I have a Synology NAS at home for storing my ever-growing collection of personal photos and videos. It’s great.
When I purchased it years ago I recognized that I had neither the networking nor the security expertise to know how to set it up for safe remote access. As a result, I’ve been running it locally, only on my LAN, for years.
This, however, isn’t a true 3-2-1 solution. While I’ve been getting around this for years by variously syncing the most crucial files to Proton and/or Tresorit, I’m hitting the limit of that workflow. So I purchased a second Synology NAS and plan to set it up to replicate the first from a different location (in case of fire, flood, etc.).
The issue? I still have very little grasp on how to set this up in a reasonably secure and private way. I have vaguely wrapped my head around Synology’s built-in utilities and Tailscale, but I’ve also read that those are not very secure and private, respectively. I know there are other solutions out there, but as someone who has zero expertise in networking I don’t know what they are or how to use them.
My threat model and needs are:
No unauthorized access to my files, obviously. Both in terms of outside attackers (security) and the syncing services themselves (privacy).
Must be reliable. Nothing else matters if it isn’t reliable.
Minimal data collection, to whatever extent is possible.
Minimal proprietary software having to go onto my devices, to whatever extent is possible.
So my questions are:
What is the least-bad option for securely exposing my NAS to the internet and keeping it in sync with another NAS?
Is there a guide that translates that option into step-by-step instructions for someone who is computer literate but is not a programmer or computer engineer?
I have never used a NAS before, nor can I call myself an expert, but I believe people can use Syncthing in these kinds of situations. Maybe you can check it out.
I’ve used Syncthing within my own network, but I don’t know how to safely open my NAS up to the wider internet or how to point Syncthing at it once it is.
As far as I’m informed, Syncthing is end-to-end encrypted between the nodes. I just searched it up and there are some nice guides to set it up on a NAS safely too.
The built-in tools from Synology can make the sync between 2 NAS easy.
Same for remote access; I forgot the name, but those are natively available as far as I remember.
Meanwhile, you won’t be able to go super far on the privacy side, because you don’t really know what Synology’s DSM (the OS) is doing since it’s closed source, but start slow and make it nice to use and secure first.
Definitely do keep it behind some VPN or zero-trust networking setup like Cloudflare Zero Trust or Tailscale. You really should not expose these devices directly to the internet under any circumstance.
Do not expose your NAS or network to the internet. I’d recommend two options:
Easy path: use TailScale (or NetBird, but it doesn’t have a Syno app) or ZeroTier on each Synology.
Hard path: use something like an OPNsense firewall and set up a site-to-site WireGuard configuration.
Please note that DSM uses an ancient Linux kernel, which I believe will result in using the userspace implementation of WireGuard if you go for option 1. TailScale and NetBird use WireGuard (ZeroTier uses a different protocol), which will result in significantly higher than expected CPU usage. You can install a 3rd-party kernel module to let the lower-level kernel perform WireGuard duties, which should drop the CPU usage of large uploads/downloads via WG to 1-2%.
Option 2 is much more elegant, and having a well-configured OPNsense router is extremely rewarding. I’d start by configuring a router/firewall at site A, then configuring a WireGuard ‘server’ (that you can connect your smartphone to and access your NAS) at site A, then replicating the same at site B, and finally bridging the two networks together. Your NASes can then talk to each other securely.
Otherwise, Syncthing works without them being on the same network and is E2EE, albeit incredibly slow if both NASes are behind NAT and cannot connect directly.
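To make the "hard path" above concrete, here is what the site-to-site WireGuard tunnel between the two routers looks like once both sides are written out. This is an added example, not configuration from the thread or from OPNsense's documentation; the subnets (192.168.10.0/24 at site A, 192.168.20.0/24 at site B), the tunnel addresses (10.200.0.0/24), the hostname siteb.example.net and every key are placeholders chosen for illustration. The same values go into the corresponding Instance and Peer fields of the OPNsense WireGuard GUI; the wg-quick file format is shown only because it is compact.

```ini
# Site A router (OPNsense) -- constructed example, placeholder keys
[Interface]
Address = 10.200.0.1/24          ; site A's address inside the tunnel
ListenPort = 51820               ; only site A needs a reachable UDP port
PrivateKey = <SITE_A_PRIVATE_KEY_PLACEHOLDER>

[Peer]
# Site B router
PublicKey = <SITE_B_PUBLIC_KEY_PLACEHOLDER>
PresharedKey = <SHARED_PSK_PLACEHOLDER>
# AllowedIPs is both a route and an allow-list: site A only accepts packets
# from this peer that claim a source inside these ranges, and only sends
# traffic for these ranges into the tunnel.
AllowedIPs = 10.200.0.2/32, 192.168.20.0/24
# No Endpoint here: site B dials in, so site B can sit behind NAT.

# Site B router (OPNsense) -- constructed example, placeholder keys
[Interface]
Address = 10.200.0.2/24
PrivateKey = <SITE_B_PRIVATE_KEY_PLACEHOLDER>

[Peer]
# Site A router
PublicKey = <SITE_A_PUBLIC_KEY_PLACEHOLDER>
PresharedKey = <SHARED_PSK_PLACEHOLDER>
AllowedIPs = 10.200.0.1/32, 192.168.10.0/24
Endpoint = siteb-dials-this.example.net:51820   ; site A's public name, placeholder
# Keepalive so the NAT mapping at site B stays open and site A can initiate
# replication in the other direction.
PersistentKeepalive = 25
```

Generate each router's key pair with `wg genkey | tee privatekey | wg pubkey > publickey` and the shared pre-shared key with `wg genpsk`; the private keys never leave their own router, and only the public keys and the PSK are copied across. Two things then decide how exposed the NASes are: the only inbound port forward on either site is UDP 51820 at site A (nothing from the NAS itself is reachable from the internet), and the firewall rules on the WireGuard interface should permit just the replication traffic between the two NAS addresses, for example Syncthing's TCP/UDP 22000 or whichever port Synology's own replication service uses, rather than allowing the whole remote LAN through.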