SSL on Private LAN + VPN access

NAS: DS1621+ | Operating system: Windows | Mobile operating system: iOS
Hi all, the problem/topic in question is driving me crazy. I’ve looked all over the internet and although I found lots of tutorials none has worked. You are my last hope.

My case:

- external IP is static
- NAS is accessed only in private LAN, plus remotely using VPN (no QuickConnect, port forwarding etc)
- Asus router AX88U

What I need:

- SSL certificate for Dsm and all services (containers in docker). It’s not just a thing that is annoying (browser warnings), but also some containers (like Vault/Bitwarden) won’t work without it
- a domain name (with an SSL certificate) should point to the NAS/services/containers for both local LAN users and those connecting through VPN

What I don’t want:

- open up a port on the router to the internet
- since I own a domain already (website hosted on a shared server), I don’t want to create a subdomain and then have it point to the local network
- Cloudflare account and stuff related to that process (if possible)

What I did:

- I created a subdomain. nas.example.com
- the cpanel used AutoSSL and generated the certificate for that subdomain
- I exported the certificate and added it to Synology (Security > Certificate). I didn’t put that certificate as default, I left the synology one as default
- under Network > General I turned on the option “Manually configure DNS server” and added 8.8.8.8 as primary and 8.8.4.4 as secondary. So far so good
- then I installed Pi-hole
- I changed the router’s DNS server to be the IP LAN address (static) of the NAS
- in pi-hole I added a DNS record that points my nas.example.com subdomain to the IP LAN address of the NAS.
- when I write nas.example.com in the browser it resolves to 192.168.x.x, so it seems that pi-hole is working, but no SSL. It still gives the warning that there is no SSL certificate

I’m sure I’m missing some critical steps here. I’m not an experienced man. Please help.
In addition, if this gets fixed, will I be able then to access every service on the NAS with the SSL just by typing nas.example.com:7777 (example port for sonarr), or will I have to create multiple subdomains and add DNS records in pi-hole for every service/container in docker?

Thanks in advance!
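An added check, not from this thread, for the symptom described above (the name resolves to the LAN address but the browser still warns): the warning means the hostname you typed is not among the names on the certificate the NAS actually served on that port. The script below extracts the DNS names from a served certificate (fetched with openssl s_client using SNI) and compares them with the hostname, wildcards included. The hostnames, ports and sample SAN text in it are assumptions. A "mismatch" against a DSM port points at the certificate DSM is serving for that name (for example when a different certificate is still the default) rather than at DNS.

```shell
#!/bin/sh
# Added example (not from the thread): does the certificate a host serves
# cover the name you browse to? Hostnames/ports here are assumptions.

# Extract the DNS names from the text of
# `openssl x509 -noout -ext subjectAltName`, one name per line.
san_names() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# Return 0 if hostname $2 is covered by the SAN text $1.
# A wildcard entry (*.example.com) covers exactly one label to its left.
name_matches() {
  san="$1"; host="$2"
  parent="${host#*.}"
  for n in $(san_names "$san"); do
    [ "$n" = "$host" ] && return 0
    case "$n" in
      '*.'*) [ "${n#\*.}" = "$parent" ] && [ "$parent" != "$host" ] && return 0 ;;
    esac
  done
  return 1
}

# Live check: fetch the leaf certificate from host:port with SNI set to the
# hostname, then report "match" or "mismatch". Needs openssl and network
# access, so it only runs when NAS_CERT_HOST is set (see below).
served_cert_check() {
  host="$1"; port="${2:-5001}"
  san=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null)
  if name_matches "$san" "$host"; then echo match; else echo mismatch; fi
}

# Usage: NAS_CERT_HOST=nas.example.com NAS_CERT_PORT=5001 sh certcheck.sh
if [ -n "${NAS_CERT_HOST:-}" ]; then
  served_cert_check "$NAS_CERT_HOST" "${NAS_CERT_PORT:-5001}"
fi
```

Run it once against the DSM port and once against each container port you intend to reach by name; a port answering "mismatch" is serving a certificate that does not carry that name, which is exactly what the browser warning reports.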
 
UPDATE: I followed this tutorial: Synology DSM 7 with Lets Encrypt and DNS Challenge

Everything worked. The only difference is that I registered on Cloudflare, not GoDaddy like the guy in the tutorial.

What is the next step? What do I have to do on Cloudflare? I tried adding an A record that pointed to my static WAN IP but it didn’t work (putting the domain in the address bar resulted in an error that the site cannot be reached).

What am I missing? Should I use nginx on my Synology? Please someone help.
 
Well, you stated you don’t want to open ports. Having a public cert and a domain hosted on CF, how do you plan on getting from the outside to your local NAS without passing over the router on an exposed port?

Maybe I’m missing something, but isn’t that done by using the DNS challenge method instead of the HTTP? The tutorial that I linked in my previous post does that.
 
DNS challenge does not require you to have open ports for cert generation, that's why it's a better option than doing the challenge on your end via 80/443 ports. But your previous question was what's the next step. Adding a record resulted in the site cannot be reached. So I'm guessing you are trying to get to some of your internal sites from the outside? If so, then you will have to have open ports, that was my previous comment.
 

No, everything stays within the private network. I either access by being on site, connected to the NAS physically or by using a VPN. I’ll never have to reach it externally.

I believe I did everything fine by following that tutorial. I got the Let’s Encrypt on the domain (registered at Cloudflare) and imported the certificate into Synology, all by using the acme script.

What came after that wasn’t covered in the tutorial, and so by searching the net further I think I understand what I did wrong:

1. I tried to reach the NAS by simply writing domain.com, instead of using a subdomain (nas.domain.com) with an A record that points to my WAN external IP (like I said, I have a static IP, so no need for DDNS). A record is used for static IPs, while CNAME for dynamic, correct?
2. second mistake, which is why it didn’t work for me, was that I didn’t use any reverse proxy to tell my private network that nas.domain.com corresponds to https://NAS-LOCAL-IP:NAS-PORT. Is it enough to use the built-in reverse proxy or should I use the nginx docker container? Also, I saw a tutorial where the guy obtained the Let’s Encrypt certificate by adding a subdomain (from Cloudflare) to the nginx container. Nginx obtained it. He didn’t use the acme script and, which confused me, he didn’t import the certificate later into the Synology DSM, but rather just managed it on nginx. He didn’t explicitly say that nginx didn’t import the certificate into DSM, but I think that must be the case. Is this a correct way of doing it? I guess it’s ok if the certificate isn’t going to be used as a default one, for Synology services like Drive, Notes etc. Right?
3. third mistake was, because I thought I had messed something up badly and went crazy at the time, to delete the Let’s Encrypt certificate from the Synology DSM. I wanted to delete the certificate on the domain too, in order to start over from scratch, but then I saw that’s not possible on Cloudflare. I can only disable the certificate, can’t delete it, correct? I can’t find the option to do it.

The guy who did the nginx tutorial is here: [embedded third-party content not shown]. Is this a good tutorial for my case? It seems so. I’m just not sure whether it is a good idea to hold the certificate on nginx and not have it in DSM (also, I have no clue how to get it into DSM if I obtain it via nginx).
 
So you actually did a lot (that you didn't originally state), so I assumed (wrongly) that you were just getting the idea of how it all works, and not that you had already tried and failed on multiple fronts because of the reasons stated.

A record is used for static IPs, while CNAME for dynamic, correct?
As a simple explanation, yes, that's correct

Is it enough to use the built in reverse proxy or should I use nginx docker container?
Depends on your reverse proxy needs

Is this a correct way of doing it?
There is no reason to import it into DSM certificate store if you will not use the built-in reverse proxy. That was the reason he didn't import it, and that's fine

I guess it’s ok if the certificate isn’t going to be used as a default one, for Synology services like Drive, Notes etc. Right?
If the internal reverse will not be used, then there is no reason to import it. You can still use the built-in apps while running them over an external reverse proxy

I can only disable the certificate, can’t delete it, correct?
Depends on the case. In some DSM versions, you will need to have a minimum of one cert in the "store". So that might be the case here, but with no info on it, it's just my guess atm.

I’m just not sure whether it is a good idea to hold the certificate on nginx and not have it in DSM (also, I have no clue how to get it into DSM if I obtain it via nginx)
Again, if you are not running and using the internal reverse, then you don't have to import any certs into it.
 
Thanks for the answers! I’m gradually pushing away these clouds of confusion :)

Number 3. Question/problem was actually about me not being able to delete the certificate from the domain on Cloudflare. Like I mentioned, I went crazy and deleted it on Synology, and then I wanted to remove it from the domain on Cloudflare but seems like that is not possible. I can’t find an option inside the Cloudflare dashboard. Any tips? Should I even delete it? Since you shed some new light on the whole thing, it seems like I don’t have to have the cert in DSM (I’m going to use nginx). Will I be able to “pull” it on nginx if it’s already installed on the domain (on Cloudflare)?
 
Well in that case, if you will proxy at the cf level it will push out and use its own cert so you will not need it on your local reverse at all.
 
Thanks for all the answers so far!

Do I have to set a DNS server on Synology for all this to work properly? I have an Asus AX88U router and I’m not sure it has NAT loopback enabled (I read somewhere that could cause problems). In the admin dashboard of the router I can only choose the type of NAT to be symmetric or full-cone. Any suggestions?
 
If you try and access your services using the FQDN (public) name, and it doesn't work then loopback is either not active or not supported.

In that case, you will need to configure an internal DNS yes in order to access your services using a domain name instead of an IP address.

Search the forum for @fredbert posts on setting it up, and see if that will work for you.
 
Sorry for bothering you, but you are quite fast with replies. I sent a private message to fredbert since I couldn’t find his thread/posts about the internal DNS.

Maybe you’ll have some ideas about where I should look next. This is what I managed to do successfully up to this point:

- bought a domain on Cloudflare
- created A record name “nas” for that domain that points to my static WAN IP
- I didn’t turn on the proxy on that subdomain yet (I intended to do that later)
- in Cloudflare SSL is set to Full mode (not Full strict mode, just Full)
- installed nginx proxy manager (jlesage/nginx-proxy-manager)
- added proxy host with the subdomain nas.example.com and the Let’s encrypt certificate
- installed pi hole and added a Local DNS entry with nas.example.com and the IP pointing at the local IP address of the NAS (where the pi hole is installed)

I tried turning the firewall off on the router, tried to disable DoS protection, tried to add in the router the DNS server as the local IP of the NAS (where pi hole is) to use pi hole as DNS server. Nothing works. I keep getting ERR_CONNECTION_REFUSED or DNS_PROBE_FINISHED_NXDOMAIN. When I try the command nslookup nas.example.com in the terminal it shows my static WAN IP address.
 
But where is your DNS server zone for your domain? If you have a record, the request will fly out of your LAN towards CF (as it is authoritative for your domain), look up the record there and ofc hit your router again. With 443 closed on your router you get the error, as it can't reach your reverse proxy that would ultimately lead to the internal destination.

Fred is on vacation so response will be delayed
 
Unfortunately, I’m not sure I’m following here. It might be a basic thing but I’m still learning. Can you please explain in detail what I have to do, and where, regarding the “DNS server zone”? On Cloudflare? Somewhere locally? Thank you
 
Update: do I even have to go outside my local network (to Cloudflare, from Cloudflare to my WAN external static IP, to my local DNS etc) to be able to use the SSL? I mean: the SSL was issued to the domain and imported into Synology using the DNS challenge method via the acme.sh script.

How can I now set things up to stay within the local network? And will this actually work?
 
Update: I’m getting closer to the solution. I did this, this time using pi hole and the Synology internal reverse proxy:

In pi hole:

- added local DNS record: example.com
- added CNAME record: dsm.example.com that targets example.com

In my Asus router: added that the DNS server is the IP address of the NAS so that it uses pi hole as DNS server.

In Synology DSM reverse proxy created a new proxy host:

- under “Source” selected protocol HTTPS, hostname dsm.example.com, port 5001.
- enabled HSTS (I tried with that disabled as well).
- under “Destination” selected HTTP, hostname added local IP address of the NAS, port 5000.

This configuration right here is giving me the best result so far: when I try to reach dsm.example.com all browsers (tried in incognito as well) change it to https://dsm.example.com:5001, which is good, and the certificate icon is good (if I click on it I can see that the certificate is valid and issued by Let’s encrypt), but after a few seconds of trying to load the page it just stops on a blank screen and that’s it. No errors. Nothing.

What am I missing?

New update: when I uncheck the option “Automatically redirect HTTP connection to HTTPS for DSM desktop” it works! Finally!

Is this how it is supposed to be, or should I do something to force this redirection?
 
Update: false alarm. I didn’t change anything anywhere, and after 10 minutes I got back to where I was before: entering dsm.example.com gives the error that the certificate is not valid.

Why?
 
Completely missed this thread. So yes, you will need a dns server internally that will hold the records that you need. In this case you really do not need a reverse proxy if the destination service/app can handle https requests (and DSM can).

This should work just fine for you. Have you tried with multiple devices?
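As an added example, not part of this thread, here is a small POSIX shell script that encodes the point made in the reply above and in the Pi-hole setup described a few posts earlier: for a LAN-only NAS, the internal resolver must be the one answering for the name, and it must answer with the NAS's private address. The script classifies a resolver's answer as internal, public or nxdomain (the ERR_CONNECTION_REFUSED and NXDOMAIN symptoms reported earlier correspond to the latter two, which appear when the Pi-hole is not the resolver actually answering), and it renders the two Pi-hole lines (a Local DNS record in custom.list and a dnsmasq CNAME) that the earlier post set up by hand. The hostnames, addresses and resolver IP are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): split-horizon DNS sanity check for a
# LAN-only NAS behind Pi-hole. Names and addresses below are assumptions.

# Return 0 if $1 is an RFC 1918 private IPv4 address, 1 otherwise.
is_private_ipv4() {
  case "$1" in
    10.*)                                     return 0 ;;
    192.168.*)                                return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*)    return 0 ;;
    *)                                        return 1 ;;
  esac
}

# Classify the address a LAN client got back for the name.
# Prints "internal" (Pi-hole record in effect), "public" (the query went out
# to the authoritative zone and came back with the WAN IP) or "nxdomain".
classify_answer() {
  addr="$1"
  if [ -z "$addr" ]; then
    echo nxdomain
  elif is_private_ipv4 "$addr"; then
    echo internal
  else
    echo public
  fi
}

# Reduce `dig +short` style output to the final A record; with a CNAME the
# target name comes first and the address last, so keep the last IPv4 line.
final_address() {
  printf '%s\n' "$1" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | tail -n 1
}

# Render the Pi-hole lines for a host that must stay inside the LAN:
#   line 1 -> /etc/pihole/custom.list            (Local DNS record)
#   line 2 -> /etc/dnsmasq.d/05-pihole-custom-cname.conf (CNAME alias)
pihole_records() {
  name="$1"; ip="$2"; alias="$3"
  printf '%s %s\n' "$ip" "$name"
  printf 'cname=%s,%s\n' "$alias" "$name"
}

# Live check against a chosen resolver (needs dig and network access).
live_check() {
  host="$1"; resolver="$2"
  out=$(dig +short @"$resolver" "$host" A)
  classify_answer "$(final_address "$out")"
}

# Usage: NAS_CHECK_HOST=dsm.example.com RESOLVER=192.168.1.2 sh dnscheck.sh
if [ -n "${NAS_CHECK_HOST:-}" ]; then
  live_check "$NAS_CHECK_HOST" "${RESOLVER:-192.168.1.2}"
fi
```

Query the Pi-hole address directly first, then the resolver the router hands out via DHCP. An "internal" answer from the Pi-hole but "public" from the router's resolver means clients are not using the Pi-hole at all, and their queries are taking the trip out to Cloudflare and back to the closed port that the earlier reply describes.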
 
If I don’t use a reverse proxy, how can I then point to the right port? Example: I need to access the DSM https port 5001. In the reverse proxy I insert the domain dsm.example.com and everything I wrote in one of my previous posts. If I don’t do that how will the browser know where to go?

What confuses me is that the same device gets a good resolve of the domain with the SSL certificate and then 5 minutes later it doesn’t. It seems to work only occasionally, and mostly only after I restart the web server on the Synology.

I tried with different devices. The same issue is there.

I don’t want to give up, but this is driving me crazy. I have no one to help me and the tons of tutorials and threads all over the internet didn’t solve this specific problem. Based on the described issue, do you think it is possible that my Asus router (with stock firmware) is doing this? DNS rebinding? The router doesn’t have the option to turn it off.
 