Sometimes you want to be able to access your applications outside of your home network. All of the applications that we setup in the Installing Media Server Applications on Synology series are currently only available if we’re on our network. I’m going to discuss a few ways to make them available when you’re away from home.
This is probably the easiest method to setup but it has significant drawbacks. With this method you create an external port and map it to an internal port (which is very similar to the port mapping we did for our docker applications). Then if you know the IP address that your Internet Service Provider is presenting your modem as you can use that IP and the ports that you’ve mapped to access your home network.
The drawbacks are that remembering an IP address is kind of a pain. Some ISPs change their external IP addresses occasionally, so you’ll have to change the IP address you use to access your network. Also you’ll have to manage your port forwarding and potentially expose a lot of ports to the internet. Every port you expose is like leaving a window or door unlocked in your house.
There are services like no-ip which will give you a DNS address that you can map to your IP which can reduce the effort of remembering IP addresses and use a easy to remember domain name, but you’ll still have to change out the IP address when your ISP changes.
Run your own VPN
Now that you’ve got docker running you can find a docker image and run your own VPN which will let you ‘log on’ to your home network externally. This is probably the most secure solution, but it will involve a more complicated setup (which I’ll probably do as a separate course). However, this does limit you to exposing your services to users who are more savvy. For example, if I want to let family queue up movies to download or I want to do that from my phone away from home, we’ll need to install and configure VPN clients on those devices so that we can access the services inside the network. I don’t want to spend my time playing tech support, so I wouldn’t use a VPN for this.
Reverse Proxy Server
A reverse proxy server allows me to open a single port (in this case port 80) and based on the request DNS coming in, forward that request to one of the services running in my instance. In order for this to work, I will need a domain name. These are cheap and easy to get and generally easy to configure. This makes accessing the applications outside of your network extremely easy. Plus having your own domain name really ups the nerd cred. You’re running a network in your home, its time to step up! Finally, synology comes with some really easy to use reverse proxy software, so it’s a challenge anyone can tackle and I’m here to show you how.
Get a Domain Name
I use hostinger to buy and manage my domain names. Any one should work though. The software has become super easy to use.
Once you have your domain name, you’ll need to create a single A name entry and a CNAME entry for each service you want to expose.
First lookup your external ISP address here. Then in hostinger create an A entry that points to that. Use a generic c level domain name because we’re not going to use it externally. A c-level name in this example is
Now create a CNAME entry for the c level domain that you want to expose via the reverse proxy. Examples would be
sonarr, portainer (and possibly
plex). An example would look like this
Create all of the mappings that you want. I would probably not expose SABnzbd or Transmission. Sonarr and Radarr are the tools you can use to monitor your download applications. Unless you’re planning to add items to download that aren’t shows or movies when you’re away from home you won’t need them. Also, I’ve found the security for transmission to be a little difficult.
Setup the Reverse Proxy
Log into the Synology DSM, open the
Control Panel and click
Advanced Mode in the top right.
Application Portal. Choose the
Reverse Proxy tab. Click the create button. Enter the configuration for one of your services. Here’s the one I’m going to use for sonarr
This is going to take an https request for sonarr.bullyrooks.com and then forward the request to an http request to 192.168.1.147 port 31080 where my sonarr service is listening. The reverse proxy works off of the hostname so a separate radarr entry will trigger the reverse proxy to redirect to a different host/port. Here’s my radarr config
Create entries for all of the services you want to expose.
We’ll need to open up some ports both to allow traffic in (SSL) and so that we can allow Let’s Encrypt to do its thing. Open up ports for both external 443 and 80 tcp traffic to forward to 443 and 80 on the NAS.
You noticed that we are using HTTPs (via the standard SSL port 443). We’ll need to get a secure certificate to be able to support those requests. We can generate the secure certificate request (CSR) and install the certificate for free and very easily with the built in synology software.
Let’s Encrypt requires port 80 to be open to the world and forwarded to the NAS in order to work. Make sure it is before moving forward.
In control panel open the
Security menu item and go to the
Click Add, choose Add a new certificate and hit next.
Choose Get a certificate from Let’s Encrypt and hit Next
Enter your domain name, the email you used to register it and in subject alternative name, put all of the CNAME entries that you want to use. These are semicolon separated
Once you get your certificate, click on the domain to highlight it and click the
Configure button. In this next screen make sure that all of the c-level domain names are pointing to the correct certificate.
That should be it. You can now hit https://sonarr.mydomain.com to get to your service instance. DEFINITELY MAKE SURE THAT YOUR SERVICES REQUIRE A USERNAME AND PASSWORD TO ACCESS. You don’t want to find out that someone got access to your service and started downloading a bunch of stuff and filled up your NAS.