MOMA
Where people work, there will always be mistakes.

Remotely accessible Synology NAS secured with Let’s Encrypt

I have a Synology NAS, a pretty fast internet connection, and a friendly ISP with an awful router-modem. If you have a similar setup, these notes will help you set up a remotely and locally accessible Synology NAS using dynamic DNS with a domain name and a free SSL certificate provided by Let’s Encrypt. These notes assume you are already somewhat familiar with terms like port forwarding, and know how to set up intermediate configurations on your router such as reserving IP addresses.

Configuring the network and router

If you haven’t already, start by giving your NAS a static IP address so it has a consistent and predictable address. Typically this will have to be done outside your router’s default DHCP range. I have my range set to start at 100, giving me more than enough addresses to play with.

For consistency in these notes, I’m going to assume the following variables; you can of course change them as you like:

Next, set up port forwarding on your router to forward incoming requests from the internet, via your router, to your NAS. If you are lucky, and your router handles UPnP well and plays nice with/is supported by Synology, you can use the wizard found in XXX to have the NAS open the appropriate ports for all the services itself. If, however, you’re not so lucky, you will have to set up these ports manually (there are a lot).

In my case, I only really want to access the DiskStation web panel and Plex remotely, which requires just three entries. Besides, I’d rather open ports (and expose services to the public internet) as I need them, rather than open everything at once. By default, Synology’s HTTP and HTTPS ports are 5000 and 5001, respectively, but these can also be changed to your liking in XX. I’m going to assume that you left them as defaults. Your port forwarding entries on your router should look, at a minimum, like this (excluding Plex), where “Server IP Address” or your router’s equivalent is the IP address of your NAS:

Now that your router can communicate with the internet, you need to find out if you can reach it using your public IP address. 99% of the time, you will be allocated a random (dynamic) IPv4 address from your ISP, so first find out what your public IP address is. Then make sure you’re not behind a Carrier Grade NAT (CGN), which is basically when your ISP has a public, internet-facing IP address and then gives you a local (e.g. 10.x) address on their network. It’s the equivalent of being behind another router and is very difficult to work with unless you can either get a static IP from your ISP (best solution, but unlikely), get a dynamic public address (fine solution, I did this), or use a VPN/tunnel (hard, and I won’t get into this). The quickest way to check if you’re behind a CGN is to find the public IP address your requests are coming from, and then go into your router and look at the WAN address (or something similar). If they are the same then you’re all good; if they are different, then you’re most likely behind a carrier-grade NAT.
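The CGN check described above, as an added example that is not part of the original post: given the router’s WAN address and the address the internet sees, it reports whether the two match. Beyond the post’s "10.x" case it also treats the other RFC 1918 private ranges and the RFC 6598 shared address space (100.64.0.0/10, reserved for carrier-grade NAT) as signs of an upstream NAT; the addresses in the example are constructed.

```python
import ipaddress

# Ranges that mean the router's WAN side is not a public address.
# RFC 1918 private space is the "10.x" case from the post; RFC 6598
# 100.64.0.0/10 is the shared space reserved for carrier-grade NAT.
NON_PUBLIC_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
]


def classify_wan(wan_ip: str, public_ip: str) -> str:
    """Compare the router's WAN address with the address seen from the internet.

    Returns:
      "direct"   - WAN address is public and equals the observed address;
                   port forwarding on the router alone can expose the NAS
      "cgn"      - WAN address is private/shared space, so the ISP is NATing
                   you and inbound port forwarding will not work
      "mismatch" - WAN address is public but differs from the observed one
                   (stale reading, or another NAT layer in between)
    """
    wan = ipaddress.ip_address(wan_ip)
    public = ipaddress.ip_address(public_ip)
    if any(wan in net for net in NON_PUBLIC_RANGES):
        return "cgn"
    if wan == public:
        return "direct"
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample readings (documentation/test address ranges).
    for wan, seen in [("203.0.113.7", "203.0.113.7"),
                      ("100.72.1.9", "203.0.113.7"),
                      ("10.20.30.40", "203.0.113.7")]:
        print(f"WAN {wan:<14} seen {seen:<14} -> {classify_wan(wan, seen)}")
```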

Once you have your public IP address, confirm that you can in fact connect to your NAS using it. If you can, then you’re ready to set up dynamic DNS (only needed for dynamic IP addresses) and a domain to resolve to it.

Setting up dynamic DNS, reverse proxy, and a domain name

Dynamic IP addresses are annoying in the sense that they are, well, dynamic. Thankfully, dynamic DNS (DDNS) services pretty much take care of these annoyances and ensure that your hostname always resolves to the correct address by checking and updating the DNS record automatically with whatever IP address you have at that time. Synology even has built-in support for a number of DDNS providers, including their own free-to-use DDNS, which we will be using here. The benefit of Synology’s DDNS is that you do not have to re-authenticate your account every 30 days, a common security measure against spam at many other providers if you’re using their free plans.

To set it up, navigate to External Access > DDNS and click on “Add”. Choose “Synology” as the provider and fill in the information. The only things you really have to decide on are what you would like your hostname and Synology domain to be, and whether you want to enable notifications (called Heartbeat) in case the connection dies. Again, I’ll just assume your name is mynas.synology.me. Click on “Test Connection” to once again ensure that your NAS is accessible from the outside internet.

Setting up DDNS with your own domain varies depending on your provider. Namecheap offers DDNS and it’s pretty easy to set up. Synology’s 3rd-party DDNS function is, however, very buggy, and will throw errors at you even though it’s updating the IP address just fine. I skipped adjusting the update URL to support Synology’s DDNS variables and just hardcoded the values in the URL; so far it seems to be working fine.

Once you have DDNS set up, you have two options: set up access via a domain name, e.g. mynas.mytld.com, or just use the Synology domain name you just set up. You can also use both, and have two URLs to connect from. In both cases, if you access, say, mynas.synology.me and your port forwarding is working, you should be forwarded to mynas.synology.me:5000 and see your NAS login screen. If you are getting timeout/connection errors, check out my note at the bottom of the page on how to fix it.

We can clean this up a bit further, remove the port numbers entirely and make for a much cleaner URL by setting up a reverse proxy. Navigate to Control Panel > Application Portal > Reverse Proxy. I created 4 records: an HTTP and an HTTPS record for both my own domain mynas.mytld.com and the Synology domain mynas.synology.me. The destination ports for HTTP and HTTPS would be 5000 and 5001, respectively, if you are using the default Synology ports, and of course, enable HSTS and HTTP/2 on your HTTPS connections. Now when you navigate to mynas.synology.me you should see your DiskStation panel right away, and not be forwarded to the :5000/:5001 address.

Getting a Let’s Encrypt certificate

If everything above has been set up correctly, then getting a Let’s Encrypt certificate will be incredibly easy. Navigate to Security > Certificate and click on “Add Certificate”. Then simply choose the option “Get a certificate from Let’s Encrypt” and follow the wizard. For the domain name, you can enter either your own domain or the Synology domain; it doesn’t really matter, because underneath, in the “Subject Alternative Name” field, you can add the other domains you have set up to access your NAS from. This is very useful if you, for example, host websites or want to access other Synology services via domain names. A single LE certificate will cover all the specified domains, removing the need to request individual certificates and (potentially) hit LE’s rate limits. Once your certificate request comes through, your Synology’s web server will restart. Once it’s restarted, you should be able to access your DiskStation via HTTPS.

Hardening your NAS

Now that you have publicly exposed your NAS to the internet, you should probably take a few extra steps to secure it against potentially malicious or curious individuals snooping for vulnerable Synology NASes. Some of the things that I did include:

  1. Disable the default admin and guest accounts. I created my own personal account with admin rights and enabled extra security measures like 2-factor authentication to ensure it stays safe. For “guest” users, I have a separate account intended to be used by family or friends to whom I’ve given the password. This account has only read access to select folders (TV, movies, etc.).

  2. Enable DoS protection and auto-block for brute-force attempts. DoS protection and auto-block can be set up under Security > Protection and Security > Account. At the moment, I haven’t set up more granular account protection (disabling an account after X failed login attempts) or trusted clients, but the option to do so looks very interesting.

  3. Always install the latest Synology updates. I have it set up so updates are automatically downloaded and installed in the night between Sunday and Monday. If you’re worried about Synology breaking something, then you can also set the update channel to only get the latest critical and security updates.

End notes

Fixing loopback issues: first make sure that your ports are set up correctly, and that the DDNS service can reach your NAS. If it can, try connecting to mynas.synology.me from a device that is not on your LAN, like your phone. If you can reach it using a device not on your LAN, then your router cannot correctly handle loopbacks. To fix the loopback issue, download the DNS Server package from the Synology Package Center and