Connecting to NAS while using VPN

Hi all.

I’m not all that proficient when it comes to VPNs, ports, firewalls etc., and I’m possibly getting in way over my head here.

I recently tried a VPN on my PC having heard about their many advantages, but I’ve noticed that when it’s running I’m unable to connect to my DS923+ even though I’m plugged directly into the PC as well as the router.

I would obviously like to make the NAS as safe as possible from outside threats on the internet too, so I’m wondering if I set up the NordVPN server on the NAS will that allow me to connect to it while using the VPN? I imagine this would have consequences for accessing remotely with a mobile however?

As I mentioned, I really don’t have too much of an idea about it all, despite my efforts to try and learn more. I’d just like my data to be somewhat safe, but I’m possibly in too deep here as I’m very confused.

Many thanks for any advice.

Usually there’s a setting in the VPN apps you can enable that will allow access to local devices (be they a NAS, other computers, etc). Once you do that, you should be able to connect fine locally as you did before.

Connecting the NAS to the VPN won’t help with this, I don’t think, as I don’t believe you can go sideways, if that makes sense. The connection is between your device(s) and NordVPN, so being connected to NordVPN tunnels you to and from them; you can’t then access another device you’re signed into on NordVPN (or any other VPN provider), as this is practically no different to trying to talk to another random person in the world using NordVPN. I’m happy to be corrected on this, as maybe it’s technically possible on some providers, but I assume you can’t.

If you want secure remote access to your NAS, the best option (mentioned to death in this sub for good reason!) is to use the free Tailscale service. Basically, you sign up, and then download the Tailscale app on each device you want: your PC, laptops, phones, tablets, and your Synology. Each device gets a special Tailscale IP address that begins with 100.x.x.x. You connect using that, whether it’s in a browser to access the Synology web interface, file sharing over SMB, whatever, and it works whether you’re using it at home or if you need remote access. This way you don’t need to forward any ports or expose your NAS directly to the internet in any way, which is a security and safety minefield not worth dealing with without very good reason.

Download and use Tailscale, don’t use QuickConnect, and don’t open any ports on your router. Tailscale is available in the Package Center.
NordVPN is a service that routes your traffic through their servers; that doesn’t help you make your NAS more secure in any way.

If you have a public IP address, you can set up WireGuard.

Ideally you use OpenVPN. Set it up on the router or the NAS (router preferred) and then use their software on your computer. Send yourself the connection configuration and voilà, that’s it.

Thanks so much for your feedback mate, immensely appreciated.

I’ve downloaded Tailscale and have my PC and phone set up and connected. I’m just curious, does the NAS still need to be plugged in to the router as such to be able to work? I downloaded the Tailscale app on the NAS and then unplugged it from the internet, but the Login button doesn’t work now when trying to connect it.

If so, how do I go about having the NAS plugged in to the router without it being exposed to the internet as such?

Ah sorry, I should’ve been a bit clearer! ‘Exposed to the internet’ kinda means that the device is directly accessible in some way. So if you have anything connected to the internet, whether a laptop, NAS or TV box, usually by default the firewall on your router keeps them from being directly connected to by anyone outside. The device still needs to be connected full stop to do anything, of course, as otherwise you may as well be in a field with no power or anything else as without some sort of network connection there’s no way to connect at all.

To expand a bit on my ‘directly connected’ point, for instance, you have an external IP address for your internet connection (whatever that might be). If you go here, you can see what it is: https://wtfismyip.com

However, say your laptop or Synology is plugged in and online, you also get given a local IP address per device by your router, usually something beginning with 192.168.1.x, 10.0.1.x, something like that.

If I’m anyone outside and I want to connect to your laptop or NAS, first of all, those local addresses of course don’t do me any good, because unless I’m on your home network, those addresses don’t work. The only way to usually try and connect to anything inside your network is if you deliberately open a ‘port’. So, the default port for accessing Synology via a browser is usually 5001. If you wanted to enable external access in a basic bitch way (so to speak), you would go into the settings for your router and tell it to ‘open’ port 5001 by directing it to an internal IP (so, your Synology). That allows you to type your external IP address into a browser anywhere in the world, so for example 142.251.40.174:5001, and you can log into your Synology and administer it from wherever. Sounds great!

Except, also, any clown with a computer can try that too, whether they’re a random script kiddie or a Chinese or North Korean botnet scanning for vulnerabilities. Some hacker figures out you can bypass the root login somehow on fully patched Synology systems? It might take a few days, weeks, etc. for Synology to fix it in an update, but if you’re unlucky, someone waltzes in the front door of your NAS, encrypts all your files and demands a load of bitcoin to get your files back.

This is a very long-winded way of saying that with the VPN, the only route in is either being in your house or being within the encrypted tunnel Tailscale provides. For an example of what happens when you port forward directly, these Reddit posts give some indication, and these are from just the past week or so:

https://www.reddit.com/r/synology/comments/12dtyc9/recent_hack_attempt_detailed_info/
https://www.reddit.com/r/synology/comments/12dl0f2/lot_of_sign_in_requests_from_unknown_ip_adresses/
https://www.reddit.com/r/synology/comments/125q3k4/need_help_for_data_backup_must_reformat_due_to/

Hopefully this TL;DR gibberish is helpful!

Far out. I so appreciate you taking the time to detail that all out a bit for me man, bloody amazing. A great help to getting my head a little more around this!

I downloaded Tailscale and got that all up and running, and have set up the firewall on my NAS to deny everything but the local wifi IP and also my PC’s IP address, so that the direct connection still works. Everything seems to be working okay, I just have one more query: the only thing I find strange is that when I search for the NAS in Synology Assistant I can see two connections, one through the local wifi and one through the direct connection to the PC. When I enable my VPN on my PC, although I still have access to the NAS now, which I didn’t before (for reasons I can’t be sure of), I notice that I lose the ethernet connection and the local wifi IP is the one that holds strong, meaning I’m gaining no transfer speed advantage by still being plugged in directly (10MB/s vs 100MB/s).

Sorry to take advantage of your knowledge but thought I might pick your brain while you’re here!

Thanks a lot again man.
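The thread above makes two points that are easy to mix up: forwarding port 5001 on the router versus keeping every port closed and reaching the NAS only from the LAN or over Tailscale, and separately the deny-by-default firewall on the NAS itself that the OP set up. The model below is an added example written for this page, not code from any of the posters or from Synology or Tailscale. The addresses (192.168.1.0/24 for the LAN, a NAS at 192.168.1.50, a scanner at 203.0.113.7), the rule list and the port-forward table are all constructed assumptions; the 100.64.0.0/10 block is the CGNAT range Tailscale draws its 100.x.x.x addresses from.

```python
"""Reachability model: port forward vs. closed router, and a deny-by-default
NAS firewall. Added example for this thread; all addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample networks (assumptions for this example).
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")
# Tailscale assigns every node an address from the CGNAT block 100.64.0.0/10,
# which is where the 100.x.x.x addresses mentioned in the thread come from.
TAILSCALE_NET = ipaddress.ip_network("100.64.0.0/10")
DSM_HTTPS_PORT = 5001                                # default DSM HTTPS port
NAS_LAN_IP = ipaddress.ip_address("192.168.1.50")    # constructed NAS address


@dataclass(frozen=True)
class Rule:
    """One NAS firewall rule; the list is evaluated top to bottom, first match wins."""
    action: str                         # "allow" or "deny"
    source: ipaddress.IPv4Network       # source range the rule matches
    ports: frozenset = frozenset()      # empty = any destination port


@dataclass
class Router:
    """Home router: NAT plus an optional port-forward table."""
    forwards: dict = field(default_factory=dict)  # public port -> (internal ip, port)


def classify_source(ip: str) -> str:
    """Where a connection is coming from, as the NAS sees the source address."""
    addr = ipaddress.ip_address(ip)
    if addr in HOME_LAN:
        return "lan"
    if addr in TAILSCALE_NET:
        return "tailscale"
    return "public"


def nas_firewall_allows(rules, src_ip: str, dst_port: int) -> bool:
    """Evaluate the NAS firewall rules in order; no matching rule means deny."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if addr in rule.source and (not rule.ports or dst_port in rule.ports):
            return rule.action == "allow"
    return False


def can_reach_dsm(router: Router, rules, src_ip: str) -> bool:
    """Can src_ip open a session to DSM on the NAS?

    LAN hosts and Tailscale peers already have a path to the NAS, so only the
    NAS firewall decides. A public host only gets a packet to the NAS at all if
    the router forwards the port; the NAS firewall still runs after that.
    """
    if classify_source(src_ip) == "public":
        target = router.forwards.get(DSM_HTTPS_PORT)
        if target is None or target[0] != NAS_LAN_IP:
            return False   # router NAT drops it: nothing for a scanner to talk to
    return nas_firewall_allows(rules, src_ip, DSM_HTTPS_PORT)


# Factory-style "no rules" list versus the deny-by-default list from the thread.
ANY = ipaddress.ip_network("0.0.0.0/0")
ALLOW_ALL = [Rule("allow", ANY)]
LOCKED_DOWN = [Rule("allow", HOME_LAN), Rule("allow", TAILSCALE_NET), Rule("deny", ANY)]

FORWARDED = Router(forwards={DSM_HTTPS_PORT: (NAS_LAN_IP, DSM_HTTPS_PORT)})
CLOSED = Router()

# Constructed sample clients.
HOME_PC = "192.168.1.10"
PHONE_VIA_TAILSCALE = "100.101.102.103"
INTERNET_SCANNER = "203.0.113.7"       # documentation range, stands in for any stranger
CLIENTS = (HOME_PC, PHONE_VIA_TAILSCALE, INTERNET_SCANNER)


def summary() -> dict:
    """Reachability of DSM per client for the three setups discussed."""
    setups = {
        "forwarded_no_firewall": (FORWARDED, ALLOW_ALL),
        "closed_locked_down": (CLOSED, LOCKED_DOWN),
        "forwarded_locked_down": (FORWARDED, LOCKED_DOWN),
    }
    return {name: {c: can_reach_dsm(r, rules, c) for c in CLIENTS}
            for name, (r, rules) in setups.items()}


if __name__ == "__main__":
    for setup, table in summary().items():
        print(setup)
        for client, ok in table.items():
            print(f"  {client:16} {classify_source(client):9} -> "
                  f"{'reachable' if ok else 'blocked'}")
```

The third setup is the one to notice: with the port forwarded and only the NAS firewall standing in the way, the scanner is blocked, but every packet it sends now reaches the NAS and that one rule list is the single control left. With the router closed, the stranger never gets a packet to the NAS in the first place, while the phone on Tailscale and the PC on the LAN still get through. If you run this yourself, replace the constructed ranges with your own LAN subnet and NAS address.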