Synology Diskstation SSL with Let’s Encrypt
Setting up your Synology Diskstation to be accessible from the web can be useful and secure if done correctly. Packages from Synology like Moments (for pictures) and Surveillance Station (security cameras) can work over HTTPS, meaning you can access these services from anywhere in the world, assuming you’ve properly set up your Synology.
**DISCLAIMER** – this requires forwarding ports from your router to your Synology Diskstation. I take no responsibility should anything happen to your network. Do your due diligence and follow best practices to harden your Synology Diskstation (a strong password, 2FA and enabling the firewall come to mind). Make sure you know what you are doing before getting started!
Buy a Domain Name
This is the fun part: pick your own domain name and buy it from a domain registrar. I use Hover. A regular .com domain that isn’t a top-level keyword should only cost around $13 a year (from Hover). Once you make the purchase, read on.
Set up DNS records with your Registrar
You need to point your new domain name to your public IP address so that when you type “www.yourdomain.com” you are directed to your network where the Synology resides. However, there is a caveat to consider. If you have a consumer internet connection, you likely have a dynamic public IP address. This means if you point your domain to the public IP you are currently assigned, it will eventually change and your DNS record will be broken.
The way around this is to use a free Dynamic DNS (DDNS) service like No-IP.com. You can set up DDNS on the Synology or on your router if it supports it. The DDNS service will provide a fixed hostname that always points to whatever your current public IP is. It does this by having a host on your network (the Synology or your router) regularly update the DDNS service with your network’s current public IP address.
Now you can use the DDNS hostname in your DNS record at your domain registrar.
So for example, if you sign up for a DDNS service and get a hostname called “mycoolhostname.vnc.com”, you will use that in your DNS record entry at the registrar.
Now that we have that out of the way, log into your domain provider’s site and find your DNS records. You should have some entries there already and they probably look like this:
You have a couple of options here but to keep things simple, you only need to edit two records, the ones with the “A” type. Point those records to your DDNS hostname. Now when you browse to your domain name (mydomain.com or www.mydomain.com) you will be pointed to your DDNS, which then points to your public IP address from your ISP.
I was incorrect in my testing and in writing the above paragraph. You will need to use a CNAME entry if you are using a dynamic DNS service instead of a static IP address. You can leave the A records as they are (unless you have a static IP) and add a new CNAME entry:
Hostname: whatever value you want your subdomain to be.
Target Name: your dynamic DNS hostname goes here.
**Note** – this change may take as long as 48 hours to propagate through the internet.
Forward Ports 80 and 443 on your Router
If you don’t know about port forwarding, you should stop and do some research now.
You can dig through your router’s settings pages or look online for guides on how to forward ports but it will vary based on your router model and brand. You need to forward port 80 and 443 to the internal IP address of your Synology NAS. Also, now would be a good time to make sure you’ve set a static IP address on your NAS.
Create the SSL Certificate with Let’s Encrypt
Now we’ve got the prerequisites to create the SSL certificate. We’ll use the built-in certificate tool and the Let’s Encrypt option. (Let’s Encrypt provides a free, 3-month SSL certificate).
1) Log into your NAS, and navigate to Control Panel > Security > Certificate.
2) Choose “Add a new certificate”.
3) Choose “Get a certificate from Let’s Encrypt”.
4) Enter your domain name and a valid email address. Also enter your DDNS hostname as “Subject Alternative Name”.
5) Click Apply and wait for confirmation. If successful, you’ll see the new certificate listed like this:
6) Select the new certificate and click Configure. Select the drop-down next to each package or service and change it to your new certificate and click OK.
HTTP to HTTPS Redirect
The last thing to do is to turn on the HTTP to HTTPS redirect. This can be done under Control Panel > Network > DSM Settings. Checking the box for HTTPS redirect will force all connections to the Synology** to occur over HTTPS. This is more secure.
** It appears that some of the mobile apps like Surveillance Station will still connect to the Synology on the HTTP port unless the HTTPS checkbox is selected in the mobile app. However, web access to the DSM interface is still redirected to HTTPS.
One last caveat with HTTPS redirect. You will need to forward a third port on your router if you turn this feature on. This is due to the fact that the DSM web interface for the Synology uses ports other than 80/443. (The default ports are 5000 and 5001, HTTP and HTTPS respectively). If you attempt to connect from outside your network, the default incoming HTTP (80) or HTTPS (443) request will be re-routed to port 5001 but if that port is not forwarded on your router, the connection won’t work.
So something like this will occur:
- External Browser requests “yourdomain.com” which is forwarded to your router.
- Router forwards request to internal IP for Synology on port 80 or 443.
- Synology responds to browser and says “talk to me on 5001”.
- Browser tries to reconnect to 5001 but fails if port is not forwarded.
All of the above happens instantly so it may just look like the connection fails. However, I discovered this was the problem with my setup and after forwarding the DSM HTTPS port in my router, I was able to get in without any issues.
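The two things this post flags as easy to get wrong, the certificate not covering both the domain and the DDNS hostname (step 4 above) and the HTTPS redirect landing on a DSM port the router does not forward, can be checked from outside the network once everything is configured. The script below is an added example, not code from the original post or from Synology; it assumes a Python 3 install with network access and takes your domain and DDNS hostname as arguments (the hostnames in the test are the placeholders used in this post).

```python
# Added example, not from the original post: checks the two things this post
# says most often break once DSM is reachable from outside: the HTTP->HTTPS
# redirect landing on a port (5001 by default) the router does not forward,
# and a certificate that does not name both the domain and the DDNS hostname.
import http.client
import socket
import ssl
from urllib.parse import urlsplit

def parse_redirect(location, request_host=None, forwarded=(80, 443)):
    """Return (host, port, needs_extra_forward) for a Location header.
    needs_extra_forward is True when the redirect lands on a port that is
    not in the router's forwarded set, i.e. the symptom described above."""
    u = urlsplit(location)
    port = u.port or (443 if u.scheme == "https" else 80)
    return u.hostname or request_host, port, port not in forwarded

def san_gaps(sans, required):
    """Return the hostnames in `required` missing from the certificate SANs."""
    have = {s.lower() for s in sans}
    return [n for n in required if n.lower() not in have]

def redirect_of(host, port=80, timeout=5):
    """Network: GET http://host:port/ and return its Location header, or None."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    conn.close()
    return resp.getheader("Location") if 300 <= resp.status < 400 else None

def cert_sans(host, port=443, timeout=5):
    """Network: return the DNS SANs of the certificate on host:port. The chain
    is still verified; only the hostname check moves to san_gaps() above."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

if __name__ == "__main__":
    import sys
    domain, ddns = sys.argv[1], sys.argv[2]  # your domain and your DDNS hostname
    loc = redirect_of(domain)
    if loc is None:
        print("no redirect on port 80: HTTPS redirect is off or port 80 is not forwarded")
    else:
        host, port, extra = parse_redirect(loc, domain)
        print(f"port 80 redirects to {host}:{port}; extra router forward needed: {extra}")
        missing = san_gaps(cert_sans(host, port), [domain, ddns])
        print("certificate SAN gaps:", ", ".join(missing) or "none")
```

If the script reports an extra forward is needed, that is the DSM HTTPS port (5001 by default) that must be added to the router alongside 80 and 443.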
If you’ve gotten this far without errors, congratulations! You have configured your Synology Diskstation SSL with Let’s Encrypt! You should now be able to access your Synology NAS from the web and you can enable web access for some other cool packages like Moments and Surveillance Station. I use the Moments app over HTTPS to view and share my photo collection and to back up photos from anywhere. I also use Surveillance Station to view my security cameras over HTTPS from anywhere.
If you encountered errors, the most common causes are port forwarding not being set up properly and the SSL certificate not being assigned to the services. Double check your port forwards in that case. Also try clearing your browser cache and logging out of and back into the NAS if you see SSL mismatch errors.
Thanks for reading and check back soon for more posts in my Synology Diskstation Series!