VPN on the router or on the NAS? When to use which?

I have the VPN package set up with OpenVPN on my Synology, and I opened UDP 1194 on my router to the NAS in order to:

  • access the NAS from outside
  • access the LAN machines from outside

but recent threads questioning Synology's security got me confused, and I don't know if it is a good idea to have the NAS acting as the VPN server or if the VPN should be one step back, set up at the router…

What's your advice?


The first post talks about Synology's QuickConnect, which isn't the same as having a VPN running from a Synology NAS. The second thread is, from reading through the comments, a Synology app on the OP's phone trying to contact the Synology, at least that's what it looks like.

I run a VPN from my Synology. I think at the end of the day it doesn't really matter if the VPN is hosted on a NAS or on the router itself. The security is the same, at least as far as I know, and if anyone does somehow get your password, you're hosed in either case since they have access to your LAN. That said, regardless of which you choose, use strong passwords and don't leave admin accounts activated. So if you do run the VPN on your Synology, don't allow an account with admin credentials to use the VPN (i.e. the default 'admin' user on the Synology).

https://old.reddit.com/r/synology/comments/l1ojpw/login_not_by_me_happened_had_2fa_on_as_well_and/gk1h7mr/

This came up yesterday, in short:

  • Don’t run VPN on NAS (best practice security)

  • Synology version is outdated

I am an IT engineer and part of my job is to configure firewalls for everything from SMB businesses to multinational corporations. I am not an expert, but I have avoided catastrophe many times for my clients.

Rule #1 Budget option
Whatever device you are going to use for VPN should be configured well. It is not good practice to use a non-security device to act as the VPN server while this device holds all your data. If it gets cracked, your data is accessible.

Rule #2 Normal option
You should use a firewall for VPN, as these devices have options like blocking suspicious activity and also notifying you. A cheap way is a Mikrotik. Some hassle to configure it, but in the end it is really worth it. Pay attention to firewall rules. Try to avoid Zyxel, Cisco and Fortigate firewalls. This is bread and butter for hackers.

Rule #3 Advanced option
If you are on the go and you need to access your photos or whatever, use a static IP on your 4G/5G and create a port forward rule which allows traffic only from your external static IP.
You can always open Synology ports to the whole world, but your firewall will do almost nothing if an attack happens.

Rule #4 Insane option
You can always use QuickConnect, but it's slow, and generally if they ever manage to crack their database, you are f@cked. So I suggest you close it.

Nowadays, hacker groups target authentication servers where there is a lot of information. And information is money.

Keep safe.

Router, always router.

The VPN should never be on the device. If the client is compromised, they have access to the device. In this case that means all your data.

If it's on the router and the router gets compromised, your device is still secure, and hopefully most/all of your traffic is encrypted. If you keep your devices up to date, they still need to hack something else to get data.

So it's a question of: do you want one, or more than one, thing that needs to be hacked to get access to your data?

I'm using OpenVPN on my router. I tinker much more with my servers, so my router is much more likely to always be accessible.

Can’t access the poll though: Internal Server Error

There’s a reason a router is referred to as an “Edge Device”

I am not qualified to give advice on this topic. Do I have to vote anyway just to see the results?

Router all day long. Never look back.

A router integrates the VPN with the rest of the security services (subnets, VLANs, firewall rules), so it’s easier to configure it in a safer way.

For instance, assigning a VPN connection an IP from a restricted zone and only allowing specific IPs/ports on LAN resources.

If I had a router that could handle VPN I’d put it there. It isn’t really a NAS responsibility to do that.

What do you guys think about using ZeroTier directly on the NAS?

I am a cyber security consultant.
I would not recommend co-hosting application and VPN networking components on the same infrastructure (or server, to make it simpler to understand). It is too risky and you might not even detect an intrusion if it happens.

All software contains bugs and vulnerabilities, whether open source or vendor provided.
Build a VPN that you could easily disconnect from the internet without stopping your whole NAS, which can continue to work on your LAN.

I would put it on the Router as it’s simpler to configure.

If security is your concern, then run NAS-only functions on the NAS and all other apps and services on other devices. This will ensure your scope of potential threat vectors is isolated and contained.

Would one trust the VPN on say a UDM Pro over a Synology unit?

The concern here is that the open source software Synology uses contains an opaque shim layer (including in authentication paths) that was not peer reviewed and/or audited, and there can be anything in there, from intentional backdoors to stupid exploitable bugs.

So while the choice of where to run the VPN should mostly be dictated by the available CPU performance, if running on the Synology I would run recent vanilla VPN software in a VM.

That thread is nothing to worry about. It's the OP's phone connecting via (Target) WiFi to upload stuff to Moments/DS File. It's not a security breach; Synology detected a new login from an unknown IP address and made a report. It was the user himself logging in (albeit automatically) with a legitimate app.
If you run a VPN in Docker on your Synology and use certificates to connect, you are good to go.

Purely network-wise, it's better to have it on a different machine and put network tasks on network devices (or devices only doing network things, i.e. a dedicated VPN server).

Thanks for this.

Will it be the same case for DSM 7?

Try to avoid Zyxel, Cisco and Fortigate firewalls. This is bread and butter for hackers.

I know that there have been incidents in the past with "forgotten" backdoors, at least in Zyxel and Fortigate firewalls, but they have been patched now. Any other evidence that a Mikrotik router is safer than those other manufacturers? In any case I'm in favor of "Defense in Depth"; I would not trust any of those alone. Firewall in one appliance, VLANs in a separate switch, and a VPN which only gives partial access to LAN resources (the IP assigned by the VPN being on a specific VLAN/subnet, with firewall rules allowing traffic only to specific IPs/ports). Also separate DMZ and private zones.
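As an added illustration (not posted by anyone in this thread, and not a vendor's or Synology's configuration), here is what the "restricted zone" that this comment and the earlier "router integrates the VPN with VLANs and firewall rules" comment describe looks like as an nftables ruleset on a Linux-based router. Everything about the layout is assumed: eth0 is the WAN side, eth1 the LAN (192.168.1.0/24, router at 192.168.1.1), tun0 the OpenVPN tunnel handing clients addresses from 10.8.0.0/24, the NAS sits at 192.168.1.10, and the only services a road-warrior client should reach are SMB (445) and DSM over HTTPS (5001). The source allow-list on the VPN port is the "static IP on your 4G/5G" idea from Rule #3; the placeholder address in it is made up. The commented-out rule in the forward chain is the weak setting that turns "connected to the VPN" into "on the LAN".

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed layout:
#   eth0 = WAN, eth1 = LAN 192.168.1.0/24 (router LAN address 192.168.1.1)
#   tun0 = OpenVPN tunnel, clients get 10.8.0.0/24 (a subnet used nowhere else)
#   NAS  = 192.168.1.10, reachable over SMB (445) and DSM over HTTPS (5001)
flush ruleset

table inet filter {
    # Optional allow-list of who may even reach the VPN listener (Rule #3).
    # If your clients have dynamic addresses, drop the "@vpn_peers" match below.
    set vpn_peers {
        type ipv4_addr
        elements = { 203.0.113.45 }   # placeholder: your phone's static address
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # The VPN listener is the only thing exposed on the WAN side.
        iifname "eth0" udp dport 1194 ip saddr @vpn_peers accept
        # The LAN may manage the router; VPN clients may not
        # (there is deliberately no accept rule for tun0 in this chain).
        iifname "eth1" accept
        icmp type echo-request limit rate 5/second accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # LAN -> WAN as usual.
        iifname "eth1" oifname "eth0" accept

        # WEAK setting: connected to the VPN == full LAN access. Do not use.
        # iifname "tun0" oifname "eth1" accept

        # Restricted zone: VPN clients reach exactly two services on the NAS.
        iifname "tun0" ip saddr 10.8.0.0/24 ip daddr 192.168.1.10 tcp dport { 445, 5001 } accept
        # Everything else from the tunnel (other LAN hosts, the router, the internet)
        # is logged and dropped, so a compromised client shows up in the logs
        # instead of quietly scanning the LAN.
        iifname "tun0" log prefix "vpn-client-denied: " drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "eth0" masquerade
    }
}
```

Load it with `nft -f` on the router, then verify from a connected VPN client that 192.168.1.10:5001 answers while 192.168.1.1 and any other LAN host do not, and that the denied attempts appear in the kernel log with the `vpn-client-denied:` prefix. The point of the separate 10.8.0.0/24 subnet is that the forward rules can match VPN clients by address and interface without touching the LAN rules; if a client is compromised, the attacker still has to get through the NAS itself, which is the "more than one thing that needs to be hacked" argument made earlier in the thread.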

use static IP on your 4G/5G

How could we do that? The ISP provides us with a dynamic IP, the best we could do is DDNS, right?