QNAP remote access - https redirect

mikolajek

Occasional Visitor
I'd like my QNAP device to be accessible remotely using a subdomain of a domain I control, and not MyQNAPCloud or other DDNS service. I do have static IP assigned for my home, just for the record.

I've set the nas1.domain.com subdomain and assigned my home IP to it. Then I've forwarded port 443 on my router to make it accessible outside.

This resulted in my NAS GUI being accessible from https://nas1.domain.com, but when I type just nas1.domain.com or http://nas1.domain.com, the connection gets refused. I realize this is because I haven't opened port 80 on my router.

However, I don't want a non-secure connection to my NAS to be possible, so I'd love to stick to the https protocol. Is there any way I can redirect traffic from non-https addresses so they launch https://nas1.domain.com? This is purely for my convenience, so I wouldn't have to remember to set the "https" each time I'm typing the NAS remote address.

I know how to do it for my webpage, but for NAS GUI there's no (or I just don't know anything about) folder I could put the file with domain rewrite rules. I suppose there's some other way to do so...

Is there? Can you please help me?
 
The redirect happens at the web server on port 80. A couple of options:

1.) Learn to type HTTPS which you should ALWAYS do anyways. Being dependent upon HTTP redirects to happen correctly on the Internet leaves you more open to MiTM attacks. I'm not saying it will happen, it just leaves the door open longer that the redirect could be intercepted and manipulated.

2.) Open your FW on port 80 to the NAS and confirm the NAS will issue the proper re-direct.

3.) If your FW supports application layer functions, issue the redirect at the FW itself.

Also to note...why in the world are you exposing your NAS to the Internet in general? Please consider using a VPN to better isolate and secure that traffic.
 
Also to note...why in the world are you exposing your NAS to the Internet in general? Please consider using a VPN to better isolate and secure that traffic.
+1

I realize this is because I haven't opened port 80 on my router.
See above :) but if you do really have a need to do it, would port forwarding ext 80 to internal 443 be a viable option?
 
but if you do really have a need to do it, would port forwarding ext 80 to internal 443 be a viable option?
It doesn’t work that way...different protocols. A redirect is required to tell the browser to change protocols; otherwise the browser will bitch about invalid protocols.
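As an added example (not code from any poster in this thread), here is a port-80 listener that serves no content and only issues the redirect discussed above. The hostname is the one from the original question; the allowlist, the function name, and the assumption that router port 80 is forwarded to the host running this are illustrative.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: the only name this listener should ever redirect to.
ALLOWED_HOSTS = {"nas1.domain.com"}


def https_location(host_header, path):
    """Return the https:// URL to redirect to, or None to refuse the request.

    The Host header is client-controlled, so it is checked against an
    allowlist instead of being echoed into Location (avoids open redirects).
    """
    if not host_header:
        return None
    # Drop any :port suffix, normalise case and a trailing dot.
    host = host_header.split(":", 1)[0].strip().lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        return None
    # Absolute-URI request targets (e.g. "http://other/...") are not passed on.
    if not path.startswith("/"):
        path = "/"
    return f"https://{host}{path}"


class RedirectHandler(BaseHTTPRequestHandler):
    def _redirect(self):
        target = https_location(self.headers.get("Host"), self.path)
        if target is None:
            self.send_error(400, "Unknown host")
            return
        # 301 tells the browser to switch scheme and port itself; a plain
        # 80 -> 443 port forward cannot do that, because the browser would
        # still be speaking cleartext HTTP to a TLS listener.
        self.send_response(301)
        self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_HEAD = do_POST = _redirect

    def log_message(self, fmt, *args):
        pass  # keep the listener quiet; log elsewhere if needed


if __name__ == "__main__":
    # Binding to port 80 needs elevated privileges on most systems.
    HTTPServer(("0.0.0.0", 80), RedirectHandler).serve_forever()
```

The first plain-HTTP request still travels unprotected before the redirect arrives, which is the window option 1 in the earlier reply refers to.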
 
Thank you, everyone!

Also to note...why in the world are you exposing your NAS to the Internet in general? Please consider using a VPN to better isolate and secure that traffic.

The reason is simple, I need quite regular access to my files hosted on NAS. When it comes to VPN - yep, I couldn't agree more, but the simplest (and dumbest) reason I don't have it yet is that I haven't figured out how to do so... :(

Can you please advise - is it OK for me just to follow this QNAP tutorial? Or should I aim at something more sophisticated?
 
@mikolajek if you have an Asus router (RT-AC3100, RT-AC86U or RT-AX88U preferred) with RMerlin firmware installed (or not), I don't recommend doing what that QNAP tutorial says. I would never open up the NAS to the internet itself. :)

Instead, with one of the routers listed, set up an OpenVPN Server, and using the OpenVPN GUI on the device you want to connect with, import the generated .ovpn file. Even defaults will work to 'prove' your connection is live. :)

The RT-AC86U and the RT-AX88U will give you the fastest possible VPN throughput (up to about 250Mbps).

Which router do you have and does it support an OpenVPN Server? :)
 
Hi @L&LD, thanks for this tip!

Indeed I have the RT-AX88U router, that I got very recently, and indeed I've flashed it with Asuswrt-Merlin firmware. It certainly supports OpenVPN.

I'm also a subscriber for NordVPN. I've found some tutorials on how to set it up on QNAP NAS, I suppose it's similar to setting it up on the router.

Just wondering if it's possible to combine it with DDNS service. As said in my original post I have static IP, but this is more a routine than part of my ISP contract. The last change of IP assigned to me took place almost 3 years ago, and the only reason for this was upgrading my service. Since then, they haven't changed it at all, though formally they can do it. I've got used to treating it as static IP then. ;) However I'm pretty sure that once I set up VPN, some Murphy law will activate and my IP will get changed :D. Thus my DDNS question.
 
it doesn’t work that way...different protocols.
Thanks, I did realize that, just thought maybe it would help as he would then only have to change http to https after :) I've never had reason to actually try this in particular, or remapping the ports at all actually, so wasn't sure what would actually happen.
 
I've found some tutorials on how to set it up on QNAP NAS, I suppose it's similar to setting it up on the router.
This too would be a mistake in my book. If you are going to run a VPN, do so on the router, not the NAS. The RT-AX88U is more than capable of handling the load (mine runs at about 5% CPU). Running on the router gives you access to your entire network and is much better implemented and supported (IMO).

Just wondering if it's possible to combine it with DDNS service.
Yes. I run a VPN server, multiple clients and multiple DDNS (as well as another DSL ISP with a static IP)
 
Indeed I have the RT-AX88U router, that I got very recently, and indeed I've flashed it with Asuswrt-Merlin firmware. It certainly supports OpenVPN.

I'm also a subscriber for NordVPN. I've found some tutorials on how to set it up on QNAP NAS, I suppose it's similar to setting it up on the router.

Just wondering if it's possible to combine it with DDNS service.
Keep in mind, NordVPN is for egress flows that originate from the NAS, not for ingress flows from the Internet. You will need to set up and configure OpenVPN on your router itself and then install a VPN client on your remote devices to connect in.

For DDNS, on my Synology, I have used the built-in tools to register itself with DNS-O-Matic which updates my DNS, OpenDNS, and IPv6 tunnelbroker for me in one shot. Not sure what QNAP has built in, but DNS-O-Matic provides many ways to accomplish an update that could just be run as a cron job if needed.
 
One trick I've been using for years, when dealing with a DDNS while you own a legitimate domain name: create a CNAME within your domain that points at the DDNS address. That way, you can transparently use the DDNS service. And if you were to switch DDNS provider, you just need to update the CNAME to point at the new DDNS host.
 
One trick I've been using for years, when dealing with a DDNS while you own a legitimate domain name: create a CNAME within your domain that points at the DDNS address. That way, you can transparently use the DDNS service. And if you were to switch DDNS provider, you just need to update the CNAME to point at the new DDNS host.
Sounds interesting but I don't really follow. Can you provide an example? What would be the benefit to doing it that way compared to the way I currently do it.... My domain is set to use the DDNS DNS servers. Should I change DDNS providers, I simply change the DNS servers. (Or am I missing something)
 
Sounds interesting but I don't really follow. Can you provide an example? What would be the benefit to doing it that way compared to the way I currently do it....

Let's say I use QNAP's DDNS service, and have merlin.myqnapcloud.com as my DDNS hostname. I also own the asuswrt-merlin.net domain.

What I'd do is configure the following DNS entry in the asuswrt-merlin.net domain:

Code:
myhome.asuswrt-merlin.net.     CNAME     merlin.myqnapcloud.com

So my VPN clients would all use myhome.asuswrt-merlin.net.

If next week I replace my QNAP by a Synology, I will have to switch DDNS provider to use the synology.me service, switching my DDNS to merlin.synology.me.

Now if I had 10 different devices configured to connect back home over VPN and I directly used the myqnapcloud address, I would have to reconfigure all 10 of them to use synology.me. Instead, since I'm using a CNAME, all I have to do is change one single DNS entry:

Code:
myhome.asuswrt-merlin.net.     CNAME     merlin.synology.me

And within a few minutes, all my clients will once again be able to connect back home without having to reconfigure them.

What this allows is to make you less tied to a specific DDNS provider. Changing DDNS provider is as simple as editing one single DNS record, versus having to manually update all of your clients.

And as an added bonus, you can use an SSL certificate for your personal domain, rather than having to rely on Let's Encrypt on a public domain name, which might carry a high chance of throttling due to the thousands of users on that same domain.

Should I change DDNS providers, I simply change the DNS servers.

Not all DDNS providers will also provide authoritative DNS support. QNAP and Synology's for instance don't.
 
