DDNS + Reverse proxy, and an extremely locked down firewall is the way I've been doing it for years. Since then, I've not had one single unauthorized access attempt. Admittedly it takes quite a bit of initial configuration, but from a performance and flexibility standpoint, while still being secure (enough) I feel that there's no substitute.
Same here.
I can't use VPN or Tailscale on my work PCs, so DDNS + reverse proxy, change ports, disable admin, disable QuickConnect, block IP after 2 failed attempts, firewall, block lists, 2FA, etc. keep me in control.
If you know what you are doing and set up all the required measures listed in the comments above, the only worry you will have is your own NAS users and maybe the NSA guys.
I do the same: custom domain, reverse proxy, strict firewall rules, Cloudflare WAF, and follow all security best practices (disable admin, 2FA, changed ports, etc.). Haven't had a single attempt. Using a VPN app is not an option for me, but I might try Cloudflare Tunnel in the future after they removed some of their restrictions on streaming video.
This was great, always good to watch a refresher video like this to keep you mindful. I use a mix of NGINX Proxy Manager and Wireguard-UI in Docker. All ports closed except for those services. Aside from the 3 user Tailscale limit, I'm not a fan of installing the Tailscale agents on all my devices. The VPN just is easier to use and maintain.
Best video on the whole topic! Should be a sticky on r/synology for all newbies
Thank you for the kind words! Glad it helped!
I run a ZeroTier Docker container on each of the four Synology NAS boxes that I manage for various members of my family. I've never had any complaints about connection speed although, to be fair, none of the NAS boxes streams video outside of the local LAN. For me, the biggest win is the ease of setup, regardless of whether the NAS is sited behind a NAT or CGNAT connection. The other win (for one of the family) is "transparent" access to his NAS when he is working, in Scotland, and the NAS is at home in Portsmouth. Finally, there is no ongoing cost, because the node count is comfortably within ZeroTier's free-use ceiling of 25 nodes. I'm sure Tailscale would do just as good a job. But "if it ain't broke don't fix it"....
Excellent video, Frank. The recap of all the options was great, and I personally vote Cloudflare, but with added layers of security + 2FA + Cloudflare firewall rules.
Thanks for watching, Avi!
Very handy tips and info, but I just like to keep it simple... Use QuickConnect, 2FA, IP blocking after wrong attempts, geographical IP rules, and some other firewall rules.
My needs are fairly simple and Tailscale works beautifully. The user count may not be that relevant to many people; it's the device count that may matter most. I have 8 devices on Tailscale under a single user.
Self-hosting a VPN, if you don't have a static IP (or do not want to pay for it), you also need to set up DDNS.
I use DDNS + reverse proxy through a port forwarded Emby docker container server to access my media. Is that still as insecure as port forwarding the port of the NAS itself?
Good to learn about the different options to access externally, still just a bit confused how to decide which one is best for me. Would love to have seen a tutorial on how to set them all up but can do that research separately.
Thank you for the helpful guides. Would you be able to do a guide about setting up DNS and Tailscale? I would love to be able to access services with a subdomain name instead of IP addresses and ports.
I followed your AdGuard guide and it's working great. Since then I have spent a lot of time and headache trying to figure out the best way to do subdomain names for my services.
Spot on as always, thank you.
How about using the built-in VPN on my Synology router?
Great option!
Very nice sum-up!
I've been thinking of getting a NAS, but didn't like the idea of it being connected to my router which has access to the internet. And then I decided when I do get a NAS, then I'd just buy a separate Wi-Fi router and connect it to that which won't have internet access. As I'd want to access the NAS via Wi-Fi as I use laptops and wouldn't want to have to plug in a cable every time I needed to access a file stored on the NAS. Or there may be a better way of doing this.
But I like the idea of a NAS that does data integrity checks, and if I replace a hard drive, it can go ahead and copy the files over from the other drives. I'd run mine in mirror mode where 2 or 3 of the drives are all mirrored. I like that better than RAID where it's failed on people during rebuild or whatever.
Just for reference: Headscale won't work behind a CGNAT, it would require a public IP, so for Headscale we'll need a cloud server where we can deploy it.
Thanks for the information. If I want to access a Docker app from outside the network, can I do that with Tailscale?
Yes, that will work!
@WunderTechTutorials thanks, I'll try that!
@WunderTechTutorials I've not managed to get Docker containers working on a macvlan network yet. Do you have any guides or tips about this case?
It is actually OK to port forward DSM, as DSM is designed to be exposed to the internet provided you practice good security measures: 2FA and a strong password. And always keep your DSM up to date.
I'd recommend that you don't do that, but if you do, use Synology's Firewall to limit traffic down as much as you can.
Need to access Synology Photos to view and back up photos (doing so via QC on iPhone/Android app). External connection is slow. Synology KB says to open ports 5000 & 5001 for better performance, but you say not to, why? Any other suggestions to view and back up photos via app with better performance (and of course safely) than QC?
Best option is to use a VPN.
Wow, I just need a NAS, not sooo many terms I have no clue about lol. Let's do it later, I cry.
Why don't you talk about Netbird or ZeroTier?
I never have issues with DDNS.
There's a 3rd: people that DON'T NEED to access the NAS outside the network and also have in mind staying away from being hacked. That's me.
First one 😊
Tailscale