Okay, I’m just an ordinary guy still learning, so bear with me if I’ve misunderstood something. I have a couple of questions.
This first one isn’t really a question, but a premise. It’s universally agreed that VPN’ing back into your NAS when you’re outside your wifi is the most secure way. While I understand this, it’s not really possible because of my family’s level of tech savviness.
Therefore I’ve opened some ports and set up very strong passwords and 2FA on all accounts plus block lists, firewall and so on. I hope and believe this is enough.
Question one: On the other hand I would like to uphold a certain level of privacy and use a VPN on our outgoing connections. To do this I must set the VPN up on router level. But if I do so I won’t be able to contact my NAS, will I? I mean there would be no way of knowing what IP address to contact?
Question 2: If that’s so, I must keep the VPN on each device. But how do I then use Download station in a private fashion? Because there would be no VPN on the NAS - As I then wouldn’t be able to contact it from the outside?
Thanks!
Look into tailscale for your VPN instead of whatever you’re using. You can disable all the port forwarding and other bad security practices.
I’m not really following what your goal is for this part: "uphold a certain level of privacy and use a VPN on our outgoing connections." You want all of your LAN traffic to be routed to a second VPN to keep your ISP from knowing what you’re doing? That should also be possible through a tailscale exit node that routes all traffic through a second VPN but I don’t know offhand how to set that up. Probably something with instructions available on tailscale community forum or /r/Tailscale
Your VPN connects you to your local network. If it’s configured the right way the DHCP server will give the connection its IP address and you’ll be virtually connected.
So you can access local resources when connected to your VPN (Sophos Firewall, Fritz!Box FritzVPN…).
You can run VPN Server on your Synology, either through docker or as a package.
The way a VPN works is it just routes your internet activity through another device’s router/ISP. It does not hide your data from ISPs, but can help.
Let’s say you have a Synology at home, a Synology at the office, and a Nord VPN app on your phone. And you’re out of town. If you connect your phone to your home Synology’s VPN, your home’s ISP will see all your activity. It’s like you’re on your home’s wifi. Anyone in your home who has Instagram will see ads based on your browsing history. And you’ll see ads based on theirs. But you can now connect to your home’s Synology as though you’re at your house. You don’t have to open up any ports, you can just use your NAS’s local IP address to securely connect.
Now let’s say you switch to the VPN on your NAS at the office. Privacy wise, now your home ISP doesn’t see your browsing data but the ISP at your office does. As does maybe any IT people that monitor that type of thing. You can no longer connect directly to your home’s Synology like it is in the same network, but you can connect to it over the internet. So if you set up DDNS with something like a [my server].synology.me address you can access it that way. Or through quick connect. You can also now connect to your office’s Synology directly as though you’re in the office.
Now let’s say you connect to the Nord VPN server. Let’s say you choose a server in California. It’s basically doing the same thing as your NAS. You’re connecting to a machine in California owned by Nord VPN and using that machine’s router. You’re also now trusting that Nord (or whatever 3rd party VPN) isn’t tracking or logging any of your data. Their ISP can still collect data, but I think it’s a bit more difficult to track. But remember that browsing data isn’t the only way you get tracked online if that’s a concern. But it can help mitigate things like targeted ads.
While I understand this, it’s not really possible because of my family’s level of tech savviness.
That might be true if you insisted that your family members set up the VPN for themselves. If you configure the VPN client on their devices, then enabling the VPN can be as simple as opening an app and tapping a button, maybe entering a password, that’s all. Oh, and even configuring the VPN client on their devices can be easy, e.g., it could just be opening an app and scanning a QR code… these days you have to do that just to read a restaurant menu!
Okay, I’m probably not being clear enough.
I’m not really comfortable with the fact that one’s ISP knows everything we do online. We don’t do anything interesting but nevertheless it’s weird to me how we all accept this new normal of no privacy.
So I would like to use a VPN for all our queries online. But at the same time I don’t know enough about it to understand how I could do that and at the same time contact my NAS externally. Because if every outgoing connection from home goes to a VPN wouldn’t I have to go through the same VPN (just the other way) to make contact with my NAS? And is that possible in any way?
Thank you so much for this. This gives me some comfort because I actually HAVE understood it all properly. I really appreciate it.
The only way to keep my browsing private from my ISP must be to install a VPN on my server and choose a provider that I trust. Mullvad VPN, for instance.
But if I do this I could still VPN into my NAS using OpenVPN when outside my house, right?
True, I might be able to teach them this. It’s worth a try. I do imagine my wife’s stress levels when the goddamn thing isn’t working because she forgot about that button.
For the intercept of outbound traffic and routing over VPN, just be careful that you trust whichever VPN provider. I get what you mean about privacy but obviously some entity will have all that data either way so be sure you’re comfortable with whomever that is and the laws of whatever country they’re based in.
I’m not sure but I would look into whether your current router (not the ISP modem but your own router) can support this VPN for all outbound traffic. If so you’re pretty much good to go by enabling that for this use case and tailscale for getting into your LAN while you’re away from home. Your tailscale traffic would route through that second VPN too. I think that’s what you said you want right?
That sounds like a usable approach! I’m looking at Mullvad for my VPN. So I could implement that at my router level. I trust them.
And then I could look at tailscale - or maybe just the OpenVPN I’ve set up already? - to access my NAS on the go? The only negative would be that my family wouldn’t be able to access my NAS externally on their Apple TVs.
You can try with Open VPN but just be aware that opening ports to enable that inbound service means that the entire world can try to attack that service to break in. Open ports are one solution but a solution like tailscale is generally preferred by this community because you can get rid of the port forwarding and it still works great. You’ll still need to install the VPN client on every device that you want to access your NAS, and since you mentioned Apple TV you’ll need to look into how that would work with either tailscale or OpenVPN. I’m not sure how flexible Apple TV is going to be for either of those solutions though, being Apple and all.
Yes, the open port is a problem but with very solid passwords and 2fa that should be okay, shouldn’t it?
Tailscale seems to collect a lot of data which I don’t really like, but maybe I need to read up on it.
I think Apple TVs don’t play nice with VPNs so I would probably have to AirPlay from my phone.
very solid passwords and 2fa that should be okay, shouldn’t it?
It’ll help but all you need is one zero-day attack vector to be in trouble. And even for known vulnerabilities, router vendors are terrible about patching their stuff. In case it’s not clear what I mean, your password and 2fa help as long as the attacker is trying to actually log in, but attacks don’t have to go through that same process always, e.g. they can send malformed packets to your open port. I dunno, up to you, but that stuff makes me very nervous.
Tailscale seems to collect a lot of data which I don’t really like, but maybe I need to read up on it.
What kind of data were you seeing that they’re collecting? They’re very transparent about their platform so you should find answers to whatever you’re wondering about either on their site or via the tailscale sub. I’ve read a few of their whitepapers and don’t recall them collecting anything really. In fact their model is preferred by this sub partially because of how little they are actually in the loop. For example, once you turn the tailscale client on from your phone while out of the country, there’s a bit of a negotiation with TS to figure out how to connect to your NAS at home and every other device you’ve enabled TS on, but after that initial sync, your devices will talk directly to one another in most cases. TS isn’t going to see any of the traffic between your device and your NAS. They really only have to be in the middle if you’re in some kind of highly complex network environment that won’t allow the devices to communicate directly with one another but my understanding is that that’s pretty rare.
Apple TVs don’t play nice with VPNs so I would probably have to AirPlay from my phone.
Got it. Yeah you would probably need to designate your NAS as an “exit node” then if using TS. That’ll let you remotely connect first to your NAS and then have the NAS route the traffic to your Apple TV running on your home network.
Good point about the zero-day exploit. It really is a question of usability vs. security. I want to put our photos and documents on Synology Photos and Drive. While using a VPN for this is fine for me, it’s difficult for my wife and children.
Maybe I’m too paranoid about Tailscale. I saw a lot of queries on pi-hole when my friend used it and I’m always edgy when something is free. Maybe I’m just ill-educated here.
Won’t your family need to use a VPN client on their devices either way?
I don’t want to overemphasize tailscale because I’m sure there are other options, including using WireGuard (the underlying tech that TS uses) more directly. Just sharing what I’ve learned so please definitely do your own research on what others are saying or what the companies are offering. Good luck!
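The reply above mentions using WireGuard directly instead of Tailscale, and the earlier explanation of "it’s like you’re on your home’s wifi" describes what a full tunnel does. The two client configurations below are an added illustration, not configuration from anyone in this thread or from Synology; the keys, the 192.168.1.0/24 home LAN, the 10.8.0.0/24 tunnel subnet and the hostname are placeholders. The only difference between them is AllowedIPs, which on the phone decides what gets routed through the home NAS (and therefore what the home ISP sees) and what goes out directly.

```ini
# Variant A: split tunnel. Only traffic for the home LAN goes through the
# WireGuard tunnel to the NAS; everything else leaves the phone directly,
# so the home ISP sees nothing of the phone's browsing. This is the
# "reach my NAS from outside" case without routing the family's web
# traffic through home.
[Interface]
PrivateKey = <phone private key, placeholder>
Address = 10.8.0.2/32            # tunnel address of the phone (assumed subnet)

[Peer]
PublicKey = <NAS public key, placeholder>
Endpoint = example-nas.synology.me:51820   # placeholder DDNS name and UDP port
AllowedIPs = 192.168.1.0/24, 10.8.0.0/24  # home LAN + tunnel subnet only
PersistentKeepalive = 25

# Variant B: full tunnel. 0.0.0.0/0 routes ALL of the phone's traffic through
# the NAS at home, which is the "as though you're on your home wifi" case
# from the explanation above: the home ISP (or the router-level VPN provider,
# if one is configured there) sees the phone's browsing too.
[Interface]
PrivateKey = <phone private key, placeholder>
Address = 10.8.0.2/32
DNS = 192.168.1.1                 # resolve through the home router, not the mobile carrier

[Peer]
PublicKey = <NAS public key, placeholder>
Endpoint = example-nas.synology.me:51820
AllowedIPs = 0.0.0.0/0, ::/0     # everything goes through home
PersistentKeepalive = 25
```

Either variant still needs the NAS to listen on a UDP port that is forwarded on the home router, which is exactly the exposed-port tradeoff discussed earlier in the thread; Tailscale avoids that by brokering the connection instead. Variant A is the one that keeps the family's day-to-day browsing private from the home ISP while still reaching Synology Photos and Drive by the NAS's 192.168.1.x address.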
Thanks for all your help!
No, at the moment they can connect via the host name and user+password.
Just to be sure you’re good to go, are you saying they only log into, say, Synology Drive with their DSM user/pass? And they don’t have to enable the VPN on their device first? If the latter is true, do you have the VPN running on their device always? If not, you sound like you’re describing the situation where they can connect to DSM directly, no VPN at all, which is even worse than having the VPN directly exposed via an open port.
No, but they can stay connected to Synology Photos, Synology Drive and DS Video via the host name+relevant port. They then have to log in with user name + password + 2FA.
Is that insane?
If by relevant host name and port you mean your home router IP / DDNS and a port you’re forwarding from the router to your DSM, then you are shortcutting the VPN, i.e. you could just turn the VPN off and it will still work. In other words the only actual security is coming from Synology, no VPN. That’s risky because it means you are reliant on Synology to be able to respond to any vulnerability immediately and that you’ll have to patch it immediately when it’s released. I’m not sure how often problems like this are found in the real world but I would suggest you reconsider.
If they are using your local network IP (e.g. a 192.168.x.x) to connect to the Synology app and the only port they’re using is that one on the NAS itself, then somehow they’ve connected to the VPN first. That’s certainly better than raw exposure of your Synology to the Internet.
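The test the reply above proposes ("which address is the app actually talking to?") can be done mechanically. The script below is an added example, not code from this thread or from Synology: it classifies the address a client resolves for the NAS as loopback, home LAN/VPN (RFC 1918), Tailscale (the 100.64.0.0/10 range Tailscale assigns from) or public, and turns that into the same verdict the reply gives. The hostnames and addresses in the built-in resolver are constructed placeholders so it runs offline; pass `socket.gethostbyname` as the resolver to check a real name.

```python
import ipaddress
import socket

# Ranges that mean the client reached the NAS over the LAN or a VPN tunnel.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# CGNAT range that Tailscale hands out to nodes on a tailnet.
TAILSCALE_RANGE = ipaddress.ip_network("100.64.0.0/10")

# Constructed stand-in for DNS so the example runs offline. The .synology.me
# entry mimics a DDNS name pointing at the home router's public side
# (203.0.113.7 is a documentation address standing in for a public IP).
FAKE_DNS = {
    "example-nas.synology.me": "203.0.113.7",   # constructed
    "nas.lan": "192.168.1.10",                  # constructed
    "nas.example-tailnet.ts.net": "100.101.102.103",  # constructed
}

VERDICTS = {
    "loopback": "running on the NAS itself; says nothing about remote exposure",
    "lan-or-vpn": "LAN/VPN address: the client must already be inside the network or "
                  "on a VPN, which is the safer arrangement",
    "tailscale": "tailnet address: reached via Tailscale, no forwarded port involved",
    "public": "public address: this is the shortcut described above, the app reaches "
              "DSM through a port forwarded on the router; turning the VPN off would "
              "not stop it working",
    "unresolvable": "name did not resolve; nothing to classify",
}


def classify_address(addr: str) -> str:
    """Bucket an IP address by what path to the NAS it implies."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "other"
    if any(ip in net for net in PRIVATE_RANGES):
        return "lan-or-vpn"
    if ip in TAILSCALE_RANGE:
        return "tailscale"
    # Anything left is treated as a public address.
    return "public"


def classify_endpoint(host: str, resolver=socket.gethostbyname) -> str:
    """Resolve a hostname (real DNS by default) and classify the result."""
    try:
        addr = resolver(host)
    except (OSError, KeyError):
        return "unresolvable"
    return classify_address(addr)


def fake_resolver(host: str) -> str:
    """Offline resolver backed by the constructed FAKE_DNS table."""
    return FAKE_DNS[host]


def verdict(host: str, resolver=socket.gethostbyname) -> str:
    """Human-readable version of the classification."""
    kind = classify_endpoint(host, resolver)
    return f"{host}: {kind} ({VERDICTS.get(kind, 'unusual address type')})"


if __name__ == "__main__":
    for name in FAKE_DNS:
        print(verdict(name, fake_resolver))
```

If the name the family's Synology Photos or Drive app is pointed at lands in the "public" bucket, the VPN is not in the path at all and the only thing between the Internet and DSM is the forwarded port plus Synology's login and 2FA, which is the situation the reply above advises reconsidering.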
It is the former.
Thank you so much for your time and advice. I’ll rethink the setup. I see your point with the vulnerability.
Maybe a solution could be quickconnect, although that would rule out the streaming.