Synology NAS and QuickConnect

A brief explanation of setting up QuickConnect on a Synology NAS

QuickConnect Security

The QuickConnect option on Synology NAS has some good merits and some issues. QuickConnect uses hole punching for internet access to your NAS. The good news is that you don't need to allow port forwarding on your router. All connections are outbound.

QuickConnect uses two different methods for access. (See this PDF for more information.)

  1. Relay: all traffic flows through the relay server.
  2. Direct: after the initial connection through the relay server, the client connects straight to the NAS. This method requires DDNS (Dynamic DNS) and UPnP.

Your connection is encrypted when it goes through the relay server. As far as I can tell that traffic flows over 443/UDP. With the second (direct) method the connection can also be encrypted with a Let's Encrypt certificate, but that method relies on UPnP, and UPnP is extremely insecure, even internally. I set it up just to test out QuickConnect.

To see which ports are used I set up tcpdump captures on my DD-WRT router, on the WAN interface (vlan2) and the LAN interface (br0), and another one on the Synology NAS itself. An example of my tcpdump command is shown below.

tcpdump -lnpt -i vlan2 tcp and \
port \(5000 or 5001 or 62323 or 62324 or 62325 or 6690\)

The Flow

Your NAS sends its information out to the relay server. When you use DS File, or log into the DSM GUI with the QuickConnect URL or ID (https://quickconnect.to/<your_ID>), the client first connects to the relay server. The relay server tells your client the DDNS address (<your_ID>.synology.me), and your client then connects directly once the NAS has opened the port for your connection. I know I have missed some network magic in how this all works.

Setup

This is a brief explanation of how to set up QuickConnect. I don't plan to keep UPnP enabled, but I may need it in the future for something or other. These directions assume you already have a QuickConnect ID. If not, go to the QuickConnect tab in the Synology Control Panel and request a new ID. After that go to the Advanced tab, enable the relay service and also select 'Automatically create port forwarding rules'. Then select one or more applications that are accessible via QuickConnect. See the picture below.

[Picture: QuickConnect Advanced Tab]

E-Z Internet

The easiest way to set up everything else is to use 'E-Z Internet' from the main menu. This sets up DDNS and the router configuration on your NAS, and creates the UPnP port forwarding rules on your router.

You should be able to set everything up manually as well. First go to the 'External Access' tab in the Control Panel and add a new DDNS provider that maps to the WAN IP address from your ISP. Use the synology.me DDNS service and choose a new hostname for your NAS.

Next go to the Router Configuration tab. Create two new rules for the applications and test the connection afterwards. See the picture below.

[Picture: Router Configuration Tab]

Verify Your Router UPnP Setup

Verify that your router has the correct UPnP rules. These may vary slightly depending on which applications you enabled via QuickConnect. The last two octets of my NAS IP address have been whited out, not that my private address matters too much anyway. Your router may display the information differently. See the picture below.

[Picture: DD-WRT UPnP Tab]

Let's Encrypt

Yes, you can use Let's Encrypt with QuickConnect. You still need to own your own domain (example.com), and you need to add a CNAME record that points at your synology.me DDNS hostname. You use the QuickConnect ID or URL to access your device, and it then uses your synology.me hostname.

First create a synology.me DDNS hostname. In this example we will use 'mysyno.synology.me', which maps to your WAN IP address; in this example it is 73.1.2.3. Xfinity owns 73/8.

DDNS: mysyno.synology.me A 73.1.2.3

You need to own your own domain. In this example I own 'example.com'. In your DNS records you need to create a CNAME for a subdomain; in this example the CNAME will be 'mysyno.example.com', and it maps to the DDNS hostname. 'mysyno.example.com' is then an alias for 'mysyno.synology.me', which is the record that actually carries the WAN address.

mysyno.example.com. CNAME mysyno.synology.me.
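As an added check (example code written for this page, not Synology's and not the author's): the function below chases the CNAME chain the way a resolver does and confirms that the name you will put on the certificate ends at the WAN address your DDNS record should hold. The records are constructed to mirror the two records above; in practice you would feed in the answers from dig for each name. The loop-* and dangling entries are made-up names added only to exercise the failure paths.

```python
# Added example, not code from the page or from Synology: chase a CNAME chain
# the way a resolver does and confirm that the name you will put on the
# certificate ends at the WAN address your DDNS record should hold.
from typing import Dict, List, Tuple

# CONSTRUCTED records mirroring the page's example (in practice take these
# from `dig` answers).  The loop-* and dangling entries are made-up names
# added only to exercise the failure paths.
RECORDS: Dict[str, Tuple[str, str]] = {
    "mysyno.example.com.": ("CNAME", "mysyno.synology.me."),
    "mysyno.synology.me.": ("A", "73.1.2.3"),
    "loop-a.example.com.": ("CNAME", "loop-b.example.com."),
    "loop-b.example.com.": ("CNAME", "loop-a.example.com."),
    "dangling.example.com.": ("CNAME", "gone.synology.me."),
}
MAX_CHAIN = 8  # resolvers stop following long chains; do the same


def normalize(name: str) -> str:
    """Lower-case the name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def chase(name: str, records: Dict[str, Tuple[str, str]] = RECORDS) -> Tuple[List[str], str]:
    """Follow CNAMEs from `name` until an A record is reached.

    Returns (names visited, IPv4 address).  Raises ValueError on a loop,
    a name with no record (dangling CNAME) or a chain longer than MAX_CHAIN.
    """
    chain = [normalize(name)]
    seen = set(chain)
    while True:
        current = chain[-1]
        if current not in records:
            raise ValueError(f"{current} has no record (dangling CNAME?)")
        rtype, value = records[current]
        if rtype == "A":
            return chain, value
        if rtype != "CNAME":
            raise ValueError(f"unexpected {rtype} record at {current}")
        target = normalize(value)
        if target in seen:
            raise ValueError(f"CNAME loop at {target}")
        if len(chain) >= MAX_CHAIN:
            raise ValueError("CNAME chain too long")
        chain.append(target)
        seen.add(target)


def check_ddns(cert_name: str, expected_wan_ip: str,
               records: Dict[str, Tuple[str, str]] = RECORDS) -> bool:
    """True if cert_name resolves, through its CNAMEs, to expected_wan_ip."""
    try:
        return chase(cert_name, records)[1] == expected_wan_ip
    except ValueError:
        return False


if __name__ == "__main__":
    names, ip = chase("mysyno.example.com")
    print(" -> ".join(names), "->", ip)
    print("DDNS OK" if check_ddns("mysyno.example.com", "73.1.2.3") else "DDNS MISMATCH")
```

Run it after the DDNS client has updated the A record: a mismatch means the certificate name still points at an old WAN address, and a ValueError path means the CNAME never reaches an address at all. Because a CNAME cannot share a name with other records at the zone apex, the page's choice of a subdomain (mysyno.example.com rather than example.com) is the right one.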

TCPDUMP

Checking Flows with TCPDUMP

This is a brief rundown on how to use tcpdump to verify flows between boxes.  This should be done before calling the network team for help on something that isn't working.  Different operating systems may have different flags; always refer to the manpage for your version of tcpdump.

Verifying that packets are reaching the other box before calling the network team is always a good thing, and it is quite simple to verify that packets are leaving on the correct interface and port.

Other Sites and References

The following sites contain a lot of useful information and far more detailed explanations of how to use tcpdump.  My little document is just a brief reminder for myself of some of the very basics.

http://www.tcpdump.org/manpages/tcpdump.1.html

Wikipedia Article on TCP - Check out the TCP Headers Section

Very Nice Site with Detailed Explanation on How to Use tcpdump

Another Nice Site on Using tcpdump

Nice Site to Explain the Output in Greater Detail

Flags

On Linux the following flags are most often used.

  • tcpdump -lnp -i ent0
    • -l (Lowercase L) - Make stdout line buffered.  This allows you to see the data while it is being captured.
    • -n - Don't convert host addresses to names; show the IP address.
    • -p - Do NOT put the interface into promiscuous mode.  Since we are not on a router and do not have a real sniffer, this reduces the amount of traffic.
    • -i <Interface> - Listen on this interface
  • Other useful flags
    • -t - Don't print the timestamp
    • -nn - Don't convert protocol and port numbers into names
    • -q - Print less protocol information to make the lines shorter
    • -A - Print each packet (minus its link level header) in ASCII.  Useful to capture web pages or IDs and Passwords in clear text.

Filters

The proper use of filters will allow us to find the packet information we need quickly and accurately.  And it will dramatically reduce the amount of traffic we need to parse.

tcpdump -lnp -i ent0 <PROTOCOL> <DIRECTION> <TYPE>

  • Protocol = ip, tcp, udp, icmp, arp, rarp, stp (spanning tree protocol), and ether
  • Direction = src (source), dst (destination), src or dst, & src and dst
  • Type = net (CIDR (10.2.1.0/24) or leave off .octet (192.168.1)), host (IP address or hostname), port (Number (512) or name (syslog))

To combine filters use the following operators.

  • && = and
  • || = or
  • ! = not

Reading the Output

I am not a network guy, but I have a basic understanding.  A few Google searches should help answer any questions about the output of tcpdump.  The basic format of the output is shown below.

timestamp (HH:MM:SS.micro) protocol source.port > destination.port: Flags [S], ...

23:37:27.538449 IP 192.168.1.101.53592 > 172.217.4.100.443: Flags [S], seq 3355934968, win 29200, options [mss 1460,sackOK,TS val 18945927 ecr 0,nop,wscale 7], length 0
23:37:27.556056 IP 172.217.4.100.443 > 192.168.1.101.53592: Flags [S.], seq 4030977753, ack 3355934969, win 42540, options [mss 1430,sackOK,TS val 2246473456 ecr 18945927,nop,wscale 7], length 0
23:37:27.556138 IP 192.168.1.101.53592 > 172.217.4.100.443: Flags [.], ack 1, win 229, options [nop,nop,TS val 18945929 ecr 2246473456], length 0

23:37:27.662155 IP 192.168.1.101.53592 > 172.217.4.100.443: Flags [P.], seq 1:278, ack 1, win 229, options [nop,nop,TS val 18945940 ecr 2246473456], length 277

Flags:

  • [S] = SYN
  • [.] = No Flag Set
  • [P] = PSH (Push Data)
  • [F] = FIN (Finish Connection)
  • [R] = RST (Reset Connection)
  • [S.] = SYN-ACK

ACK <NUMBER> = The TCP packet's acknowledgement number

WIN <NUMBER> = The source host's TCP window.

LENGTH <NUMBER> = The TCP packet length in bytes including headers.

A Few Examples

To find the available interfaces run the following command.

# tcpdump -D

The first example shows the results of a dig query on pahoehoe.net with +trace.  It has been edited to reduce the total number of lines.

# tcpdump -i wlan0 -lnpt udp and port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 192.168.1.101.39991 > 8.8.8.8.53: 28569+ A? a.root-servers.net. (36)
IP 192.168.1.101.39991 > 8.8.8.8.53: 40484+ AAAA? a.root-servers.net. (36)
IP 8.8.8.8.53 > 192.168.1.101.39991: 28569 1/0/0 A 198.41.0.4 (52)
IP 8.8.8.8.53 > 192.168.1.101.39991: 40484 1/0/0 AAAA 2001:503:ba3e::2:30 (64)
IP 192.168.1.101.46308 > 198.41.0.4.53: 52876 [1au] NS? . (28) (A root)
IP 198.41.0.4.53 > 192.168.1.101.46308: 52876*- 14/0/25 NS e.root-servers.net., NS h.root-servers.net., NS l.root-servers.net., NS i.root-servers.net., NS a.root-servers.net., NS d.root-servers.net., NS c.root-servers.net., NS b.root-servers.net., NS j.root-servers.net., NS k.root-servers.net., NS g.root-servers.net., NS m.root-servers.net., NS f.root-servers.net., RRSIG (913)
IP 192.168.1.101.42501 > 8.8.8.8.53: 33974+ A? e.root-servers.net. (36)
IP 192.168.1.101.42501 > 8.8.8.8.53: 49502+ AAAA? e.root-servers.net. (36)
.......
IP 192.168.1.101.47892 > 8.8.8.8.53: 27946+ AAAA? k.root-servers.net. (36)
IP 8.8.8.8.53 > 192.168.1.101.47892: 42746 1/0/0 A 193.0.14.129 (52)
IP 8.8.8.8.53 > 192.168.1.101.47892: 27946 1/0/0 AAAA 2001:7fd::1 (64)
IP 192.168.1.101.59375 > 8.8.8.8.53: 31188+ A? g.root-servers.net. (36)
IP 192.168.1.101.59375 > 8.8.8.8.53: 36734+ AAAA? g.root-servers.net. (36)
IP 8.8.8.8.53 > 192.168.1.101.59375: 31188 1/0/0 A 192.112.36.4 (52)
IP 8.8.8.8.53 > 192.168.1.101.59375: 36734 0/1/0 (96)
IP 192.168.1.101.53501 > 8.8.8.8.53: 696+ A? m.root-servers.net. (36)
IP 192.168.1.101.53501 > 8.8.8.8.53: 32497+ AAAA? m.root-servers.net. (36)
IP 8.8.8.8.53 > 192.168.1.101.53501: 696 1/0/0 A 202.12.27.33 (52)
.........
IP 8.8.8.8.53 > 192.168.1.101.56152: 31995 1/0/0 A 192.31.80.30 (52)
IP 8.8.8.8.53 > 192.168.1.101.56152: 58905 0/1/0 (104)
IP 192.168.1.101.35845 > 8.8.8.8.53: 54527+ A? c.gtld-servers.net. (36)
IP 192.168.1.101.35845 > 8.8.8.8.53: 52197+ AAAA? c.gtld-servers.net. (36)
IP 8.8.8.8.53 > 192.168.1.101.35845: 54527 1/0/0 A 192.26.92.30 (52)
IP 8.8.8.8.53 > 192.168.1.101.35845: 52197 0/1/0 (104)
........
IP 8.8.8.8.53 > 192.168.1.101.44186: 26320 1/0/0 A 192.41.162.30 (52)
IP 8.8.8.8.53 > 192.168.1.101.44186: 37854 0/1/0 (104)
IP 192.168.1.101.53102 > 192.5.6.30.53: 15697 [1au] A? pahoehoe.net. (41) (Query A GTLD Server - With Response Below)
IP 192.5.6.30.53 > 192.168.1.101.53102: 15697- 0/6/3 (603)
IP 192.168.1.101.58902 > 8.8.8.8.53: 13390+ A? ns1.hover.com. (31)
IP 192.168.1.101.58902 > 8.8.8.8.53: 58557+ AAAA? ns1.hover.com. (31)
IP 8.8.8.8.53 > 192.168.1.101.58902: 13390 1/0/0 A 216.40.47.26 (47)
IP 8.8.8.8.53 > 192.168.1.101.58902: 58557 0/1/0 (77)
IP 192.168.1.101.42884 > 8.8.8.8.53: 26535+ A? ns2.hover.com. (31)
IP 192.168.1.101.42884 > 8.8.8.8.53: 62352+ AAAA? ns2.hover.com. (31)
IP 8.8.8.8.53 > 192.168.1.101.42884: 26535 1/0/0 A 64.98.148.13 (47)
IP 8.8.8.8.53 > 192.168.1.101.42884: 62352 0/1/0 (81)
IP 192.168.1.101.51286 > 216.40.47.26.53: 58438 [1au] A? pahoehoe.net. (41)
IP 216.40.47.26.53 > 192.168.1.101.51286: 58438*- 1/0/0 A 173.236.174.31 (46) (NS1.HOVER.COM Responds with A Record)

Checking ICMP echo-request and echo-reply to 8.8.8.8.  Check the Wikipedia article for more ICMP control messages.

# tcpdump -lnp -i wlan0 icmp and net 8.8.8.0/24
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
04:36:43.910160 IP 192.168.1.101 > 8.8.8.8: ICMP echo request, id 24772, seq 1, length 64
04:36:43.939672 IP 8.8.8.8 > 192.168.1.101: ICMP echo reply, id 24772, seq 1, length 64
04:36:44.912043 IP 192.168.1.101 > 8.8.8.8: ICMP echo request, id 24772, seq 2, length 64
04:36:44.937692 IP 8.8.8.8 > 192.168.1.101: ICMP echo reply, id 24772, seq 2, length 64

You can grab plain-text IDs and passwords using the '-A' flag.  This also shows the port option: you can use either the port number or the service name.

# tcpdump -lnpA -i wlan0 port ftp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
04:55:04.944303 IP 192.168.1.101.45514 > 198.57.170.33.21: Flags [S], seq 902807131, win 29200, options [mss 1460,sackOK,TS val 37261499 ecr 0,nop,wscale 7], length 0
E..<..@.@..s...e.9.!....5..[......r.j..........
.8..........
.......
E..t..@.3.<V.9.!...e....R[..5..\...........
.jV".8..220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 2 of 50 allowed.
220-Local time is now 23:55. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.

04:55:05.042076 IP 192.168.1.101.45514 > 198.57.170.33.21: Flags [.], ack 321, win 237, options [nop,nop,TS val 37261508 ecr 3295303202], length 0
E..4..@.@..i...e.9.!....5..\R[.$.....S.....
.8...jV"
04:55:07.082735 IP 192.168.1.101.45514 > 198.57.170.33.21: Flags [P.], seq 1:12, ack 321, win 237, options [nop,nop,TS val 37261713 ecr 3295303202], length 11
E..?..@.@..]...e.9.!....5..\R[.$....w......
.8...jV"USER anon

04:55:07.133890 IP 198.57.170.33.21 > 192.168.1.101.45514: Flags [.], ack 12, win 46, options [nop,nop,TS val 3295305290 ecr 37261713], length 0
E..4..@.3.=..9.!...e....R[.$5..g...........
.j^J.8..
04:55:07.133910 IP 198.57.170.33.21 > 192.168.1.101.45514: Flags [P.], seq 321:358, ack 12, win 46, options [nop,nop,TS val 3295305290 ecr 37261713], length 37
E..Y..@.3.=o.9.!...e....R[.$5..g...........
.j^J.8..331 User anon OK. Password required
04:55:09.854433 IP 192.168.1.101.45514 > 198.57.170.33.21: Flags [P.], seq 12:27, ack 358, win 237, options [nop,nop,TS val 37261990 ecr 3295305290], length 15
E..C..@.@..W...e.9.!....5..gR[.I...........
.8...j^JPASS password
04:55:14.115825 IP 198.57.170.33.21 > 192.168.1.101.45514: Flags [P.], seq 358:391, ack 27, win 46, options [nop,nop,TS val 3295312272 ecr 37261990], length 33
E..U..@.3.=q.9.!...e....R[.I5..v...........
.jy..8..530 Login authentication failed
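Added example, not code from the page or from the tcpdump project: a parser for the TCP summary lines described in 'Reading the Output', with two checks built on it, the three-way handshake from that section and a scan of the '-A' FTP capture above for a clear-text USER/PASS exchange. The sample lines are copied from the page's own captures and trimmed; a detector in production would read the same text from a saved capture.

```python
# Added example, not code from the page: a parser for tcpdump's TCP summary
# lines plus two checks on top of it, handshake completion and a scan of -A
# output for clear-text FTP credentials.  Sample lines come from the page.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One TCP summary line, with or without the timestamp that -t suppresses.
HEADER = re.compile(
    r"^(?:(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) )?IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r".*?length (?P<length>\d+)$"
)
CRED = re.compile(r"(USER|PASS) (\S+)")  # FTP commands are upper case on the wire

@dataclass
class Packet:
    ts: Optional[str]
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: Optional[int]
    seq_end: Optional[int]
    ack: Optional[int]
    win: Optional[int]
    length: int

def parse_header(line: str) -> Optional[Packet]:
    """Packet for a TCP summary line; None for -A payload, DNS/ICMP lines, banner."""
    m = HEADER.match(line.rstrip())
    if not m:
        return None
    g = m.groupdict()
    def num(key: str) -> Optional[int]:
        return int(g[key]) if g[key] is not None else None
    return Packet(g["ts"], g["src"], int(g["sport"]), g["dst"], int(g["dport"]),
                  g["flags"], num("seq"), num("seq_end"), num("ack"), num("win"),
                  int(g["length"]))

def payload_consistent(p: Packet) -> bool:
    """For a data segment 'length' is the TCP payload size, so it equals seq_end - seq."""
    return p.seq_end is None or p.seq_end - (p.seq or 0) == p.length

def handshake_complete(pk: List[Packet]) -> bool:
    """True once SYN, a SYN-ACK acking seq + 1, and the client's ACK are all seen."""
    syn = next((p for p in pk if p.flags == "S"), None)
    if syn is None:
        return False
    synack = next((p for p in pk if p.flags == "S." and p.src == syn.dst
                   and p.ack == (syn.seq or 0) + 1), None)
    if synack is None:
        return False
    # tcpdump prints relative numbers after the handshake, so the client's
    # ACK shows "ack 1" rather than synack.seq + 1.
    return any(p.src == syn.src and "S" not in p.flags and p.ack == 1 for p in pk)

def cleartext_ftp_auth(lines: List[str]) -> List[Tuple[str, str]]:
    """Report USER names and the fact that a PASS was sent on a port-21 flow.
    The password value itself is never returned, only that it was exposed."""
    findings: List[Tuple[str, str]] = []
    current: Optional[Packet] = None
    for line in lines:
        p = parse_header(line)
        if p is not None:
            current = p  # ASCII lines that follow belong to this packet
            continue
        if current is None or current.dport != 21:
            continue
        for cmd, arg in CRED.findall(line):
            findings.append((cmd, arg if cmd == "USER" else "<redacted>"))
    return findings

# Sample input: lines from the page's captures, trimmed (not a fresh capture).
HANDSHAKE = """
23:37:27.538449 IP 192.168.1.101.53592 > 172.217.4.100.443: Flags [S], seq 3355934968, win 29200, options [mss 1460,sackOK,TS val 18945927 ecr 0,nop,wscale 7], length 0
23:37:27.556056 IP 172.217.4.100.443 > 192.168.1.101.53592: Flags [S.], seq 4030977753, ack 3355934969, win 42540, options [mss 1430,sackOK,TS val 2246473456 ecr 18945927,nop,wscale 7], length 0
23:37:27.556138 IP 192.168.1.101.53592 > 172.217.4.100.443: Flags [.], ack 1, win 229, options [nop,nop,TS val 18945929 ecr 2246473456], length 0
23:37:27.662155 IP 192.168.1.101.53592 > 172.217.4.100.443: Flags [P.], seq 1:278, ack 1, win 229, options [nop,nop,TS val 18945940 ecr 2246473456], length 277
""".strip().splitlines()

FTP = """
04:55:07.082735 IP 192.168.1.101.45514 > 198.57.170.33.21: Flags [P.], seq 1:12, ack 321, win 237, options [nop,nop,TS val 37261713 ecr 3295303202], length 11
.8...jV"USER anon
04:55:07.133910 IP 198.57.170.33.21 > 192.168.1.101.45514: Flags [P.], seq 321:358, ack 12, win 46, options [nop,nop,TS val 3295305290 ecr 37261713], length 37
.j^J.8..331 User anon OK. Password required
04:55:09.854433 IP 192.168.1.101.45514 > 198.57.170.33.21: Flags [P.], seq 12:27, ack 358, win 237, options [nop,nop,TS val 37261990 ecr 3295305290], length 15
.8...j^JPASS password
""".strip().splitlines()
```

payload_consistent shows what the trailing length field counts: on the page's own 'seq 1:278 ... length 277' line, 278 - 1 = 277, so the number is the TCP payload in bytes, which is why pure ACKs print length 0. The handshake check relies on tcpdump switching to relative sequence numbers after the SYN-ACK; pass -S if you need the absolute numbers throughout. The FTP scan reports the login name and the fact that a password went over the wire in the clear but deliberately drops the password value, since a detection's job is to flag the exposure, not to store the secret.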

Show the packets to and from host 216.58.192.196.  The timestamps have been removed to reduce the clutter.

# tcpdump -i wlan0 -lnpt host 216.58.192.196
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 192.168.1.101.50207 > 216.58.192.196.443: Flags [S], seq 910478434, win 29200, options [mss 1460,sackOK,TS val 18694987 ecr 0,nop,wscale 7], length 0
IP 216.58.192.196.443 > 192.168.1.101.50207: Flags [S.], seq 2406340571, ack 910478435, win 42540, options [mss 1430,sackOK,TS val 35546692 ecr 18694987,nop,wscale 7], length 0
IP 192.168.1.101.50207 > 216.58.192.196.443: Flags [.], ack 1, win 229, options [nop,nop,TS val 18694989 ecr 35546692], length 0
IP 192.168.1.101.50207 > 216.58.192.196.443: Flags [P.], seq 1:278, ack 1, win 229, options [nop,nop,TS val 18695004 ecr 35546692], length 277
IP 216.58.192.196.443 > 192.168.1.101.50207: Flags [.], ack 278, win 341, options [nop,nop,TS val 35546861 ecr 18695004], length 0
IP 216.58.192.196.443 > 192.168.1.101.50207: Flags [.], seq 1:1419, ack 278, win 341, options [nop,nop,TS val 35546863 ecr 18695004], length 1418
IP 216.58.192.196.443 > 192.168.1.101.50207: Flags [.], seq 1419:2837, ack 278, win 341, options [nop,nop,TS val 35546863 ecr 18695004], length 1418
IP 216.58.192.196.443 > 192.168.1.101.50207: Flags [P.], seq 2837:3502, ack 278, win 341, options [nop,nop,TS val 35546863 ecr 18695004], length 665
IP 192.168.1.101.50207 > 216.58.192.196.443: Flags [.], ack 1419, win 251, options [nop,nop,TS val 18695006 ecr 35546863], length 0
IP 192.168.1.101.50207 > 216.58.192.196.443: Flags [.], ack 2837, win 274, options [nop,nop,TS val 18695006 ecr 35546863], length 0
IP 192.168.1.101.50207 > 216.58.192.196.443: Flags [.], ack 3502, win 296, options [nop,nop,TS val 18695006 ecr 35546863], length 0
IP 192.168.1.101.50207 > 216.58.192.196.443: Flags [P.], seq 278:404, ack 3502, win 296, options [nop,nop,TS val 18695008 ecr 35546863], length 126
IP 216.58.192.196.443 > 192.168.1.101.50207: Flags [P.], seq 3502:3748, ack 404, win 341, options [nop,nop,TS val 35546904 ecr 18695008], length 246
IP 192.168.1.101.50207 > 216.58.192.196.443: Flags [P.], seq 404:691, ack 3748, win 319, options [nop,nop,TS val 18695012 ecr 35546904], length 287
IP 216.58.192.196.443 > 192.168.1.101.50207: Flags [P.], seq 3748:5166, ack 691, win 350, options [nop,nop,TS val 35546976 ecr 18695012], length 1418
IP 216.58.192.196.443 > 192.168.1.101.50207: Flags [P.], seq 5166:6543, ack 691, win 350, options [nop,nop,TS val 35546976 ecr 18695012], length 1377
IP 216.58.192.196.443 > 192.168.1.101.50207: Flags [F.], seq 6543, ack 691, win 350, options [nop,nop,TS val 35546976 ecr 18695012], length 0
IP 192.168.1.101.50207 > 216.58.192.196.443: Flags [.], ack 6543, win 364, options [nop,nop,TS val 18695017 ecr 35546976], length 0
IP 192.168.1.101.50207 > 216.58.192.196.443: Flags [.], ack 6544, win 364, options [nop,nop,TS val 18695021 ecr 35546976], length 0
IP 192.168.1.101.50207 > 216.58.192.196.443: Flags [F.], seq 691, ack 6544, win 364, options [nop,nop,TS val 18695465 ecr 35546976], length 0
IP 216.58.192.196.443 > 192.168.1.101.50207: Flags [.], ack 692, win 350, options [nop,nop,TS val 35551466 ecr 18695465], length 0

Check packets from a source host.  You can use 'src net 1.2.3.0/24' as well, and of course you can add other filters to narrow it down to a port or something else.

# tcpdump -i wlan0 -lnpt src 192.168.1.101
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 192.168.1.101.22 > 192.168.1.2.52638: Flags [P.], seq 3964313467:3964313707, ack 2205964022, win 350, length 240
IP 192.168.1.101.22 > 192.168.1.2.52638: Flags [P.], seq 240:448, ack 1, win 350, length 208
IP 192.168.1.101.22 > 192.168.1.2.52638: Flags [P.], seq 448:624, ack 1, win 350, length 176
IP 192.168.1.101.22 > 192.168.1.2.52638: Flags [P.], seq 624:800, ack 1, win 350, length 176
IP 192.168.1.101.22 > 192.168.1.2.52638: Flags [P.], seq 800:976, ack 1, win 350, length 176
IP 192.168.1.101.22 > 192.168.1.2.52638: Flags [P.], seq 976:1152, ack 1, win 350, length 176
IP 192.168.1.101.22 > 192.168.1.2.52638: Flags [P.], seq 1152:1344, ack 1, win 350, length 192
IP 192.168.1.101.22 > 192.168.1.2.52638: Flags [P.], seq 1344:1536, ack 1, win 350, length 192