Synology Create a VPN to download from a Synology

In order to hide my NAS, I wanted it to use its own VPN, while my public IP was still visible when surfing with any other devices in my LAN.

To do so, I subscribed to HMA! (HideMyAss!) and applied their configuration procedure on my Synology. Et voilà.

I tried both an L2TP and an OpenVPN VPN with success. Tricks:

  • For an L2TP VPN, use your PPTP password and NOT your account password
  • For an OpenVPN VPN, use your account password
  • Although I use Port Forwarding to access my NAS from the Internet, I did not have to open the required ports !!!
    • L2TP: UDP 500, 4500 and 1701
    • OpenVPN: 443 if using TCP, 553 if using UDP
  • If you are using a DDNS, go to Control Panel > External Access and click Update to verify the public IP of your NAS. It must now be your VPN IP.
  • Check that, when downloading a torrent (with this procedure), your tracker IP is your VPN IP.
  • Check your IP by calling ipify from your NAS.
    • A very simple way to do this is to call the following PHP page on your Web Station:
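<?php
 // Ask ipify which public IP the NAS is seen with (it should be the VPN IP)
 $ip = file_get_contents('https://api.ipify.org');
 // file_get_contents() returns false on failure; escape the remote response before printing it
 echo "My public IP address is: " . ($ip === false ? "unknown (lookup failed)" : htmlspecialchars($ip));
?>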
  • Soon after enabling the VPN, I started to be attacked on the Telnet port! I am using Security’s Auto-Block feature to prevent brute force attacks.
  • On a mobile device (or anything else) connected directly to the Internet (not via your LAN), type your VPN IP in a browser. You should see the default home page of your Web Station if this one is enabled.
    • I would recommend replacing this default page with a PHP page returning a 404 header.
<?php
 header("HTTP/1.0 404 Not Found");
?>
  • If you are using a DDNS on your NAS, you won’t be able to access your router and VDSL modem via that domain name. Indeed, only your NAS is accessible via this VPN IP. If possible, configure another DDNS on your VDSL modem or router.
    • Ex.: I am using duckdns.org for free. They have a great support page here with detailed configurations for many different devices.
    • Doing so, you can access your NAS and your router or modem via their own Domain name.
  • “Tested OK” both when accessed from LAN or from Internet:
    • Download Station via Synology Download Station for Chrome (https://www.download-station-extension.com)
    • JDownloader via Chrome extension and via https://my.jdownloader.org
    • Plex Server via App or via http://DDNS name:port/web or via http://plex.tv
    • DSM via its admin port
    • Apps: DS Cam, DS File, DS Audio, DS Get, DS Photo, DS Video, DS Cloud and DS Note are all working fine using Quick Connect (All those I tested via their DDNS name + custom port or DSM admin port worked too)
    • Cloud Sync (with Hubic)
    • FTP Server

Tips Local DNS not working anymore due to AVAST

For a few weeks, I have had issues when trying to access devices or services in my LAN via domain names defined within my local DNS Server. The problem was due to AVAST’s “Secure DNS” feature (recently enabled unmindfully).

I have defined a Master Zone for BeatificaBytes.be in my DNS Server (hosted on my Synology). It’s pointing to my NAS itself. Doing so, I can access my blog from my LAN just as from the Internet. Without that Master Zone, a ping on BeatificaBytes.be would return the Internet IP of my modem. And I can’t use that IP to access my NAS (hosting my blog) from within my LAN.

In that Master Zone, I have defined an A record for www, to forward www.BeatificaBytes.be onto the local IP of my blog.

I have also a few other Master Zones defined to access various devices…

For a few weeks, I was not able to ping any devices anymore and my blog was only accessible on BeatificaBytes.be but no longer on www.BeatificaBytes.be.

I spent hours reconfiguring my DNS Server, testing all the various settings, without success. I have never executed so many ipconfig /flushdns, ipconfig /release, ipconfig /renew, ipconfig /all, ping www.BeatificaBytes.be and nslookup www.BeatificaBytes.be :D

I finally figured out that the problem was with AVAST. It has a feature named “Secure DNS” which protects you against “DNS hijacking”. DNS hijacking redirects you from the site you want to visit, to one that looks just like it. Secure DNS ensures the site you’re visiting is real.

So, Avast was preventing me from accessing my blog on an IP which was not the one of my real “domain name” registered on the Internet. But as I only defined the fully qualified “www.BeatificaBytes.be” within my Internet Provider’s DNS Settings, I was still able to access my blog locally on “BeatificaBytes.be” (This disturbed my investigation a lot).

It’s really the first time since 1996 that I curse Avast !

Tips WordPress really slow when accessed on LAN via its Domain Name

For a few weeks, WordPress has been really slow when I access it from my LAN with its domain name https://beatificabytes.be

The problem was with the name resolution on my PC.

My blog is hosted on my NAS, which I usually accessed via its NetBIOS name or via its local IP address. But to make it easier for me, I also defined a domain ‘beatificabytes.be’ on my NAS’ DNS Server, with an A record for www, pointing to the IP of the NAS.

So, I can access my blog locally with either the domain name ‘beatificabytes.be’ (if I am lazy) or with the fully qualified name ‘www.beatificabytes.be’.

The problem is that the actual URL of my blog, defined in WordPress’ settings, is ‘www.beatificabytes.be’. So, many pages of the blog are referencing scripts and images hosted on that address ‘www.beatificabytes.be’.

And, a few weeks ago, for some unclear reason, my PC started to fail to access my NAS via the url ‘www.beatificabytes.be’. I was only able to access it with its netbios name, its IP or the domain name ‘beatificabytes.be’ (without www).

The reason was an issue with the name resolution on my PC (I thought it was an issue with the “DNS” Server but it was actually due to Avast’s feature ‘Secure DNS’).

Therefore, each page trying to load resources from www.beatificabytes.be was getting timeouts, making the rendering very slow (without any visual notification!)…

I fixed the name resolution issue and I can now access my blog again at ‘full speed’.

Conclusion, open the Debug window of your browser to look at possible network or script errors ;)

Synology Update DSM 5.0 with the latest fixes

I have just applied the latest service pack for DSM 5.0. Soon after, I started to experience connection issues to my own blog from my Intranet. This was due to some (???) issues with the DNS Service running on my Synology.

Issue confirmed: executing a “ping beatificabytes.be” in a CMD prompt was returning the internet IP of my ADSL Modem, instead of the IP of my NAS.

As a reminder: I configured my Router and my Synology’s DNS Service to be able to access my blog on my intranet with its actual FQDN (See here). And after the upgrade from DSM 4.0 to DSM 5.0, I had to enable the “Resolution Service” in the “DNS Server”.

Now, to solve the connection issue experienced after updating DSM 5.0:

  1. On the Synology, in the “DNS Server” configuration pane, I first had to:
    1. Disable the “Resolution Service” and click Apply
    2. Re-enable the “Resolution Service” and click Apply
  2. Next, on my PC, in a CMD prompt, I executed:
    1. ipconfig /flushdns
    2. ipconfig /renew *
    3. ping beatificabytes.be

Et voilà !

Tips View or flush the content of the DNS cache on Windows

Although my primary DNS is my Synology and the IP returned for ‘beatificabytes.be’ is expected to be the IP of my NAS, Chrome tried to access my blog on the web instead of locally. I thought it was an issue with the DNS and wanted to know how it resolved my domain name.

Windows is caching the IP resolved by a DNS. So, thinking my DNS was possibly off when Chrome tried to resolve my domain name, I had to view the content of the cache. This can be done with the following command:

ipconfig /displaydns

The result was clear. My DNS didn’t answer itself and the domain name was therefore resolved by the DNS of my provider:

www.beatificabytes.be
----------------------------------------
Record Name . . . . . : www.beatificabytes.be
Record Type . . . . . : 5
Time To Live . . . . : 30
Data Length . . . . . : 8
Section . . . . . . . : Answer
CNAME Record . . . . : <myNAS>.diskstation.me
Record Name . . . . . : <myNAS>.diskstation.me
Record Type . . . . . : 1
Time To Live . . . . : 30
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 91.182.141.78
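
An added example (not part of the original post): a small Python parser for the `ipconfig /displaydns` format shown above. It follows the CNAME chain for a name and reports whether the cached answer is a private LAN address (the local DNS answered) or a public one (an outside resolver answered). The sample repeats the output above with a constructed CNAME target, and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample in the format shown above; the CNAME target is a
# placeholder because the post redacts it as <myNAS>.
SAMPLE = """\
www.beatificabytes.be
----------------------------------------
Record Name . . . . . : www.beatificabytes.be
Record Type . . . . . : 5
Time To Live . . . . : 30
Data Length . . . . . : 8
Section . . . . . . . : Answer
CNAME Record . . . . : mynas.diskstation.me
Record Name . . . . . : mynas.diskstation.me
Record Type . . . . . : 1
Time To Live . . . . : 30
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 91.182.141.78
"""

# "Label . . . . : value" -> ("Label", "value")
FIELD = re.compile(r"^[ \t]*(.+?)[ .]*:[ \t]*(.*)$", re.M)

def parse_records(text):
    """Return one dict per cached record: name, plus cname or address."""
    records = []
    for key, value in FIELD.findall(text):
        value = value.strip()  # also drops a trailing \r from CRLF output
        if key == "Record Name":
            records.append({"name": value.lower()})
        elif records and key == "CNAME Record":
            records[-1]["cname"] = value.lower()
        elif records and key == "A (Host) Record":
            records[-1]["address"] = value
    return records

def answered_locally(text, name):
    """True if name ends at a private IP, False if public, None if not cached."""
    by_name = {r["name"]: r for r in reversed(parse_records(text))}
    name, seen = name.lower(), set()
    while name in by_name and name not in seen:  # 'seen' stops CNAME loops
        seen.add(name)
        rec = by_name[name]
        if "address" in rec:
            return ipaddress.ip_address(rec["address"]).is_private
        name = rec.get("cname", "")
    return None
```

The labels are matched as they appear in the English output shown above; a localized Windows prints different labels.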

So, I tried to just flush the cache to see if my DNS would now resolve the domain name. The command to do so is:

ipconfig /flushdns

For information purposes, here are the commands to respectively turn off/on the DNS cache until next reboot:

net stop dnscache

net start dnscache

Flushing the DNS didn’t solve the issue unfortunately :(

Neither ipconfig /release nor ipconfig /renew solved the issue either*… But this post is to keep a note about viewing/flushing the DNS cache only ;)

* To be continued…

Synology Configure Synology DNS + DD-WRT to access my blog from both Intranet and Internet

My blog is hosted at home on my NAS and accessed using the fully qualified domain name www.beatificabytes.be. Configuring adequately the Synology’s DNS service and my Buffalo router running DD-WRT, I can access it both from Internet and my Intranet using that url.

To make my blog accessible from the Internet, I have configured the “DDNS” service of my Synology. Thanks to this “DDNS” Service, “Synology” links a hostname like “myNas.DiskStation.me” to the dynamic IP I get from my Internet Provider – currently “Belgacom”. Next, I have configured a CNAME “www.beatificabytes.be” at my Domain Provider “Servage.net” as an alias of this hostname “myNas.DiskStation.me”.

My VDSL Modem being the device physically accessible with the dynamic IP obtained from my Internet Provider, it is configured to forward incoming Internet traffic to my Buffalo router. And this one is forwarding the traffic for my blog to my NAS.

It obviously works fine for accesses from Internet. But if I try to access my NAS with that hostname from my home network (my intranet), the VDSL Modem does not forward me to the NAS via the router. Instead, I am redirected by the DNS of my Internet Provider to a page (http://Intranet IP of my Modem/dns_error) displaying:

Your internet connection is up, please close your browser and restart it again.

Uw internetverbinding is hersteld, gelieve uw browser eerst te sluiten en
daarna opnieuw te starten.

Votre connection internet fonctionne correctement, veuillez fermer votre
navigateur et le redémarrer.

My previous solution was to define the hostname www.beatificabytes.be in the host file (under C:\Windows\System32\drivers\etc) of my PC. So, instead of being resolved into the dynamic IP got from my Internet Provider (reason why I was reaching my VDSL Modem), that hostname was resolved directly into the IP of my NAS.

Using the host file is however a real pain as it must be completed and maintained manually on all the devices. Also, it only works fine for Windows machines and not for my Phone, my Tablet, etc… So, I wanted a more global solution.

I found that I could configure a host file directly on my Buffalo Router as explained here: http://commonbits.wordpress.com/2013/03/26/using-dd-wrt-for-local-dns-and-dhcp/. More details here: http://www.dd-wrt.com/wiki/index.php/DNSMasq_as_DHCP_server.

I could also simply configure my Buffalo Router to provide each DHCP client with the IP of the open DNS of Google (8.8.8.8 and 8.8.4.4) instead of the DNS of my Internet Provider.

But I was interested in testing the DNS Server package of Synology. And I found that it’s not that hard to configure it to resolve the hostname locally instead of querying the DNS of my Internet Provider.

First, configure the NAS like this:

  1. Install and run the DNS Server Package via the Package Center
  2. Open the DNS Server Panel via DSM Start > DNS Server
  3. Select the “Zones” tab
  4. Click on “Create” and select “Master Zone”
  5. Select a “Domain type”: forward zone
  6. In “Domain name”, enter the domain name used by the blog
  7. In “Master DNS server”, enter the IP address of the NAS
  8. Keep other settings as by default and click “Ok”.
  9. Double click the new entry to edit its content. You should see two prefilled records respectively of type “A” and “NS”.
  10. Click on “Create” and add a new record of type “A”
    1. Name: (leave blank)
    2. TTL: (use the default)
    3. IP address: type the IP address of the NAS
  11. Also add another record of type “A” with Name “www”.

And that’s it for the DNS Server configuration. I didn’t change anything else, including in the “Resolution” tab, …

Next, configure the DD-WRT like this:

  1. Go to the tab Services
    1. Set “Used Domain” = WAN
    2. Set “LAN Domain” = Any name you want. It does not need to be the domain name of the blog. I am using my “Workgroup” (Yes, I still use that)
    3. Check that the NAS has a static IP configured in the “Static Leases” table
    4. Set “DNSMasq” = Disabled
  2. Go to the tab Setup > Basic Setup
    1. Set “Connection Type” = Automatic Configuration – DHCP
    2. Set “Router Name” = SomeName
    3. Set “Hostname” = Same name as above
    4. Set “Domain Name” = (I kept it blank as I am not really working with a domain at home)
    5. Set “Local IP Address” = x.x.x.x (E.g.: 192.168.0.1)
    6. Set “Subnet Mask” = 255.255.255.0
    7. Set “Gateway” = local IP of the VDSL Modem (E.g.: 192.168.1.1)
    8. Set “Local DNS” = local IP of my NAS
    9. Set “DHCP Type” = DHCP Server
    10. Set “DHCP Server” = Enabled
    11. Set “Static DNS 1” = 0.0.0.0 (Later, I set here the IP of my ADSL Modem, which is configured to forward the DNS requests to my Internet provider. I could also have used Google DNS: 8.8.8.8 or 8.8.4.4)
    12. Set “Static DNS 2” = 0.0.0.0
    13. Set “Static DNS 3” = 0.0.0.0
    14. Set “WINS” = 0.0.0.0
    15. Set “Use DNSMasq for DHCP” = unchecked
    16. Set “Use DNSMasq for DNS” = unchecked

This is working for me but, DNSMasq being disabled, there is no caching of the DNS name resolution or even of the NetBIOS names (DNSMasq can intelligently add DHCP leases to its DNS database, providing local name lookups for any DHCP client, static or dynamic). And resolving names seems quite slow to me for the browsers. So, I decided to try to enable DNSMasq.

  1. Back into the Tab “Services”,
    1. Set “DNSMasq” = Enabled
    2. Set “Local DNS” = Disabled (If I enable it, I lose access to the Synology DNS ?!)
    3. Set “No DNS Rebind” = Enable
    4. Set “Additional DNSMasq Options” = (I kept it blank but was hesitating to enforce a strict order on the DNS to be used to resolve names):
      1. strict-order
      2. dhcp-option=6,<NAS IP comes here>,8.8.8.8,8.8.4.4 (ex.: I use here the open DNS of Google).
  2. Finally, in the tab Setup > Basic Setup
    1. Set “Use DNSMasq for DHCP” = checked
    2. Keep “Use DNSMasq for DNS” = unchecked (If I check it, I lose access to the Synology DNS ?!)
    3. Set “DHCP-Authoritative” = checked.

I am actually not convinced this is correct and improving the resolution in any way. So, “to be continued”… But in the meantime, I can access my blog with its fully qualified domain name from both my Intranet and Internet and know a bit more about DNS configuration :p

Notice: You can have a lot of trouble while testing the various settings on the DD-WRT as many values are cached either on the Synology or on your PC. Ideally, you should reboot all the devices after each change in the router settings. At least, reset the network interface of your NAS (telnet as root and execute /etc/rc.network restart) and renew your PC network settings (ipconfig /release and ipconfig /renew). Best would be to do that after a Router reboot (telnet as root and execute reboot)