Is Quick Connect Secure for Synology?

  • Published: Jan 31, 2023
  • Quick connect is an easy way to access your NAS outside of your home. But is it secure?
    Hire Me! www.spacerex.co/hire-me/
    Support the Channel & Get Early Access to ALL Videos: / spacerexwill
    #QuickConnect #Synology #ransomware
    Synology White Paper on QC: global.download.synology.com/...
  • Science

Comments • 111

  • @carsonhawley8838 1 year ago +35

    I appreciate the deep dive into how Quick Connect works under the hood. Your channel was a fantastic resource to me while shopping for (and setting up) my Synology NAS. Thanks for putting out such high quality videos. They really make a difference for new Synology users!

  • @versa319 1 year ago +6

    Well done, Will! Great video to educate and help us understand a little more detail of how QC works. QC is great for my small business. Thanks again! 👍🏽

    • @SpaceRexWill 1 year ago +2

      Thanks man! I recognize that logo! Hope you are doing well!

  • @superbaggio87 1 year ago

    Thanks again for the video very much appreciated, very helpful and informative, greetings from Italy

  • @brianhansen6906 1 year ago +3

    Thanks for doing this topic. I’ve been using it assuming it’s safe, but it’s good to have confirmation.

  • @MoToPoKePJeKa 1 year ago +1

    I was trying to set up DDNS with custom domain just to avoid brute-force offload of quickconnect addresses and knowing that someone potentially can see my Synology web address, but I was not successful with DDNS. So decided to open quickconnect and give admin account random 80 character password and different name. With 12-character passwords for other users. So based on your information I am fairly safe then. Nothing is 100% on the internet. Thank you for the video.

  • @PeterHonig. 1 year ago +6

    I find all your videos to be very informative, based on solid research, and superbly done. I found this one in particular to be especially useful, as it has given me the best and most relevant information that anyone has done on this topic. Kudos and many thanks!

  • @miguelgargallo 9 months ago

    Thanks Will, very awesome, makes me more in peace after seeing this

  • @thetechguy6004 1 year ago

    I have one very quick question. So I have 4 different synology NAS units two at my home and two at my work. I use QuickConnect on all of them for remote access to DSM as well as file transfers. The issue I am facing is that QuickConnect file transfer speeds on three of them are seemingly capped for some reason at around 300KBs whereas the fourth unit is running at near full sustained network speed at my home which is around 1.2MBs. Is there a way I can get the other three units to speed up the transferring of files remotely or is this not possible?

  • @twiblr 1 year ago

    Good video - much to think about.

  • @christianbram1959 1 year ago

    Thanks Will, again a very informative video. What would have helped me even more would have been a comparison of Twingate and Quickconnect. Since you published the Twingate Video just 3 days earlier I am now asking myself, what is the best solution for me.

  • @glennadams7047 1 year ago

    Good analysis !

  • @davidpeters7447 1 year ago +4

    You can setup 2FA as well.

  • @MrFreshgale 11 months ago

    Thanks!!!

  • @ethansturm3194 1 year ago +3

    Thanks for the video. I’m new to Synology and all of your content has been fantastic!
    Is there any way to tell when Quick Connect is going through the relay server vs direct WAN connection (or hole punch)?

    • @SpaceRexWill 1 year ago +6

      if you look for the 'direct' in the URL you know you are direct connected

  • @demzara 1 year ago +1

    Can you manually set up DSM and Mikrotik router to use hole punching? Or if you set a port forwarding manually will quickconnect use it for direct tunnel, instead of going through relay server?

  • @DaystromDataConcepts 1 year ago +1

    Great video! Thanks :)
    I would love to have you do case study type videos for the home user such as, and this is what I'd really like, the ability to have your Synology act like Dropbox.
    I simply want to have a folder and deposit files and then send anyone a link to download said file.
    Is this possible? I have heard of Synology Drive, but it seems rather involved and I was hoping for something more accessible to home users.

  • @EuroPC4711 1 year ago +1

    When using QC, can I block certain ports somehow? I'm comparing it to IPv4 where it is a good idea to block all ports on your router and forward what you definitely need.

  • @huishaai 1 year ago

    Goodday Spacerex Syno Obi-wan, I got a question: my Syno is taking endless time writing, scanning and what not, sometimes like a week. I read more users have these problems over the years, but I never found a reason, and even better a solution, I'm about to reset the whole thing and start anew. Have you got any Obi-wan news or tips? Thanks for the great videos! Very helpful and insightful.

  • @JeremyCobb 1 year ago

    Thanks Will, another great video and very reassuring. I would value your thoughts on moving up to Tailscale at some point, when you get time.

    • @SpaceRexWill 1 year ago

      I have a video planned with that coming out April 19th!

  • @cliff_cliff 1 year ago +5

    I'm glad you made this. If you read forums the general consensus is use a VPN connection or you're an idiot. I use quickconnect and all users use 2 factor auth. I've never had an issue and the NAS just works. Cheers

    • @SpaceRexWill 1 year ago +5

      The forums tend to be very gate keepery
      Is a VPN more secure: yes, but that then means you can’t share files from your NAS or get your family to backup their photos

    • @zaraza. 1 year ago

      For small organizations VPNs may be sufficient but in many cases they will not protect you from targeted attacks. It is often that companies get their network compromised through VPN because of vulnerabilities or leaked credentials. Also once VPN is breached the attacker often gains access to more than just a NAS, but other than this I am not convinced that QC will provide you with a better security.

    • @SmallSpoonBrigade 1 year ago

      @SpaceRexWill Yes, indeed. You can set up a VPN connection to the firewall server and from there to the NAS, which is very secure. It's also going to exclude those family members unless you give them the configuration files to connect themselves, which largely makes the whole exercise moot.

  • @notreallyme425 1 year ago

    I originally used QC, but then switched to DDNS and port forwarding. Can’t remember why… but I think it was because not all services (Active Backup for Business?) would work on QC. Now I’m using Bitwarden (Vaultwarden docker container) and I think DDNS with port forwarding is the best/only solution for that.

    • @SmallSpoonBrigade 1 year ago +1

      Probably the most secure thing would be to require a VPN connection to firewall computer and then forward anything coming in through the authenticated VPN to be forwarded to the NAS. But, that's probably not necessary for most users.

    • @aayush_dutt 1 year ago +1

      That's not a good practice to directly open any port to the internet all the time. Better to have a PiVPN and open just the VPN port and you can access your network through the vpn. That said, QC is better than raw port opening.

    • @notreallyme425 11 months ago

      Yes, my NAS is exposed with DDNS but with strict firewall rules and 2FA in place I’m not worried about it. I keep the nuclear codes stored offline 🤣

  • @MrTubertub 1 year ago

    Thank you for the video. What about extra Security with 2fa isn't that possible?

  • @malm1231 1 year ago

    Hey m8, I'm having some connectivity issues I think - is there a way to set up my SMB with my NAS using quickconnect? I was hoping to make it appear like a folder in Finder the way it does when it is local. Having trouble finding info online. Could this be a port forwarding issue (even though it is handled by DSM7) or am I asking the wrong things of my NAS

  • @zakinthetube 1 year ago

    Do you suggest to activate firewall of the nas itself? It works well?

  • @braticuss 6 months ago

    I use one of my NAS for Surveillance Station. Is there a benefit to using VPN over QC for viewing recordings remotely? Or would it essentially be a wash due to the network speed limitations?

  • @tomdegnan7001 10 months ago

    Do you have a tutorial video anywhere on how to disconnect quick connect and connect a different way? I would like to install tailscale but can't do that when on via quick connect?

  • @SilverOrlov 5 months ago

    Almost a year has passed. I am new to this topic; are there any positive changes regarding "showing my NAS to all the World"? I tried to make some hard settings (https, inner vpn, ports, router and so on) but I'm not sure that I did everything. I want to hide my NAS and make it maximally secured, but I feel that I am not as experienced in this stuff and it's easier to simply use that QC+2fa.

  • @bellahermosa3581 1 year ago

    Hello, I am new to Synology NAS. I am using a Nighthawk wifi router to my computer and my Synology NAS is plugged in directly to my wifi router. My question is how can I connect my Synology NAS directly to a DNS server or use a domain host name to open my Synology NAS if I'm using a wifi router (not on Ethernet). I hope you get what I mean. Because I don't want to always use quickconnect to open my Synology NAS.

  • @gz625 1 year ago +31

    I'm absolutely not a fan of the hardware Synology offers for the money they are asking, but on the software side it's the best in the NAS world for home users.

    • @ILoveTheAllCreator 1 year ago +2

      What would you suggest as alternative

    • @ILoveTheAllCreator 7 months ago

      @hundredfireify I tried doing it with my computer and it was frustrating not having the apps on my phone that tell me computer temps, wake on, storage size, status, etc.

    • @btam83 6 months ago +1

      You’re not paying for hardware, you’re paying for software

  • @WalkingDday 11 months ago

    Perhaps it arrived after this video was made, but I use two step authentication.

  • @Losschris1 1 year ago +1

    MFA helps too

  • @djepodjepo 1 year ago

    But QuickConnect is super slow right!? Or am I doing something wrong? I can't get more than 1 Mbps up/down

  • @DavidM2002 1 year ago +8

    I'd be really interested in comparing QC to Tailscale in two key respects :
    1) Synology appears to "take calls" from both your local and remote devices and then hand off that connection so that it's direct. If I understand correctly, an open port on the router is still required ? Or is that port only opened upon request of QC ?
    2) How much better or worse is file sharing on QC vs Tailscale ?

    • @supernumex 1 year ago +1

      I absolutely also want a comparison with Tailscale.

    • @zaraza. 1 year ago +1

      Open ports for inbound connections are not required, since QC will fall back to the Synology relay service if it's not possible to establish a direct connection between the client and NAS. If your firewall allows hole punching then QC will try that first to make direct connection possible.

    • @EuroPC4711 1 year ago

      @zaraza. How do I allow holepunching? By enabling upnp on my pfsense/router? And after 2x has punched a hole in my router, does it close the hole after a certain time or does it stay there for later usage?

    • @EmilePolka 1 year ago +1

      tailscale is:
      - open source
      - based on wireguard
      - uses strong encryption
      - the provider itself doesn't know what's happening in your tunnel
      - keys change every time you connect/reconnect to another tailscale connected computer
      - login security is pretty much handled with the most experienced guys out there (google, github etc..)
      quickconnect:
      - not open source
      - damn who knows how their tunnel works
      - is it even secure to begin with?
      - are you even sure that they're not snooping on your traffic while in proxy mode?
      - your login security is heavily dependent on your NAS
      if you know how wireguard works in terms of handshake, yeah is damn secured as the tailscale relay itself really don't take with that handshake anymore even if you're connected via DERP servers.

  • @seemoris 1 year ago

    Do you do consultations at all?

  • @fabriceneuman 1 year ago +2

    Hi, thanks for this video. I do agree with and I enable QuickConnect on all my clients' Synology boxes. FWiW, the login page of your demon server was still accessible as I'm writing this comment 😉. I still have a doubt on one aspect: does Synology Drive also use direct LAN connection if you use the QuickConnect name in the setup? Thanks again.

  • @Alex-lp6bg 1 year ago

    Do you have a tutorial on using cloudflare instead?

  • @sonicinchen 1 year ago

    Combined with 2FA hardware wallet is it a good option

  • @nixxblikka 1 year ago

    I think the backdoor for guessing the url is let's encrypt? They list everything?

    • @SpaceRexWill 1 year ago

      I haven’t been able to find a list of all the let’s encrypt sites. Do you know of one?

  • @StevieMacVFX 9 months ago

    So if my ISP has blocked port forwarding can I only use Quick connect to get access to my NAS externally?

  • @DaystromDataConcepts 10 months ago

    Can anyone here please help me? When I enable the Quickconnect check box and then click continue when taken to my Synology account page, the Quickconnect ID field is greyed out, preventing me from typing in anything there. I've tried DDNS, but my router isn't automatically detected and I am having trouble with port forwarding as I don't know what I'm doing.
    I am connected to my NAS directly using a static IP address. All I want to do is to setup Quickconnect, but it's not working for me at all.
    HELP!! :)

  • @drrobotnik80 6 months ago

    Do you have a video creating an ssl certificate? I keep getting the message saying it's not private.

    • @MiguelRedPy 5 months ago

      On the LAN, unfortunately, it will always tell you that it is insecure. SSL certificates will only work for WAN connections

  • @RBzee112 1 year ago +1

    I use it with 2FA TOTP.

  • @dtownssqwe 11 months ago

    Wasn't there an issue last year with ransomware attacks on Synologys?

  • @ehoenig 10 months ago

    2Factor Authentication is the next security step.

  • @DlxyRekt 1 year ago +2

    Had to use it for synology drive and photos on mobile due to cloudflare's 100mb rule

  • @sproid 3 months ago

    Quickconnect is great until I notice there's no way to use it as replacement for webdav to sync contacts. Is good but very limited. Now I'm hoping either synology create a way to sync contacts with it or for Proton(mail) to create it first.

  • @bryansmith775 1 year ago

    “Yes, but is less secure than no port forwarding at all” 🤯🤯

  • @BGCGC1 1 year ago

    Any idea why the mobile login page does not use 2MFA? It just lets me log in with username and password.

    • @SpaceRexWill 1 year ago

      You have to enable MFA for each account

    • @BGCGC1 1 year ago

      @SpaceRexWill thanks, where can I find it to enable for mobile?

  • @EmilePolka 1 year ago

    6:23 well that's what at least they want you to know to be honest.

  • @skpowerz 1 year ago

    Is quickconnect possibly the cause of my slow download speeds? I have a Synology that I connect to externally through quickconnect with SynologyDrive. Very simple setup, 1 shared folder, no extra configuration at all. Files that are not local get downloaded at speed of max 50-70 KB/s. Speedtest at both locations shows ~100 Mbps.
    After a few google searches I see a few people mention that this might be because of quickconnect. Is it true? Any fast fixes/tests I can do?

    • @zaraza. 1 year ago

      If QC uses synology relay instead of a direct connection then the performance will be usually bad. At least this is my personal experience. Alternative is to open your firewall for inbound connections and configure NAT (risky security-wise) to allow direct connection between NAS and client or set up a VPN or a cloudflare tunnel etc. But if you don't know how to do it it's probably better to stay with QC since you don't have to worry too much about more complex configuration as opposed to other methods.

  • @markpreston1385 1 year ago

    How about comparing Quick Connect to Tailscale?

    • @MiguelRedPy 5 months ago

      Tailscale is better

  • @LUNTK 11 months ago

    1:41 2:10 2:32 3:48 5:50 11:20

  • @jakesecondname2462 1 year ago

    Is there a way to turn Quick Connect off outside of specified hours, and deny connections coming from outside of a specific country or region?

    • @DavidM2002 1 year ago

      Perhaps set up a firewall rule ? But I think you may end up with a can of worms before you get what you want.

    • @jakesecondname2462 1 year ago

      @DavidM2002 yeah I think you're probably right

    • @zaraza. 1 year ago

      Cloudflare allows for geolocation-based filtering etc. if you have domain registered with their service. But this will not work with quickconnect so you'd have to open your FW for incoming traffic. I think their zero trust tunnel or some VPN solution is probably a more secure option. Alternatively you could set up a reverse proxy with geoip filtering for example with a combination like pfsense+haproxy+pfblockerng.

    • @williamhicks2763 1 year ago +1

      @jakesecondname2462 I’d check the Synology forums. I would bet someone has written a script or something that could do that. If you know any Linux, or someone that does, I think most things are possible.

  • @billyjoe3309 8 months ago

    Don't wanna use quickconnect, wanna use local IP but that only works for the DSM panel, not for rsync or FTP.

  • @Glowinglight230 1 year ago

    Asustor recently had a hack that involved their ez connect. While I am sure Synology does their homework, if a hacker ever got into people's systems on a wide scale they would make more money than they did with Asustor. More $$$ means Synology has a bigger target on their head. VPN is the method I am going.

  • @ChrisTheDBA 1 year ago

    can you just delete the default 'admin' user?

    • @SpaceRexWill 1 year ago +2

      You cannot, you can disable it which is basically the same

  • @dcretney 1 year ago +1

    I would really, really like to know if SynologyDrive security is sufficient enough…??

    • @brianhansen6906 1 year ago

      I presume you mean the Synology drive desktop app. I don’t know why it wouldn’t be if you’ve selected to have it connect via HTTPS. Everything is encrypted then. That’s what I do. I only quick connect in to access apps or files that I don’t have connected through drive. But almost everything I do is synced through drive.

    • @dcretney 1 year ago

      Wouldn’t synologyDrive desktop app and NAS package just open more opportunity for breach? Don’t get me wrong, I want to use it, but I’d like to see somebody explore and discuss its security…

    • @brianhansen6906 1 year ago

      @dcretney I’m not sure what NAS package you’re referring to, but Synology Drive connects using your connect ID (if that’s what you put into it, and you need for external access) so it’ll connect the same as the quick connect through the web browser. At least that’s my understanding.

    • @davidcretney9921 1 year ago

      Ok, thanks for the reply. I might not be remembering correctly since it was more than a month ago, but I thought I had to install a package on the Nas to enable SynologyDrive. It’s likely I am wrong.

    • @brianhansen6906 1 year ago

      @davidcretney9921 oh yes, you’re actually correct. I was having a brain fart at the moment. You had to install Synology Drive Server and Drive on the NAS. But since you sign in from the app on your computer using your quick connect ID, as long as you have the option checked in the app to connect with SSL then everything should be encrypted and it’ll connect through to your NAS through quick connect just without you physically opening the browser and logging into your NAS.

  • @Nimitz_oceo 3 months ago

    You failed to mention that if you truly want to be secure you never enable quickconnect without MFA. Synology’s own secure sign in app is great for MFA. So turn on MFA and quick connect plus a very long address you should be safe

  • @maximumwoof8662 7 months ago

    :00 - :01 - "eye howz yun yo" ???????????????????

  • @infamouse9149 1 year ago +1

    anybody got a TL:DW answer to the title question? Is it secure or not?

  • @Crazy--Clown 1 year ago

    I come across so many ppl even IT guys that are just too lazy to keep the updates happening and this included your PC firmware (Bios Updates) many are including CVE's so don't be that lazy one

  • @MarcAndreLevesque 1 year ago

    As secure as something connected to the internet can be. You want your Synology secure, don't open it on the internet. Period.

  • @JohnSmith-zl8rz 1 year ago

    I don't need external access so I don't need it.

  • @Perseca 1 year ago

    😨 someone with an 8-character password giving security advice... oh no no no no no...
    use a password manager, 16 character minimum, preferably randomly generated, and limit the number of login tries in your Synology security settings
    you don't want to assume the current security environment will never change... go a step or two or many beyond the minimum so it doesn't become a problem you have to deal with later

    • @SpaceRexWill 1 year ago

      actually new advice says you need at least 32 characters, and including at least some emoji to extend the possible keys by 10x

    • @EuroPC4711 1 year ago

      I usually use a password-manager for that. And all these passwords worked well. Until I set up OpenVPN from the Synology VPN package. I configured a user only for establishing VPN connections and login kept failing. Unfortunately my DSL modem/router only speaks IPSec, which I do not want to use for mobile devices.

  • @eneillewis 9 months ago +1

    Thanks!