I bought the NAS originally as a replacement for cloud backup. The back-story I'll cover in another post, but essentially it was to avoid leaking all my secrets into the great unknown (don't care about utility bills and CVs - but what about Passkeys, scans of passports, banking details and so on?)

Since purchasing, it's been augmented with a UPS, because the reliability of the grid and home wiring in Australia has been shocking. And there's no point having backups if one zap means they're all gone.

So I'm starting to feel like its purpose and limitations are clearer to me, and thought I'd write the post I wish I could have read when I was deciding to buy it.

Synology NASs can do anything

I'm talking about the slightly bigger ones, generally the two-bay versions and up. Most of these have decent, multicore processors.

DiskStation Manager (DSM) 7.2, the operating system that runs the NAS, is due out in a few days. Out of the box, DSM lets you do a mind-boggling list of things:

  • Multiple RAID options for making your data fast and available
  • Manage users and groups, using the NAS or an external provider, secured with 2FA
  • Set up file sharing for Windows, macOS, Linux, rsync, FTPS and more acronyms (i.e. access files over a network share, or via a remote connection)
  • Time Machine backups for your Mac
  • Automatically look after security and updates
  • Provides a desktop-like file explorer and NAS manager in your browser
  • Easy remote access, using a variety of options, or none at all.

And then it has a store, where a whole lot more can be done for free:

  • Add docker support
  • Manage and run virtual machines on the NAS (the number limited by your NAS' processing capability, so buy wisely if you want this)
  • Add file syncing (like OneDrive and Dropbox) for your home folder
  • Add a web-based Office system for editing your files in a browser
  • Add a complete Photos manager with face recognition and advanced metadata, like Google Photos / Apple Photos
  • Video and Audio managers to complement the photos
  • Note-taking system with apps for your devices
  • Back up your enterprise cloud, e.g. a whole Microsoft 365 tenant
  • Back up your NAS to cloud storage providers
  • Run a full mail exchange and/or calendar server on your NAS, with mail clients in the browser
  • Use your NAS as a DHCP server, DNS server, VPN server or RADIUS server
  • Use your NAS to record surveillance camera streams, with a web app to view them
  • Run an OAuth server against your users to provide single sign-on for any other apps that support it
  • Sync between NASs for a multi-site setup
  • And the store, Docker and Virtual Machines allow for so much more

But I don't want to run technical support for the rest of my life, and I want it to be secure and reliable

All of that is great, the possibilities are literally endless.

But the purpose for me, the sweet-spot, and the reason for shelling out for a Synology, and not just hardware and Linux, was that I want it to (as close as possible) just work.

So I don't want to use its full potential; I want to use the subset of things that a) I need and b) will work, securely. I decided to carefully pick the options that fit inside that, and discard the rest, or use cloud services for them.

For example, I'd rule out fronting the services up to the internet so I can access them from anywhere, because I don't know enough about whether they are secure, or how to keep them that way. And I'd rule out custom builds in the Docker/VM environment that need TLC and a tickle every third Wednesday to keep them running.

I also know that running everything it could ever do would make it slow and probably be a waste of my time and the NAS' time. I'd never use all the features anyway. They'd be fighting for resources, and making the features I do use less reliable and slow. If you go off-roading, and you run a wedding car service, you buy two cars.

So what do I use it for?

The basics

I definitely use it for the mission-critical stuff it can do, and the things it can comfortably do. The things I really bought it for.

  • Providing network storage and a backup destination for the computers. A no-brainer. I have separate accounts for the users and their backups. Each user has a home volume, and access to a separate volume announced as a Time Machine destination.
  • The home volume allows users to chuck large files at it, or infrequently accessed files or anything else. It's accessible via network share (SMB).
  • A Documents folder in each home volume is also synchronised to the relevant computers using Drive Server (think Dropbox/iCloud/OneDrive). This works everywhere in the world, and is available offline. As well as the personal Documents folders, Drive synchronises shared volumes like a Household one.
  • I've added the Office plugin to Drive, which adds a Microsoft 365-like experience. It can view Office files, and edit in its proprietary format. It can't save (only export to) Office files, but it is useful in a pinch.
  • Photos and Videos are also both hosted on the NAS. The Photo app on the phone and on the web are both brilliant. I think a decade of photos were imported and processed overnight. There's a Video app for the Apple TV, too, so you can watch your movies from other devices.

The intermediates

There's some stuff I'll tolerate, because the benefits outweigh the "cost".

  • I've set up a personal, web-accessible, Gitea instance. It's efficient because it uses Docker. How I have shared this safely is covered below.

The excluded

I do not want to do anything with it that's mission-critical from the outside world, or not best suited for a NAS. Constraining factors? Anything too hard to look after (even if I could get it working), or because it's on a personal broadband line, or because it undermines security of the unit.

  • No hosting of websites, blogs, etc. (even with super-fast broadband, that's silly). It could be safely done from Docker, or a VM, but why not a free service like Render, Fly, GitHub Pages or Vercel, or a $2 VPS in the cloud?
  • Definitely not hosting mail. I used MIAB (Mail-in-a-Box) for a while, on a Linode VPS, and then moved to Fastmail. They're indie, affordable and flexible. Don't put mail servers on your domestic broadband: residential IP ranges are widely blocklisted by other mail servers, and the address usually isn't static anyway.
  • Nothing else that competes with the objective of available, secure, fast file sharing and backup. I'd prefer to get another machine running.

What would I do if I had the need?

There's some other no-brainers, but I don't need them or want them. But if you bought a NAS, and needed these, I'd recommend using them:

  • The CCTV integration / surveillance stuff is great, and it's much better hosting videos of you in your birthday suit on your own server than on someone else's. Just remember to keep the NAS physically secure somewhere, and ideally copy the footage off-site, in case there really is a break-in: the NAS itself can walk out the door with the burglar.
  • There's a native Plex add-on, which is a home media system. Definitely worth adding if you're into that. It could be supported by Download Station (automatic BitTorrent downloads) and Docker containers doing things like fetching thumbnails and transcoding for you.

How do I keep it secure?

I've really gone full circle on this, and tried so many things out. I usually set up something I like, and then read a reddit post that says the world will end if I do that and so I panic and undo it.

I'm not sure publishing my setup on the internet is a great idea, but here goes.

First off: turn on MFA for all meaningful accounts, i.e. admin and user accounts, and leave DSM's built-in "admin" account disabled (DSM 7 disables it during setup; don't re-enable it).

Securely accessing the NAS anywhere

This is so easy in 2023 it's untrue. There are two main options, and I much prefer the second one:

Set up a VPN server

One comes with the NAS (the VPN Server package). Turn it on, then poke a hole in your router and forward a single port to the NAS. OpenVPN's default is UDP 1194, but forwarding TCP 443 instead gets it past most hotel and café firewalls, which rarely block HTTPS. Tell your laptop, phone etc. to use that VPN. That forwarded port is the only thing on the NAS reachable from the internet, so keep the VPN Server package updated, and never forward the DSM ports (5000/5001) themselves.

Set up Tailscale

This is my preferred option. You can only sign into Tailscale with an identity provider of your choice (e.g. Apple, Google, GitHub and many more), so you have to get that going first.

If all devices will sign in as you, just go with what's easy. If you want to share with family, you'll need group accounts. The easy and free way to do this is to set up a family organisation on GitHub, add your family members, and sign into Tailscale with that organisation.

Then sign into Tailscale by clicking the appropriate button and follow the steps. Tailscale will help you from here, but the gist of it is: you add Tailscale to each device (phone, laptop, NAS) and sign them in. The DSM store has a Tailscale app that's one click from being installed to help.

The devices then form part of an automatic, private, virtual network (a "tailnet"). Each device gets a private IP address (in the 100.64.0.0/10 range, so it can't clash with your home LAN) and a name, both only reachable when both devices are connected to Tailscale.

It is probably worth telling Tailscale that you don't want the NAS's key expiring (via the admin console at Tailscale); otherwise you'll need to re-authenticate the NAS periodically. Do that for the NAS only: leave expiry on for laptops and phones, and if one goes missing, remove it from the admin console straight away.

In summary: add Tailscale, sign in on each device, done.
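What the GitHub-organisation sharing buys you is the ability to say who may reach what. Tailscale does this with an ACL policy (a HuJSON file in the admin console) that is default-deny: nothing flows unless an "accept" rule matches. As an added example, not part of the original post and not Tailscale's code, the following Python mirrors the shape of such a policy and evaluates it for a few constructed cases: the tailnet owner reaches everything, family members reach the NAS only on SMB and DSM HTTPS, everyone reaches their own devices, and anything else is denied. The logins, group and tag names, and the subset of selectors it understands are assumptions; the real engine supports far more (IP ranges, grants, autogroup:internet and so on).

```python
"""Toy evaluator for a Tailscale-style ACL (added example, not Tailscale's code).
POLICY is constructed in the shape of the HuJSON you paste into the admin console:
"groups", "tagOwners" and a list of accept-only "acls". Default deny throughout."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed identities: the tailnet owner and two family members who signed in
# through a GitHub organisation, as described above.
ADMINS = {"owner@github"}
MEMBERS = {"owner@github", "alice@github", "bob@github"}

POLICY = {
    "groups": {"group:family": ["alice@github", "bob@github"]},
    # Only admins may apply tag:nas, so a family member cannot re-tag their
    # own laptop and inherit the NAS rules.
    "tagOwners": {"tag:nas": ["autogroup:admin"]},
    "acls": [
        # Admin reaches every device on every port.
        {"action": "accept", "src": ["autogroup:admin"], "dst": ["*:*"]},
        # Family reaches the NAS only on SMB (445) and DSM HTTPS (5001).
        {"action": "accept", "src": ["group:family"], "dst": ["tag:nas:445,5001"]},
        # Everyone reaches their own devices on any port.
        {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self:*"]},
    ],
}


@dataclass(frozen=True)
class Node:
    name: str
    owner: str | None = None        # login of the owning user
    tags: frozenset = frozenset()   # tagged devices (the NAS) have no owner


def _user_matches(selector: str, login: str | None, policy: dict) -> bool:
    """Selector is a login, "group:x", or "autogroup:admin" / "autogroup:member"."""
    if login is None:
        return False
    if selector == "autogroup:admin":
        return login in ADMINS
    if selector == "autogroup:member":
        return login in MEMBERS
    if selector.startswith("group:"):
        return login in policy["groups"].get(selector, [])
    return selector == login


def _src_matches(selector: str, src: Node, policy: dict) -> bool:
    if selector == "*":
        return True
    if selector.startswith("tag:"):
        return selector in src.tags
    return _user_matches(selector, src.owner, policy)


def _host_matches(selector: str, src: Node, dst: Node, policy: dict) -> bool:
    if selector == "*":
        return True
    if selector == "autogroup:self":    # "my own devices": same non-tag owner
        return dst.owner is not None and dst.owner == src.owner
    if selector.startswith("tag:"):
        return selector in dst.tags
    return _user_matches(selector, dst.owner, policy)


def _port_matches(spec: str, port: int) -> bool:
    """Port spec is "*" or a comma list of single ports and lo-hi ranges."""
    if spec == "*":
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def allowed(src: Node, dst: Node, port: int, policy: dict = POLICY) -> bool:
    """Default deny: the connection passes only if some accept rule matches it."""
    for rule in policy["acls"]:
        if rule["action"] != "accept":
            continue
        if not any(_src_matches(s, src, policy) for s in rule["src"]):
            continue
        for target in rule["dst"]:
            host, _, ports = target.rpartition(":")   # "tag:nas:445,5001" -> host, ports
            if _host_matches(host, src, dst, policy) and _port_matches(ports, port):
                return True
    return False


# Constructed devices.
NAS = Node("nas", tags=frozenset({"tag:nas"}))
OWNER_LAPTOP = Node("owner-laptop", owner="owner@github")
ALICE_LAPTOP = Node("alice-laptop", owner="alice@github")
ALICE_PHONE = Node("alice-phone", owner="alice@github")
BOB_PHONE = Node("bob-phone", owner="bob@github")

if __name__ == "__main__":
    for src, dst, port in [(ALICE_LAPTOP, NAS, 445), (ALICE_LAPTOP, NAS, 22),
                           (OWNER_LAPTOP, NAS, 22), (ALICE_LAPTOP, BOB_PHONE, 22),
                           (ALICE_LAPTOP, ALICE_PHONE, 22), (NAS, ALICE_PHONE, 445)]:
        verdict = "accept" if allowed(src, dst, port) else "deny"
        print(f"{src.name} -> {dst.name}:{port}: {verdict}")
```

The tagOwners entry matters as much as the rules: if ordinary members could tag their own laptops as tag:nas, they could grant themselves whatever the NAS is allowed. Note also that the NAS, as a tagged device with no owner, cannot initiate anything to the phones; only the reverse is permitted.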

Routing to the device and apps with ease

So how do you find devices (like the NAS) easily? When you configured it, you got a fixed IP address for it on your local network. But a) that's hard to remember and b) that only works at home.

The VPN / TailScale will give the NAS a fixed IP address that works everywhere, as long as you're connected. Closer.

So you need some kind of address resolution that works wherever your devices are. There are three main options:

  • Easy: Let Tailscale do it. MagicDNS gives each device a name and sets up the search domain, so as long as you're signed in you can reach e.g. "nas.tailfe8c.ts.net" privately, and from anywhere. Once HTTPS is enabled in the admin console, Tailscale can also issue a Let's Encrypt certificate for that name, so you get a padlock without exposing anything.
  • Hard: Push Tailscale / your VPN a bit harder: set up a DNS server on your NAS (directly, or as a Pi-hole) and tell your local network and Tailscale to use it for resolution. You can then point your local subdomains at the NAS with A/AAAA records (e.g. "nas.home" > "100.100.100.2"). If you go this way, "home.arpa" (RFC 8375) is the name reserved for exactly this purpose.
  • Medium: Register a domain name on the internet, and set up records there that use your tailnet IP addresses. For example *.ourhome.com would point at 100.100.100.2 (or whatever). This requires no DNS trickery or special cases. If you're connected to your tailnet, the addresses resolve to your NAS. If you're not, like everyone else, the IP addresses are meaningless, because 100.64.0.0/10 isn't routable on the internet. Two things to check: publish only the tailnet address, never your LAN or public one, and be aware that some routers' DNS rebinding protection may drop public answers that point at private ranges, so if the name resolves on mobile data but not at home, that's why.

I'm still torn between these options, to be configured this week, but leaning towards option 3. The sadist in me wants to use option 2, but I can see telling my other half to set up phones etc to work like that being a blocker. It also flies against "not being local IT support".

Everything, everywhere, all at once

So now all that's done, how do you use it? Set up Web Station on your NAS (one click), and when you add virtual machines or Docker containers, it will prompt you to set up a "web portal" for them. With all your subdomains routed to the NAS's IP, Web Station uses the hostname in each request to route you to the right app.

So "git.nas.home" will connect through to your Gitea container, and "nas.home" will give you the admin panel, Drive sharing etc. This uses something called a reverse proxy: one listener on the NAS reads the Host header of each request and forwards it to the right internal port. Two things to watch: name-based portals need the subdomain to resolve, so they need option 2 or 3 above (MagicDNS only gives you the bare device name, not subdomains of it), and the portal table should match exact hostnames, so an unexpected name gets an error rather than the DSM login page.
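As an added example, not Synology's code, here is that routing step in Python so the mechanism isn't a mystery: the function pulls the Host header out of a raw HTTP request, normalises it (case, trailing dot, port suffix, IPv6 literal) and looks it up in a constructed portal table. The hostnames and upstream ports are assumptions. Unknown names get a 421 rather than a default backend, and a request carrying two Host headers is refused outright, which is what you want in front of an admin panel.

```python
"""Host-header routing, the way a Web Station portal (reverse proxy) picks an app.
Added example, not Synology's code; hosts and upstreams below are made up."""
from __future__ import annotations

# Hypothetical portal table: hostname -> upstream. Matches are exact on purpose,
# so an unexpected name is refused rather than handed to the DSM login page.
VHOSTS = {
    "nas.home": "http://127.0.0.1:5000",       # DSM desktop, Drive, Photos
    "git.nas.home": "http://127.0.0.1:3000",   # Gitea container
}


def route(raw_request: bytes, vhosts: dict[str, str] = VHOSTS) -> tuple[int, str | None]:
    """Return (status, upstream): 200 and a backend, 421 for an unknown Host,
    400 when the Host header is missing or appears more than once."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    header_lines = head.split("\r\n")[1:]               # skip the request line
    hosts = [ln.split(":", 1)[1].strip()
             for ln in header_lines if ln.lower().startswith("host:")]
    if len(hosts) != 1:                                 # absent or duplicated: refuse
        return 400, None
    host = hosts[0].lower().rstrip(".")
    if host.startswith("["):                            # IPv6 literal, e.g. [fd7a::1]:5001
        host = host.split("]", 1)[0] + "]"
    else:
        host = host.split(":", 1)[0]                    # strip :port
    upstream = vhosts.get(host)
    return (200, upstream) if upstream else (421, None)


if __name__ == "__main__":
    # Constructed requests: known app, known host with port and odd case,
    # unknown subdomain, and a request smuggling two Host headers.
    for req in (b"GET / HTTP/1.1\r\nHost: git.nas.home\r\n\r\n",
                b"GET / HTTP/1.1\r\nHost: NAS.home:5001\r\n\r\n",
                b"GET / HTTP/1.1\r\nHost: attacker.nas.home\r\n\r\n",
                b"GET / HTTP/1.1\r\nHost: nas.home\r\nHost: git.nas.home\r\n\r\n"):
        print(route(req))
```

Exact matching is the point: a wildcard DNS record like *.nas.home means every name under it reaches the proxy, and you want the proxy, not DNS, to decide which of those names are real.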