There are quite a few tutorials on how to apply the Cloudflare Tunnel service to a Synology NAS, whereas such tutorials are almost absent for the more vulnerable QNAP NAS (which has been attacked several times). This tutorial aims to provide a step-by-step guide to fill that gap.
Update: I have revised this tutorial to suit the configuration of the new Container Station 3.
A. What are the problems with myqnapcloud?
When we read comments on how to make our NAS safe, the most popular one is ‘don’t connect your NAS to the Internet’.
That is true, but it loses the benefit of using a NAS to replace many public cloud services. QNAP offers a service named myqnapcloud which allows you to access your QNAP NAS from anywhere.
Although the myqnapcloud service is convenient, it is very vulnerable, because:
- The IP and ports of your NAS are exposed to the Internet
- ALL myqnapcloud devices are QNAP devices, which provides a very nice pool of potential victims for attackers who want to make good use of a QNAP vulnerability
B. What are the benefits of using Cloudflare Tunnel?
Cloudflare offers a FREE tunneling service that can protect your NAS from many types of cyber attack, so making good use of it can be a game changer.
With this service, your NAS will be:
- Protected by the Cloudflare infrastructure from DDoS attacks
- Able to hide its real IP from the Internet
- Able to serve as usual, as all services that required myqnapcloud keep working with the proper settings
- Possibly faster to access, as Cloudflare may provide better routing
Actual Steps
Obtaining a free domain name
You will need a domain name to replace your myqnapcloud domain. There are many free DDNS service providers available; I recommend Freenom, as it offers some nice FREE top-level domains (e.g. .tk / .ml / .ga / .cf / .gq).
But the registration process of Freenom is quite tricky: if you simply check the availability of a domain, it will always show NOT available.
Here are the steps to obtain a free domain:
- Click Partner > Developers on the Navigation Bar.
- Scroll down and click Get a Random Domain Account Today.
- Review and check out by entering your email address; you don’t need to provide any credit card information, but you do need to enter some address details.
- Activate your account by verifying the email address.
- Check the availability of the domain again; this time, you should be able to ‘purchase’ it.
- By default, the free domain lasts for 3 months, but you can choose up to 12 months for free in the drop-down menu.
We will return to Freenom for one final step later, but for now, let us create a Cloudflare account first.
Creation of Cloudflare Account
Creating a Cloudflare account is more straightforward; after the normal account creation, perform the following steps:
- After creating the account, click Add site and enter the domain name you just obtained.
- Sometimes this process results in an error message like ‘Hmm… We couldn’t find any matching websites.’ Wait a few minutes for Freenom to activate your domain.
- After adding the site, Cloudflare will ask you to change the nameservers of your domain. Copy the two nameservers, go back to Freenom, and replace the Freenom nameservers with them.
- Cloudflare says it could take up to 24 hours to update the registry, but from my experience, it only takes 5 to 10 minutes. Just take a walk or sip some coffee before continuing.
- You will receive an email indicating that the nameservers have been changed.
- There are many settings available on Cloudflare; some of them will be covered in the Tweak section later.
- Click your site, and in the sidebar, click Access; on that page, click Launch Zero Trust.
- You have now entered the Zero Trust portal; in the sidebar, click Access > Tunnels.
- Click Create a tunnel. After naming the tunnel, you will see a list of commands like this; then we can move to our QNAP NAS:
docker run cloudflare/cloudflared:2022.8.2 tunnel --no-autoupdate run --token eyJh[thisisthetoken]GaCJ9
Installing Cloudflare Tunnel service on QNAP NAS
To use this service, you will need Container Station already installed on your QNAP NAS.
Then perform the following steps:
- In Container Station, hit Explore at the top, search for Cloudflared and deploy it. It will show a very long list of versions; just choose the default, Latest.
- In the pop-up creation wizard, under the Configure Container part, give a name to your container.
- Click Advanced Settings. Here comes the tricky part: replace the command in the Command box with the following. Replace the string after --token with the token (that long strange string) you copied above.
tunnel run --token eyJh[thisisthetoken]GaCJ9
- Then, in the Network panel, set Network Mode to host. Apply the settings and finish the wizard.
- Click Create and you should see the container listed. It is normal to get some error messages at this point. Now it’s time to return to Cloudflare.
- In the Tunnel panel of Cloudflare, add a public hostname, choose a subdomain if you like, and for the Service, enter the IP address that you find in Network & Virtual Switch of your NAS.
- This is the local IP address of your NAS, not your WAN IP.
- For the port number, refer to Control Panel > General Settings of your NAS; normally you can use the default HTTP port 8080 and HTTPS port 443.
- Now, try the new URL to access your QNAP NAS. Some security prompts might appear, but you are now using the Cloudflare tunnel to access your NAS!
Implementing the Cloudflare certificate on the QNAP NAS
If you are using the myqnapcloud service, most likely you are using a Let’s Encrypt SSL certificate. You can replace it with the Cloudflare-generated certificate, so that the connection between your NAS and all other devices is secured and no security prompts appear.
Here are the steps of the implementation:
- Manage your site in Cloudflare, navigate to SSL/TLS > Origin Server, choose Create Certificate.
- You do not need to change any settings; after creation, you will see the Key Format as PEM, your Origin Certificate and your Private Key.
- Save the Origin Certificate and Private Key to your computer: paste them into Notepad and save as original.PEM and private.PEM. Remember to change the file format.
- Go to your QNAP NAS and open Control Panel > Security > SSL Certificate & Private Key.
- Depending on the current status, you will likely choose Replace Certificate > Import Certificate.
- Choose the above-created original.PEM as the Certificate and private.PEM as the Private Key, then press Apply.
- Voila! You are now using the Cloudflare SSL certificate to ensure the connection between your NAS and your devices is encrypted.
- (This step is optional, but highly recommended) Navigate back to your Cloudflare SSL/TLS > Overview, choose Full (strict) to ensure the connections are always encrypted and are using the aforementioned certificate.
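The import step above fails most often because the pasted PEM text was damaged on the way through Notepad (a hidden UTF-8 byte-order mark, a truncated block, certificate and key swapped, or a file silently saved as original.PEM.txt). The following checker is an added example, not code from the post or from QNAP or Cloudflare; it inspects only the PEM framing and outer DER length, and the sample blocks it runs on are constructed stubs (a minimal DER SEQUENCE), not real Cloudflare certificates.

```python
import base64
import re

# Constructed stand-ins for the two PEM blocks Cloudflare shows after "Create
# Certificate": a minimal DER SEQUENCE { INTEGER 1 } wrapped in PEM armour. The
# checks below look only at the PEM framing, so this stub is enough to exercise them.
_DER_STUB = bytes([0x30, 0x03, 0x02, 0x01, 0x01])

CERT_LABELS = ("CERTIFICATE",)
KEY_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY")


def make_pem(label: str, der: bytes = _DER_STUB) -> str:
    """Wrap DER bytes in PEM armour (used here only to build the samples)."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


SAMPLE_CERT = make_pem("CERTIFICATE")
SAMPLE_KEY = make_pem("PRIVATE KEY")
# Typical damage from a Notepad round trip: a UTF-8 byte-order mark, CRLF line endings.
SAMPLE_CERT_WITH_BOM = "\ufeff" + SAMPLE_CERT
SAMPLE_KEY_CRLF = SAMPLE_KEY.replace("\n", "\r\n")

_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n"
    r"(?P<body>[A-Za-z0-9+/=\r\n]+?)\r?\n"
    r"-----END (?P<end>[A-Z ]+)-----"
)


def _der_total_length(der: bytes):
    """Length of the outer DER element (header + content), or None if unparsable."""
    if len(der) < 2:
        return None
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem(text: str, expected_labels) -> list:
    """Return a list of problems; an empty list means the block looks importable."""
    problems = []
    if text.startswith("\ufeff"):
        problems.append("file starts with a UTF-8 byte-order mark; save as plain UTF-8 (no BOM)")
        text = text[1:]
    m = _PEM_RE.search(text)
    if not m:
        problems.append("no BEGIN/END armour found; copy the whole block including both dashed lines")
        return problems
    label, end = m.group("label"), m.group("end")
    if label != end:
        problems.append(f"BEGIN label '{label}' does not match END label '{end}'")
    if label not in expected_labels:
        problems.append(f"label '{label}' is not one of {expected_labels}; certificate and key may be swapped")
    try:
        der = base64.b64decode("".join(m.group("body").split()), validate=True)
    except ValueError:
        problems.append("body is not valid base64; stray characters crept in during copy/paste")
        return problems
    if not der or der[0] != 0x30:
        problems.append("decoded body does not start with a DER SEQUENCE")
        return problems
    expected = _der_total_length(der)
    if expected != len(der):
        problems.append(f"DER length {expected} does not match {len(der)} bytes decoded; block truncated?")
    return problems


def filename_ok(name: str) -> bool:
    """Notepad appends .txt unless 'All Files' is chosen, giving original.PEM.txt."""
    return name.lower().endswith(".pem")


if __name__ == "__main__":
    for name, text, labels in (("original.PEM", SAMPLE_CERT_WITH_BOM, CERT_LABELS),
                               ("private.PEM", SAMPLE_KEY_CRLF, KEY_LABELS)):
        print(name, "filename ok:", filename_ok(name), "problems:", check_pem(text, labels))
```

To use it on the real files, read each one with `open(path, encoding="utf-8").read()` and pass the text with `CERT_LABELS` or `KEY_LABELS`; CRLF line endings are accepted, since the NAS import handles them, but a byte-order mark or a short DER length is reported before you waste a round trip through the QNAP import dialog.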
Tweaking of the Tunnel service (WebUI / Qsync / Mobile Apps / WebDAV)
This section is for reference. If you use the WebUI (and its related services, like QuMagie), here are the settings you might need to pay attention to.
- The WebUI, QuMagie, Mobile Apps and Qsync ALL use the System Port that you find under Control Panel > General Settings.
- Therefore, to use these services, just replace the original myqnapcloud link with the Cloudflare tunnel domain above.
- If you would like to use WebDAV, you are advised to use a new set of ports rather than the system ports. You may choose FileRun to replace the system WebDAV service.
- After all these settings, you can now turn off the myqnapcloud service and disable the UPnP function and auto router configuration on your NAS, as you no longer need them to make your NAS accessible from the Internet.
- Disabling the myqnapcloud service has no impact on the myqnapcloud Link service; you can still share folders / files that way.
Here is my port configuration:
WebUI / Mobile Apps / Qsync
admin.example.ga > HTTP 192.168.1.100:8080
admin.example.ga > HTTPS 192.168.1.100:443
Webdav
documents.example.ga > HTTP 192.168.1.100:3333
documents.example.ga > HTTPS 192.168.1.100:3334
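The public-hostname step earlier (local IP, not WAN IP; system ports for the WebUI; separate ports for WebDAV) and the port table above boil down to a few rules that are easy to get wrong in the dashboard. The audit below is an added example written for this post, not code from the author, QNAP or Cloudflare: it represents the mapping as a list of hostname/service pairs and flags origins outside the RFC 1918 ranges, hostnames outside the tunnel's zone, and WebDAV hostnames that reuse a system port. `ZONE`, `SYSTEM_PORTS`, `WEBDAV_HOSTS` and both rule lists are assumptions constructed from the post's example values.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed to mirror the hostname -> origin mapping at the end of the post.
# With a token-based tunnel these are the "public hostname" entries in the
# Zero Trust dashboard, each pointing at the NAS's LAN address.
INGRESS = [
    {"hostname": "admin.example.ga", "service": "http://192.168.1.100:8080"},
    {"hostname": "admin.example.ga", "service": "https://192.168.1.100:443"},
    {"hostname": "documents.example.ga", "service": "http://192.168.1.100:3333"},
    {"hostname": "documents.example.ga", "service": "https://192.168.1.100:3334"},
]

# A deliberately wrong mapping (constructed) to show what the audit catches.
BAD_INGRESS = [
    {"hostname": "admin.example.ga", "service": "https://203.0.113.10:443"},       # WAN address, not LAN
    {"hostname": "documents.example.ga", "service": "http://192.168.1.100:8080"},   # WebDAV on a system port
    {"hostname": "files.other-domain.tk", "service": "http://192.168.1.100:3333"},  # not under the tunnel zone
]

ZONE = "example.ga"                       # the domain added to Cloudflare (placeholder)
SYSTEM_PORTS = {8080, 443}                # System Port values from Control Panel > General Settings (assumed)
WEBDAV_HOSTS = {"documents.example.ga"}   # hostnames that should NOT reuse the system ports (assumed)
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_ingress(rules, zone=ZONE, system_ports=SYSTEM_PORTS, webdav_hosts=WEBDAV_HOSTS) -> list:
    """Return findings for rules that expose more than intended; an empty list means clean."""
    findings = []
    for r in rules:
        public, u = r["hostname"], urlsplit(r["service"])
        port = u.port if u.port is not None else (443 if u.scheme == "https" else 80)
        if not (public == zone or public.endswith("." + zone)):
            findings.append(f"{public}: not under zone {zone}; it must be a hostname in a zone on your Cloudflare account")
        try:
            ip = ipaddress.ip_address(u.hostname)
        except ValueError:
            findings.append(f"{public}: origin '{u.hostname}' is not an IP literal; use the NAS LAN address")
            continue
        if not any(ip in net for net in LAN_RANGES):
            findings.append(f"{public}: origin {ip} is not an RFC 1918 LAN address (WAN IP pasted by mistake?)")
        if public in webdav_hosts and port in system_ports:
            findings.append(f"{public}: WebDAV on system port {port}; give it its own port")
    return findings


if __name__ == "__main__":
    print("post's mapping:", audit_ingress(INGRESS) or "clean")
    for finding in audit_ingress(BAD_INGRESS):
        print("FINDING:", finding)
```

Edit `INGRESS` to match what you typed into the dashboard and run the file; the point of keeping the origin on a LAN address is that the tunnel is the only path in, so a WAN IP or a stray public hostname would quietly undo the benefit of turning off myqnapcloud and UPnP.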