
Synology Diskstation SSL with Let’s Encrypt

Synology Diskstation SSL with Let’s Encrypt – Setting up your Synology Diskstation to be accessible from the web can be useful, and secure if done correctly. Packages like Synology Moments (for pictures) and Surveillance Station (security cameras) can work over HTTPS, meaning you can access these services from anywhere in the world, assuming you’ve properly set up your Synology. SSL is also required for some projects like Self-Hosting a Password Manager.

**DISCLAIMER** – this requires forwarding ports from your router to your Synology Diskstation. I take no responsibility should anything happen to your network. Do your due diligence and follow best practices to harden your Synology Diskstation (a strong password, 2FA and enabling the firewall come to mind). Make sure you know what you are doing before getting started!

Buy a Domain Name

This is the fun part: pick your own domain name and buy it from a domain registrar. I use Hover. A regular .com domain that isn’t a top-level keyword should only cost around $13 a year (from Hover). Once you make the purchase, read on.

Set up DNS records with your Registrar

You need to point your new domain name to your public IP address so that when you type “www.yourdomain.com” you are directed to your network where the Synology resides. However, there is a caveat to consider. If you have a consumer internet connection, you likely have a dynamic public IP address. This means if you point your domain to the public IP you are currently assigned, it will eventually change and your DNS record will be broken.

The way around this is to use a free Dynamic DNS (DDNS) service like No-IP.com. You can set up DDNS on the Synology or on your router if it supports it. The DDNS service will provide a fixed hostname that always points to whatever your current public IP is. It does this by having a host on your network (the Synology or your router) regularly update the DDNS service with your network’s current public IP address.

Now you can use the DDNS hostname in your DNS record at your domain registrar.

So for example, if you sign up for a DDNS service and get a hostname called “mycoolhostname.vnc.com”, you will use that in your DNS record entry at the registrar.

Now that we have that out of the way, log into your domain provider’s site and find your DNS records. You should have some entries there already and they probably look like this:

(Screenshot: Domain Name Service Records for SSL with Let's Encrypt)

You have a couple of options here but to keep things simple, you only need to edit two records, the ones with the “A” type. Point those records to your DDNS hostname. Now when you browse to your domain name (mydomain.com or www.mydomain.com) you will be pointed to your DDNS, which then points to your public IP address from your ISP.

I was incorrect in my testing and in writing the above paragraph. You will need to use a CNAME entry if you are using a dynamic DNS service instead of a static IP address. You can leave the A records as they are (unless you have a static IP) and add a new CNAME entry:

Hostname: whatever value you want your subdomain to be.
Example: mynas.mydomain.com

Target Name: your dynamic DNS hostname goes here.

Note – this change may take as long as 48 hours to propagate through the internet.
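To make the CNAME-versus-A distinction concrete, here is an added Python example (not part of the original post) that plans the registrar record for a NAS and flags the two mistakes that break this setup: an A record holding a hostname instead of an address, and an A record holding an address that is not publicly routable (including the carrier-grade NAT range, where port forwarding on your own router cannot help). The names mydomain.com, mynas.mydomain.com, mycoolhostname.ddns.example and the address 203.0.113.10 are constructed placeholders.

```python
"""Plan and sanity-check the registrar DNS record that points at a NAS.

Added example, not from the original post. mydomain.com, mynas.mydomain.com,
mycoolhostname.ddns.example and 203.0.113.10 are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Address ranges that can never be a home network's public IP. 100.64.0.0/10
# is carrier-grade NAT: if your ISP hands you one of these, forwarding ports
# on your own router will not make the NAS reachable from the internet.
_NOT_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 LAN ranges
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]


@dataclass(frozen=True)
class Record:
    name: str    # record name, e.g. "mynas.mydomain.com"
    rtype: str   # "A" or "CNAME"
    value: str   # IPv4 address for A, hostname for CNAME


def plan_record(name: str, zone: str, ddns_hostname: Optional[str] = None,
                static_ip: Optional[str] = None) -> Record:
    """Return the one record that makes `name` reach the NAS.

    A dynamic public IP is reached through a CNAME to the DDNS hostname; a
    static public IP can use a plain A record. Supply exactly one of the two.
    """
    if (ddns_hostname is None) == (static_ip is None):
        raise ValueError("give exactly one of ddns_hostname or static_ip")
    if ddns_hostname is not None:
        # A CNAME may not share a name with other records, and the zone apex
        # (mydomain.com itself) always carries SOA and NS records, so a dynamic
        # setup needs a subdomain such as mynas.mydomain.com.
        if _same_name(name, zone):
            raise ValueError("CNAME cannot sit at the zone apex; use a subdomain")
        return Record(name, "CNAME", ddns_hostname)
    return Record(name, "A", static_ip)


def validate_record(rec: Record) -> List[str]:
    """Return the problems found (an empty list means the record looks right)."""
    problems: List[str] = []
    if rec.rtype == "A":
        try:
            addr = ipaddress.ip_address(rec.value)
        except ValueError:
            # The mistake the post corrects: an A record holds an IP address,
            # never a hostname such as a DDNS name.
            problems.append(f"A record {rec.name}: '{rec.value}' is not an IP "
                            "address; use a CNAME for a hostname")
            return problems
        if addr.version != 4:
            problems.append(f"A record {rec.name}: {addr} is IPv6; that belongs in an AAAA record")
        elif any(addr in net for net in _NOT_PUBLIC):
            problems.append(f"A record {rec.name}: {addr} is not a public address")
    elif rec.rtype == "CNAME":
        if _looks_like_ip(rec.value):
            problems.append(f"CNAME {rec.name}: target must be a hostname, not {rec.value}")
        elif _same_name(rec.name, rec.value):
            problems.append(f"CNAME {rec.name}: points at itself")
    else:
        problems.append(f"{rec.name}: unsupported record type {rec.rtype}")
    return problems


def _same_name(a: str, b: str) -> bool:
    return a.rstrip(".").lower() == b.rstrip(".").lower()


def _looks_like_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    rec = plan_record("mynas.mydomain.com", "mydomain.com",
                      ddns_hostname="mycoolhostname.ddns.example")
    print(rec, validate_record(rec))
    wrong = Record("www.mydomain.com", "A", "mycoolhostname.ddns.example")
    print(validate_record(wrong))
```

The apex check matters for the post's setup: a CNAME for mydomain.com itself would clash with the zone's own SOA and NS records, which is why the corrected instructions add the CNAME on a subdomain (mynas.mydomain.com) and leave the existing A records alone.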

Forward Ports 80 and 443 on your Router

If you don’t know about port forwarding, you should stop and do some research now.

You can dig through your router’s settings pages or look online for guides on how to forward ports, but it will vary based on your router model and brand. You need to forward ports 80 and 443 to the internal IP address of your Synology NAS. Also, now would be a good time to make sure you’ve set a static IP address on your NAS.

Create the SSL Certificate for Synology Diskstation with Let’s Encrypt

Now we’ve got the prerequisites to create the SSL certificate. We’ll use the built-in certificate tool and the Let’s Encrypt option. (Let’s Encrypt provides a free SSL certificate that is valid for 3 months.)

1) Log into your NAS, and navigate to Control Panel > Security > Certificate.

2) Choose “Add a new certificate”.

3) Choose “Get a certificate from Let’s Encrypt”.

4) Enter your domain name and a valid email address. Also enter your DDNS hostname as “Subject Alternative Name”.

(Screenshot: Synology Diskstation SSL with Let's Encrypt)

5) Click Apply and wait for confirmation. If successful, you’ll see the new certificate listed like this:

(Screenshot)

6) Select the new certificate and click Configure. Select the drop-down next to each package or service, change it to your new certificate and click OK.
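Once the certificate is in place, it is worth confirming from outside your network that the NAS really presents it for both names you entered (the domain and the DDNS hostname in the Subject Alternative Name) and how long it has left, since a Let’s Encrypt certificate only lasts 3 months. The following is an added Python example, not code from the original post or from Synology. The live fetch needs network access; the checks themselves operate on the dict that ssl.getpeercert() returns, so a constructed sample certificate is embedded for offline use. mynas.mydomain.com and mycoolhostname.ddns.example are placeholders.

```python
"""Check the certificate a NAS presents: SAN coverage and days to expiry.

Added example, not from the original post or from Synology. SAMPLE_CERT is a
constructed dict in the shape ssl.getpeercert() returns; mynas.mydomain.com
and mycoolhostname.ddns.example are placeholders.
"""
import socket
import ssl
import time
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample in the shape of ssl.getpeercert(); notAfter is 90 days
# after notBefore, matching the lifetime of a Let's Encrypt certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "mynas.mydomain.com"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),),
    "subjectAltName": (("DNS", "mynas.mydomain.com"),
                       ("DNS", "mycoolhostname.ddns.example")),
    "notBefore": "Mar 12 12:00:00 2024 GMT",
    "notAfter": "Jun 10 12:00:00 2024 GMT",
}


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Connect with chain and hostname verification and return the peer cert (live network)."""
    ctx = ssl.create_default_context()   # verifies the chain against system roots
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def dns_names(cert: Dict) -> Set[str]:
    """All DNS names in the SAN extension, lower-cased."""
    return {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}


def not_after_ts(cert: Dict) -> float:
    """Expiry as seconds since the epoch (UTC)."""
    return float(ssl.cert_time_to_seconds(cert["notAfter"]))


def check_cert(cert: Dict, expected_names: Iterable[str], now_ts: float,
               renew_within_days: int = 30) -> Tuple[List[str], float]:
    """Return (findings, days_left).

    findings is empty when every expected name is covered and the certificate
    is neither expired, not yet valid, nor inside the renewal window.
    """
    findings: List[str] = []
    missing = {n.lower() for n in expected_names} - dns_names(cert)
    if missing:
        findings.append("names not covered by the certificate: " + ", ".join(sorted(missing)))
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    days_left = (not_after_ts(cert) - now_ts) / 86400.0
    if now_ts < not_before:
        findings.append("certificate is not yet valid (check the NAS clock)")
    elif days_left <= 0:
        findings.append("certificate has expired")
    elif days_left < renew_within_days:
        findings.append(f"certificate expires in {days_left:.0f} days; renew it")
    return findings, days_left


if __name__ == "__main__":
    names = ["mynas.mydomain.com", "mycoolhostname.ddns.example"]
    findings, days = check_cert(SAMPLE_CERT, names, time.time())
    print(f"{days:.0f} days left;", findings or "OK")
    # Live check of your own NAS (uncomment and replace the hostname):
    # live = fetch_peer_cert("mynas.mydomain.com")
    # print(check_cert(live, names, time.time()))
```

fetch_peer_cert uses ssl.create_default_context(), so a certificate that the DSM interface is still serving from its old self-signed default, or one whose name does not match the host you connected to, fails at the handshake before any of the checks run; that is the quickest way to notice that step 6 was skipped for a service.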

HTTP to HTTPS Redirect

The last thing to do is to turn on the HTTP to HTTPS redirect. This can be done under Control Panel > Network > DSM Settings. Checking the box for HTTPS redirect will force all connections to the Synology** to occur over HTTPS. This is more secure.

** It appears that some of the mobile apps like Surveillance Station will still connect to the Synology on the HTTP port unless the HTTPS checkbox is selected in the mobile app. However, web access to the DSM interface is still redirected to HTTPS.

One last caveat with HTTPS redirect. You will need to forward a third port on your router if you turn this feature on. This is because the DSM web interface for the Synology uses ports other than 80/443. (The default ports are 5000 and 5001, HTTP and HTTPS respectively.) If you attempt to connect from outside your network, the default incoming HTTP (80) or HTTPS (443) request will be re-routed to port 5001, but if that port is not forwarded on your router, the connection won’t work.

So something like this will occur:

  • External Browser requests “yourdomain.com” which is forwarded to your router.
  • Router forwards request to internal IP for Synology on port 80 or 443.
  • Synology responds to browser and says “talk to me on 5001”.
  • Browser tries to reconnect to 5001 but fails if port is not forwarded.

All of the above happens instantly so it may just look like the connection fails. However, I discovered this was the problem with my setup and after forwarding the DSM HTTPS port in my router, I was able to get in without any issues.
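Because the failure looks like a plain timeout, it helps to see exactly where the browser is being sent. Here is an added Python example (not from the original post) that turns the sequence above into a check: it parses the redirect the NAS returns on port 80, extracts the host and port in the Location header, and reports whether that port is in your router’s forwarding list. SAMPLE_REDIRECT is a constructed response that mimics the behaviour described; mynas.mydomain.com is a placeholder, and probe_http() needs network access and is meant for checking your own hostname from outside your network.

```python
"""Find out which port a NAS's HTTP->HTTPS redirect sends the browser to.

Added example, not from the original post. SAMPLE_REDIRECT is a constructed
response that mimics the behaviour the post describes; mynas.mydomain.com is
a placeholder. probe_http() needs network access and is for your own host.
"""
import socket
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Ports the post forwards on the router (constructed scenario).
FORWARDED_PORTS = {80, 443}

SAMPLE_REDIRECT = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://mynas.mydomain.com:5001/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_response_head(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, headers with lower-cased names) from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def redirect_target(raw: bytes) -> Optional[Tuple[str, int]]:
    """(host, port) the client is told to reconnect to, or None if not a redirect."""
    status, headers = parse_response_head(raw)
    if status not in REDIRECT_CODES or "location" not in headers:
        return None
    url = urlsplit(headers["location"])
    if url.hostname is None:          # relative Location: same host, port unknown here
        return None
    # An explicit :5001 wins; otherwise the scheme implies the default port.
    port = url.port if url.port is not None else (443 if url.scheme == "https" else 80)
    return url.hostname, port


def missing_forwards(raw: bytes, forwarded: Set[int]) -> Set[int]:
    """Ports the redirect needs that are not in the router's forwarding list."""
    target = redirect_target(raw)
    if target is None or target[1] in forwarded:
        return set()
    return {target[1]}


def probe_http(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send one plaintext GET to your own host and return the response head (live network).

    Port 443 speaks TLS, so this plaintext probe is for the HTTP port only.
    """
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in b"".join(chunks):
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    print("redirects to:", redirect_target(SAMPLE_REDIRECT))
    print("ports still to forward:", missing_forwards(SAMPLE_REDIRECT, FORWARDED_PORTS))
    # From outside your network, against your own hostname:
    # raw = probe_http("mynas.mydomain.com")
    # print(missing_forwards(raw, FORWARDED_PORTS))
```

With the constructed sample, missing_forwards returns {5001}, which is the extra forward the post describes adding; once 5001 is in the forwarding set the result is empty. A relative Location header is reported as no target rather than guessed at, since the port is then whatever the original request used.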

Conclusion

If you’ve gotten this far without errors, congratulations! You have configured your Synology Diskstation SSL with Let’s Encrypt! You should now be able to access your Synology NAS from the web and you can enable web access for some other cool packages like Moments and Surveillance Station. I use the Moments app over HTTPS to view and share my photo collection and to back up photos from anywhere. I also use Surveillance Station to view my security cameras over HTTPS from anywhere.

If you encountered errors, the most common causes are not having the proper port forwarding set up and not getting the SSL certificate configured. Double check your port forwards in that case. Also try clearing your cache and logging out of / back into the NAS if you have SSL mismatch errors.

Thanks for reading!

Entry-level NAS: Synology DS218+ on Amazon
Pro-sumer NAS: Synology DS918+ on Amazon
NAS Hard Drives: Seagate IronWolf NAS 6TB on Amazon

Products mentioned are available through affiliate links at no extra cost to you. Using these affiliate links to purchase helps support the blog and allows me to bring you new content. Thank you!

Amazon Associate Program: As an Amazon Associate I earn from qualifying purchases.

7 Comments
Keith

When you are done with this process, shouldn’t you disable the port forwarding to the DSM? Obviously, you need to port forward to other services on the NAS, but leaving the DSM exposed to the internet seems risky.

Keith

Oh, by the way… thank you thank you thank you. This post was extremely helpful and I learned a lot about CNAMEs, DDNS, Port Forwarding (and, oddly, UPnP) while working all this out.

Chris

Glad it helped you! Thanks!

Chris

If you disable port forwarding to the NAS then there’s no real point to setting up SSL for your NAS. You have to have a port forwarded from your router to the NAS to be able to access it from outside your network. I only have 443 (HTTPS) enabled, plus one port for my OpenVPN server (also on the NAS) because all of the apps that I need to access can operate over 443. You don’t need to port forward other Synology services. Think of the Synology as a very fancy reverse proxy. It can take all incoming HTTP/S requests… Read more »

Keith

I see what you are saying. I guess I was thinking at the time that Bitwarden would handle SSL independently of the DSM (see link below), so that you are only exposing the service instead of the admin interface. Or that the reverse proxy listener might run as a distinct service from the DSM interface itself, which would be accessible locally or through an independent VPN connection.