Advice needed - How to host VPN and HTTPS on limited port numbers

welshboff
Novice
Posts: 41
Joined: Sun Nov 01, 2015 12:21 pm

Advice needed - How to host VPN and HTTPS on limited port numbers

Post by welshboff » Tue Nov 14, 2017 3:07 pm

I've been using Synology products for a while and I'm struggling to solve this problem. My work has implemented further firewall restrictions so I only have access to ports 80 + 443.

This means that at the office, Note Station and Drive (formerly Cloud Station) do not work, which I regularly use as work has a BYOD policy. I can live without DSM and SRM remote access. I host a webpage and private blog on my Synology NAS (over 80 + 443 via port forwarding).

What I would like to do is be able to access Synology VPN via the router over port 443 (via sub domain) and tunnel into the home LAN for notestation and drive access, and also keep port 80 and 443 traffic to the NAS for web services. I'm struggling to achieve this and was after some advice.

I have my own domain and SSL certificate on the router and NAS. The VPN has its own subdomain, so I have tried DNS redirect, i.e. vpn.domain.com to the router and www.domain.com to the NAS, which doesn't work. I've tried disabling port forwarding and just enabling all traffic through the firewall, and I find on 443 it's either NAS or router (i.e. VPN) access, not both, whether I use the subdomain or the FQDN. I've reached the limit of my knowledge so I'm open to ideas.

Any advice welcome
Babylonia
Skilled
Posts: 680
Joined: Tue Jul 26, 2016 10:47 am

Re: Advice needed - How to host VPN and HTTPS on limited port numbers

Post by Babylonia » Wed Nov 15, 2017 2:12 am

Two different kinds of services using the same port number is not possible.
Maybe scanning ports to find out more open ports at your work could help you find alternative port numbers:
http://www.advanced-port-scanner.com/
philip67
Beginner
Posts: 28
Joined: Thu Oct 02, 2014 8:59 am

Re: Advice needed - How to host VPN and HTTPS on limited port numbers

Post by philip67 » Wed Nov 15, 2017 10:05 am

Actually it is. You have to implement a reverse proxy, and Synology supports this functionality.
Look here: https://forum.synology.com/enu/viewtopic.php?t=119672

Regards
DS214Play
welshboff
Novice
Posts: 41
Joined: Sun Nov 01, 2015 12:21 pm

Re: Advice needed - How to host VPN and HTTPS on limited port numbers

Post by welshboff » Wed Nov 15, 2017 10:57 am

philip67 wrote: Actually it is. You have to implement a reverse proxy and synology supports this functionality.
Look here: https://forum.synology.com/enu/viewtopic.php?t=119672

Regards


I have played around with reverse proxy; I can go in on port 80 and reverse proxy to SRM and DSM. I'm using the built-in DSM application portal reverse proxy settings. My thinking was, since I want to VPN on 443 and have HTTPS working together, that the DNS server on the router would redirect the VPN subdomain to the router (as it's running the VPN) and then the DNS would direct all other http://www.domain.com traffic to the NAS. That's how the DNS is currently configured, but it's not working.


Saying that, would it make sense to run the VPN server on the NAS instead of the router then....
nixjps
Novice
Posts: 40
Joined: Fri Jun 09, 2017 1:39 pm

Re: Advice needed - How to host VPN and HTTPS on limited port numbers

Post by nixjps » Wed Nov 15, 2017 1:36 pm

philip67 wrote: Actually it is. You have to implement a reverse proxy and synology supports this functionality.
Look here: https://forum.synology.com/enu/viewtopic.php?t=119672

Regards

May sound pedantic. But actually, Babylonia is correct and your assertion is wrong.... :wink:
See https://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_ports
By design only one service/application is listening on a TCP/UDP port.

Synology Reverse Proxy is a great feature and indeed allows you to listen and respond on one port and pass the stream to another host/port or proxy-pass to another application. But it's not regardless of application protocol.... It's all HTTP/HTTPS driven....
So unless you encapsulate (tunnel) your application protocol inside an HTTP[S] stream, Synology Reverse Proxy won't help....

I might be wrong, but I don't think that, out of the box, DSM provides VPN encapsulated over HTTP[s] (like SSTP for instance).
An alternative option, still not available OOB, is to use the port-sharing mode of the OpenVPN server. When OpenVPN senses a connection which is using a non-OpenVPN protocol, it will proxy the connection to the host and port defined in the "--port-share" option.

I haven't tried this.... But it might be easier to implement than it sounds....
We would need to hack the Web Station configuration so it stops listening on port 80 (or 443) and starts listening on another port, let's say 1080. The OpenVPN server would be configured to listen on port 80 (or 443) and redirect non-OpenVPN traffic to 127.0.0.1:1080...
The tricky part might be keeping the configuration from being lost when packages are restarted or the DiskStation is rebooted.
DS916+ (8G) - DSM 6.1.3-15152u4 - ST4000DM000-1F2168 x 3 - 1 Disk Group SHR - 2 volumes - Home Usage
DS216Play - DSM 6.1.3-15152u4 - ST4000DM000-1F2168 x 2 - Basic Disks - 2 Volumes - Off site backup of DS916+ and local browsing of Photos, Musics and Videos
DS916 and DS216Play MAN link (1Gb FFTH same ISP).
DS916 S2S -> DS216Play, HyperBackup of DS916 config & critical data to DS216Play. HyperBackup of DS216Play configuration and local data to DS916
philip67
Beginner
Posts: 28
Joined: Thu Oct 02, 2014 8:59 am

Re: Advice needed - How to host VPN and HTTPS on limited port numbers

Post by philip67 » Thu Nov 16, 2017 8:41 am

welshboff wrote:
philip67 wrote: Saying that, would it make sense to run the VPN server on the NAS instead of the router then....


This is a good idea. Give it a try.
DS214Play
philip67
Beginner
Posts: 28
Joined: Thu Oct 02, 2014 8:59 am

Re: Advice needed - How to host VPN and HTTPS on limited port numbers

Post by philip67 » Thu Nov 16, 2017 9:09 am

nixjps wrote:
philip67 wrote: Actually it is. You have to implement a reverse proxy and synology supports this functionality.
Look here: https://forum.synology.com/enu/viewtopic.php?t=119672

Regards

May sound pedantic. But actually, Babylonia is correct and your assertion is wrong.... :wink:
See https://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_ports
By design only one service/application is listening on a TCP/UDP port.

Synology Reverse Proxy is a great feature and indeed allows you to listen and respond on one port and pass the stream to another host/port or proxy-pass to another application. But it's not regardless of application protocol.... It's all HTTP/HTTPS driven....
So unless you encapsulate (tunnel) your application protocol inside an HTTP[S] stream, Synology Reverse Proxy won't help....

I might be wrong, but I don't think that, out of the box, DSM provides VPN encapsulated over HTTP[s] (like SSTP for instance).
An alternative option, still not available OOB, is to use the port-sharing mode of the OpenVPN server. When OpenVPN senses a connection which is using a non-OpenVPN protocol, it will proxy the connection to the host and port defined in the "--port-share" option.

I haven't tried this.... But it might be easier to implement than it sounds....
We would need to hack the Web Station configuration so it stops listening on port 80 (or 443) and starts listening on another port, let's say 1080. The OpenVPN server would be configured to listen on port 80 (or 443) and redirect non-OpenVPN traffic to 127.0.0.1:1080...
The tricky part might be keeping the configuration from being lost when packages are restarted or the DiskStation is rebooted.


This idea might also work. But if the VPN server is running on the NAS, it may be easy to resolve the problem.
Changing the ports of Web Station and the VPN server to non-standard ports (let's say from port 443 to 8443) will leave the standard ports 80 and 443 free for the reverse proxy. Then the proxy will pass the incoming traffic to the appropriate application (Web Station or VPN server) based on the DNS name.

Regards
DS214Play
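The two mechanisms discussed in this thread, OpenVPN's port-share sniffing of the first bytes (nixjps's post) and routing by DNS name on one port (philip67's post), both come down to peeking at the opening bytes of a TCP stream. The following is an added Python sketch, not code from Synology or the OpenVPN project: it classifies a stream as OpenVPN hard reset, TLS ClientHello or other, pulls the SNI hostname out of a ClientHello so a proxy could pick a backend by name, and builds a constructed ClientHello for testing. The backend strings and hostnames are placeholders.

```python
import struct

# OpenVPN-over-TCP framing: 2-byte big-endian length, then (opcode << 3) | key_id;
# a fresh client's first packet is a hard reset, opcode 7 (V2) or 10 (V3).
OPENVPN_HARD_RESET = {7 << 3, 10 << 3}

def classify(head: bytes) -> str:
    """Return 'openvpn', 'tls' or 'other' for the first bytes of a TCP stream."""
    if len(head) >= 3 and head[0] == 0 and head[1] >= 14 and head[2] in OPENVPN_HARD_RESET:
        return "openvpn"
    if len(head) >= 3 and head[0] == 0x16 and head[1] == 0x03:
        return "tls"  # record type 22 (handshake), major version 3
    return "other"

def extract_sni(rec: bytes):
    """Return the server_name from a TLS ClientHello record, or None."""
    if len(rec) < 43 or rec[0] != 0x16 or rec[5] != 0x01:
        return None
    pos = 43                                             # record hdr 5 + hs hdr 4 + version 2 + random 32
    pos += 1 + rec[pos]                                  # skip session id
    pos += 2 + struct.unpack(">H", rec[pos:pos + 2])[0]  # skip cipher suites
    pos += 1 + rec[pos]                                  # skip compression methods
    if pos + 2 > len(rec):
        return None                                      # no extensions block
    ext_end = pos + 2 + struct.unpack(">H", rec[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack(">HH", rec[pos:pos + 4])
        if ext_type == 0:                                # server_name extension
            name_len = struct.unpack(">H", rec[pos + 7:pos + 9])[0]
            return rec[pos + 9:pos + 9 + name_len].decode("ascii")
        pos += 4 + ext_len
    return None

def route(head: bytes, vhosts: dict, vpn_backend: str, default: str) -> str:
    """Choose a backend: OpenVPN for its own protocol, otherwise by SNI hostname."""
    kind = classify(head)
    if kind == "openvpn":
        return vpn_backend
    if kind == "tls":
        return vhosts.get(extract_sni(head), default)
    return default

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello with one cipher suite and an SNI extension."""
    name = hostname.encode("ascii")
    sni = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack(">HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\xc0\x2f"
            + b"\x01\x00" + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
```

Note that the SNI is only visible before the TLS handshake completes, so a name-based proxy must either terminate TLS itself (as the DSM reverse proxy does) or forward the unmodified stream to a backend holding the matching certificate.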
welshboff
Novice
Posts: 41
Joined: Sun Nov 01, 2015 12:21 pm

Re: Advice needed - How to host VPN and HTTPS on limited port numbers

Post by welshboff » Fri Nov 17, 2017 10:30 am

I've gotten around the problem, basically by finding another port available to me through the work firewall.

I have port 80, 443, 8080.

So I have normal web traffic on ports 80 and 443. I use the reverse proxy to access Note Station, DSM and SRM. And I port-translate Drive (Cloud Station) in on 8080 and internally on the LAN to 6690.
philip67
Beginner
Posts: 28
Joined: Thu Oct 02, 2014 8:59 am

Re: Advice needed - How to host VPN and HTTPS on limited port numbers

Post by philip67 » Fri Nov 17, 2017 12:25 pm

Nice. Problem solved.
DS214Play