Securing your Synology with VPN

I’ve not been shy about wearing my love of Synology Diskstations on my sleeve. As an IT Consultant it’s fairly common to establish a set of tools or recommendations that are go-to options you regularly put in front of clients, but the true test of whether or not those tools and recommendations are worth considering is to turn to your IT person and ask them if they use those in their own businesses. Some things don’t make that cut because they don’t necessarily apply (for example, I have no need of an Okta setup) and others are either cost-prohibitive or simply recommended due to a paucity of options. The NAS space falls into all of those prohibitions, but it says something that a lot of consultants I regularly work with eat their own dog food when it comes to Synology. I know I do. I’ve bought two of the things, after all, and they were both purchases that not only fail to fill me with regret, but that make me quietly relieved. They’re the kind of thing that you put in place, configure, and then leave alone knowing with absolute certainty that they’re doing their job, and that you don’t have to worry about them.

It’s the configuring part that’s kind of interesting, though. There are options in that area that you can go with out of the box that hit the essentials of whatever you’d like to do, security-wise; either keep the thing off the internet entirely, use Synology QuickConnect, or use a VPN.

QuickConnect is fine, but it’s not exactly bullet-proof. Any time you’re opening up a device to the internet at large you’re painting a target on its back, and yes, QuickConnect offers some reasonable protections but it’s fundamentally a way for remote users to connect to specific services, and as such requires exposure of those services. There are times when it’s the only option (when, say, your NAS is hosted at your office behind a captive portal), and there are a lot of things you can do to beef up security to compensate (locking down ports and services, setting up a reverse proxy, using your own domain name, extensive 2FA usage and so on).

Fortunately, setting up a VPN on your Synology box is easy to the point of trivial, provided your DiskStation has a routable connection to the internet that you have some kind of control over. (You’ll need to be able to open the appropriate ports for VPN.)

Synology VPN Server is freely accessible from the Package Center of your DSM – once downloaded, open the VPN Server package and click on OpenVPN to configure it. Doing that is terribly simple; just check the “Enable OpenVPN Server” box and choose the maximum number of connections you want to allow.

Note the port that’s opened (1194), and if you want to allow users to connect to other devices and services on the target network then you’ll need to check the box marked “Allow clients to access server’s LAN”.

Synology can do a lot of the heavy lifting for you if you’re lucky enough to have a router that its router configuration (Control Panel -> Router Configuration) can talk to. If you’re in that group then the wizard can walk you through configuring port forwarding; if you’re not then you’ll have to go get access to your router and manually set up port forwarding for port 1194. Going into that is somewhat out of the scope of this article. I mean I can’t see your router model, or write directions for every single one. I’d be here all day.

“But,” I hear you ask, “doesn’t this only apply if you have a static IP address? How will the internet know where my Synology is? My internet provider is terrible and only gives me static addresses if I sign up for their exorbitant business account that’s vastly slower than a residential account despite the fact that it’s on the same exact line and using the same exact modem!”

This is a good point (although oddly specific). Happily, Synology DSM makes it extremely simple to set up DDNS. In the Control Panel, choose “External Access” and then click the DDNS tab. If you have an existing DDNS setup (mine is hosted with dyndns) then you can enter your credentials here, or else opt to use Synology’s included DDNS solution (synology.me). The DDNS client on the Synology DSM runs out and talks to Synology’s DDNS server and updates its current address.

After that, it’s simply a matter of configuring your VPN Client to connect to your newly-created VPN. Handily, you can do a lot of the work by clicking on the “Export Configuration” button at the bottom of the OpenVPN configuration window. This will download a text file and a certificate that you’ll need to install onto your computer to work with your OpenVPN client – Synology includes a helpful read me file that details exactly how this process works and recommends an OpenVPN client for each major platform.
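An added example, not part of the original post or Synology's own tooling: a small Python check to run over the exported client profile before importing it into an OpenVPN client. The sample profile is constructed, and its placeholder host name and commented-out redirect-gateway line are assumptions about what an export may contain.

```python
import re

# Constructed sample profile (assumption: not copied from a real DSM export).
SAMPLE_OVPN = """\
dev tun
tls-client
remote YOUR_SERVER_IP 1194
#redirect-gateway def1
proto udp
ca ca.crt
auth-user-pass
"""

def active_directives(text):
    """Map directive name -> list of argument lists, skipping comment lines."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        found.setdefault(name, []).append(args)
    return found

def lint_profile(text, expected_port=1194):
    """Return findings as (severity, message); an empty list means clean."""
    d = active_directives(text)
    findings = []
    remotes = d.get("remote", [])
    if not remotes:
        findings.append(("error", "no 'remote' line, client has no server to dial"))
    for args in remotes:
        host = args[0] if args else ""
        # OpenVPN falls back to 1194 when the remote line carries no port.
        port = int(args[1]) if len(args) > 1 and args[1].isdigit() else 1194
        if re.fullmatch(r"[A-Z_]+", host):
            findings.append(("error", f"remote host '{host}' is still a placeholder"))
        if port != expected_port:
            findings.append(("error", f"remote port {port} != forwarded port {expected_port}"))
    if "ca" not in d and "<ca>" not in d:
        findings.append(("error", "no CA certificate, server identity cannot be verified"))
    if "redirect-gateway" not in d:
        findings.append(("warn", "redirect-gateway inactive, internet-bound traffic may bypass the tunnel"))
    return findings

if __name__ == "__main__":
    for severity, message in lint_profile(SAMPLE_OVPN):
        print(f"{severity}: {message}")
```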

So, there you have it; a simple way to connect to your own network when traveling or working remotely, safe in the knowledge that you’re protected from man-in-the-middle attacks and able to access your critical data in a secure and safe manner.
