is a good thing, because Synology encrypts the traffic through their relay servers with SSL, so they don't have access to the stream any more than anyone else does.
 
Which is a good thing, because Synology encrypts the traffic through their relay servers with SSL, so they don't have access to the stream any more than anyone else does.
I think my problem is not with Synology (and honestly QuickConnect is convenient and works well). My problem is really more with my Audiobookshelf, Jellyfin, Home Assistant etc., where I screwed up the firewall and may be exposing more than I need to, which may set me up for an attack.

That being said, in 2022 I had multiple unwanted attacks from outside the country, and since blocking everything outside my country and limiting the firewall, I haven't had any logged, so maybe I have done something right.
 
Which is a good thing, because Synology encrypts the traffic through their relay servers with SSL, so they don't have access to the stream any more than anyone else does.
You misunderstand. Further, QC is significantly throttled. QC is a bad solution when data transfer requires privacy and/or throughput. We all live with the choices we make. Be very cautious.
 
Reviewing my only issues above (and even after messing with Tailscale), I find it's a very convenient solution for a quick VPN but is still unlikely to be usable for sharing things like Jellyfin practically (and in trying it I have run into some issues, such as it being slower, as well as remote devices not transcoding and trying to play natively since it thinks it's on the same LAN). I already have DDNS set up with an RP, so at this point I think this is the better option.

Questions:
1) Continue with QuickConnect for remote access to management, Synology Photos and DS Drive? If not, would using the RP and setting up photos.ddns.me etc. for Photos and Drive be a safer alternative? (I would assume for the management UI I would still want to consider Tailscale/VPN when away from home.)
2) Any good references for firewall setup? If I go all reverse proxy, I want to make sure I'm as safe as possible (currently only 443 is open on the router to my Synology), but I'm still not super confident my settings are as safe as they should be.
 
You misunderstand. Further, QC is significantly throttled. QC is a bad solution when data transfer requires privacy and/or throughput. We all live with the choices we make. Be very cautious.
If throttling is the issue, I don't believe that to be the case; but throughput certainly is an issue due to the relay-hopping — which is just as bad as, if not worse at times than, the run-of-the-mill throttling. Whether your data is relaying through multiple random servers (à la Apple), or simply making the last mile through your ISP's physical plant (which is arguably a very iffy place indeed), it will always come down to the scale of encryption you are willing to suffer. The more encryption, the slower the throughput and the higher the overhead. There is an argument to be made (and it is currently being made in numerous places on various levels) that the encrypted multi-relay environment is far more secure than a VPN; and of course the opposite is also being argued. As @Telos said, "We all live with the choices we make. Be very cautious."

Speed vs Security vs Cost … the best secrets are those kept to oneself, anything else is a compromise.
-- post merged: --

That being said, in 2022 I had multiple unwanted attacks from outside the country, and since blocking everything outside my country and limiting the firewall, I haven't had any logged,
Would you mind explaining in a bit of detail what you are describing as "…attacks from outside the country…"?
 
Would you mind explaining in a bit of detail what you are describing as "…attacks from outside the country…"?
Multiple attempts at logins to DSM from China etc.
 