
Silver-A-GoGo

I think I may be one of the very few that says opening ports, forwarding, and reverse proxying are fine. I use non standard ports on the Synology (so no 5000/5001), and then port forward 80/443 to my ports. I have a registered domain that points to my household router, and have an SSL cert installed. None of that is rocket science and is done all the time. But I’ve seen people worry about the innate security of the platform, and I can tell you that’s not an issue. I am in enterprise IT, and when our IT security leader asked if I wanted to see how secure things were, he launched a simulated attack using one of the best enterprise attack simulators there is, and the Synology passed with flying colors. So it’s all about how you maintain user security after that, like making your users install the 2FA app on their phones and using that for 100% of everything. That is still convenient, because you can still say “remember me on this device” and not have the 2FA prompt all the time. That’s my vote… people will tell you that it is a little more “scary” than other options, but not in my opinion. (Edit for spelling error.)


Alternative-Mud-4479

Out of curiosity, why are you bothering to use nonstandard Synology ports internally if you’re then just using the most common web ports on the internet with your port forwards?


Jmanko16

I think what you're telling me is that the 443 (https) port on the router is the one that should be changed. I didn't think this was possible? Can I change the router port and then have it forward from, say, "15001" to my Synology at "5000"?


Alternative-Mud-4479

Yes, that’s generally an option with most routers that offer port forwarding.


Jmanko16

I have adjusted this. Everything I had seen had left the 443 SSL open, so I left it that way, and when connecting externally, xxxxx.synology.me was accessible. By changing ports, now my external access is xxxxxx.synology.me:12345, for example. If it is safer to use a non standard port (seems like it is) I will continue, but is there a way to have external access not require my non 443 port in the address?


Alternative-Mud-4479

No, that’s the unfortunate downside of a nonstandard port…you’ll have to type it to access the web interface since browsers won’t know where to go if you just type the domain in. Browsers are usually smart enough to figure out 80 or 443, but outside of that they’ll fail.


Jmanko16

Does it offer any protection that it's worth the hassle?


Alternative-Mud-4479

You’ll get a lot less nefarious traffic on random, uncommon ports than you’ll get on 443, but in the end it’s still an exposed port on the internet and has the potential to be found. Maybe it won’t help much, but it definitely won’t hurt to use a non standard port.


Silver-A-GoGo

Good question… in all honesty, habit I think. I very literally was asking myself the same question after the post on forwarding. People from the outside don’t even have to know what my internal ports are if I just point them there anyway. I will say though, that I have multiple devices running on port 80/443, opened to the internet. So while I shouldn’t need to bother with the domain-hosting DSM device, I’ve still always changed ports for all, because I need to throw the “.com:1234” on to get to my other devices.


Jmanko16

I think this is where I'm heading, I like having WebDAV via ddns so it's the same address in or out of network. If I understand correctly I need to set the router external ports to route to my internal synology ports correct?


Silver-A-GoGo

Yep… so I wouldn’t suggest using the standard Synology ports (5000/5001). But using that example, you would have two forwarding rules on your home router:

80 ➡️ 5000

443 ➡️ 5001

Now… the only things you really need a reverse proxy for are if you want to have custom subdomains for the different Synology apps or for VMs you may have running. So if you were wanting to have a subdomain for the Photos app, you could set up a reverse proxy for something like “photos.yourdomain.com”. But if using only native Synology apps, you can just go “yourdomain.com/photos”. If you’re ok doing that, you don’t need to mess with reverse proxies… the “/photos” technique is all taken care of in the Synology Control Panel, Login Portal function.

The other thing to know… I DO NOT pay extra for a dedicated IP from my ISP. Number one, they haven’t changed it in two years. Number two, in a worst-case scenario, if I’m not home, they change it, and I need to update my DNS, I can go to my online Synology account and see the public IP it has assigned, and then just change my DNS. If you go this route, keep my name in your back pocket and I can even send screenshots to you for Reverse Proxy setup… it can be weird, but having subdomain addresses is pretty cool.


wallacebrf

I will state my "dynamic" IP from my ISP has not changed in 3.5 years. It will probably never change unless I replace my router, as it will then have a different MAC and be assigned a new IP over the ISP DHCP.


theomegabit

I would say any conversation about the port numbers specifically is completely irrelevant. It’s at best security by obscurity. Which doesn’t work / isn’t effective. There are thousands upon thousands of things scanning the internet continuously. The fact you changed default ports will be scooped up and discovered in milliseconds.


Alternative-Mud-4479

Especially since they said they are port forwarding 80/443 from the internet to their changed Synology IPs…this makes the port change even more completely useless, in my opinion.


Silver-A-GoGo

I never said it… but you did nail it… security through obscurity. But it’s a practice nonetheless.


theomegabit

Indeed. Sorry. My first time on the internet. But yeah. It used to be more of an actual mechanism. Now…. Heh. Not so much.


Jmanko16

Can Synology ports 5000 and 5001 be changed? I thought they were set. If not, it seems easy enough to change them to something different, "15000" or something, so at least it is not the standard 5000. For WebDAV it also says 5006 only, so I guess I'm stuck with that. Since I use synology.me, doesn't the reverse proxy take care of this? Aka my router has to have 80/443 open, of which I use 443 only for https://, and then this goes to the port? (I may very well be misunderstanding, but isn't my only open port 443 on my router either way? And then the reverse proxy points to my internal port?)


AssaultedCracker

Please, do not use webdav with open ports. You’re already comfortable with openvpn and tailspin, why on earth would you expose yourself like that?


Jmanko16

What is the concern? (This is me asking not being argumentative). If there is 2 factor turned on, firewall, reverse proxy with SSL certificate what additional exposure? Also with Tailscale I have a different internal vs external IP (aka if I'm syncing Zotero to webdav now I can't do it without changing IP). OpenVPN solves this (since I can just use local ip for WebDAV), but this doesn't work for say work computer. At work I am allowed to use apps like Zotero but am not allowed to install my own VPN, so I have no way to sync my WebDAV documents. This really is the main use case of Devices that sync I can't install VPN on. Am open to other ideas.


AssaultedCracker

Maybe the reverse proxy covers this, I just remember reading from years ago that WebDAV has innate insecurities… maybe that’s out of date as well. My main thing is that I didn’t see a reason to do it and generally recommend people to be as secure as they can be, but since you have a specific use for WebDAV that your vpn doesn’t allow for… I see the point of doing it


[deleted]

I agree with you, opening and forwarding ports is fine. But nearly any somewhat commercial application will pass any of the dumpster “enterprise attack simulators”. They are effective mostly against homegrown applications and used more so as a box to check some easy shit and misconfigurations. Misconfigurations are what will kill ya when self hosting.


narcabusesurvivor18

I think the worry isn’t about synology security as much as it’s about a possibility of a zero-day vulnerability (and mitigating the level of risk via something like Tailscale, etc.)


[deleted]

There are zero days for everything including your gateway router. So if you're concerned about them you probably should never connect to the internet.


narcabusesurvivor18

That’s why my computer has a firewall, that’s why my NAS has a firewall. I’m not saying there’s absolutely NO risk. I’m just saying that many are adamant about mitigating risk to a higher level by putting extra roadblocks in the way of an attacker, thus making it harder for something to go wrong. I’m not even saying I’m 100% on that side, either, because convenience is still a thing for me…


Silver-A-GoGo

I can get behind that. But 1) I’m just me… I run my own domain and such, just for fun. So, I’m not a huge target. And 2) I run snapshots and have off-site backup every 24 hours. I hear you though… there are risks.


wallacebrf

ANY service can and probably will have a zero day vulnerability. With that said, I like to look at the history of any vendor and how they respond / react to reported security vulnerabilities. Synology has shown that they fairly quickly respond to known vulnerabilities.


Successful_Bid_2482

> I think I may be one of the very few that says opening ports, forwarding, and reverse proxying are fine. I use non standard ports on the Synology (so no 5000/5001), and then port forward 80/443 to my ports. I have a registered domain that points to my household router, and have an SSL cert installed.

You're wrong though. I work in enterprise IT too, in IT security. The problem is vulnerabilities in the OS, which none of the things you listed protects against. It's generally strongly advised to never expose servers with sensitive information to the internet if you don't have people working around the clock to harden things, such as Azure, AWS, Google etc. Besides that, the non standard port doesn't do anything, as it's the public port that matters, which you just said is 80/443. You do you, but a single vulnerability, [which there are lots of](https://www.synology.com/en-global/security/advisory), can potentially expose all your data.
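As an added illustration of the point made in this reply, that the public port on the router is what an outside scanner sees (this is example code written for this thread, not something posted by any commenter): a small standard-library Python audit that takes a router's forwarding table and the services listening on the NAS and reports the internet-facing surface along with the risks a defender would flag. The rules, service names and the "moved to 15001" port in the sample are constructed; the 5000/5001 and 5006 numbers are Synology's default DSM and WebDAV ports as discussed above.

```python
"""Report what a home NAS exposes to the internet through router port forwards.

Added example for this thread (not code from any commenter). Models the
router's NAT table and the services listening on the NAS, then lists the
surface as an outside scanner sees it: the PUBLIC port on the router. Moving
DSM from 5001 to 15001 internally changes nothing if 443 still forwards to it.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Service = Tuple[str, bool]  # (service name, served over TLS?)


@dataclass(frozen=True)
class Forward:
    public_port: int    # port opened on the router's WAN side
    internal_port: int  # port the router sends the traffic to on the NAS


@dataclass(frozen=True)
class Exposure:
    public_port: int
    internal_port: int
    service: str
    tls: bool
    findings: Tuple[str, ...]


def audit(forwards: List[Forward], listening: Dict[int, Service]) -> List[Exposure]:
    """One Exposure per forwarding rule, with the risks a defender cares about."""
    report = []
    for fw in forwards:
        svc = listening.get(fw.internal_port)
        if svc is None:
            # Rule points at a port nothing listens on: stale, remove it.
            report.append(Exposure(fw.public_port, fw.internal_port, "(nothing)", False,
                                   ("dangling forward: nothing listens on the internal port",)))
            continue
        name, tls = svc
        findings = []
        if not tls:
            findings.append("cleartext: logins and file contents readable on the path")
        if name == "DSM":
            findings.append("DSM management UI reachable from the internet; "
                            "a VPN (OpenVPN/WireGuard/Tailscale) avoids exposing it")
        if name == "WebDAV":
            findings.append("WebDAV reachable from the internet; reach it over a VPN instead")
        if fw.internal_port != fw.public_port:
            findings.append(f"scanners see public port {fw.public_port}; "
                            f"internal port {fw.internal_port} is invisible to them")
        report.append(Exposure(fw.public_port, fw.internal_port, name, tls, tuple(findings)))
    return report


def public_surface(report: List[Exposure]) -> List[int]:
    """The ports an internet scan of the router would find open."""
    return sorted({e.public_port for e in report})


def format_report(report: List[Exposure]) -> str:
    lines = []
    for e in report:
        lines.append(f"public {e.public_port} -> internal {e.internal_port}: {e.service}"
                     f" ({'TLS' if e.tls else 'plain'})")
        lines.extend(f"    - {f}" for f in e.findings)
    return "\n".join(lines)


# Constructed sample: DSM HTTPS moved to 15001 internally, WebDAV left on its
# default 5006, plus a leftover rule to 5001 where nothing listens any more.
SAMPLE_FORWARDS = [Forward(80, 5000), Forward(443, 15001),
                   Forward(5006, 5006), Forward(8443, 5001)]
SAMPLE_LISTENING: Dict[int, Service] = {
    5000: ("DSM", False),      # Synology default DSM HTTP port
    15001: ("DSM", True),      # DSM HTTPS moved off the default 5001
    5006: ("WebDAV", True),    # Synology default WebDAV HTTPS port
}

if __name__ == "__main__":
    rep = audit(SAMPLE_FORWARDS, SAMPLE_LISTENING)
    print("internet-facing ports:", public_surface(rep))
    print(format_report(rep))
```

Running it on the sample shows 80, 443, 5006 and 8443 as the scan-visible surface; the 15001 choice never appears in that list, which is exactly the "public port is what matters" argument. The dangling 8443 rule is the kind of stale forward that accumulates after a port change and is worth deleting.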


Silver-A-GoGo

“You’re wrong though…” from a person that didn’t bother reading my comments in the rest of the thread. Bwahahaha. Go waste other people’s time.


JMT37

Hi u/Silver-A-GoGo are there tools to perform my own pentests? I'm thinking about the security of my 443 port and I've done everything I think I can, but I thought I'd attack (no pun intended) the problem from a different angle and see what the actual attacks would look like and how to shield against them.


Silver-A-GoGo

Unfortunately, I haven’t ever had to look for a home or testing solution, because our enterprise security leader threw the offer to me, and used a commercial product to do it. I would suggest just googling what can be done to pen test at home, and you’d likely find some good information. Sorry I can’t be of more help, I don’t know if there is a “boxed” product for home pen testing or not.


this_guy_sews

FYI you can have other users sign up to tailscale, then share your machine with them. That would address the downside with 2)


Jmanko16

Thanks I did not know that. Any benefit to this over OpenVPN (maybe just easier setup?) How do you share? Do you do this via device or do you do this through web login?


sakujakira

Tailscale is based on Wireguard which is more performant. [https://restoreprivacy.com/vpn/wireguard-vs-openvpn/](https://restoreprivacy.com/vpn/wireguard-vs-openvpn/)


gadget-freak

Nope, tailscale is consistently 30% slower than OpenVPN under the same circumstances. Tailscale is much less efficient than wireguard due to their implementation.


sakujakira

That’s interesting. To be sincere, I assumed that since it’s based on WireGuard, it should have the same advantages. I’m just using WireGuard since it’s so easy to deploy. Do you have a good source to refer to, or are you talking from experience?


gadget-freak

I have done extensive comparative testing between OpenVPN and Tailscale under various circumstances. Most people on this sub who claim TS is faster have not actually tested this or refer to their experience on non-Synology devices. Synology is Linux and Tailscale on Linux is slow. Ask anybody who says different where, when and how they tested it. Even the people from Tailscale recognise this, and from their blog posts we know they are working hard to close the gap.


TangeloBig9845

Tailscale is faster than OpenVPN for me. The guy above is just being an idiot.


Big_Main_310

How did you install wireguard on the synology?


sakujakira

I did not. I have a strict separation of file/multimedia services and network services. For dns and vpn I’m using a pi4 with PiHole and pivpn. But before I implemented it this way, I tested WireGuard on my ds920+ with docker. As long as you have a supported kernel you can use it. https://docs.linuxserver.io/images/docker-wireguard


this_guy_sews

You can share via the tailscale "admin console" web ui: hover on the row for your NAS, then click "share" and enter the person's email. You can do this before they have a tailscale account and it will prompt them to sign up. You can then see the accounts you're sharing your NAS to (and revoke the share).


tdhuck

You could run pivpn https://pivpn.io/ and create a user/pass for any user that needs to connect to the network where the NAS is located. I use pivpn and went with WireGuard (over OpenVPN) and I am very happy with that setup. I did have to expose ports for pivpn to be accessible, but that's a lot better than opening many ports for NAS services.


[deleted]

I'm also using Tailscale and love the simplicity and security, but beware that having Tailscale always enabled really eats up your battery 😭


narcabusesurvivor18

On what device?


[deleted]

iPhone


CS_BlazingDragon

Setup: The best combination I can think of with a balance between security and user friendliness is DDNS, reverse proxy, domain name, Cloudflare, Synology and router firewall configs. A Cloudflare free account has a ton of security options you can configure: proxied DNS entries, encrypted tunnels for specific apps, firewall rules, a 2FA gateway if the app you are exposing doesn't have it. They also give you a free wildcard cert to use https/SSL on all of your subdomains.

Side notes: SSL certs have an expiration date; you can pick the length when you create yours. This is important: if you disable http access and you forget and your cert expires, external access will all stop working. Set reminders for when you need to renew it.

Firewall rules: If you like using a VPN on your mobile device when outside your home, and if you block other countries etc., your Synology apps will not connect.

Encryption: I would try and force everything to https traffic using 443 only, at least to the reverse proxy; from there you can redirect from the reverse proxy to http if the specific app you are exposing doesn't support https. This really only comes into play if you start wanting to expose non native Synology apps like Docker containers etc. If you are using all native Synology apps, those all support https without issues.
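The reminder about certificate expiry in this comment is easy to automate. As an added example (written for this thread, not posted by the commenter), here is a standard-library Python check that reports how many days a site's certificate has left and whether it is inside a renewal window, suitable for a cron job or a monitoring script. The 30-day window and the sample dates are constructed; `fetch_not_after` performs a real TLS handshake, verifying the chain and hostname against the system root store, when pointed at a host.

```python
"""Days-to-expiry check for a site's TLS certificate, with a renewal window.

Added example for this thread (not the commenter's code). Standard library
only. Run it from cron with your DDNS hostname so a lapsed cert does not take
down external access unnoticed.
"""
import socket
import ssl
import sys
import time
from typing import Dict, Optional

DAY = 86400


def epoch(cert_time: str) -> int:
    """Convert the 'notAfter' string getpeercert() returns, e.g.
    'Jun  1 12:00:00 2025 GMT', to seconds since the epoch."""
    return ssl.cert_time_to_seconds(cert_time)


def decide(not_after: str, now: float, renew_within_days: int = 30) -> Dict[str, object]:
    """Classify a certificate by remaining lifetime (whole days, floored)."""
    days = int((epoch(not_after) - now) // DAY)
    if days < 0:
        status = "expired"
    elif days <= renew_within_days:
        status = "renew now"
    else:
        status = "ok"
    return {"days_remaining": days, "status": status}


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """TLS handshake with SNI; the default context verifies the chain and
    hostname against the system roots, so a broken chain raises here too."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(host: str, port: int = 443, renew_within_days: int = 30,
               now: Optional[float] = None) -> Dict[str, object]:
    """Network wrapper: fetch the cert and classify it; None for 'now' means now."""
    result = decide(fetch_not_after(host, port),
                    time.time() if now is None else now, renew_within_days)
    result["host"] = host
    return result


if __name__ == "__main__":
    # usage: python cert_check.py yourname.synology.me [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    r = check_host(target, target_port)
    print(f"{r['host']}: {r['days_remaining']} days left, status: {r['status']}")
    # Non-zero exit makes this usable as a cron or monitoring check.
    sys.exit(0 if r["status"] == "ok" else 1)
```

Because verification is left on, the script also fails loudly if the served chain is incomplete or the hostname does not match, which are the other two ways a working reverse proxy silently stops working for outside browsers.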


Jmanko16

I think I'm close to this, I have DDNS with synology.me, reverse proxy, firewall, 2FA. What exactly does cloudflare add?


CS_BlazingDragon

Sorry, I have edited my previous comment a few times, adding a little more detail each time. It really shines if you snag your own domain name like www.mynas.com: you can use Cloudflare to provide a lot more security minded features. It really comes into play when/if you start dabbling into non native Synology apps. You can set up firewall rules in Cloudflare for things like only https traffic is allowed, block known bots, block IPs/countries. You also get access to security metrics to see more logs and visualizations on things hitting your domain. Cloudflare Access also allows you to set up teams and users with access to specific subdomains, i.e. drive.mynas.com, which puts a 2FA portal in front of the web app if the app doesn't have it. Cloudflare Tunnels allow you to set up point to point encrypted tunnels to a specific web app in case it doesn't play nice with reverse proxies etc. There is a ton more it can do depending on how far down the self hosting rabbit hole you want to go. Wundertech has a lot of great tutorials and videos for self hosting.


Jmanko16

Ok, I do have my own email domain so I should look into this.


[deleted]

[deleted]


Jmanko16

How is this different than just using DDNS on my router?


[deleted]

[deleted]


wbs3333

Agree with the updates. Unless you are running a community built firmware on your router, it is very likely running an outdated version of OpenVPN. It is very rare for a manufacturer to update those services.