Brief explanation on setting up QuickConnect on Synology NAS
The QuickConnect option on Synology NAS has some good merits and some issues. QuickConnect uses hole punching for internet access to your NAS. The good news is that you don't need to allow port forwarding on your router. All connections are outbound.
QuickConnect uses two different methods for access. (See this PDF for more information.)
It uses a relay server for all access. And traffic flows through that relay server.
You can have direct access after connecting to the relay server. This method requires DDNS (Dynamic DNS) and UPnP.
Your connection is encrypted using the relay server. As far as I can tell traffic flows over 443/UDP. Your connection can also be encrypted using Let's Encrypt using the second method via UPnP. However, UPnP is extremely insecure, even internally. I set it up just to test out QuickConnect.
To see which ports are used I set up tcpdump captures on my DD-WRT router on the WAN interface (vlan2) and the LAN interface (br0). I also ran tcpdump on my Synology NAS. An example of my tcpdump command is shown below.
tcpdump -lnpt -i vlan2 tcp and \
port \(5000 or 5001 or 62323 or 62324 or 62325 or 6690\)
Your NAS will send out information to the relay server. When you want to use DS File, or log into the DSM GUI, you use the QuickConnect URL or ID (https://quickconnect.to/<your_ID>). It will then connect to the relay server. The relay server will tell your client about the DDNS address (<your_ID>.synology.me). And then your client will connect directly after the NAS opens the port for your connection. I know I have missed some network magic in how this all works.
This is a brief explanation on how to set up QuickConnect. I don't plan to keep UPnP enabled. But I may need it in the future for something or other. These directions assume you already have a QuickConnect ID. If not, go to the QuickConnect tab in the Synology Control Panel and request a new ID. After that go to the Advanced tab. Enable the relay service and also select 'Automatically create port forwarding rules'. And then select one or more applications that are accessible via QuickConnect. See the picture below.
The easiest way to set up everything else is to use 'E-Z Internet' from the main menu. This will set up DDNS on your NAS and the router configuration on your NAS. And it will set up the UPnP port forwarding rules on your router.
You should be able to set up everything manually as well. First go to the 'External Access' tab in the control panel. And add a new DDNS provider that will map to your WAN IP address from your ISP. Use the synology.me DDNS and select a new hostname for your NAS.
Next go to the router configuration tab. Create two new rules for the applications. And test the connection afterwards. See the picture below.
Verify Your Router UPnP Setup
Verify your router has the correct UPnP rules. These may vary slightly depending on which applications you enabled via QuickConnect. The last two octets of my NAS IP address have been whited out. Not that my private address matters too much anyway. Your router may display the information differently. See the picture below.
Yes, you can use Let's Encrypt and QuickConnect. You still need to own your own domain (example.com). And then you need to add a CNAME record for your synology.me DDNS hostname. You use the QuickConnect ID or URL to access your device. It will then use your synology.me hostname.
First create a DDNS synology.me hostname. In this example we will use 'mysyno.synology.me'. And that will map to your WAN IP address. In this example it is 18.104.22.168. Xfinity owns 73/8.
DDNS: mysyno.synology.me A 22.214.171.124
You need to own your own domain. In this example I own 'example.com'. And in your DNS records you need to create a CNAME for a subdomain. In this example our CNAME will be 'mysyno.example.com'. This will then map to the DDNS hostname. The 'mysyno.synology.me' hostname will be an alias to your CNAME of 'mysyno.example.com'.
Setting up calendars on Synology. I am using the WebDAV package. This package includes calDAV. I cannot use the Calendar package on my old Synology NAS. I think it is time to buy a new NAS.
Please follow the documents below. Feel free to create a new unique SSL certificate for use with calendar. This new SSL certificate will be used for WebDAV and CalDAV. Or you may use the same SSL certificate you use for other services.
I am not using the calendar package from Synology. It isn't supported on my old NAS. But the basics of using calendars on Synology should be the same. I am using calDAV from the WebDAV package.
My post on setting up WebDAV covers the basics of installing this package. Once that is done, open the WebDAV Server application from the main menu. Next click on the 'Calendar' tab. Then check 'Enable CalDAV' and click 'Apply'. See the picture below.
I will create two groups for calendar access. One will have Read/Write access and the other will only have Read Only access. I will create a shared folder for holding all my calendars that has limited access.
NOTE: The read only access will be used to allow users to access one or more calendars but not allow them to edit the calendar. This is useful if you want to publish a schedule. This is not necessary for most home users.
First create a shared folder. I will name it 'caldav'. Next create the two new groups described in the next section. Then come back and verify the group permissions for the 'caldav' shared folder.
Create Two New Groups
Create the following two new groups.
The settings are shown below. For the RW group make 'caldav' folder writeable. For the RO group make the 'caldav' folder read only.
Create Two New Users
Now create two new users. One user will have read write access. The other user will only have read only access. Make sure you can log into DSM with each user. I am creating the following two users.
The goal is to limit access for each ID to just the 'caldav' shared folder. See the permissions below.
RW Calendar User Permissions
Create a Calendar
I will use Mozilla Thunderbird to create a calendar. But any calendar application should work as long as it supports CalDAV. When you create a new calendar a new folder will be created in the 'caldav' shared folder. I will create 2 calendars. One will be named 'calone' and the second will be named 'caltwo'. These directions assume you have used the default port of 5006. Feel free to change this port. If you use the calendar package from Synology the port will be different. My port is secured by SSL/TLS. Follow the steps below.
Create a New Calendar in WebDAV
First we need to create a new calendar in WebDAV. Launch the WebDAV application from the Synology main menu. Go to the calendar tab. Click 'View calendar list' and then click 'Add'. Provide a calendar name and select 'caldav' as the destination. See the screen shot below.
When you create 'calone' and 'caltwo' you will have two new folders named 'calone' and 'caltwo' under 'caldav'. Each folder will have the hidden folder '.DAV'. I will publish a new calendar into each directory.
Install Mozilla Thunderbird and launch it
Go to "File // New // Calendar" - Choose the following options
You need to set up dynamic DNS in order to access your WAN IP from the public internet. Most people have DHCP from the ISP. As a result the WAN IP address may change from time to time. There are numerous free and paid dynamic DNS services available. Feel free to pick anything you desire. You can set up dynamic DNS on most home routers, and on the Synology NAS as well.
You don't need your own domain to use OpenVPN. Nor do you need a Let's Encrypt certificate. It is best to create your own CA (Certificate Authority) and sign your own certificates. The setup of the root CA is described in detail below.
Set up port forwarding on your home router. The default port for OpenVPN is 1194/UDP. But you can choose any port and change the protocol as well. Every router has a different interface. Use https://portforward.com/ for instructions if needed. Do not buy their little tool. Port forwarding is quite simple to set up. It is recommended to set up a DHCP reservation or use a static IP address for your Synology NAS device. Setting up either option varies from device to device and is beyond the scope of this document.
The user should always read the official documentation first. This document is based on the official documents plus a few other websites. The official documents will help explain in detail all of the various settings.
For the root CA (certificate authority) I mainly used the directions from the Feisty Duck SSL cookbook. I also borrowed from a few different websites. The openssl.cnf file has tons of options. And there are probably better ways to configure it. I previously created my own CA on my DD-WRT router. This setup is a bit better. And I suspect if I do this in the future I will learn a bit more then. The OpenVPN setup has also improved over my DD-WRT setup. I used a few websites to help setup OpenVPN.
This is a very long document. But the steps are not hard. I found a new WordPress plugin that will allow for tabs. That will make long documents like this a lot more usable.
I created a script to help set up the root CA and make it easier and more consistent. The script follows the high level procedure below. More information about the script can be found at the bottom of this document.
Transfer SYNO-OVPN.tar.gz to your NAS. This file has my script and a few configuration files. And it includes a nice little README file.
Install the Synology OpenVPN package
Configure the Synology OpenVPN package
Test the Synology OpenVPN package before making any manual changes.
Now use the script or follow the manual directions to build your own root CA and to secure OpenVPN. Extract the files in /tmp or in /root. It will make a sub-directory name 'SYNO-OVPN'.
Now edit the files and update the variables for your environment. Use the included README for instructions on what to edit. Then run './syno-ovpn.ash build' to set up the basic directory structure and copy over a few configuration files.
Setup the directory structure for the Root CA (./syno-ovpn.ash BUILD)
Setup /etc/ssl/root-ca and sub-directories
Copy the key files
Switch to /etc/ssl/root-ca. Double check the configuration files and finish editing them if required. The script renamed some of the files when it copied them to the new directory.
Setup the Diffie Hellman file (./syno-ovpn.ash DH)
Add Users (./syno-ovpn.ash -f john -l doe add)
This will create the CSR and private key for the user
Sign the CSR and create the public key for the user
Setup an OVPN file for the user
The script will also make it easier to revoke client certificates
(./syno-ovpn.ash -f john -l doe revoke)
Overwrite the Synology openvpn.conf server configuration file with our more secure configuration.
Manually add the new SSL/TLS certificates to the Synology GUI for the OpenVPN package
server.key (server private key)
server.crt (server public key)
ca.crt (Root CA public key)
Install the OpenVPN Package
Synology has a VPN Server package. It has 3 VPN protocols.
PPTP = Point to Point Tunneling Protocol (Do not use. There are known security vulnerabilities.)
L2TP/IPSec - Layer 2 Tunneling Protocol with IPSec (Internet Protocol Security) - L2TP doesn't encrypt. Encryption is done by IPSec. There may be security issues with IPSec.
OpenVPN - Recommended - Very configurable and it is open source.
Go to the package center and install 'VPN Server'. Once it is installed go to the main menu and select VPN Server. There are very few native configuration options within this package. Click on the 'OpenVPN' tab and fill in the information as desired.
Check 'Enable OpenVPN Server'
Dynamic IP address = Pick any /24 private subnet you desire. In this example I am using 10.1.1.0/24.
Maximum connection number = choose a number from the drop down box (5, 10, or 15)
Maximum number of connections with the same account - I changed this to '1' from the default value of '3'. By default the Synology OpenVPN uses ID and password. I plan to change this to certificate authentication for better security.
Port = 1194 (Default) - It is a good idea to change this to another port to reduce port scanning. Additional layers of security are always a good thing.
Protocol = UDP (Default) You can change this to TCP if you like. Some people use 443/TCP to help them connect through various firewalls. If possible use UDP.
Encryption = AES-256-CBC - Choose this or another encryption algorithm. NOTE: This cipher is being deprecated. Perhaps the next release of OpenVPN on Synology will have current ciphers.
Authentication = SHA512 - Do not use SHA1 anymore. SHA256 is probably more than enough. But I went for the highest HMAC.
Check "Enable compression on the VPN link"
[OPTIONAL] - Check 'Allow clients to access server's LAN' - Enable this if you want to SSH or RDP to other boxes on your home LAN.
[OPTIONAL] - Do not check - Enable IPv6 server mode. Most people are not using IPv6 at this time.
Update the Synology Firewall
Based on the document 'Securing Synology NAS' mentioned above update your firewall to allow 1194/UDP. Or choose another port if desired.
Before changing anything else test out the basic configuration. Export your configuration from the OpenVPN GUI. Edit it with your dynamic DNS name. And install it on your phone or something else. Make sure everything works before proceeding.
Create Your Own CA
The default Synology OpenVPN setup uses ID and password for authentication. This is not recommended for several reasons. I am following the hardening guide from OpenVPN. At the time of this writing Synology is running OpenVPN v2.3.11 and OpenSSL v1.0.2n-fips. Two factor authentication is not an option with the Synology OpenVPN server at this time. It may be possible to compile the code yourself and update PAM.
NOTE: Once you manually update the configuration files you cannot hit 'apply' in the VPN Server configuration panel GUI. It will overwrite your settings. Make a backup of all your changes. It is possible that package updates may overwrite things as well.
Follow the steps below to configure your CA (Certificate Authority). The v1.0.2 MAN pages are here. And links to the main commands used are shown below with a brief explanation of each option.
CA Man Page - ca - This is a minimal CA application. It can be used to sign certificate requests (CSR) in a variety of forms and generate CRLs. It also maintains a text database of issued certificates and their status.
REQ Man Page - req - PKCS#10 certificate request and certificate generating utility. The req command primarily creates and processes certificate requests in PKCS#10 format. It can additionally create self signed certificates for use as a root CA.
X509 Man Page - x509 - A certificate display and signing utility. The x509 command is a multi purpose certificate utility. It can be used to display certificate information, convert certificates to various forms, sign certificate requests like a 'mini CA' or edit certificate trust settings.
Please note that in all of the commands below we must specify the updated openssl.conf file using the '-config' flag. We are not using the system default file.
1. Setup a New SSL Directory
Synology OpenSSL uses '/etc/ssl' as the default directory. (openssl version -d) I don't want to mess up any of the other items using SSL. So I will create a new openssl.conf file and directory structure for my CA. SSH to the Synology NAS and run the following commands as root or use sudo.
# Temporarily change the umask to ensure the newly created files and directories are secure
# (the umask value was not in the original post; 077 is assumed here)
umask 077
# Make a new directory for root-ca - /etc/ssl/root-ca
mkdir -m 0700 /etc/ssl/root-ca
# Change to that directory to lessen the amount of typing
cd /etc/ssl/root-ca
# Make the sub-directories:
#   certs   - PEM formatted certificates 'hash_of_name.pem'
#   db      - text based control files
#   private - private keys '*.key'
#   pub     - public certificates '*.crt'
#   csr     - certificate signing requests '*.csr'
mkdir -m 0700 certs db private pub csr
# Optionally make a directory to hold the OpenVPN OVPN client configuration files for each user. Note, my script requires this directory.
mkdir -m 700 ovpn
# Each private key should be secured by a unique strong password. To help secure these files the directory is only available to 'root'.
chmod 0700 private
# Seed the '.rand' file. This file is used to help create entropy.
# (the seeding command was not in the original post; any random source will do)
openssl rand -out private/.rand 1024
# For extra security we limit access to this file.
chmod 0600 /etc/ssl/root-ca/private/.rand
# Create the text based database file for openssl (the 'database' path from openssl.cnf).
touch db/index
# Create a random unique string to start the count of each public key. Each public key gets the next number in the sequence.
openssl rand -hex 16 > db/serial
# The number with which to start a sequence of numbers to identify revoked certificates. Each one will get a unique number.
echo 1001 > db/crlnumber
# For security make sure everything is owned by root. On other systems it is best not to run this as root.
chown -R root:root /etc/ssl/root-ca
2. Create a New Openssl.conf (aka openssl.cnf)
Now we need to create a new openssl.conf file. The file should be owned by 'root:root' with permissions of 0600. Synology OpenSSL uses '/etc/ssl/openssl.cnf' as the configuration file. You can copy that file over, or use the file from the *.tar.gz file I provide. The script from the *.tar.gz file will copy over the initial file.
I am using the Feisty Duck site and PKI tutorials to help me configure the openssl.cnf file. I am not creating OCSP responders. Use the sample file below to create openssl.conf. Edit the lines under the 'EDIT AS APPROPRIATE' comments as desired.
# The [default] section contains global constants that
# can be referred to from the entire configuration file. It may also hold
# settings pertaining to more than one openssl command.
# EDIT AS APPROPRIATE
# base_url = http://FQDN of your NAS
# Optional - update aia_url and crl_url
[ default ]
default_ca = ca_default                 # The default CA section
base_url = http://your_nas.lab.example.com
aia_url = $base_url/pub/ca.crt
crl_url = $base_url/ca.crl
name_opt = utf8,esc_ctrl,multiline,lname,align
prompt = yes

# EDIT THIS AS APPROPRIATE
# Update countryName, stateOrProvince, localityName & organizationName
# Optional - update commonName
# CA Distinguished Name (DN) - called from req section
[ ca_dn ]
countryName = "US"
stateOrProvinceName = "IL"
localityName = "Chicago"
organizationName = "Lava VPN"
commonName = "Root CA"

# The CA section defines the locations of CA assets, as
# well as the policies applying to the CA. Used by the 'openssl ca' command
[ ca_default ]
home = /etc/ssl/root-ca                 # Base directory
database = $home/db/index               # dB index file
serial = $home/db/serial                # Serial number file
crlnumber = $home/db/crlnumber          # CRL number file
certificate = $home/ca.crt              # CA public cert
private_key = $home/private/ca.key      # CA private key
RANDFILE = $home/private/.rnd           # Private random number file
new_certs_dir = $home/certs             # Public certs directory
unique_subject = no                     # Require unique subject
copy_extensions = none                  # Copy extensions from the CSR
default_days = 3650                     # Certify for 10 years
default_crl_days = 365                  # How long until next CRL
crl_extensions = crl_ext                # CRL extensions
default_md = sha512                     # Default signature algorithm
policy = match_pol                      # Default naming policy
x509_extensions = client_ext            # Default signing extensions

# The next part of the configuration file is used by the
# openssl req command. It defines the CA's key pair, its DN, and the desired
# extensions for the CA certificate.
[ req ]
default_bits = 2048                     # RSA key size
encrypt_key = yes                       # Protect private key
default_md = sha512                     # MD to use
utf8 = yes                              # Input is UTF-8
string_mask = utf8only                  # Emit UTF-8 strings
prompt = no                             # Don't prompt for DN
distinguished_name = ca_dn              # DN section
x509req_extensions = ca_reqext          # Extensions for CA self-signed

# Naming policies control which parts of a DN end
# up in the certificate and under what circumstances certification should be denied.
[ match_pol ]
countryName = match                     # Must match cn_dn
stateOrProvinceName = match             # Must match cn_dn
localityName = match                    # Must match cn_dn
organizationName = match                # Must match cn_dn
commonName = supplied                   # Must be present

# Certificate extensions define what types of
# certificates the CA is able to create.
[ root_ca_ext ]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

# CRL extensions exist solely to point to the CA
# certificate that has issued the CRL.
[ crl_ext ]
authorityKeyIdentifier = keyid:always

# Extensions used to create server
[ server_ext ]
keyUsage = critical,digitalSignature,keyEncipherment
basicConstraints = critical,CA:false
extendedKeyUsage = clientAuth,serverAuth
authorityKeyIdentifier = keyid:always
subjectKeyIdentifier = hash
I think you can use elliptic curve (EC) parameters instead of Diffie Hellman (DH) parameters. But I need to do some more research. I am using the 'dsaparam' flag to drastically reduce the amount of time it takes to create the file. I am using 2048 bits. Do not use 1024. And 4096 is overkill at this time.
Our default CRL days is 365. We need to create a new CRL every 365 days. Normally this is 30 days. But this is for a small personal OpenVPN instance. We want this as easy to manage as possible. Now create the CRL file before we create any other keys.
Now create the server private key (server.key) and CSR (server.csr). Adjust your '-subj' flags as required to match whatever you set in the 'openssl.cnf' file for the CA. When prompted enter a password for the private key (server.key). We need to remove the password for this key as Synology does not support authentication on the server key.
Now sign the CSR and generate the public key (server.crt). Remember you need to sign the CSR with the password for the CA private key (ca.key). Next we will verify that the public key has the correct information. Check to see the DN is correct and that the x509 extensions are correct. It should not be a CA and should point to the CA issuers public key (ca.crt).
We will use the first and last name of the person for each client certificate. The first and last names will be separated by a '.' (period /aka dot). You can add a '-' (dash) or another '.' (period /aka dot) to either name to help with repeated names. For example you can use 'john.doe-jr' or 'john.doe.jr' as the name. Update the 'subj' flag with the correct DN. Make sure you use client extensions.
Just like the server setup we need to create a private key and a CSR. Then we need to sign the CSR and create the public key. Make sure you use the client extensions.
First create the CSR and private key. Make sure you create a new secure password for the private key and keep track of it.
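The CA procedure in the paragraphs above (root CA, CRL, server key with its passphrase stripped, client key and CSR, signing with the CA passphrase, verification, and the revoke step the script automates), as an added shell example; it is not the post's syno-ovpn.ash script. It assumes the openssl CLI is installed, runs in a throwaway directory with a minimal openssl.cnf that reuses the page's section names, and the DN values, file names and demo passphrase are assumptions.

```shell
# Added example (not the page's syno-ovpn.ash): the CA lifecycle described above,
# run in a throwaway directory with a minimal openssl.cnf that reuses the page's
# section names. Assumes the openssl CLI; the DN and passphrase are demo values.
set -eu

DN_BASE="/C=US/ST=IL/L=Chicago/O=Lava VPN"   # must equal [ca_dn] for match_pol
PASS="demo-passphrase-change-me"             # one passphrase for the demo only

write_cnf() {   # $1 = CA home; a minimal version of the page's openssl.cnf
  cat > "$1/openssl.cnf" <<EOF
[ default ]
default_ca = ca_default
[ ca_default ]
home = $1
database = \$home/db/index
serial = \$home/db/serial
crlnumber = \$home/db/crlnumber
certificate = \$home/pub/ca.crt
private_key = \$home/private/ca.key
new_certs_dir = \$home/certs
default_days = 3650
default_crl_days = 365
default_md = sha512
policy = match_pol
[ req ]
prompt = no
distinguished_name = ca_dn
[ ca_dn ]
countryName = US
stateOrProvinceName = IL
localityName = Chicago
organizationName = Lava VPN
commonName = Root CA
[ match_pol ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
commonName = supplied
[ root_ca_ext ]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true,pathlen:0
[ server_ext ]
keyUsage = critical,digitalSignature,keyEncipherment
basicConstraints = critical,CA:false
extendedKeyUsage = serverAuth
[ client_ext ]
keyUsage = critical,digitalSignature
basicConstraints = critical,CA:false
extendedKeyUsage = clientAuth
EOF
}

gen_crl() {   # $1 = CA home; rerun at least every default_crl_days
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/ca.crl" -passin "pass:$PASS" 2>/dev/null
}

init_ca() {   # $1 = CA home: the page's directory layout, then the self-signed root
  mkdir -p "$1/certs" "$1/db" "$1/private" "$1/pub" "$1/csr" && chmod 0700 "$1/private"
  : > "$1/db/index"; openssl rand -hex 16 > "$1/db/serial"; echo 1001 > "$1/db/crlnumber"
  write_cnf "$1"
  openssl req -new -x509 -config "$1/openssl.cnf" -extensions root_ca_ext -newkey rsa:2048 \
    -days 3650 -keyout "$1/private/ca.key" -out "$1/pub/ca.crt" -passout "pass:$PASS" 2>/dev/null
  gen_crl "$1"
}

issue() {   # issue <home> <name> <server_ext|client_ext>: key + CSR, then sign with the CA
  openssl req -new -config "$1/openssl.cnf" -newkey rsa:2048 -keyout "$1/private/$2.key" \
    -out "$1/csr/$2.csr" -subj "$DN_BASE/CN=$2" -passout "pass:$PASS" 2>/dev/null
  openssl ca -batch -notext -config "$1/openssl.cnf" -extensions "$3" -in "$1/csr/$2.csr" \
    -out "$1/pub/$2.crt" -passin "pass:$PASS" 2>/dev/null
}

strip_passphrase() {   # $1 = CA home; Synology's OpenVPN cannot prompt for the server key
  openssl pkey -in "$1/private/server.key" -passin "pass:$PASS" -out "$1/private/server.key.tmp"
  mv "$1/private/server.key.tmp" "$1/private/server.key"
}

revoke() {   # revoke <home> <name>: mark revoked in db/index, then publish a fresh CRL
  openssl ca -config "$1/openssl.cnf" -revoke "$1/pub/$2.crt" -passin "pass:$PASS" 2>/dev/null
  gen_crl "$1"
}

cert_status() {   # cert_status <home> <name> <sslserver|sslclient> -> ok | rejected
  if openssl verify -CAfile "$1/pub/ca.crt" -CRLfile "$1/ca.crl" -crl_check -purpose "$3" \
       "$1/pub/$2.crt" >/dev/null 2>&1; then echo ok; else echo rejected; fi
}

demo() {   # end to end: the client verifies before revocation and is rejected after
  home=$(mktemp -d)
  init_ca "$home"
  issue "$home" server server_ext; strip_passphrase "$home"
  issue "$home" john.doe client_ext
  echo "server: $(cert_status "$home" server sslserver)"
  echo "john.doe before revoke: $(cert_status "$home" john.doe sslclient)"
  revoke "$home" john.doe
  echo "john.doe after revoke: $(cert_status "$home" john.doe sslclient)"
}
demo
```

The CRL-aware verify is the same check OpenVPN's crl-verify directive performs on each connection, so a revoked client is refused as soon as the fresh ca.crl is in place.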
The script mentioned in this document will copy the 'openvpn.conf' file shown below to '/etc/ssl/root-ca/ovpn/openvpn.conf.SERVER.SAMPLE'. Edit this file as required. Then copy it over the default Synology config. Feel free to make additional changes. At a minimum you need to edit the push routes and the server subnet. And you can also change the port if desired.
#
# OpenVPN Server Config
# Edit as appropriate
#

# Push routes to clients for local LAN subnet
# intranet - most home routers use 192.168.1.0/24
push "route 192.168.1.0 255.255.255.0"
# VPN network - choose whatever /24 you desire
push "route 10.2.192.0 255.255.255.0"

# Set Subnet mode
topology subnet

# VPN Server Subnet - OpenVPN uses x.x.x.1
server 10.2.192.0 255.255.255.0

# Do not allow split-tunneling
# Force ALL traffic through VPN
push "redirect-gateway def1"

# Listen on port (UDP or TCP) default 1194
port 1194

# Set Protocol - tcp or udp
proto udp

# Synology only supports TUN (L3)
# Set device tun/tap
dev tun0

# Keepalive n m = ping n ping-restart m
# ping every 10 seconds // restart after no ping in 60 sec
keepalive 10 60

# Renegotiate data channel key after N seconds (default=3600)
# 0 = disable
reneg-sec 0

# SSL/TLS certificates created by OpenSSL - root-ca
# ca = Root CA Self Signed Cert
# key = server running on Root CA private key
# cert = server running on Root CA public key
# dh = Diffie Hellman Parameters
# Syno default dir = /var/packages/VPNCenter/target/etc/openvpn/keys
ca /etc/ssl/root-ca/pub/ca.crt
key /etc/ssl/root-ca/private/server.key
cert /etc/ssl/root-ca/pub/server.crt
dh /etc/ssl/root-ca/dh2048.pem

# "HMAC FW" - helps block DoS attacks and UDP port flooding
# openvpn --genkey --secret ta.key
tls-auth /etc/ssl/root-ca/private/ta.key 0

# CRL Revocation List File Location
crl-verify /etc/ssl/root-ca/ca.crl

# Select a cryptographic cipher. (symmetric)
# Used by 'data channel'
# NOTE: OpenVPN 2.4 has newer ciphers GCM
# openvpn --show-ciphers
cipher AES-256-CBC

# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo adaptive

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 5

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Limit TLS v1.2
tls-version-min 1.2

# Limit TLS ciphers to those listed below
# Used by 'control channel'
# openvpn --show-tls
# EC and ECDSA tls ciphers only available in 2.4 or higher
# tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
# Using list below as this is v2.3.x
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

# Limit scripting level
# 0 - no calling of external programs
# 1 (default) only call built-in executables - ifconfig, ip, netsh
# 2 allow calling of user defined scripts
# 3 allow passwords to be passed to scripts via environmental variables (unsafe)
script-security 2

# Ensure clients have EKU - extended key usage - set to client
# Clients must be set to use server
# remote-cert-eku "TLS Web Server Authentication"
remote-cert-eku "TLS Web Client Authentication"

# Output a short status file showing
# current connections, truncated
# and rewritten every N (30 sec)
status /tmp/ovpn_status_2_result 30

# Status version N - 1, 2 or 3
status-version 2

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
# EOF
Setup OpenVPN Client Configuration
Edit the included sample client configuration to match your server configuration. Then for each new client change the name to easily identify each OVPN file. And concatenate the certificates in the proper order. First put CA certificate (ca.crt). Second add the new client public certificate. Third add the new client private key. And fourth add the TLS authentication file (ta.key).
The client configuration file will be identical with 3 exceptions.
For Windows clients comment out the 'user nobody' and 'group nobody' lines.
Each client will have their own unique client public key. (john.doe.crt)
Each client will have their own unique client private key. (john.doe.key)
Edit the sample file below as appropriate. Make sure you add the certificates.
#
# OpenVPN Client Config
# Needs to match server config
# Edit as appropriate
#

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tun0

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
# Should be dyn dns hostname
remote dyn.dns.name.for.nas 1194

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
# WINDOWS - COMMENT OUT USER AND GROUP NOBODY
; user nobody
; group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# Verify server certificate by checking that the
# certificate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
key-direction 1

# Allow remote peer to change IP (DHCP)
# Accept authenticated packets from any address
# not just address specified by 'remote' option
float

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC

# Select HMAC Authentication
# server/client must match
auth SHA512

# Verify EKU - Extended Key Usage is set to server on remote box
remote-cert-eku "TLS Web Server Authentication"

# Set TLS to min of 1.2
tls-version-min 1.2

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo adaptive

# Set log file verbosity.
verb 0

# To simplify OVPN client setup concatenate
# all certificates here in proper order
# 1 <ca> </ca>   2 <cert> </cert>
# 3 <key> </key> 4 <tls-auth> </tls-auth>
# ADD CERTS BELOW HERE
Concatenate the Client OVPN
The script will create our client OVPN file. If you do this manually you need to concatenate all of the files into the client OVPN file.
Add the user to the root CA using the commands above.
Copy the sample OVPN file and create a client OVPN file. (john.doe.ovpn)
Add the ca.crt file, client crt file, client key file, and ta.key. Each file must be enclosed with the identifiers shown below.
<ca>
cat ca.crt here
</ca>
<cert>
cat john.doe.crt here
</cert>
<key>
cat john.doe.key here
</key>
<tls-auth>
cat ta.key here
</tls-auth>
Overwrite the Synology openvpn.conf File
Copy our new OpenVPN server configuration file over the default Synology openvpn.conf file. Our new file is the server configuration shown above.
By default Synology uses the self-signed synology certificate for everything. We need to add a new certificate to the DSM GUI and then configure OpenVPN to use that new certificate. It has to be a chained certificate and include our new server.key (private key), the server.crt (public key), and the new root CA public certificate (ca.crt).
I tar these three files up before I transfer them.
/etc/ssl/root-ca/pub/ca.crt (Root CA public certificate)
/etc/ssl/root-ca/pub/server.crt (OpenVPN server public certificate)
/etc/ssl/root-ca/private/server.key (OpenVPN server private key)
Extract the files somewhere on your computer. Then launch the DSM GUI. (https://your_nas:5001)
Next launch the 'Control Panel'.
Navigate to 'Security' and then open the 'Certificate Tab'.
Choose 'Add a new certificate' and click 'Next'
Choose 'Import certificate'. Optionally add a description. Click 'Next'.
Now import the server.key, server.crt, and ca.crt. See the picture below.
Click OK to import the certificate. Then highlight your new certificate and click 'Configure'. Select 'server' (or what you used for a description) in the drop down box next to 'VPN Server'. And then click OK.
Restart OpenVPN so that it loads the new configuration. You may do this from the GUI or from the command line.
In the GUI open 'Package Center' and then scroll to 'VPN Server'. Open that and use the drop down box labeled 'Action' and select 'Stop'. Use the same box to start the VPN server again.
To check out your server configuration you may run the following.
openvpn --config ./openvpn.conf
Using the Script
Setting everything up manually isn't that difficult. And it is very useful to help learn about SSL and OpenVPN. But adding or revoking users can be a pain if you have to remember the correct syntax. I created a script to help build the root CA. And it will add and revoke users as well. I mentioned the script above. It is included in 'SYNO-OVPN.tar.gz'. The README file shows you how to use the script. And it explains how to edit the included sample files. Enjoy.
Go to the Package Center on your Synology NAS device. Install the 'WebDAV Server'.
There are very few options to configure in WebDAV. But there are some security issues and permission issues to consider. Please feel free to change the permissions described below.
WebDAV Settings Tab
Go to the main menu and then open WebDAV Server. Enable HTTPS. Optionally change the default port from 5006 to whatever you desire as long as it isn't in use already. (1025 - 65535) You may choose to enable the WebDAV log as well. Finally you have the option of limiting the speed. Click 'Apply' once you are done.
Create a WebDAV Group and User
By default only the administrators group has access to WebDAV. However, I don't want to allow administrative access from the web. So I will create a new group and a new WebDAV user. This user should also have 2FA enabled for increased security.
Go to: Control Panel > Group
Group name = webdav (Or whatever you prefer)
Group description = WebDAV Access Group
Skip the shared folder permissions as of now. We will be creating one or more shared folders for WebDAV.
Allow 'WebDAV Server' application permissions.
Go to: Control Panel > User
Name = <choose_name> (I used 'webby' for now)
Description = WebDAV User Access
Email = optional
Password = Create a password that meets your password rules requirements.
Add the user to the 'webdav' group. By default it is already part of the users group. Click 'Next'.
Skip granted shared folder access for now.
Allow the user to access the 'webDAV Server' application.
Create One or More Shared Folders
I don't like the idea of opening every folder in the root directory to WebDAV. I will create one folder for uploads with RW access. And add one or more folders with RO access. This may include some of the existing shared folders.
Go to: Control Panel > Shared Folders
First we will create an upload folder with RW permissions. Click 'Create'.
Name = upload
Description = WebDAV Upload Folder
Optionally encrypt this folder. Click 'Next' and then 'Apply'. Now we can setup our basic folder permissions.
admin - No access
Your new admin user - RW by default; set to No access
webby (or whatever WebDAV user you created) -
administrators - RW
webdav - RW
System internal user:
I need to experiment a bit more. Right now all system IDs have no access. But a few may need RO and possibly RW access.
There are some interesting advanced permissions. I need to experiment a bit more before adding any recommended setup steps for those permissions.
Pick one of your existing shared folders. Edit it. Change the group permissions for the webdav group to RO.
Verify DSM Access with New User
First verify that your new user has DSM access and set the password. Verify you can see your new 'upload' folder and whatever RO folder you chose. Upload a test file to your upload directory.
Add WebDAV SSL Certificate
Go to: Control Panel > Security > Certificate
Select your new SSL certificate. Then select 'Configure'. For the 'WebDAV Server' service change the certificate from the default synology.com certificate to your new SSL certificate. Click 'OK'.
Verify WebDAV Access
First we need to edit our hosts file. When we set up our SSL certificate we updated our hosts file and mapped 'syno.lab.example.com' to our internal private IP address (192.168.x.y). Now we need to disable this temporarily while we test WebDAV from the outside. This is a good reason why you may want to get two Let's Encrypt SSL certificates with different subdomains.
Put a hash (#) in front of the line containing the 192.168.x.y address of your NAS.
Save the file.
NOTE: Re-enable this mapping and test WebDAV access from your internal LAN as well. You may want to eliminate SMB access or other access methods and simply use WebDAV.
In Windows we can now map a network drive to our new WebDAV setup. Open File Explorer and then right click on 'This PC'. Select 'Map network drive'. Then fill out the new window as shown below.
Drive - choose any free drive letter you desire
Folder = https://syno.lab.example.com:5006
Check 'Connect using different credentials'
Click finish and then enter your ID and password
webby (The ID we created above)
passw0rd - Enter your password
Again verify that you can upload a file.
You may want to run 'tcpdump' on your NAS to see if any packets are hitting it.
tcpdump -i eth0 -lnpt tcp and port 5006
Limit Administrators Group WebDAV Access
You can access WebDAV with the new administrator ID you previously created. It actually won't have access to the upload folder. But I don't want administrative access available from the web.
Go to: Control Panel > Group
Select the 'administrators' group and then click 'Edit'. Go to the 'Applications' tab. Scroll down to the WebDAV Server line. Change the permissions from 'Allow' to either 'Deny' or 'By IP'. I am setting up 'By IP' and I will whitelist my internal private subnet. Typically home routers use a /24 subnet from the 192.168/16 network. If your home network is 192.168.55.0/24 you would enter the information as shown below. Adjust the subnet as required.
Limit WebDAV Access for the Admin User
We also need to limit WebDAV access by subnet for the newly created admin user. Go to the user panel in the control panel. Edit your administrator ID. And go to the Applications tab and repeat the steps above. Limit WebDAV access by IP to your local subnet.
Now verify your admin ID can access WebDAV locally but not from the internet.
2FA Not Available for WebDAV
Unfortunately 2FA is not available via WebDAV. At least not at this time. This is another reason to select strong passwords and to limit which folders are accessible over the web.
There are numerous WebDAV clients available for iOS and Android. Choose your favorite and have remote access to your files.
This is actually a better place to store your Keepass database. And other files that you may need to access away from home but want to keep away from prying eyes.
Access via a VPN is probably a bit more secure, but that is debatable.
Let's Encrypt provides a free automated SSL certificate that can be used to secure your Synology NAS. You can have multiple SSL certificates. Perhaps one for local LAN DSM logins and another for WebDAV internet access. Or you could use the same SSL certificate.
I am not replacing or removing the default Synology self-signed SSL certificate. You can always switch back to that for various services.
Setup Web Station
Let's Encrypt will query your Synology NAS on port 80/TCP and 443/TCP. I can't find the nice technical document I read before. When I do I will add the link to this document. By default the Synology NAS device does not listen on 80/TCP or 443/TCP nor does it have a website.
Go to Package Center and install 'Web Station'. Once that finishes go to the main menu and launch 'Web Station'. Follow the steps below to configure the virtual host.
By default Web Station uses Nginx. I have both PHP 5.6 and PHP 7.0 installed on my NAS. I need to figure out if I can uninstall PHP 5.6. But that is for a future date. I am not sure if Web Station will automatically install PHP. If necessary install that package as well.
General Settings Tab
Select the following items from the drop down boxes.
HTTP back-end server: = Nginx
PHP: = Default Profile ( PHP 7.0 )
Do NOT enable the personal website.
PHP Settings Tab
I think I deleted the PHP 5.6 profile from this tab. I didn't edit anything else.
Before adding the virtual host you need to create a document root. Go to the Control Panel and then click on 'Shared Folder' and then 'Create' a new shared folder in the root directory. Or if you prefer bury the folder in whatever path you desire. The name should be 'www'. But it can be anything you desire.
Shared Folder Setup
Name = www
Description = Virtual Host Root Directory
Permissions Local Users = Your Admin ID = RW
Permissions Local Groups = administrators = RW // http = RO
Go back to the web station settings and finish creating the virtual host. Fill out the panel as shown below. See the screen shot after the explanation.
Let's Encrypt will query our virtual host to verify that we own the domain we wish to secure with the SSL certificate. To allow this we need to create two sub-directories under the 'www' shared folder.
I prefer the command line. SSH into your NAS. (as root) Run the following commands.
Switch to your www directory. - example: cd /volume1/www
mkdir -m 0711 -p .well-known/acme-challenge
chmod -R 0711 .well-known
chown -R http:http .well-known
Setup Port Forwarding on Your Router
Let's Encrypt will query your NAS device using your public IP address given to you by your ISP. Your NAS should not be on the internet or in a DMZ. I don't use UPnP either. Port forwarding is very simple to setup. And just about any consumer router should allow you to setup port forwarding.
One catch to make port forwarding work is that your NAS needs to use the same private IP address at all times. I do this by setting up DHCP reservations on my router. But you could configure your NAS device to use a static IP address.
Name           Protocol   Port from   IP Address                                      Port to
HTTP-80        TCP        80          Private IP address of your NAS (192.168.x.y)    80
HTTPS-443      TCP        443         Private IP address of your NAS (192.168.x.y)    443
WebDAV-5006    TCP        5006        Private IP address of your NAS (192.168.x.y)    5006
The last rule assumes you will use the default secure WebDAV port. Feel free to change this to any port you desire as long as you change it in the WebDAV configuration as well.
Add additional rules if you enable additional packages on your NAS.
Verify Ports Are Open
I have read that some ISPs will block 80/TCP or 443/TCP. You may be able to get them to open these ports for you. Verify that your NAS is listening on 80/TCP and 443/TCP. You can use nmap or netstat. Synology does not have the 'ss' command as of yet. SSH to your NAS and run the following command.
netstat -ltn | egrep ':(80|443) '
Use Shields Up from GRC.com to probe your NAS device. First run tcpdump on your NAS so you can see if any traffic hits your box. The IP address is for shields up. (dig @126.96.36.199 shieldsup.grc.com +short)
tcpdump -i eth0 -lnpt 'tcp and (port 80 or port 443) and host 188.8.131.52'
Make sure you see a SYN [S] from GRC and a SYN-ACK [S.] going to GRC for each port you check. Don't worry about the reset flags [R.].
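To verify the Let's Encrypt prerequisites from this section and the .well-known/acme-challenge setup above without the loose "80|443" match (which also hits 8080, 4430 and address octets), here is an added POSIX shell script, not from the post. The netstat output it reads is a constructed sample, and the chown to http:http is left out because that account only exists on the NAS.

```shell
#!/bin/sh
# Added example, not part of the original post: check that the NAS is really
# listening on 80/TCP and 443/TCP by parsing `netstat -ltn` output exactly, and
# that the ACME challenge directory has the 0711 mode the post sets.
set -eu

# listening_tcp_ports: read `netstat -ltn` output on stdin and print one
# listening port per line (handles both "0.0.0.0:80" and ":::443" forms).
listening_tcp_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# has_listener PORT < netstat_output: success if PORT is in the listening set.
has_listener() {
    listening_tcp_ports | grep -qx "$1"
}

# acme_dir_mode DIR: print the permission string of DIR; "mkdir -m 0711"
# shows up as exactly drwx--x--x.
acme_dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# check_acme_ready NETSTAT_FILE WWW_ROOT: one report line per check,
# returns 1 if any check fails.
check_acme_ready() {
    rc=0
    for p in 80 443; do
        if has_listener "$p" < "$1"; then
            echo "ok   : listening on $p/TCP"
        else
            echo "FAIL : nothing listening on $p/TCP (is Web Station running?)"; rc=1
        fi
    done
    d="$2/.well-known/acme-challenge"
    if [ -d "$d" ] && [ "$(acme_dir_mode "$d")" = "drwx--x--x" ]; then
        echo "ok   : $d exists with mode 0711"
    else
        echo "FAIL : $d missing or not mode 0711"; rc=1
    fi
    return $rc
}

# Constructed sample: a NAS where Web Station is not installed yet, so only DSM
# (5000/5001), SSH and an unrelated 8080 listener exist, plus 443 on IPv6 only.
work="$(mktemp -d)"
cat > "$work/netstat.txt" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5001            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
EOF
# same mkdir as the post; chown http:http omitted here
mkdir -m 0711 -p "$work/www/.well-known/acme-challenge"

check_acme_ready "$work/netstat.txt" "$work/www" || echo "not ready for HTTP-01 validation yet"
```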
Subdomain = lab.example.com (replace lab with anything you desire)
Fully Qualified Domain Name (FQDN) = syno.lab.example.com (You don't really need to do this. But I wanted to use my Synology FQDN as the URL. You can simply use the subdomain if you desire.)
Go to: Control Panel > Security > Certificate
Click 'Add' to create a new certificate. Leave the default 'synology.com' self-signed certificate alone. It is our fallback certificate if we ever have issues. Follow the steps below.
Select 'Add a new certificate' and click 'Next'
Select 'Get a certificate from Let's Encrypt' and click 'Next'
Fill out Let's Encrypt information as shown below.
Domain name = syno.lab.example.com (FQDN from above. Or you could simply use the subdomain 'lab.example.com'. Whichever you prefer.)
Email = Your email address (must be a valid email)
Subject Alternative Name = mysyno.ddns.net OR mysyno.ddns.net;lab.example.com (The dynamic DNS name you created from a dynamic DNS provider. Since I used my FQDN for the domain name I also add the subdomain as a second SAN. Separate the two subject alternative names with a semi-colon. Again, adding the second SAN is optional.)
See the screen shot below.
Once you have filled it out click 'Apply'. Assuming everything is correct you should have a new SSL certificate. If things don't work you can look at the logs on your NAS. SSH and tail '/var/log/messages'.
Configure the New Certificate
To use this new certificate for DSM logins (5001/TCP) you need to set it as the system default certificate. Highlight the newly created certificate and click 'Configure'. You will see a list of all your services. Your list may be different than the screen shot shown below. The certificate column has a bunch of drop down boxes that allow you to select any configured certificate. For the 'System default' service use the drop down box and select your newly created Let's Encrypt certificate. And then click 'OK'.
Update Your Hosts File
I am not allowing DSM access from the web. You can continue to use the IP address of your NAS (https://184.108.40.206:5001) if you desire. But you will get the warning about an improper SSL certificate. The FQDN 'syno.lab.example.com' will resolve to your public IP address.
To allow for easy access from your LAN update your hosts file. Add the private IP address of your NAS and the FQDN and the subdomain. See the example below.
Mapping Synology to a subdomain with DDNS and CNAME
First Secure Your Synology NAS
Secure your Synology NAS before enabling internet access. Follow this post for more information.
You need to own your own domain. You need to understand the basics of DNS and have the ability to add a CNAME to DNS.
Setup Dynamic DNS (DDNS)
Your ISP provides you with a publicly routable IP address. You then connect your router to the ISP modem. Your devices inside your home have NAT'ed IP addresses and are all RFC 1918 addresses. These addresses are not routable on the internet. When you go to a website or use anything on the internet your router will translate your private IP to the public IP address provided by your ISP.
Most ISPs provide DHCP addresses. They change from time to time. To get a SSL certificate you need to be able to map your domain to an IP address. Dynamic DNS will automatically update the forward resolution of your domain name to IP address even if it changes. The TTL (time to live) needs to be short. Normally this is about 15 minutes or so. So any changes won't be immediately available. But for home use it is more than good enough.
You can use any number of DDNS providers. Synology also offers a DDNS service. I already added DDNS to my home router. So I am not going to walk through the setup in this article.
Setup DNS CNAME
Once you have set up DDNS you will have a resolvable domain name that maps to the IP address given to you by your ISP. For example Comcast (Xfinity) owns all of 73/8. So if your ISP is Comcast you will have a public IP like 73.x.y.z (where x, y and z are numbers between 0 and 255). Check what it is by going to ipchicken.com. And if you used noip.com as your DDNS provider, mysyno.ddns.net will resolve to your 73.x.y.z IP address. You can choose any available hostname and choose from a number of different domains.
mysyno.ddns.net A 73.x.y.z
If you owned the domain 'example.com' you could then create a subdomain and add a CNAME to mysyno.ddns.net. Lets say you create the subdomain syno.lab.example.com. So you have the following.
The domain you purchased. Presumably for your personal website. = example.com
Subdomain = lab.example.com (replace lab with anything you desire)
Fully Qualified Domain Name (FQDN) = syno.lab.example.com (You don't really need to do this. But I wanted to use my Synology FQDN as the URL. You can simply use the subdomain if you desire.)
You now need to setup a CNAME record for either the subdomain or the FQDN. The exact procedure will vary with your DNS provider. But you want to set it up like the following picture.
Here is our DNS zone information.
NAME                     TYPE    VALUE
------------------------------------------------
mysyno.ddns.net.         A       73.x.y.z
syno.lab.example.com.    CNAME   mysyno.ddns.net.
The CNAME is 'mysyno.ddns.net.'. The domain 'syno.lab.example.com.' is an alias to our DDNS domain. (mysyno.ddns.net.)
Since we own 'example.com' we can assign a SSL certificate to the subdomain of 'syno.lab.example.com'. In this example this is actually our Synology FQDN. Our home network domain would actually be 'lab.example.com'. And we can use this internally.
I will be writing several posts about Synology. I recently setup Let's Encrypt SSL certificates and will write all of that in a separate post. This article is just about the basic security steps for your new NAS.
Read the Official Documents
Synology provides a nice tutorial that covers the basic setup. Most of this document is based on that tutorial. I am just rewriting it to ensure I have a copy myself and as a quick checklist for my next NAS. Also URLs are subject to change from time to time.
I also found a nice article by Mike Tabor. He has three firewall rules I copied. Especially since I recently setup WebDAV and now my NAS is exposed to the internet.
Most if not all of the following steps will be performed within the Synology Control Panel. Below is a picture of the advanced panel.
1. Create a New System Administrator
Open the User panel and click on 'Create'. Fill in the information as desired. Select a nice long secure password that will meet your password rules. Click next.
Add the user to the 'administrators' group. Add the user to all of the other groups except the guest group. Your list may vary. Click next.
Assign shared folders permissions. (not shown) For the new admin user I select RW for all shared folders. However, that is not necessary. I was lazy for a long time and only had the default admin user. I will be setting up a normal user for day to day access. But I want to ensure my new admin has access to every existing folder. Click next.
Click next on the user quota settings panel. I never enabled this feature.
Assign application permissions. (not shown) For now I am allowing my new admin access to every application. Click next.
I am not setting up any user speed limits. Click next on the user speed limit setting panel.
Confirm your settings and click apply.
LOG IN WITH YOUR NEW ID!!
2. Disable Admin User and Guest User
Go back to the user panel. Click on the admin user. Click 'Edit'. Click 'Disable this account' and click 'OK'. Repeat these steps for the guest ID.
NOTE: You need to create additional users and possibly groups for day to day usage of the NAS. You should limit using the new admin user. This document does not cover all the steps needed to create new users and groups.
3. Setup the Password Strength Rules
Go to: Control Panel > User > Advanced Tab
I am not sharing my NAS with other users. Otherwise I would be even more strict. But I will enforce strong passwords and click all of the options and select a nice long minimum length. I am not setting up password expiration or password history. My new admin ID and any ID available from the web will have 2FA (Two Factor Authentication aka 2 Step Verification) enabled. Click 'Apply'.
I recommend setting up a test ID and verifying you can log into the NAS with that ID. Better safe than sorry.
4. Restrict Suspicious IP Addresses
Go to: Control Panel > Security > Account Tab
Click 'Enable auto block'. If desired change the login attempts and the number of minutes. I don't enable block expiration. See the picture below.
Scroll down and click 'Enable Account Protection' (not shown). I keep the default values. Click 'Apply'.
Enable Additional Security Options
While you are in the security panel go to the other tabs and enable some additional options.
Check the following and then click 'Apply'.
Logout time (minutes): 15 (default value - change if desired)
Improve protection against cross-site request forgery attacks
Improve security with HTTP Content Security Policy (CSP) header
Do not allow DSM to be embedded with iFrame
Clear all saved user login sessions upon system restart
Show notification on DSM desktop when the current IP changes
Click 'Enable DoS protection' and click 'Apply'.
Optionally click 'Enable HTTP Compression'. Under the TLS/SSL Cipher Suites click 'Modern compatibility'. Click 'Apply'.
5. Setup FW Rules
Go to: Control Panel > Security > Firewall Tab
Click 'Enable firewall'. Click 'Enable firewall notifications'. For the firewall profile select 'custom' from the drop down box. Then click 'Edit Rules'. Create three rules. I based this upon Mike Tabor's site mentioned above. As he says the first rule is a bit redundant. When you click 'Create' you will see the window below.
Here are the three rules. Make sure they are listed in this order as firewalls read the rules from top to bottom. The most restrictive rules should be on top.
Block all ports and all protocols from Russia and up to 15 countries. Do this by using the location option in the source IP section. You can create additional groups of countries to block. Obviously don't block your own country.
Allow Virtual Host 80/TCP, Virtual Host 443/TCP, and WebDAV 5006/TCP from the USA. For the port list use 'Select from a list of built-in applications' and then select the appropriate applications from the list. Adjust this list for other services you may wish to access via the internet. This list is for Let's Encrypt and WebDAV.
Allow all ports and protocols from your local LAN. (RFC 1918 addresses)
Click OK. And then click 'Apply'.
NOTE: I previously enabled Synology QuickConnect. It enables a few additional ports in the FW. I need to update the rules for QuickConnect or disable QuickConnect. I disable UPnP on my router which disables some of the usefulness of QuickConnect. I would like to use a couple of the DS apps on my phone. Use this document for more information on how to use QuickConnect and the flows.
A Few Notes about Let's Encrypt
Let's Encrypt offers two validation methods. You can use DNS validation or HTTP validation. I have read that the TLS validation method is being deprecated. The Synology NAS device uses HTTP validation. All that is required is 80/TCP access from the web to the NAS. However, Let's Encrypt will follow redirects to 443/TCP. That is why 443/TCP is being added to the firewall rules. In a later post I setup a virtual host and use HSTS to force HTTPS connections.
6. Setup 2FA
For the current user click on 'Options' (upper right of the browser window) then click 'Personal'. See the screen shot below.
Click on 'Enable 2-step verification' and the wizard will start. Click 'Next' on the opening screen. See the screen shot below.
Scan the QR code with the authentication app of your choice. I drew a red line through the QR code to prevent scanning. Save the QR code or the secret key so you can add it to a new authentication app in the future if needed.
Enter the 6 digit code to verify it is working. And then click 'Next'.
Enter a valid email address for an emergency verification code. Note, if you haven't yet setup notifications it will ask you if you want to do that now. You can skip this for now. Just make sure you go back and do this later on.
Click 'Close'. Click 'OK'.
LOG OUT AND LOG IN WITH YOUR NEW 2FA!!
Optionally go back to the User panel and open the advanced tab. Scroll down and click 'Enforce 2-step verification for the following users'. And then select administrator groups only or all users.
7. Force HTTPS Connections
We will be using the default self-signed SSL certificate for now. But once the Let's Encrypt certificate is in place we want to ensure we always use a secure encrypted connection.
Go to: Control Panel > Network > DSM Settings Tab
Check the following:
Optionally change the port numbers from the default ports. (5000/TCP & 5001/TCP)
Check "Automatically redirect HTTP connections to HTTPS (Web Station and Photo Station excluded)"
Check "Enable HTTP/2"
Check "Enable the 'Server' header in HTTP responses"
Custom "Server" header = nginx (You may have different options based on which packages you have installed.)
8. Enable SSH Access
Go to: Control Panel > Terminal & SNMP > Terminal Tab
Perform the following steps:
Clear out "Enable Telnet service" to disable this service
Check "Enable SSH service"
Port: 22 - I leave the default port. At this time I am not opening SSH to the internet. The Synology Security Advisor recommends changing the default port. I would change the port if I opened it to the internet. One article I read mentioned that changing the port dropped the number of casual port scans by 98%. Better yet would be to have a pfSense firewall and update iptables for rate limiting. The Synology NAS can do this as well. But more layers of security are always better.
Click 'Advanced Settings'
Click "High" to ensure the most recent encryption algorithms are used. Or you can click customize and select the exact algorithms you desire or require.
Click 'Apply' and click 'Apply' again on the next screen.
It is also a good idea to setup public key authentication. And double check the sshd_config file and edit as appropriate.
You can also enable SFTP. To do this see '11. Secure File Services' below.
This document does not cover setting up /etc/sudoers. But it is good practice to avoid using root. Use a normal user and run sudo when you need root access. However, Synology does not have 'visudo'. As of now I haven't played with the Synology sudoers file. You could just edit it with VI directly. Keep in mind that Synology is designed to be run with very little normal human intervention. And editing key files may cause issues with various packages.
Enable root SSH Access
By default you can SSH with the admin ID. And with the newly created admin ID. Note, you do not use 2FA when SSH'ing into the box. And you can sudo to root. But at times you may wish to SSH as root. Not the most secure access method. But until recently I was rather insecure on my NAS. If it doesn't work follow this article to enable root SSH access.
9. Disable IPv6
Most people are not using IPv6 as of yet. This is especially true on your internal LAN.
Go to: Control Panel > Network > Network Interface Tab
Edit the LAN connection. Switch to the IPv6 tab and choose 'Off' from the IPv6 setup drop down box. Click 'OK'.
10. Setup NTP
It is always good to have the correct time.
Go to: Control Panel > Regional Options > Time tab
Select the desired time zone from the time zone drop down box. Under time setting click 'Synchronize with NTP server'. For server address choose your desired NTP server. I use 'pool.ntp.org'. Click 'Update Now' to verify it is working. Click 'Apply'.
11. Secure File Services
Go to: Control Panel > File Services
Only open services you require. Unless required you should disable FTP and TFTP.
If you enable SMB make sure you click on the Advanced Settings and disable SMBv1. That is no longer secure.
I no longer use my Mac. I have a couple of older MacBook Pros. But I actually prefer Windows. (sue me) Plus Mac hardware isn't as good anymore anyway.
FTP should be disabled. But you can scroll down and enable SFTP. Change the port number if so desired.
Disable TFTP (69/UDP) unless required.
I like rsync. (873/TCP) If you enable this make sure you click on 'Edit rsync Account' and change the default 'admin' ID to your new administrator ID.
I disable Bonjour (5353/UDP - zeroconf) and SSDP (1900/UDP). Disabling Bonjour may interfere with some of the DS packages. I need to verify this and see if I lose some of the packages I use.
Click Apply after making any changes on each tab.
12. Setup Notifications
Go to: Control Panel > Notification
You have three options for notifications. You can choose one or all three. The three options are SMS, email, or push notifications.
Setting up email is pretty self explanatory. You can select one of the major email providers and sign into your account. Or you can choose custom SMTP and configure everything based on your requirements.
I haven't tried SMS yet. It appears you need to provide a custom URL with your password. I am not going to do that.
The push notifications require you to install the DS Finder app. It works. But I still am not planning on opening DSM (5001/TCP) to the web. And I don't really need push notifications.
One important note that once you setup notifications make sure you go to the advanced tab. Edit which notifications you receive and how you receive them. By default almost everything is sent via email.
13. Other Steps
I have the cloud storage packages installed. I need to examine the various DS apps and decide if I want to uninstall some of them. As mentioned above I also need to see if I want to disable QuickConnect. The fewer things installed the more secure you are.
I have an older Synology NAS device. I can only encrypt certain folders. It is recommended to encrypt your most sensitive data.
Go to the main menu. Click on Security Advisor. Today I have it setup for home and personal use. Make sure you run the scan and fix any issues. Except I don't change my SSH port. It isn't open to the internet. So instead of using the home and personal scan I setup a custom scan based upon the home profile.
Go to the advanced tab. Select 'custom' as the security baseline. Click customize checklist. Update it based on the list below. Make any changes you desire.
Malware - Potentially malicious programs have been found on your system.
Malware - Malicious system configuration settings were found on your system.
Network - Automatic redirection from HTTP to HTTPS is disabled
Network - Default firewall policy is set to allow on interfaces with public IP
Network - LAN services are accessible from the internet.
Network - Telnet service is enabled
System - LDAP client service is not using encryption
System - FTP service w/o encryption is enabled
System - TFTP service is enabled
System - The option 'Enhance browser compatibility by skipping IP checking' is enabled
System - 'Improve protection against cross-site request forgery attacks' is disabled
System - 'Do not allow DSM to be embedded with iFrame' is disabled
System - Auto Block is disabled
System - Malicious startup scripts were found on your system
System - Optware has been found on your DSM
Update - DSM regular update checking is not enabled
Update - You are not using the latest version of DSM
Update - Email notification for new DSM updates is disabled
Update - Some of your packages are not up-to-date
Account - Password strength rules do not meet requirements for work and business
Account - Anonymous FTP is enabled
Account - The guest account is enabled
Account - Some users have weak passwords
Account - User home directory permission has been incorrectly modified
Account - Password strength rules do not meet requirements
Save your settings. Go back to the overview tab and scan your system. Verify everything is good.
Now schedule a weekly scan. Or scan it more frequently if you desire. Go back to the advanced tab and enable the scan schedule. Pick a day and time that works for you. And then click apply.
17. Update Folder Permissions
If you have previously created shared folders you need to go back and review the permissions of each folder.
It is assumed that you will be creating one or more users for general access. And a lot of the shared folders will only need RO (read-only) access for general usage. For example, if you have a video folder there is no need to allow write access to it to stream your movies around your house.
18. Enable Automatic Updates
Go to: Control Panel > Update & Restore
Go to the DSM Update tab. Click on 'Update settings'. Now you can have DSM install the updates or just download the available updates. With notifications enabled you will be emailed when you need to perform updates.
I select the following options.
Newest DSM and all updates
Check for DSM updates automatically
Download DSM updates but let me choose whether to install them
Schedule it as desired
You can also force automatic updates for your packages. That is done in the package center. Click on settings and then on auto update. Choose if you want to automatically update some or all of your packages.
Back Up Your Configuration
Now that everything is set up, back up your configuration. From the 'Update and Restore' tab in the control panel click on the Configuration Backup tab. Then click on back up configuration and save the file. Save it someplace besides your NAS.
How to install Samsung Easy Settings on a Windows 10 box. You must uninstall it first to upgrade from Windows 7 to Windows 10. It must also be uninstalled to upgrade to the Fall Creators Edition.
Samsung Easy Settings
I have the Samsung Series 9 (NP900X4AC) laptop. Samsung created a stupid little application called Easy Settings to "help" with a number of basic settings. The one useful thing it does is control the special 'FN' key to allow you to use the function key shortcuts. You can live without these keys. And there is probably a way to enable these features without the Easy Settings application.
Samsung never updated this application for Windows 10. As a result you cannot upgrade from Windows 7 to Windows 10 without first uninstalling this application. After you upgrade it won't install with the default settings either. But there are workarounds. Samsung Easy Settings also prevented me from updating to the MS Windows Fall Creators Update. And I suspect it will be an issue in future major updates to Windows 10. Here is one way to get around this problem.
Uninstall Samsung Easy Settings
These directions assume you are running your computer as a standard user and not an Administrative user. When I first upgraded to Windows 10 I had to uninstall another Samsung application as well. But I never installed that again and I don't remember what it was. Follow the directions below to uninstall Easy Settings.
Launch command line and run it as an administrator. Click on the start button and then type 'cmd'. Once you see the command prompt application right click on it and select 'Run as administrator'. Then type the following command.
Scroll down and select 'Easy Settings' and click 'Uninstall'. Reboot to be safe.
Upgrade Windows 10
Once you uninstall Samsung Easy Settings it should be straightforward to upgrade Windows 10 using the Windows tools. Once you are done with the upgrade you can reinstall Samsung Easy Settings.
You can use Windows Powershell to check the sha256sum. In the example below I placed 'Samsung_Easy_Settings.tar.gz' in my 'Downloads' directory. The variable '$ENV:USERPROFILE' equates to 'C:\Users\<your_user_name>'. Adjust the path as required.
Use 7-zip or another program to unzip and un-tar it to any directory of your choice.
The setup.exe file has already been renamed to setup1.exe. If you download Easy Settings from Samsung directly you must rename setup.exe to setup1.exe.
Right click on setup1.exe and select "Run as administrator". Follow the prompts to install the application and reboot.
Setup Windows 7 Compatibility
You must enable Windows 7 compatibility on Samsung Easy Settings. I am modifying the EXE itself. But you can also do this using the desktop shortcut for Easy Settings.
Navigate to "C:\Program Files (x86)\Samsung\Easy Settings" in File Explorer. Right click on "ControlCenter.exe" and select "Properties". The following window will open. Please note that I have already changed the compatibility to Windows 7. The values are greyed out. You need to click on "Change settings for all users" and provide the Administrator password.
As stated above click on "Change settings for all users". The following screen will appear. Under 'Compatibility mode' check the box for 'Run this program in compatibility mode for:' and then in the drop down list select 'Windows 7'. I also check the box for 'Run this program as an administrator' at the bottom of the screen. See the screen shot below. The two changes are highlighted by a red box. Click OK. And then click "OK" again on the previous screen. Reboot to be safe.
You should now be able to run Easy Settings. And the function keys should operate correctly. Make sure you check the Easy Settings and change things as you wish. It will default back to the Samsung defaults.
The Registry Values
You can also manually edit the registry if you so desire. The changed values are shown below.
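As an added example (not the post's own registry values), the same two compatibility settings applied from an elevated PowerShell by writing the AppCompatFlags "Layers" value that the Compatibility tab edits. The ControlCenter.exe path is the one from the post; the layer string "~ WIN7RTM RUNASADMIN" (Windows 7 mode plus run as administrator) is an assumption you should compare against what the GUI wrote on your own box.

```powershell
# Added example, not from the original post. Writes the per-executable
# compatibility layer to the all-users key (HKLM), which is why it needs an
# elevated PowerShell. The value NAME is the full path of the executable and
# the value DATA is the layer string; "~" is the marker Windows 8+ prepends.
$Exe            = 'C:\Program Files (x86)\Samsung\Easy Settings\ControlCenter.exe'
$AllUsersLayers = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$Layer          = '~ WIN7RTM RUNASADMIN'   # assumed: Windows 7 mode + run as administrator

function Get-CompatLayer {
    param([string]$ExePath, [string]$Key)
    $item = Get-ItemProperty -Path $Key -Name $ExePath -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ExePath
}

function Set-CompatLayer {
    param([string]$ExePath, [string]$Key, [string]$Value)
    if (-not (Test-Path -LiteralPath $ExePath)) {
        throw "Executable not found: $ExePath"
    }
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $ExePath -Value $Value `
        -PropertyType String -Force | Out-Null
}

$before = Get-CompatLayer -ExePath $Exe -Key $AllUsersLayers
Write-Host ("Before: " + $(if ($before) { $before } else { '<not set>' }))

Set-CompatLayer -ExePath $Exe -Key $AllUsersLayers -Value $Layer

# Read it back so a silent failure (wrong hive, no elevation) is caught.
$after = Get-CompatLayer -ExePath $Exe -Key $AllUsersLayers
if ($after -ne $Layer) { throw 'Compatibility layer was not written' }
Write-Host "After:  $after"
```

Open the Properties > Compatibility tab afterwards; the checkboxes should now show the same state the GUI procedure above produces.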
The power management settings may change back to the default settings. This will happen if you modified the default settings but did not create a new power plan. One way to check your values is shown below.
From a command prompt run the following command.
C:> control powercfg.cpl
Make any desired changes. Keep in mind some other settings may have reverted back to the defaults. You may need to change a few other items.
Running MS Settings, Control Panel, Windows Administrative Tools, and GodMode from the command line. This is useful if you run your computer as a standard user.
Standard User vs Administrative User
I run my computers as a standard user. And with the latest creators update if I right click on 'This PC' and select 'Manage' it no longer works properly. It doesn't give me administrative rights. And not all tools in the start menu have the right click option to run as Administrator. Plus I like command line tools anyway. Not that these are true command line tools as they simply launch a GUI window. This chart includes the control panel sub-windows. And it includes a few other tools. This MS post has the official documentation about running control panel from the command line.
You first need to launch the command line, or powershell, as an administrative user. Click on the 'Windows Logo' (aka the start button) in the taskbar and then type 'cmd'. Right click on that application and select 'Run as administrator'. You can also launch Powershell and right click on that and run it as administrator.
The Command Line Tools
As stated above you need to be running the command line or powershell as an administrative user. Most of these commands may be run without typing 'control'. Not all commands will work on every computer. It will depend on your environment. The second chart shows other useful tools.
This document does not cover computers in Active Directory.
Control Panel Tool
Add New Hardware
control sysdm.cpl add new hardware
control main.cpl keyboard
Microsoft Mail Post Office
(OLD control netcpl.cpl)
control main.cpl pc card (PCMCIA)
(OLD control main.cpl power)
Scanners and Cameras
control mmsys.cpl sounds
Other Useful Tools
This is how to launch the new MS Settings application and most of the Windows Administrative Tools from the command line.
How to setup the NTP client on standalone Windows boxes. And an explanation of the various registry settings. Use powershell and the command line tools to setup NTP.
NTP is Fun
Synchronized time is important and very easy to setup. This article is for setting up the NTP clients on a Windows 10 box. This is NOT for a box that is part of an active directory domain. This is only for standalone boxes. Or in other words it is for your home computer not your business computers. NTP uses 123/UDP.
Links to the Official Docs
This article only touches the surface of NTP. It is a pretty basic service and easy to setup. But it can get rather complicated if you deep dive into the subject. Note that the basic NTP client does not support NTP authentication (NTP keys). You need to use active directory to enable authentication.
I spent some time looking up the various registry settings related to NTP. A typical home user will not need to change most of these settings. This is just a reference. These settings are used when you configure an Active Directory Domain Controller to serve as a NTP server. Most of these settings are hexadecimal (base 16 // 0-9 A-F). You can combine options by adding their values together. If you don't understand binary or converting between decimal and hex, don't play with any of these settings.
Refer to the Windows Time Service Tools and Settings link above for more information about the various registry settings.
This is a space delimited listing of each NTP server the client will query. Each NTP server can be listed as a hostname or an IP address. Each NTP server needs to be followed by a comma and the appropriate hexadecimal flag.
0x1 - Use the special poll interval set in the registry instead of the default value. The default is 7 days (604,800 // 0x00093a80)
0x2 - Use this source only as a fallback if all other time sources have failed.
0x4 - Send request as SymmetricActive Mode. This is for Windows servers.
0x8 - Send NTP queries in client mode
Most home users will use '0x8'. If you want to query the NTP servers more frequently then use '0x9' which is '0x8 + 0x1'.
This determines in seconds how often the computer will poll or query the NTP servers. This is an optional change. If you are uncomfortable changing registry settings do not use this option. You must set the '0x1' flag in the NtpServer settings to use this feature.
The default value is every 7 days. But W32Time will poll on a floating interval, based on the quality of the time samples being returned by the time source. In this example I will be using the public NTP pool servers. And since microsecond accuracy isn't that important for a home user I will be querying the servers every 12 hours. (sec = 43,200 // hex = 0x0000a8c0)
IMPORTANT: In build 1702 SpecialPollInterval is contained by the \Config\MinPollInterval and \Config\MaxPollInterval registry values. I am still on build 1607. I need to verify these settings once my computer is finally updated.
This entry indicates from which peers to accept synchronization.
NoSync - The time service does not synchronize with other sources.
NTP - The time service synchronizes from the servers specified in the NtpServer registry key. (Our required value and the default value for standalone boxes.)
NT5DS - The time service synchronizes from the domain hierarchy.
AllSync - The time service uses all the available synchronization mechanisms.
This entry controls whether this computer is marked as a reliable time server. A computer is not marked as reliable unless it is also marked as a time server. The default value for domain members and standalone clients is 10. (hex = a)
0x0 - Not a time server
0x1 - Always a time server
0x2 - Automatic time server
0x4 - Always reliable time server
0x8 - Automatic reliable time server.
As stated above the default value is 10 (0x8 + 0x2). This means our client is an automatic reliable time server and an automatic time server.
This is one of three registry settings that describe how the W32Time process will start. The other two are 'W32Time\Type' and 'W32Time\DelayedAutostart'. All three settings are DWORD data types. The start setting specifies how the service is loaded or started. If the service is a Win32 service, the value of this entry must be 2, 3, or 4. This entry is not used for network adapters. The W32Time service has a start value of 2 (automatic).
0 - Boot (loaded by the kernel loader). Components of the driver stack for the boot (startup) volume must be loaded by the kernel loader.
1 - System (loaded by I/O subsystem). Specifies that the driver is loaded at kernel initialization.
2 - Automatic (loaded by the Service Control Manager). Specifies that the service is loaded or started automatically.
3 - Manual. Specifies that the service does not start until the user starts it manually, such as by using Device Manager.
4 - Disabled. Specifies that the service should not be started.
Identifies the type of service represented by the subkey. The W32Time service has a type value of 32.
1 (0x1) - A kernel-mode device driver.
2 (0x2) - A file system driver.
4 (0x4) - A set of arguments for an adapter.
8 (0x8) - A file system driver service, such as a file system recognizer.
16 (0x10) - A Win32 program that runs in a process by itself. This type of Win32 service can be started by the service controller.
32 (0x20) - A Win32 program that shares a process. This type of Win32 service can be started by the service controller.
272 (0x110) - A Win32 program that runs in a process by itself (like type 16) and that can interact with users.
288 (0x120) - A Win32 program that shares a process (like type 32) and that can interact with users.
This subkey is added when an automatic process is set to start at boot but with a delayed start. The Set-Service cmdlet cannot set a process to a delayed start. The 'sc config' command line tool does allow this option. Use the commands below to create this subkey if necessary.
Use the command below to verify all of the settings.
Get-ItemProperty -Path $RegRoot
To just see one of the subkeys and get rid of the various PS* properties pipe the output to the 'Format-List' cmdlet. This can be shortened to 'FL'. I am not adding the '-Name' flag to the 'Get-ItemProperty' cmdlet as it is not necessary.
It is very simple to setup NTP using the old command line tools. But Microsoft is moving away from those tools. Powershell is the future. Here are the commands to setup everything using Powershell. This assumes you are running Powershell as an administrative user by right clicking and running as an administrator. Everyone should be running Windows as a standard user and not an administrative user. Keep in mind that powershell is not case sensitive.
Start and Stop a Service
Use 'Start-Service w32time', 'Stop-Service w32time', and 'Get-Service w32time' to start and stop the service. And then to verify the status of the service.
To Start = Start-Service w32time (net start w32time)
To Stop = Stop-Service w32time (net stop w32time)
Status = Get-Service w32time
View the Startup Mode
A way to verify the startup mode for a particular service.
ExitCode  : 0
Name      : W32Time
ProcessId : 1076
StartMode : Auto
State     : Running
Status    : OK
Setup the NTP Server List
This example uses '0x9'. Change this to '0x8' if you don't want to change the SpecialPollInterval registry value. The command is broken up over several lines using the backtick ( ` ) to make it easier to understand. This doesn't paste well into powershell. You need to remove the backticks and reduce this to a single line before pasting into powershell.
As stated above the 'Set-Service' cmdlet cannot set a service to delayed autostart. I am not sure if the 'DelayedAutostart' registry setting is set to '1' by default for the W32Time service. But it is easy to check first.
You can also use the 'sc config' command line tool within powershell. Inside powershell 'sc' is an alias for the 'Set-Content' cmdlet, so call the executable by its full name. The space after 'start=' is required.
sc.exe config w32time start= delayed-auto
Adjust the SpecialPollInterval
This step is truly unnecessary for home users. Home users should use the '0x8' flag on the NTP server list. But it is easy enough to change. The setting is in seconds. One hour (3600) is 60 seconds times 60 minutes. Multiply 3600 by X number of hours to get your desired hour value. Multiply 3600 by 24 and then by X number of days to get the number of seconds for that desired day value.
7 Days = 604800 (Default Value)
12 Hours = 43200
4 Hours = 14400
1 Hour = 3600
15 Minutes = 900
Run the following commands to set the value to 12 hours (43200 seconds).
Now that everything has been setup it is time to resync W32Time. This command is a standard command line tool. But it can be run within the powershell environment. Like the other commands run above you need to be an administrative user to run this command. I am adding the '/rediscover' flag to force W32Time to re-read the configuration information.
w32tm /resync /rediscover
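The whole Powershell procedure above (server list with the '0x9' flag, 'Type' set to NTP, a 12 hour 'SpecialPollInterval', restart, and resync) collected into one script, as an added example rather than the post's own commands. The pool.ntp.org hostnames are placeholders, $RegRoot is assumed to be the W32Time service key the post's 'Get-ItemProperty' check uses, and it must be run from an elevated Powershell.

```powershell
# Added example, not from the original post. Configures a standalone
# Windows 10 box as an NTP client using the registry values described above.
$RegRoot     = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'   # assumed
$PollSeconds = 43200                               # 12 hours
$Servers     = @('0.pool.ntp.org', '1.pool.ntp.org', '2.pool.ntp.org')  # placeholders
# 0x8 = client mode; add 0x1 only when SpecialPollInterval should be honoured.
$Flag = if ($PollSeconds -eq 604800) { '0x8' } else { '0x9' }

# Build the space delimited "host,flag host,flag" string NtpServer expects.
function New-NtpServerList {
    param([string[]]$Hosts, [string]$HexFlag)
    return ($Hosts | ForEach-Object { "$_,$HexFlag" }) -join ' '
}

function Set-StandaloneNtpClient {
    param([string]$ServerList, [int]$Interval)
    # NtpServer and Type live under \Parameters; Type must be NTP on a standalone box.
    Set-ItemProperty -Path "$RegRoot\Parameters" -Name 'NtpServer' -Value $ServerList
    Set-ItemProperty -Path "$RegRoot\Parameters" -Name 'Type'      -Value 'NTP'
    # SpecialPollInterval is a DWORD in seconds and only applies with the 0x1 flag.
    Set-ItemProperty -Path "$RegRoot\TimeProviders\NtpClient" `
        -Name 'SpecialPollInterval' -Value $Interval -Type DWord
}

# Read everything back so a typo in a value name or a non-elevated shell is caught.
function Test-StandaloneNtpClient {
    param([string]$ExpectedList, [int]$ExpectedInterval)
    $p = Get-ItemProperty -Path "$RegRoot\Parameters"
    $c = Get-ItemProperty -Path "$RegRoot\TimeProviders\NtpClient"
    return ($p.NtpServer -eq $ExpectedList) -and ($p.Type -eq 'NTP') -and
           ($c.SpecialPollInterval -eq $ExpectedInterval)
}

$list = New-NtpServerList -Hosts $Servers -HexFlag $Flag
Set-StandaloneNtpClient -ServerList $list -Interval $PollSeconds

# Set-Service cannot do delayed autostart, so use sc.exe (not the 'sc' alias).
sc.exe config w32time start= delayed-auto | Out-Null
Restart-Service w32time

# Classic tool, runs fine from powershell; /rediscover forces a config re-read.
w32tm /resync /rediscover | Out-Null

if (-not (Test-StandaloneNtpClient -ExpectedList $list -ExpectedInterval $PollSeconds)) {
    throw 'W32Time registry values did not apply as expected'
}
# Show which source the client actually synchronized from.
w32tm /query /source
```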
The Easy Setup
If you are just a normal user it is a lot easier to use the old command line tools. Microsoft is trying to deprecate these tools. But it won't happen anytime soon. You must run the command window as an administrative user.
net start w32time
The following command is one line broken up by carets (^) to make it more legible.