Synology drive port 6690 via reverse proxy and DDNS?

I recently decided to get a NAS, and while doing research I found your channel. Your videos prevented me from making a few mistakes and were incredibly helpful in guiding my purchase and then my setup. I ended up getting a DS423+ for my family NAS. I set it up using a DDNS from Synology and a Let’s Encrypt wildcard certificate, changed all the default ports on the Synology, and set up reverse proxies for Photos, Drive, File Station and Audio Station. I also set up the firewall, again following your very clear instructions. I forwarded ports 443 and 80 on my router to get the reverse proxy working. I did not set up a VPN because I’m afraid that the slightly increased complexity means that my family would not use it. My children live in different states, so external access is very important.

All the applications work as expected using the reverse proxy and https, both on mobile and on my PC. The only exception is the Drive client on my Windows PC. As I learned, the Drive client uses its own protocol and port 6690 is hardcoded. So, everything I’ve seen suggests that the Drive client will simply not work with the built-in Synology reverse proxy. It either needs quickconnect, or it needs port 6690 to be open on the router.

Is this correct? Is there no way to make the Drive client on a PC work without quickconnect or without opening port 6690 on the router? Is there perhaps a “fancier” reverse proxy I could set up on a docker container that would work? Or would all reverse proxies have the same problem with the drive client’s non-standard protocol?

If the answer is that the Drive client will not work without quickconnect unless I open port 6690, how big of a security risk is that? I would guess that the Drive app is designed to be open to the internet and relatively fortified. How much of a risk is it? Since it is hardcoded, it is very easy to “find”.

(It would be so much better if Synology either changed the drive client to use http or https like it does on the mobile clients, or at least allowed changing the default port 6690).

| Option | Works with Drive Client? | Secure? | Complex for family? |
|---|---|---|---|
| QuickConnect | ✅ Yes | Medium | ✅ Easy |
| Open port 6690 | ✅ Yes | Medium | ✅ Easy |
| VPN (e.g., WireGuard/OpenVPN) | ✅ Yes | ✅ High | ❌ Slightly complex |
| Reverse Proxy (http/https) | ❌ No | ✅ High | ✅ Easy (but not compatible) |
| Advanced Proxy (Docker, e.g., NGINX or Traefik) | ❌ No | ✅ High | ❌ Complex, still doesn’t work for port 6690 |

Port 6690 is for Synology Drive Server, not for the Drive Client. Port 6690 is used when two NASs with Synology Drive Server sync, also called Synology Drive ShareSync.

In other words, you configured the wrong port, which did not work. You define the port for Drive Client in Control Panel > Login Portal > Applications. Open Synology Drive and configure the https port. The default is 10003.

Happy to hear if this works out well.

Thanks for the advice. I tried what you suggest but without success. Let me detail what I did, and maybe you can help figure out what I am doing wrong?

I am using a Synology ddns domain name, have a reverse proxy on the Synology, and the appropriate ports forwarded on my router. I configured a custom port for Synology Drive in Control Panel > Login Portal > Applications, for both https and http. I also configured an alias and a customized domain:

I then try to connect using the Synology Drive client on my Windows PC. I tried both with and without the ‘drive’ prefix shown above:

I get a connection error every time:

When I try to connect with quickconnect it works perfectly, although the connection is slow.

I know the reverse proxy setup works because this same setup (with the ‘drive’ prefix) works when I open the Drive web client in a browser. It also works for Synology Photos in the browser (obviously a different prefix) as well as on my phone. It works for Audio Station and File Station, but when I try it with the Windows Drive client application it fails to connect.

I mentioned the drive server because at the bottom of the login screen of the client it does say you need the Synology drive server installed on the NAS. Also, when I click on the “troubleshoot” link on the error message I see this:

So I sort of assumed I needed the Drive server and that it only works if I forward port 6690 on my router? What am I missing?

Edited to add: I installed the webdav server on the NAS, and I am able to connect using webdav and the ‘drive’ prefix. So it definitely seems the problem is unique to the Drive client application.

This seems to be consistent with what I am experiencing.

Thanks for this table! So, if I want to keep it simple for my family, it seems my options are either Quickconnect or opening port 6690 on my router. I see you rated both as “medium” security.

I am also trying the webdav server. Between the three options, is there a significant security difference one way or the other?

This was interesting! I have both a VPN and Cloudflare tunnel in use, where the VPN tunnel gives me access to DSM, VMM, docker services ++, while I use the Cloudflare tunnel to give family members easy access to the Drive and Photo services. We primarily use the web portal (which works perfectly!), but I do have one device with the Drive client installed. I can view and open files just fine, but I now see that changes I make to files won’t sync to the NAS until I connect to my LAN or VPN. I’m usually connected through VPN anyway, so I hadn’t really noticed this. It aligns with the error message you posted from Synology, about needing to forward port 6690 on the router.

About your question on port forwarding vs. QuickConnect, I’d assume Synology have decent mechanisms in place to protect the exposed edge of their relay servers. At least better mechanisms than I would have, exposing a port directly to the internet. I’d still say MFA and other security settings are more important than the decision to use QuickConnect vs. port forwarding. If I were you, I would give VPN a shot, and fall back to QuickConnect if that fails. If you get your family members onboard with VPN, you don’t have to expose ports 80/443 to the internet directly either, which is a major security benefit IMO.

I’ll follow this thread to see if any good solutions are posted.