On the topic of security: You should make a video on setting up a VLAN on a Unifi Controller for Surveillance Station to isolate the security cameras from the rest of the network and block the cameras from accessing the internet, yet still allowing remote access to Surveillance Station. You could also cover the importance of isolating IoT devices to mitigate risk of someone accessing your NAS and other devices through weak security that some IoT devices possess.
@@djderekrock I already have mine set up like this. He asked for suggestions on future videos and I thought it might be something that other people would benefit from as well.
The nice thing about Firefox is that you can explicitly tell it to trust a site, and it will no longer bother you with a message. Not so with Chrome and Edge.
Will, I teach older folks about how to stay safe online, and I own a DS 923+ that I want to find a different method of accessing than just typing in the IP address. So this video knocks out 2 problems with 1 stone. Thanks!
Thanks for all of your explanations. You do it in a professional way and keep it short and simple at the same time. It's amazing. I got myself a DS220+ and find in your Synology-videos a lot of helpful answers - and also helpful questions, that I should ask myself and haven't thought about yet. 😉
I just got a new NAS (had a 215j before), and I'm currently binge-watching your videos! It's amazing what you can pull off with a decent NAS :D Thanks a bunch for sharing your work for free! There's just one thing I couldn't find: how to Paperless NGX and how to set it up in the container manager. I'd love to see a video from you on that!
It maybe just me but I have got a LetsEncrypt certificate yet still get the '...Not Private' message when connecting my Mac via a browser - what am I doing wrong?
Thank you Will. Perhaps you could talk a bit about the problems this can cause, having synology drive all of a sudden stop syncing, which is very annoying.. /from Sweden.
That's one thing which is a bit messy. Or I didn't config things the best way. Setting up a let's encrypt certificate is super easy, and we can use a wild card too. Add that with the reverse proxies, and the synology "dyndns", accessing the nas from "outside" in https without specifying any ports, is cool. But then, accessing it locally, from the n'as ip, it's a bit of a mess (for me) for some reason. 1) we can't use physical keys like a yubikey for the 2fa (it's linked to the synology dyndns address). It's normal but I would like to be able to use my key locally too. I guess it's more complicated than that. 2. Using the synology secure sign in app on the phone doesn't work well If I'm connected on my network with wifi. I have to disable the wifi and be on the cellular network to be able to use the passwordless signing. 3. I can access locally the nas by the dyndns address I have when I use a vpn (I almost always do) because the connection to the nas comes from outside. But then I can use all the security features (2fa) very easily. The yubikey, etc. Is there a way to mix the both worlds? And have all these features available locally. Maybe by setting up a local domain name + a ssl certificate? So at least the yubikey can be used
A possible 4th option (DNS forward to a DDNS)? Synology’s TH-cam video “How to Configure HTTPS on Synology NAS Using Let's Encrypt” mentions setting up DDNS in DSM as an alternative to opening port 80. I don’t know much about DNS, but couldn’t a CNAME for the domain I own point to that DDNS? All feedback is welcome.
We need a LetsEncrypt tutorial for those of us who have an ISP that blocks port 80. 2 versions...one where we have access to the registrar's API and one where we do not (I think this involves a TXT DNS record, but idk). Since I do not have 20 domains with Namecheap and since I have not spent $50 in the previous 2 years, I would need to add $50 to my account before I could have access to their API (unless I can use their API sandbox to obtain a LE certificate).
i cannot setup a hardware key without port forwarding which I am not inclined to do. Seems like I am adding a vulnerable variable to become more secure. Will Lets Encrypt allow me to create a hardware key because now there is a trusted authority? Thank you
Hey I have a question @SpaceRex. I followed your OpenVPN tutorial. I cannot get the hostname of the NAS to be resolved thru DNS since there's no internal DNS configured inside the openvpn config file. How do I get DNS to work thru the OpenVPN? So I can get the shares via \\NAS\Share instead of \\IP\Share?
I tried to set up a certificate using Tailscale (which uses LetsEncrypt) , but so far not working. I think it’s a version issue as the Synology version is old. I’m using that for a remote back up and I’ve disabled the Quick Connect remote access.
Is there a way of having a custom domain that resolves to the local nas with firewall configured to only allow Let's Encrypt traffic through? I.e without any other external access. This would be with a Synology router so dns server is a possibility.
My Synology is for home use only and is set for HTTP. However, very occasionally, I connect remotely on hotel wifi using Tailscale which I believe encrypts the traffic. Am I likely to be in any danger ? I assume a travel router would add another layer of protection. This was extremely helpful; for some reason my brain could never get around what made cert's secure. Thank you.
if you connected your NAS to Tailscale (only, no other means to connect it to internet) and you are remotely accessing it from another computer connected to THE SAME Tailscale, you are completely safe (no, not you - your NAS ;-)
Quick connect without port forwarding is more secure than domain name with port forwarding If you have quick connect with port forwarding its the same as domain name with port forwarding
Can somebody explain and help me with my problem please. I can reach my NAS by: - Local Ip - QuickConnect. But, i cant connect with DDNS. It`s says like it cannot be reached. What can be the problem? In DDNS page it says that status Normal. If somebody can help me with that i would be very grateful.
Nice video. Here is one more video where we explain Man in the Middle attack and generating self signed certificates . SSL/TLS Certificates: Essential Protection Against MITM Attacks 🛡️ | HTTPS Series 3/4 th-cam.com/video/tMGGmiPyEyQ/w-d-xo.html
![[UNCUT] "เสรีพิศุทธ์" แฉยับ! งัดหลักฐานใหม่ชั้น 14 ได้นอนคุกสมใจแน่!! I คนดังนั่งเคลียร์ I 2 ก.ย.67](http://i.ytimg.com/vi/O1SSg4p9Izs/mqdefault.jpg)
On the topic of security: You should make a video on setting up a VLAN on a Unifi Controller for Surveillance Station to isolate the security cameras from the rest of the network and block the cameras from accessing the internet, yet still allowing remote access to Surveillance Station. You could also cover the importance of isolating IoT devices to mitigate risk of someone accessing your NAS and other devices through weak security that some IoT devices possess.
This video from Rex would be very much appreciated. I hope he got the Will to do it.
Yes
@@djderekrock I already have mine set up like this. He asked for suggestions on future videos and I thought it might be something that other people would benefit from as well.
Yes this would be interesting.
@@user-ek7nq4by7zI agree, great tip 💡
The nice thing about Firefox is that you can explicitly tell it to trust a site, and it will no longer bother you with a message. Not so with Chrome and Edge.
you call it "nice" ?
Will, I teach older folks about how to stay safe online, and I own a DS 923+ that I want to find a different method of accessing than just typing in the IP address. So this video knocks out 2 problems with 1 stone. Thanks!
Port 80 is not necesary to use Let's Encrypt. I only use 443 for it to update to Synology and Let's Encrypt. Works great.
Thanks for all of your explanations. You do it in a professional way and keep it short and simple at the same time. It's amazing.
I got myself a DS220+ and find in your Synology-videos a lot of helpful answers - and also helpful questions, that I should ask myself and haven't thought about yet. 😉
I just got a new NAS (had a 215j before), and I'm currently binge-watching your videos! It's amazing what you can pull off with a decent NAS :D Thanks a bunch for sharing your work for free!
There's just one thing I couldn't find: how to Paperless NGX and how to set it up in the container manager. I'd love to see a video from you on that!
bro is on fire posting new content
haha dont get too use to it! We only do 2x a week every once in a while!
Please do one on Headscale and Talescale together.
It maybe just me but I have got a LetsEncrypt certificate yet still get the '...Not Private' message when connecting my Mac via a browser - what am I doing wrong?
Thank you Will. Perhaps you could talk a bit about the problems this can cause, having synology drive all of a sudden stop syncing, which is very annoying.. /from Sweden.
how about using ACME? i read somewhere that it uses Let's Encrypt as well but without exposing the device to the public.
That's one thing which is a bit messy. Or I didn't config things the best way.
Setting up a let's encrypt certificate is super easy, and we can use a wild card too.
Add that with the reverse proxies, and the synology "dyndns", accessing the nas from "outside" in https without specifying any ports, is cool.
But then, accessing it locally, from the n'as ip, it's a bit of a mess (for me) for some reason.
1) we can't use physical keys like a yubikey for the 2fa (it's linked to the synology dyndns address).
It's normal but I would like to be able to use my key locally too. I guess it's more complicated than that.
2. Using the synology secure sign in app on the phone doesn't work well If I'm connected on my network with wifi. I have to disable the wifi and be on the cellular network to be able to use the passwordless signing.
3. I can access locally the nas by the dyndns address I have when I use a vpn (I almost always do) because the connection to the nas comes from outside. But then I can use all the security features (2fa) very easily. The yubikey, etc.
Is there a way to mix the both worlds? And have all these features available locally. Maybe by setting up a local domain name + a ssl certificate? So at least the yubikey can be used
A possible 4th option (DNS forward to a DDNS)? Synology’s TH-cam video “How to Configure HTTPS on Synology NAS Using Let's Encrypt” mentions setting up DDNS in DSM as an alternative to opening port 80. I don’t know much about DNS, but couldn’t a CNAME for the domain I own point to that DDNS? All feedback is welcome.
All feedback is welcome.
We need a LetsEncrypt tutorial for those of us who have an ISP that blocks port 80. 2 versions...one where we have access to the registrar's API and one where we do not (I think this involves a TXT DNS record, but idk). Since I do not have 20 domains with Namecheap and since I have not spent $50 in the previous 2 years, I would need to add $50 to my account before I could have access to their API (unless I can use their API sandbox to obtain a LE certificate).
wow great explanations, and I understood! Thank you!
This video is so good. Thank you!
i cannot setup a hardware key without port forwarding which I am not inclined to do. Seems like I am adding a vulnerable variable to become more secure. Will Lets Encrypt allow me to create a hardware key because now there is a trusted authority? Thank you
Hey I have a question @SpaceRex. I followed your OpenVPN tutorial. I cannot get the hostname of the NAS to be resolved thru DNS since there's no internal DNS configured inside the openvpn config file. How do I get DNS to work thru the OpenVPN? So I can get the shares via \\NAS\Share instead of \\IP\Share?
hostnames dont work well over layer3.
You can sometimes use a .local DNS server, but its hit or miss
I tried to set up a certificate using Tailscale (which uses LetsEncrypt) , but so far not working. I think it’s a version issue as the Synology version is old. I’m using that for a remote back up and I’ve disabled the Quick Connect remote access.
Best content on the web.
Is it possible to set this up with Tailscale? i.e not see the warning message if you are on the same tailscale vpn?
So they have documentation that says you can do this, but i have never done it
Is there a way of having a custom domain that resolves to the local nas with firewall configured to only allow Let's Encrypt traffic through? I.e without any other external access.
This would be with a Synology router so dns server is a possibility.
My Synology is for home use only and is set for HTTP. However, very occasionally, I connect remotely on hotel wifi using Tailscale which I believe encrypts the traffic. Am I likely to be in any danger ? I assume a travel router would add another layer of protection. This was extremely helpful; for some reason my brain could never get around what made cert's secure. Thank you.
if you connected your NAS to Tailscale (only, no other means to connect it to internet) and you are remotely accessing it from another computer connected to THE SAME Tailscale, you are completely safe (no, not you - your NAS ;-)
@@zyghomThank you.... my NAS thanks you...
If I use a quickconnect instead of a domain name. Will my NAs be more or less or equally secured ?
Quick connect without port forwarding is more secure than domain name with port forwarding
If you have quick connect with port forwarding its the same as domain name with port forwarding
@@SpaceRexWill thanks a lot
Any chance you can make a video on cloudflare tunnels?
Can somebody explain and help me with my problem please. I can reach my NAS by:
- Local Ip
- QuickConnect.
But, i cant connect with DDNS. It`s says like it cannot be reached. What can be the problem? In DDNS page it says that status Normal. If somebody can help me with that i would be very grateful.
This will explain it: th-cam.com/video/bh61ngQzE_o/w-d-xo.htmlsi=syOpoErafgnOz1Wn
@@SpaceRexWill Thank you for your feedback back, I'll try it!😊
Why can't you purchase a SSL certificate and install it on your NAS?
You can!
@@SpaceRexWill If you can purchase the certificate, why not do so as a solution to the problem, which is not mentioned in the video?
Please do one on Tailscale.
traefik ftw
Nice video. Here is one more video where we explain Man in the Middle attack and generating self signed certificates .
SSL/TLS Certificates: Essential Protection Against MITM Attacks 🛡️ | HTTPS Series 3/4
th-cam.com/video/tMGGmiPyEyQ/w-d-xo.html