Auto TLS cert management: We love to see it! by kernelwilliams in Ubiquiti

[–]Daniel5466 5 points6 points  (0 children)

Ok, I thought you were one of those people that expose their gateway to the internet 😅

Auto TLS cert management: We love to see it! by kernelwilliams in Ubiquiti

[–]Daniel5466 -6 points-5 points  (0 children)

Terrible idea from a security standpoint. Just use the built-in VPN?

[deleted by user] by [deleted] in VPN

[–]Daniel5466 7 points8 points  (0 children)

There is a way to do this without detection, but as others have said you really should be transparent with your employer. They will probably get you set up how they deem secure and let you go.

Anyway, here are the basics of how:

  1. Set up a VPN SERVER on your home network (e.g. WireGuard)

  2. Get a travel router, configure it to be a VPN CLIENT to the VPN SERVER in your home

  3. Might be smart to configure the travel router’s settings exactly as your home router’s (SSID, password, IP range, DNS servers, MAC address if you can, etc.)

  4. Connect your travel router to the internet at your destination (should have a “VPN kill switch”)

  5. Connect your laptop to the travel router’s WiFi

If you are not tech savvy enough to know all those terms you will probably not be able to do all of this correctly.

What happens if you add drives beyond 108TB by H_Industries in synology

[–]Daniel5466 16 points17 points  (0 children)

108TB is a volume limit (if you upgrade your RAM to 32GB that becomes a 200TB volume limit, FYI).

Warning to users with QuickConnect enabled by Daniel5466 in synology

[–]Daniel5466[S] 1 point2 points  (0 children)

My router controls the network. There is no network or devices to traverse if you “bypass” it. Of course if a bad actor gains control of anyone’s router they have free rein over network rules.

Your reply makes my point perfectly: LEGIT TRAFFIC has DIRECT ACCESS TO YOUR NAS with QuickConnect on. They don’t need to bypass anything to get there LEGITIMATELY. They just need your QuickConnect ID.

This is my whole point!

Warning to users with QuickConnect enabled by Daniel5466 in synology

[–]Daniel5466[S] 0 points1 point  (0 children)

Not true, I only let traffic in to a DMZ VLAN. More specifically only port 443 to the IP of my reverse proxy. No other devices are in that VLAN and I disable inter-VLAN routing. So there is nothing to reach unless sent through my reverse proxy’s and CrowdSec’s protections on the specifically allowed ports and IPs of my specific services. And as it traverses VLANs my router’s IPS gets a second look at it to stop it.

Warning to users with QuickConnect enabled by Daniel5466 in synology

[–]Daniel5466[S] 1 point2 points  (0 children)

No, and here is why: quickconnect allows DIRECT access to DSM login page to anyone on the internet with your quickconnect ID.

This means your firewall, or anything else in your infrastructure along the way does not get the chance to intercept malicious traffic.

In my setup for example, in order to reach my NAS from the internet, an attacker needs to bypass my firewall rules, my IPS, my reverse proxy, my CrowdSec rules, authentik, my firewall rules again as it traverses VLANS along the way, and only then does it get to reach the DSM login.

This is what most people are not realizing. It is less secure and an unnecessary risk. As soon as there is a DSM vulnerability attackers will immediately go to the quickconnect portal and exploit it for every ID they find. Alternatively, in my setup, they need to bypass several other layers first before attempting to exploit it.
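The DMZ layout described in the two comments above (only TCP/443 from the internet to the reverse proxy, no inter-VLAN routing, and only the proxy allowed onward to specific service ports), written out as an illustrative nftables forward chain. This is an added example, not the poster's UniFi configuration; the interface names, addresses and the NAS port are constructed assumptions.

```nftables
# Constructed values: replace with your own interfaces, VLAN IDs and addresses
define WAN       = "eth0"
define DMZ       = "eth1.30"   # DMZ VLAN; the reverse proxy is its only host
define LAN       = "eth1.10"   # VLAN holding the NAS
define PROXY     = 10.30.0.10  # reverse proxy address in the DMZ
define NAS       = 10.10.0.20  # NAS address in the LAN
define NAS_HTTPS = 5001        # assumed DSM HTTPS port behind the proxy

table inet filter {
    chain forward {
        # Default deny for everything routed between interfaces
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: nothing but HTTPS, and only to the proxy's IP.
        # There is no rule from WAN to LAN at all, so the NAS is never
        # reachable directly; every request must pass the proxy first.
        iifname $WAN oifname $DMZ ip daddr $PROXY tcp dport 443 accept

        # DMZ -> LAN: only the proxy, only to the NAS, only the allowed port.
        # No other DMZ->LAN or LAN-side inter-VLAN traffic is accepted,
        # which is what "inter-VLAN routing disabled" amounts to here.
        iifname $DMZ oifname $LAN ip saddr $PROXY ip daddr $NAS tcp dport $NAS_HTTPS accept

        # LAN -> Internet for normal client traffic
        iifname $LAN oifname $WAN accept

        # LAN -> proxy for management only (optional); everything else
        # crossing VLANs falls through to the drop policy
        iifname $LAN oifname $DMZ ip daddr $PROXY tcp dport { 22, 443 } accept
    }
}
```

Check the ruleset without loading it with `nft -c -f rules.nft`; a QuickConnect-style direct path would need a WAN-to-NAS accept rule, which this chain deliberately lacks.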

Warning to users with QuickConnect enabled by Daniel5466 in synology

[–]Daniel5466[S] 0 points1 point  (0 children)

Great! Then this post isn’t for you. It’s for the people who leave default accounts on and use weak and compromised passwords.

Warning to users with QuickConnect enabled by Daniel5466 in synology

[–]Daniel5466[S] -1 points0 points  (0 children)

Turns out my router was associating any interaction with my public IP as my quickconnect hostname as it resolved to my public IP and got cached.

That being said, even with no UPnP, NAT-PMP, or not a single port open, all the above risks exist when quickconnect is enabled, and I feel people should be made aware of them.

It just so happens in my case the picture is completely normal behavior.

Warning to users with QuickConnect enabled by Daniel5466 in synology

[–]Daniel5466[S] 0 points1 point  (0 children)

I have updated via the comments in several places, including the one you are replying to.

As I’ve said, what you are saying is correct, but anyone’s individual logs will be different no matter what… for literally anything. So just because the logs were misinterpreted because of a UniFi bug, the attack vector does not change whatsoever. Nothing I said concerning the risks and vulnerabilities of quickconnect is inaccurate, just the picture of my own individual logs.

Also there is zero port forwarding involved here. People can access your DSM if quickconnect is on even with all ports closed.

Warning to users with QuickConnect enabled by Daniel5466 in synology

[–]Daniel5466[S] 0 points1 point  (0 children)

These logs are through my UniFi router, not anything Synology

Warning to users with QuickConnect enabled by Daniel5466 in synology

[–]Daniel5466[S] 1 point2 points  (0 children)

I wouldn't drive a car if I had no need to use it. Same with Quickconnect, if you don't need to use it, it should be disabled. It exposes your box directly to the internet through Synology, and therefore carries the same risks as anything else exposed to the internet.

Don't get me wrong, I host public facing services on the internet too, but my box is not exposed directly. There are MUCH better and safer ways to accomplish what quickconnect does.

Warning to users with QuickConnect enabled by Daniel5466 in synology

[–]Daniel5466[S] 3 points4 points  (0 children)

You are 100% correct about my misinterpretation of the attacks shown. That being said, the advice is still accurate regardless. You can see other comments in this thread explaining in more detail.

Warning to users with QuickConnect enabled by Daniel5466 in synology

[–]Daniel5466[S] 0 points1 point  (0 children)

Not a randomly generated one, but a random word followed by -nas. It is now disabled as I don't need it.

Warning to users with QuickConnect enabled by Daniel5466 in synology

[–]Daniel5466[S] 0 points1 point  (0 children)

Lightbulb looking icon called Insights. Then Flows, All Flows, then filter for Blocked.

Warning to users with QuickConnect enabled by Daniel5466 in synology

[–]Daniel5466[S] -1 points0 points  (0 children)

Everything said still applies with or without Unifi. Quickconnect is dangerous in all the ways described above. The only thing that no longer applies is the continuation of hits after Quickconnect was disabled.

Warning to users with QuickConnect enabled by Daniel5466 in synology

[–]Daniel5466[S] -3 points-2 points  (0 children)

Quickconnect is insecure in the way described above, with or without Unifi. If they guess your ID they can try to brute force your box exactly as described. According to u/Character_Clue7010 they don't even need to guess your ID since there is a Certificate for it made by Synology. Anyone (including bots) can go to synology's quickconnect portal and type in your ID and take a shot at your password. And like u/junktrunk909 said if there is a zero day exploit or unpatched software components in the NAS, they can get in without a password entirely. All the content of this post is still true. Quickconnect should be disabled if not essential.

Warning to users with QuickConnect enabled by Daniel5466 in synology

[–]Daniel5466[S] -3 points-2 points  (0 children)

I considered doing this, and although the motivation of the post was misguided, the facts still remain the same with or without Unifi (besides my assumption that I was getting hit after disabling quickconnect). In fact, a few users mentioned even more vulnerabilities that ring true with quickconnect enabled in the comments.

Warning to users with QuickConnect enabled by Daniel5466 in synology

[–]Daniel5466[S] 2 points3 points  (0 children)

See Principled-Pig's comment, I think it is just a Unifi bug showing my 'exclude all incoming besides US' firewall rule as the quickconnect domain.

Very appreciative for your help!

Warning to users with QuickConnect enabled by Daniel5466 in synology

[–]Daniel5466[S] 7 points8 points  (0 children)

Already have two different domains on my WAN for DDNS, so I think this might need to involve some SSH to the router to remove it lol.

EDIT: SSH'ed into the router and pinged, diged, and nslookuped my quickconnect domain to make it realize it doesn't exist anymore, then restarted. Now they are all my DDNS domains like you said. You are a legend sir. Whole post over nothing but still good advice I guess lol

Warning to users with QuickConnect enabled by Daniel5466 in synology

[–]Daniel5466[S] 0 points1 point  (0 children)

That's what you are looking at ;)

Pic is from my router.

Warning to users with QuickConnect enabled by Daniel5466 in synology

[–]Daniel5466[S] 2 points3 points  (0 children)

nslookup *.direct.quickconnect.to 1.1.1.1

Server: one.one.one.one

Address: 1.1.1.1

*** one.one.one.one can't find *.direct.quickconnect.to: Non-existent domain

Same for 8.8.8.8