Trouble connecting to Synology Drive externally

[fredbert]

TCP 6690 port forward is only needed if you are going to have remote (off-the-LAN) desktop client devices connecting to Drive server. If you are not then you can remove it. Just one thought: if you do use desktop clients from the LAN then you will have to decide which server name/IP address you are going to use to access the NAS. With a secured connection it may throw an alert when setting up the client if the SSL certificate doesn't match that server name. See what happens and ask if you need help.

 

[mailhn]

Dear @fredbert, I would like to ask some more questions about Synology Drive Client.

For better security open ports for Synology NAS services access from the internet, I changed the default port for the Synology Drive Client web port to another port number, ex: 43235. So when I connect to Synology Drive using a web browser (on PC) from the internet to my NAS, the address would be like this: https://myddns-domain.myds.synology:43235
To do this I have to redirect the open port 43235 in the router to the local NAS IP.

My question is:
1. Do I need to open port 6690 in the router for Synology Drive Client on my PC to connect to the Synology Drive Server from the internet?
2. Is it safe to open the 6690 port in the router/modem, If don't open the 6690 port, the Synology Drive Client app on the PC can't remote connect to the Synology Drive Server on the NAS in the local network?

3. Should I establish an Open VPN connection from my PC to the NAS, then let the Synology Client connect to the Synology Drive Server as in the local network (on the same LAN) without having to open the 6690 port?

Thank you.

 

[fredbert]

As always it's a balance between risk and convenience. But if you want to use Mac/PC Drive client from the Internet then you'll either have to open TCP 6690 through the router or first use a VPN connection (through or to the router, depending on what VPN server options you have). But whichever you do, these Drive client's cannot have ':port' appended to the computer name setting, and so you cannot use a different port mapping on the router.

So to answer your question:

1. Yes, except when 3.
2. :
   1. Probably: so far I don't recall any security notices on this service.
   2. Drive clients on LAN devices using NAS LAN IP as the computer name can access Drive Server: clients will access other devices on the LAN directly and won't interact with the router's firewall or forwarding rules... unless you use a Drive server name that resolves to a public IP address (i.e. the router's ISP WAN IP). The SSL certificate will be flagged as untrusted when using an IP address since certificates don't include them in the list of 'good' alternative names. With a laptop you'd most likley be setting up Drive client to use secure connections.
3. That's a solution if you don't want to have TCP 6690 directly accessible. You'll have to remember to enable the VPN tunnel when you update files, so the sync works. You can look into split-tunnelling whereby you define the destinations to use the VPN tunnel (i.e. 192.168.MYLAN.0 etc.) and everything else from the client device goes direct to the Internet.

There is the same situation when using Active Backup for Business and Hyper Backup Vault from and across the Internet. These too have fixed TCP ports.