
If you have a dynamic IP, you will need to set up a DDNS to access your NAS from outside your local network.

 

So to start things off you will need to open an account with a DDNS service provider. There are plenty out there, some paid, some free. The two below are the ones that I use personally. They are free. If you find others then you should also be able to use those. Some of these providers might already be part of the list included by Synology in which case you can skip the 'Customize' button and simply use the 'Add' button and select your service provider from there. The configuration example I am giving below will be based on duckdns.org because it's the easiest I have seen out there but unfortunately it is not included in the DDNS service providers list included by Synology so you will need to use the 'Customize' button first.

- http://www.duckdns.org

- http://www.nsupdate.info

 

Once you have chosen your domain with duckdns.org you will need to configure DSM accordingly. So here is how to:

 

In Control Panel go to External Access (1), then click on Customize (2).


 

A new window should open. You need to fill in as per the image. To save you some time you can copy paste from the code tag provided below the image:


 

http://www.duckdns.org/update?domains=__HOSTNAME__&token=__PASSWORD__&ip=__MYIP__
 

When you are done click Save. The window should close. Now click on Add (3), see first image. A new window should open. Select *DuckDns from the service provider list and fill in your duckdns domain, username and token:


Click on Test Connection to verify that it's working. If it is working you should see the word Normal in green next to Status. You can then click Ok. If it is not working then it means you screwed up somewhere. Recheck query URL, domain, username and token.

 

All that is left to do is to configure port forwarding on your router. This is called at times "port forwarding" or "port mapping". You need to check with your router's user guide as sometimes the wording differs from one brand to the other. The port(s) you will be forwarding to your box also need to be opened on DSM's firewall else DSM will refuse access to the port/service requested. If your ISP implements double NAT you might have to do some additional configuration to your router to allow the ports to be forwarded correctly. Check with your ISP first and also check this site or this site on how to overcome double NAT. Google is your friend.

 

Note of caution here: If you want to make things very safe you would only port forward VPN ports. This means that you can only access your box via VPN which in turn then gives you full access to the box (and to your local network if configured accordingly) once a VPN connection is established. You could also port forward the GUI ports (usually 5000/5001 or the ones you would have customised). This would give you full GUI access to DSM from outside of your network but this can be unsafe especially if you don't have a strong password and proper firewall and safety mechanisms configured in DSM. You could also just forward the port(s)/service(s) that you need. It really all depends what you are using your box for but in most cases the VPN solution is the safest although not the most convenient.

 

NEVER EVER port forward port 22 unless you know exactly what you are doing.

 

To test that your box is accessible from the outside world while being at home you could use your smart phone in data mode (not in wifi) at the following address: http://[yourdomain].duckdns.org:[port number] or https://[yourdomain].duckdns.org:[port number] - Do not put www.

Edited by Polanskiman
Clarified the need to use the 'Customize' button.
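
The query URL from the tutorial above, checked before it goes into DSM. This is an added example, not code from the original post, Synology or DuckDNS: it fills the __HOSTNAME__, __PASSWORD__ and __MYIP__ placeholders, flags an http:// URL because the token then travels unencrypted, and masks the token for logs or forum posts. The host name, token and IP are constructed values and the function names are assumptions of this example.

```python
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

# Query URL as given in the tutorial (DSM fills in the placeholders).
TEMPLATE = ("http://www.duckdns.org/update"
            "?domains=__HOSTNAME__&token=__PASSWORD__&ip=__MYIP__")


def expand(template, hostname, token, ip):
    """Substitute the DSM placeholders, URL-encoding each value."""
    values = {"__HOSTNAME__": hostname, "__PASSWORD__": token, "__MYIP__": ip}
    missing = [p for p in values if p not in template]
    if missing:
        raise ValueError("template lacks " + ", ".join(missing))
    for placeholder, value in values.items():
        template = template.replace(placeholder, quote(value, safe=""))
    return template


def review(url):
    """Return a list of problems found in an expanded update URL."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    findings = []
    if parts.scheme != "https":
        findings.append("token is sent unencrypted; use https://")
    for key in ("domains", "token"):
        if not params.get(key):
            findings.append(key + " is empty")
    return findings


def redact(url):
    """Mask the token so the URL is safe to log or paste into a post."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k == "token" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query=urlencode(pairs)).geturl()


def update_ok(body):
    """DuckDNS answers with the body OK on success and KO on failure."""
    return body.strip() == "OK"


if __name__ == "__main__":
    # Constructed values: documentation IP range and an all-zero token.
    url = expand(TEMPLATE, "example-nas",
                 "00000000-0000-0000-0000-000000000000", "203.0.113.7")
    print(redact(url))
    print(review(url))
    print(review(url.replace("http://", "https://", 1)))
```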

I would just add a small piece: some ISPs do not allow any port forward option. So unfortunately even though the DDNS part is fine, we cannot do the port forwarding :(.

 

Some ISP implement double NAT.

 

Good article / guide thanks!


I can't account for all ISP network configuration in this tutorial. This said double NAT is not always an issue. Even on a double NAT infrastructure one could do port forwarding. It's not always possible though. There are several ways of overcoming a double NAT.

 

I have added a note in the OP for those behind double NAT.


I don't get duckdns. I have 2 LANs, is this double NAT? I use changeip.com and no-ip.com without problems...

 

I have one account with this, what is the problem???

 

domain apriliars3test

account apriliars3@gmail.com

token 5e389a31-f5ce-4db4-beee-2ece05c6b8d6

 

 

 

Edited by apriliars3


I had an original Synology a few ago and it was easy to share links to people. Does it work with this method of DDNS? What does an example of a shared link look like?


You share a File, you get a Link:

https://192.168.1.2:5001/sharing/7e9Fv1Mdf

You replace the local IP with your domain name.

 

https://your.domain.com:5001/sharing/7e9Fv1Mdf

 

And done... if you have port forwarding for 5001 in your router.

 

Does it automatically replace the local IP with the domain name if you have an active DDNS? I'm using the DDNS functionality from my router so I don't know.

 

Edited by haldi


An example

https://www.noip.com/

Login: gavi

Pass: 1234

Domain: gavi.myddns.me

MyIP local 192.168.1.2

I don’t know this http:/www.noip.com/update?domains=gavi.myddns.me_&token=_1234_&ip=_192.168.1.2_

 


 

 

 

 


Why did you create a custom DDNS for No-IP with the 'Customize' button? No-IP is already included in the service providers list. There is no need to do this: http:/www.noip.com/update?domains=gavi.myddns.me_&token=_1234_&ip=_192.168.1.2_

 

Delete the custom No-IP you created and then simply select NO-IP from the default list and add your credentials.


@dasis If your No-IP domain is a free one, there's little point using the DDNS settings in DSM. As it will only update, you'll still have to renew it each month.

 

FYI, DSM will only let you use one domain per provider.

I have two with No-IP so I set one up as a custom domain using an alias as the Title.

No-IP did work as a custom DDNS this way, but with a recent update it started throwing up an error "host name does not exist" 


A very useful guide, thanks.

 

You mention that the best way to make things very safe is to only forward VPN ports. Could you expand on this a bit more please? I'm keen to access the services needed (DS Cam, a few file folders) through a secure VPN connection (e.g. VPN connection setup on Xpenology box and then access the relevant services remotely from my laptop through a secure VPN connection). Is this possible? Any help would be much appreciated.

Edited by ad19

3 hours ago, ad19 said:

A very useful guide, thanks.

 

You mention that the best way to make things very safe is to only forward VPN ports. Could you expand on this a bit more please? I'm keen to access the services needed (DS Cam, a few file folders) through a secure VPN connection (e.g. VPN connection setup on Xpenology box and then access the relevant services remotely from my laptop through a secure VPN connection). Is this possible? Any help would be much appreciated.

There is a difference between accessing the NAS via a DDNS setup and via a VPN. For DDNS you setup as the tutorials and your DDNS domain, then you access via http://yourddns:5000(1) and get to the web page of the server, if you forward port 5000(1)

For VPN, you setup the VPN server package on the NAS and setup users etc. But you have to set your router to allow VPN traffic through to the NAS. Depending on the VPN server you choose the port to forward will be different.

A 'neat' solution might be to look at your router and see if it supports DDNS. If so, setup the DDNS on that and forward the VPN port to the NAS. You then use a VPN client to 'yourDDNS' which connects to the NAS, then you can access network services. 

On 11/23/2017 at 1:28 AM, ad19 said:

A very useful guide, thanks.

 

You mention that the best way to make things very safe is to only forward VPN ports. Could you expand on this a bit more please? I'm keen to access the services needed (DS Cam, a few file folders) through a secure VPN connection (e.g. VPN connection setup on Xpenology box and then access the relevant services remotely from my laptop through a secure VPN connection). Is this possible? Any help would be much appreciated.

 

On 11/23/2017 at 4:59 AM, sbv3000 said:

There is a difference between accessing the NAS via a DDNS setup and via a VPN. For DDNS you setup as the tutorials and your DDNS domain, then you access via http://yourddns:5000(1) and get to the web page of the server, if you forward port 5000(1)

For VPN, you setup the VPN server package on the NAS and setup users etc. But you have to set your router to allow VPN traffic through to the NAS. Depending on the VPN server you choose the port to forward will be different.

A 'neat' solution might be to look at your router and see if it supports DDNS. If so, setup the DDNS on that and forward the VPN port to the NAS. You then use a VPN client to 'yourDDNS' which connects to the NAS, then you can access network services. 

 

DDNS solves the problem of dynamic IP addresses by associating your IP address with a permanent domain name. It gives you the repeatable ability to access your local network if you don't have a fixed IP address. Of course, if you have a fixed IP you don't need to setup a DDNS.

A VPN tunnel on the other hand gives you the ability to create a secure connection between 2 distant networks.

 

Whether you set up a DDNS or have a fixed IP, you need to port forward on your router the desired ports of the services you want accessible from the outside. This is the general way of doing things but is potentially less safe. Why? Because you are opening several ports to several services. If you don't have a tight security protocol (strong password, DoS protection, Auto block etc etc) on your box then potentially you could get hacked. This is the most effective and convenient way of doing things though.

 

There is another more secure way. Instead of port forwarding on your router all desired ports for all the services you want accessible from the outside, you simply port forward your VPN's server ports. Depending on the VPN protocol it could be 1 to 3 ports. I would recommend OpenVPN or L2TP/IPSec or both for redundancy. OpenVPN requires more setting up.

 

L2TP/IPSec 500 UDP

L2TP/IPSec 1701 TCP

L2TP/IPSec 4500 UDP

OpenVPN 1194 UDP

 

What does this mean and why is it more secure? Well, for one thing, in order to be able to connect via VPN to your box from the outside one needs to have credentials. That's only to make the connection. Without that it's just not even possible to merely connect to the box. Secondly once you establish a connection via VPN, you create a tunnel between you and the box. At this point it is as if you were on your local network. You can even use local IP addresses to access devices. You still need credentials to access your box and other secured devices though.

 

When connected via VPN, all your data flowing in and out is encrypted. No one can see what's happening. In principle only the NSA has the ability to do that according to Edward Snowden! Connecting via VPN also gives you the ability to access opened services of your box as well as your entire local network (if configured properly). In other words, connecting through VPN is virtually the same thing as if you were physically accessing your box from within your local network.

 

Personally I use a VPN to access all services I need on my box. The only other port I port forward is the GUI port for convenience but I know exactly how my box is configured and I have set a high level of security. That box also does not contain sensitive information.

 

Hope this helps.
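
The advice in this thread (forward only the VPN ports, treat the GUI ports 5000/5001 with care, never forward 22) written as a check over a router's port-forward table. This is an added example, not part of the original posts: the rule format, rule names and sample rules are constructed, the severity labels are this example's own, and 1701 is entered as UDP, the transport L2TP runs over.

```python
# Ports named in the thread. 1701 is entered as UDP, the transport L2TP uses.
VPN_PORTS = {
    (500, "udp"): "L2TP/IPSec",
    (1701, "udp"): "L2TP/IPSec",
    (4500, "udp"): "L2TP/IPSec",
    (1194, "udp"): "OpenVPN",
}
VPN_NUMBERS = {port for port, _ in VPN_PORTS}
DEFAULT_GUI_PORTS = frozenset({5000, 5001})  # DSM defaults; pass your own if customised


def classify(rule, gui_ports=DEFAULT_GUI_PORTS):
    """Return (severity, reason) for one forward, judged by its internal port."""
    port, proto = rule["internal_port"], rule["proto"].lower()
    if proto == "tcp" and port == 22:
        return "high", "SSH reachable from the internet"
    if proto == "tcp" and port in gui_ports:
        return "medium", "DSM GUI exposed; depends on password, auto block, firewall"
    if (port, proto) in VPN_PORTS:
        return "ok", VPN_PORTS[(port, proto)] + " VPN port"
    if port in VPN_NUMBERS:
        return "low", "port number matches a VPN but the protocol does not; check the VPN server"
    return "medium", "service exposed directly instead of through the VPN"


def audit(rules, gui_ports=DEFAULT_GUI_PORTS):
    """Classify every rule and report whether the router is VPN-only."""
    findings = [(rule["name"],) + classify(rule, gui_ports) for rule in rules]
    vpn_only = all(severity == "ok" for _, severity, _ in findings)
    return findings, vpn_only


# Constructed rule table, as it might be typed in from a router's admin page.
# Judging by internal port catches SSH hidden behind external port 2222.
SAMPLE_RULES = [
    {"name": "openvpn", "proto": "UDP", "external_port": 1194, "internal_port": 1194},
    {"name": "dsm-https", "proto": "TCP", "external_port": 5001, "internal_port": 5001},
    {"name": "remote-shell", "proto": "TCP", "external_port": 2222, "internal_port": 22},
    {"name": "l2tp", "proto": "TCP", "external_port": 1701, "internal_port": 1701},
]

if __name__ == "__main__":
    findings, vpn_only = audit(SAMPLE_RULES)
    for name, severity, reason in findings:
        print(f"{severity:6} {name:13} {reason}")
    print("VPN-only:", vpn_only)
```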


Thanks sbv3000 and Polanskiman, your responses are much appreciated - I'm trying to implement your 'neat' recommendation by utilising the router's DDNS functionality and forwarding the VPN server's port by following the steps below:

 

1. I’ve enabled the DDNS client on my router and assigned a host name
2. Port forwarding is setup on the router (1194 | UDP)
3. OpenVPN is running within the Diskstation’s VPN Server package (port 1194 | UDP)
4. I’ve exported the configuration file and imported it to the VPN client

 

The VPN client is asking for the public IP of the Diskstation to enable connection. Would this be a combination of the DDNS host name ('your DDNS') and the dynamic IP address within the OpenVPN section of the Diskstation’s VPN server package?

2 hours ago, ad19 said:

Thanks sbv3000 and Polanskiman, your responses are much appreciated - I'm trying to implement your 'neat' recommendation by utilising the router's DDNS functionality and forwarding the VPN server's port by following the steps below:

 

1. I’ve enabled the DDNS client on my router and assigned a host name
2. Port forwarding is setup on the router (1194 | UDP)
3. OpenVPN is running within the Diskstation’s VPN Server package (port 1194 | UDP)
4. I’ve exported the configuration file and imported it to the VPN client

 

The VPN client is asking for the public IP of the Diskstation to enable connection. Would this be a combination of the DDNS host name ('your DDNS') and the dynamic IP address within the OpenVPN section of the Diskstation’s VPN server package?

So let's say your hostname is 'myhome.myddns.net'

Check the router logs to make sure that the 'myhome.myddns.net' is registered

Try a ping to 'myhome.myddns.net' and it should resolve your router's external (public) IP address, but will probably time out

If that all works, then in the openvpn client on your PC you put the 'myhome.myddns.net' string in the public ip field, plus the username and password of the DSM vpn user account

That should connect

If it connects ok, open a command prompt and try ipconfig, you should see a VPN adapter with an IP address from the NAS VPN server.

If you open a web browser you should then be able to access the nas with http://nasip:5000, where nasip is the ip address of the nas INSIDE YOUR HOME LAN


Thanks sbv3000, it's up and running! One point which I neglected in the steps above was opening port 1194 within the Diskstation's firewall.

6 hours ago, ad19 said:

Thanks sbv3000, it's up and running! One point which I neglected in the steps above was opening port 1194 within the Diskstation's firewall.

You are welcome and that's good to hear.

As a test, try closing the port 1194 on the diskstation firewall and retry the connection. If it works then leave the port closed. In theory you should only need to open the router firewall for this to work. 


I closed port 1194 on the Diskstation firewall and the connection still worked so I'll keep it closed permanently. Thanks again!

On 11/25/2017 at 2:43 AM, sbv3000 said:

You are welcome and that's good to hear.

As a test, try closing the port 1194 on the diskstation firewall and retry the connection. If it works then leave the port closed. In theory you should only need to open the router firewall for this to work. 

 

@sbv3000 Can you elaborate on this? I have tried closing port 1194 on my machine and I am then unable to connect so I am not sure what the rationale is here. The only way this would work is if the firewall is totally disabled which automatically allows access to all services/ports.

 

On 11/25/2017 at 3:09 AM, ad19 said:

I closed port 1194 on the Diskstation firewall and the connection still worked so I'll keep it closed permanently. Thanks again!

 

I am unsure why closing port 1194 on DSM's firewall would still allow a connection. The purpose of a firewall is to allow or disallow access to certain services by opening or closing ports. If it's closed then it shouldn't allow a connection to the service the port is assigned to. Reboot your machine and try connecting again via VPN from outside. I am curious to see if it still works.

 

I'm surprised by this.


@Polanskiman, you're right - after having closed port 1194 and rebooting the Diskstation, I could no longer connect from outside. The only way to reconnect was to open port 1194 in the firewall and reboot to allow the changes to take effect.

On 11/28/2017 at 2:10 PM, ad19 said:

@Polanskiman, you're right - after having closed port 1194 and rebooting the Diskstation, I could no longer connect from outside. The only way to reconnect was to open port 1194 in the firewall and reboot to allow the changes to take effect.

 

Port 1194 needs to be permanently open. Keep it that way.
