It has been quite some time since I started using Synology as my NAS (thanks JeromeH for the suggestion!) – it has been great, and its software is one of a kind. Recently I experienced a problem – although remote access using ssh tunneling / VPN is very safe, it is not very user friendly, especially when connecting from the Synology apps on a non-rooted Android device.
Eventually I decided to have a go at simply exposing the Synology NAS ports to the web, making the connection as secure as possible in the process.
1. Tried Synology QuickConnect, but dropped it pretty quickly: a) it is awfully slow, b) everything is proxied over Synology servers, which explains the slowness, and I cannot call it very secure either.
2. DDNS with port forwarding of the HTTPS ports and the default (self-signed) SSL certificate (443 for PhotoStation and 5001 for the rest of DSM) – very slow, very unstable. I read about the possible reasons why and understood that getting an SSL certificate for the DDNS hostname would probably resolve the issue, as apparently a lot of time is spent just negotiating exceptions around the self-signed certificate etc.
3. DDNS with port forwarding and an SSL certificate. This setup was a wee bit more complex and expensive, but the result is really usable compared to 1 and 2:
   - had to get an SSL-supporting DDNS provider; went with noip.com since it is well supported on DDNS-supporting routers and since I was already using it with the free account, which has to be confirmed every month, which is a bit irritating anyway 🙂
   - bought a domain for this purpose (any domain provider will do) and set it to be managed by the noip.com DNS servers
   - bought a managed DNS service for my domain from noip.com and set up the subdomains, including the one to be used for Synology remote access
   - set up DDNS IP address renewal for the new subdomains and checked that it works
   - bought a RapidSSL certificate from noip.com for the subdomain to be used for Synology remote access – there is a procedure to confirm the SSL certificate; part of the process is receiving an e-mail sent to the admin user of the subdomain, which is easiest if you already point your MX records to a mail server and can control the forwarding of wildcard e-mails
   - make sure to use the intended ports in DSM – 5001 for HTTPS (Control Panel -> Network -> DSM settings) and 443 for PhotoStation (default) – they can be forwarded by the router to different external ports
   - note – PhotoStation is a special beast, not really well integrated with DSM; it seems to pretty much ignore port settings, so just assume it runs on port 443 and use that with forwarding for the most reliable connection
   - enter the hostname and the external DSM HTTPS port in the Control Panel -> External Access -> Advanced section of DSM
   - import the SSL certificate associated with the hostname in Control Panel -> Security -> Certificate
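
Once the certificate is imported, it is worth confirming from outside the LAN that both forwarded ports really serve it. The script below is an added example, not part of the original setup notes: it performs a fully verified TLS handshake against each port and reports why verification fails, or how long the certificate has left. The hostname `nas.example.com` and the function names are placeholders and assumptions.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Ports from the post: 5001 for DSM over HTTPS, 443 for PhotoStation.
# If the router forwards them to other external ports, list those instead.
PORTS = {"DSM": 5001, "PhotoStation": 443}


def review_cert(cert, now=None, warn_days=30):
    """Findings for a certificate dict shaped like ssl.getpeercert() output."""
    now = now or datetime.now(timezone.utc)
    findings = []
    # Identical subject and issuer means self-signed. After a verified
    # handshake this only shows up if that certificate was trusted by hand.
    if cert.get("subject") and cert.get("subject") == cert.get("issuer"):
        findings.append("self-signed")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (datetime.fromtimestamp(not_after, timezone.utc) - now).days
    if days_left < 0:
        findings.append("expired")
    elif days_left < warn_days:
        findings.append(f"expires in {days_left} days")
    return findings


def check_endpoint(host, port, timeout=5):
    """TLS handshake with chain and hostname verification; returns findings."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return review_cert(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # Typical causes: default self-signed certificate still being served,
        # or the certificate does not cover this hostname.
        return [f"verification failed: {exc.verify_message}"]
    except OSError as exc:
        return [f"connection failed: {exc}"]


if __name__ == "__main__":
    # nas.example.com is a placeholder; pass the real DDNS hostname.
    host = sys.argv[1] if len(sys.argv) > 1 else "nas.example.com"
    for name, port in PORTS.items():
        print(f"{name}:{port}", check_endpoint(host, port) or "ok")
```

Run it from a network outside the home LAN with the DDNS hostname as the only argument; an empty findings list is printed as `ok`.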