Secure Synology with VPN

Hi,
I keep seeing posts saying to use VPN to truly secure the NAS from outsiders. Is there a good video showing how to do this with Tailscale and the like? If I want to use C2 as a cloud backup or sync Dropbox to a folder, wouldn’t the VPN block those services from working? Wouldn’t it block quickconnect and activeinsight as well? I’d love to lock down the NAS with a VPN but I’m trying to wrap my head around how exactly you guys are doing it? I’d like to keep the local SMB network unaffected too. How are you guys configuring this magical VPN encapsulation? I really want to do it but don’t see how you handle all these scenarios. Thanks!

Tailscale and Zerotier by default do not affect your NAS network usage. It only creates a P2P tunnel that allows you to connect to the NAS from the outside without port forwarding.

It only works for connections between two devices. All other connections will not pass through the VPN unless you additionally enable full tunnel.

That’s why I’m assuming it’s a full tunnel VPN scenario to protect the NAS. But if the cloud services such as Dropbox, C2, active insight, etc do not have a VPN connection to the NAS then they won’t be able to see it. Hoping I can get good clarification on how exactly everyone is using VPN to protect the Synology NAS while still exposing it to these services…

When the NAS is behind the router. By default, it will only deny entry but not out.

Dropbox, C2, active insight etc. are all connected from the NAS. There is no blocking.

And you want to connect to your NAS from the Internet. It is entering. By default, it will be blocked. So you need port forwarding or VPN.