I have a Synology NAS (DS1522+) at home which I use to store pictures / documents and also host a family calendar. Recently, I set up a spare DS220j at my in-laws’ house as an offsite backup for the DS1522+ (via HyperBackup). Since I didn’t want to open any ports in my in-laws’ home network, my first idea was to let the DS220j connect to the DS1522+ using OpenVPN. This didn’t work out because of connectivity issues I can only attribute to CG-NAT / DS Lite — I was able to connect to the OpenVPN Server (i.e. the DS1522+) using my mobile phone but not from within my in-laws’ LAN. Long story short: Since I also want to reach services running on the DS1522+ from anywhere, I got a VPS with a static IP which hosts an OpenVPN server, a WireGuard Hub and a reverse proxy (Nginx Proxy Manager) inside a docker container.

I mainly followed these two tutorials for this:
https://www.procustodibus.com/blog/2022/08/connecting-wireguard-and-openvpn/
https://apfelcast.com/ds-lite-ipv6-portfreigaben-erstellen-inkl-reverseproxy-und-vpn-server/

Clients (e.g. the DS220j) can now connect to the VPS using OpenVPN or WireGuard while the VPS has a steady WireGuard tunnel to a Raspberry Pi at home (which also runs Pi-hole). This setup is working fine and the OpenVPN (10.8.0.X) / WireGuard (10.0.0.X) clients seem to be able to reach each other and also reach other devices within my home network (192.168.200.X). I then decided to disable DDNS and port forwarding to my DS1522+ (which was only working through IPv6 anyways) and instead try to reach its services (Drive, Photos, etc.) through the VPS running NPM. I set up a domain name “my-domain.com” with subdomains e.g. “nas.my-domain.com” pointing to the VPS’ public IP (A Record). I opened ports 80 and 443 on the VPS’ firewall and set up my NAS’ local IP and corresponding ports as destinations in Nginx (e.g. “nas.my-domain.com” points to http://192.168.200.22:5000). Finally, I got (Let’s Encrypt) SSL certificates for each subdomain and turned on the “force SSL” option in Nginx Proxy Manager.

Here is the issue: When I try to reach any of the DS1522+'s services via one of the subdomains in a browser it will try loading for a while and either (a) load only the DSM favicon and NAS’ name (in the tab’s title) but otherwise show a blank page or (b) return a 504 gateway timeout error.

I’ve tried pretty much everything I could think of over many days:

  • Turning various settings in DSM on and off
  • Turning various NPM settings on and off
  • Importing the SSL certificates created via NPM into the NAS
  • Setting the destination in NPM to http and https with ports 80, 443, 5001 and other ports for each service

My guess is somehow the response from the NAS is not routed properly but I’m not sure where or what to look for anymore.

And before anyone suggests just using the safer option and only accessing the NAS via VPN: I want to be able to share documents and pictures with friends and family members without creating VPN profiles for them and I also use NetGuard on my (Android) mobile devices which already blocks / uses the VPN service.

  • ElevenNotesB
    1 year ago

    Why did you mix OpenVPN with WireGuard on your VPS when WireGuard alone would be faster?