
Synology NAS Remote Access Without QuickConnect: A Safer Alternative

QuickConnect routes your NAS traffic through Synology's servers. Here's how to access DSM and your files remotely without exposing your NAS to the internet or trusting a third-party relay.

Synology QuickConnect is convenient. You enable it, Synology gives you a subdomain, and you can reach DSM from anywhere. But there is a cost that most users do not think about: every connection you make goes through Synology's relay servers. Your file transfers, DSM login attempts, and Surveillance Station streams all pass through infrastructure you do not control.

For home users this is often acceptable. For IT teams managing NAS devices at client sites — storing accounting data, HR documents, or CCTV footage — it is a harder sell. And for NIS2-regulated entities in the EU, routing data through a non-EU relay is a compliance problem.

What QuickConnect Actually Does

QuickConnect works through Synology's relay network when a direct connection is not possible (which is most of the time, because most NAS devices sit behind NAT with no static IP). The relay receives your session, forwards it to your NAS, and sends responses back. Synology's relay sees the metadata: source IP, destination NAS, timing, session length.

If Synology's relay service has an outage, you lose remote access. If it is blocked by a corporate firewall (which many are), you lose remote access. And if you are subject to NIS2, Synology is a third-party processor you need to document and disclose.

The Alternatives People Try — and Why They Fall Short

Port forwarding. Open TCP 5000/5001 (DSM) directly to the internet. Works — until a vulnerability drops in DSM (they happen regularly) and your NAS is reachable from every scanner on the internet. The SynoLocker ransomware outbreak in 2014 hit NAS devices exposed this way. Synology explicitly warns against this.

DDNS + port forwarding. Same exposure, with a friendlier URL. The attack surface is identical.

Synology VPN Server. Better — but requires the NAS itself to run the VPN server, clients to install VPN software on every machine, and a static IP or DDNS pointing at the NAS. More moving parts, more maintenance.

Tailscale on the NAS. Solid option for personal use. Tailscale has its own relay network (DERP servers) that traffic passes through when direct connections are not possible — similar to QuickConnect in that respect. No free tier covers large MSP deployments, and it requires software on both the NAS and the device accessing it.

The WireGuard Approach: Tunnel on the Router, Not the NAS

The cleanest solution for MSPs and IT teams is to not touch the NAS at all. Instead, install a WireGuard tunnel on the router or gateway at the client site. Once the tunnel is up, every device on that LAN — including the NAS — is reachable through the tunnel without any software on the NAS itself.

The NAS does not need WireGuard. It does not need a WireGuard package. It does not need a static IP. It does not need QuickConnect enabled. DSM runs on the LAN, and the tunnel makes it reachable from outside as if you were sitting on the same network.

This works because WireGuard is installed on the router (MikroTik, pfSense, OPNsense, OpenWRT, or a Debian/Ubuntu box acting as gateway). The router's WireGuard peer connects to a relay server. Traffic to any IP on the LAN — including the IP where the NAS lives — routes through the tunnel.
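As an added illustration (not ProxyLink's own configuration), here is a wg-quick config for a Debian/Ubuntu gateway that builds the outbound tunnel described above. It goes one step further than the text by restricting what the tunnel can reach to DSM on the NAS; the addresses, the endpoint name, the interface name and the key placeholders are all assumptions.

```ini
# /etc/wireguard/wg0.conf on the site gateway (constructed example)
# Assumed values: NAS at 192.168.1.50, tunnel subnet 10.99.0.0/24,
# relay reachable at relay.example.net:51820.

[Interface]
PrivateKey = <GATEWAY_PRIVATE_KEY>
Address = 10.99.0.2/32

# Let the gateway route between the tunnel and the LAN.
PostUp = sysctl -w net.ipv4.ip_forward=1

# Least privilege: from the tunnel, allow only DSM HTTPS on the NAS,
# allow return traffic in both directions, drop everything else.
PostUp = iptables -A FORWARD -i %i -d 192.168.1.50 -p tcp --dport 5001 -j ACCEPT
PostUp = iptables -A FORWARD -i %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -A FORWARD -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -A FORWARD -i %i -j DROP

# Remove the same rules when the tunnel goes down.
PostDown = iptables -D FORWARD -i %i -d 192.168.1.50 -p tcp --dport 5001 -j ACCEPT
PostDown = iptables -D FORWARD -i %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j DROP

[Peer]
PublicKey = <RELAY_PUBLIC_KEY>
# The gateway dials out to the relay, so no inbound port is opened on the WAN side.
Endpoint = relay.example.net:51820
# Accept tunnel packets only from the relay's tunnel address.
AllowedIPs = 10.99.0.1/32
# Keep the NAT mapping alive so the relay can reach the gateway at any time.
PersistentKeepalive = 25
```

Without the FORWARD rules, anything that can send traffic into the tunnel can reach every host on the LAN, so scope the allowed destinations to the devices you actually intend to publish.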

Setting This Up with ProxyLink

ProxyLink provides the relay infrastructure and the browser interface on top of the tunnel. After installing the WireGuard tunnel on the router:

  1. In the ProxyLink dashboard, create a proxy link pointing to your NAS IP on port 5001 (HTTPS) or 5000 (HTTP)
  2. ProxyLink assigns a public URL — something like https://abc123.proxy.proxylink.dev
  3. Open that URL in any browser — DSM loads, served directly from your NAS, through the encrypted WireGuard tunnel

No QuickConnect. No port forwarding. No software on the NAS. The NAS is dark to the internet — the only way to reach it is through the WireGuard tunnel, which requires authentication to ProxyLink.

QuickConnect vs ProxyLink — Side by Side

| | QuickConnect | ProxyLink |
|---|---|---|
| NAS traffic through third-party relay | Yes — Synology servers | No — direct WireGuard tunnel |
| Works without static IP | Yes | Yes |
| Software required on the NAS | None (built-in) | None — tunnel runs on router |
| EU-hosted infrastructure | No | Yes — Hetzner Germany |
| Access to Surveillance Station | Yes | Yes — same DSM port |
| NIS2 audit log | No | Yes — every session logged |
| Service outage dependency | Synology relay outage = no access | Self-contained tunnel |
| Multiple devices per site | One NAS only | All LAN devices through one tunnel |

TCP Link for DSM — SSL in the Browser

ProxyLink supports TCP proxy links with SSL termination on ports 443, 8443, and 5001. When you create a TCP link pointing to your NAS on port 5001, the browser sees a valid HTTPS connection (ProxyLink's certificate). DSM's own self-signed certificate stays internal — the browser does not complain.

This is the same approach that works for pfSense, OPNsense, Ubiquiti UniFi, and any other web-based management interface that runs HTTPS internally.

Surveillance Station and File Station

Both work through the proxy link since they run on the same DSM port. Once you have access to DSM, Surveillance Station's camera feeds and File Station's file browser work normally — they are just DSM features, not separate services.

QNAP Is the Same Story

QNAP has its own relay service (myQNAPcloud). The same concerns apply — traffic through QNAP's servers, dependency on their infrastructure, no EU data residency guarantee. The WireGuard-on-router approach works identically for QNAP's QTS web interface, with a proxy link pointing to the NAS IP on port 8080 or 443.

What This Means for NIS2

Under NIS2 Article 21, supply chain security means you need to document every third party that touches client data. If QuickConnect is routing NAS access, Synology is a third-party processor requiring a data processing agreement and client disclosure.

With the WireGuard tunnel approach, the only third party is ProxyLink — EU-hosted on Hetzner Germany, with an audit log of every session. The NAS traffic itself is encrypted end-to-end through the WireGuard tunnel.

Frequently Asked Questions

Can I access my Synology NAS remotely without QuickConnect?

Yes. A WireGuard tunnel on your router (MikroTik, pfSense, OPNsense, OpenWRT, or a Raspberry Pi) gives you remote access to DSM and all NAS services without enabling QuickConnect. The tunnel connects outbound from the router — your NAS needs no configuration changes and no static IP.

Does this work without a static IP or DDNS?

Yes. The WireGuard tunnel is outbound from the router to ProxyLink's relay server, which has a fixed address. Your NAS and router can be behind CGNAT, dynamic IP, or any NAT — the tunnel stays up as long as the router has internet access.

Will Surveillance Station camera feeds work through ProxyLink?

Yes. Surveillance Station runs on the same DSM port (5000/5001). Once you have a proxy link to DSM, every DSM feature — Surveillance Station, File Station, Synology Drive — works through that link. Camera feeds stream normally.

Does ProxyLink require any software on the Synology NAS?

No. The WireGuard tunnel runs on your router, not on the NAS. DSM sees normal LAN traffic with no awareness of ProxyLink. There are no packages or agents to install or maintain on the NAS.

Is QuickConnect safe for a business environment?

For home use, the convenience usually outweighs the concerns. For business NAS devices holding client data, financial records, or CCTV footage, the relay architecture matters: Synology's servers handle session metadata, and their infrastructure is not EU-resident. Under NIS2, Synology becomes a third-party processor requiring a data processing agreement and client disclosure.

Try ProxyLink free — no card required. If you manage Synology or QNAP devices at client sites, the first tunnel setup takes about 10 minutes.

Filippos Iliadis is the founder of ProxyLink. He manages remote access for 50+ hotel and SMB networks across Greece — including Synology NAS deployments at client sites — using the WireGuard-based architecture described in this post.

ProxyLink is free during Early Access

One WireGuard tunnel on a router gives you browser RDP, VNC, and SSH to every device on the LAN. No agent on the target. No credit card. No trial countdown.
