Synology NAS and QuickConnect

Brief explanation on setting up QuickConnect on Synology NAS

QuickConnect Security

QuickConnect on a Synology NAS has real merits and some issues. It reaches your NAS from the internet by hole punching through Synology's relay infrastructure, so you do not need a port forward on your router: every connection the NAS makes is outbound.

QuickConnect uses two different methods for access. (See this PDF for more information.)

  1. Relay: all traffic flows through a Synology relay server.
  2. Direct access, negotiated through the relay server. This method requires DDNS (Dynamic DNS) and UPnP.

Connections through the relay server are encrypted. As far as I can tell traffic flows over 443/UDP. With the second method the direct connection can also be secured with a Let's Encrypt certificate (see below), but it depends on UPnP, and UPnP is extremely insecure even internally: any device on the LAN can open ports on the router through it with no authentication. I set it up just to test out QuickConnect.

To see the ports I set up tcpdump captures on my DD-WRT router on the WAN interface (vlan2) and the LAN interface (br0). I also ran tcpdump on my Synology NAS. An example of my tcpdump command is shown below.

tcpdump -lnpt -i vlan2 tcp and \
port \(5000 or 5001 or 62323 or 62324 or 62325 or 6690\)

The Flow

Your NAS sends registration information to the relay server. When you use DS File or log into the DSM GUI via the QuickConnect URL or ID (https://quickconnect.to/<your_ID>), the client first connects to the relay server. The relay server tells the client the DDNS address (<your_ID>.synology.me), and the client then connects directly once the NAS has opened the port for the connection. I know I have missed some network magic in how this all works.
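To check the claims in this flow against a capture rather than take them on trust, here is an added example (not from the original post) that classifies every new TCP connection in tcpdump output by direction. It assumes the capture was taken on the LAN interface with the tcpdump command shown above and that the NAS lives in 192.168.1.0/24; the capture embedded in it is constructed, not a real trace. Any 'inbound' line is a connection that reached the NAS from outside, that is, a forwarded port. With relay-only QuickConnect there should be none; with UPnP enabled you will see the forwarded DSM ports.

```sh
#!/bin/sh
# Classifies every new TCP connection in a tcpdump capture as outbound (NAS -> internet)
# or inbound (internet -> NAS). Only SYN packets without ACK count, so each connection is
# reported once. Assumes the capture was taken on the LAN side with `tcpdump -lnpt -i br0 tcp`.
set -eu

# Constructed sample (not a real trace): 192.168.1.50 plays the NAS, 203.0.113.x two
# relay servers, 198.51.100.7 an internet client reaching a UPnP-forwarded port.
SAMPLE_CAPTURE='IP 192.168.1.50.41234 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
IP 203.0.113.10.443 > 192.168.1.50.41234: Flags [S.], seq 2, ack 2, win 65160, length 0
IP 192.168.1.50.41234 > 203.0.113.10.443: Flags [.], ack 3, win 502, length 0
IP 192.168.1.50.41235 > 203.0.113.11.443: Flags [S], seq 3, win 64240, length 0
IP 198.51.100.7.51000 > 192.168.1.50.5001: Flags [S], seq 4, win 64240, length 0
IP 192.168.1.50.5001 > 198.51.100.7.51000: Flags [S.], seq 5, ack 5, win 65160, length 0'

list_connections() {  # list_connections LAN_PREFIX : capture on stdin -> "DIRECTION REMOTE_HOST DST_PORT" per SYN
    awk -v lan="$1" '
        $1 == "IP" && $5 == "Flags" && $6 == "[S]," {
            src = $2; dst = $4; sub(/:$/, "", dst)          # "a.b.c.d.port", trailing colon dropped
            split(src, s, "."); split(dst, d, ".")
            shost = s[1] "." s[2] "." s[3] "." s[4]
            dhost = d[1] "." d[2] "." d[3] "." d[4]
            if (index(shost, lan) == 1)      print "outbound", dhost, d[5]
            else if (index(dhost, lan) == 1) print "inbound", shost, d[5]
        }'
}

count_inbound() {  # count_inbound LAN_PREFIX : capture on stdin -> number of connections that reached the LAN from outside
    list_connections "$1" | grep -c '^inbound' || true
}

# Example run: two outbound relay connections (to 443) and one inbound hit on 5001.
printf '%s\n' "$SAMPLE_CAPTURE" | list_connections 192.168.1.
```

Feed a real capture with `tcpdump -lnpt -i br0 tcp | list_connections 192.168.1.` (or a saved file with `cat`) and leave it running while you open the QuickConnect URL; the LAN prefix must end in a dot so 192.168.1. does not also match 192.168.10.x.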

Setup

This is a brief explanation of how to set up QuickConnect. I don't plan to keep UPnP enabled, but I may need it in the future for something or other. These directions assume you already have a QuickConnect ID; if not, go to the QuickConnect tab in the Synology Control Panel and request a new ID. Then go to the Advanced tab, enable the relay service, select 'Automatically create port forwarding rules', and select one or more applications that are accessible via QuickConnect. See the picture below.

QuickConnect Advanced Tab

E-Z Internet

The easiest way to set up everything else is to use 'E-Z Internet' from the main menu. This sets up DDNS on your NAS, the router configuration on your NAS, and the UPnP port forwarding rules on your router.

You should be able to set up everything manually as well. First go to the 'External Access' tab in the control panel and add a new DDNS provider that will map to the WAN IP address from your ISP. Use the synology.me DDNS service and select a new hostname for your NAS.

Next go to the router configuration tab, create two new rules for the applications, and test the connection afterwards. See the picture below.

Router Configuration Tab

Verify Your Router UPnP Setup

Verify your router has the correct UPnP rules. These may vary slightly depending on which applications you enabled via QuickConnect. Compare what you see against what you intended to expose: any rule in this table could just as easily have been created by some other device on the LAN. The last two octets of my NAS IP address have been whited out. Not that my private address matters too much anyway. Your router may display the information differently. See the picture below.

DD-WRT UPnP Tab
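The table the router shows in its UPnP tab can be read by any host on the LAN with no authentication at all, because that is what the IGD protocol is. Below is an added example (not from the original post) that walks the mapping table with the standard GetGenericPortMappingEntry SOAP action, so you can verify the rules from a shell and see for yourself how little stands between a LAN device and the router's NAT table. The control URL is a hypothetical value; take the real one from your router's UPnP device description XML or from `upnpc -l` (miniupnpc). The embedded response is constructed so the parser can be exercised offline.

```sh
#!/bin/sh
# Enumerates the port mappings an IGD router currently holds using the unauthenticated
# SOAP action any LAN host may call. Requires curl for the live query.
set -eu

IGD_CONTROL_URL="${IGD_CONTROL_URL:-http://192.168.1.1:5000/ctl/IPConn}"   # hypothetical; read yours from the device description
IGD_SERVICE='urn:schemas-upnp-org:service:WANIPConnection:1'

soap_get_mapping_request() {  # soap_get_mapping_request INDEX : SOAP body asking for table entry INDEX
    printf '<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:GetGenericPortMappingEntry xmlns:u="%s"><NewPortMappingIndex>%s</NewPortMappingIndex></u:GetGenericPortMappingEntry></s:Body></s:Envelope>' "$IGD_SERVICE" "$1"
}

xml_field() {  # xml_field NAME : text of the first <NAME> element in the XML on stdin (empty if absent)
    tr -d '\n\r' | sed -n "s:.*<$1>\([^<]*\)</$1>.*:\1:p"
}

parse_mapping() {  # parse_mapping : one SOAP response on stdin -> "PROTO EXTPORT -> CLIENT:INTPORT (DESC)"; fails on a SOAP fault
    body=$(cat)
    ext=$(printf '%s' "$body" | xml_field NewExternalPort)
    [ -n "$ext" ] || return 1
    printf '%s %s -> %s:%s (%s)\n' \
        "$(printf '%s' "$body" | xml_field NewProtocol)" "$ext" \
        "$(printf '%s' "$body" | xml_field NewInternalClient)" \
        "$(printf '%s' "$body" | xml_field NewInternalPort)" \
        "$(printf '%s' "$body" | xml_field NewPortMappingDescription)"
}

list_mappings() {  # list_mappings : walk the table by index until the router answers with UPnP error 713 (end of list)
    i=0
    while resp=$(soap_get_mapping_request "$i" | curl -s --max-time 5 \
            -H 'Content-Type: text/xml; charset="utf-8"' \
            -H "SOAPAction: \"$IGD_SERVICE#GetGenericPortMappingEntry\"" \
            --data-binary @- "$IGD_CONTROL_URL"); do
        printf '%s' "$resp" | parse_mapping || break
        i=$((i + 1))
    done
}

# Constructed response (not captured from a real router), used to exercise the parser offline.
SAMPLE_RESPONSE='<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>5001</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>5001</NewInternalPort><NewInternalClient>192.168.1.50</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>DSM HTTPS</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
```

Run `list_mappings` on the LAN to print every forward the router holds. The same service exposes AddPortMapping and DeletePortMapping with the same (absent) authentication, which is the concrete reason to disable UPnP once QuickConnect testing is done.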

Let's Encrypt

Yes, you can use Let's Encrypt with QuickConnect. You still need to own a domain (example.com), and you add a CNAME record in that domain that points at your synology.me DDNS hostname. You keep using the QuickConnect ID or URL to reach the device; it will then use your synology.me hostname. DSM's built-in Let's Encrypt client validates over HTTP, so port 80 must reach the NAS whenever the certificate is issued or renewed.

First create a DDNS synology.me hostname. In this example we use 'mysyno.synology.me', which maps to your WAN IP address, here 73.1.2.3 (73/8 belongs to Comcast/Xfinity).

DDNS: mysyno.synology.me A 73.1.2.3

You need to own a domain; in this example I own 'example.com'. In that domain's DNS create a CNAME record for a subdomain, here 'mysyno.example.com', pointing at the DDNS hostname: 'mysyno.example.com' is the alias and 'mysyno.synology.me' is its target.

mysyno.example.com. CNAME mysyno.synology.me.

Synology - CalDAV Setup

Setting up calendars on Synology. I am using the WebDAV package, which includes CalDAV. I cannot use the Calendar package on my old Synology NAS. I think it is time to buy a new NAS.

Prerequisites

Please follow the documents below first. Feel free to create a new, unique SSL certificate for use with the calendar; it will then serve both WebDAV and CalDAV. Or you may use the same SSL certificate you use for other services.

  1. Securing Synology NAS
  2. Synology - Map Domain with DDNS
  3. Synology - Setup Let's Encrypt SSL Certificates

Not Using the Calendar Package

I am not using the Calendar package from Synology; it isn't supported on my old NAS. But the basics of using calendars on Synology should be the same. I am using CalDAV from the WebDAV package.

Basic Setup

My post on setting up WebDAV covers the basics of installing the package. Once that is done, open the WebDAV Server application from the main menu, click the 'Calendar' tab, check 'Enable CalDAV' and click 'Apply'. See the picture below.

Enable CalDAV

Secure Setup

I will create two groups for calendar access: one with read/write access and one with read-only access. I will also create a shared folder with limited access to hold all my calendars.

NOTE: The read only access will be used to allow users to access one or more calendars but not allow them to edit the calendar. This is useful if you want to publish a schedule. This is not necessary for most home users.

Shared Folder

First create a shared folder. I will name it 'caldav'. Next create the two new groups described in the next section. Then come back and verify the group permissions for the 'caldav' shared folder.

CalDAV Shared Folder Group Permissions

Create Two New Groups

Create the following two new groups.

  1. caldavRW
  2. caldavRO

The settings are shown below. For the RW group make the 'caldav' folder writeable. For the RO group make it read only.

CalDAV RW Group Settings

Create Two New Users

Now create two new users: one with read/write access and one with read-only access. Make sure you can log into DSM with each user. I am creating the following two users.

  1. cally (RO)
  2. kalel (RW)

The goal is to limit access for each ID to just the 'caldav' shared folder. See the permissions below.

RW Calendar User Permissions

Create a Calendar

I will use Mozilla Thunderbird to create a calendar, but any calendar application should work as long as it supports CalDAV. When you create a new calendar, a new folder is created in the 'caldav' shared folder. I will create two calendars, 'calone' and 'caltwo'. These directions assume the default WebDAV HTTPS port of 5006; feel free to change this port. If you use the Calendar package from Synology the port will be different. My port is secured by SSL/TLS. Follow the steps below.

Create a New Calendar in WebDAV

First we need to create a new calendar in WebDAV. Launch the WebDAV Server application from the Synology main menu, go to the Calendar tab, click 'View calendar list' and then 'Add'. Provide a calendar name and select 'caldav' as the destination. See the screenshot below.

Add a New Calendar in WebDAV

When you create 'calone' and 'caltwo' you will have two new folders, 'calone' and 'caltwo', under 'caldav', each containing the hidden folder '.DAV'. I will publish a new calendar into each directory.

Thunderbird Steps

  • Install Mozilla Thunderbird and launch it
  • Go to "File // New // Calendar" - Choose the following options
    • Locate your calendar = "On the Network"
      • Click Next
    • Format = CalDAV
    • Location = https://syno.lab.example.com:5006/caldav/calone
    • Check "Offline Support"
      • Click Next
    • Name = Choose a descriptive name for your new calendar
      • calone
      • caltwo
    • Color = Choose a color for your new calendar
    • Show Reminders = keep checked
    • Email = none - feel free to add an email address
      • Click Next
    • Now provide your user name and password (RW ID)
    • Click Finish

Repeat these steps for 'caltwo' and any other future calendars.

Publish a New Calendar

  • From Mozilla Thunderbird go to "Events and Tasks // Publish"
  • Choose your calendar and click 'OK'
  • Publishing URLs for 'calone' and 'caltwo'
    1.  https://syno.lab.example.com:5006/caldav/calone/calone.ics
    2. https://syno.lab.example.com:5006/caldav/caltwo/caltwo.ics

CalDAV Clients

Now use your favorite CalDAV client with the URLs below to synchronize with the newly created calendars. Use the RW or RO user ID for access.

  1. https://syno.lab.example.com:5006/caldav/calone
  2. https://syno.lab.example.com:5006/caldav/caltwo
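Group permissions on a shared folder are only worth the setup if the CalDAV endpoint enforces them. Here is an added example (not from the original post) that probes exactly that: it PUTs a throw-away event as the read-only account and expects a refusal, then as the read/write account and expects 201 Created, and deletes the event again. The calendar URL is the one from the list above and is an assumption, as are the account names; pass real credentials as USER:PASSWORD. TLS is verified against the system trust store, which is why the Let's Encrypt certificate from the prerequisites matters here.

```sh
#!/bin/sh
# Probe that the caldavRO / caldavRW split is enforced by the server, not just by DSM's folder ACLs.
set -eu

CAL_URL="${CAL_URL:-https://syno.lab.example.com:5006/caldav/calone}"   # assumed calendar collection

make_vevent() {  # make_vevent UID SUMMARY DTSTART_UTC : minimal iCalendar object with the CRLF line ends RFC 5545 requires
    printf 'BEGIN:VCALENDAR\r\nVERSION:2.0\r\nPRODID:-//caldav-acl-probe//EN\r\nBEGIN:VEVENT\r\nUID:%s\r\nDTSTAMP:%s\r\nDTSTART:%s\r\nSUMMARY:%s\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n' \
        "$1" "$3" "$3" "$2"
}

caldav_request() {  # caldav_request METHOD URL USER:PASS [BODY] : prints only the HTTP status; TLS is verified (never add -k)
    if [ -n "${4:-}" ]; then
        printf '%s\n' "$4" | curl -sS -o /dev/null -w '%{http_code}' -u "$3" -X "$1" \
            -H 'Content-Type: text/calendar; charset=utf-8' -H 'If-None-Match: *' --data-binary @- "$2"
    else
        curl -sS -o /dev/null -w '%{http_code}' -u "$3" -X "$1" "$2"
    fi
}

acl_verdict() {  # acl_verdict RO_STATUS RW_STATUS : "ok" only if RO was refused (401/403) and RW created the event (201)
    case "$1" in 401|403) ro=1 ;; *) ro=0 ;; esac
    case "$2" in 201) rw=1 ;; *) rw=0 ;; esac
    if [ "$ro" = 1 ] && [ "$rw" = 1 ]; then echo ok; else echo FAIL; fi
}

probe_acl() {  # probe_acl RO_USER:PASS RW_USER:PASS : run the check against CAL_URL and clean up after itself
    uid="acl-probe-$$@example.com"
    ics=$(make_vevent "$uid" "ACL probe" "$(date -u +%Y%m%dT%H%M%SZ)")
    ro=$(caldav_request PUT "$CAL_URL/$uid.ics" "$1" "$ics")
    rw=$(caldav_request PUT "$CAL_URL/$uid.ics" "$2" "$ics")
    if [ "$rw" = 201 ]; then caldav_request DELETE "$CAL_URL/$uid.ics" "$2" >/dev/null; fi
    printf 'RO PUT=%s RW PUT=%s verdict=%s\n' "$ro" "$rw" "$(acl_verdict "$ro" "$rw")"
}
```

Usage: `probe_acl 'cally:<password>' 'kalel:<password>'`. A verdict of FAIL with RO PUT=201 means the read-only group is not actually read-only on that collection; RW PUT=401 with correct credentials usually means the account was not granted the 'caldav' folder at all.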

Synology OpenVPN Setup

Configuring a secure OpenVPN implementation on Synology NAS devices

Prerequisites

Secure your Synology NAS before enabling internet access. Follow this document before proceeding.

You need to set up dynamic DNS in order to reach your WAN IP from the public internet. Most people get a DHCP-assigned address from the ISP, so the WAN IP address may change from time to time. There are numerous free and paid dynamic DNS services available; pick whichever you like. Dynamic DNS can be configured on most home routers and on the Synology NAS itself.

You don't need your own domain to use OpenVPN, nor a Let's Encrypt certificate. It is best to create your own CA (Certificate Authority) and sign your own certificates: with a private CA the server trusts only the client certificates you issued, whereas trusting a public CA would accept any certificate that CA ever issued. The setup of the root CA is described in detail below.

Set up port forwarding on your home router. The default port for OpenVPN is 1194/UDP, but you can choose any port and change the protocol as well. Every router has a different interface; use https://portforward.com/ for instructions if needed (don't buy their little tool, port forwarding is quite simple to set up). It is recommended to set up a DHCP reservation or a static IP address for your Synology NAS so the forward keeps pointing at it. Setting up either option varies from device to device and is beyond the scope of this document.

Official Documentation

The user should always read the official documentation first. This document is based on the official documents plus a few other websites. The official documents will help explain in detail all of the various settings.

For the root CA (certificate authority) I mainly used the directions from the Feisty Duck SSL cookbook. I also borrowed from a few different websites. The openssl.cnf file has tons of options. And there are probably better ways to configure it. I previously created my own CA on my DD-WRT router. This setup is a bit better. And I suspect if I do this in the future I will learn a bit more then. The OpenVPN setup has also improved over my DD-WRT setup. I used a few websites to help setup OpenVPN.

  1. Deprecated OpenVPN commands - some of the options used here will be deprecated in the near future, but for now Synology ships OpenVPN 2.3.x.
  2. Hardening OpenVPN - I took some of these suggestions.
  3. Another hardening guide
  4. A third hardening guide

High Level Overview

This is a very long document. But the steps are not hard. I found a new WordPress plugin that will allow for tabs. That will make long documents like this a lot more usable.

I created a script to help setup the root-ca and make it easier. And to make it more consistent. The script follows the high level procedures below. More information about the script can be found at the bottom of this document.

Transfer SYNO-OVPN.tar.gz to your NAS. This file has my script and a few configuration files. And it includes a nice little README file.

  1. Install the Synology OpenVPN package
  2. Configure the Synology OpenVPN package
  3. Test the Synology OpenVPN package before making any manual changes.

Now use the script or follow the manual directions to build your own root CA and to secure OpenVPN. Extract the files in /tmp or /root; this creates a subdirectory named 'SYNO-OVPN'.

Now edit the files and update the variables for your environment. Use the included README for instructions on what to edit. Then run './syno-ovpn.ash build' to set up the basic directory structure and copy over a few configuration files.

  1. Setup the directory structure for the Root CA (./syno-ovpn.ash BUILD)
    1. Setup /etc/ssl/root-ca and sub-directories
    2. Copy the key files
  2. Switch to /etc/ssl/root-ca. Double check the configuration files and finish editing them if required. The script renamed some of the files when it copied them to the new directory.
    1. /etc/ssl/root-ca/openssl.conf
    2. /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf
    3. /etc/ssl/root-ca/ovpn/openvpn.client.ovpn
    4. /etc/ssl/root-ca/syno-ovpn.ash (Script mentioned above)
  3. Setup the Root CA (./syno-ovpn.ash root-ca)
  4. Setup the Diffie Hellman file (./syno-ovpn.ash DH)
  5. Add Users (./syno-ovpn.ash -f john -l doe add)
    1. This will create the CSR and private key for the user
    2. Sign the CSR and create the public key for the user
    3. Setup an OVPN file for the user
  6. The script will also make it easier to revoke client certificates
    (./syno-ovpn.ash -f john -l doe revoke)
  7. Overwrite the Synology openvpn.conf server configuration file with our more secure configuration.
  8. Manually add the new SSL/TLS files to the Synology GUI for the OpenVPN package
    1. server.key (server private key)
    2. server.crt (server certificate)
    3. ca.crt (root CA certificate)

Install the OpenVPN Package

Synology has a VPN Server package. It supports three VPN protocols.

  • PPTP - Point to Point Tunneling Protocol. Do not use it: its MS-CHAPv2 authentication and RC4-based MPPE encryption are both broken.
  • L2TP/IPsec - Layer 2 Tunneling Protocol inside IPsec (Internet Protocol Security). L2TP itself doesn't encrypt; the encryption is IPsec's. IPsec is sound, but Synology's implementation authenticates with one pre-shared key shared by every client plus a username and password, which is weaker than per-client certificates.
  • OpenVPN - Recommended. Very configurable and open source.

Go to the package center and install 'VPN Server'. Once it is installed go to the main menu and select VPN Server. There are very few native configuration options within this package. Click on the 'OpenVPN' tab and fill in the information as desired.

  • Check 'Enable OpenVPN Server'
  • Dynamic IP address = pick any /24 private subnet you desire. In this example I am using 10.1.1.0/24.
  • Maximum connection number = choose a number from the drop-down box (5, 10, or 15)
  • Maximum number of connections with the same account = I changed this to '1' from the default of '3'. By default Synology's OpenVPN authenticates with a DSM user ID and password; I plan to change this to certificate authentication for better security.
  • Port = 1194 (default). Moving to another port cuts down the background scanning noise in your logs, but it is not a security control by itself; the tls-auth key configured later is what rejects unauthenticated probes.
  • Protocol = UDP (default). You can change this to TCP if you like; some people use 443/TCP to get through restrictive firewalls. If possible use UDP.
  • Encryption = AES-256-CBC. A sound choice for OpenVPN 2.3; CBC mode relies on the separate HMAC set below for integrity. Prefer AES-256-GCM once the Synology package ships OpenVPN 2.4 or later.
  • Authentication = SHA512. Do not use SHA1 anymore. SHA256 is probably more than enough, but I went for the highest HMAC.
  • Leave "Enable compression on the VPN link" unchecked. Compressing data before encryption leaks information about the plaintext (the 2018 VORACLE attack against OpenVPN is the CRIME/BREACH idea applied to VPN tunnels), and the OpenVPN project now recommends against compression.
  • [OPTIONAL] Check "Allow clients to access server's LAN" if you want to SSH or RDP to other boxes on your home LAN.
  • [OPTIONAL] Leave "Enable IPv6 server mode" unchecked. Most people are not using IPv6 at this time.
  • Click 'Apply'
OpenVPN Configuration Panel

Update the Synology Firewall

Based on the document 'Securing Synology NAS' mentioned above update your firewall to allow 1194/UDP. Or choose another port if desired.

Before changing anything else, test the basic configuration: export the configuration from the OpenVPN GUI, edit it with your dynamic DNS name, and install it on your phone or another device. Make sure everything works before proceeding.

Create Your Own CA

The default Synology OpenVPN setup uses a user ID and password for authentication. This is not recommended: the password is the only secret, it is reusable, and it is the same credential that logs into DSM. I am following the hardening guide from OpenVPN. At the time of this writing Synology is running OpenVPN v2.3.11 and OpenSSL v1.0.2n-fips. Two-factor authentication is not an option with the Synology OpenVPN server at this time. It may be possible to compile the code yourself and update PAM.

NOTE: Once you manually update the configuration files you cannot hit 'apply' in the VPN Server configuration panel GUI. It will overwrite your settings. Make a backup of all your changes. It is possible that package updates may overwrite things as well.

Follow the steps below to configure your CA (Certificate Authority). The v1.0.2 MAN pages are here. And links to the main commands used are shown below with a brief explanation of each option.

GENRSA Man Page - genrsa - Generates an RSA private key.

CA Man Page - ca - This is a minimal CA application. It can be used to sign certificate requests (CSR) in a variety of forms and generate CRLs. It also maintains a text database of issued certificates and their status.

REQ Man Page - req - PKCS#10 certificate request and certificate generating utility. The req command primarily creates and processes certificate requests in PKCS#10 format. It can additionally create self signed certificates for use as a root CA.

X509 Man Page - x509 - A certificate display and signing utility. The x509 command is a multi purpose certificate utility. It can be used to display certificate information, convert certificates to various forms, sign certificate requests like a 'mini CA' or edit certificate trust settings.

Please note that in all of the commands below we must specify the updated openssl.conf file using the '-config' flag. We are not using the system default file.

1. Setup a New SSL Directory

Synology OpenSSL uses '/etc/ssl' as its default directory ('openssl version -d'). I don't want to disturb anything else that uses SSL, so I create a separate openssl.conf and directory structure for the CA. SSH to the Synology NAS and run the following commands as root or with sudo.

  • # Temporarily change the umask so newly created files and directories are private
    • umask 0077
  • # Make a new directory for the root CA
    • mkdir -m 0700 /etc/ssl/root-ca
  • # Change to that directory to lessen the amount of typing
    • cd /etc/ssl/root-ca
  • # Make the sub-directories (certs - a copy of every issued certificate, named '<serial>.pem' by 'openssl ca' // db - the text database and counters // private - private keys '*.key' // pub - certificates '*.crt' // csr - certificate signing requests '*.csr')
    • mkdir -m 0700 certs db private pub csr
  • # Optionally make a directory to hold the OpenVPN client configuration (.ovpn) files for each user. My script requires this directory.
    • mkdir -m 0700 ovpn
  • # Each private key should be secured by a unique strong password. To further protect these files the directory is only accessible to 'root'.
    • chmod 0700 private
  • # Seed the '.rand' file, which OpenSSL uses as an extra entropy source (referenced as RANDFILE in openssl.conf)
    • dd if=/dev/urandom of=/etc/ssl/root-ca/private/.rand bs=256 count=1
  • # For extra security we limit access to this file.
    • chmod 0600 /etc/ssl/root-ca/private/.rand
  • # Create the text database in which 'openssl ca' records every certificate it issues and its status
    • touch db/index
  • # Start the serial number sequence at a random value; each issued certificate gets the next number
    • openssl rand -hex 16 > db/serial
  • # Start the CRL number sequence; each CRL we generate gets the next number
    • echo 1001 > db/crlnumber
  • # Make sure everything is owned by root. On other systems it is best not to run the CA as root.
    • chown -R root:root /etc/ssl/root-ca

2. Create a New openssl.conf (aka openssl.cnf)

Now we need to create a new openssl.conf file, owned by 'root:root' with permissions 0600. Synology OpenSSL uses '/etc/ssl/openssl.cnf' as its configuration file; you can copy that file as a starting point or use the file from the *.tar.gz I provide (the script from the *.tar.gz copies the initial file for you).

  • vi /etc/ssl/root-ca/openssl.conf

I used the Feisty Duck site and the PKI tutorials to configure this file. I am not creating OCSP responders. Use the sample file below to create openssl.conf and edit the values under the 'EDIT AS APPROPRIATE' comments as desired.

# The [default] section contains global constants that can be
# referred to from the entire configuration file. It may also
# hold settings pertaining to more than one openssl command.

# EDIT AS APPROPRIATE
# base_url = http://FQDN of your NAS
# Optional - update aia_url and crl_url
[ default ]

default_ca          = ca_default            # The default CA section
base_url            = http://your_nas.lab.example.com
aia_url             = $base_url/pub/ca.crt
crl_url             = $base_url/ca.crl
name_opt            = utf8,esc_ctrl,multiline,lname,align
prompt              = yes

# EDIT THIS AS APPROPRIATE
# Update countryName, stateOrProvince, localityName & organizationName
# Optional - update commonName
# CA Distinguished Name (DN) - called from req section

[ ca_dn ]
countryName          = "US"
stateOrProvinceName  = "IL"
localityName         = "Chicago"
organizationName     = "Lava VPN"

commonName           = "Root CA"

# The CA section defines the locations of CA assets, as well as
# the policies applying to the CA. Used by the 'openssl ca' command
[ ca_default ]
home                = /etc/ssl/root-ca     # Base directory
database            = $home/db/index       # dB index file
serial              = $home/db/serial      # Serial number file
crlnumber           = $home/db/crlnumber   # CRL number file
certificate         = $home/pub/ca.crt     # CA public cert (where step 5 writes it)
private_key         = $home/private/ca.key # CA private key
RANDFILE            = $home/private/.rand  # Private random number file (seeded in step 1)
new_certs_dir       = $home/certs          # Public certs directory
unique_subject      = no                   # Require unique subject
copy_extensions     = none                 # Never copy extensions from the CSR; they are set at signing time
default_days        = 3650                 # Certify for 10 years
default_crl_days    = 365                  # How long until next CRL
crl_extensions      = crl_ext              # CRL extensions
default_md          = sha512               # Default signature algorithm

policy              = match_pol            # Default naming policy
x509_extensions     = client_ext           # Default signing extensions

# The next part of the configuration file is used by the
# openssl req command. It defines the CA's key pair, its DN,
# and the desired extensions for the CA certificate.
[ req ]
default_bits        = 2048        # RSA key size
encrypt_key         = yes         # Protect private key
default_md          = sha512      # MD to use
utf8                = yes         # Input is UTF-8
string_mask         = utf8only    # Emit UTF-8 strings
prompt              = no          # Don't prompt for DN
distinguished_name  = ca_dn       # DN section
x509_extensions     = root_ca_ext # Extensions for the self-signed CA cert made with 'req -x509' in step 5.
                                  # The option name is 'x509_extensions'; 'x509req_extensions' is not
                                  # recognised by openssl req and would silently leave the CA cert
                                  # without CA:true / keyCertSign.

# Naming policies control which parts of a DN end up in the
# certificate and under what circumstances certification
# should be denied.
[ match_pol ]
countryName           = match     # Must match ca_dn
stateOrProvinceName   = match     # Must match ca_dn
localityName          = match     # Must match ca_dn
organizationName      = match     # Must match ca_dn
commonName            = supplied  # Must be present

# Certificate extensions define what types of certificates
# the CA is able to create.
[ root_ca_ext ]
keyUsage                 = critical,keyCertSign,cRLSign
basicConstraints         = critical,CA:true,pathlen:0
subjectKeyIdentifier     = hash
authorityKeyIdentifier   = keyid:always

# CRL extensions exist solely to point to the CA certificate
# that has issued the CRL.
[ crl_ext ]
authorityKeyIdentifier    = keyid:always
# Extensions used to create the server certificate
[server_ext]
keyUsage                 = critical,digitalSignature,keyEncipherment
basicConstraints         = critical,CA:false
extendedKeyUsage         = serverAuth   # serverAuth only: clients check it with 'remote-cert-tls server',
                                        # and a server key should never double as a client credential
authorityKeyIdentifier   = keyid:always
subjectKeyIdentifier     = hash

# Extensions used to create clients
[client_ext]
keyUsage                 = critical,digitalSignature
basicConstraints         = critical,CA:false
extendedKeyUsage         = clientAuth
authorityKeyIdentifier   = keyid:always
subjectKeyIdentifier     = hash
#
#EOF

3. Create the Diffie Hellman Parameters

I think you can use elliptic curve (EC) parameters instead of Diffie Hellman (DH) parameters. But I need to do some more research. I am using the 'dsaparam' flag to drastically reduce the amount of time it takes to create the file. I am using 2048 bits. Do not use 1024. And 4096 is overkill at this time.

  • cd /etc/ssl/root-ca
  • openssl dhparam -dsaparam -rand /dev/urandom -out dh2048.pem 2048

NOTE: This can still take a while on a low-powered NAS (the author saw 15 to 30 minutes); without '-dsaparam' it takes far longer. Newer, more powerful Synology NAS devices need less time. Parameters made with '-dsaparam' are only safe when each DH key is used once, which is the case for OpenVPN's ephemeral DH exchange; do not reuse the file for anything that needs static DH keys.

4. Create the TLS Auth

Creating a TLS auth key helps to harden your VPN. It is a static pre-shared key (PSK) that must be generated in advance and shared among all peers.

  • cd /etc/ssl/root-ca
  • openvpn --genkey --secret private/ta.key

NOTE: This is not an OpenSSL command. It is an OpenVPN command.

On the OpenVPN server configuration file we must add the following line.

  • tls-auth /path/to/ta.key 0

On the clients we will be using inline files (concatenate all crt and key files into the OVPN file). The client configuration file needs the following line.

  • key-direction 1
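The inline client profile this section describes, as an added example (not the author's syno-ovpn.ash script): it assembles the .ovpn from the files that steps 5 to 8 below leave under the root-ca directory, and lints the result for the directives that make the profile safe. It assumes the root-ca layout (pub/ for certificates, private/ for keys and ta.key) and that the server certificate's CN is 'server' as in step 7. 'remote-cert-tls server', 'verify-x509-name' and 'tls-version-min' are additions beyond what the page lists: together they make a client refuse any peer that presents a client certificate, another CN, or a downgraded TLS version, even if that peer holds a certificate from your CA.

```sh
#!/bin/sh
# Builds the inline client profile from the root-ca directory and lints it for hardening directives.
set -eu

pem_only() {  # pem_only FILE : keep only the PEM block, dropping the text dump 'openssl x509 -text' leaves above it
    sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

make_client_ovpn() {  # make_client_ovpn PKI_DIR NAME REMOTE_HOST [PORT] : complete inline .ovpn on stdout
    dir=$1 name=$2 host=$3 port=${4:-1194}
    cat <<EOF
client
dev tun
proto udp
remote $host $port
nobind
persist-key
persist-tun
resolv-retry infinite
tls-version-min 1.2
remote-cert-tls server
verify-x509-name server name
cipher AES-256-CBC
auth SHA512
key-direction 1
verb 3
<ca>
$(pem_only "$dir/pub/ca.crt")
</ca>
<cert>
$(pem_only "$dir/pub/$name.crt")
</cert>
<key>
$(pem_only "$dir/private/$name.key")
</key>
<tls-auth>
$(pem_only "$dir/private/ta.key")
</tls-auth>
EOF
}

check_profile() {  # check_profile : profile on stdin; returns 0 only if every hardening directive is present
    p=$(cat)
    for want in '^tls-version-min 1\.2$' '^remote-cert-tls server$' '^verify-x509-name ' '^key-direction 1$' '^<tls-auth>$'; do
        printf '%s\n' "$p" | grep -q "$want" || return 1
    done
}
```

Usage: `make_client_ovpn /etc/ssl/root-ca john.doe vpn.example.com 1194 > /etc/ssl/root-ca/ovpn/john.doe.ovpn`, then `check_profile < /etc/ssl/root-ca/ovpn/john.doe.ovpn` before handing it out. The private key inside the file stays passphrase-protected, so OpenVPN will prompt for it on connect.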

5. Create the Root CA

The command below generates the CA private key (private/ca.key) and the self-signed CA certificate (pub/ca.crt). The DN comes from the 'ca_dn' section and the extensions from the section the '[ req ]' section points at in openssl.conf. When prompted, supply a strong password for the private key and keep track of it; every signing and CRL operation below will ask for it.

  • cd /etc/ssl/root-ca
  • openssl req \
    -config ./openssl.conf \
    -days 3650 \
    -x509 \
    -new \
    -keyout private/ca.key \
    -out pub/ca.crt

Check the private key and the certificate.

  • Private:  openssl rsa -in private/ca.key -check
  • Private:  openssl rsa -in private/ca.key -text -noout
  • Public:  openssl x509 -in pub/ca.crt -text -noout

Verify that the certificate (ca.crt) has the distinguished name defined in openssl.conf, and that its X509v3 extensions mark it as a CA (basicConstraints CA:TRUE, keyUsage keyCertSign and cRLSign). If the extensions are missing, check the extensions setting in the '[ req ]' section of openssl.conf: the option 'openssl req -x509' reads is 'x509_extensions'.

The certificate written by 'openssl req' is already PEM encoded, so the conversion below only produces a second copy (pub/ca.pem). 'openssl verify -CAfile pub/ca.crt' works directly against ca.crt when checking newly signed certificates.

  • openssl x509 \
    -in pub/ca.crt \
    -outform PEM \
    -out pub/ca.pem

6. Create the CRL (Revocation List)

Our default CRL validity is 365 days, so the CRL must be regenerated at least every 365 days. Normally this is 30 days, but this is a small personal OpenVPN instance and we want it as easy to manage as possible. Create the CRL now, before issuing any other certificates.

  • cd /etc/ssl/root-ca
  • openssl ca \
    -config ./openssl.conf \
    -gencrl \
    -extensions crl_ext \
    -out ca.crl

NOTE: You must regenerate this file every time you revoke a client and copy it to wherever the OpenVPN server reads it from ('crl-verify' in openvpn.conf). Regenerate it before it expires as well: once a CRL's next-update date has passed, OpenVPN rejects every client, revoked or not.

Read the contents with the following command.

  • openssl crl -in ca.crl -text -noout

Revoke a Certificate

The serial number of each certificate is stored in the database (db/index). Grep for the name in the file and you can see the serial number: it is the third tab-separated field (the first is the status, 'V' for valid or 'R' for revoked, the second the expiry date).

grep CN=john.doe db/index

V 280410224051Z 1BA302853C5C152075698774AC393A04 unknown /C=US/ST=IL/L=Chicago/O=Lava VPN/CN=john.doe

You should supply a reason for the revocation. Choose one of the following.

  • unspecified
  • keyCompromise
  • CACompromise
  • affiliationChanged
  • superseded
  • cessationOfOperation
  • certificateHold
  • removeFromCRL

Use the command below to revoke a certificate, updating the serial as appropriate ('-revoke' also accepts the certificate file itself, e.g. pub/john.doe.crt). Make sure you create a new ca.crl file after each revocation.

  • openssl ca \
    -config ./openssl.conf \
    -revoke certs/1BA302853C5C152075698774AC393A04.pem \
    -crl_reason keyCompromise

7. Create the Server Key, CSR, & Crt

Now create the server private key (server.key) and CSR (server.csr). Adjust the '-subj' value to match the CA distinguished name you set in 'openssl.conf': the 'match_pol' policy rejects a CSR whose C, ST, L or O differ from the CA's. When prompted, enter a password for the private key; we remove it in the next step because Synology's VPN Server cannot use a passphrase-protected server key. Note that '-days' and '-extensions' only take effect together with '-x509'; on a plain CSR they are ignored, and the lifetime and extensions are set when the CA signs the request below.

  • cd /etc/ssl/root-ca
  • openssl req \
    -config ./openssl.conf \
    -new \
    -subj '/C=US/ST=IL/L=Chicago/O=Lava VPN/CN=server' \
    -keyout private/server.key \
    -out csr/server.csr

Synology will not accept encrypted private keys, so remove the password from the server private key. When prompted, provide the password you just set. (Adding '-nodes' to the 'openssl req' command above skips this round trip.)

  • openssl rsa -in private/server.key -out private/server.key

Now sign the CSR and generate the certificate (server.crt). You need the password for the CA private key (ca.key) to sign. Then verify that the certificate has the correct information: the DN is right, it is not a CA, and the X509v3 extensions carry the 'server_ext' set and point to the issuing CA via the authority key identifier.

  • cd /etc/ssl/root-ca
  • openssl ca \
    -config ./openssl.conf \
    -extensions server_ext \
    -days 3650 \
    -subj '/C=US/ST=IL/L=Chicago/O=Lava VPN/CN=server' \
    -in csr/server.csr \
    -out pub/server.crt
  • openssl x509 -in pub/server.crt -text -noout

8. Create the Client Key, CSR, & Crt

We will use the first and last name of the person for each client certificate. The first and last names will be separated by a '.' (period /aka dot). You can add a '-' (dash) or another '.' (period /aka dot) to either name to help with repeated names. For example you can use 'john.doe-jr' or 'john.doe.jr' as the name. Update the 'subj' flag with the correct DN. Make sure you use client extensions.

Just like the server setup we need to create a private key and a CSR. Then we need to sign the CSR and create the public key. Make sure you use the client extensions.

First create the CSR and private key. Make sure you create a new secure password for the private key and keep track of it.

  • cd /etc/ssl/openvpn
  • openssl req \
    -config ./openssl.cnf \
    -days 3650 \
    -new \

    -subj '/C=US/ST=IL/L=Chicago/O=Lava VPN/CN=john.doe' \
    -extensions client_ext \
    -keyout private/john.doe.key \
    -out csr/john.doe.csr

Now sign the CSR and create the public key. Remember you need to sign the CSR with the password for the CA private key (ca.key).

  • cd /etc/ssl/openvpn
  • openssl ca \
    -config ./openssl.cnf \
    -extensions client_ext \
    -days 3650 \
    -subj '/C=US/ST=IL/L=Chicago/O=Lava VPN/CN=john.doe' \
    -in csr/john.doe.csr \
    -out pub/john.doe.crt
  • openssl x509 -in pub/john.doe.crt -text -noout

Repeat these steps to add more clients.
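The 'openssl x509 -text' step in both the server and the client procedure above is something you read by eye. Here is the same check as a pass/fail shell function, added as an example here and not part of the post or its SYNO-OVPN script: it verifies that the certificate chains to ca.crt, that it is not itself a CA, that it carries the expected extended key usage, and that the subject CN is the one you signed for. The throwaway CA and certificates it generates are test data only; they are issued with 'openssl x509 -req' rather than the post's 'openssl ca' (an assumption, chosen so no CA database is needed). It needs the openssl command line, 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original post: check an issued certificate the
# way the 'openssl x509 -text' step intends, but as a pass/fail function.
# Assumes the openssl CLI (1.1.1 or newer) is on PATH.

# check_cert CERT CA EKU CN: succeed only if CERT chains to CA, is not a CA
# itself, lists EKU under Extended Key Usage and has CN as its subject CN.
check_cert() {
    cert=$1; ca=$2; eku=$3; cn=$4
    # the chain must validate against our root CA
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$cert" -noout -text) || return 1
    # a leaf certificate must carry basicConstraints CA:FALSE
    printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 1
    # the EKU we signed for (client vs server) must be present
    printf '%s\n' "$text" | grep -q "$eku" || return 1
    # subject CN, matched in both the "CN=x" and the "CN = x" print styles
    openssl x509 -in "$cert" -noout -subject | grep -q "CN *= *$cn\$"
}

# issue_leaf DIR NAME EKU: CSR plus signature with leaf extensions. This
# stands in for the post's 'openssl req' / 'openssl ca' pair (assumption:
# 'openssl x509 -req' is used so no CA database is needed). Test data only.
issue_leaf() {
    dir=$1; name=$2; eku=$3
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=US/ST=IL/L=Chicago/O=Lava VPN/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" \
        > "$dir/$name.ext"
    openssl x509 -req -days 1 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" >/dev/null 2>&1
}

# make_test_pki DIR: throwaway self-signed root CA plus one client and one
# server certificate (constructed fixture, not the post's real CA).
make_test_pki() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/C=US/ST=IL/L=Chicago/O=Lava VPN/CN=ca' \
        -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
    issue_leaf "$1" john.doe clientAuth
    issue_leaf "$1" server serverAuth
}
```

Run it as `check_cert pub/john.doe.crt pub/ca.crt "TLS Web Client Authentication" john.doe` after signing a real client, and with "TLS Web Server Authentication" and CN 'server' for the server certificate; a client certificate checked against the server EKU fails, which is exactly the mix-up the remote-cert-eku directives in the configs below are meant to catch.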

Setup OpenVPN Server Configuration

OpenVPN provides a fully annotated sample openvpn server configuration file. They also provide a fully annotated sample client openvpn.ovpn file. To determine the default server configuration file run 'ps -aux | grep openvpn' on your NAS. The default location is shown below.

  • /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf

The script mentioned in this document copies the 'openvpn.conf' file shown below to "/etc/ssl/root-ca/ovpn/openvpn.conf.SERVER.SAMPLE". Edit that file as required, then copy it over the default config shown above. Feel free to make additional changes. At a minimum you need to edit the push routes and the server VLAN. You can also change the port if desired.

#
# OpenVPN Server Config
# Edit as appropriate
#

# Push routes to clients for local LAN subnet
# intranet - most home routers use 192.168.1.0/24
push "route 192.168.1.0 255.255.255.0"
# VPN network - choose whatever /24 you desire
push "route 10.2.192.0 255.255.255.0"

# Set Subnet mode
topology subnet

# VPN Server Subnet - OpenVPN uses x.x.x.1
server 10.2.192.0 255.255.255.0

# Do not allow split-tunneling
# Force ALL traffic through VPN
push "redirect-gateway def1"

# Listen on port (UDP or TCP) default 1194
port 1194

# Set Protocol - tcp or udp
proto udp

# Synology only supports TUN (L3)
# Set device tun/tap
dev tun0

# Keepalive n m = ping n ping-restart m
# ping every 10 seconds // restart after no ping in 60 sec
keepalive 10 60

# Renegotiate data channel key after N seconds (default=3600)
# 0 = disable
reneg-sec 0

# SSL/TLS certificates created by OpenSSL - root-ca
# ca = Root CA Self Signed Cert
# key = server private key, issued by the Root CA
# cert = server public certificate, signed by the Root CA
# dh = Diffie Hellman Parameters
# Syno default dir = /var/packages/VPNCenter/target/etc/openvpn/keys
ca /etc/ssl/root-ca/pub/ca.crt
key /etc/ssl/root-ca/private/server.key
cert /etc/ssl/root-ca/pub/server.crt
dh /etc/ssl/root-ca/dh2048.pem

# "HMAC FW" - helps block DoS attacks and UDP port flooding
# openvpn --genkey --secret ta.key
tls-auth /etc/ssl/root-ca/private/ta.key 0

# CRL Revocation List File Location
crl-verify /etc/ssl/root-ca/ca.crl

# Select a cryptographic cipher. (symmetric)
# Used by 'data channel'
# NOTE: OpenVPN 2.4 has newer ciphers GCM
# openvpn --show-ciphers
cipher AES-256-CBC

# Select Auth - auth alg
# openvpn --show-digests

# Authenticate packets with HMAC
auth SHA512

# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo adaptive

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 5

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Require TLS 1.2 or newer
tls-version-min 1.2

# Limit TLS ciphers to those listed below
# Used by 'control channel'
# openvpn --show-tls
# EC and ECDSA TLS ciphers only available in 2.4 or higher
# tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
# Using list below as this is v2.3.x
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

# Limit scripting level
# 0 - no calling of external programs
# 1 (default) only call built-in executables - ifconfig, ip, netsh
# 2 allow calling of user defined scripts
# 3 allow passwords to be passed to scripts via environmental variables (unsafe)
script-security 2

# Ensure clients have EKU - extended key usage - set to client
# Clients, in turn, verify that the server has the server EKU
# (remote-cert-eku "TLS Web Server Authentication" in the client config)
remote-cert-eku "TLS Web Client Authentication"

# Output a short status file showing
# current connections, truncated
# and rewritten every N (30 sec)
status /tmp/ovpn_status_2_result 30

# Status version N - 1, 2 or 3
status-version 2

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
# EOF
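To see whether a server config actually carries the hardening directives the comments above describe, here is a small audit script, added as an example and not part of the post. It reads directives with awk (comments stripped) and warns when tls-version-min is below 1.2, when there is no tls-auth or tls-crypt key, when remote-cert-eku does not restrict clients, when crl-verify is missing, when script-security is 3, or when the data channel cipher is not AES. The two sample configs it writes are constructed for the demonstration; the directive names are real OpenVPN options.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the security-relevant
# directives of an OpenVPN server config such as the one above.

# ovpn_get FILE DIRECTIVE: print the value of the first uncommented
# DIRECTIVE line, or nothing if it is absent.
ovpn_get() {
    awk -v d="$2" '
        /^[[:space:]]*[#;]/ { next }                 # comment line
        $1 == d { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# ovpn_audit FILE: print one ok:/warn: line per check; the return value is
# the number of warnings, so 0 means every check passed.
ovpn_audit() {
    f=$1; warn=0

    v=$(ovpn_get "$f" tls-version-min)
    case "$v" in
        1.2|1.3) echo "ok: tls-version-min $v" ;;
        *) echo "warn: tls-version-min missing or below 1.2"; warn=$((warn + 1)) ;;
    esac

    # tls-auth (or tls-crypt) is the "HMAC firewall" the config comments mention
    if [ -n "$(ovpn_get "$f" tls-auth)" ] || [ -n "$(ovpn_get "$f" tls-crypt)" ]; then
        echo "ok: control channel HMAC key configured"
    else
        echo "warn: no tls-auth/tls-crypt key"; warn=$((warn + 1))
    fi

    case "$(ovpn_get "$f" remote-cert-eku)" in
        *"TLS Web Client Authentication"*) echo "ok: client EKU enforced" ;;
        *) echo "warn: remote-cert-eku not restricting clients"; warn=$((warn + 1)) ;;
    esac

    if [ -n "$(ovpn_get "$f" crl-verify)" ]; then
        echo "ok: crl-verify set"
    else
        echo "warn: crl-verify missing, revoked clients still connect"; warn=$((warn + 1))
    fi

    s=$(ovpn_get "$f" script-security)
    if [ -n "$s" ] && [ "$s" -ge 3 ] 2>/dev/null; then
        echo "warn: script-security $s passes passwords to scripts"; warn=$((warn + 1))
    else
        echo "ok: script-security ${s:-default}"
    fi

    case "$(ovpn_get "$f" cipher)" in
        AES-*-GCM|AES-*-CBC) echo "ok: cipher $(ovpn_get "$f" cipher)" ;;
        *) echo "warn: data channel cipher missing or not AES"; warn=$((warn + 1)) ;;
    esac
    return $warn
}

# write_sample FILE hardened|weak: constructed configs for trying the audit
write_sample() {
    if [ "$2" = hardened ]; then
        cat > "$1" <<'EOF'
# constructed sample, mirrors the hardened directives of the post's config
server 10.2.192.0 255.255.255.0
tls-version-min 1.2
tls-auth /etc/ssl/root-ca/private/ta.key 0
crl-verify /etc/ssl/root-ca/ca.crl
cipher AES-256-CBC
script-security 2
remote-cert-eku "TLS Web Client Authentication"
EOF
    else
        cat > "$1" <<'EOF'
# constructed sample with the weak settings the comments warn about
server 10.2.192.0 255.255.255.0
tls-version-min 1.0
; tls-auth commented out
cipher BF-CBC
script-security 3
EOF
    fi
}
```

Point it at the live file with `ovpn_audit /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf` after you have copied your config over; a non-zero exit status means at least one of the directives above is missing or weakened.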

Setup OpenVPN Client Configuration

Edit the included sample client configuration to match your server configuration. Then for each new client change the file name so each OVPN file is easy to identify, and concatenate the certificates in the proper order: first the CA certificate (ca.crt), second the new client public certificate, third the new client private key, and fourth the TLS authentication file (ta.key).

The client configuration file will be identical with 3 exceptions.

  1. For Windows clients comment out the 'user nobody' and 'group nobody' lines.
  2. Each client will have their own unique client public key. (john.doe.crt)
  3. Each client will have their own unique client private key. (john.doe.key)

Edit the sample file below as appropriate. Make sure you add the certificates.

#
# OpenVPN Client Config
# Needs to match server config
# Edit as appropriate
#

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tun0

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
# Should be dyn dns hostname
remote dyn.dns.name.for.nas 1194

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
# WINDOWS - COMMENT OUT USER AND GROUP NOBODY
; user nobody
; group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# Verify server certificate by checking that the
# certificate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
key-direction 1

# Allow remote peer to change IP (DHCP)
# Accept authenticated packets from any address
# not just address specified by 'remote' option
float

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC

# Select HMAC Authentication
# server/client must match
auth SHA512

# Verify EKU - Extended Key Usage is set to server on remote box
remote-cert-eku "TLS Web Server Authentication"

# Set TLS to min of 1.2
tls-version-min 1.2

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo adaptive

# Set log file verbosity.
verb 0

# To simplify OVPN client setup concatenate
# all certificates here in proper order
# 1 <ca> </ca> 2 <cert> </cert>
# 3 <key> </key> 4 <tls-auth> </tls-auth>
# ADD CERTS BELOW HERE

Concatenate the Client OVPN

The script will create our client OVPN file. If you do this manually you need to concatenate all of the files into the client OVPN file.

  • Add the user to the root CA using the commands above.
  • Copy the sample OVPN file and create a client OVPN file. (john.doe.ovpn)
  • Add the ca.crt file, client crt file, client key file, and ta.key. Each file must be enclosed with the identifiers shown below.

<ca>
cat ca.crt here
</ca>
<cert>
cat john.doe.crt here
</cert>
<key>
cat john.doe.key here
</key>
<tls-auth>
cat ta.key here
</tls-auth>
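For the manual route, here is the concatenation as a shell function, added as an example and not the post's SYNO-OVPN script. It appends the four inline blocks to the edited client template in the order given above, refuses to run if any input file is missing or if the template already contains inline certificates, and makes the result owner-readable only because it now holds a private key. File names follow the post (ca.crt, john.doe.crt, john.doe.key, ta.key); the fixture it writes uses constructed placeholder PEM text, not real keys.

```shell
#!/bin/sh
# Added example, not the post's SYNO-OVPN script: assemble a client .ovpn by
# appending <ca>/<cert>/<key>/<tls-auth> blocks to the client template.

# inline_block TAG FILE: wrap FILE's contents in <TAG> ... </TAG>
inline_block() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

# build_ovpn TEMPLATE NAME KEYDIR OUT: NAME is the client CN (john.doe);
# KEYDIR holds ca.crt, NAME.crt, NAME.key and ta.key.
build_ovpn() {
    tpl=$1; name=$2; dir=$3; out=$4
    for f in "$tpl" "$dir/ca.crt" "$dir/$name.crt" "$dir/$name.key" "$dir/ta.key"; do
        [ -r "$f" ] || { echo "build_ovpn: missing $f" >&2; return 1; }
    done
    # a template that already carries inline blocks would give the client
    # duplicate directives, so refuse instead of appending twice
    if grep -q '^<ca>' "$tpl"; then
        echo "build_ovpn: template already contains certificates" >&2; return 1
    fi
    {
        cat "$tpl"
        inline_block ca       "$dir/ca.crt"
        inline_block cert     "$dir/$name.crt"
        inline_block key      "$dir/$name.key"
        inline_block tls-auth "$dir/ta.key"
    } > "$out" && chmod 600 "$out"   # the file now holds a private key
}

# ovpn_tag_order FILE: the opening inline tags in the order they appear,
# e.g. "ca cert key tls-auth"
ovpn_tag_order() {
    sed -n 's/^<\([a-z-]*\)>$/\1/p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# pem FILE LABEL BODY: write a constructed placeholder PEM block (test data)
pem() {
    printf '%s\n' "-----BEGIN $2-----" "$3" "-----END $2-----" > "$1"
}

# make_ovpn_fixture DIR: constructed template and placeholder key material
# so the build can be tried without a real CA
make_ovpn_fixture() {
    mkdir -p "$1"
    printf '%s\n' client 'dev tun0' 'remote dyn.dns.name.for.nas 1194' \
        'key-direction 1' '# ADD CERTS BELOW HERE' > "$1/client.ovpn.SAMPLE"
    pem "$1/ca.crt" CERTIFICATE 'CONSTRUCTED ca cert'
    pem "$1/john.doe.crt" CERTIFICATE 'CONSTRUCTED john.doe cert'
    pem "$1/john.doe.key" 'PRIVATE KEY' 'CONSTRUCTED john.doe key'
    pem "$1/ta.key" 'OpenVPN Static key V1' 'CONSTRUCTED ta key'
}
```

With the real files the call is `build_ovpn client.ovpn.SAMPLE john.doe /etc/ssl/root-ca john.doe.ovpn`, where the key directory is assumed to contain the client certificate and key alongside ca.crt and ta.key; `ovpn_tag_order john.doe.ovpn` is a quick way to confirm the order before handing the file to the user.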

Overwrite the Synology openvpn.conf File

Copy our new OpenVPN server configuration file over the default Synology openvpn.conf file. Our new file is shown below.

  • /etc/ssl/root-ca/ovpn/openvpn.conf.SERVER

The default file is shown below.

  • /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf

Add Our Server Keys to the GUI

By default Synology uses the self-signed synology certificate for everything. We need to add a new certificate to the DSM GUI and then configure OpenVPN to use that new certificate. It has to be a chained certificate and include our new server.key (private key), the server.crt (public key), and the new root CA public certificate (ca.crt).

I tar these three files up before I transfer them.

  • /etc/ssl/root-ca/pub/ca.crt (Root CA public certificate)
  • /etc/ssl/root-ca/pub/server.crt (OpenVPN server public certificate)
  • /etc/ssl/root-ca/private/server.key (OpenVPN server private key)

Extract the files somewhere on your computer. Then launch the DSM GUI. (https://your_nas:5001)

  • Next launch the 'Control Panel'.
  • Navigate to 'Security' and then open the 'Certificate Tab'.
  • Click 'Add'.
    • Choose 'Add a new certificate' and click 'Next'.
    • Choose 'Import certificate'. Optionally add a description. Click 'Next'.
    • Now import the server.key, server.crt, and ca.crt. See the picture below.

Import Certificate Files Screen

Click OK to import the certificate. Then highlight your new certificate and click 'Configure'. Select 'server' (or what you used for a description) in the drop down box next to 'VPN Server'. And then click OK.

Select 'server' Certificate

Restart OpenVPN

Restart OpenVPN so that it loads the new configuration. You may do this from the GUI or from the command line.

In the GUI open 'Package Center' and then scroll to 'VPN Server'. Open that and use the drop down box labeled 'Action' and select 'Stop'. Use the same box to start the VPN server again.

From a command line run the following command.

  • synoservice --restart pkgctl-VPNCenter
  • Or: /var/packages/VPNCenter/scripts/start-stop-status {stop|start}

To check out your server configuration you may run the following.

  • cd /usr/syno/etc/packages/VPNCenter/openvpn
  • openvpn --config ./openvpn.conf

Using the Script

Setting everything up manually isn't that difficult. And it is very useful to help learn about SSL and OpenVPN. But adding or revoking users can be a pain if you have to remember the correct syntax. I created a script to help build the root CA. And it will add and revoke users as well. I mentioned the script above. It is included in 'SYNO-OVPN.tar.gz'. The README file shows you how to use the script. And it explains how to edit the included sample files. Enjoy.

Synology - WebDAV Setup

Installing and configuring WebDAV on Synology NAS

Prerequisites

Please read and follow the previous Synology setup posts before installing WebDAV.

  1. Securing Synology NAS
  2. Synology - Map Domain with DDNS
  3. Synology - Setup Let's Encrypt SSL Certificates

Install WebDAV

Go to the Package Center on your Synology NAS device. Install the 'WebDAV Server'.

Configure WebDAV

There are very few options to configure in WebDAV. But there are some security issues and permission issues to consider. Please feel free to change the permissions described below.

WebDAV Settings Tab

Go to the main menu and then open WebDAV Server. Enable HTTPS. Optionally change the default port from 5006 to whatever you desire as long as it isn't in use already. (1025 - 65535) You may choose to enable the WebDAV log as well. Finally you have the option of limiting the speed. Click 'Apply' once you are done.

Create a WebDAV Group and User

By default only the administrators group has access to WebDAV. However, I don't want to allow administrative access from the web. So I will create a new group and a new WebDAV user. This user should also have 2FA enabled for increased security.

Go to: Control Panel > Group

Click 'Create'.

  • Group name = webdav (Or whatever you prefer)
  • Group description = WebDAV Access Group

Skip the shared folder permissions as of now. We will be creating one or more shared folders for WebDAV.

Allow 'WebDAV Server' application permissions.

Go to: Control Panel > User

Click 'Create'.

  • Name = <choose_name> (I used 'webby' for now)
  • Description = WebDAV User Access
  • Email = optional
  • Password = Create a password that meets your password rules requirements.
  • Click 'Next'.

Add the user to the 'webdav' group. By default it is already part of the users group. Click 'Next'.

Skip granted shared folder access for now.

Allow the user to access the 'WebDAV Server' application.

Create One or More Shared Folders

I don't like the idea of opening every folder in the root directory to WebDAV. I will create one folder for uploads with RW access. And add one or more folders with RO access. This may include some of the existing shared folders.

Go to: Control Panel > Shared Folders

First we will create an upload folder with RW permissions. Click 'Create'.

  • Name = upload
  • Description = WebDAV Upload Folder
  • Click 'Next'

Optionally encrypt this folder. Click 'Next' and then 'Apply'. Now we can set up our basic folder permissions.

  • Local users:
    • admin - No access
    • Your new admin user - has RW by default; change it to No access
    • webby (or whatever WebDAV user you created) -
  • Local groups:
    • administrators - RW
    • webdav - RW
  • System internal user:
    • I need to experiment a bit more. Right now all system IDs have no access. But a few may need RO and possibly RW access.

There are some interesting advanced permissions. I need to experiment a bit more before adding any recommended setup steps for those permissions.

Pick one of your existing shared folders. Edit it. Change the group permissions for the webdav group to RO.

Verify DSM Access with New User

First verify that your new user has DSM access and set the password. Verify you can see your new 'upload' folder and whatever RO folder you chose. Upload a test file to your upload directory.

https://syno.lab.example.com:5001

Add WebDAV SSL Certificate

Go to: Control Panel > Security > Certificate

Select your new SSL certificate. Then select 'Configure'. For the 'WebDAV Server' service change the certificate from the default synology.com certificate to your new SSL certificate. Click 'OK'.

Verify WebDAV Access

First we need to edit our hosts file. When we set up our SSL certificate we updated our hosts file and mapped 'syno.lab.example.com' to our internal private IP address (192.168.x.y). Now we need to disable this temporarily while we test out WebDAV. This is a good reason why you may want to get 2 Let's Encrypt SSL certificates with different subdomains.

  • notepad C:\Windows\System32\drivers\etc\hosts
  • put a hash tag in front of the 192.168.x.y address for your NAS
  • save the file
  • NOTE: Re-enable this mapping and test WebDAV access from your internal LAN as well. You may want to eliminate SMB access or other access methods and simply use WebDAV.

In Windows we can now map a network drive to our new WebDAV setup. Open File Explorer and then right click on 'This PC'. Select 'Map network drive'. Then fill out the new window as shown below.

  • Drive - choose any free drive letter you desire
  • Folder = https://syno.lab.example.com:5006
  • Check 'Connect using different credentials'
  • Click finish and then enter your ID and password
    • webby (The ID we created above)
    • passw0rd - Enter your password
WebDAV - Map Network Drive

Again verify that you can upload a file.

You may want to run 'tcpdump' on your NAS to see if any packets are hitting it.

tcpdump -i eth0 -lnpt tcp and port 5006

Limit Administrators Group WebDAV Access

You can access WebDAV with the new administrator ID you previously created. It actually won't have access to the upload folder. But I don't want administrative access available from the web.

Go to: Control Panel > Group

Select the 'administrators' group and then click 'Edit'. Go to the 'Applications' tab. Scroll down to the WebDAV Server line. Change the permissions from 'Allow' to either 'Deny' or 'By IP'. I am setting up 'By IP' and I will whitelist my internal private subnet. Typically home routers use a /24 subnet from the 192.168/16 network. If your home network is 192.168.55.0/24 you would enter the information as shown below. Adjust the subnet as required.

Whitelist Private Subnet

Limit WebDAV Access for the Admin User

We also need to limit WebDAV access by subnet for the newly created admin user. Go to the user panel in the control panel. Edit your administrator ID. And go to the Applications tab and repeat the steps above. Limit WebDAV access by IP to your local subnet.

Now verify your admin ID can access WebDAV locally but not from the internet.

2FA Not Available for WebDAV

Unfortunately 2FA is not available via WebDAV. At least not at this time. This is another reason to select strong passwords and to limit which folders are accessible over the web.

WebDAV Clients

There are numerous WebDAV clients available for IOS and Android. Choose your favorite and have remote access to your files.

This is actually a better place to store your Keepass database. And other files that you may need to access away from home but want to keep away from prying eyes.

Although access via a VPN is probably a bit more secure. But that is debatable.

Synology - Setup Let's Encrypt SSL Certificates

Setting up Let's Encrypt SSL certificates on Synology NAS devices

Prerequisites

Before following this article please first secure your Synology NAS and set up DDNS and a CNAME.

Let's Encrypt SSL Certificates

Let's Encrypt provides a free automated SSL certificate that can be used to secure your Synology NAS. You can have multiple SSL certificates. Perhaps one for local LAN DSM logins and another for WebDAV internet access. Or you could use the same SSL certificate.

I am not replacing or removing the default Synology self-signed SSL certificate. You can always switch back to that for various services.

Setup Web Station

Let's Encrypt will query your Synology NAS on port 80/TCP and 443/TCP. I can't find the nice technical document I read before. When I do I will add the link to this document. By default the Synology NAS device does not listen on 80/TCP or 443/TCP nor does it have a website.

Go to Package Center and install 'Web Station'. Once that finishes go to the main menu and launch 'Web Station'. Follow the steps below to configure the virtual host.

By default Web Station uses Nginx. I have both PHP 5.6 and PHP 7.0 installed on my NAS. I need to figure out if I can uninstall PHP 5.6. But that is for a future date. I am not sure if Web Station will automatically install PHP. If necessary install that package as well.

General Settings Tab

Select the following items from the drop down boxes.

  1. HTTP back-end server: = Nginx
  2. PHP: = Default Profile ( PHP 7.0 )
  3. Do NOT enable the personal website.

PHP Settings Tab

I think I deleted the PHP 5.6 profile from this tab. I didn't edit anything else.

Virtual Host

Before adding the virtual host you need to create a document root. Go to the Control Panel and then click on 'Shared Folder' and then 'Create' a new shared folder in the root directory. Or if you prefer bury the folder in whatever path you desire. The name should be 'www'. But it can be anything you desire.

  • Shared Folder Setup
    • Name = www
    • Description = Virtual Host Root Directory
    • Permissions Local Users = Your Admin ID = RW
    • Permissions Local Groups = administrators = RW // http = RO

Go back to the web station settings and finish creating the virtual host. Fill out the panel as shown below. See the screen shot after the explanation.

  • Select 'Name-Based'
    • Hostname = syno.lab.example.com
    • Port = check 80/443
  • Document root = www (browse and select)
  • HTTPS settings:
    • Check HSTS
      • HSTS - Force connections to use HTTPS (443/TCP)
    • Check HTTP/2
      • HTTP/2 - Newest version of the HTTP protocol
  • HTTP back-end server = Nginx
  • PHP = Default Profile ( PHP 7.0 )
  • Click OK
Create Virtual Host Panel

Create the .well-known/acme-challenge Directory

Let's Encrypt will query our virtual host to verify that we own the domain we wish to secure with the SSL certificate. To allow this we need to create two sub-directories under the 'www' shared folder.

I prefer the command line. SSH into your NAS. (as root) Run the following commands.

  • Switch to your www directory. - example: cd /volume1/www
  • mkdir -m 0711 -p .well-known/acme-challenge
  • chmod -R 0711 .well-known
  • chown -R http:http .well-known

Setup Port Forwarding on Your Router

Let's Encrypt will query your NAS device using the public IP address given to you by your ISP. Your NAS should not be directly on the internet or in a DMZ. I don't use UPnP either. Port forwarding is very simple to set up, and just about any consumer router should allow you to set it up.

One catch to make port forwarding work is that your NAS needs to use the same private IP address at all times. I do this by setting up DHCP reservations on my router. But you could configure your NAS device to use a static IP address.

PC World has a good article on setting up port forwarding. It varies from router to router, but the basics are the same. The site https://portforward.com/ has a number of guides on how to set up port forwarding on various routers. Just don't buy their tool. You need three port forwarding rules.

  1. HTTP-80 // Protocol = TCP // Port from = 80 // IP Address = Private IP address of your NAS (192.168.x.y) // Port to 80
  2. HTTPS-443 // Protocol = TCP // Port from = 443 // IP Address = Private IP address of your NAS (192.168.x.y) // Port to 443
  3. WebDAV-5006 // Protocol = TCP // Port from = 5006 // IP Address = Private IP address of your NAS (192.168.x.y) // Port to 5006

The last rule assumes you will use the default secure WebDAV port. Feel free to change this to any port you desire as long as you change it in the WebDAV configuration as well.

Add additional rules if you enable additional packages on your NAS.

Verify Ports Are Open

I have read that some ISPs will block 80/TCP or 443/TCP. You may be able to get them to open these ports for you. Verify that your NAS is listening on 80/TCP and 443/TCP. You can use nmap or netstat. Synology does not have the 'ss' command as of yet. SSH to your NAS and run the following command. The pattern is anchored to the port column so that other ports or addresses that merely contain 80 or 443 don't match.

netstat -latn | egrep ':(80|443) '

Use Shields Up from GRC.com to probe your NAS device. First run tcpdump on your NAS so you can see if any traffic hits your box. The IP address in the filter below is the Shields Up server. (dig @8.8.8.8 shieldsup.grc.com +short) The parentheses are needed because 'and' binds tighter than 'or' in tcpdump filters; without them the host match would only apply to port 443.

tcpdump -i eth0 -lnpt tcp and \(port 80 or port 443\) and host 4.79.142.206

Make sure you see a SYN [S] from GRC and a SYN-ACK [S.] going to GRC for each port you check. Don't worry about the reset flags [R.].

Install the Let's Encrypt SSL Certificate

Remember in a previous post we set up DDNS and a CNAME for our subdomain. Here is a review of the information we set up for our domain.

  1. The domain you purchased. Presumably for your personal website. = example.com
  2. Comcast public IP address (73/8) = 73.x.y.z
  3. DDNS = mysyno.ddns.net with A record of 73.x.y.z
  4. Subdomain = lab.example.com (replace lab with anything you desire)
  5. Fully Qualified Domain Name (FQDN) = syno.lab.example.com (You don't really need to do this. But I wanted to use my Synology FQDN as the URL. You can simply use the subdomain if you desire.)

Go to: Control Panel > Security > Certificate

Click 'Add' to create a new certificate. Leave the default 'synology.com' self-signed certificate alone. It is our fallback certificate if we ever have issues. Follow the steps below.

  1. Select 'Add a new certificate' and click 'Next'
  2. Select 'Get a certificate from Let's Encrypt' and click 'Next'
  3. Fill out Let's Encrypt information as shown below.
    1. Domain name = syno.lab.example.com (FQDN from above. Or you could simply use the subdomain 'lab.example.com'. Whichever you prefer.)
    2. Email = Your email address (must be a valid email)
    3. Subject Alternative Name = mysyno.ddns.net OR mysyno.ddns.net;lab.example.com (The dynamic DNS name you created with a dynamic DNS provider. Since I used my FQDN for the domain name I also add the subdomain as a second SAN. Separate the two subject alternative names with a semicolon. Again, adding the second SAN is optional.)

See the screen shot below.

Lets Encrypt Certificate Information Panel

Once you have filled it out click 'Apply'. Assuming everything is correct you should have a new SSL certificate. If things don't work you can look at the logs on your NAS. SSH and tail '/var/log/messages'.

Configure the New Certificate

To use this new certificate for DSM logins (5001/TCP) you need to set it as the system default certificate. Highlight the newly created certificate and click 'Configure'. You will see a list of all your services. Your list may be different than the screen shot shown below. The certificate column has a bunch of drop down boxes that allow you to select any configured certificate. For the 'System default' service use the drop down box and select your newly created Let's Encrypt certificate. And then click 'OK'.

Configure Certificates Panel

Update Your Hosts File

I am not allowing DSM access from the web. You can continue to use the IP address of your NAS (https://1.2.3.4:5001) if you desire. But you will get the warning about an improper SSL certificate. The FQDN 'syno.lab.example.com' will resolve to your public IP address.

To allow for easy access from your LAN update your hosts file. Add the private IP address of your NAS and the FQDN and the subdomain. See the example below.

  • notepad C:\Windows\System32\drivers\etc\hosts
  • 192.168.x.y  syno.lab.example.com lab.example.com
  • Save the file. Ensure there is no 'txt' extension

Now test out the connection from your browser.

https://syno.lab.example.com:5001

Setup WebDAV

In my next post I will install and configure WebDAV.

Synology - Map Domain with DDNS

Mapping Synology to a subdomain with DDNS and CNAME

First Secure Your Synology NAS

Secure your Synology NAS before enabling internet access. Follow this post for more information.

Prerequisites

You need to own your own domain. You need to understand the basics of DNS and have the ability to add a CNAME to DNS.

Setup Dynamic DNS (DDNS)

Your ISP provides you with a publicly routable IP address. You then connect your router to the ISP modem. Your devices inside your home have NAT'ed IP addresses and are all RFC 1918 addresses. These addresses are not routable on the internet. When you go to a website or use anything on the internet your router will translate your private IP to the public IP address provided by your ISP.

Most ISPs provide DHCP addresses, which change from time to time. To get an SSL certificate you need to be able to map your domain to an IP address. Dynamic DNS automatically updates the forward resolution of your domain name to the IP address even when it changes. The TTL (time to live) needs to be short, normally about 15 minutes or so, so changes won't be immediately available. But for home use it is more than good enough.

You can use any number of DDNS providers. Synology also offers a DDNS service. I already added DDNS to my home router. So I am not going to walk through the setup in this article.

Setup DNS CNAME

Once you set up DDNS you will have a resolvable domain name that maps to the IP address given to you by your ISP. For example Comcast (Xfinity) owns all of 73/8. So if your ISP is Comcast you will have a public IP like 73.x.y.z (where x, y and z are numbers between 0 and 255). Check what it is by going to ipchicken.com. And if you used noip.com as your DDNS provider, mysyno.ddns.net will resolve to your 73.x.y.z IP address. You can choose any available hostname and choose from a number of different domains.

mysyno.ddns.net A 73.x.y.z

If you owned the domain 'example.com' you could then create a subdomain and add a CNAME to mysyno.ddns.net. Let's say you create the subdomain syno.lab.example.com. So you have the following.

  1. The domain you purchased. Presumably for your personal website. = example.com
  2. Comcast public IP address (73/8) = 73.x.y.z
  3. DDNS = mysyno.ddns.net with A record of 73.x.y.z
  4. Subdomain = lab.example.com (replace lab with anything you desire)
  5. Fully Qualified Domain Name (FQDN) = syno.lab.example.com (You don't really need to do this. But I wanted to use my Synology FQDN as the URL. You can simply use the subdomain if you desire.)

You now need to set up a CNAME record for either the subdomain or the FQDN. The exact procedure will vary with your DNS provider. But you want to set it up like the following picture.

DDNS Setup

Here is our DNS zone information.

NAME                    TYPE   VALUE
------------------------------------------------
mysyno.ddns.net.        A      73.x.y.z

syno.lab.example.com.   CNAME  mysyno.ddns.net.

The CNAME is 'mysyno.ddns.net.'. The domain 'syno.lab.example.com.' is an alias to our DDNS domain. (mysyno.ddns.net.)

Since we own 'example.com' we can assign a SSL certificate to the subdomain of 'syno.lab.example.com'. In this example this is actually our Synology FQDN. Our home network domain would actually be 'lab.example.com'. And we can use this internally.

Next Steps

Follow this post to setup Let's Encrypt SSL certificates.

Securing Synology NAS


SSL Certificates In Another Post

I will be writing several posts about Synology. I recently set up Let's Encrypt SSL certificates and will write all of that in a separate post. This article is just about the basic security steps for your new NAS.

Read the Official Documents

Synology provides a nice tutorial that covers the basic setup. Most of this document is based on that tutorial. I am just rewriting it to ensure I have a copy myself and as a quick checklist for my next NAS. Also URLs are subject to change from time to time.

I also found a nice article by Mike Tabor. He has three firewall rules I copied, especially since I recently set up WebDAV and now my NAS is exposed to the internet.

Another good document lists all of the ports used by Synology.

Brief Synopsis

I will perform the following steps. At the time of this writing I am running DSM 6.1.6-15266 on a DS413. It is assumed you have already set up the LAN connection and your disks.

  1. Create a new system administrator
  2. Disable the default admin account & guest
  3. Setup password strength rules
  4. Restrict suspicious IP addresses with auto block
  5. Setup firewall rules
  6. Setup 2 Factor Authentication
  7. Force HTTPS connections
  8. Enable SSH access
  9. Disable IPv6 (Optional)
  10. Setup NTP
  11. Secure File Services
  12. Setup notifications
  13. Other Steps
  14. Encryption
  15. VPN
  16. Security Advisor
  17. Update folder permissions
  18. Enable Automatic Updates

I am not covering the following topics. They will be covered in future posts.

  1. Map your Synology NAS with your own domain and dynamic IP address
  2. Enable Let's Encrypt SSL certificates
  3. Setup WebDAV
  4. Setup CalDAV (Calendar)
  5. Setup OpenVPN

Most if not all of the following steps will be performed within the Synology Control Panel. Below is a picture of the advanced panel.

[Screenshot: Synology Control Panel]

1. Create a New System Administrator

Open the User panel and click on 'Create'. Fill in the information as desired. Select a nice long secure password that will meet your password rules. Click next.

[Screenshot: Create User Panel]

Add the user to the 'administrators' group. Add the user to all of the other groups except the guest group. Your list may vary. Click next.

[Screenshot: New User Join Groups Panel]

Assign shared folders permissions. (not shown) For the new admin user I select RW for all shared folders. However, that is not necessary. I was lazy for a long time and only had the default admin user. I will be setting up a normal user for day to day access. But I want to ensure my new admin has access to every existing folder. Click next.

Click next on the user quota settings panel. I never enabled this feature.

Assign application permissions. (not shown) For now I am allowing my new admin access to every application. Click next.

I am not setting up any user speed limits. Click next on the user speed limit setting panel.

Confirm your settings and click apply.

LOG IN WITH YOUR NEW ID!!

2. Disable Admin User and Guest User

Go back to the user panel. Click on the admin user. Click 'Edit'. Click 'Disable this account' and click 'OK'. Repeat these steps for the guest ID.

NOTE: You need to create additional users and possibly groups for day to day usage of the NAS. You should limit using the new admin user. This document does not cover all the steps needed to create new users and groups.

3. Setup the Password Strength Rules

Go to:  Control Panel > User > Advanced Tab

I am not sharing my NAS with other users. Otherwise I would be even more strict. But I will enforce strong passwords and click all of the options and select a nice long minimum length. I am not setting up password expiration or password history. My new admin ID and any ID available from the web will have 2FA (Two Factor Authentication aka 2 Step Verification) enabled. Click 'Apply'.

I recommend setting up a test ID and verifying you can log into the NAS with that ID. Better safe than sorry.

4. Restrict Suspicious IP Addresses

Go to:  Control Panel > Security > Account Tab

Click 'Enable auto block'. If desired change the login attempts and the number of minutes. I don't enable block expiration. See the picture below.

Scroll down and click 'Enable Account Protection' (not shown). I keep the default values. Click 'Apply'.

[Screenshot: Security - Account Tab]

Enable Additional Security Options

While you are in the security panel go to the other tabs and enable some additional options.

Security Tab

Check the following and then click 'Apply'.

  • Logout time (minutes): 15 (default value - change if desired)
  • Improve protection against cross-site request forgery attacks
  • Improve security with HTTP Content Security Policy (CSP) header
  • Do not allow DSM to be embedded with iFrame
  • Clear all saved user login sessions upon system restart
  • Show notification on DSM desktop when the current IP changes

[Screenshot: Security - Security Tab]

Protection Tab

Click 'Enable DoS protection' and click 'Apply'.

Advanced Tab

Optionally click 'Enable HTTP Compression'. Under the TLS/SSL Cipher Suites click 'Modern compatibility'. Click 'Apply'.

5. Setup FW Rules

Go to: Control Panel > Security > Firewall Tab

Click 'Enable firewall'. Click 'Enable firewall notifications'. For the firewall profile select 'custom' from the drop down box. Then click 'Edit Rules'. Create three rules. I based this upon Mike Tabor's site mentioned above. As he says the first rule is a bit redundant. When you click 'Create' you will see the window below.

[Screenshot: Create Firewall Rule Panel]

Here are the three rules. Make sure they are listed in this order as firewalls read the rules from top to bottom. The most restrictive rules should be on top.

  1. Block all ports and all protocols from Russia and up to 15 countries. Do this by using the location option in the source IP section. You can create additional groups of countries to block. Obviously don't block your own country.
  2. Allow Virtual Host 80/TCP, Virtual Host 443/TCP, and WebDAV 5006/TCP from the USA. For the port list use 'Select from a list of built-in applications' and then select the appropriate applications from the list. Adjust this list for other services you may wish to access via the internet. This list is for Let's Encrypt and WebDAV.
  3. Allow all ports and protocols from your local LAN. (RFC 1918 addresses)

Click OK. And then click 'Apply'.

NOTE: I previously enabled Synology QuickConnect. It enables a few additional ports in the FW. I need to update the rules for QuickConnect or disable QuickConnect. I disable UPnP on my router which disables some of the usefulness of QuickConnect. I would like to use a couple of the DS apps on my phone. Use this document for more information on how to use QuickConnect and the flows.

A Few Notes about Let's Encrypt

Let's Encrypt offers two validation methods. You can use DNS validation or HTTP validation. I have read that the TLS validation method is being deprecated. The Synology NAS device uses HTTP validation. All that is required is 80/TCP access from the web to the NAS. However, Let's Encrypt will follow redirects to 443/TCP. That is why 443/TCP is being added to the firewall rules. In a later post I setup a virtual host and use HSTS to force HTTPS connections.

6. Setup 2FA

For the current user click on 'Options' (upper right of the browser window) then click 'Personal'. See the screen shot below.

[Screenshot: User Options Personal Panel]

Click on 'Enable 2-step verification' and the wizard will start. Click 'Next' on the opening screen. See the screen shot below.

[Screenshot: 2FA Wizard]

Scan the QR code with the authentication app of your choice. I drew a red line through the QR code to prevent scanning. Save the QR code or the secret key so you can add it to a new authentication app in the future if needed.

[Screenshot: Scan QR Panel]

Enter the 6 digit code to verify it is working. And then click 'Next'.

[Screenshot: Enter 6 Digit Code]

Enter a valid email address for an emergency verification code. Note, if you haven't yet setup notifications it will ask you if you want to do that now. You can skip this for now. Just make sure you go back and do this later on.

Click 'Close'. Click 'OK'.

LOG OUT AND LOG IN WITH YOUR NEW 2FA!!

Optionally go back to the User panel and open the advanced tab. Scroll down and click 'Enforce 2-step verification for the following users'. And then select administrator groups only or all users.

7. Force HTTPS Connections

We will be using the default self-signed SSL certificate for now. But once the Let's Encrypt certificate is in place we want to ensure we always use a secure encrypted connection.

Go to:  Control Panel > Network > DSM Settings Tab

Check the following:

  1. Optionally change the port numbers from the default ports. (5000/TCP & 5001/TCP)
  2. Check "Automatically redirect HTTP connections to HTTPS (Web Station and Photo Station excluded)"
  3. Check "Enable HTTP/2"
  4. Check "Enable the "Server" header in HTTP responses"
  5. Custom "Server" header = nginx (You may have different options based on which packages you have installed.)

[Screenshot: Force HTTPS Connections]

8. Enable SSH Access

Go to:  Control Panel > Terminal & SNMP > Terminal Tab

Perform the following steps:

  1. Uncheck "Enable Telnet service" to disable this service
  2. Check "Enable SSH service"
  3. Port: 22 - I leave the default port. At this time I am not opening SSH to the internet. The Synology Security Advisor recommends changing the default port. I would change the port if I opened it to the internet. One article I read mentioned that changing the port dropped the number of casual port scans by 98%. Better yet would be to have a pfSense firewall and update iptables for rate limiting. The Synology NAS can do this as well. But more layers of security are always better.
  4. Click 'Advanced Settings'
    1. Click "High" to ensure the most recent encryption algorithms are used. Or you can click customize and select the exact algorithms you desire or require.
  5. Click 'Apply' and click 'Apply' again on the next screen.

It is also a good idea to setup public key authentication. And double check the sshd_config file and edit as appropriate.

You can also enable SFTP. To do this see '11. Secure File Services' below.

sudoers

This document does not cover setting up /etc/sudoers. But it is good practice to avoid using root. Use a normal user and run sudo when you need root access. However, Synology does not have 'visudo'. As of now I haven't played with the Synology sudoers file. You could just edit it with vi directly. Keep in mind that Synology is designed to be run with very little normal human intervention, and editing key files may cause issues with various packages.

Enable root SSH Access

By default you can SSH with the admin ID. And with the newly created admin ID. Note, you do not use 2FA when SSH'ing into the box. And you can sudo to root. But at times you may wish to SSH as root. Not the most secure access method. But until recently I was rather insecure on my NAS. If it doesn't work follow this article to enable root SSH access.

9. Disable IPv6

Most people are not using IPv6 as of yet. This is especially true on your internal LAN.

Go to: Control Panel > Network > Network Interface Tab

Edit the LAN connection. Switch to the IPv6 tab and choose 'Off' from the IPv6 setup drop down box. Click 'OK'.

10. Setup NTP

It is always good to have the correct time.

Go to: Control Panel > Regional Options > Time tab

Select the desired time zone from the time zone drop down box. Under time setting click 'Synchronize with NTP server'. For server address choose your desired NTP server. I use 'pool.ntp.org'. Click 'Update Now' to verify it is working. Click 'Apply'.

11. Secure File Services

Go to: Control Panel > File Services

Only open services you require. Unless required you should disable FTP and TFTP.

SMB/AFP/NFS Tab

If you enable SMB make sure you click on the Advanced Settings and disable SMBv1. That is no longer secure.

Ports = 139/TCP & 139/UDP (netbios-ssn), 445/TCP & 445/UDP (microsoft-ds), 137/UDP & 138/UDP (nmbd)

Optionally enable NFS. One of these days I need to learn how to set up Kerberos and NFSv4.

Ports = 111/TCP & 111/UDP (rpcbind), 892/TCP & 892/UDP, 2049/TCP & 2049/UDP (NFS)

I no longer use my Mac. I have a couple of older MacBook Pros. But I actually prefer Windows. (sue me) Plus Mac hardware isn't as good anymore anyway.

FTP Tab

FTP should be disabled. But you can scroll down and enable SFTP. Change the port number if so desired.

TFTP Tab

Disable this unless required. (69/UDP)

rsync Tab

I like rsync. (873/TCP) If you enable this make sure you click on 'Edit rsync Account' and change the default 'admin' ID to your new administrator ID.

Advanced Tab

I disable Bonjour (5353/UDP - zeroconf) and SSDP (1900/UDP). Disabling Bonjour may interfere with some of the DS packages. I need to verify this and see if I lose some of the packages I use.

Click Apply after making any changes on each tab.

12. Setup Notifications

Go to: Control Panel > Notification

You have three options for notifications. You can choose one or all three. The three options are SMS, email, or push notifications.

Setting up email is pretty self explanatory. You can select one of the major email providers and sign into your account. Or you can choose custom SMTP and configure everything based on your requirements.

I haven't tried SMS yet. It appears you need to provide a custom URL with your password. I am not going to do that.

The push notifications require you to install the DS Finder app. It works. But I still am not planning on opening DSM (5001/TCP) to the web. And I don't really need push notifications.

One important note: once you set up notifications, make sure you go to the advanced tab. Edit which notifications you receive and how you receive them. By default almost everything is sent via email.

13. Other Steps

I have the cloud storage packages installed. I need to examine the various DS apps and decide if I want to uninstall some of them. As mentioned above I also need to see if I want to disable QuickConnect. The fewer things installed the more secure you are.

14. Encryption

I have an older Synology NAS device. I can only encrypt certain folders. It is recommended to encrypt your most sensitive data.

15. VPN

I setup a VPN on my dd-wrt router. But I need to revisit that setup. I used this document to setup OpenVPN on my Synology NAS.

16. Security Advisor

Go to the main menu. Click on Security Advisor. Today I have it setup for home and personal use. Make sure you run the scan and fix any issues. Except I don't change my SSH port. It isn't open to the internet. So instead of using the home and personal scan I setup a custom scan based upon the home profile.

Go to the advanced tab. Select 'custom' as the security baseline. Click customize checklist. Update it based on the list below. Make any changes you desire.

  • Malware - Potentially malicious programs have been found on your system.
  • Malware - Malicious system configuration settings were found on your system.
  • Network - Automatic redirection from HTTP to HTTPS is disabled
  • Network - Default firewall policy is set to allow on interfaces with public IP
  • Network - LAN services are accessible from the internet.
  • Network - Telnet service is enabled
  • System - LDAP client service is not using encryption
  • System - FTP service w/o encryption is enabled
  • System - TFTP service is enabled
  • System - The option 'Enhance browser compatibility by skipping IP checking' is enabled
  • System - 'Improve protection against cross-site request forgery attacks' is disabled
  • System - 'Do not allow DSM to be embedded with iFrame' is disabled
  • System - Auto Block is disabled
  • System - Malicious startup scripts were found on your system
  • System - Optware has been found on your DSM
  • Update - DSM regular update checking is not enabled
  • Update - You are not using the latest version of DSM
  • Update - Email notification for new DSM updates is disabled
  • Update - Some of your packages are not up-to-date
  • Account - Password strength rules do not meet requirements for work and business
  • Account - Anonymous FTP is enabled
  • Account - The guest account is enabled
  • Account - Some users have weak passwords
  • Account - User home directory permission has been incorrectly modified
  • Account - Password strength rules do not meet requirements

Save your settings. Go back to the overview tab and scan your system. Verify everything is good.

Now schedule a weekly scan. Or scan it more frequently if you desire. Go back to the advanced tab and enable the scan schedule. Pick a day and time that works for you. And then click apply.

17. Update Folder Permissions

If you have previously created shared folders you need to go back and review the permissions of each folder.

It is assumed that you will be creating one or more users for general access. And a lot of the shared folders will only need RO (read-only) access for general usage. For example, if you have a video folder there is no need to allow write access to it to stream your movies around your house.

18. Enable Automatic Updates

Go to:  Control Panel > Update & Restore

Go to the DSM Update tab. Click on 'Update settings'. Now you can have DSM install the updates or just download the available updates. With notifications enabled you will be emailed when you need to perform updates.

I select the following options.

  • Newest DSM and all updates
  • Check for DSM updates automatically
    • Download DSM updates but let me choose whether to install them
  • Schedule it as desired
  • Click OK

You can also force automatic updates for your packages. That is done in the package center. Click on settings and then on auto update. Choose if you want to automatically update some or all of your packages.

Back Up Your Configuration

Now that everything is setup backup your configuration. From the 'Update and Restore' tab in the control panel click on the Configuration Backup tab. Then click on back up configuration and save the file. Save it someplace besides your NAS.

Delete @eaDir on Synology

@eaDir Indexing

There are numerous sites that explain how to delete the irritating @eaDir directories on Synology NAS devices.  This directory is used by the indexing service.  And there are ways to disable this.  However this post is just a quick reminder on how to delete the directories or some other file or directory before copying files to another directory or device.

I tend to avoid doing any command starting from the root directory.  I prefer to limit commands to a specific directory.  And it is always a good idea to test out new commands first to ensure no drastic mistakes are made.  Instead of deleting a file echo a command first to a log file and review it.

Using xargs

find /volume1/music/flac -type d -name "@eaDir" -print0 |xargs -0 rm -rf

The '-print0' flag separates the full file name with a null character instead of a new line character.  This is useful if the path has spaces or other odd characters.

The '-0' flag in the xargs command tells xargs that items are separated by null characters.

Using -exec

find /volume1/music/mp3 -depth -type d -name "@eaDir" -exec rm -rf {} \;

The '-depth' flag will process each directory's contents before the directory itself.  You can use the '-delete' flag instead.  Either flag will prevent the find command from reporting that a directory doesn't exist after you remove it.  Otherwise the command will work without that flag but you will see "false" alerts about missing directories.
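An added example, not from the original post, that turns the "echo the command to a log file first" advice above into a script: it writes the exact rm commands to a review log, deletes nothing until a separate purge call, and keeps every path NUL-separated so names with spaces survive. It assumes a POSIX sh with find, xargs and printf; the /volume1/music paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: list the @eaDir directories under
# a root, write the exact rm commands to a review log first, and delete only on
# a separate, explicit call. Every path travels NUL-separated (-print0/xargs -0)
# so names with spaces or quotes survive. Assumes POSIX sh, find, xargs, printf.

# Count @eaDir directories below $1 by counting the NUL bytes find emits.
count_eadir() {
    find "$1" -type d -name '@eaDir' -print0 | tr -dc '\000' | wc -c | tr -d ' '
}

# Write one "rm -rf '<path>'" line per match to the log $2 and print how many
# there are. Nothing is deleted; the log is what you read before purging.
review_eadir() {
    root=$1; log=$2
    : > "$log"
    if [ "$(count_eadir "$root")" -gt 0 ]; then
        # printf re-applies its format once per NUL-separated argument
        find "$root" -type d -name '@eaDir' -print0 |
            xargs -0 printf "rm -rf '%s'\n" >> "$log"
    fi
    wc -l < "$log" | tr -d ' '
}

# Remove them. -depth makes find finish a directory's contents before printing
# the directory, so rm never pulls a subtree out from under a running find.
# The count guard avoids running "rm -rf" with no arguments when nothing matches.
purge_eadir() {
    [ "$(count_eadir "$1")" -gt 0 ] || return 0
    find "$1" -depth -type d -name '@eaDir' -print0 | xargs -0 rm -rf
}

# Usage: sh eadir.sh review /volume1/music /tmp/eadir-review.log
#        sh eadir.sh purge  /volume1/music
case "${1:-}" in
    review) review_eadir "$2" "${3:-/tmp/eadir-review.log}" ;;
    purge)  purge_eadir "$2" ;;
esac
```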

DSM ROBOCOPY

Using ROBOCOPY on DSM

It is far easier to simply create a batch file to copy files from a Windows box to a Synology NAS device.  The examples below show some quick options I most often use.  This website is mainly for my own personal use anyway.  For more information on robocopy refer to the MS Command Line Reference guide.  Note, this URL is subject to change.  This example does not take the place of a proper backup and restore policy.

This is useful for quick one time backups before making changes.  Or to copy photographs from a SD card and only copy the new files.  Perhaps copying RAW files to one directory and JPEGS to another directory.  I mainly use robocopy to mirror directories and this allows me to run the command and come back a few hours later and rerun if necessary.  The examples below are using CIFS mounted NAS directories.

Basic Usage of Robocopy

There are numerous options.  This only highlights the flags I most often use.  The basic command is as follows.

robocopy  <Source>  <Destination>  [<File>[ ...]]  [<Options>]

File is optional.  But it can be used for multiple file types or to only copy one file type.

*.CR2 *.JPG  (Copy both raw and jpegs)
*.mp3  (Only copy MP3 files)

My commonly used options:

/copy:DAT  (File Properties to copy = D data / A attributes / T timestamps)
/MIR  (Mirrors a directory tree (equivalent to /e (copy sub-dirs and empty dirs) && /purge (deletes destination files and dirs no longer in source)))

/v  (Increases verbosity of logging - shows skipped files)

/MT:16  (Number of threads between 1 and 128  - Default is 8)

/TEE  (Write the status output to the console window as well as to the log file.)

/LOG:%USERPROFILE%\Desktop\robo.txt  (Log file for review.  Adjust path as necessary.  Don't forget the colon after log.)

/XF <Filename>[ ...]  (Exclude file that matches specified name or paths.  Wildcards are acceptable.  Add multiple files in space delineated list.  Use double quotes for names with spaces.)

/XD <Directory>[ ...]  (Exclude directories that match the specified names and paths.  Wildcards may be used.  Add multiple paths in a space delineated list.  Use double quotes for names with spaces.)

Robocopy Examples

Here are some examples.  I am using the caret (^) to extend a long command over multiple lines and make it more readable.

Copy ALL of iTunes to Synology:

robocopy %USERPROFILE%\Music\iTunes ^
X:\iTunes-5-31-2016 ^
/copy:DAT ^
/MIR ^
/V ^
/MT:16 ^
/LOG:%USERPROFILE%\Desktop\robo-itunes.txt

Copy JPEG Locally

This example will copy all of the JPEGs from one directory to another.  This is useful if you have RAW and JPEGs images in one directory and you want to split them.

robocopy %USERPROFILE%\Pictures\GreatWhiteNorth ^
%USERPROFILE%\Desktop\GreatWhiteNorth ^
*.jpg ^
/copy:DAT ^
/MIR ^
/V ^
/MT:16 ^
/TEE ^
/LOG:%USERPROFILE%\Desktop\robo-jpg.txt

DSM RSYNC

Using rsync to Copy Files to USB Drives

UNIX commands tend to have different flags on different versions of the OS.  A quick review of the man page or running 'command --help' may be helpful.  This post is just a quick reference of the command I most often use on my Synology NAS device.

Here is a quick usage of rsync:

rsync  [OPTION]  SRC  DEST

My Options for RSYNC

Here are the flags I most commonly use.

-a, --archive   (archive mode; equals -rlptgoD)

-r = recurse into directories
-l = copy symlinks as symlinks
-p = preserve permissions
-t = preserve modification times
-g = preserve group
-o = preserve owner (super-user only)
-D = preserve device files (--devices) (super-user only) && preserve special files (--specials)

--delete = delete extraneous files from destination dirs

--exclude='@eaDir' --exclude='Thumbs.db'  (Don't include @eaDir or Thumbs.db, which are Synology and Windows items I don't care about.)

--log-file=/volumeUSB1/usbshare/rsync.log (Optional log file for review.  Synology rsync doesn't seem to do very good logging compared to other OS'es even with increased verbosity enabled.)

Example Command - Local to USB

The command below copies the contents of '/volume1/video/BBC' (local Synology volume) into '/volumeUSB1/usbshare/BBC' (BBC folder on the USB drive). The trailing slash on the source tells rsync to sync the directory's contents; a shell glob ('/volume1/video/BBC/*') would skip dotfiles and keep '--delete' from removing stray top-level files in the destination.

rsync -a \
--delete \
--log-file=/volumeUSB1/usbshare/rsync.log \
--exclude='@eaDir' \
--exclude='Thumbs.db' \
/volume1/video/BBC/ \
/volumeUSB1/usbshare/BBC &
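An added example, not from the original post, that runs the mirror above as a dry run first, counts what '--delete' would remove from the USB drive, and only performs the real run when that count stays under a limit you choose. It assumes rsync is installed (the post already relies on it) and the paths are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: preview a mirror with --dry-run
# and count what --delete would remove from the USB drive, then refuse the real
# run if that count exceeds a limit. A mistyped destination is the classic way
# to empty a backup drive. Assumes rsync is installed; all paths are constructed.

EXCLUDES="--exclude=@eaDir --exclude=Thumbs.db"

# Print the number of destination entries that mirroring $1 into $2 would
# delete. The trailing slash added to the source syncs the directory contents;
# a shell glob like src/* skips dotfiles and keeps --delete from removing stray
# top-level files in the destination. Excluded names are also protected from
# deletion on the destination, so an existing @eaDir there is left alone.
count_deletions() {
    rsync -a --delete --dry-run --itemize-changes $EXCLUDES "${1%/}/" "$2" |
        grep -c '^\*deleting' || true
}

# Mirror $1 into $2 with a log in $4, but only if the dry run would delete at
# most $3 entries (default 0). Returns 3 and touches nothing otherwise.
safe_mirror() {
    src=$1; dst=$2; limit=${3:-0}; log=${4:-/tmp/rsync-mirror.log}
    n=$(count_deletions "$src" "$dst")
    if [ "$n" -gt "$limit" ]; then
        echo "refusing to mirror: dry run would delete $n entries (limit $limit)" >&2
        return 3
    fi
    rsync -a --delete --log-file="$log" $EXCLUDES "${src%/}/" "$dst"
}

# Usage: sh mirror.sh /volume1/video/BBC /volumeUSB1/usbshare/BBC 20 \
#            /volumeUSB1/usbshare/rsync.log
if [ "$#" -ge 2 ]; then
    safe_mirror "$@"
fi
```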