With openvpn active on Asus router my Synology NAS is not reachable from external IPadres

[Hansxls]

I'm trying for weeks now (and searching the net for solutions) to get this problem solved. With OpenVPN active on my GT-AX11000 router (VPN-fusion) it is impossible to to reach my NAS when I'm not using my home wifi. Only with Quickconnect. But i need also access like Webdav access.
I can reach all other devices (security cams, door opener, alarm, etc)

So there is something specific about Synology NAS I don't understand. Anyone who can help me (I don't know much about networking )

 

[jtjbt20x]

Check your Synology firewall settings, perhaps it’s not allowing your vpn connection’s IP address through. I had that problem.

 

[Hansxls]

Check your Synology firewall settings, perhaps it’s not allowing your vpn connection’s IP address through. I had that problem.

I deactivated my firewall completely for a minute, but it didn't make a difference.
I used a online portscanner to check if my ports are open and the funny thing is that the ports for all my other devices are open, but not the ports from my NAS. One online scanner says they are closed, another one says 'filtered' which means:
A port is marked as "filtered" when the packets are sent to that port, however packet filtering (e.g., firewall) prevents the packets from reaching that port.

 

[jtjbt20x]

What IP address is your VPN connection presenting on your LAN?

 

[jtjbt20x]

Or check on the Synology Admin Facebook group, they can probably fix it quickly.

تسجيل الدخول إلى فيسبوك

قم بتسجيل الدخول إلى فيسبوك لبدء المشاركة والتواصل مع أصدقائك وعائلتك والأشخاص الذين تعرفهم.

www.facebook.com

 

[Hansxls]

Or check on the Synology Admin Facebook group, they can probably fix it quickly.

تسجيل الدخول إلى فيسبوك

قم بتسجيل الدخول إلى فيسبوك لبدء المشاركة والتواصل مع أصدقائك وعائلتك والأشخاص الذين تعرفهم.

www.facebook.com

I don't have facebook.

But my NAS sees as external adres the IP address of my chosen VPN server.

 

[MichaelCG]

What do you mean by chosen VPN server? Are you connecting your phone/laptop to OpenVPN hosted on your ASUS router?

An external scan should NEVER show any of your internal services....EVER!! That is the entire point of OpenVPN on the ASUS. Only expose the ASUS OpenVPN server, connect to that, then your remote clients have access to your internal services.

 

[Hansxls]

What do you mean by chosen VPN server? Are you connecting your phone/laptop to OpenVPN hosted on your ASUS router?

An external scan should NEVER show any of your internal services....EVER!! That is the entire point of OpenVPN on the ASUS. Only expose the ASUS OpenVPN server, connect to that, then your remote clients have access to your internal services.

By chosen VPNServer I mean for instance one of the servers in Germany which NordVPN offers. When I upload the config UDP file on my Asus router and activate it, my NAS sees that IPaddress (instead of my IP address I get from my internet provider).

So, when I diable VPN fusion on my Asus, my NAS sees my real IP address and is reachable from outside my house. When I activate VPN fusion, my NAS sees the IP address from the NordVPN server in Germany and my NAS is not reachable from outside

 

[MichaelCG]

Ah...so you need to exclude your NAS from the VPN then. The VPN is tunneling all egress traffic from your network and sending it to the 3rd party provider. That 3rd party provider is NOT providing ingress services back to you.

What is the purpose of the VPN usage? Is this a "security" or "privacy" thing? Or are you trying to bypass geo-filtering?

 

[Hansxls]

Ah...so you need to exclude your NAS from the VPN then. The VPN is tunneling all egress traffic from your network and sending it to the 3rd party provider. That 3rd party provider is NOT providing ingress services back to you.

What is the purpose of the VPN usage? Is this a "security" or "privacy" thing? Or are you trying to bypass geo-filtering?

It's a privacy thing (downloading movies and so from usenet )

But why do I only have this problem with my Synology NAS. I do can access my alarmsystem, security cams, door-opener, heating thermostat, .....?

 

[MichaelCG]

I'm sorry, but if you have exposed all of those other services directly, you are just asking for trouble. Pretty much none of that stuff should ever be directly exposed to the Internet.

Now......IF.....those are being accessed via an "app" or 3rd party portal, they are working due to a completely different type of setup and network flow.

There are a couple of different ways your "remote" access to a service can work.

1.) Direct ingress from the Internet
- via an inbound NAT rule on your router/firewall
- extremely high risk due to direct exposure of service to Internet
- just a matter of time before one of those services will be compromised

2.) via 3rd party portal/proxy
- internal system makes outbound connection to 3rd party
- mobile device connects to 3rd party
- no "direct" attack surface of internal systems
- security is all dependent upon the security of the 3rd party environment

3.) VPN remote access
- setup a client VPN service at your home
- mobile device connects to home VPN service
- only public exposed service is the VPN service
- risk profile is moved back to user environment to the VPN service

 

[Hansxls]

I'm sorry, but if you have exposed all of those other services directly, you are just asking for trouble. Pretty much none of that stuff should ever be directly exposed to the Internet.

Now......IF.....those are being accessed via an "app" or 3rd party portal, they are working due to a completely different type of setup and network flow.

There are a couple of different ways your "remote" access to a service can work.

1.) Direct ingress from the Internet
- via an inbound NAT rule on your router/firewall
- extremely high risk due to direct exposure of service to Internet
- just a matter of time before one of those services will be compromised

2.) via 3rd party portal/proxy
- internal system makes outbound connection to 3rd party
- mobile device connects to 3rd party
- no "direct" attack surface of internal systems
- security is all dependent upon the security of the 3rd party environment

3.) VPN remote access
- setup a client VPN service at your home
- mobile device connects to home VPN service
- only public exposed service is the VPN service
- risk profile is moved back to user environment to the VPN service

Thanks for your input, it makes it a bit more clear for me.
- So if I understand correctly, my secure cams and alarmystem work via direct ingress form the net (the company who installed it asked me to open some ports on my router, needed for external access. My router has a kind of AI protection (works with Trend Micro) and was continuous blocking IP addresses from Cina, N-Korea and U.S. who were trying to access my security cams. (I asked the company for user manual and discovered that they had not changed the use of the standard ports. After I changed that, it's quiet for the last 8 months)

Other devices are connected via 3rd party

I now activated (next to VPN fusion) the VPN server facility on my router so I can connect to my router with my phone via OpenVPN and then indeed I can connect to my NAS with my phone.

Did not solve all my problems, but a lot of them, thanks!

 

[Dex10]

I'm sorry, but if you have exposed all of those other services directly, you are just asking for trouble. Pretty much none of that stuff should ever be directly exposed to the Internet.

Now......IF.....those are being accessed via an "app" or 3rd party portal, they are working due to a completely different type of setup and network flow.

There are a couple of different ways your "remote" access to a service can work.

1.) Direct ingress from the Internet
- via an inbound NAT rule on your router/firewall
- extremely high risk due to direct exposure of service to Internet
- just a matter of time before one of those services will be compromised

2.) via 3rd party portal/proxy
- internal system makes outbound connection to 3rd party
- mobile device connects to 3rd party
- no "direct" attack surface of internal systems
- security is all dependent upon the security of the 3rd party environment

3.) VPN remote access
- setup a client VPN service at your home
- mobile device connects to home VPN service
- only public exposed service is the VPN service
- risk profile is moved back to user environment to the VPN service

MichaelCG,

I activated the OpenVPN server on my Asus router and managed to install the client on my smartphone (android), which I use to access my network remotely.

I was left with a doubt:

-With the above settings, will not all services that I access remotely, through the router, behind this router be exposed?

- for example, I have a NAS that is behind the router, if I access it remotely, then this access would go through the VPN, considering that the router has the VPN server active and the access is being made by a client of this VPN .

- It is?!

 

[Sky]

Check to see if you customized the http/https ports on your Syno as they recommend. If you did, you'll need to Forward the port or ports on your router for the outside world to get to the NAS. normal HTTP/HTTPS on the NAS is probably 5000/5001 but they pro-actively an in a very strong manner recommend changing these. Assume you paid attention and did exactly that picking, for example 50025/50026. Then you would need to forward 50025:50026 to your NAS, which will have to be assigned an IP in the router.

Does that create a vulnerability? Of course. Any thing that uses the internet in any way has vulnerabilities to outside attack, but that's an issue for a different forum.