Question about off-site backup NAS and VPNs

I am planning to buy two Synology NASs, one for home and one off-site. The home NAS will be my main NAS for doing everything; the off-site NAS will only be used for Hyper Backup Vault (to back up the main NAS). I would like to be able to access both NASs remotely, mainly for using Synology Drive and Synology Photos on the go, but would also like to access DSM on both remotely if needed.

I am going to run an OpenVPN server on the main NAS at home, and have OpenVPN clients on all my devices. I know that I need to set up port forwarding on my home router to enable remote access to this main NAS, and I know that I need to set up an OpenVPN client connection on the back-up NAS in order for the back-up NAS to connect to the main NAS. With this setup I can access the main NAS anywhere by running the OpenVPN client on my laptop/phone/etc. However, how can I connect to the back-up NAS's DSM console? The back-up NAS would be connected via an OpenVPN client to the local home network (OpenVPN server of the main NAS).

I do not want to use QuickConnect at all, and my preference is to not use Tailscale either, as I don't like the idea of trusting Tailscale not to introduce malicious nodes onto my network (I know it's unlikely, but I want to avoid possibilities and self-host as much as I can). I have seen something about setting up a static route, but I wasn't sure whether that needs to be at my home router or the off-site router, and what exactly that setup means. Basically, I want to be able to have both my NASs on the same OpenVPN network, and be able to log into the DSM console on both from anywhere, only via devices with the VPN client. Thanks in advance for any advice.

I run almost the same setup, but the OpenVPN server lives on my router. You should be able to access both devices when you connect to the VPN server. But you will need to define a static IP for the offsite NAS within the VPN for this to work reliably (or it might get different IPs after reconnecting). Synology's OpenVPN client (which will run on your offsite NAS) does not reliably reconnect after loss of connection; there is a script to fix this issue.

Also, Synology's OpenVPN is a bit weird (at least on my Syno router). I'd consider using WireGuard instead if you can.

If you don't like Tailscale, I'm gonna assume you have a problem with WireGuard?
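To make the "static IP within the VPN" advice above concrete: these are the OpenVPN directives that let a road-warrior client reach the offsite NAS through the home server, and that pin the offsite NAS to a fixed VPN address. This is an added example written for this thread, not configuration from the original post or from Synology. The VPN subnet 10.8.0.0/24, the address 10.8.0.10, the LAN ranges 192.168.1.0/24 (home) and 192.168.2.0/24 (offsite), the ccd path, the client name backup-nas and the hostname home.example.net are all assumptions. Synology's VPN Server package generates its own OpenVPN configuration and may not expose every directive shown; on a self-managed OpenVPN install they go in server.conf and the per-client file.

```conf
# --- server side: OpenVPN server on the main NAS at home (assumed values throughout) ---
dev tun
topology subnet                  # one /24 for all clients; ifconfig-push below uses a netmask
server 10.8.0.0 255.255.255.0    # assumed VPN subnet
keepalive 10 60                  # detect dead tunnels so the offsite NAS notices it must reconnect
persist-key
persist-tun

# Without this, the server does not forward packets between two of its own
# clients, so the laptop could never reach the offsite NAS's VPN address.
client-to-client

# Per-client overrides live in files named after the client's certificate CN
# (or after the username, if the server uses username-as-common-name).
client-config-dir /etc/openvpn/ccd     # assumed path

# Let every client reach the home LAN behind the main NAS (assumed 192.168.1.0/24).
push "route 192.168.1.0 255.255.255.0"

# Only needed if you want to reach OTHER hosts on the offsite LAN (assumed
# 192.168.2.0/24) through the backup NAS. Reaching the backup NAS itself at its
# VPN address needs no static route anywhere.
route 192.168.2.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"

# --- /etc/openvpn/ccd/backup-nas (file name = the offsite NAS's CN; assumed) ---
# Fixed VPN address, so https://10.8.0.10:5001 always lands on the backup NAS's DSM.
ifconfig-push 10.8.0.10 255.255.255.0
# Tells the server that 192.168.2.0/24 sits behind this client. Pairs with the
# two 'route' lines above; drop all three if you only need the NAS itself.
iroute 192.168.2.0 255.255.255.0

# --- client side: OpenVPN client on the offsite NAS and on the laptop/phone ---
client
dev tun
proto udp
remote home.example.net 1194     # assumed DDNS name and the port forwarded on the home router
resolv-retry infinite            # keep retrying DNS if the home link is down
persist-key
persist-tun
# plus the ca/cert/key or auth-user-pass material issued by the server
```

Two things to check once this is in place. First, the DSM firewall on the backup NAS must allow traffic from 10.8.0.0/24 on the tunnel interface, or the fixed address will be reachable but port 5001 will not answer. Second, client-to-client traffic is switched inside the OpenVPN process and never passes through the server host's iptables, so if you later want to restrict which VPN clients may talk to the backup NAS, you have to filter on the NAS itself (or drop client-to-client and let the kernel forward and filter between tun and tun).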

I may be an absolute idiot, but I specifically chose not to use a VPN for my offsite backup. I prefer to keep it simple. A backup solution must be reliable. So regarding security, my remote NAS only accepts incoming connections on 443 and Hyper Backup, and my backup is encrypted at the source.

Not trusting Tailscale on anything but a feeling makes me wonder how you could trust anything that is connected one way or the other to the internet?

I use a WireGuard VPN server for regular remote access to my home network (pivpn.io deployed on a Raspberry Pi), while for Hyper Backups between the local and remote NAS I use ZeroTier, a virtual networking solution similar to Tailscale.

From DSM 7 onwards it needs to be deployed as a Docker container, as 3rd-party services are no longer allowed to run as root.

Easy deployment guide on:

With ZT also installed on my phone, laptop and PC, I can manage both NAS units regardless of where I am. Only internet access is required.

Nowadays one can also deploy one's own ZT nodes, but I have not bothered too much with hosting that myself yet...

So no fiddling with any port forwarding in my case, on either end.

Tailscale runs on WireGuard. I've been running it for over a year successfully. I do local PC/Mac backups with ABB on both the local and remote sides. I also store data on both the local and remote sides. I do NAS backups local to remote and remote to local using Hyper Backup. Scheduled, and it happens like clockwork. Pretty easy to set up and no port forwarding.

Wonder where the concern for malicious nodes came from. I’ve never heard of this happening, or even a concern. It hasn’t happened to me. I’d be more worried about forwarding ports. JMHO

The way I would do it is make a site-to-site VPN connection between those two locations. This way you will have "local" access to both locations regardless of your current one (site A or B).

In order to get into that LAN from the outside, use a WireGuard incoming VPN server.

It can be configured on either location A or B, because once you are in, the site-to-site VPN would allow access to all services on both sites.

With this setup you will need a single port open for the incoming WG connection, and one for the site-to-site link.

An easy deployment of WG on your Syno box can be done with a simple Docker deployment that is very user friendly.

Hopefully these articles could help:
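The hub-and-spoke layout described in the reply above, written out as wg-quick configuration for the three machines. This is an added example for this thread, not configuration from the original post or from any project. The subnet 10.66.0.0/24, the addresses 10.66.0.1/.10/.20, the hostname home.example.net, the home LAN range 192.168.1.0/24 and the interface name eth0 are assumptions, and the angle-bracket placeholders must be replaced with keys generated by `wg genkey` and `wg pubkey`. The hub is assumed to run on the main NAS itself; if you run it in the Docker deployment others suggest, the LAN interface name and the sysctl line will differ inside the container.

```ini
# ---------- hub: wg0.conf on the main NAS at home ----------
[Interface]
Address = 10.66.0.1/24
ListenPort = 51820                 # the single UDP port forwarded on the home router
PrivateKey = <hub private key>
# Forward between spokes, and NAT into the home LAN (assumed eth0) so that LAN
# hosts reply to the NAS instead of needing a static route on the ISP router.
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -s 10.66.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.66.0.0/24 -o eth0 -j MASQUERADE

# offsite backup NAS. AllowedIPs on the hub is this spoke's fixed address:
# the hub only accepts packets from this key with that source, and only routes
# that destination to this key.
[Peer]
PublicKey = <backup NAS public key>
AllowedIPs = 10.66.0.10/32

# laptop (the phone gets its own key and its own /32 in the same way)
[Peer]
PublicKey = <laptop public key>
AllowedIPs = 10.66.0.20/32

# ---------- spoke: wg0.conf on the offsite backup NAS ----------
[Interface]
Address = 10.66.0.10/24
PrivateKey = <backup NAS private key>

[Peer]
PublicKey = <hub public key>
Endpoint = home.example.net:51820          # assumed DDNS name of the home connection
# Routes installed on this spoke: the whole VPN (so the laptop's 10.66.0.20 is
# reachable via the hub) plus the home LAN. No default route, so the offsite
# NAS's own internet traffic is untouched.
AllowedIPs = 10.66.0.0/24, 192.168.1.0/24
# Behind NAT with no inbound port: keeps the NAT mapping open so the hub can
# always reach this NAS, and re-establishes after an outage with no reconnect script.
PersistentKeepalive = 25

# ---------- spoke: wg0.conf on the laptop ----------
[Interface]
Address = 10.66.0.20/24
PrivateKey = <laptop private key>

[Peer]
PublicKey = <hub public key>
Endpoint = home.example.net:51820
AllowedIPs = 10.66.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
```

With this in place the laptop reaches the backup NAS's DSM at https://10.66.0.10:5001 and the main NAS at 10.66.0.1 (or its LAN address), and the backup NAS can use 10.66.0.1 as its Hyper Backup target. Only the home side needs a forwarded port; the offsite side dials out. The AllowedIPs lines double as the access list: a spoke whose key is compromised can still only speak as its own /32, and the hub's FORWARD rules are where you would restrict spoke-to-spoke traffic if the laptop should not reach the backup NAS directly. This is the same cryptokey routing Tailscale builds on, with the key exchange done by hand instead of by a coordination server.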

So the IP address (of the remote NAS) that I use for connecting to Hyper Backup on the main NAS, I can just enter that IP address in my web browser (when connected via OpenVPN) and it would take me to the remote NAS DSM console? Do I need to set up a static route or something like that (I've seen some places mention that)?

My router comes from the ISP, so I’m not sure how much configuration I’d be able to do on it, such as running an OpenVPN server on the router itself. Thanks for that script. I’ll check it out.

I don't have an issue with WireGuard, but I don't know the setup needed for it. I'm open to suggestions. All I've seen so far is an OpenVPN setup (preferred) or Tailscale (less preferred). I'd like to be self-hosted.

Using a VPN doesn't add that much complexity, IMHO. I have run a similar setup to OP's idea for about 1.5 years and had zero issues related to the VPN connection (after installing the VPN reconnect script; Synology's own solution doesn't work properly).

It's not about trusting or not trusting Tailscale. If I can self-host my own VPN, then why not do it? There's a difference between trusting my firewalled laptop joining "the internet" vs. trusting all of my personal data on my NAS to Tailscale not being hacked. If Tailscale is hacked, or if the government issues a warrant to Tailscale, then someone could add a malicious node to your Tailscale network and begin probing your NAS. Tailscale will comply with a warrant. A self-hosted VPN cannot "comply".

Thanks, I'll look into the possibility of a WireGuard setup. So is it basically the same as Tailscale, except the web interface is locally hosted for synchronizing the servers, instead of Tailscale running that?

I think it is fine to run the VPN on your NAS. I thought it would be nice to have "networking" on my router, but it also prevents me from using WireGuard. If you plan on buying a "plus" model, I'd recommend checking out how to run WireGuard via Docker as an alternative to using OpenVPN.

Cool. Didn’t know that.

I'm not overly tech savvy. I got that one figured out. WireGuard setup is pretty easy.

Yea, the VPN setup does not look hard at all, and adds a huge layer of security. My only question is how do I connect to the remote NAS if it does not have its own VPN server running, but rather it is connected to the VPN of the main NAS.

As said, with ZT you can self-host nowadays, so with that you could be connecting to any service on your NAS in one go, as if they are all in a local network. Been using it for years, and it is still free for up to 50 clients and no business use.

I don't worry too much, really, about the government trying to get access to my data; if at all, it is more about preventing (other) bad actors that might want to earn something by, for example, encrypting the data. I don't think my government is really that interested in anything I (might) have (YMMV).

I didn’t know about Tailnet lock at all. This would alleviate my concerns about using Tailscale in general. Thanks for bringing this up.

Yeah, Tailscale just makes it an easier setup and doesn’t require a separate setup for Wireguard. Works for me. :grin: