Remote access recommendations please

Topics including remote access and management can go here, including port forwarding, telnet, ssh, and advanced network settings.
Forum rules
We've moved! Head over to Synology Community (community.synology.com) to meet up with our team and other Synology enthusiasts!
gdb19
Trainee
Trainee
Posts: 10
Joined: Mon May 28, 2018 9:53 am

Remote access recommendations please

Unread post by gdb19 » Mon May 28, 2018 10:10 am

I've just bought a ds218+ and so far love it. I've upgraded from a raspberry pi and find the interface on dsm so much easier to use.

I've installed various packages like Calibre, sonarr, etc and have configured remote access by using a no ip ddns and forwarding the required ports on my router.

I know quick connect can't be used for non dsm access but I've been looking at ways to make connections more secure. I've stumbled across using a reverse proxy using built in nginx but need a bit of advice please.

As I understand it I'd either need to pay for a Web domain of my own or a paid no ip membership to let me use the reverse proxy function so I could use xxxxxxxxx.ddns/calibre externally to access calibre.

I did think of hosting a private wordpress page with links to all my apps but couldn't figure out how to get this via the reverse proxy either as I couldn't find the port for wordpress.

Is there a way to use a free no ip account along with a reverseproxy setup in dsm using nginx to access multiple applications securely from outside the network?

Any tips would be much appreciated as although I have a working solution I'd like it to be as secure and private as possible.

User avatar
HarryPotter
Honorary Moderator
Honorary Moderator
Posts: 19674
Joined: Mon Oct 23, 2006 12:48 pm
Location: Switzerland

Re: Remote access recommendations please

Unread post by HarryPotter » Mon May 28, 2018 1:26 pm

gdb19 wrote:
Mon May 28, 2018 10:10 am
I'd either need to pay for a Web domain of my own or a paid no ip membership to let me use the reverse proxy function so I could use xxxxxxxxx.ddns/calibre externally to access calibre.
No, a DDNS name like yourname.synology.me or any other DDNS services will do.
*Please do not Private Message me for support questions; leave it on the forum so all members can learn. Thanks!*

DS718+ / DSM 6.2-23511 / ST4000VN000-2AH166 / SA400S37120G SSD cache /16 GB RAM
DS415+ / DSM 6.2-23511

LMS 7.9.1-166, 2 Squeezebox 3 + Boom

APC Smart UPS SUA750i

gdb19
Trainee
Trainee
Posts: 10
Joined: Mon May 28, 2018 9:53 am

Re: Remote access recommendations please

Unread post by gdb19 » Mon May 28, 2018 2:09 pm

Thanks - how does that work? I use no ip so have a xxxxxx.ddns.net address that I suffix with the port that I open up in my router and forward to the nas application ip/port.

Does no ip allow you to use something like xxxxxx.dns.net/calibre and how would you direct that through the router to the app on the nas?

Apologies if this is a dumb question

User avatar
Rusty1281
Sagacious
Sagacious
Posts: 3246
Joined: Fri Jun 03, 2011 10:51 pm

Re: Remote access recommendations please

Unread post by Rusty1281 » Mon May 28, 2018 2:26 pm

You could use the built in revers proxy in DSM for this. Check out control panel > Application portal > Revers Proxy (tab). See help for more info. In short, you can configure your application host name and port and redirect it to an internal ip address and/or hostname and port on your router.
Synology DS918+ (4x4TB WD RED - RAID 5 with 2x250GB 960EVO NVMe) | Synology DS412+ (4x3TB WD RED - RAID 5) | RT1900AC

gdb19
Trainee
Trainee
Posts: 10
Joined: Mon May 28, 2018 9:53 am

Re: Remote access recommendations please

Unread post by gdb19 » Mon May 28, 2018 3:52 pm

Thanks, does that work for non synology applications like those from synocommunity?

Reading the help and taking a look at the options in dsm i can't see how I would set this up for calibre as an example? It looks like I need a router port and a synology port on all entries and can only specify xxxxxx.ddns.net rather than xxxxxx.ddns.net/calibre?

I'm assuming there must be a way to do this as when I installed wordpress to mess around with that I was able to access via xxxxxx.ddns.net/wordpress without any other setup (no idea how though).

gdb19
Trainee
Trainee
Posts: 10
Joined: Mon May 28, 2018 9:53 am

Re: Remote access recommendations please

Unread post by gdb19 » Thu Jun 21, 2018 1:45 pm

Apologies for bringing this up again but I'm still struggling to see how I can get this to work. Does anyone know how to do this with a free noip account and the reverse proxy in synology?

Thanks

User avatar
Rusty1281
Sagacious
Sagacious
Posts: 3246
Joined: Fri Jun 03, 2011 10:51 pm

Re: Remote access recommendations please

Unread post by Rusty1281 » Thu Jun 21, 2018 5:49 pm

Well caliber is a web app? As such it uses a certain port. 8083 by default. You can redirect it to a different port and without a domain name you will need to point it to your local ip or fictional domain name that you can then insert in a host file on your computer. Also specify a port that you wanna use. Is there a specific reason for /calibre format?
Synology DS918+ (4x4TB WD RED - RAID 5 with 2x250GB 960EVO NVMe) | Synology DS412+ (4x3TB WD RED - RAID 5) | RT1900AC

gdb19
Trainee
Trainee
Posts: 10
Joined: Mon May 28, 2018 9:53 am

Re: Remote access recommendations please

Unread post by gdb19 » Thu Jun 21, 2018 8:05 pm

Thanks, no reason for wanting to use /calibre - just an example of what I'd like to be able to do.

As I've got several applications on my synology I've got all working at the moment using forwarded ports but from reading up a bit it seemed more secure to use a reverse proxy - just can't figure out how to set this up.

User avatar
Rusty1281
Sagacious
Sagacious
Posts: 3246
Joined: Fri Jun 03, 2011 10:51 pm

Re: Remote access recommendations please

Unread post by Rusty1281 » Fri Jun 22, 2018 11:06 am

Well you can use your noip account and create a DDNS unique name inside DSM. It in Control panel > Remote Access.

After you have configured that you can create a free let’s encrypt certificate inside DSM as well. Control panel > Security > Certificate.

Register your let’s encrypt to your noip domain name but also add multiple Subject alternate names while using the wizard.

For example: calibre.your-domain.no-ip.com. You can add a number of names that you would like to have a unique domain record.

Once you have done this you can use your Revers proxy to push request from calibre.your-domain.noip (on 443 port for example) to your local nas ip address and port where calibre is being hosted.

This way you are hidings your apps real port number and you are accessing your app via a secure https protocol behind an ssl by lets encrypt. Also all apps can be pushed via a single port (443) because they will be distinguished by a unique domain name that you have registered. On top of it all you need to open up only a single port on your router and not a set of high custom ports.
Synology DS918+ (4x4TB WD RED - RAID 5 with 2x250GB 960EVO NVMe) | Synology DS412+ (4x3TB WD RED - RAID 5) | RT1900AC

gdb19
Trainee
Trainee
Posts: 10
Joined: Mon May 28, 2018 9:53 am

Re: Remote access recommendations please

Unread post by gdb19 » Sat Jun 23, 2018 2:21 pm

Thanks, really appreciate your help as this has been driving me mad.

I've setup the ddns in remote access but when I try to add multiple subject alternate names in the lets encrypt cert generation it always fails.

I can add one cert for domain and alternate name = mydomain.ddns.net but can't specify anything like calibre.mydomain.ddns.net.

When I try to do this I get an error saying please log into dsm and try again. I've checked the logs via the log centre application and can't see anything there.

Checking the error in Google suggests that I may need to register a domain to be able to use calibre.mydomain.ddns.net - should this be possible with a free no ip account?

gdb19
Trainee
Trainee
Posts: 10
Joined: Mon May 28, 2018 9:53 am

Re: Remote access recommendations please

Unread post by gdb19 » Sat Jun 23, 2018 4:52 pm

I've now got this working once I switched to using the built in synology ddns instead of noip.

Once I set that up, added the cert and then setup the reverse proxy entry for one of my apps I've been able to access sonarr.mydomain.synology.me so will be able to replicate the setup for all other apps

Sometimes a little knowledge is a dangerous thing though - I've followed some info off another site and done the change below.

4. Went through the settings in DSM and reset settings for higher security: In Network > DSM Settings > DSM ports, set "automatically redirect HTTP connections to 5001.


Now I can't login to dsm remotely even via quick connect or using ports 5000 or 5001. Hoping I can get into dsm when I am.on my home network.

User avatar
Rusty1281
Sagacious
Sagacious
Posts: 3246
Joined: Fri Jun 03, 2011 10:51 pm

Re: Remote access recommendations please

Unread post by Rusty1281 » Sat Jun 23, 2018 9:07 pm

Glad you got it working. Was gonna say that LE setup could be limited to synology free domain only, as I noticed that when playing around with non syno domain names in /var/logs/messages log file.

Anyway now you can def replicate this and make it usable fo any other app you want.

Regarding the redirect problem. You might not even get it to work in your local network as well but you can try and access it via its ip and hope that you can get pass the cert warning. This means that you failed to configure to map your new cert to the default setting as well so that all requests respond using the new LE cert.

If this is the case and you fail to log in, you will have to use the reset button on the back to reset your network settings, ports and admin account. Use the Synology KB article to follow through.
Synology DS918+ (4x4TB WD RED - RAID 5 with 2x250GB 960EVO NVMe) | Synology DS412+ (4x3TB WD RED - RAID 5) | RT1900AC

MacDivot
Apprentice
Apprentice
Posts: 84
Joined: Tue May 06, 2014 12:30 am

Re: Remote access recommendations please

Unread post by MacDivot » Mon Jun 25, 2018 4:35 pm

Rusty1281 wrote:
Sat Jun 23, 2018 9:07 pm
Was gonna say that LE setup could be limited to synology free domain only,
I’ve got a LE Cert set up in my DS for a purchased domain name and that works fine.
I can type in myds.mydomain.com on a browser and hit my DS login page via HTTPS from anywhere (except unfortunately my office from behind our firewall as I’m still using 5001 which is blocked). The port reference is coded into the redirect on mydomain so I never have to type it. Haven’t tried something like myds.mydomain.com/caliber though but I don’t see any problem with that.

gdb19
Trainee
Trainee
Posts: 10
Joined: Mon May 28, 2018 9:53 am

Re: Remote access recommendations please

Unread post by gdb19 » Mon Jun 25, 2018 7:14 pm

Cheers, redirect issue all sorted - just had to forward an extra port in my router.

Once I used the built in ddns instead of no ip it was all fairly straight forward. Just had a fair bit of messing around as Ive tried to use https for every app so I can use them all via organizr which didn't like a mix of https and http.

Bit odd that the let's encrypt setup works on synology domains but not no ip but that's fine.

Only odd thing now is that I've created the LE cert for all my apps (eg calibre.mydomain.synology.me - couldn't get it to work with /calibre at the end) and have applied the cert to the reverse proxy names but when I access the apps via iphone it tells.me the site is not secure - i can still get to it after accepting the warning.

I've downloaded the LE cert to my iPhone and added it to my profiles but still get the issue, any ideas? Am I missing something simple here?

Thanks

User avatar
Rusty1281
Sagacious
Sagacious
Posts: 3246
Joined: Fri Jun 03, 2011 10:51 pm

Re: Remote access recommendations please

Unread post by Rusty1281 » Mon Jun 25, 2018 8:21 pm

What browser are you using on your iphone? There shouldn't be any need for anything special. It should work just fine
Synology DS918+ (4x4TB WD RED - RAID 5 with 2x250GB 960EVO NVMe) | Synology DS412+ (4x3TB WD RED - RAID 5) | RT1900AC

Locked

Return to “Remote Access and Network Management”