On the topic of security: You should make a video on setting up a VLAN on a Unifi Controller for Surveillance Station to isolate the security cameras from the rest of the network and block the cameras from accessing the internet, yet still allowing remote access to Surveillance Station. You could also cover the importance of isolating IoT devices to mitigate risk of someone accessing your NAS and other devices through weak security that some IoT devices possess.

Will, I teach older folks about how to stay safe online, and I own a DS 923+ that I want to find a different method of accessing than just typing in the IP address. So this video knocks out 2 problems with 1 stone. Thanks!

The nice thing about Firefox is that you can explicitly tell it to trust a site, and it will no longer bother you with a message. Not so with Chrome and Edge.

Thanks for all of your explanations. You do it in a professional way and keep it short and simple at the same time. It's amazing. I got myself a DS220+ and find in your Synology-videos a lot of helpful answers - and also helpful questions, that I should ask myself and haven't thought about yet. 😉

Port 80 is not necesary to use Let's Encrypt. I only use 443 for it to update to Synology and Let's Encrypt. Works great.

I just got a new NAS (had a 215j before), and I'm currently binge-watching your videos! It's amazing what you can pull off with a decent NAS :D Thanks a bunch for sharing your work for free! There's just one thing I couldn't find: how to Paperless NGX and how to set it up in the container manager. I'd love to see a video from you on that!

bro is on fire posting new content

wow great explanations, and I understood! Thank you!

This video is so good. Thank you!

Best content on the web.

It maybe just me but I have got a LetsEncrypt certificate yet still get the '...Not Private' message when connecting my Mac via a browser - what am I doing wrong?

We need a LetsEncrypt tutorial for those of us who have an ISP that blocks port 80. 2 versions...one where we have access to the registrar's API and one where we do not (I think this involves a TXT DNS record, but idk). Since I do not have 20 domains with Namecheap and since I have not spent $50 in the previous 2 years, I would need to add $50 to my account before I could have access to their API (unless I can use their API sandbox to obtain a LE certificate).

how about using ACME? i read somewhere that it uses Let's Encrypt as well but without exposing the device to the public.

Is there a way of having a custom domain that resolves to the local nas with firewall configured to only allow Let's Encrypt traffic through? I.e without any other external access. This would be with a Synology router so dns server is a possibility.

Hey I have a question @SpaceRex. I followed your OpenVPN tutorial. I cannot get the hostname of the NAS to be resolved thru DNS since there's no internal DNS configured inside the openvpn config file. How do I get DNS to work thru the OpenVPN? So I can get the shares via \\NAS\Share instead of \\IP\Share?

I tried to set up a certificate using Tailscale (which uses LetsEncrypt) , but so far not working. I think it’s a version issue as the Synology version is old. I’m using that for a remote back up and I’ve disabled the Quick Connect remote access.

Thank you Will. Perhaps you could talk a bit about the problems this can cause, having synology drive all of a sudden stop syncing, which is very annoying.. /from Sweden.

A possible 4th option (DNS forward to a DDNS)? Synology’s KZfaq video “How to Configure HTTPS on Synology NAS Using Let's Encrypt” mentions setting up DDNS in DSM as an alternative to opening port 80. I don’t know much about DNS, but couldn’t a CNAME for the domain I own point to that DDNS? All feedback is welcome.

i cannot setup a hardware key without port forwarding which I am not inclined to do. Seems like I am adding a vulnerable variable to become more secure. Will Lets Encrypt allow me to create a hardware key because now there is a trusted authority? Thank you

Is it possible to set this up with Tailscale? i.e not see the warning message if you are on the same tailscale vpn?

That's one thing which is a bit messy. Or I didn't config things the best way. Setting up a let's encrypt certificate is super easy, and we can use a wild card too. Add that with the reverse proxies, and the synology "dyndns", accessing the nas from "outside" in https without specifying any ports, is cool. But then, accessing it locally, from the n'as ip, it's a bit of a mess (for me) for some reason. 1) we can't use physical keys like a yubikey for the 2fa (it's linked to the synology dyndns address). It's normal but I would like to be able to use my key locally too. I guess it's more complicated than that. 2. Using the synology secure sign in app on the phone doesn't work well If I'm connected on my network with wifi. I have to disable the wifi and be on the cellular network to be able to use the passwordless signing. 3. I can access locally the nas by the dyndns address I have when I use a vpn (I almost always do) because the connection to the nas comes from outside. But then I can use all the security features (2fa) very easily. The yubikey, etc. Is there a way to mix the both worlds? And have all these features available locally. Maybe by setting up a local domain name + a ssl certificate? So at least the yubikey can be used

Any chance you can make a video on cloudflare tunnels?

My Synology is for home use only and is set for HTTP. However, very occasionally, I connect remotely on hotel wifi using Tailscale which I believe encrypts the traffic. Am I likely to be in any danger ? I assume a travel router would add another layer of protection. This was extremely helpful; for some reason my brain could never get around what made cert's secure. Thank you.

If I use a quickconnect instead of a domain name. Will my NAs be more or less or equally secured ?

Please do one on Headscale and Talescale together.

Can somebody explain and help me with my problem please. I can reach my NAS by: - Local Ip - QuickConnect. But, i cant connect with DDNS. It`s says like it cannot be reached. What can be the problem? In DDNS page it says that status Normal. If somebody can help me with that i would be very grateful.

Why can't you purchase a SSL certificate and install it on your NAS?

Please do one on Tailscale.

traefik ftw

Nice video. Here is one more video where we explain Man in the Middle attack and generating self signed certificates . SSL/TLS Certificates: Essential Protection Against MITM Attacks 🛡️ | HTTPS Series 3/4 kzfaq.info/get/bejne/qrN3etCatd-pqYU.html