Safest way to share files via Synology

Hi there!

I would want to be able to share files, say huge videos or other files with substantial size via the share file functionality.
However, my NAS holds important stuff and I am very reluctant to just haphazardly make my NAS available on a public address.

So what would be the safest way to be able to use the NAS functionality like sharing files without putting yourself at risk from trash “humans” like ransomware people, black hats or government protection rackets, i.e. tax collectors?

It would not be practical to set up OpenVPN and then share certificates for example. So what would be a good compromise, and still retain some security? Is it at all possible?

Depends on what you mean by sharing. Assuming you just want to allow others to view your content then just using Synology Photos should do the trick. Open up the Photos ports and leave the rest locked down. If you want to provide write access, that's a much bigger topic and Will has plenty of videos on the topic. My personal approach is to safeguard my personal files with a backup strategy. If a site to site VPN is not feasible then Drive might be a solution to externally share files.

As for safeguarding your files, a 3,2,1 backup is a must. Using Btrfs and snapshots should give you another layer of protection. But if you have the space an immutable copy of our content (write once read many).


Thank you for the reply.

I will have to test sharing with photos. The important thing is that the individual can download the file and that it is isolated from the other files so that the person only gets what I want him to get.

Site to site VPN is fine for me personally, but it is not feasible to ask others to set up VPN to my server just to download a file.

I have not had time to set up a backup strategy unfortunately, but yes, that is key indeed. I did buy tape devices and tapes but need to plan how to use it regularly. I saw the stuff about immutable copies and will have to go back and watch it again so I can start to use the NAS as it is intended. If I only had more time :sweat_smile:

I’m guessing you're going with a photographer's metaphor. You want to share an album with a specific client but don’t want them to access any other clients' photos, let alone your own images & files. Not to mention the same for family & friends sharing.

This is how I use Photos to share images with family. Synology Photos will take care of it all for you. It's just about organizing your albums & workflow for clients. You can use named accounts to share or generic sharing with a URL. Each client gets a URL to access the album. You specify whether a password is needed as well as setting an expiration on the URL. You control what access they have and whether they can download.

Will has a number of really good videos on Synology Photos as well as Lightroom workflow(s), video workflows etc etc …

I am not really a photographer. But sometimes I need to share things in files that bad actors like Google, Apple and others should not see, like if I was to send them to someone that uses these dangerous services.

Even if I was to send something that these bad actors could see, like videos of the Nuremberg trials, most email services do not accept files over 100MB.

I have used like Dropbox many years ago, and am now sharing via ownCloud. But as there are so many issues with ownCloud I would like to find another solution.

Right now it looks like I have to spend some energy on figuring out a backup plan and then putting my Synology on the public internet. Scary though.

Anyway, thanks for the pointers :+1:

Curious what direction you decided to go.

I pretty much have the same requirements. Running a DS923+ for a small company that needs to share project files with clients. The sharing feature works well, but it does open the NAS up to the Internet.

We’ve been allowing a single download for 1 user with the links to expire in a week. The “public” address that the client sees is obscured but I’m still a little uneasy about it. The NAS is locked down with secure passwords, 2FA, etc. and all the other recommended security stuff.


In addition to all the advice I read here, you could consider a second NAS and sync the files to share to that NAS. If purchasing additional hardware is not in your plan, think about Virtual DSM in a virtual machine.


You can use the specific login portal that Synology supplies for Photo Station and its other applications. On your DSM check out: Control Panel > Login Portal > Applications and scroll down to Synology Photos. From there you can set up a very specific portal to access the Photos app for the public. Click on Synology Photos and then on Edit to set it up. There is substantial documentation on how to do it.

You can set up limited user access and enable 2FA if password protection is not enough.


Thank you for all the great tips.

So far I have not had a ton of time to find solutions. But I have made a port available on the public internet. But then I have had a ton of issues.

I have bought a wildcard domain certificate. And the plan was to use this on my pfSense firewall facing the internet and also for all the servers inside my network.

However, as I am as ignorant as a stroke ridden npc when it comes to networking I did not realize that using subdomains and certificates is not trivial. Right now I am using HAProxy to steer the subdomains to the correct IP. But, as HAProxy is unable to view inside the content it cannot see the subdomains without running in http/https mode and setting up itself as an endnode, then running the internal call to the Synology NAS without encryption.

As I do not like unencrypted traffic running anywhere I kind of got it set up so that it now works with the correct certificate, but now the port on the “outside” redirects to the correct port internally. However, now my photo sync with Synology only works when I am on the outside as you only set up one server and port in the photos app. So when you have different ports externally and internally the stuff does not work.

Sure I guess I could run the same port externally, but I am kind of uneasy with running real services on default ports.

I think the solution is in doing some NAT magic, but so far no luck.

How do you guys solve the issue with certificates and subdomains and at the same time trying to shield your NAS from unnecessary threats?

Maybe it is just better to buy a small spinning rust Synology and just make a backup of the whole thing and then take bigger risks?
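
For the HAProxy and subdomain question in the post above, one arrangement that routes by subdomain while keeping the internal leg encrypted is TCP-mode routing on the TLS SNI field. This is an added example, not a configuration from the thread; the hostnames, addresses, ports and file path are placeholders.

```haproxy
# Added example (not from the thread). Placeholders, to be replaced:
#   files.example.com -> NAS at 10.0.0.20:5001
#   app.example.com   -> another internal server at 10.0.0.30:8443

defaults
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# TCP mode: HAProxy does not decrypt anything. It reads the server name
# from the unencrypted TLS ClientHello (SNI) and forwards the raw TLS
# stream, so the certificate and private key stay on the backend server.
frontend tls_in
    bind :443
    mode tcp
    option tcplog
    # Buffer the start of the connection until the ClientHello has arrived.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Route on the requested hostname; -i makes the match case-insensitive.
    use_backend nas_passthrough if { req.ssl_sni -i files.example.com }
    use_backend app_passthrough if { req.ssl_sni -i app.example.com }
    # Unknown or missing SNI (scanners hitting the bare IP) goes nowhere.
    default_backend drop

backend nas_passthrough
    mode tcp
    server nas 10.0.0.20:5001 check

backend app_passthrough
    mode tcp
    server app 10.0.0.30:8443 check

# Intentionally empty: no server, so the connection is refused.
backend drop
    mode tcp

# Alternative when HTTP-level rules are needed: terminate TLS at HAProxy
# (mode http, certificate on the bind line) and re-encrypt towards the NAS
# instead of using plain HTTP internally, for example:
#   server nas 10.0.0.20:5001 ssl verify required ca-file /path/to/ca.pem sni str(files.example.com)
```

With passthrough, the NAS itself must present a certificate valid for the hostname the client requested, since HAProxy never takes part in the TLS handshake.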