Lost on cloud / internet access / ddns

Post your questions about myQNAPcloud service here.
Post Reply
cocoboy
New here
Posts: 5
Joined: Mon Nov 20, 2017 3:33 am

Lost on cloud / internet access / ddns

Post by cocoboy »

Hi everyone!
Sorry to bother you with such newbie topic, but more I read everywhere more I become confused. So, I decided to post all my question and hope you guys, experts, could friendly answer me :?

It has been a long time now since I'm using QNAP TS-251. I use:
- HD Station on my TV
- QVRPro as a NVR of Onvif camera
- Backup all my data with netbak replicator on my personal laptop

Quite basic in fact. Of course it has access to internet, in order to get streaming video (HD Station), system upgrades, malware remover, QVRPro camera monitoring (sometimes...) and, sometimes too: getting access to personal data when not being at home.
So I configured:
- no UPnP Port forwarding, but redirection of HTTPS port (not 443 but another one because I changed it) manually entered on my router.
- I activated a DDNS with XXXX.myqnapcloud.com
- I activated myQNAPcloud Link
- I publish only Secured NAS Web and Secured File Station
- I set up a Let's Encrypt certificat in automatic renewal
- I activated IP Access Protection to block IP after 5 attemps
- every default port has been changed to a custom value
- I'm forcing HTTPS only
- I disabled all the service except : Network Service, Microsoft Networking, Management Services, NAS Web Management Interface, SNMP, Applications, Web Server
- No SSH, No Telnet, No SNMP, No FTP

But since the last security/risk announcements that have been published, I'm thinking about my whole setup again and wondering if it's good or not...
I read in several threads that giving access to Internet it's a bad idea. Well, what do we mean by "connecting it" ? allowing the internet access on the router or opening ports/services only?
I don't really understand the difference between DDNS myqnapcloud and myQNAPcloud Link: is it preferable to completely disable the DDNS myqnapcloud and let myQNAPcloud Link handling the remote access by activating only the required service I only need (only filestation, QVRPro)?

Sorry for these questions... I'm a bit frustrated to not be able to answer it by myself. But when it comes about security, I prefer to ask. Thank you for you time
User avatar
dolbyman
Guru
Posts: 35007
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Lost on cloud / internet access / ddns

Post by dolbyman »

never puplish any part of the NAS, qts port forwarding (no matter if ports are changed) is a prime way to get your nas attacked and infected by malware

setup a vpn server on your router or dedicated appliance for remote access and remove direct remote access asap
cocoboy
New here
Posts: 5
Joined: Mon Nov 20, 2017 3:33 am

Re: Lost on cloud / internet access / ddns

Post by cocoboy »

That mean :
Just disabling the port redirection of my router and the ddns config of qts?
Or also disabling du myqnapcloud link service?

I don't think my router can set up a VPN... :(
What do you by "dedicated appliance for remote access"?

Since your message, I disabled port forwarding of my router.
User avatar
dolbyman
Guru
Posts: 35007
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Lost on cloud / internet access / ddns

Post by dolbyman »

disable manual port forwards and upnp on the router

qlink is tunneling through qnap servers ..so you if you trust qnap to not get compromised or read your data..you could also do that

a dedicated appliance could be a raspi ..or a firewall
cocoboy
New here
Posts: 5
Joined: Mon Nov 20, 2017 3:33 am

Re: Lost on cloud / internet access / ddns

Post by cocoboy »

OK, I have a raspberry pi running Home Assistant : I will install a VPN (WireGuard ?) on it + forwarding port 51820 on my router and this should be better, isn't-it?
User avatar
dolbyman
Guru
Posts: 35007
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Lost on cloud / internet access / ddns

Post by dolbyman »

Much better
cocoboy
New here
Posts: 5
Joined: Mon Nov 20, 2017 3:33 am

Re: Lost on cloud / internet access / ddns

Post by cocoboy »

Hi Everyone !
I'm back to give some news from my settup.
I finally disabled everything in QTS.MyQNAPcloud:
- no more Auto Routter Configuration,
- DDNS is disabled
- not Publishing any services
- disabled myQNAPcloudLink

I had Home Assistant running on a RaspberryPI:
- I set up WireGuard VPN on it and configured it to allow access to it from only the wanted devices
- I changed by DNS from myqnapcloud to duckdns

On my router, I disabled all the rules except the UDP forwarding to RPi, for the port I configured for WireGuard.

So, from now, I can access to my QNAP, and its application, and also Home Assistant from my local network and also from outside connecting to my VPN and using local IP addresses.

IS it better now? Or did I fall in a pitfall ?

PS: I just couldn't configure TLS/SSL with Home Assistant because of application doesn't seem to work with SSL on local network (through VPN)
Plus the let's encrypt certificate cannot be automatically renewed on my QNAP :s
Post Reply

Return to “myQNAPcloud service”