Using a VPN instead of exposing individual services means that you only have to harden one thing — something that was really designed with security in mind — instead of managing security in a bunch of different places, some of which may not have great options, and you also only have one service's worth of potential security vulnerabilities and updates to track.
It never matters that a comment is old if the information is still valid. Sometimes I reply to really old comments.
I’m using WireGuard on my Raspberry Pi without any problems.
I actually haven’t even touched (barely even logged in to) that Raspberry Pi in years (I had set it to auto-update and reboot every day at 4am). So I am, ironically, probably too rusty to help you with your problem.
If I was having issues now, I would try pasting my configuration into ChatGPT and also in Claude.ai and ask them to debug it.
You’re correct that a VPN limits port exposure; port forwarding also limits which ports are exposed. Presumably, only limited and necessary secured ports are exposed, which is kind of the point.
It’s important to remind people that no solution is a complete solution.
Yeah, OpenVPN is an option straight from DSM on the Synology NAS, so I’m hoping it’ll be the same as my normal network throughput. I’ll go with a VPN then. Cheers for your advice.
That’s pretty good. I get 100Mbps up and down, so I hope mine’s the same.
Ah, yes. But you can get a self-signed certificate with an IP.
Ignore the warning; you know you signed it.
I’m just tired of having to reinstall a fresh install and then going through everything again. I’m using mine for my miniDSP 2x4HD for my home theater, to send BEQ files onto it from my phone. Then I put Pi-hole on. But every time I do the port forwarding before WireGuard, it works fine. Turn off my wifi on my phone and use my data, and I check on whoer.net to confirm. Then I do the script for the WireGuard, and then it all goes downhill. In fact, it always ends up taking down my router… to the point I thought I was getting middlemanned (what I got after putting on a new fresh boot of the RPi OS), which took me forever to find a code to remove the SSH key. Now, on my 3rd day, I have all the scripts for the miniDSP and Pi-hole on a notepad, and all the key scripts I use. So now it doesn’t take long to set all that up.
Edit: I just got done now with doing a fresh install and got my minidsp-rs and Pi-hole installed… and have it all working. I’m just debating whether to try the WireGuard again or skip it completely. I want to set up a NAS on it instead of using Google Drive all the time, but I couldn’t get that set up either. IIRC I had a different bit installed than what they wanted and found out at the end, so again I had to do another fresh OS install… I tried to uninstall the MSO with sudo apt remove openmediavault and sudo apt uninstall openmediavault.
Absolutely agree that no solution is complete. That said, it is equally important to ensure people understand levels of exposure and risk. For example, opening ports 22 and 443 exposes you to more kinds of potential attacks than just 443. That does not mean your exposure is limited, as exposing any common port means you are susceptible to a significant amount of potential attacks. In the File Station example, you are susceptible to attacks directly against the Synology software and the underlying web host just by exposing the web port. Also, web-based attacks are some of the most common. Using a VPN significantly reduces your exposure vs port forwarding, as 0 ports is better than any number of ports.
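The exposure argument made in the first comment (harden one entry point) and in the comment above (every forwarded port is a reachable service) can be made concrete with a small audit. The script below is an added example, not code from any of the commenters: it parses a constructed `ss -tulnp`-style listener table from a hypothetical NAS/Pi and a constructed router port-forward table, and reports which listening services the WAN can actually reach under a port-forwarding setup versus a WireGuard-only setup. The interface addresses, process names and rule sets are all assumptions for illustration.

```python
"""Attack-surface audit: which local listeners does the router's port-forward
table actually expose to the WAN?  Added example for this thread; the listener
table, interface addresses and forward rules below are constructed, not captured."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of `ss -tulnp` output on a home NAS/Pi.
# The WireGuard socket is kernel-owned, so ss prints no users:(...) column for it.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:51820      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=512,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=600,fd=6))
tcp   LISTEN 0      511    0.0.0.0:5000       0.0.0.0:*         users:(("synoscgi",pid=620,fd=7))
tcp   LISTEN 0      128    10.8.0.1:53        0.0.0.0:*         users:(("pihole-FTL",pid=700,fd=5))
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=800,fd=4))
"""

LAN_IP = "192.168.1.10"   # assumed LAN address the router forwards to
WILDCARDS = {"0.0.0.0", "*", "[::]"}

# Assumed router configurations to compare.
PORT_FORWARDING = {("tcp", 22), ("tcp", 443), ("tcp", 5000)}  # SSH, HTTPS, DSM
VPN_ONLY = {("udp", 51820)}                                     # WireGuard only

LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(text):
    """Turn ss-style output into Listener records; header and odd lines are skipped."""
    listeners = []
    for line in text.splitlines()[1:]:
        m = LINE_RE.match(line)
        if not m:
            continue
        listeners.append(
            Listener(m["proto"], m["addr"], int(m["port"]), m["proc"] or "kernel")
        )
    return listeners


def wan_reachable(listener, lan_ip=LAN_IP):
    """A forwarded packet only reaches sockets bound to the wildcard or the LAN address.
    Loopback-only or VPN-interface-only binds stay unreachable even if a rule forwards
    that port, which is the cheap mitigation for services that need no WAN access."""
    return listener.addr in WILDCARDS or listener.addr == lan_ip


def exposed_services(listeners, forwards, lan_ip=LAN_IP):
    """Services an unauthenticated internet host can talk to under these forward rules."""
    return sorted(
        (l.proto, l.port, l.process)
        for l in listeners
        if (l.proto, l.port) in forwards and wan_reachable(l, lan_ip)
    )


def compare(text=SS_OUTPUT):
    """Exposure under port forwarding vs a WireGuard-only forward, for a quick report."""
    listeners = parse_ss(text)
    return {
        "port_forwarding": exposed_services(listeners, PORT_FORWARDING),
        "vpn_only": exposed_services(listeners, VPN_ONLY),
    }


if __name__ == "__main__":
    for scenario, services in compare().items():
        print(f"{scenario}: {len(services)} WAN-reachable service(s)")
        for proto, port, proc in services:
            print(f"  {proto}/{port} -> {proc}")
```

Under the forwarding scenario the audit lists three distinct codebases reachable from the internet (sshd, nginx and the DSM web stack); under the VPN scenario it lists one UDP socket, which for WireGuard also does not answer packets that fail authentication. The Pi-hole resolver bound to the VPN interface address never shows up as exposed even when port 53 is forwarded, which is the "bind to the tunnel interface" pattern worth pairing with any VPN setup.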
MacBook Pro isn’t an issue; when I use Visolity I can direct all traffic through the tunnel. I was already happy being able to connect to the NAS using my iPhone.
Let me repeat that, as far as the NAS is concerned, it has no idea it’s using a tunnel. The UTM does all the tunneling, firewalling and proxying. If the NAS has to maintain the tunnel(s) itself, it can turn out to be a bit underpowered. But you’ll notice, I’m sure.