How to configure Cloudflare on Synology
To protect internal resources, we will configure Cloudflare as a reverse proxy that exposes internal services through a tunnel connection to the Synology NAS. Please note that the following instructions require a credit card (you will not be charged) and a domain name under a TLD. I presume the credit card is required for identity verification purposes.
Log in to your Cloudflare dashboard (if you do not have an account, create one for free) and click Add Domain. Type in the domain name, select Quick scan for DNS records and click Continue, then select Free and click Continue. Review the DNS records discovered by Cloudflare and click Continue to activation. In section 3 you will find the Cloudflare nameservers that your domain must use in order for Cloudflare to manage its DNS records. Update the nameservers with your domain registrar. Once the nameservers are updated, click Continue and then Check nameservers now. Please note that it might take some time before Cloudflare acquires DNS management; you will receive an email once this process is done.
On your Synology NAS, make sure that Container Manager is installed and running.
In the Cloudflare dashboard, click Zero Trust in the left pane, click Network and then Tunnels. Click Create a tunnel and select Cloudflared. Name your tunnel and click Save tunnel. Click Docker, copy ONLY the token, and paste it into the configuration for the Docker container (replace YOUR TOKEN HERE with your actual token).

```yaml
version: "3.3"
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel run
    environment:
      - TUNNEL_TOKEN=YOUR TOKEN HERE
```
Copy the entire Docker container configuration. On your Synology NAS, open File Station and create a folder named docker at the root of the file structure. Create a new folder named cloudflare_tunnel under the docker folder. Start Container Manager, click Project and click Create. Enter cloudflare_tunnel as the Project name, click Select and choose the cloudflare_tunnel folder created previously, under Source select Create docker-compose.yml and paste the Docker container configuration. Click Next, click Next again, select Start the project once it is created and then click Done. Once the container has been created and is up and running, you can confirm it in the tunnel overview dashboard.
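The compose file above carries the tunnel token in clear text, and that token is all anyone needs to run a connector for your tunnel. The following shell script is an added example (not code from the original post or from Cloudflare): it writes the same project layout, but references the token from a Compose `.env` file created with mode 0600 instead of embedding it, and includes a check that flags a compose file with a literal token. It assumes Container Manager passes the standard Compose `.env` file in the project folder through to docker-compose, and that the project folder lives under `/volume1/docker/cloudflare_tunnel` (both assumptions, not verified against a specific DSM version).

```shell
#!/bin/sh
# Added example: keep TUNNEL_TOKEN out of docker-compose.yml.
# Assumption: Container Manager honours the Compose .env file in the project folder.
set -eu

# write_tunnel_project <project dir> <tunnel token>
# Writes docker-compose.yml (token referenced, not embedded) and a .env file
# holding the real token, readable only by its owner.
write_tunnel_project() {
    project_dir=$1
    token=$2
    mkdir -p "$project_dir"
    cat > "$project_dir/docker-compose.yml" <<'EOF'
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    command: tunnel run
    environment:
      - TUNNEL_TOKEN=${TUNNEL_TOKEN}
EOF
    # umask 077 inside a subshell so .env is created 0600, not world-readable
    (umask 077; printf 'TUNNEL_TOKEN=%s\n' "$token" > "$project_dir/.env")
}

# compose_has_literal_token <compose file>
# Returns 0 (true) if the value after TUNNEL_TOKEN= is a literal secret rather
# than a ${TUNNEL_TOKEN} reference. Run this before backing up or sharing the file.
compose_has_literal_token() {
    grep -E '^[[:space:]]*-?[[:space:]]*TUNNEL_TOKEN=' "$1" \
        | grep -qvE 'TUNNEL_TOKEN=\$\{?TUNNEL_TOKEN\}?$'
}

# Usage: sh setup_tunnel.sh /volume1/docker/cloudflare_tunnel "<token from dashboard>"
if [ "$#" -eq 2 ]; then
    write_tunnel_project "$1" "$2"
    if compose_has_literal_token "$1/docker-compose.yml"; then
        echo "WARNING: literal token found in $1/docker-compose.yml"
    else
        echo "ok: token is referenced from $1/.env"
    fi
fi
```

Run it once over SSH on the NAS (or prepare the two files elsewhere and copy them into the project folder), then create the Container Manager project from the existing docker-compose.yml instead of pasting the token into the editor. If you later rotate the token in the dashboard, only `.env` needs to change.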
Click the three dots on the newly created tunnel and select Configure. Click Public hostname and then Add a public hostname. In this example we will expose the Synology NAS Management Interface; the internal address is https://nas300.home.sefnet.in:33669, and the NAS uses a custom (self-signed) SSL certificate. In the Subdomain field type whatever you want (in this example we use nas300), select the Domain, under Service select HTTPS and paste the entire internal address, including the port. Click Additional application settings, click TLS and turn on the No TLS verify option, since with a custom signed certificate the SSL connection would otherwise fail. Click Save hostname. Now you can test and confirm that the Synology NAS Management Interface is available via Cloudflare. Please note that at this point the hostname is reachable by anyone on the internet and nothing but the DSM login stands in front of it, so we need to configure access rules for the service.
In the left pane, click Access and then Access Groups. Click Add a group and type in the group name. Under Define group criteria, select Emails as the Selector and in the Value field type the email addresses of the persons who should have access to the exposed service. You can use any other selector and configure it accordingly. Once done, click Save.
Now click Applications under Access in the left pane, and click Add an application. Select Self-hosted and give it a name. Select a Session duration, enter the external hostname you used previously, select the Domain, and click Next. Type in an access Policy name, select a Session duration, select the Access group created previously, click Next and then Add application. Now if you try to access the Synology NAS Management Interface, you will be prompted to enter your email address to receive an OTP code. If you enter a valid email address that is configured in the access group policy, you will receive an OTP code, and from there you can access the management interface.
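Once the application policy is saved, it is worth confirming from outside your network that an anonymous visitor no longer reaches DSM at all. The following shell script is an added example (not code from the original post or from Cloudflare): it fetches the public hostname without following redirects or sending cookies and checks that the response is a redirect to the Cloudflare Access login page rather than a page served by the NAS. It assumes that Access answers an unauthenticated request with an HTTP 302 whose Location points at `https://<team>.cloudflareaccess.com/cdn-cgi/access/login/...`, and uses `nas300.example.com` as a placeholder for your real external hostname.

```shell
#!/bin/sh
# Added example: verify that Cloudflare Access sits in front of the public hostname.
# Assumption: an unauthenticated request gets a 302 to <team>.cloudflareaccess.com/cdn-cgi/access/login/...
set -eu

# access_enforced <file containing the raw response headers>
# Returns 0 if the headers show a redirect to the Cloudflare Access login page,
# 1 otherwise (for example a 200 from DSM, or a redirect into DSM itself,
# both of which mean the hostname is answering anonymous visitors directly).
access_enforced() {
    status=$(sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p' "$1" | tr -d '\r')
    location=$(grep -i '^location:' "$1" | tr -d '\r' | head -n 1)
    case "$status" in
        301|302|303|307) ;;
        *) return 1 ;;
    esac
    case "$location" in
        *.cloudflareaccess.com/cdn-cgi/access/login*) return 0 ;;
        *) return 1 ;;
    esac
}

# probe_hostname <public hostname>
# Performs exactly the request an anonymous visitor would: no cookies, no
# redirect following, headers captured to a temp file for inspection.
probe_hostname() {
    hdrs=$(mktemp)
    curl -sS -o /dev/null -D "$hdrs" "https://$1/" || true
    if access_enforced "$hdrs"; then
        echo "ok: $1 is behind Cloudflare Access"
        rm -f "$hdrs"
        return 0
    fi
    echo "WARNING: $1 answered without an Access login redirect; check the application policy"
    rm -f "$hdrs"
    return 1
}

# Usage: sh check_access.sh nas300.example.com   (placeholder hostname)
if [ "$#" -eq 1 ]; then
    probe_hostname "$1"
fi
```

Run the probe from a machine outside your LAN, or from a phone on mobile data, so that a local DNS override cannot send the request straight to the NAS. Note that the No TLS verify setting from the public hostname step only affects the hop between the cloudflared container and the NAS on your LAN; the connection from the visitor to Cloudflare is still fully verified TLS, and this probe exercises only that outer connection.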
I would strongly recommend configuring your Synology NAS to use two-factor authentication, using either a hardware key such as a YubiKey or an OTP code from the Google Authenticator app or Bitwarden (preferably). Note that use of OTP in Bitwarden requires a subscription plan,