FYI Synology QuickConnect


G+_kurterst

FYI... Synology QuickConnect

I wanted to figure out how QuickConnect actually works. I did some experimenting and finally figured it out. I did a brief writeup on my site so I could look it up again.

 

There are two ways to connect to your NAS using QuickConnect. The first method just uses the Synology relay server. Your connection is encrypted, but all traffic flows through Synology. I assume they could monitor your traffic if they so desired or were ordered to do so by a court. They are a foreign company.

 

The second method requires UPnP, and this is not secure. But if you enable this, your traffic goes directly between your client and your NAS after talking to the relay server. And yes, you can use Let's Encrypt to secure the connection, or use the default Synology certificate. It will still be encrypted, but your browser will complain since self-signed certs are not trusted. Unless of course you create your own CA and trust that, which is way beyond this post. So the flow is as follows:

 

1. Your phone goes to https://quickconnect.to/
2. Phone contacts the Synology relay server
3. Relay server tells your phone that your DDNS address is .synology.me and does some other network magic so your home NAS opens the port via UPnP
4. Your phone then uses .synology.me to contact your NAS
5. All traffic is then between your NAS and your phone

 

I still want to see if I can just manually create the port forwarding rules and use QuickConnect w/o UPnP.

 

Here is my writeup on this subject.

https://www.pahoehoe.net/synology-nas-and-quickconnect/

I had found this Synology how-to on YouTube. There's a series of these. The problem with any system that users don't completely control is, as you imply, that the user's privacy and security is only as strong as Synology allows. And it could have backdoors, or worse.

 

One option: encrypt any files before storing them on the Synology or sending them over the Internet.

This is perfect timing, I just found I have an issue because I'm using the first method (I see a different cert when connecting to the QuickConnect site). I don't want to enable UPnP to have my router open ports automagically, but I think it is better than having a MitM who can read all my traffic, including passwords.

 

Opening static ports may be the preferred solution, at least I control that.

 

On the other hand, this would open the ports on my router all the time - whereas the UPnP setup will only open the ports when I actually try to connect from outside. I could set up firewall rules on my router (EdgeRouter X) to only allow UPnP from the NAS (and drop it from all other IP addresses) to lock it down.

 

Hmmmm, what to do? I'll think about it some more - curious about feedback though, so if you have thoughts please let me know!

George Fromtulsa

My concern is mostly for the NAS - preventing unauthorised access or in this case: third parties being able to see my traffic

 

Not sure colocation will add / change security of the NAS compared to my current setup (please add if I've missed something):

 

I have a static IP and a fibre internet connection (150 Mbit up & down), so speed and accessibility are no issue for me.

The NAS is in a completely separate network segment - it cannot connect to any of the other segments (LAN, IoT, Guest, Video, management) - and I have firewall rules locking down clients (only a handful can connect to the NAS). So, internal access to and from the NAS is fine too.

 

I'm just not happy with the fact that my network traffic can be read in transit (not sure whether Synology logs or tracks anything, but technically nothing is keeping them from doing it). I would be much more comfortable if I could set up an encrypted tunnel using my own cert.

 

I like the external access options of the NAS, which gives me a private cloud - but would like to minimise my exposure on the internet.


Marco van Laerhoven Encrypt your NAS. Use 7-Zip, VeraCrypt, an Apple encrypted DMG, or local encryption of your choice to send content to the Synology. I think that's the best way to keep the variety of nodes on the internet from playing man in the middle. Even that method is susceptible to interception and can be broken open with enough computing resources. Heard recently on a podcast how DigitalOcean, as an "academic / marketing" exercise, set 2000 "Droplet" instances to work breaking the WWII German Navy's Enigma code.

I've decided to open three ports in my router and use the NAS firewall to accept only specific apps and from restricted sources. All other packets are dropped. Now the connections are encrypted using my own cert, and as an added bonus, quick as well.

Decided not to use a VPN for now as we are a small group of people collaborating using the NAS; too complicated for most to set up a VPN.

It's a nice idea though, I could try to set it up to see how much work it would be ...

In the Synology "location settings", I was frustrated by the 15-country limit on the pull-down.

 

Got diverted into looking up lists of countries most in need of blocking.

 

Then decided to return to Synology and (duh) create a rule to block 15 countries, and try creating a second rule to block 15 more. Worked fine. Took too long, should have been easier, but I added enough rules to block every country except my own. Not xenophobia, but there is no reason anyone in any other country needs into my Synology.

 

Now if only the lists of countries with most and best hackers hadn't included my own, the red white blue and black hat USA.
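The two NAS firewall policies described in this thread (three opened ports accepting only specific apps from restricted sources with everything else dropped, plus deny rules built in batches of 15 countries so that only the home country is allowed) can be modelled as one default-deny evaluator. This is an added example, not Synology's firewall code or anything from the posters: the ports, source networks and the tiny geolocation table are constructed sample values (documentation IP ranges), and unknown geolocation is treated as foreign.

```python
from ipaddress import ip_address, ip_network

HOME_COUNTRY = "US"
MAX_COUNTRIES_PER_RULE = 15   # the pull-down limit mentioned in the thread

# Constructed sample policy: three opened ports, each limited to source networks.
# 5001 = DSM over HTTPS, 6690 = Synology Drive, 443 = reverse proxy (assumed choice)
ALLOWED_SOURCES = {
    5001: ["203.0.113.0/24", "198.51.100.7/32"],
    6690: ["203.0.113.0/24"],
    443:  ["203.0.113.0/24"],
}

# Constructed geolocation table (documentation ranges, not real geo data)
GEO_TABLE = {
    ip_network("203.0.113.0/24"): "US",
    ip_network("198.51.100.0/24"): "US",
    ip_network("192.0.2.0/24"): "RU",
}


def country_of(src_ip):
    """Return the country code for an address, or None if it is unknown."""
    addr = ip_address(src_ip)
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return None


def deny_rules(countries, home=HOME_COUNTRY, size=MAX_COUNTRIES_PER_RULE):
    """Split every non-home country into deny rules of at most `size` entries,
    mirroring the workaround of creating several 15-country rules."""
    blocked = sorted(c for c in set(countries) if c != home)
    return [blocked[i:i + size] for i in range(0, len(blocked), size)]


def allow_connection(src_ip, dst_port, policy=ALLOWED_SOURCES, home=HOME_COUNTRY):
    """Default-deny evaluation: geo check, then port, then source network."""
    if country_of(src_ip) != home:      # foreign or unknown location: drop (assumption)
        return False
    nets = policy.get(dst_port)
    if nets is None:                    # port was never opened on the router
        return False
    addr = ip_address(src_ip)
    return any(addr in ip_network(n) for n in nets)
```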
