The NUMBER ONE RULE: DO NOT EXPOSE YOUR NAS TO THE INTERNET!
If you want to access your NAS, then do it on a VPN or using the myqnap cloud service where you can access the NAS on the web via signing in through QNAP and access it there. You don’t need the SSL certs for doing that. You only want the SSL certs if you are putting your NAS on the internet which I said to not do.
Skip the SSL certs - period. You don’t need them for LAN, VPN or accessing your NAS via myqnapcloud.com.
The biggest problem with the myqnapcloud.com is that the only servers for that are in Taiwan and the link is not all that fast.
Your best bet for full access is a VPN. I use a Wireguard VPN set up on my MikroTik router. I also sometimes use a ZeroTier VPN.
Yeah, that’s what I’m actually trying to achieve. Currently I tried to use Tailscale and it looks much simpler than going to set everything up via Cloudflare Tunnel.
I can’t use Wireguard VPN as I would need to somehow tell the client where it should connect to. Having a dynamic IP complicates this a lot.
Dynamic IPs are easy to work around. First of all, your QNAP has a built-in DDNS client that you could use to connect to your external IP for the external domain name. Many routers these days support that as well.
I absolutely love my MikroTik router as it has DDNS built in for the router itself, and the WireGuard VPN is very easy to set up. As long as you copy everything over correctly, it just works and works really well.
Yeah, I have Unifi UCG Max, which also has this option. However I am not sure about how DDNS will work.
My ISP changes my external IP address randomly during one connection without disconnecting me from the Internet. I am not sure if DDNS will be able to resolve these changes so rapidly.
My previous ISP made these changes only at connection time. Once I established a PPPoE connection I received one IP address, which remained the same until disconnect. However, this ISP is a little bit more tricky. Have you faced such cases? Will DDNS be able to help in that case?
Your WAN (internet) IP is likely assigned to you by your ISP via DHCP. DHCP has a specific lease time that the DHCP server uses when assigning the address. During at least 50% of that lease time, your address will not change. At 50% of the lease time, your router (the client) will request an update to its lease. At that time you may or may not get a new IP address. I’ve had the same IP address from my ISP for months. If I reboot my modem, I may or may not get a new IP.
Regardless of how often your external IP address changes, dynamic DNS is designed to get around that. It periodically looks up your WAN address and then updates the Dynamic DNS server with that information. Typically these updates happen multiple times a day. Some DDNS clients allow you to set how quickly the updates happen.
The protocol works very well and all of us who have dynamic IPs and yet want to access our home networks utilize these.
This shouldn’t be possible. Unifi would HAVE to know your external IP changed or your packets won’t route.
Setting up DDNS in Unifi should be the most bulletproof.
Set up keepalive on the server side and it should self-repair so long as your clients don’t shut down during the IP change. Wireguard is pretty resilient.
Worst case use teleport on your phone to get your current WAN IP until DDNS updates.
Yes, unfortunately we are talking about the ISP using CGNAT. So, in the case of CGNAT, as I understand it, UCG Max DDNS + VPN on the UCG Max will not help? Is that correct?
Until now, I have successfully tried Cloudflare Tunnel + Cloudflare Access and Tailscale.
From a technical perspective Tailscale is less complex in terms of settings. However, I am not sure which would provide better security among these.
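
Added example, not written by any poster in this thread: a small check for the CGNAT question raised above, deciding whether DDNS plus an inbound WireGuard listener on the router can work at all. It assumes you read the router's WAN interface address from its status page and the externally observed address from any "what is my IP" service; the function names and sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 6598 shared address space, used by ISPs for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: the router sits behind another NAT device.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip: str, observed_ip: str) -> str:
    """Classify the router's WAN address against the address the internet sees."""
    wan = ipaddress.ip_address(wan_ip)
    seen = ipaddress.ip_address(observed_ip)
    if wan in CGNAT:
        return "cgnat"          # ISP shares one public IP among many customers
    if any(wan in net for net in RFC1918):
        return "private-nat"    # double NAT (modem/router combo or ISP NAT)
    if wan != seen:
        return "translated"     # public-looking WAN IP, but still rewritten upstream
    return "public"             # router really owns the address DDNS would publish


def inbound_vpn_feasible(wan_ip: str, observed_ip: str) -> bool:
    """DDNS + a listening VPN on the router only works with a real public WAN IP.

    In every other case the DDNS record points at an address the router does not
    own, so unsolicited inbound packets never arrive. Outbound-initiated overlays
    (the Tailscale, ZeroTier and Cloudflare Tunnel options in the thread) remain
    usable and still expose no NAS port to the internet.
    """
    return classify_wan(wan_ip, observed_ip) == "public"


if __name__ == "__main__":
    # Constructed samples: (WAN address on router, address seen from outside).
    samples = [
        ("100.72.14.9", "198.51.100.23"),
        ("192.168.1.2", "198.51.100.23"),
        ("203.0.113.40", "203.0.113.40"),
    ]
    for wan, seen in samples:
        kind = classify_wan(wan, seen)
        print(f"{wan:>14} seen as {seen:<14} -> {kind:<11} "
              f"inbound VPN feasible: {inbound_vpn_feasible(wan, seen)}")
```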