I have a DS918+ and have been running a few apps in Docker containers (radarr, sonarr, sabnzbd, etc.). I use Synology’s built-in DDNS (so I have a myds.me domain).
To access these apps, I currently have my ports forwarded with password protection on all the apps.
Now, I’d rather not forward and expose my ports, so I’d like to make use of a reverse proxy (such as Traefik, but it doesn’t seem as straightforward to install as the other Docker containers), or a VPN so I can remotely access my local network and then just use my local IP when on the VPN.
The reverse proxy would be better as I could access all the containers from any computer, but maybe I need to have both?
A reverse proxy will not be any more secure, just more convenient to access services from the web.
If your web services are properly hardened (as well as the NAS) then web access is fine (it’s not as dangerous as people make it out to be if you do it right).
However putting them all behind a VPN adds another layer of security and privacy.
Your current situation is dangerous… Syno NASes are much better off not being exposed directly on the internet.
If, by using this Traefik, you still need to open and forward port(s) into your Syno NAS (which is probably the case, unless it’s not a reverse proxy but something else), I’d use a VPN for security reasons… much safer.
If you use a reverse proxy then you’re still going to be exposing the services to the whole world, it’ll just be via a URL rather than a specific port. It isn’t really any more secure than forwarding the ports, although I suppose you could add some IP restrictions for a little more peace of mind.
The better choice is definitely not to forward anything to the outside and use a VPN, although it is more hassle to deploy as you need to install certificates and config on all client devices. Traefik is a pretty good fit in both cases thanks to its automatic HTTPS with Letsencrypt and good integration with Docker.
u/Kynch, my current setup is pretty much exactly as yours. I’m using DSM’s nginx reverse proxy configuration with LetsEncrypt certificates and I’m exposing ports 80 and 443 and have reverse proxy for my containers. I have them all use authentication and for those I would want to keep private, I have a reverse proxy network restriction to be accessible only from my local network.
As others already pointed out, this is not ideal. Not because it’s impossible to secure, but because it’s not your full-time job to constantly monitor each service you run for vulnerabilities. Software has bugs and you never know when the next “heartbleed” will hit. For that reason I’m making a switch myself.
So, let me share how I’m planning to go forward. I will migrate to a VPN solution, as it’s more secure than what I currently have. I will not use what’s provided by DSM (OpenVPN, IPSec, etc.). I will run WireGuard (probably in a Docker container), which needs one UDP port to communicate with the outside world. WireGuard, though, is designed in such a way that it’s stealthy and will never answer unauthenticated packets, so you can pretty much rule out scanning bots finding the portal to your world. It’s simple to operate, it has mobile support (still in beta) and soon will be part of the Linux kernel. That’s the future of VPN the way I see it.
So I hope my thoughts helped you out a bit. Good luck with tuning your setup!
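As an added illustration of the WireGuard plan described above (this is example configuration, not the poster’s own setup), here is a minimal server file for the NAS side and the matching client file for one peer. The VPN subnet 10.8.0.0/24, the home LAN 192.168.1.0/24, the UDP port 51820, the `eth0` interface name, the `yourname.myds.me` hostname and every key are assumptions or placeholders; the only thing the router has to forward is the single UDP `ListenPort`.

```ini
; Added example, not from the thread. Keys are placeholders: generate real
; ones with `wg genkey | tee privatekey | wg pubkey > publickey` and never
; reuse a private key across devices.

; ---------- server side: /etc/wireguard/wg0.conf on the NAS ----------
; (or the file mounted into the WireGuard container)
[Interface]
Address = 10.8.0.1/24                 ; VPN-only subnet (assumed)
ListenPort = 51820                    ; the ONE UDP port forwarded on the router
PrivateKey = <SERVER_PRIVATE_KEY>     ; placeholder
; Let VPN clients reach the LAN. Requires net.ipv4.ip_forward=1 on the host;
; "eth0" is the assumed LAN interface name.
PostUp   = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
; laptop
PublicKey = <LAPTOP_PUBLIC_KEY>       ; placeholder
PresharedKey = <LAPTOP_PSK>           ; optional extra symmetric secret, placeholder
AllowedIPs = 10.8.0.2/32              ; only this VPN address is accepted from this peer

; ---------- client side: wg0.conf on the laptop / phone ----------
[Interface]
Address = 10.8.0.2/24
PrivateKey = <LAPTOP_PRIVATE_KEY>     ; placeholder
DNS = 192.168.1.1                     ; home LAN resolver (assumed)

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>       ; placeholder
PresharedKey = <LAPTOP_PSK>           ; must match the server-side entry
Endpoint = yourname.myds.me:51820     ; Synology DDNS name (assumed)
; Split tunnel: only the VPN subnet and the home LAN go through the tunnel,
; so radarr/sonarr/etc. are reached by their normal LAN addresses.
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25              ; keeps NAT mappings alive for a roaming client
```

With this in place nothing on the NAS is reachable from the internet except the WireGuard socket, and that socket stays silent to anyone who does not hold a configured peer key, which is the "stealth" property mentioned above. If the server runs in a container, publish only `51820/udp` from the container and keep the Docker apps on the LAN side; on the server `wg show` lists each peer’s last handshake, which is a quick way to confirm a client is actually talking to it.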
There is no reason to use a custom reverse proxy considering that you have nginx built in already. Set up all your reverse proxy needs using Control Panel > Application Portal > Reverse Proxy.
Both. Depending on the use-case. Reverse proxy will be a bit more convenient while being transparent to the end user (you). VPN can offer more control and some extra security.
Afraid not. I’ve set up quite a few OpenVPN installations beforehand and found the built-in Synology VPN server to be quite easy to set up and use. Hopefully someone else has some input.
Getting the connection config in can be a bit of a pain. Once the app is installed you can drag a config file over into the app’s storage using iTunes. I think you can also email the config file to yourself and then open it from within the Mail app to import it into OpenVPN, although I don’t recommend sending anything with a username/password in it over email.
For simplicity, you may wish to use L2TP instead of OpenVPN, as iOS supports L2TP natively. Just open up ports 4500, 1701 and 500 (all UDP) on your router, choose a pre-shared key for the Synology’s L2TP server and then enter the same PSK and your Synology account information into iOS’s VPN settings (remember to choose L2TP) and that’s it.
No fiddling with certificates or anything else that is overly daunting for a neophyte.
The trade-off is that L2TP may sometimes be blocked on some networks by overzealous sysadmins, but I’ve never encountered a problem on public WiFi networks.