Synology NAS and QuickConnect

Brief explanation on setting up QuickConnect on Synology NAS

QuickConnect Security

The QuickConnect option on Synology NAS has some real merits and some issues. QuickConnect uses hole punching to give internet access to your NAS. The good news is that you don't need to set up port forwarding on your router; all connections are outbound.

QuickConnect uses two different methods for access. (See this PDF for more information.)

  1. It uses a relay server for all access, and all traffic flows through that relay server.
  2. You can have direct access after connecting through the relay server. This method requires DDNS (Dynamic DNS) and UPnP.

Your connection is encrypted when using the relay server. As far as I can tell traffic flows over 443/UDP. Your connection can also be encrypted with a Let's Encrypt certificate when using the second (direct) method via UPnP. However, UPnP is extremely insecure, even internally. I set it up just to test out QuickConnect.

To see the ports, I set up tcpdump captures on my DD-WRT router on the WAN interface (vlan2) and the LAN interface (br0). I also ran tcpdump on my Synology NAS. An example of my tcpdump command is shown below.

tcpdump -lnpt -i vlan2 tcp and \
port \(5000 or 5001 or 62323 or 62324 or 62325 or 6690\)

The Flow

Your NAS sends information to the relay server. When you want to use DS File or log into the DSM GUI, you use the QuickConnect URL or ID (https://quickconnect.to/<your_ID>). Your client then connects to the relay server. The relay server tells your client about the DDNS address (<your_ID>.synology.me), and your client then connects directly after the NAS opens the port for your connection. I know I have missed some network magic in how this all works.

Setup

This is a brief explanation of how to set up QuickConnect. I don't plan to keep UPnP enabled, but I may need it in the future for something or other. These directions assume you already have a QuickConnect ID. If not, go to the QuickConnect tab in the Synology Control Panel and request a new ID. After that, go to the Advanced tab. Enable the relay service and also select 'Automatically create port forwarding rules'. Then select one or more applications that are accessible via QuickConnect. See the picture below.

QuickConnect Advanced Tab

E-Z Internet

The easiest way to set up everything else is to use 'E-Z Internet' from the main menu. This will set up DDNS on your NAS, set up the router configuration on your NAS, and create the UPnP port forwarding rules on your router.

You should be able to set up everything manually as well. First go to the 'External Access' tab in the Control Panel and add a new DDNS provider that will map a hostname to the WAN IP address from your ISP. Use the synology.me DDNS and select a new hostname for your NAS.

Next go to the Router Configuration tab. Create two new rules for the applications, and test the connection afterwards. See the picture below.

Router Configuration Tab

Verify Your Router UPnP Setup

Verify your router has the correct UPnP rules. These may vary slightly depending on which applications you enabled via QuickConnect. The last two octets of my NAS IP address have been whited out, not that my private address matters too much anyway. Your router may display the information differently. See the picture below.

DD-WRT UPnP Tab

Let's Encrypt

Yes, you can use Let's Encrypt with QuickConnect. You still need to own your own domain (example.com), and then you need to add a CNAME record pointing to your synology.me DDNS hostname. You use the QuickConnect ID or URL to access your device; it will then use your synology.me hostname.

First create a DDNS synology.me hostname. In this example we will use 'mysyno.synology.me', and it will map to your WAN IP address, which in this example is 73.1.2.3. Xfinity owns 73/8.

DDNS: mysyno.synology.me A 73.1.2.3

You need to own your own domain. In this example I own 'example.com'. In your DNS records you need to create a CNAME for a subdomain; in this example our CNAME will be 'mysyno.example.com'. This maps to the DDNS hostname: 'mysyno.example.com' is an alias for 'mysyno.synology.me'.

mysyno.example.com. CNAME mysyno.synology.me.

Synology - Map Domain with DDNS

Mapping Synology to a subdomain with DDNS and CNAME

First Secure Your Synology NAS

Secure your Synology NAS before enabling internet access. Follow this post for more information.

Prerequisites

You need to own your own domain. You need to understand the basics of DNS and have the ability to add a CNAME to DNS.

Setup Dynamic DNS (DDNS)

Your ISP provides you with a publicly routable IP address. You then connect your router to the ISP modem. Your devices inside your home have NAT'ed IP addresses and are all RFC 1918 addresses. These addresses are not routable on the internet. When you go to a website or use anything on the internet, your router translates your private IP to the public IP address provided by your ISP.

Most ISPs provide DHCP addresses, which change from time to time. To get an SSL certificate you need to be able to map your domain to an IP address. Dynamic DNS automatically updates the forward resolution of your domain name to your IP address even when it changes. The TTL (time to live) needs to be short, normally about 15 minutes or so, so changes won't be immediately available. But for home use it is more than good enough.

You can use any number of DDNS providers. Synology also offers a DDNS service. I already added DDNS to my home router, so I am not going to walk through the setup in this article.

Setup DNS CNAME

Once you set up DDNS you will have a resolvable domain name that maps to the IP address given to you by your ISP. For example, Comcast (Xfinity) owns all of 73/8, so if your ISP is Comcast you will have a public IP like 73.x.y.z (where x, y and z are numbers between 0 and 255). Check what it is by going to ipchicken.com. If you used noip.com as your DDNS provider, mysyno.ddns.net would resolve to your 73.x.y.z IP address. You can choose any available hostname and choose from a number of different domains.

mysyno.ddns.net A 73.x.y.z

If you owned the domain 'example.com' you could then create a subdomain and add a CNAME to mysyno.ddns.net. Let's say you create the subdomain syno.lab.example.com. So you have the following.

  1. The domain you purchased, presumably for your personal website = example.com
  2. Comcast public IP address (73/8) = 73.x.y.z
  3. DDNS = mysyno.ddns.net with A record of 73.x.y.z
  4. Subdomain = lab.example.com (replace lab with anything you desire)
  5. Fully Qualified Domain Name (FQDN) = syno.lab.example.com (You don't really need to do this. But I wanted to use my Synology FQDN as the URL. You can simply use the subdomain if you desire.)

You now need to set up a CNAME record for either the subdomain or the FQDN. The exact procedure will vary with your DNS provider, but you want to set it up like the following picture.

DDNS Setup

Here is our DNS zone information.

NAME                    TYPE   VALUE
------------------------------------------------
mysyno.ddns.net.        A      73.x.y.z
syno.lab.example.com.   CNAME  mysyno.ddns.net.

The CNAME target is 'mysyno.ddns.net.'. The name 'syno.lab.example.com.' is an alias for our DDNS domain (mysyno.ddns.net.).

Since we own 'example.com' we can assign an SSL certificate to the subdomain 'syno.lab.example.com'. In this example this is actually our Synology FQDN. Our home network domain would be 'lab.example.com', and we can use this internally.
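As an added check that is not part of the original post, here is a small Python script that validates a DDNS plus CNAME chain like the one above (and the mysyno.synology.me one in the Let's Encrypt section) before you request a certificate: it follows the CNAME to the A record, confirms the result is your expected WAN address and not RFC 1918 space, and flags an effective TTL longer than the roughly 15 minutes suggested earlier. The zone records are constructed inline to mirror this post's examples, and the function names and TTL limit are this example's own assumptions, not a Synology or DNS-provider API.

```python
import ipaddress

# Constructed zone mirroring the post's records: (name, ttl_seconds, type, value)
ZONE = [
    ("mysyno.ddns.net.", 900, "A", "73.1.2.3"),
    ("syno.lab.example.com.", 3600, "CNAME", "mysyno.ddns.net."),
]
MAX_DDNS_TTL = 15 * 60  # the post's guideline: roughly 15 minutes for DDNS
MAX_CNAME_HOPS = 8      # assumed limit, guards against CNAME loops

def _fqdn(name):
    return name.lower().rstrip(".") + "."

def resolve_chain(zone, name):
    """Follow CNAMEs from name to an A record; return (ip, min_ttl), min_ttl being
    the longest a resolver may cache the answer. ValueError on missing/loop."""
    records = {}
    for rname, ttl, rtype, value in zone:
        records.setdefault(_fqdn(rname), []).append((ttl, rtype, value))
    seen, min_ttl, cur = set(), None, _fqdn(name)
    for _ in range(MAX_CNAME_HOPS + 1):
        if cur in seen:
            raise ValueError(f"CNAME loop at {cur}")
        seen.add(cur)
        rrs = records.get(cur)
        if not rrs:
            raise ValueError(f"no record for {cur}")
        ttl, rtype, value = rrs[0]
        min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
        if rtype == "A":
            return ipaddress.ip_address(value), min_ttl
        if rtype != "CNAME":
            raise ValueError(f"unexpected {rtype} record at {cur}")
        cur = _fqdn(value)
    raise ValueError("too many CNAME hops")

def check_chain(zone, name, expected_wan_ip):
    """Return a list of findings; an empty list means the chain looks right."""
    try:
        ip, min_ttl = resolve_chain(zone, name)
    except ValueError as e:
        return [str(e)]
    findings = []
    if ip != ipaddress.ip_address(expected_wan_ip):
        findings.append(f"{name} resolves to {ip}, expected {expected_wan_ip}")
    if ip.is_private:
        findings.append(f"{ip} is RFC 1918 space, not reachable from the internet")
    if min_ttl > MAX_DDNS_TTL:
        findings.append(f"effective TTL {min_ttl}s exceeds {MAX_DDNS_TTL}s")
    return findings
```

Run it against the records you intend to publish; a non-empty list from check_chain means the certificate hostname would not reach your NAS the way the post describes.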

Next Steps

Follow this post to setup Let's Encrypt SSL certificates.