Local DNS with SSL setup using Docker on Synology NAS and Synology Router

Tags: #<Tag:0x00007f3260500160> #<Tag:0x00007f3260507f50> #<Tag:0x00007f3260507d98> #<Tag:0x00007f3260507bb8> #<Tag:0x00007f3260507a00>

Here’s the scenario… I have a Synology Router RT2600ac (SRM 1.2.4) and a Synology NAS DS620slim (DSM 6.2.3) and I wanted to be able to log into home assistant using a Synology-provided domain name linked to a valid SSL certificate locally only. I.e. if I try to access my synology domain remotely, I want access denied for security purposes. If I’m local, I want to type in the Synology domain (e.g. example.synology.me) and have it open Home Assistant with a security badge in the browser. Remote access should be handled by VPN. I also wanted to enable DNS over HTTPS.

I’ve seen guides for how to do this with PiHole and Adguard and DNSMasq and other docker containers, but given my hardware, I wanted to use what I already have.

This guide involves using sudo and you could brick your NAS and/or Router so proceed by accepting that this could be the outcome.

For this guide, I will assume that you already have a Synology domain (DDNS) and valid certificate. I’ll also assume that you have Home Assistant running in docker on the Synology NAS. I’ll use 192.168.1.1 as the synology router IP and 192.168.1.100 as the NAS IP.

For the Synology Router
-First, optionally remove any port forwarding rules you have.
-Then go to Control Panel “Services”, enable ssh, set port 222, then

ssh -l root 192.168.1.1 -p 222

Your password is the password of the admin account (which may be disabled). You can enable it and set the password in Control Panel “Users”.

Next modify the hosts file:

vi /etc/hosts

add this to the end (spaces are tabs):

192.168.1.100     example     example.synology.me

next, create this file

vi /etc/dhcpd/dhcpd-dns-dns.info

and put a single line in:

enable="yes"

then create this file

vi /etc/dhcpd/dhcpd-dns-dns.conf

and add this line:

address=/example.synology.me/192.168.1.100

In router web interface, go to Network Center -> Internet and make sure the DNS servers are blank.

Also in the router web interface, go to Network Center -> Local Network and check “Enable DoH” (I used Cloudflare). Doing this will grey-out the primary and secondary DNS boxes in the same page.

On the Synology NAS:

Go to Control Panel, “Network” -> “General” and set the Synology Router as primary DNS (192.168.1.1)

Go to “Application Portal” -> “Reverse Proxy” and add
Source Protocol -> HTTPS
Hostname -> example.synology.me
Port -> 443

Destination Protocol -> HTTP or HTTPS depending on if you already set up or want SSL when accessing your home assistant via an IP address.
Hostname -> 192.168.1.100
Port -> 8123

Before you click on OK, go to the custom header tab and add the following associations (Header Name -> Value):

Upgrade -> $http_upgrade
Connection -> $connection_upgrade
X-Forwarded-For -> $proxy_add_x_forwarded_for
Host -> $http_host
X-Real-IP -> $remote_addr
X-Forwarded-Proto -> $scheme

Lastly, modify /etc/hosts on your Synology NAS (assuming you already have ssh access to your NAS) by adding this line to the end:

192.168.1.100     example     example.synology.me

In Home Assistant Configuration.yaml:
Add this to the “http:” section

    use_x_forwarded_for: true
    trusted_proxies: 192.168.1.0/24

where trusted_proxies refers to the range of IP address that can connect to home assistant.

Testing…

Go here to test if DoH is working.

If you removed your port forwarding rules you should now be blocked from accessing your website from outside your network. If you try accessing from inside your network, the site example.synology.me should resolve to home assistant and you should have a valid SSL badge in your browser.

If you use a VPN to access your network remotely, you may have to override the DNS settings by server. I use the OpenVPN app on Android and set the DNS server to 192.168.1.1