Setting up a remote access cloud for various family members - easiest way for a novice ?

Hi there. My last Synology NAS purchase was years ago and I now have a new DS1019+ on order. Hoping everything arrives in a week or so and I can start set up.

One of the things I want to achieve is to assign 4 family members with a 1TB folder each that they can read/write access remotely (from overseas). I also want to grant read only access to certain other folders (eg family home videos). My kids are pretty good, but kids are kids and if they leave their laptops open I don't want my entire NAS compromised.

I have searched a few YouTubes but don't know how best to achieve this. I like the idea of QuickConnect as it doesn't involve opening any ports in the firewall, but I don't think it has this functionality. It would be good if files are accessible on PCs, Macs and iOS.

Please can you suggest the easiest way to achieve what I am looking for.

Many thanks in advance. Sorry if this is a super basic question.
 
Synology Drive is a Dropbox style solution for giving access to user home folders plus shared 'team' folders. With Team folders each user has read/write access that's dictated by the privileges that have already been granted to the underlying Shared Folder: if they can only read using File Station then they can only read using Drive.

The Windows desktop Drive app is able to selectively sync down local copies of files from the NAS while being able to see all the folder items, but the Mac app doesn't [yet/will it??] do this so it's all items for the selected sync'ed folders. The mobile apps make local copies if you select them, and the iOS Drive app integrates into iOS Files which is nice.

QuickConnect is available on all Synology NAS so you can use that instead of opening firewall ports.
 
Another "easy" way is running a VPN server on your router;
no port forwarding is needed in this case.

I have a Sophos XG firewall router running on a mini PC.

Setting up the VPN server was as easy as the following:
- making the VPN user(s)
- adding the firewall rule allowing incoming VPN traffic (from drop down menus - no CLI needed)
- downloading OpenVPN apps for mobiles
- downloading the configuration file from the router to the mobiles, PCs etc.

It has built-in dynDNS so there was no need to register for such a service.

After that I could reach my NAS from everywhere, like being inside my LAN.

It is very secure, extra rules can be applied like restricting traffic from specific IPs,
and
there is built-in 2FA if one desires to use it for extra security.

I am a novice and it was my first attempt to reach my LAN from outside;
it was set up in 15 min.
 
Thanks so much Fredbert - I have been viewing more YouTube on QuickConnect and I think this will probably do what I need.

For Media files, I think the read-only solution is Plex and this looks like an easy setup. If I go Premium, I can get multiple users but I'm not even sure this is necessary as we all may be able to share the same account - I will work this out with trial and error. I like the premium feature of being able to download a local media copy on an iDevice as I fly a lot.

So all I really need is remote (overseas) read-write access to one folder each for 3 people and admin access for me - I think QuickConnect does this. Do I need to use Synology Drive also? Compatibility with Windows and Mac is more important than iOS for this, and I think on one YouTube vid it said the Beta version of DS Drive now works well with Macs.

For my existing old Synology NAS I don't need to do anything special as Windows 10 (and my Amazon Firesticks) just find it locally and I don't even need to Map the drives with DA Assistant (which was necessary back in the days of Windows 7 I think), but I have never tried remote access.
 
I think a bit on connectivity terminology and has nothing to do with file access and sharing :)

Remote access, for many in IT, is used to refer to remote users (roaming on the Internet or other non-home/office location) gaining access to the home/office LAN as if they were on the LAN. Typically this is achieved by running a VPN server within the LAN and users use VPN client to login and create a secure tunnel. The VPN client will be either built into the device OS (most support L2TP/IPsec VPN) or an add-on app (e.g. OpenVPN). You'd open firewall ports to allow direct incoming VPN requests to the VPN server.

QuickConnect (QC) is a mechanism provided by Synology that aims to make it easier to access the NAS from wherever you are and however you've configured your Internet firewall. QC will determine the best connectivity method and handover to that:
  1. Test confirms client is on NAS's LAN: direct connection between client and NAS
  2. Test confirms client is on the Internet but DNS resolves to home/office (or direct IP) and firewall port forwarding is set up to the NAS for this service: client will directly connect to the NAS
  3. Tests confirm that no direct access is possible but NAS has QC Relay enabled:
    1. NAS creates outbound connection to QC Relay.
    2. QC replies to client to send traffic to QC name address (selected by you in the NAS).
    3. QC Relay acts as a proxy to pass packets:
      • Client -> QC Relay -> NAS
      • NAS -> QC Relay -> Client
To use QC: instead of entering a direct DDNS/DNS/IP name in the web browser or mobile app what you enter is the QC URL or QC name (depends what app you are using as to whether just the QC name will work) plus port number (sometimes).

But in the traditional sense QC is not Remote Access it's just access to NAS services and anyone on the Internet will have at least the ability to get to the NAS service's login page, provided they know your QC name, so use strong passwords. Whereas Remote Access is an additional layer of protection that the user authenticates to and that then allows access to LAN services.

==============

So the question is: Do you want Remote Access or normal access (whether gained by direct connection or QC Relay)?

To enable Remote Access you use DSM's VPN Server package to setup OpenVPN and/or L2TP/IPsec VPN servers (PPTP VPN is considered too weak so don't use it). You will then configure your Internet firewall (and DSM firewall) to permit inbound connections for the various ports needed and send them to the NAS. Within DSM you can setup and maintain a dynamic DNS (DDNS) that will track your Internet IP that your ISP gives you.

Similarly, to enable direct access to whichever DSM services you enable you would do the same to configure your Internet and DSM firewalls and setup a DDNS.

If you don't want to do direct access then QC Relay will be the option. Set this up in DSM too. Be aware that while the client and NAS will make secure HTTPS connections to the QC Relay there is no guarantee that traffic across the relay is secure or, at least, not accessed by anyone ... other than Synology's word. QC Relay is in effect a man-in-the-middle: I don't see where they've said that the technology tunnels actual data through a second SSL wrapper so that the outer wrapper is used to manage routing between client, relay, and NAS.

==========

Once you've established the connectivity methods you want to use you can then decide what file and media services you want to use: File Station, Drive, Audio Station, Video Station, Moments, Photo Station, (DSM 7's, when it's released Photos), Plex, SFTP, WebDAV.

Plex Pass gives you access to managing multiple users, but take a look at the Synology Audio/Video/Photo Stations and Moments which all have user management built-in. Specifically look at Audio Station as this (for me) offers better external speaker connectivity than Plex. You don't have to make a decision now as you can run all these packages at the same time and with the same media files (personal media in home folders can't be shared with Plex). You can then decide what's best for you.
 
Wow thanks Fredbert - great info and this makes it really clear for me as a novice. In the interests of keeping things simple, I am leaning towards QC with ultra-strong passwords. The worry I have with my university age kids is that they won't be 100% responsible, but if I only give them access via QC to their own folder then they can't do too much damage. TBH, they have their own clouds and keeping their passwords safe with these and so they should be fine. For QC are there nice applications for Windows and Mac or is it just a web interface?

For Plex, I have to admit I like the way it populates with the movie and tv show info and graphics. Do the alternative DS apps do the same?
 
In my experience of having kids at university: don't be surprised if they completely ignore whatever you setup and go straight to the cloud services that they get bundled within student packages/discounts and then get hooked.

There have been a few times mine used NAS services, as far as I can tell it's been single digit times. The only service I pay for that they do use is the 1Password family account, because personal vaults are private to the individual and the admin (me) can only initiate a password reset for them.

I created NAS URL bookmarks items in a 1Password vault that was shared between me (and the CFO downstairs) and one kid. Then repeated for the other kid. Good luck!

The Synology mobile apps work fine. For desktop then there are apps for Drive, Notes, and some photo uploader (I don't use so don't really know), and the rest are browser based. On Mac you can use Fluid to create standalone apps from web pages.

For tagging:
  • I'm taking my audio files from iTunes (non-DRM) and they have embedded tags and artwork: Audio Station reads and uses this.
  • Video Station doesn't use the embedded tags but gets it from TVDB and TMDB, and you can manually edit and lock the tags (exporting tags to disk, .vsmeta, will allow resync/retagging to use your hard work).
  • Plex is more flexible and can use more tag sources. It also allows editing of multiple items at the same time. Though it has foibles too I find Plex to be easier to manage tags than VS.
I've trained the family to use VS on Apple TV as a first migration from 'Computers' and navigating local Macs. The newer Plex is still on the 'huh, what is it? what does it do that VS does not?' spectrum.

I find VS currently selects the first audio track in a movie, which is annoying when I've an AC3 5.1 track. VS also enables local/embedded subtitle tracks for each first play of the logged in account ... argh!!! ... fixed by setting subtitle text to 100% transparent.

QC doesn't support Plex.
 
OK I didn't think QC supported Plex but I assumed I could run both and they would peacefully co-exist - is this the case?
 
Yes, QC augments any direct access you setup, and even will use it, but for Synology packages that support it. For everything else you must open Internet firewall ports and forward them to the NAS: Synology include their own DDNS service in DSM or you can use one of your choosing.

Of course you may not want to expose all services to the Internet: just select what QC can access and only open and forward ports for these services, the rest can be left as LAN-only.
 
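Added example (not part of the thread, and not Synology's code): a check for the advice above to forward only the services you mean to expose, leaving the rest LAN-only. Run it from outside the LAN (for instance over a phone hotspot); the hostname `nas.example.net` and the function names are hypothetical, and the ports are the stock defaults for these services, which a given NAS may have changed.

```python
import socket

# Stock default TCP ports for services named in this thread (assumption:
# defaults unchanged). VPN servers (OpenVPN, L2TP/IPsec) listen on UDP by
# default and cannot be verified with a TCP connect, so they are left out.
KNOWN_TCP = {
    22: "SSH/SFTP",
    5000: "DSM web UI (HTTP)",
    5001: "DSM web UI (HTTPS)",
    5005: "WebDAV (HTTP)",
    5006: "WebDAV (HTTPS)",
    6690: "Synology Drive sync",
    32400: "Plex Media Server",
}

def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name not resolved
        return False

def audit_exposure(host, intended, ports=KNOWN_TCP, timeout=2.0):
    """Compare what is reachable with what you meant to forward."""
    intended = set(intended)
    reachable = {p for p in ports if tcp_open(host, p, timeout)}
    return {
        "unexpected": sorted(reachable - intended),  # exposed, not planned
        "missing": sorted(intended - reachable),     # planned, not reachable
        "ok": sorted(reachable & intended),
    }

if __name__ == "__main__":
    # Hypothetical DDNS name; in this plan only Plex is forwarded and
    # everything else is meant to be reached via QuickConnect or VPN.
    result = audit_exposure("nas.example.net", intended=[32400])
    for port in result["unexpected"]:
        print(f"UNEXPECTED: tcp/{port} ({KNOWN_TCP[port]}) is reachable")
    for port in result["missing"]:
        print(f"not reachable: tcp/{port} (intended to be forwarded)")
    if not result["unexpected"]:
        print("no unplanned TCP services reachable from this vantage point")
```

Running it from inside the LAN tests the router's loopback behaviour rather than real Internet exposure, so the vantage point matters.
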
@ fredbert

Thank you for the detailed explanation of QC,
the best explanation I ever have seen.

Given the restrictions of QC that you already mentioned and other security reasons,
I have the impression that VPN is the most secure way to remote access.

In case of VPN, I think it is the most secure and easy way, to setup a VPN server on the router.
Easier because no port forwarding is required and depending on the router it may be almost plug and play.
More secure, because in the case of a mistake or a vulnerability that compromises the VPN, there is another layer of security, the NAS
 
Here's the official description Synology_QuickConnect_White_Paper.pdf

I need to read it again ...
Relay Tunnel
With SSL enabled, data transmission over the network virtual tunnel is secured with end-to-end encryption. Therefore, QuickConnect guarantees confidentiality and integrity of data transmission between the Synology NAS and client devices.
Though I don't see how this happens and there isn't enough detail to explicitly say that traversing the relay and portal servers doesn't have data decryption.

If you can control the full communication path then that would be more reassuring: so yes, using your own VPN service would be better and what I do. Though I do have some services accessible without VPN.

In case of VPN, I think it is the most secure and easy way, to setup a VPN server on the router.
We had a thread about this last year VPN server: on DSM or SRM?

My thought being to keep network services separate from content services.
 
OK where I'm at with this, for family use across different countries:

(i) Movies, TV, and home vids READ ONLY via PLEX. I'm a big-time Amazon firestick user (which has a nice Plex app) and so I can buy each overseas family member one of these as a gift.

(ii) QC to grant access to an individual folder for each family member. Where I am still a little confused is with the applications to use for Mac and Windows, as I would prefer something that looks like a desktop folder (similar to dropbox) rather than needing to resort to a web portal. For iOS it looks like DS Cloud could do the job of granting access to a specific folder for each family member.
 
OK having researched a little further I think it's Synology Drive that I need for both Mac and Windows to work with QC. I think if I only grant a user access to a particular single folder then that is all they will see. If this works how I think it does then QC should align nicely with my own requirements.
 
This is one reason why QuickConnect should not be used for "mission-critical" connections (it is down worldwide at this time). As well it is bandwidth constrained, relative to DDNS/VPN. Otherwise, fine for casual use.
 
