Long time surfer since buying my NAS back in 2019, time to be a contributor after much reading and digesting, as I still have some questions please
So after being hit by Qlocker earlier in the year
, I have taken steps to beef up my security, though would appreciate some additional help to make sure i'm water tight going forwards? 
I bought myself a Asus RT-AX88U to replace my ageing BIPAC Billion router and have installed Asuswrt-Merlin 386.3 on it and now have Windscribe VPN running on it too. It's fully locked down, with no open ports!
My NAS is a TS-251+, running QTS 4.5.4.1741. I have the QUFirewall, Malware and Security Counselor installed and I also added Windscribe to the NAS via QVPN. I removed most of the additional programs that I don't and wouldn't use, though noticed certain ones like the Multimedia Console keep coming back? I have minimserver 2.0.12 and Plex Media Server 1.23.6 additionally installed. I have switched the admin account to a second account and have also locked down file access on the NAS to admin only.
I have then switched off all Network and File services suggested by the Security Counselor and anything else listed on the QNAP site for strengthening the NAS security. I have access via HTTPS and a random port and did set up a Cert via Let's Encrypt and myqnapcloud, though switched this off after reading various threads on here suggested that myqnapcloud could be a backdoor into the system and having to open ports on my router, for Let's Encrypt to renew certs, seemed counter productive to locking the place down? This leaves me with an issue of accessing via the local IP address, which is showing as unsecure? Whilst I appreciate I am in theory on a local home network and running a VPN and therefore "secure", I would still prefer access to be via a "secure" means, or is this as good as it gets? Also, in the future I may want to have access to my NAS from outside of my LAN, so may well have to do this via myqnapcloud and be as safe as I can be, as I am unsure how to use SSH etc?
My current aim is to be able to access my music whilst at home on my Bose system via the minimserver and to be able to access my other media via Plex when at home and away. The long term plan is to have a VPN tunnel between two RT-AX88U routers at two different properties, but for the time being, I just want to be secure whilst at home and can then start working out my next steps to linking both households?
Despite my above efforts, the QUFirewall continues to block around 50 packets an hour, down from 2,000 an hour since disabling Multimedia Console last night. Are these blocked packets a sign that something is still open to the WAN, or is this to be expected and the firewall is just doing it's job (I think the former)? I no longer have anyone trying to access the NAS via brute force attacks (for now), like was happening at the time of the Qlocker attack, though I am not entirely convinced I am "off grid" quite yet?
Thankfully in the attack I only lost my music, which was backed up. I am yet to remove the locked files from the drive and am wondering if instead of just removing the locked music files and re-uploading the backed up ones, I should preform a re-format of the drives? Or can I be content that the QLocker and any other issues were removed by the Malware remover?? I run a Malwate and Antivirus scan each night, as well as a Restart and Firmware check.
I've tried to provide as much info as I can think of, but i'm sure I will have missed something you might need to help me out, so please fire away
Can anyone think of something that I might have missed, that has left a door open or how I might make it so I don't have any blocked packets going forwards? How do I set up a secure connection without opening any ports, that might become compromised? And should I start from scratch?
Thanks in advance
Bit
