Synology DDNS on DSM or SRM (and question on Cloudflare)

NAS: DS213J, DS918+
Operating system: macOS
Mobile operating system: iOS
Pros/cons of running DDNS on DSM vs SRM: I have a 918+ which I will be moving to backup-only storage and want to keep off the internet. I just bought a 6600 router and am wondering if there are any benefits to running DDNS for my name.myds.me from Synology on the router vs the new NAS?

Also, I have been running DDNS on the Synology NAS to the Synology reverse proxy, and it has been working well for the few services (Audiobookshelf, Plex) I want to expose out of my house and to my parents. I have moved "server" functions to Proxmox on a mini PC, and this has included moving the reverse proxy to NGINX Proxy Manager. This got me started playing with Cloudflare (I already have 2 domains), and I was able to get this working, but I'm not exactly sure what best practice is. (FYI, I did get tunnels working but can't use this for media as it is against the TOS, and I also have some concerns about Cloudflare seeing all the data anyway.)

At first I set up a wildcard A record and pointed it to my public IP, which was port-forwarded (443 only) to my NGINX Proxy Manager on Proxmox to resolve subdomains, and that worked fine. I still needed DDNS, so I deleted the A record and set up a wildcard CNAME pointing to my name.myds.me, which lives on the Synology NAS right now, which then went to NGINX Proxy Manager. Now my *.personaldomain.com seems to be working correctly, sending traffic to *.myds.me, then to NGINX, and resolving to the correct site.

Any obvious problems with the way I am setting this up to get personaldomain.com to host home apps when I need DDNS? Should I be using DNS only or proxy on Cloudflare? If using proxy, doesn't this again allow them to see the data? (I know it's not a tunnel, so I think it would be fine to use if just redirecting to my personal server, but the added benefit of 2FA doesn't work for Audiobookshelf/Plex when using the apps, only when using the web login, so it doesn't work. Plex at my parents' house on their old TV with the built-in app can't utilize the extra proxy login, so I'm not sure it's helping at all.)

Still learning a ton. I am thinking that if Cloudflare CNAME to Synology DDNS is the way to go, it may make more sense to just run the DDNS on the router moving forward.

Thanks as always for the advice and help.
 
Am thinking that if Cloudflare CNAME to Synology DDNS is the way to go
This will work. You can have an alias pointing to a public DDNS name. Still, some services behind it might not work as intended, considering that you are using your reverse proxy on top of it all. This additionally complicates things if you use CF's DNS record proxy option, but you will have to test it out to know for sure.

As for the DDNS on NAS or router, if you have a choice, push it further away from your internal resources towards the edge, in this case the router. At a functional level it will not be any different, considering you still have port forward rules for your NPM, so which device broadcasts the public IP change to the Syno DDNS service is almost irrelevant here.
 
Upvote 0
It seemed that Cloudflare worked with DNS only or with proxy on (no additional protection). I am working on getting the NGINX Proxy Manager extra layer of login auth working, but it seems that Audiobookshelf may support Authentik, and that's a bigger project than I want to take on right now.

Is there a better way to use my public domain to host Audiobookshelf and Plex from my home network that you would recommend trying? I bought the domain from Cloudflare, which is the only reason I used it.
 
Upvote 0
Is there a better way to use my public domain to host Audiobookshelf and Plex from my home network that you would recommend trying?
If by better you mean more secure, that would depend on the systems you are trying to protect. With Plex, as you said, its built-in 2FA layer is only in effect via the web, not the desktop/TV or mobile apps. So from a user perspective there will be no benefits.

Activating any 3rd-party SSO/2FA system such as Authelia or any other is, again, as you said, a bigger project that you will look into.

In any case it's always security vs convenience. Better security will mean a less user-friendly setup, and maybe additional education for all in how the systems need to be used. So if a reverse proxy is not an option, the only other way would be using a private site-to-site VPN setup, or something like Tailscale, to get privacy and protection and still maintain "LAN-like" behaviour. I haven't tested Plex via Tailscale, but Plex by default does not work over IPSec. So if Tailscale depends on that, it might not be a solution.

I'm sure there are members here that have tested it, or use it in that manner, who can confirm it.
 
Upvote 0
Regarding Plex, I'm not sure that Authelia/Authentik would be an option either, I guess, as it still doesn't work with Plex via iOS/iPadOS, Roku or Google TV, etc. So this still couldn't be turned on for the convenience of using it on devices, just web login.

Tailscale works fine for Plex; it's just that my parents refuse to use the Apple TV that has it built in because "there is Plex built into the TV", so they want to use that. So it's the safest option, but not practical. While it is a pain for the kids' iPads, I've tried it in the past and it didn't pass "wife acceptance" as there was too much stuff to do/troubleshoot and she couldn't get it working.

Maybe I will look into Cloudflare services or NGINX services to only allow a specific IP whitelist as a security measure. I think I'm about as safe as I can be for now: I moved my DDNS to my router, it's sent to NGINX on Proxmox in an unprivileged container, which forwards to a Plex unprivileged container with media files mounted via NFS. Firewalls are up at each step, so I think it should at least be a hassle for a hacker, and I'm only losing media (not anything sensitive) to a bad actor.

The other option I looked into was a DMZ or a separate VLAN for something like Plex, but routing data back and forth to just the VLAN seemed like a whole lot more overhead and not necessarily much more protection than what I am getting from an unprivileged container with a firewall and only sharing media via NFS.
 
Upvote 0
Another option is a CF tunnel. No open port, reverse proxy features, along with optional authentication.
 
Upvote 0
I actually set this up and it works reasonably well, but I can't do Plex/Audiobookshelf since media is apparently against the Cloudflare TOS and people have been getting booted from what I can see. I'm not sure my parents streaming a few episodes from my DVR tuner is going to push it that far, but it is a known issue. So I still need to come up with a better option for Audiobookshelf/Plex. If I need to reverse proxy these services anyway, it seems like I might as well do the few others if 443 is open.
 
Upvote 0
I wouldn't run Plex through a tunnel... audiobooks? IDK.

Headscale is another option I'm looking at (no open ports). I've found this video useful. But it may be unnecessarily complicated for Mom/Dad.
 
Upvote 0
Headscale has the same problem as Tailscale: it doesn't work for remote "smart TV" Plex.
 
Upvote 0
Given those constraints, I'd stick with subdomains managed via RP.
 
Upvote 0
Well, I'm back after learning a little, trying a lot, and breaking a ton of my stuff. The long and short of it is that QuickConnect works so nicely I'm keeping it for Synology apps (Drive/Photos) for family. Just too darn easy for the wife, and I will trust Synology. Tailscale will be for me getting to my network and for things like DSM that I don't want open. Also, wow, Tailscale to help with remote backup to another Synology behind CGNAT made things so much easier.

Final part: I still want Plex and Audiobookshelf to be available to family without Tailscale. Tailscale works, but it's just a huge pain to have my young kids have this on an iPad, or my parents' TV that doesn't support it. Plex itself with a port directly to Plex again implies trusting Plex auth, but that is honestly pretty good. To add Audiobookshelf, I decided I will keep a reverse proxy. I had a domain pointed to my IP (need to change this to DDNS as it does change every few months), proxied with Cloudflare to block outside the US and some basic WAF, then with a wildcard cert to my reverse proxy (NGINX Proxy Manager), and this works fine. Decided if having one port makes sense I will go back and put Plex on my domain as well.

Final outstanding issues are recommendations on hardening the RP (I put in place some router firewall rules). I installed Authentik and am working on this for OIDC logins in front of the RP, but I'm looking for a way to log entrance to the RP as well as additional safety.

CrowdSec? Fail2ban?
And what is the easiest way to get logs of what is getting through the router to my reverse proxy (logs on the Synology router vs something to ingest NGINX Proxy Manager logs)? Or would there be a better option for a reverse proxy (aka a beginner who likes GUI over CLI)?
 
Upvote 0
Decided if having one port makes sense I will go back and put Plex on my domain as well.
You can run everything by exposing only port 443 along with a reverse proxy. Or... use Cloudflare tunnels to access Audiobookshelf, and there is no port to be opened.
 
Upvote 0
I suppose I could do that.

I didn't explain myself well; my thought was that I need a port open no matter what, so rather than just a port forwarded to Plex, I might as well funnel Plex, Audiobookshelf and anything else I need for family to the reverse proxy. So the question is how to harden the reverse proxy and log it?

I will have to consider this approach (technically Audiobookshelf is also against the Cloudflare TOS), but I would think it would not be as much data as Plex. So maybe a port for Plex on the router and trust Plex auth, and then ABS with a tunnel would be reasonable.

I would still have the same issue, however, of wanting logging of the tunnel. I believe the tunnel would allow 2FA on Cloudflare then.
 
Upvote 0
So maybe a port for Plex on the router
Or use a reverse proxy with 443 forwarded to your NAS such that
https://plex.mydomain.com redirects to 192.168.1.42:32400
https://abs.mydomain.com redirects to 192.168.1.42:xxxx (Audiobookshelf port)

... and so on.

Re CF TOS... I highly doubt Audiobookshelf would be a blip on CF unless you were providing a worldwide streaming service to thousands... but that's something you have to come to terms with.

☕
 
Upvote 0
That is what I have done: 443 on the router goes to NGINX Proxy Manager for both Plex and Audiobookshelf.

I seem to be getting a lot of login attempts on my reverse proxy.
- I have turned on Cloudflare proxy with WAF to block other countries
- I have the firewall on the Synology router on
- I am working on Authentik for 2-factor

My question is, what are good options to monitor logins to my NGINX reverse proxy, and how else can I harden it?
 
Upvote 0
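The post above asks how to see who is hitting the reverse proxy and how to harden it. As an added example (not code from this thread, from NGINX Proxy Manager or from Cloudflare), the Python script below reads NPM access-log lines and flags two things a practitioner would want out of those logs: (a) source IPs with a burst of 401/403 responses, which is exactly what Fail2ban or CrowdSec would ban, and (b) hits on Cloudflare-proxied hostnames that did not arrive from a Cloudflare edge address, which means the origin is being reached directly and the WAF/geo-block is being bypassed. Assumptions: NPM's default proxy-host log_format (check `/etc/nginx/nginx.conf` inside the NPM container and adjust the regex if yours differs), 401/403 counted as a failed login, a snapshot of Cloudflare's published IPv4 ranges, and a constructed sample log; the hostnames plex.mydomain.com / abs.mydomain.com and the address 192.168.1.42 follow the thread's own examples.

```python
"""Triage an NGINX Proxy Manager access log for brute-force logins and WAF bypass.

Added example for the thread; not NPM's or Cloudflare's code. Assumptions:
  * NPM's default proxy-host log_format (adjust LINE_RE if yours differs);
  * a 401/403 from the upstream counts as a failed login attempt;
  * CLOUDFLARE_V4 is a snapshot; refresh it from https://www.cloudflare.com/ips-v4.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \S+ \S+ (?P<status>\d{3}) - (?P<method>\S+) '
    r'(?P<scheme>\S+) (?P<host>\S+) "(?P<uri>[^"]*)" \[Client (?P<client>[^\]]+)\]'
)
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]
FAILED_AUTH_STATUSES = {401, 403}


def parse_line(line):
    """Extract the fields we triage on; None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
            "status": int(m["status"]), "host": m["host"], "client": m["client"]}


def is_cloudflare(ip):
    """True if the IPv4 address is inside a Cloudflare edge range."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in CLOUDFLARE_V4)


def find_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Clients with >= threshold failed logins inside any sliding window.
    Returns {client_ip: peak_failures_seen_in_one_window}."""
    per_ip = defaultdict(list)
    for ev in events:
        if ev["status"] in FAILED_AUTH_STATUSES:
            per_ip[ev["client"]].append(ev["time"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def find_origin_bypass(events, proxied_hosts):
    """Hits on Cloudflare-proxied hostnames whose source is not a Cloudflare edge.
    With 443 forwarded straight to NPM, anyone who learns the origin IP skips the
    WAF/geo-block entirely; these (client, host) pairs are the evidence."""
    return sorted({(ev["client"], ev["host"]) for ev in events
                   if ev["host"] in proxied_hosts and not is_cloudflare(ev["client"])})


def analyze(lines, proxied_hosts, threshold=5):
    events = [ev for ev in map(parse_line, lines) if ev]
    return {"parsed": len(events),
            "bruteforce": find_bruteforce(events, threshold=threshold),
            "origin_bypass": find_origin_bypass(events, proxied_hosts)}


# Constructed sample log (not real traffic): one legitimate hit via a Cloudflare edge,
# six failed logins from one host straight at the origin, one direct Plex hit, junk line.
_FAIL = ('[30/Mar/2024:14:00:{:02d} +0000] - 401 401 - POST https abs.mydomain.com "/login" '
         '[Client 203.0.113.7] [Length 12] [Gzip -] [Sent-to 192.168.1.42] "python-requests/2.31" "-"')
SAMPLE_LOG = [
    '[30/Mar/2024:14:00:01 +0000] - 200 200 - GET https plex.mydomain.com "/web/index.html" '
    '[Client 172.68.1.10] [Length 1024] [Gzip -] [Sent-to 192.168.1.42] "Mozilla/5.0" "-"',
    *[_FAIL.format(sec) for sec in (5, 9, 14, 22, 31, 40)],
    '[30/Mar/2024:14:00:45 +0000] - 200 200 - GET https plex.mydomain.com "/identity" '
    '[Client 198.51.100.9] [Length 300] [Gzip -] [Sent-to 192.168.1.42] "PlexMobile/1.0" "-"',
    "not an NPM access-log line",
]
PROXIED_HOSTS = {"plex.mydomain.com", "abs.mydomain.com"}

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, PROXIED_HOSTS)
    print(f"parsed {report['parsed']} lines")
    for ip, n in report["bruteforce"].items():
        print(f"brute force: {ip} ({n} failed logins within 60s)")
    for ip, host in report["origin_bypass"]:
        print(f"WAF bypass: {ip} reached {host} without going through Cloudflare")
```

Two caveats when running this against a real NPM log. First, with Cloudflare proxying on, `$remote_addr` in this log is the Cloudflare edge address, so the brute-force counter only sees the real client if NPM is configured to trust Cloudflare's `CF-Connecting-IP` header (nginx real_ip handling); otherwise a handful of Cloudflare IPs look like one attacker and a ban would lock out everyone. Second, the bypass check is only meaningful if 443 is supposed to be reachable solely through Cloudflare; if it reports direct hits, the fix is to restrict the router's port forward (or NPM's access list) to the Cloudflare ranges, since a WAF in front of an origin that is also reachable directly is decorative.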
Well, I essentially gave up on the reverse proxy. While everything works, using Cloudflare DNS with proxy with WAF and the Synology router firewall, I seem to have a lot of attempted logins. I'm sure this is just bots and par for the course, but I'm trying to mitigate it. I did get Authentik up and working, but it was a hassle for Audiobookshelf (and can't be used for Plex).

I ended up just doing what you suggested @Telos, and rather than 443 for the RP, I'm using one port for Plex and trusting Plex external authorization. I use Tailscale for my personal access, and the only people who use Audiobookshelf in my family were OK with Tailscale. I ultimately still have QuickConnect set up as well because my wife hates the idea of Tailscale (aka won't use it), and QuickConnect for Photos just works. The sharing link option works much more easily and is set-it-and-forget-it with QuickConnect when sharing outside of family to friends. I trust Synology enough (and all the admin accounts have 2FA etc.) so I'm not worried about intrusion in that case.

Also, I have found out that if I turn on Tailscale and then connect to my QuickConnect account my speeds are improved, as it attempts to do a direct connect where previously I would get relay speeds. This actually has worked out pretty well for my personal needs, as I do like the increased speed when I travel for work. It's a bit less of a hassle than the DDNS, especially with Synology Drive.
 
Upvote 0
