Savior Faire

Cloudflare tunnel on QNAP

There are quite a few tutorials on how to use the Cloudflare Tunnel service with a Synology NAS, whereas such tutorials are almost absent for the more vulnerable QNAP NAS (at least, they have been attacked several times). This tutorial aims to provide a step-by-step guide to fill that gap.

Update: I have revised this tutorial to suit the configuration of the new Container Station 3.

A. What are the problems with myqnapcloud?

When we read the comments on how to make our NAS safe, the most popular comment would be ‘don’t connect your NAS to the Internet’.

That is true, but then you lose the benefits of using a NAS to replace many public cloud services. QNAP offers a service named myqnapcloud which allows you to access your QNAP NAS from anywhere.

Although myqnapcloud service is convenient, it is very vulnerable, as:

B. What are the benefits of using Cloudflare Tunnel?

As Cloudflare introduced a FREE tunneling service that can be used to protect your NAS from many types of cyber attack, making good use of this service can be a game changer.

With this service, your NAS will be:


Actual Steps

Obtaining a free domain name

You will need a domain name to replace your myqnapcloud domain. To obtain one, there are many free DDNS service providers available. I recommend Freenom, as it offers some FREE nice top-level domain names (e.g. .tk / .ml / .ga / .cf / .gq).

But the registration process of Freenom is quite tricky: if we check the availability of domains, it will always show NOT available.

Here are the steps to obtain a free domain:

We will return to Freenom to perform one final step later, but for now, let us create a Cloudflare account first.


Creation of Cloudflare Account

Creating a Cloudflare account is more straightforward. After the normal account creation, perform the following steps:

docker run cloudflare/cloudflared:2022.8.2 tunnel --no-autoupdate run --token eyJh[thisisthetoken]GaCJ9

Installing Cloudflare Tunnel service on QNAP NAS

To use this service, you will need a Container Station already installed on your QNAP NAS.

Then perform the following steps:

tunnel run --token eyJh[thisisthetoken]GaCJ9

Implementing the Cloudflare certificate to QNAP NAS

If you are using the myqnapcloud service, most likely you are using the Let’s Encrypt SSL certificate. You may replace it with the Cloudflare-generated certificate, so that the connection between your NAS and all other devices is safe and there are no security prompts.

Here are the steps of the implementation:


Tweaking of the Tunnel service (WebUI / Qsync / Mobile Apps / Webdav )

This section is for reference. If you use WebUI (and its related services, like QuMagie), here are the settings that you might need to pay attention to.

  1. WebUI, QuMagie, Mobile Apps and Qsync ALL use the System Port, which you can find under Control Panel > General Settings.
  2. Therefore, if you would like to use these services, just replace the original myqnapcloud link with the above Cloudflare tunnel domain.
  3. If you would like to use Webdav, you are advised to use a new set of ports rather than the system ports. You may choose FileRun to replace the system Webdav service.
  4. After all these settings, you may now turn off the myqnapcloud service and disable the UPnP function and auto router configuration on your NAS, as you no longer need these services to make your NAS accessible from the Internet.
  5. Disabling the myqnapcloud service will not have any impact on the myqnapcloud Link service; you can still share folders / files via this method.

Here is my port configuration:

WebUI / Mobile Apps / Qsync
admin.example.ga > HTTP  192.168.1.100:8080
admin.example.ga > HTTPS 192.168.1.100:443

Webdav
documents.example.ga > HTTP 192.168.1.100:3333
documents.example.ga > HTTPS 192.168.1.100:3334
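
A check to run after step 4, added here as an example and not part of the original tutorial: it parses the port configuration above and reports which of those NAS ports still accept direct TCP connections on your public address. The function names are my own, and it assumes you run it from outside your LAN with your own WAN IP as the argument.

```python
import re
import socket
import sys

# Port configuration copied from this page ("host > SCHEME ip:port").
TUNNEL_ROUTES = """
admin.example.ga > HTTP  192.168.1.100:8080
admin.example.ga > HTTPS 192.168.1.100:443
documents.example.ga > HTTP 192.168.1.100:3333
documents.example.ga > HTTPS 192.168.1.100:3334
"""
ROUTE_RE = re.compile(r"^(\S+)\s*>\s*(HTTPS?)\s+(\d+(?:\.\d+){3}):(\d+)$")


def parse_routes(text):
    """Return (hostname, scheme, origin_ip, port) for every route line."""
    routes = []
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised route line: {line!r}")
        host, scheme, ip, port = m.groups()
        routes.append((host, scheme.lower(), ip, int(port)))
    return routes


def reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_ports(wan_ip, routes, probe=reachable):
    """NAS service ports that still accept direct connections on wan_ip."""
    ports = sorted({port for _, _, _, port in routes})
    return [p for p in ports if probe(wan_ip, p)]


if __name__ == "__main__":
    # Assumption: run from OUTSIDE the LAN (e.g. a phone hotspot), passing
    # your own WAN IP address as the only argument.
    still_open = exposed_ports(sys.argv[1], parse_routes(TUNNEL_ROUTES))
    print("still exposed:", still_open if still_open else "none")
    sys.exit(1 if still_open else 0)
```

An empty result means none of these ports answer directly, so access goes through the tunnel only. A router rule that forwards a different external port would not be caught, so review the router's port-forwarding and UPnP tables as well.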
