Hi all,
My current setup is:
DS920+ NAS running services, some in Docker i.e. Vaultwarden, and some bare metal i.e. Calendar. As I share some services with family members outside my network, I use Nginx proxy manager as my reverse proxy. I use Cloudflare for DNS and a Let's Encrypt wildcard certificate to keep this all secure. So, services are accessed by something like https://service-name.my-domain.com. On my router I have one port forwarded for Plex and another for 443 to NPM (reverse proxy). I have a basic understanding of how this is working, but just to be clear, have only managed to set this up by following guides on the internet and asking for the help of kind people on this site. It might also be relevant to point out that I've not been able to configure Synology's internal firewall for the services running in Docker. I believe it might be possible to use the firewall if I use Synology's built-in reverse proxy instead, but for now the internal firewall is off.
The issue:
I understand that 'best practice' might be to have no ports forwarded in my router, but I need/want to share services with external family. However, the firewall on my router (UDM Pro) is detecting, and blocking, threat attempts from IPs categorised as either CI Army or DShield, trying to access either Plex's or NPM's ports. It's great that these IPs are being blocked, but it's making me wonder about how secure my current setup actually is. Perhaps an IP that's not been categorised as a particular threat could be getting through? My passwords are strong, and I have 2FA enabled on the NAS's admin account, but no password is 100% safe, and then there's always the possibility of exploits, right? Or am I just paranoid; is using a reverse proxy secure enough?
So I've been playing with Tailscale. I've discovered that by putting my external family members' computers, my remote devices (mobile phone etc.) and my NAS all on the same Tailscale network, I can access all the required services without opening any ports (well, perhaps just for Plex) on my router. Furthermore, I can turn on my NAS internal firewall too. Is this method any more secure? Or can anyone advise on a better way to do this, or any downsides I need to be aware of? Thanks for any advice you can offer.
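One downside of the Tailscale approach as described is that a tailnet's default policy is allow-all: once family devices are on the same tailnet they can reach every port on every node, including DSM and SSH on the NAS. The policy file below is an added example (not the poster's configuration and not a Tailscale default) showing how to narrow that to least privilege; the e-mail addresses, the `tag:nas` name and the Plex port 32400 (Plex's well-known default) are assumptions, and the NAS must be brought up with `tailscale up --advertise-tags=tag:nas` for the tag to apply.

```jsonc
{
  // Placeholder users; replace with the family members' actual tailnet logins.
  "groups": {
    "group:family": ["alice@example.com", "bob@example.com"]
  },

  // Only a tailnet admin may attach tag:nas to a device, so a family member
  // cannot tag their own laptop to inherit the NAS's permissions.
  "tagOwners": {
    "tag:nas": ["autogroup:admin"]
  },

  "acls": [
    // Family devices may reach only the reverse-proxy port (NPM on 443) and
    // Plex (32400, assumed default) on the NAS, nothing else on the tailnet.
    {
      "action": "accept",
      "src":    ["group:family"],
      "dst":    ["tag:nas:443", "tag:nas:32400"]
    },

    // The owner's own devices keep full access to the NAS (DSM, SSH, Docker
    // admin ports), which family members never get.
    {
      "action": "accept",
      "src":    ["autogroup:admin"],
      "dst":    ["tag:nas:*"]
    }
  ]
}
```

Anything not matched by an accept rule is denied, so the Synology firewall becomes a second layer rather than the only thing separating family devices from the NAS admin interface.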