Need advice. When you have to open your NAS to the internet, which method do you prefer:
- Use Synology VPN Server and port forward just the VPN port (1134 etc.) to the outside, followed by setting up firewall rules for VPN clients to access just those ports that need access (Photos, Drive, Surveillance Station etc.)
- Use the VPN server on the router itself. So once the user is authenticated, he/she can access anything and everything on the NAS (and also other local devices). Synology firewall rules are configured to allow a LAN user access to ALL ports.
I see many folks recommending #2, but isn't that quite dangerous when a single point of compromise can expose the entire LAN to the internet?
VPN on a good router is preferred.
Number 2 really depends on the router’s capabilities. I have VPN access set up on OPNsense so I still have very granular control over where incoming tunneled traffic can go.
I have the Synology RT6600 router and I prefer using the VPN on the router, that way I can use other services that the router provides me.
I suppose it depends on a couple of factors — are you setting up a VPN only to access apps on the NAS, or to access your whole LAN? If the former, then it makes most sense to host the VPN server on the NAS. If the latter, then you really could go either way and I think the deciding factor will be the performance of the VPN tunnel depending on where it’s hosted.
In my experience, I got better performance of my tunnel in the NAS vs my Ubiquiti ERL3 router.
I initially set up the VPN on the NAS, which opened the ports in the router. In the back of my head I was never comfortable with having those ports open, as I was afraid the NAS and/or the router could be attacked. Then I found out my router offers a WireGuard VPN. I switched it on and tried both simultaneously. Since I saw no significant performance differences, I decided to move the VPN to the router, switching off the one on the Synology and closing the ports opened by the NAS. In my mind, this reduces the attack surface (with open ports, the router can be attacked and the NAS can be attacked). With the VPN in the router, the NAS is not directly exposed to the Internet, so I figure the attack surface is smaller. What do others think?
If configured correctly then security shouldn’t be that much different.
One big difference is performance. The CPU in a NAS is much more powerful than the CPU in an average router, especially if your NAS CPU supports hardware encryption, which is most Plus models.
Use Tailscale if you’re not familiar with VPNs
I’ve done both. Right now I actually have one of each.
- ASUS-WRT/Tomato are pretty easy to set up a VPN with. The main reason I moved from that is that ASUS is just an access point currently.
- Synology is really easy, if your certificates are in order. And you can allow the client to access anything else on the network, just as if they came in on the router. You can choose to allow or disallow that.
- OPNsense (which is my current primary firewall) makes some firewalls decently easy, but that gets you into having to set up access rules, which are much trickier than just port forwarding. Port forwarding to the Synology is really easy.
- If you want WireGuard, Synology doesn’t support it, but I’ve found it the hardest VPN to get reliably paired and working.
- OpenVPN is “heavier” than WireGuard but, in my experience, easier to set up.
If you do use the router, something like OPNsense allows you to determine what access those clients have; it’s basically a distinct “interface” so you set up rules. (That’s also part of the complexity, because you basically must do this, and that’s trickier on some firewalls than others.)
If you port-forward to the Synology, you can still filter the port forwarding, but you also can firewall in addition at the Synology; it has a bunch of security and account features.
For VPN setup, do I need to buy a VPN service?
Option #2, if there’s an exploit on the VPN software they won’t have your files… ideally you run the VPN on a Raspberry Pi so they also can’t compromise your router
Thanks! Gotta read up on OPNsense… Is it installed on the router?
The RT6600 doesn’t have VPN Server functionality.
At this point, it is just to access the apps on the NAS. I don’t need the VPN client to access other systems.
Yes, performance would definitely be better on the NAS. I guess I’d be sacrificing the full tunnel capability if I were to host the VPN on the NAS… as I don’t want to enable all ports.
I tried this but the speed is slow.
In my mind, attacking the Synology’s VPN via the open port forward is the same as attacking the WireGuard VPN on the router, right? I mean, one still has to access the WireGuard “port”, which should still be accessible from the internet, right?
And if that is compromised, then you expose ALL your devices on the local network to the internet… thoughts?
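To make the blast-radius question concrete (the two options in the opening post, and the "if that is compromised, everything is exposed" worry above), here is an added example that is not part of the thread: a small Python model of a first-match firewall policy. It encodes Option 1 (VPN on the NAS, NAS firewall allows only a few app ports), Option 2 as described (VPN on the router, client treated as a LAN user), and Option 2 on a router with per-interface rules such as OPNsense. The addresses, client pools and the workstation/camera hosts are constructed; the NAS ports assume Synology defaults (DSM HTTPS 5001, Drive 6690, Surveillance Station HTTPS 9901). The `render_nft` function emits nftables syntax for a Linux router and is an assumption about how you would deploy the filtered policy, not something from the thread.

```python
"""Blast-radius model for the remote-access designs discussed in the thread.

Option 1: VPN server on the NAS, NAS firewall lets VPN clients reach only a
few application ports.  Option 2: VPN server on the router, VPN clients are
treated like LAN hosts.  A third policy shows Option 2 on a router with
per-interface rules (the OPNsense case), which restores the granularity.

All addresses, subnets and hosts below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    src: str                                 # source CIDR
    dst: str                                 # destination CIDR (host = /32)
    ports: Optional[FrozenSet[int]] = None   # None = any TCP port


# Constructed LAN
NAS = "192.168.1.10"
WORKSTATION = "192.168.1.20"
CAMERA = "192.168.1.30"
LAN = "192.168.1.0/24"
HOSTS = [NAS, WORKSTATION, CAMERA]

# Synology default app ports (DSM HTTPS, Drive, Surveillance Station HTTPS)
# plus services an attacker with a stolen VPN credential would go for.
PORTS = [5001, 6690, 9901, 22, 445, 3389, 80]
NAS_APP_PORTS = frozenset({5001, 6690, 9901})

VPN_ON_NAS = "10.8.0.0/24"      # assumed client pool of the NAS VPN server
VPN_ON_ROUTER = "10.9.0.0/24"   # assumed client pool of the router VPN server

# Option 1: NAS firewall, VPN clients only get the app ports on the NAS.
# Assumes the VPN server does not route clients into the rest of the LAN.
OPTION1_NAS = [
    Rule("allow", VPN_ON_NAS, NAS, NAS_APP_PORTS),
    Rule("deny", VPN_ON_NAS, LAN),
]

# Option 2 as described in the thread: authenticated VPN user == LAN user.
OPTION2_ROUTER_FLAT = [
    Rule("allow", VPN_ON_ROUTER, LAN),
]

# Option 2 on a router with per-interface rules (e.g. OPNsense): same
# granularity as Option 1, enforced before traffic ever reaches the NAS.
OPTION2_ROUTER_FILTERED = [
    Rule("allow", VPN_ON_ROUTER, NAS, NAS_APP_PORTS),
    Rule("deny", VPN_ON_ROUTER, LAN),
]


def first_match(rules: List[Rule], src: str, dst: str, port: int,
                default: str = "deny") -> str:
    """First matching rule wins; unmatched traffic gets the default (deny)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and (r.ports is None or port in r.ports)):
            return r.action
    return default


def reachable(rules: List[Rule], src: str, hosts=HOSTS,
              ports=PORTS) -> Set[Tuple[str, int]]:
    """Every (host, port) a VPN client at `src` can reach: the blast radius
    if that client's credential or the VPN software itself is compromised."""
    return {(h, p) for h in hosts for p in ports
            if first_match(rules, src, h, p) == "allow"}


def render_nft(rules: List[Rule], chain: str = "vpn_fwd") -> str:
    """Render the policy as nftables forward-chain rules for a Linux router.
    (OPNsense uses pf, so there the same policy would be written as pf rules.)"""
    lines = [f"chain {chain} {{"]
    for r in rules:
        verb = "accept" if r.action == "allow" else "drop"
        ports = (f" tcp dport {{ {', '.join(str(p) for p in sorted(r.ports))} }}"
                 if r.ports else "")
        lines.append(f"    ip saddr {r.src} ip daddr {r.dst}{ports} {verb}")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, rules, src in [
        ("Option 1 (VPN on NAS, NAS firewall)", OPTION1_NAS, "10.8.0.5"),
        ("Option 2 (VPN on router, flat LAN)", OPTION2_ROUTER_FLAT, "10.9.0.5"),
        ("Option 2 (VPN on router, filtered)", OPTION2_ROUTER_FILTERED, "10.9.0.5"),
    ]:
        print(f"{name}: {len(reachable(rules, src))} reachable (host, port) pairs")
    print(render_nft(OPTION2_ROUTER_FILTERED))
```

With these constructed inputs a stolen credential under the flat Option 2 policy reaches every host and port in the model, RDP on the workstation included, while Option 1 and the filtered router policy expose only the three NAS app ports. What the model does not capture is the other trade-off raised in the thread: with the VPN daemon on the NAS, a bug in that daemon lands the attacker on the box holding the files, whereas a router-hosted VPN keeps the NAS one hop away.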
Yeah, from that perspective, VPN on the NAS is a no-brainer. I was asking more from a security point of view, even if I have to sacrifice performance for security.
Thank you for your inputs! If I decide to set up OPNsense, where do I install it? Does it live on the NAS?
I can’t say it on this sub, fearing downvotes!! I’ll direct message you.