Here’s the scenario… I have a Synology Router RT2600ac (SRM 1.2.4) and a Synology NAS DS620slim (DSM 6.2.3), and I wanted to log into Home Assistant using a Synology-provided domain name with a valid SSL certificate, but only from the local network. If I try to reach my Synology domain from outside, access should be denied; from inside, typing the Synology domain (e.g. example.synology.me) should open Home Assistant with a valid certificate badge in the browser. Remote access is handled by VPN. I also wanted to enable DNS over HTTPS.
I’ve seen guides for doing this with Pi-hole, AdGuard, dnsmasq and other docker containers, but given my hardware I wanted to use what I already have.
This guide involves using sudo and you could brick your NAS and/or Router so proceed by accepting that this could be the outcome.
For this guide, I will assume that you already have a Synology domain (DDNS) and a valid certificate. I’ll also assume that you have Home Assistant running in docker on the Synology NAS. I’ll use 192.168.1.1 as the Synology router IP and 192.168.1.100 as the NAS IP.
For the Synology Router:
-First, optionally remove any port forwarding rules you have.
-Then go to Control Panel -> “Services”, enable SSH, set the port to 222, then connect with
ssh -l root 192.168.1.1 -p 222
Your password is that of the admin account (which may be disabled); you can enable it and set its password in Control Panel -> “Users”.
Next, modify the hosts file:
vi /etc/hosts
and add this line at the end (the fields are separated by tabs):
192.168.1.100 example example.synology.me
Next, create this file
vi /etc/dhcpd/dhcpd-dns-dns.info
containing the single line:
enable="yes"
Then create this file
vi /etc/dhcpd/dhcpd-dns-dns.conf
and add this line (dnsmasq address= syntax: every client that uses the router for DNS gets the NAS address for this name):
address=/example.synology.me/192.168.1.100
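The three router edits above, written as an idempotent script. This is an added example, not part of the original post or Synology’s own tooling: it assumes the file paths and contents exactly as described above (SRM reading /etc/dhcpd/dhcpd-dns-dns.info and .conf as dnsmasq fragments), lets you rehearse into a scratch directory via ROOT before touching the router, and checks the result so that re-running it never duplicates the hosts entry.

```shell
#!/bin/sh
# Added example (not from the original post): scripted version of the SRM
# router steps. Run over ssh as root on the router with "apply"; set ROOT to a
# scratch directory first to rehearse without touching /etc.
# Assumption: SRM reads /etc/dhcpd/dhcpd-dns-dns.{info,conf} exactly as the
# post describes, and the .conf line is dnsmasq "address=" syntax.

NAS_IP="${NAS_IP:-192.168.1.100}"
SHORT="${SHORT:-example}"
FQDN="${FQDN:-example.synology.me}"
ROOT="${ROOT:-}"

# Append the tab-separated hosts line only if an identical line is not
# already present, so repeated runs never duplicate it.
add_hosts_entry() {
    hosts="$1/etc/hosts"; ip="$2"; short="$3"; fqdn="$4"
    line="$(printf '%s\t%s\t%s' "$ip" "$short" "$fqdn")"
    mkdir -p "$(dirname "$hosts")"
    touch "$hosts"
    if grep -qxF "$line" "$hosts"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$hosts"
}

# Write the dnsmasq override that answers the FQDN with the NAS address for
# every LAN client, plus the .info flag that switches the override on.
write_dns_override() {
    dir="$1/etc/dhcpd"; ip="$2"; fqdn="$3"
    mkdir -p "$dir"
    printf 'enable="yes"\n' > "$dir/dhcpd-dns-dns.info"
    printf 'address=/%s/%s\n' "$fqdn" "$ip" > "$dir/dhcpd-dns-dns.conf"
}

# Return 0 only when all three files contain exactly what the post asks for.
verify_router_config() {
    root="$1"; ip="$2"; short="$3"; fqdn="$4"
    grep -qxF "$(printf '%s\t%s\t%s' "$ip" "$short" "$fqdn")" "$root/etc/hosts" || return 1
    [ "$(cat "$root/etc/dhcpd/dhcpd-dns-dns.info")" = 'enable="yes"' ] || return 1
    [ "$(cat "$root/etc/dhcpd/dhcpd-dns-dns.conf")" = "address=/$fqdn/$ip" ] || return 1
    return 0
}

# Number of times the hosts line appears (1 proves the script is idempotent).
hosts_entry_count() {
    grep -cxF "$(printf '%s\t%s\t%s' "$2" "$3" "$4")" "$1/etc/hosts"
}

if [ "${1:-}" = "apply" ]; then
    add_hosts_entry "$ROOT" "$NAS_IP" "$SHORT" "$FQDN"
    write_dns_override "$ROOT" "$NAS_IP" "$FQDN"
    verify_router_config "$ROOT" "$NAS_IP" "$SHORT" "$FQDN" && echo "router DNS override in place"
fi
```

Rehearse with `ROOT=/tmp/rehearsal sh srm-dns-override.sh apply` and inspect the files it produced; then run `sh srm-dns-override.sh apply` as root on the router. The functions are pure file edits, so a second run changes nothing.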
In router web interface, go to Network Center -> Internet and make sure the DNS servers are blank.
Also in the router web interface, go to Network Center -> Local Network and check “Enable DoH” (I used Cloudflare). Doing this will grey out the primary and secondary DNS boxes on the same page.
On the Synology NAS:
Go to Control Panel -> “Network” -> “General” and set the Synology Router as primary DNS (192.168.1.1).
Go to “Application Portal” -> “Reverse Proxy” and add:
Source Protocol -> HTTPS
Hostname -> example.synology.me
Port -> 443
Destination Protocol -> HTTP, or HTTPS if you have already set up (or want) SSL when reaching Home Assistant directly by its IP address.
Hostname -> 192.168.1.100
Port -> 8123
Before you click on OK, go to the Custom Header tab and add the following associations (Header Name -> Value). The first two let WebSocket connections through the proxy; the rest pass the real client address, host and scheme on to Home Assistant:
Upgrade -> $http_upgrade
Connection -> $connection_upgrade
X-Forwarded-For -> $proxy_add_x_forwarded_for
Host -> $http_host
X-Real-IP -> $remote_addr
X-Forwarded-Proto -> $scheme
Lastly, modify /etc/hosts on your Synology NAS (assuming you already have ssh access to your NAS) by adding this line to the end:
192.168.1.100 example example.synology.me
In Home Assistant configuration.yaml:
Add this to the “http:” section:
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.0/24
where trusted_proxies lists the addresses Home Assistant will accept proxied (X-Forwarded-For) connections from; it must include the NAS reverse proxy at 192.168.1.100. The /24 above trusts the whole LAN; narrowing it to 192.168.1.100/32 limits that trust to the NAS alone.
Testing…
Go here to test if DoH is working.
If you removed your port forwarding rules, you should now be blocked from reaching the site from outside your network. From inside your network, example.synology.me should resolve to Home Assistant and the browser should show a valid SSL badge.
If you use a VPN to access your network remotely, you may have to override the DNS server in the VPN profile. I use the OpenVPN app on Android and set the DNS server to 192.168.1.1.
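A scripted version of the tests above, to run from a LAN client. This is an added example and not part of the original post: it assumes the router’s resolver is at 192.168.1.1, that 1.1.1.1 can be used as an independent public resolver (any public resolver will do), and that nslookup and curl are installed on the client. It confirms that the router hands out the NAS address for the domain while a public resolver does not (so the override really is LAN-only), and that the certificate the reverse proxy presents validates against the client’s trust store.

```shell
#!/bin/sh
# Added example, not from the original post: verify the LAN-only setup from
# a client on the LAN. Run with "run". Assumptions: router resolver at
# ROUTER_IP, Home Assistant behind the NAS reverse proxy at FQDN, and
# nslookup/curl available on the client.

ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
NAS_IP="${NAS_IP:-192.168.1.100}"
FQDN="${FQDN:-example.synology.me}"
PUBLIC_RESOLVER="${PUBLIC_RESOLVER:-1.1.1.1}"   # assumption: any public resolver works

# Extract the first IPv4 address from the answer section of nslookup output.
# Keys on the "Name:" line so the resolver's own "Address:" line is skipped,
# and matches the dotted quad so both GNU ("Address: 1.2.3.4") and BusyBox
# ("Address 1: 1.2.3.4") layouts work.
first_answer_ip() {
    printf '%s\n' "$1" | awk '
        /^Name:/ { in_answer = 1; next }
        in_answer && /^Address/ && match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
            print substr($0, RSTART, RLENGTH); exit
        }'
}

# Classify what a resolver returned for the domain:
#   local-override -> the LAN address of the NAS (what we want inside the LAN)
#   public         -> some other address (the DDNS record seen from outside)
#   unresolved     -> no A record in the answer
classify_answer() {
    ip="$(first_answer_ip "$1")"
    if [ -z "$ip" ]; then echo unresolved
    elif [ "$ip" = "$2" ]; then echo local-override
    else echo public
    fi
}

# Live check: the router must answer with the NAS address and the public
# resolver must not, proving the override exists only on the router.
check_dns() {
    lan="$(classify_answer "$(nslookup "$FQDN" "$ROUTER_IP" 2>/dev/null)" "$NAS_IP")"
    pub="$(classify_answer "$(nslookup "$FQDN" "$PUBLIC_RESOLVER" 2>/dev/null)" "$NAS_IP")"
    echo "router answer: $lan, public answer: $pub"
    [ "$lan" = local-override ] && [ "$pub" != local-override ]
}

# Live check: curl validates the certificate chain against the system trust
# store, so a 2xx/3xx here means the Synology certificate is accepted and the
# reverse proxy is forwarding to Home Assistant. An invalid certificate makes
# curl exit non-zero, which fails the check.
check_tls() {
    code="$(curl -sS -o /dev/null -w '%{http_code}' --max-time 5 "https://$FQDN/")" || return 1
    echo "HTTPS status: $code"
    case "$code" in 2*|3*) return 0 ;; *) return 1 ;; esac
}

if [ "${1:-}" = "run" ]; then
    check_dns && check_tls && echo "LAN-only access looks correct"
fi
```

The "blocked from outside" half of the test cannot be automated from the same LAN host; run the same curl from a phone on mobile data (VPN off) and expect a connection failure rather than an HTTP status.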