Synology NAS and router - quickconnect and other questions

Hi there - I have a DS918+ NAS and a RT2600ac router set-up at home and have been using them for a few years now. I set-up quickconnect when I got the devices on the NAS and router, and also DDNS on the router, however I am not sure I fully understand the set-up. I generally use IP addresses at home across the LAN and quickconnect when I am out, to access things like DS photos and Drive via the various apps. I use quickconnect on the router, again so I can use DS router app on my phone. I also realised I had DDNS enabled on the router, but I was not using it.

Is quickconnect actually a good solution for a home user? Is it safe, encrypted etc? I use firefox and force HTTPS however I don't think it makes that connection encrypted, but I am not sure about this. I have also never changed my quickconnect ID, should this ever be changed on a regular basis?

I am aware there is a VPN server app on the router that I could use, but when I briefly looked at the package it seemed very complicated to a home user. If I was to get it working, how would it help me access my NAS and mobile apps etc?

Is there a more secure but also practical way for me to set-up my home NAS and router?

Any thoughts or comments helpful. Thanks for reading.
 
Is quickconnect actually a good solution for a home user? Is it safe, encrypted etc?
While inside your LAN there is no reason not to use the local IP address of your NAS to access it. In terms of QC vs DDNS, both can be used to access the NAS from the outside, with QC using access over Synology infrastructure (in most cases) with no hole punching in your router. DDNS on the other hand is faster, but you need to configure it a bit more than QC to get access to your LAN services that way.

I use firefox and force HTTPS however I don't think it makes that connection encrypted, but I am not sure about this
Checking the Control Panel > Security > Certificate, you can identify what certificate is being used for service access or not.

So, QC will be a much simpler solution for the end user with DDNS a bit more complex to maintain and use but also faster.

I have also never changed my quickconnect ID, should this ever be changed on a regular basis?
Registration of a new name is an option, and like any other publicly accessible resource you could change it, but before you go down that road make sure that the end account you are using to access your NAS has all the security elements active. Complex pass, complex username, 2FA option (3rd party, or Secure Signin by Synology). That is what will make a difference in the end for the most part.

If I was to get it working, how would it help me access my NAS and mobile apps etc?
VPN would provide the most secure access to any local resource or service for sure and it would allow you to get to them using the local ip address (just as you were in your LAN) even though you would be on a remote location.

Is there a more secure but also practical way for me to set-up my home NAS and router?
Practical is what QC is there for. VPN on the other end of the spectrum is the most secure but in certain cases not so practical. With most VPN solutions you will need a VPN client up and running on the device of your choice (computer, mobile, tablet...) to connect back to your LAN.

Once all is up and running, you will need a single button push to activate your VPN connection and get access. So, that is not something that requires a lot of effort or knowledge to get up and running.

Just as an example, I use Wireguard VPN. I have it configured that while I am inside my house I access everything locally (in terms of IP addresses). When I leave the house my devices are configured via Wireguard client to automatically connect over 4/5G via VPN back to my LAN. So practically, a few feet away from the house in a matter of seconds when off wifi I am connected back to my LAN as if I never left.

What that means is that I can still use all the services and apps with zero reconfiguration and with no button to push to begin with. For laptops, there are a few steps that need to be executed to get the connection up and running (like connecting to an accessible network, like your phone for example, and then activating a VPN connection) but it takes a few seconds to do it. After that, again, no reconfiguration, you just continue to use your apps and services.

While it might sound complex to get a VPN up and running, once you do, using it will not be an issue no matter how much experience you have or not.
 
Thanks for your detailed reply @Rusty, it has given me a lot to think about.

I have re-read it a number of times, and I have been thinking about options. Right now, I have quickconnect off on the NAS and router, and I may go back to it but it's fine to run with it off for the time being as I don't need access outside the network.

I have read a few guides on ddns, and I think I could set up, and I presume I would be setting up on my NAS, but I could also do on my router. A bit more thought needed.

I need to read up on the VPN side of things so I can get the hang of it.

Complex pass, complex username, 2FA option (3rd party, or Secure Signin by Synology). That is what will make a difference in the end for the most part.
I think I have this in place, with complex passwords, plus 2FA.

Just as an example, I use Wireguard VPN. I have it configured that while I am inside my house I access everything locally (in terms of IP addresses). When I leave the house my devices are configured via Wireguard client to automatically connect over 4/5G via VPN back to my LAN. So practically, a few feet away from the house in a matter of seconds when off wifi I am connected back to my LAN as if I never left.
This sounds very interesting, did you follow any guide etc? I also have to consider how family would be able to use the NAS as photos and files are backed up there. This is one reason why quickconnect has stayed in use.

I also started looking at my firewall, which was another distraction and one for another thread!!
 
This sounds very interesting, did you follow any guide etc?
Actually no, I have done the articles myself covering this setup. Divided into two articles to be exact. Ofc this is just if you want to go down the Wireguard path. There are other more turn key solutions out there, but this one works for me. It’s super stable, and a single button, in the worst case, process if it’s not automatic. Essentially, permanent LAN connection.

If you are interested, have a read:


 
@depod what did you decide to do?

I did have a bit of a play over the holidays. I set-up Synology SSL VPN on my 2600 router. I also re-enabled DDNS so I can sign on securely with a self-owned domain name.

I have done some testing and I can log in via a browser and via my android phone. With wifi off on the phone, I can't access my files using the Drive app, but then logging into the VPN gives me access to the files. I hope I have got the settings right. I have a strong password and 2fa set-up in order to use the VPN.

Are there any other settings I should be aware of?
 
@depod I'm not sure, I'm essentially in the same boat but going with reverse proxy. I have a working DDNS with my synology.me domain, and have audiobookshelf, jellyfin, synology photos, synology drive setup and working well. I also have home assistant running, but I had to open up local ports on the firewall to recognize all my devices on my subnet so I'm a bit concerned about my security. (I think it would mean anyone on my network could see my synology, probably not a huge security risk since they still need to access the NAS, but a consideration).

I opened just port 443 on my router, and route this to my synology and use the reverse proxy to access the above services. I have firewall rules setup for the RP, the docker container subnet, and local subnet for home assistant.

I have tailscale setup if I want to access the management UI. (Previously had openvpn setup through my router netgear orbi but doesn't allow split vpn). Still trying to decide if I'm going to continue with this or just use quickconnect, it is very convenient and with passwords probably safe enough for my use case.
 
I have been trying to tighten security, I have split up my admin and user profiles (default admin disabled years ago) and then made some further changes. SMB is now disabled, as I don't currently need it. NFS remains enabled although I have switched some of my shared folders to read only (media).

I also managed to do a proper test of the VPN, logging in as I was travelling and I could access my music software so I am pleased with that result.

The remaining task is to work out how I keep my media folder in sync with a NUC running the software with its own SSD on my LAN.
 
I have been trying to tighten security, I have split up my admin and user profiles (default admin disabled years ago) and then made some further changes. SMB is now disabled, as I don't currently need it. NFS remains enabled although I have switched some of my shared folders to read only (media).

I also managed to do a proper test of the VPN, logging in as I was travelling and I could access my music software so I am pleased with that result.

The remaining task is to work out how I keep my media folder in sync with a NUC running the software with its own SSD on my LAN.
So I've set up Tailscale for everything, and I'm not sure what I will stick with. It's fine for me, but for my wife no way she will be able to do this. I think I'm going to keep quick connect on since she uses Synology Photos and drive. I think I'm ok with the inherent safety risks.

My webdav I'm going to stay with Tailscale, and I'm going to stay with Tailscale for accessing my local network as I like the split tunnel (open vpn on my netgear orbi router doesn't support it).

For Jellyfin and audiobookshelf I think I may keep DDNS and route 443 to my reverse proxy......it's just more convenient. Trying to get my dad to run Tailscale to then get access to both is ok on his phone, but his new TV doesn't support Tailscale.....so he can cast videos but not as convenient. There are a few other issues such as when I'm at work etc that would be nice to have access to but not mission critical. I am working more with my firewall to understand it better to be as locked down as reasonably can be. Also looking into putting a 2 factor in for those docker containers (I suppose would need to be something like Authelia, I'm not really sure).

I think if I can get 2 factor for my reverse proxy docker containers, and a half set up firewall, and if I lock down the accounts of Jellyfin and audiobookshelf to not be able to access shares I will probably take the convenience of remote access compared to safety of the Tailscale VPN.
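
The WireGuard setup described earlier in the thread (reaching the NAS by its local IP address while away) and the split tunnel mentioned in the later posts both depend on which destination networks the client sends into the VPN; in a WireGuard client config that is the `AllowedIPs` line. The following is an added example, not part of any post in the thread: it parses a constructed single-peer client config and reports whether a given destination would go through the tunnel. Keys, endpoint, subnets and addresses are placeholders chosen for illustration.

```python
import configparser
import ipaddress

# Constructed sample WireGuard client config (single peer). Keys, endpoint and
# subnets are placeholders, not values from the thread.
SPLIT_TUNNEL_CONF = """
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/32

[Peer]
PublicKey = <server-public-key>
Endpoint = home.example.net:51820
AllowedIPs = 192.168.1.0/24, 10.8.0.0/24
PersistentKeepalive = 25
"""

# Same peer, but every IPv4 destination is sent through the tunnel.
FULL_TUNNEL_CONF = SPLIT_TUNNEL_CONF.replace(
    "192.168.1.0/24, 10.8.0.0/24", "0.0.0.0/0")


def allowed_networks(conf_text):
    """Return the networks listed on the [Peer] AllowedIPs line."""
    # interpolation=None so '%' characters in real keys are not interpreted.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    raw = parser["Peer"]["AllowedIPs"]
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in raw.split(",") if item.strip()]


def via_tunnel(conf_text, destination):
    """True if the client would route traffic for destination into the VPN."""
    addr = ipaddress.ip_address(destination)
    return any(addr.version == net.version and addr in net
               for net in allowed_networks(conf_text))


if __name__ == "__main__":
    nas, public = "192.168.1.20", "203.0.113.10"  # constructed addresses
    for name, conf in (("split", SPLIT_TUNNEL_CONF), ("full", FULL_TUNNEL_CONF)):
        print(name, "| NAS via VPN:", via_tunnel(conf, nas),
              "| internet via VPN:", via_tunnel(conf, public))
```

With the split-tunnel config only traffic for the home LAN and the VPN subnet is tunnelled, so apps that point at the NAS's local IP keep working while other traffic uses the normal connection.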
 
