Best way Securing A secondary off site NAS Backup

I am in the process of setting up an off site backup at relatives home. They only have a crappy ISP’s router with minimal safe guards. I watched all the awesome video’s by SpaceRex on off site backups & is Synology secure enough, securing accounts etc. My core question will the NAS’s security features be enough or should I put a better router in front of it or/and even run a VPN between.

I have a slightly more secure network at home and see attempted attacks but nothing get through to the NAS it’s self. I have the same ISP so I know the their router is crappy.

So should I keep quick connect open at a minimum I would need DDNS to reach the device. Would running the NAS as VPN be client better.


So the highest level of security is to use a site to site VPN between the two boxes. But unless you have that setup only opening the hyperbackup port is a great place to start.

If you encrypt the backup through hyperbackup they could never get access to your data even if somehow their was an exploit

I was tempted to set up a site to site VPN. I’ve got the one end but still need the router on the backup end or set up the NAS to run VPN . But the as it’s an old model may not really have the power to be VPN & NAS .

So if you are just backing up a single NAS you can use the main NAS as an openVPN server, and then have the offsite NAS automatically connect back.

Though I will say that can be a huge pain. Sometimes the backup will just not reconnect to the VPN server

That’s essentially what I have set up now except the VPN server is running on my home Tplink Omada hardware instead of the home Nas.

Everything works but host names resolution ofcoure. I’m assuming set up a DNS on the synology would resolve that.

Not sure if this is possible but is there a way to define in the Hyperbackups target host to still work if the VPN dropped. Ie DDNS or VPN…

Spoke too soon … Works but the VPN drops out after a few Hrs and the Synology fails to reconnect.
The Nas is set to try to reconnect. According to the router the pipe is still up just no client. I’m not using OpenVPN but L2TP/IPSec.

Ok I answered my own question.
Seem the issues is common to Synology. THe auto reconnect does not wokr. Here is a blog page with one of the best VPN reconnect scripts to address the issues. This guy seem to know what he’s doing and requires no modification to the script in default mode.

I have had a much better experience and don’t need to use this anymore on dsm 7

Other option would be something like this: