Access Your Synology With Your Own Domain Name

Introduction

The Synology DiskStation NAS boxes are great. I have a DS1813+ that I use for my file storage and VMware virtual machines. They have a great function called QuickConnect that allows people to quickly and easily access their DiskStations from outside of their home network.

They even have a quick knowledge base tutorial on how to achieve this.

For this post though, I’ll be taking you through the steps to connect using your own domain name. There are a number of steps, and we’ll be going back and forth between different providers.

 

Requirements

For this to work, you will need a few things…

  • Your own personal domain name to use.  I’ll use nas.example.com in the screen shots and descriptions,
  • A free (or paid) DDNS service provider
  • Know how your router works, and how to perform port forwarding,
  • Optional, but recommended, an SSL certificate for secure communications.

 

Domain Names

Despite this blog’s title, using your own domain name is somewhat optional. You could just use a free Dynamic DNS service provider, and just leave it at that. We will be using one later on anyway. However, if you do this, you can’t secure your connections with SSL, and security is important.

Domain names can be a personal thing.  Some people have just one, some people have lots.  Whatever you choose, make sure you can remember it.  I use a UK domain name registrar called 123-reg.co.uk for all my domain name needs.

Once you have thought of a domain name and checked to see if it’s available, you can buy it. You can buy the domain for however long you think you need it (1 year, 2 years, etc). I have had one of my domains for over 10 years!

Now that we have a domain, we can start to configure a few more things.  Firstly, make sure any emails sent to this domain are forwarded to your own email address.  This should be fairly easy, just set up a catch-all email redirect.  We will come back to the domain settings later, as we need to configure a new DNS entry to point to a DDNS service provider.

 

DDNS Service Provider

We will need a service provider that the Synology can talk to automatically, so that when your external IP address changes (whenever you reboot your router), the domain name forwarding will continue to work.

How DDNS Works (very basic overview)

  1. The Synology DiskStation updates the DDNS service provider when an IP address change is detected,
  2. A client computer (you) requests a connection to your domain name,
  3. The domain name is forwarded to your DDNS service provider,
  4. The DDNS service provider returns to the client the IP given to it by the DiskStation,
  5. The client computer (you) connects to the DiskStation.

 

Service Providers

As you can see from the image below, there are a lot of service providers that Synology can automatically update. Pick one from the list that you feel comfortable with, and sign up for a free account – if they have one. The provider I use is NoIP.com. They have a free service; however, you need to renew the account every 30 days (by just clicking a link).

 

During the sign-up, you will be asked for a host name to use; I find it easier to use the domain name I registered above. Also, make sure you use a very strong password.

OK, we now have a domain, and a DDNS hostname. Go back to your domain name registrar and edit the DNS settings for it. 123-reg has an advanced panel, which is most likely what you will need. You need to create a new DNS entry for your domain name. I called my sub-domain NAS, but you can use what you want. The DNS type for this is a CNAME. It makes the sub-domain an alias for your DDNS service provider hostname.

This may take between an hour and a day for any changes to replicate around the internet, so don’t worry if it doesn’t work straight away.

 

Port Forwarding

Before you start port forwarding, you will need a few things…

  • The IP address you have assigned to your Synology DiskStation,
  • The Port you use to connect to your DiskStation,
    • The defaults are 5000 and 5001 for HTTP and HTTPS.
    • I’ll be using the default of 5001 for the demo, but you really should change this port number – I’ll show you how later on.  If you are going to use a different number, pick any number between 1024 and 65000.  Remember it.
  • Of course, the username/password for your router!

Every home router is different, and some corporate ones require more than just a couple of steps. I’ll point you to a web site I used to use; be warned however, it has a lot of adverts – you are using an advert blocker, right!?

This is a link to an old router I used to have, a Netgear DG834.  You can try to find your own router from their extensive list if you like.  For more advanced routers you may need a few more steps.  For the specific router I use, a Juniper NetScreen 5GT, there are quite a number of steps required, in different areas of the device.

The basic overview is to add a rule to your router/firewall that forwards all traffic coming into your home on the specific port (5001) to your DiskStation, which will then handle it.

 

Obtaining an SSL Certificate

For all my SSL needs, I use the free Class 1 certificates from StartSSL. They are valid for one year, and can be easily renewed. Did I also mention they are free? No hidden charges, completely free.

You’ll need to sign up for an account (I know, another one). You will then need to validate the domain name that you want to create a certificate for.

  1. From the Control Panel, click on the Validations Wizard,
  2. Choose Domain Name Validation,
  3. Enter the domain name you bought above,
  4. Click continue past the email selection page,
    • This is why it was important earlier to make sure all emails are forwarded,
  5. Wait for an email from StartSSL to arrive.  It will contain a verification code, enter it in the box provided,
  6. All done.

Once validated, you can now create an SSL certificate.

  1. From the Control Panel, click on the Certificates Wizard,
  2. Choose Web Server SSL/TLS Certificate,
  3. Create a Key Password
    • Make sure it’s a long one – use the maximum allowed
  4. Change the Keysize to 4096
  5. Make sure Secure Hash Algorithm is set to SHA2,
  6. Copy all the text, and save it as a plain text file in notepad.  Call it SSL.KEY,
    • This is your encrypted private key, do not give it to anyone,
  7. Select the domain you want to use this SSL certificate for, if you have more than one domain,
  8. Enter a sub domain of NAS, or whatever you used for the CNAME above,
  9. Click Continue past the message, then wait for an email from StartSSL (it could take a while, but it’s usually quick)
  10. While you wait for your certificate to be generated, go back to the Control Panel
  11. Select Decrypt Private Key from the menu,
  12. Paste in the encrypted private key from step 6 and the Key Password from step 3,
  13. When you click Decrypt, the key will be decrypted and presented to you
  14. Select all the text, and save it as DECRYPTED.KEY,
    • This is your private key, do not give it to anyone.
  15. Once you get this email, go back to the StartSSL Control Panel and select Retrieve Certificate,
  16. Select the correct certificate from the drop down list (if you have more than one),
  17. Copy all the text, and save it as a plain text file in notepad.  Call it SSL.CER,
    • This is your certificate,
  18. All done.

 

Synology Configuration

We are almost done.  We have a domain, with DDNS forwarding, and port forwarding (on a custom port).  We just need to add the certificate to the DiskStation and optionally change the port numbers…

Enable DDNS Settings

  1. Open the Control Panel,
  2. Go to the External Access section,
  3. Select the DDNS tab,
  4. Click Add,
  5. Select the service provider you picked earlier (NoIP in my case),
  6. Enter the DDNS hostname,
  7. Enter your DDNS username and password,
  8. Click Test Connection to make sure everything is working fine.
  9. Select the Advanced tab,
  10. Enter your domain name in the Hostname or static IP field.

Enable HTTPS and Change Connection Port

  1. Open the Control Panel,
  2. Go to the Network section,
  3. Select the DSM Settings tab,
  4. (Optional) Change the HTTPS port number to the one you picked earlier,
  5. Tick the Enable HTTPS connections tick box,
  6. Tick all the other options on this page too,
  7. Click OK.

Install SSL Certificate

  1. Open the Control Panel,
  2. Go to the Security section,
  3. Select the Certificate tab,
  4. Click the Import Certificate button,
  5. Select the two files you created above,
    1. decrypted.key,
    2. ssl.cer,
  6. Once you click OK, the DSM should reload and connect you on an HTTPS connection.

 

Testing It All

You should now be able to connect to your Synology DiskStation via your newly bought domain name.
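
To run the same test from a script instead of a browser, the following added example (not part of the original post) handshakes with the NAS and separates two failures: a certificate chain the client does not trust, and a certificate whose names do not cover the address that was typed. nas.example.com is the post's sample name; myhost.ddns.net and 192.168.1.20 are hypothetical stand-ins for a DDNS hostname and an internal LAN address.

```python
import ipaddress
import socket
import ssl
import sys


def san_entries(cert):
    """Split subjectAltName of an ssl.getpeercert() dict into DNS names and IPs."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower().rstrip("."))
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value.strip()))
    return dns, ips


def dns_name_matches(pattern, host):
    """Exact match, or '*' standing for exactly one left-most label."""
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def covers(cert, target):
    """True if the certificate is valid for the name or IP typed into the browser.

    Only subjectAltName is consulted, as current browsers do.
    """
    dns, ips = san_entries(cert)
    try:
        return ipaddress.ip_address(target) in ips  # an IP only matches an IP entry
    except ValueError:
        host = target.lower().rstrip(".")
        return any(dns_name_matches(p, host) for p in dns)


def diagnose(host, port=5001, timeout=5):
    """Handshake against host:port and return (status, detail)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # names are checked below, to tell the two failures apart
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert, cipher = tls.getpeercert(), tls.cipher()[0]
    except ssl.SSLCertVerificationError as exc:
        return "untrusted-chain", exc.verify_message
    except OSError as exc:
        return "unreachable", str(exc)
    if not covers(cert, host):
        dns, ips = san_entries(cert)
        return "name-mismatch", "valid only for: " + ", ".join(dns + [str(i) for i in ips])
    return "ok", cipher


# Constructed sample in the format ssl.getpeercert() returns (not from a real NAS)
SAMPLE_CERT = {
    "subject": ((("commonName", "nas.example.com"),),),
    "subjectAltName": (("DNS", "nas.example.com"),),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python check_nas.py nas.example.com 5001
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 5001
        print(diagnose(sys.argv[1], port))
    else:
        for target in ("nas.example.com", "myhost.ddns.net", "192.168.1.20"):
            print(target, "covered" if covers(SAMPLE_CERT, target) else "NOT covered")
```

A status of "ok" also returns the negotiated cipher suite name, which is worth a glance after changing the HTTPS settings.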

59 thoughts on “Access Your Synology With Your Own Domain Name”

  1. David Conway says:

    Thank you for an awesome post! If I have a domain and have a fixed IP address from my ISP (which is assigned to my router), can I get the SSL certificate to work without using the Dynamic DNS functions on the Synology box? How? Do I just port-forward 5001 to the NAS?

    • Mike says:

      Yes, you can bypass the dynamic IP address section as yours doesn’t change. Continue from “Go back to your domain name registrar and edit the DNS settings…”
      For port-forwarding, you need to look at your routers configuration.

  2. David Conway says:

    Thanks. Was working great. Now today I notice that in Safari (I’m on a Mac) the lock icon is there and certificate is fine, but on Chrome, I’m getting a broken lock icon. Any idea why that would be? Is StartSSL’s root trusted by one browser but not the other? Or is the set of trusted roots determined by the computer’s OS (which wouldn’t make sense since I’m getting the discrepancy on the same computer with two different browsers). Scratching my head…

  3. Daniel Roos says:

    I succeeded in making a certificate, I can connect to my DS2413+ through my domain but it’s still giving me that the connection is not secure, how do I fix this?

    • Mike says:

      What’s the exact “not secure” error message, that will tell you what the issue is. If you got your cert from StartSSL, you may need to install their CA root certificate from https://startssl.com/certs/

      • Daniel Roos says:

        I noticed that Chrome accepts the certificate once imported, Firefox however does not. This is the error I get from Firefox: Peer’s certificate has been marked as not trusted by the user. (Error code: sec_error_untrusted_cert) but I actually had to import it from the start as I’ve never had a certificate for the server before.

  4. tim says:

    I’ve followed your instructions however I have no email for the domain I bought from 123-reg.co.uk. Looked at email and there is nothing however I have seen on who.is I have seen a email address similar to xxxxxx@identity-protect.org is this the email address I should be viewing and how do I do it ?

    • Mike says:

      Are you talking about the forwarding of emails.? Open the 123-Reg Control Panel, select your domain and click Manage. Click Manage Email, Create, Forward, and enter an asterisk as the email address so it looks like *@example.com , then enter the address you want to forward the emails to.

      • tim says:

        many thanks for the explanation now onto the next steps sub-domains not looking good with 123 they’re trying to charge me

  5. Carlos says:

    nice article, i used a namecheap ssl using the directions on https://miketabor.com/secure-synology-nas-install-ssl-certificate/ but may try startssl when this expires.

  6. Tom says:

    Thanks for the very helpful post!

    I’m having a little trouble with setting up the mail redirect.
    I have installed the mailserver and tried to configure it.
    When I try to send a testmail to postmaster@mydomain.com I get a relay access denied from the server defined in the MX-10 CNAME record of my domain registrar.
    I’m not sure if this problem lies at my DS mail server config or possibly a lack of functionality from my domain provider.

    • Mike says:

      Hi, as with serge above (or below), sorry I can’t help with the mail server, I don’t use it. There are some clever people on reddit.com/r/Synology that may be able to help you though

      • Tom says:

        So where did you define the mail redirect? At your domain provider?

        • Mike says:

          I use Yahoo! Mail, and that allows me to send and receive via any number of domains that I can set up (as long as they are my domains). I set up a catch-all email with my domain registrar that forwards everything to my Yahoo mailbox. I then set up a new “Send From” address in Yahoo for that domain. I thought I had a blog post detailing it, I’ll see if I can create one in the next few days.

        • Tom says:

          Via the MX records in DNS, simple now that I know it..

  7. Serge says:

    Great article, helped me a lot. Managed to set everything up in no time. Unfortunately my domain registrar doesn’t support a catch-all config for email because of security reasons, so I wasn’t able to create the SSL certificate yet. Do you know of a free way to still get those emails? I guess I could set up a mail server on my Synology or is there another way?
    Thx, Serge

    • Mike says:

      Hi Serge, sorry I can’t help with the mail server, I don’t use it. There are some clever people on reddit.com/r/Synology that may be able to help you though

      • Serge says:

        Hi Mike
        found a free email host. Zoho.com offers a free service for one domain and up to 10 users. That’s plenty for me for now. Also very easy to setup!

        • Tom says:

          Thanks Serge,

          I tried it via Zoho and now I expect that it will work.
          I guess my main problem was lack of knowledge of DNS record types. Zoho helped me understand it better though.

  8. james wilmington says:

    Thank you so much for publishing this tutorial. I have shied away from using SSL on my synology because i never knew you could get SSL certificate for FREE. This is a real boon!

    Thanks for sharing.

  9. David says:

    Thanks a ton for posting this. I’m excited to set this up. I have a few domains. Including mylastname.fm, I’ll be forwarding this to my music. And mylastname.photo to my pics.

    I should be able to manage the different requests to services in my router and or the NAS right?

  10. KiR says:

    Hi,
    Thanks for this post !
    I’m just wondering…

    1) When using CNAME for “DNS redirection”, does my own sub-domain work for setting CardDAV, CalDAV, Cloud, FTP and others.. ?

    2) I thought Synology company itself provided free DDNS service. Am I wrong ?

    Thanks for answering me 🙂
    Regards,
    KiR.

    • Mike says:

      Hi Kir,
      1. Yes
      2. No, they use a QuickConnect ID, which IIRC is just a number and not one that you can specify as you can with a domain name

  11. Nart says:

    This was very helpful…thanks! I am having a little issue though.
    So currently my setup looks like this something.co.uk > DDNS hostname > MyExternalIP > NAS (via forwarded port)

    The only way I can access it is by typing in the browser DDNShostname:forwardedPort. Since the CNAME on something.co.uk only points to the DNS hostname and not on a specific port, the request times out when trying something.co.uk or even DDNShostname on its own. What to do? You cannot apparently include a specific port number in a CNAME either

    • Nart says:

      EDIT:”…only points to the DDNS hostname…”

    • Mike says:

      use “something.co.uk:port” the port number will be forwarded with the DDNS name

      • Nart says:

        I eventually figured that out…and it works if I use the DDNS hostname directly…if I use the domain that I actually want to use I keep getting a “The site you have requested is currently unavailable, please try back again later.” message, which appears to be generated by No-IP.

        The CNAME is obviously set correctly on the domain and pointing to the DDNS hostname…I double-checked with a traceroute.

  12. Josh says:

    Do I always have to input the domain like “https://ds.example.com:5001”?

    If not how do I change this to default to just going to the url itself?

    • Mike says:

      Yes, just add it as a bookmark

      • Josh says:

        Thanks, I can do that for myself, but I also wanted to distribute the URL out to friends and family. It would be better off if they could just type https://ds.example.com/ and be brought to the main panel instead of typing the port too.

        • Steve says:

          I thought you could forward port 80 (http) or 443 (https) to your NAS port number to avoid specifying, as these are the default ports. Untested though, I’ve been meaning to try this.

  13. Sami Jay says:

    Hi. Great post one of only few assisting in this CNAME business.
    I did get my SSL from NAMECHEAP – after few struggles all went ok.
    So I have SSL
    I have a Synology generated DDNS
    I have a Domain from 1 & 1 hosting
    I then used the redirect to the Public IP with the port 5001
    I get to my NAS and the certificate shows but lists an error that the URL does not match the certificate.
    ????

    If I just type my DDNS I can access my NAS and it’s secure but with the original SSL certificate?

    Is that possible?……my NAS says 3rd party certificate and lists my bought DOMAIN on it?

    Any help is appreciated.

    SJ

  14. Kim says:

    There is one additional step you need to take to prevent messages in browsers that complain about an obsolete cipher suite in use. This might not apply to all Synology models, but it is probably good to verify your settings.

    The key is that it may happen that AES_128_CBC is negotiated by Apache and the browser, where you would like AES_128_GCM or similar/better.

    Go to “Control Panel”->”Terminal & SNMP”->”Advanced Settings” and set to ‘High’. In case you have a client that does not support the default settings for ‘high’, you could also just add the correct cipher suite to your current configuration under the ‘Custom’-menu.

    • Mike says:

      Thanks Kim, I didn’t know about this. Mine is set to “Medium” at the moment. This is only for SSH connections though, not HTTPS.

    • Kim says:

      My apologies, that doesn’t seem to be the complete answer…

      SSH Into the box and change the SSLCipherSuite configuration in ‘/etc/httpd/conf/extra/httpd-ssl.conf-cipher’ to “SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256”.
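
Which suites a cipher string like this enables depends on the OpenSSL build that parses it. The following added example (not part of the comment thread or of DSM) expands the string quoted above with the OpenSSL linked into Python, so the output reflects the machine it runs on rather than the Apache build on the DiskStation.

```python
import ssl

# Cipher string quoted from the comment above
CIPHER_STRING = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256"
)


def expand(cipher_string):
    """Suites (TLS 1.2 and older) the local OpenSSL enables, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing is selected
    # TLS 1.3 suites are not controlled by this string; leave them out
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Sort the enabled suite names into the groups a reviewer looks at."""
    report = {"aead": [], "cbc": [], "3des": [], "no_forward_secrecy": []}
    for c in expand(cipher_string):
        name = c["name"]
        if c["symmetric"].startswith("des-ede3"):
            report["3des"].append(name)
        elif c["aead"]:
            report["aead"].append(name)
        else:
            report["cbc"].append(name)
        if c["kea"] == "kx-rsa":  # static RSA key exchange
            report["no_forward_secrecy"].append(name)
    return report


if __name__ == "__main__":
    for group, names in audit(CIPHER_STRING).items():
        print(f"{group}: {len(names)}")
        for n in names:
            print("   ", n)
```

In OpenSSL cipher-string syntax a `!` entry removes matching suites permanently, so the output contains no AES-256 suites even though the string names them earlier.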

  15. tim says:

    Great site, simple instructions !

    I forgot to renew my noip free host so created a new host name and pointed my 123reg to this new address and updated the external address on my synology box, however when I type the new host name on the browser I’m told it does not exist, do I need to recreate my noip from scratch again ?

  16. Mario C says:

    I got everything to work with your instructions, supplemented by another Synology user’s instructions. However, now when I connect to the DiskStation within my LAN using the internal IP address, it gives me an “invalid security certificate” warning because the cert is just for the external name. Should I get a cert for its internal LAN IP and server name, or is there a way to make the official cert also work internally?

    • Mike says:

      Nope, you will always get this error, and there is nothing you can do about it if you use the internal address.
      Personally, I use the external address all the time, it helps with my password manager too 🙂

      • Mario C says:

        So, even if I change the server’s actual internal host name to the one that the cert is looking for I’ll still get the error? The error code is: “ssl_error_bad_cert_domain”. It says that the cert is only valid for the external domain name that I gave it following your method.

        • Mike says:

          Put the host name back to what it was so that the cert matches. When I said “I use the external address” what I meant was when I want to browse manage my NAS, I use the external address in my browser window as if I was outside my internal network.

  17. Patrick says:

    Excellent blog post, followed the steps, learned a lot, and it works. Awesome.
    Much appreciation!

  18. Ron says:

    Thanks for a great article, I tend to ‘Over Egg’ these tasks and it was good to have the process set out clearly. The job was done in minutes as I had all of the components. One of the things that had me tricked was that the Server Name field in Control Panel / Network is not the same as the Common Name field in Control Panel / Security / Certificate / Create Certificate / Create Certificate Signing Request. As the Server Name field will not accept a FQDN and the latter will.

    Now I need to find out How to add an SSL to the Domains that I have on the Web Server on my DS716

    Cheers
    Ron

  19. JoYo says:

    what is more secure? 1) establishing a domain name (w/ ssl, 2 factor authentication, complex password, changing port numbers, etc.) that points to the router and opens the port to the NAS in order to access my files; or 2) connecting to the NAS through VPN (such as ProVPN) using firewall to only allow that 1 static IP address? what are the differences?

  20. Alex Emelianov says:

    I have performed the steps, and https requests connect to the right server, but it keeps returning 404s. Am I missing something?

    • Mike says:

      Are you sure you have the right URL and port number.?

      • Alex Emelianov says:

        The path of the URL is empty, I’m trying to get the DSM index. I left port 5001 for HTTPS. I can inspect the SSL cert details in the browser, and it is the correct one. I’m puzzled that I can access the content using https://192.168.x.x:5001 (after bypassing the warning that the SSL cert does not match this hostname), but not using https://mydomain.cc:5001 – I’m getting a 404 page with Synology logo, clearly from my NAS.

        • Mike says:

          Try adding the path to the end of the URL, maybe it’s looking for a web resource instead of the interface.
          For the DSM it’s : https://[address:port]/webman/index.cgi

          Check if your firewall is setup to allow that port through to your NAS and it’s not changing it to 443 or 80 for some reason.?

          • Alex Emelianov says:

            I fixed it. The problem was that I put my domain name into “enable custom domain” setting. Apparently, that setting does not mean what I thought it meant. It all works now.

  21. Mario C says:

    So, now it’s time to replace the SSL because it’s expiring soon. I already went through the process of renewing it from StartSSL. Do I now install the new cert alongside the one that’s expiring?

    • Alex Emelianov says:

      New DSM has the option to automatically renew your cert with LetsEncrypt. You have to open port 80 for that to work, though.

  22. Lars says:

    Looks like the whole startSSL website has changed as has the UI.
    Did anyone figure out how to do it with the current UI?

  23. Lars says:

    To be clear. I did manage to validate my domain using the mail server on the Synology.

    Then I don’t get the option via the certificate wizard for Web Server SSL/TLS Certificate but there is selection of either a SSL Class 1 DV SSL Certificate or a MIME/s certificate.

    Then you need to provide the CSR yourself. I tried the openssl method described. But I don’t seem to have the correct info entered during the openssl process as Synology keeps telling me my private key is illegal.

    Another confusing thing is that the certificate you download via StartSSL is actually a zip file containing certificates for 4 types of servers. No idea what is needed for Synology. There are several folders in the zip that contain intermediate certificates which Synology also needs.

    So I probably have the correct certificates, just that I probably need to enter different info in the private key gen openssl step…?

  24. Lars says:

    I’ve created a CSR from certificates section in disk station. With that I was able to create a set of certificates that I could import together with the private key created via CSR.

    Now when I access synology via https: I still get the red crossed https saying that authority is not trusted. When I view the certificate from within the web browser it shows Synology certificate.

    What am I missing?

  25. Lars says:

    Looks like it is opening the Synology default certificate and saying that one is signed by unknown authority.

    The certificate I created with StartSSL states issued by StartCom Class 1 DV Server CA and Subject Alternative Name shows my domain. For only shows ‘-‘ while the synology default certificate shows a whole list of items it supports. Just a string?
