Synology NAS and QuickConnect

Brief explanation on setting up QuickConnect on Synology NAS

QuickConnect Security

The QuickConnect option on Synology NAS has some good merits and some issues. QuickConnect uses hole punching for internet access to your NAS. The good news is that you don't need to allow port forwarding on your router. All connections are outbound.

QuickConnect uses two different methods for access. (See this PDF for more information.)

  1. It uses a relay server for all access. And traffic flows through that relay server.
  2. You can have direct access after connecting the relay server. This method requires DDNS (Dynamic DNS) and UPnP.

Your connection is encrypted using the relay server. As far as I can tell traffic flows over 443/UDP. Your connection can also be encrypted using Let's Encrypt using the second method via UPnP. However, UPnP is extremely insecure, even internally. I set it up just to test out QuickConnect.

To see the ports I setup TCPDUMPs on my DD-WRT router on the WAN interface (vlan2) and the LAN interface (br0). I also did a TCPDUMP on my Synology NAS. An example of my tcpdump command is shown below.

tcpdump -lnpt -i vlan2 tcp and \
port \(5000 or 5001 or 62323 or 62324 or 62325 or 6690\)

The Flow

Your NAS will send out information to the relay server. When you want to use DS File, or log into the DSM GUI you use the QuickConnect URL or ID (<your_ID>). It will then connect to the relay server. The relay server will tell your client about the DDNS address (<your_ID> . And then your client will connect directly after the NAS opens the port for your connection. I know I have missed some network magic in how this all works.


This is a brief explanation on how to setup QuickConnect. I don't plan to keep UPnP enabled. But I may need it in the future for something or other. These directions assume you already have a QuickConnect ID. If not, go to the QuickConnect tab in the Synology Control Panel and request a new ID. After that go to the advanced tab. Enable the relay service and also select 'Automatically create port forwarding rules'. And then select one or more applications that are accessible via QuickConnect. See the picture below.

QuickConnect Advanced Tab
QuickConnect Advanced Tab

E-Z Internet

The easiest way to setup everything else is to use 'E-Z Internet' from the main menu. This will setup DDNS on your NAS and setup the router configuration on your NAS. And it will setup the UPnP port forwarding rules on your router.

You should be able to setup everything manually as well. First go to the 'External Access' tab in the control panel. And add a new DDNS provider that will map to your WAN IP address from your ISP. Use the DDNS and select a new hostname for your NAS.

Next go to the router configuration tab.  Create two new rules for the applications. And test the connection afterwards. See the picture below.

Router Configuration Tab
Router Configuration Tab

Verify Your Router UPnP Setup

Verify your router has the correct UPnP rules. These may very slightly depending on which applications you enabled via QuickConnect. The last two octets of my NAS IP address have been whited out. Not that my private address matters too much anyway. Your router may display the information differently. See the picture below.


Let's Encrypt

Yes you can use Let's Encrypt and QuickConnect. You still need to own your own domain. ( And then you need to add a CNAME record for your DDNS hostname. You use the QuickConnect ID or URL to access your device. It will then use your hostname.

First create a DDNS hostname. In this example we will use ''. And that will map to your WAN IP address. In this example it is Xfinity owns 73/8.


You need to own your own domain. In this example I own ''. And in your DNS records you need to create a CNAME for a subdomain. In this example our CNAME will be ''. This will then map to the DDNS hostname. The '' hostname will be an alias to your CNAME of ''. CNAME

One thought on “Synology NAS and QuickConnect”

Comments are closed.