Question: VPN Server on DSM - use DDNS for SRM or DSM

I have a Synology RT2600ac and DS718+. Right now I am running VPN Server on the NAS with OpenVPN and a Let's Encrypt certificate. Top picture is from the NAS and bottom is the router. You can see I have 3 certs on the NAS (important to my question): (1) is the self-signed one, which I don't use (to my knowledge), (2) is my NAS DDNS (which I don't use), and (3) is my DDNS for the router (which I use as the default cert, including for the VPN Server). I port forward the VPN port in the router from all IP/all port to the DSM static IP. My VPN service seems to work fine. I can't tell from much reading if LE auto-renews or not, but I prefer not to have port 80 forwarded unless needed, so I open it for the renewal and close it. Then I export the cert from DSM and import it to SRM. A few questions:

1 - Should I (or is there a benefit to) change the default cert (or at least the one for the VPN Server) to the cert for the NAS? Or am I set up correctly already? Could I point the .ovpn file to the DDNS of the NAS (benefit?) or just leave it? I am not a power user; I am at the beginning of this journey (bought router and NAS about 6 months ago); first networking experience.
2 - Is there a better way to renew the certificates? One where you do not have to export and then import (without getting crazy with Docker containers/scripts).
3 - Is there a reason to have a certificate for each DDNS (router and NAS)?
4 - Interesting that when I log in to my SRM using the DDNS address, I get the happy green lock, but with the LAN IP address I don't. How do I get that green happy lock to show up when I access the DSM via the DDNS address?

Thanks!
Attachments: router cert.JPG
1 - Should I (or is there a benefit to) change the default cert (or at least the one for the VPN Server) to the cert for the NAS? Or am I set up correctly already? Could I point the .ovpn file to the DDNS of the NAS (benefit?) or just leave it? I am not a power user; I am at the beginning of this journey (bought router and NAS about 6 months ago); first networking experience.
So the question here is: should you use the cert on your NAS or on your router?
2 - Is there a better way to renew the certificates? One where you do not have to export and then import (without getting crazy with Docker containers/scripts).
Out of the box, no. Especially if you wanna use a single cert for multiple devices.
3 - Is there a reason to have a certificate for each DDNS (router and NAS)?
Well, there might be a number of reasons. Do you need it? No. But for that, you will have to make certain changes.
4 - Interesting that when I log in to my SRM using the DDNS address, I get the happy green lock, but with the LAN IP address I don't. How do I get that green happy lock to show up when I access the DSM via the DDNS address?
This is expected. Considering that an SSL cert responds as secure when you use a domain name that it's registered with, the opposite thing happens when you don't use it. If you are accessing via the HTTPS protocol not using a registered name, you will not get a secure connection (well, it will be secure, just not validated). This is all well and correct.
So you have 2 things to do here. Use your DDNS name internally (your router supports NAT loopback, so there is no reason not to use it), or set up a local DNS server and zone to tackle this (not needed imho, considering that it will work without it).
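To illustrate why the lock shows for the DDNS name but not for the LAN IP, here is a small Python check written for this thread (example code, not from the forum or from Synology): a hostname-versus-SAN match of the kind a browser performs, plus a renewal-window check for the 90-day Let's Encrypt certificates. The SAN list and the name example.synology.me are constructed placeholders.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed SAN list standing in for the router's Let's Encrypt cert.
# "example.synology.me" is a placeholder, not a real DDNS name.
ROUTER_CERT_SANS = [("DNS", "example.synology.me")]


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive, one leftmost wildcard label only."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard must be the whole leftmost label and must not cover a bare TLD.
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(host: str, sans) -> bool:
    """True if the host typed into the browser is covered by the cert's SANs.

    An IP literal only ever matches an IP SAN and a DNS name only a DNS SAN,
    which is why https://192.168.x.x warns even though the TLS session is
    encrypted: the cert was issued for the DDNS name, not the LAN address.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for san_type, value in sans:
        if ip is not None and san_type == "IP" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and san_type == "DNS" and _dns_name_matches(value, host):
            return True
    return False


def needs_renewal(not_after_iso: str, now_iso: str, days_before: int = 30) -> bool:
    """Let's Encrypt certs last 90 days; renew once fewer than days_before remain."""
    not_after = datetime.fromisoformat(not_after_iso)
    now = datetime.fromisoformat(now_iso)
    return now >= not_after - timedelta(days=days_before)


if __name__ == "__main__":
    for host in ("example.synology.me", "192.168.1.1"):
        ok = hostname_matches_cert(host, ROUTER_CERT_SANS)
        print(host, "->", "green lock" if ok else "not validated")
```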
 
Hi. My usage of certificates is to minimise them, and the thing that would make me use more certificates is DSM's character limit for the Subject Alternative Names field: do I need more custom domains, reverse proxy domains, etc. than I can fit in that string (the limit is around 250 chars, I think)?
 
So the question here is: should you use the cert on your NAS or on your router?
Yes... and why? Trying to understand the principles so I could apply my own use cases. It seemed strange in my untrained mind that I would use the DDNS for my router in my .ovpn config file when I am trying to access my NAS. So, I'm wondering if I could/should use the DDNS for my NAS in the .ovpn config file and also use the cert from my NAS. Wondering if/how it matters. Also wondering if I ran VPN Server on my NAS, used the NAS DDNS in the .ovpn file and defaulted to the certificate associated with my NAS DDNS, then maybe I could use another certificate on the router associated with the router DDNS, and then when I entered the DDNS inside my LAN I would get the green happy lock with each.

Well, there might be a number of reasons.
What are just two use cases so I can get my mind juices flowing?
(well, it will be secure, just not validated)
Good to know that this is secure, just not validated by LE.

Do either of you recommend port forwarding port 80 just to allow auto renewal of the certs?
 
Do either of you recommend port forwarding port 80 just to allow auto renewal of the certs?
I do it, but all my web services use HSTS to force HTTP to HTTPS. It works for LE certificate renewal on the NAS.

Photo Station doesn't honour HSTS, so if you use this then you might want to think about addressing it.
 
Yes... and why? Trying to understand the principles so I could apply my own use cases. It seemed strange in my untrained mind that I would use the DDNS for my router in my .ovpn config file when I am trying to access my NAS. So, I'm wondering if I could/should use the DDNS for my NAS in the .ovpn config file and also use the cert from my NAS. Wondering if/how it matters. Also wondering if I ran VPN Server on my NAS, used the NAS DDNS in the .ovpn file and defaulted to the certificate associated with my NAS DDNS, then maybe I could use another certificate on the router associated with the router DDNS, and then when I entered the DDNS inside my LAN I would get the green happy lock with each.
This all depends on what will be your main DDNS/VPN access point. Personally, for me it's one of my NAS units and not the router. Reason? Because I had a NAS long before I had a dedicated non-ISP router that would even allow me this. That being said, I have learned to work with it and am too lazy atm to migrate, considering that I have a large number of users/services that depend on the current setup.
Is it wrong to have it on a NAS and not on the router, or vice versa? No, it can work fine in both scenarios.
What are just two use cases so I can get my mind juices flowing?
Maybe you want to separate some services running on the router or NAS, but I wouldn't recommend running 2 separate DDNS on 2 devices that you have under the same roof/ISP connection.
Do either of you recommend port forwarding port 80 just to allow auto renewal of the certs?
Well, I use DNS validation for LE and not port 80, but if you have no other choice and no need to use port 80, then leave it if it's a problem to open/close it every 3 months. It's up to you.
 
Still strange for me to think about having my VPN Server on my NAS but using the router DDNS to get to the VPN on the NAS. I guess then that it doesn't matter if I use the DDNS of the router or the NAS, b/c the VPN port forward set up in the router will send the VPN traffic to the NAS either way, right?
 
A separate question: I'm now at work (obviously not working yet :)). Logged in to my machine via VPN. But now when I enter my router DDNS (with the right :port), the connection times out. However, I can log in via the actual local IP address. Is that unusual or expected, and why?

I don't get the happy green lock on the browser, but per our discussion above it should be secure transmittal of data anyway (i.e. the VPN is working).
 
Still strange for me to think about having my VPN Server on my NAS but using the router DDNS to get to the VPN on the NAS. I guess then that it doesn't matter if I use the DDNS of the router or the NAS, b/c the VPN port forward set up in the router will send the VPN traffic to the NAS either way, right?
Correct.

However, I can log in via the actual local IP address. Is that unusual or expected, and why?
Expected, considering that probably your VPN network range doesn't have permissions on the firewall to get to that IP address/name on that custom port.
 
Rusty - I've been going back over my firewall rules and wanted to review this post, but the images are gone so it is much less useful. I think you are that same user (could be wrong). Do you have those images somewhere else, or have you done a post like that since that you can link to? I want to go over that before I make another post here (can't get my VPN to allow me access to NAS files on my laptop).
 
Rusty - I've been going back over my firewall rules and wanted to review this post, but the images are gone so it is much less useful. I think you are that same user (could be wrong). Do you have those images somewhere else, or have you done a post like that since that you can link to? I want to go over that before I make another post here (can't get my VPN to allow me access to NAS files on my laptop).
Sorry I have no connections to that topic.
 