VPN for Time Machine - how?

I want to set up Time Machine backups to my Synology DS213J, which will be off site. I understand I need a VPN to make the computer think I am on the same LAN network?

How do I set up a VPN? I do not understand if it is on my computer, the NAS-network or the NAS itself? A linked guide would work.

Correct, you can use OpenVPN after installing VPN Server app to your Synology. Here’s a guide directly from Synology. That way, your Mac will see the network drive over SMB or AFP as usual. The VPN server will be on your Synology and on your Mac you install a VPN client - for example Tunnelblick, which is FOSS.

How to secure your Synology DSM

https://www.youtube.com/watch?time_continue=4&v=uOH5XwAaZ9w

How to setup secure VPN to your Synology

https://www.youtube.com/watch?v=1aYEViCiaDQ

(This video is long but I promise that if you watch it carefully and follow it exactly you will have a working OpenVPN setup).

OpenVPN on DSM - Tutorial by MMD

https://www.youtube.com/watch?v=ZcLhSfOU-r0

Run Time Machine in a container like the Virtual Machine vDSM.

Docker DDSM was deprecated.

That way, your Mac will see the network drive over SMB or AFP as usual.

As an aside… use SMB over AFP for Time Machine backups.

for example Tunnelblick, which is FOSS.

Tunnelblick is a bug-ridden heap of crap, at least on a Mac. What does it being FOSS have to do with anything?

Use Viscosity instead.

That way, your Mac will see the network drive over SMB or AFP as usual.

The Mac will not see the drive as usual because mDNS does not cross broadcast domain boundaries. You would need to configure a reflector, or use DNS names with an additional split-DNS configuration that is not described in the Synology article, or resort to using IP addresses, which is bad.

Thank you for the answer. I think most of it is set up, but the port on the router seems closed. Do I need to get the login credentials to open the port, or is there any other solution?

I will check Cloud Station Drive.

What do I need to do to set up L2TP?

+1 for built-in L2TP, on both the Synology and macOS. Easy to set up, simple to connect on the Mac by keeping VPN in the status bar at the top of the screen.

Definitely don’t Time Machine over VPN. I’d use Arq backup to push to cloud or to your Synology.

I get “Authentication failed.” Doesn’t matter if I am connected to the same network, or an outside network (mobile hot spot).

What should the Server Address be in the Network VPN settings on my Mac? Right now it is the external IP I find in my router when I check my NAS. The username is my admin login on my NAS, and the password + Machine Authentication is the pre-shared key.

So, there are a couple of things that you’ll want to think about:

DDNS: How do you reach a server when your network has a dynamically changing IP? If so, you’ll need DDNS. So if you can configure your NAS to have a static address on the internet, point it to that. Example: you.synology.me. Maybe for testing’s sake, point it to the local IP address while on your local net. Do not use its NetBIOS name (i.e. “synology.local”).

Port Forwarding: make sure that whatever ports you need open (and double check you have these right) are being forwarded to your Synology NAS.

VPN Settings: You’ll want to double-check and troubleshoot your VPN settings for any misconfigurations. Make sure your Synology username and password are strong for over-the-internet authentication. Make sure your shared secret is plugged in exactly, etc.

I finally got everything to work. I’ve opened ports 5000 and 5001 for HTTP/HTTPS, and the three ports for Synology Cloud Station Backup. I set my username, my password and Shared Secret in my VPN settings. I did not understand it was supposed to be my account password, not the Shared Secret, in both fields. I need to put the VPN above the WiFi in my network priority list for it to work.

Now: Would you mind giving me an explanation of how this works? Why do I need the VPN, why can’t the backup program go through my synology.me:5001 address, why does quickconnect.to work at home but not outside of my internet? Confused.

The entire reason why we use a VPN as opposed to opening up a port directly to the Synology’s login is because that’s not a secure way to connect to your NAS. You can connect to your NAS, and so can everyone else. Also, keeping the default port 5000/5001 is a huge issue because people scan for open ports looking for vulnerabilities and if they find those ports open, they’ll know you have a Synology NAS and could attempt to exploit it.

The same thing just happened with QNAPs (Synology’s competitor) exposed to the internet; there are a ton of instances of them being infected with malware. AT LEAST change your default port. Also: CLOSE THE HTTP PORT. You don’t need it for WAN traffic. If you ever use the HTTP port, I could easily take a packet sniffer, listen to your traffic, discern your username, password and NAS address and use it to hack in. Novice mistake on anyone’s part. Also, make sure you have a valid SSL cert for HTTPS traffic. I would also recommend turning on 2FA (2-factor authentication).

But anyone who knows security knows that accessing your NAS over VPN is best. And any ports you must keep open need to be changed from default. Opening your NAS up to a VPN service is different. These are hardened, tested services. Ideally, you would have a different VPN server than the NAS, like I do. I use a Sonicwall router for my home, but I’m looking at pfSense open source rn.

Right now, if anyone finds a vulnerability in Synology’s NAS, you’re target number one.
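A small sanity-check script, added here as an example and not part of any post in this thread or of Synology’s own tooling: it checks the three things the replies above keep circling back to (a `.local` name will not resolve across the tunnel, the NAS should be reached on its LAN address so traffic actually goes through the VPN, and DSM’s 5000/5001 ports should not be in the list of ports you forward). The host and ports passed on the command line are placeholders; SMB/AFP on TCP 445/548 is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Run: sh vpn_check.sh --probe <nas-lan-ip>
# Assumes the VPN hands the Mac an address in the NAS's LAN and the NAS
# serves SMB (tcp/445) and/or AFP (tcp/548).

# Bonjour/mDNS names (*.local) are resolved by multicast, which stays inside
# one broadcast domain and so never crosses an L2TP/OpenVPN tunnel.
# Returns 0 when the name is an mDNS name that will NOT work over the VPN.
is_mdns_name() {
    case "$1" in
        *.local|*.local.) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when the IPv4 address is RFC 1918 private, i.e. the NAS's LAN
# address that only the tunnel can reach. A public address means the Mac
# would be talking to an internet-exposed port instead of the VPN.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Given a space-separated list of forwarded ports, echo the ones that belong
# to the DSM web UI (5000 HTTP, 5001 HTTPS) and should not face the internet.
exposed_admin_ports() {
    out=""
    for p in $1; do
        case "$p" in 5000|5001) out="$out $p" ;; esac
    done
    echo "${out# }"
}

# Live probe of the NAS over the tunnel; only runs when --probe is given.
if [ "${1:-}" = "--probe" ]; then
    nas="$2"
    is_mdns_name "$nas" && echo "WARN: $nas is an mDNS name; use a DNS name or LAN IP"
    is_private_ipv4 "$nas" || echo "WARN: $nas is not a LAN address; is the VPN up?"
    for port in 445 548; do   # SMB, AFP
        if nc -z -w 3 "$nas" "$port" 2>/dev/null; then
            echo "ok   tcp/$port reachable on $nas"
        else
            echo "FAIL tcp/$port not reachable on $nas (check VPN route / NAS service)"
        fi
    done
fi
```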

OK, closed the HTTP (5000). Should I still let the HTTPS be open, and should I change it from 5001 then?

I managed to connect with L2TP. What I do not understand is: is all of my traffic tunneled home to my NAS now? This is really confusing and a new area for me. Thank you for taking time with me.

No worries, we were all there at one point. If I remember correctly, you have a Mac? You can use something called a “split tunnel” to send only local traffic over the VPN, or you could send all traffic over the VPN, which can be configured in the Mac’s advanced settings under the VPN tab in Network settings.

Everything is at least up and running. Thank you :slight_smile: