Ouch. It’s been a while since I wrote anything here. And this is not even going to be remotely connected to biology. In any case, I have recently been trying to set up access to my Synology NAS from outside of home without using their QuickConnect feature. As it seemed a little bit confusing at first, I thought why not share the steps required in a blog post – for others to (hopefully) save them some time and for my future self to save me some frustration.
I’m describing here the steps required to set up access to a device manufactured by Synology but it would apply all the same to other brands (provided that they support e.g. manual configuration of a reverse proxy server, so no guarantees here).
What you will need
Assuming that you are already running a Synology NAS, you will need a couple of additional elements:
- A domain that you own and a new DNS record within that domain
- A certificate for a subdomain that you intend to point to your NAS
- A reverse proxy running on your Synology NAS
Overview
We’ll start with pointing the address of your choice (within the domain you own) to your public IP address. Next, we’ll need to set up port forwarding on your router to forward HTTPS requests coming from the Internet to the reverse proxy server running on your NAS. The reverse proxy will then forward the requests coming from a specific address (the one that you created the DNS entry for, see below) to the Synology DSM Desktop service that will display the DSM user interface. Additionally, we will secure the connection using a certificate obtained from Let’s Encrypt so that the entire communication is encrypted.
You can see a simple diagram of the whole set up below:
Let's do it
As you can see on the diagram, for the sake of this tutorial we are making a couple of assumptions:
- you own a domain example.com
- you want to be able to reach your NAS through https://nas.example.com
- your (static) public IP address is 123.456.7.8
- the address of your Synology NAS on your local network is 192.168.1.10
1. Domain setup
First, you will need a domain (here: example.com). If you don’t own one, you can get one from providers like Google Domains or GoDaddy. Within that domain, in the DNS table you need to create a new DNS A record that will point the address of your choice to your public IP (this tutorial assumes that you are in the lucky position of having a static IP – if not you will need to make use of DDNS service which is out-of-scope here). Since the exact setup depends on your domain provider, it is difficult to show here a specific example – this is just the summary of the record you need:
Record type: A
Domain name: nas.example.com
IP address: 123.456.7.8
This basically means that you want to translate the nas.example.com URL to your server address which is 123.456.7.8.
2. Port forwarding
Next, you need to set up port forwarding on your router to forward all HTTPS requests coming to port 443 to port 443 of your Synology NAS. Since this step is dependent on the router you own, we cannot show here how to do it exactly – try googling for “port forwarding “ and surely you’ll find some info on how to do that.
Additionally, you will need to forward also port 80 – this is required to get a certificate in one of the next steps. After that, you can disable this forwarding rule.
Forwarding rules (according to our example):
port 443 → 192.168.1.10, port 443
port 80 → 192.168.1.10, port 80 (only for getting/renewing a certificate)
3. Reverse proxy
In our setup so far, we would forward all HTTPS requests coming to your public IP to your NAS server. Now, we will need to set up a reverse proxy that will look at those requests and forward the ones received at https://nas.example.com further to the DSM Desktop service that will display the Synology graphical user interface.
Synology’s DSM OS comes with a tool allowing us to easily set that up. To do this:
- head to Control Panel → Application Portal and select Reverse Proxy
- click on Create and fill out all the required fields as shown in the example below (remember to replace both hostnames with your real values)
- confirm with OK
Now, you should see a new entry in the list of the reverse proxies that points the requests received at nas.example.com to port 5001 of your Synology NAS.
Certificate setup
The last piece of the puzzle is the certificate. Before we get to that though, let’s head to Control Panel → Network and select the DSM Settings tab. There, tick the first checkbox to enable automatic redirecting of requests from port 5000 to 5001 (see below).
To set up the certificate:
- go to Control Panel -> Security and select Certificate
- click Add and select Add a new certificate
- click Next and select Get a certificate from Let’s Encrypt, click Next
- fill out the domain name (nas.example.com) and your email address, click Apply
- DSM certificate service will now try to contact Let’s Encrypt to issue a new certificate for your domain – should anything go wrong, check out Synology’s guide on that (section 4, scenario 2)
- provided that everything went well, you should now see a new certificate on the list of available certificates (under the synology.com one)
- click Configure button
- in the window that pops up you should now see your new service in the column on the left (see picture below) – from the. list of available certificates select the one you just obtained and click OK
That’s it! Now, if you type in your browser https://nas.example.com you should get connected to your Synology NAS.
Hey! I’m a protein biochemist by training with a more recent software development experience. Here, I’ll be trying to combine a bit of both – let’s see though where we’ll end up with that 🙂