Access Your Synology NAS Remotely Without QuickConnect (2026)
Access your Synology NAS remotely without QuickConnect, no port forwarding, no static IP, no third-party relay. A WireGuard tunnel on the router keeps your NAS dark to the internet.
Synology QuickConnect is convenient. You enable it, Synology gives you a subdomain, and you can reach DSM from anywhere. But there is a cost that most users do not think about: every connection you make goes through Synology's relay servers. Your file transfers, DSM login attempts, and Surveillance Station streams all pass through infrastructure you do not control.
For home users this is often acceptable. For IT teams managing NAS devices at client sites, storing accounting data, HR documents, or CCTV footage, it is a harder sell. And for NIS2-regulated entities in the EU, routing data through a non-EU relay is a compliance problem.
What QuickConnect Actually Does
QuickConnect works through Synology's relay network when a direct connection is not possible (which is most of the time, because most NAS devices sit behind NAT with no static IP). The relay receives your session, forwards it to your NAS, and sends responses back. Synology's relay sees the metadata: source IP, destination NAS, timing, session length.
If Synology's relay service has an outage, you lose remote access. If it is blocked by a corporate firewall (which many are), you lose remote access. And if you are subject to NIS2, Synology is a third-party processor you need to document and disclose.
Is Synology QuickConnect Secure?
QuickConnect is not insecure in the way that port forwarding is, it does not expose your NAS directly to the internet. But it introduces a different risk profile that matters for business use.
What QuickConnect does: Your NAS registers with Synology's relay servers. When you connect remotely, the session is brokered and relayed through Synology's infrastructure. Synology's servers see your source IP, your NAS identifier, session timing, and connection metadata. If you use QuickConnect for DSM file access or Surveillance Station, that traffic passes through Synology's relay.
For home use: The convenience usually outweighs the concerns. Synology is a reputable company and QuickConnect is a well-maintained service.
For business use, three concerns apply:
- Data residency: Synology's relay infrastructure is not EU-resident. If your NAS holds client data, financial records, or CCTV footage, the relay path is outside the EU, a problem for GDPR and NIS2.
- Third-party dependency: If Synology's relay service has an outage (it has had several), remote access stops. Your access depends on their infrastructure staying up.
- Supply chain audit: Under NIS2 Article 21, Synology becomes a third-party processor requiring a data processing agreement and client disclosure.
The short answer: QuickConnect is secure enough for home NAS use. For IT teams managing NAS devices at client sites, the relay architecture adds dependencies and audit obligations that a direct WireGuard tunnel avoids entirely.
The Alternatives People Try, and Why They Fall Short
Port forwarding. Open TCP 5000/5001 (DSM) directly to the internet. Works, until a vulnerability drops in DSM (they happen regularly) and your NAS is reachable from every scanner on the internet. The SynoLocker ransomware outbreak in 2014 hit NAS devices exposed this way. Synology explicitly warns against this.
DDNS + port forwarding. Same exposure, with a friendlier URL. The attack surface is identical.
Synology VPN Server. Better, but requires the NAS itself to run the VPN server, clients to install VPN software on every machine, and a static IP or DDNS pointing at the NAS. More moving parts, more maintenance.
Tailscale on the NAS. Solid option for personal use. Tailscale has its own relay network (DERP servers) that traffic passes through when direct connections are not possible, similar to QuickConnect in that respect. No free tier covers large MSP deployments, and it requires software on both the NAS and the device accessing it.
The WireGuard Approach: Tunnel on the Router, Not the NAS
The cleanest solution for MSPs and IT teams is to not touch the NAS at all. Instead, install a WireGuard tunnel on the router or gateway at the client site. Once the tunnel is up, every device on that LAN, including the NAS, is reachable through the tunnel without any software on the NAS itself.
The NAS does not need WireGuard. It does not need a WireGuard package. It does not need a static IP. It does not need QuickConnect enabled. DSM runs on the LAN, and the tunnel makes it reachable from outside as if you were sitting on the same network.
This works because WireGuard is installed on the router (MikroTik, pfSense, OPNsense, OpenWRT, or a Debian/Ubuntu box acting as gateway). The router's WireGuard peer connects to a relay server. Traffic to any IP on the LAN, including the IP where the NAS lives, routes through the tunnel.
Setting This Up with ProxyLink
ProxyLink provides the relay infrastructure and the browser interface on top of the tunnel. After installing the WireGuard tunnel on the router:
- In the ProxyLink dashboard, create a proxy link pointing to your NAS IP on port 5000 (HTTP scheme). Port 5000 works reliably. Avoid HTTPS scheme to port 5001, modern DSM units negotiate HTTP/2 which is not supported by the HTTP proxy; use the TCP link method below for port 5001.
- ProxyLink assigns a public URL, something like
https://abc123.proxy.proxylink.dev - Open that URL in any browser, DSM loads, served directly from your NAS, through the encrypted WireGuard tunnel
No QuickConnect. No port forwarding. No software on the NAS. The NAS is dark to the internet, the only way to reach it is through the WireGuard tunnel, which requires authentication to ProxyLink.
QuickConnect vs Tailscale vs ProxyLink, Full Comparison
| QuickConnect | Tailscale | ProxyLink | |
|---|---|---|---|
| NAS traffic through third-party relay | Yes, Synology servers | Sometimes, DERP relay servers | No, direct WireGuard tunnel |
| Works without static IP | Yes | Yes | Yes |
| Software required on the NAS | None (built-in) | Yes, Tailscale package on NAS | None, tunnel runs on router |
| Software required on your laptop | None | Yes, Tailscale client | None, browser only |
| Reaches NVR cameras and PBX on same LAN | No | No, only devices with Tailscale installed | Yes, all LAN devices through one tunnel |
| EU-hosted infrastructure | No | No (US-based) | Yes, Hetzner Germany |
| Access to Surveillance Station | Yes | Yes | Yes, same DSM port |
| NIS2 audit log | No | No | Yes, every session logged |
| Service outage dependency | Synology relay outage = no access | Tailscale outage = relay breaks | Self-contained WireGuard tunnel |
| MSP pricing for 50+ sites | Free (relay hidden cost) | Per-user, scales poorly | €69/mo flat, 300 tunnels |
TCP Link for DSM, SSL in the Browser
ProxyLink supports TCP proxy links with SSL termination on ports 443, 8443, and 5001. When you create a TCP link pointing to your NAS on port 5001, the browser sees a valid HTTPS connection (ProxyLink's certificate). DSM's own self-signed certificate stays internal, the browser does not complain.
This is the same approach that works for pfSense, OPNsense, Ubiquiti UniFi, and any other web-based management interface that runs HTTPS internally.
Surveillance Station and File Station
Both work through the proxy link since they run on the same DSM port. Once you have access to DSM, Surveillance Station's camera feeds and File Station's file browser work normally, they are just DSM features, not separate services.
Synology Remote Access Without DDNS or Static IP
One of the most common questions about Synology remote access is whether a static IP or DDNS service is required. The answer with a WireGuard tunnel is no. The tunnel connects outbound from your router to ProxyLink's relay server, the relay has the fixed address, not your site. Your NAS and router can sit behind CGNAT, dynamic IP, or any NAT configuration and the tunnel stays up regardless.
This is the same reason ProxyLink works for Starlink-connected sites, hotel networks, and any location where the ISP assigns dynamic or shared IPs. The outbound tunnel model bypasses the static IP requirement entirely.
If you are also managing Windows PCs at the same site, the same tunnel gives you browser-based RDP to every Windows machine on the LAN, no separate setup required.
QNAP Is the Same Story
QNAP has its own relay service (myQNAPcloud). The same concerns apply, traffic through QNAP's servers, dependency on their infrastructure, no EU data residency guarantee. The WireGuard-on-router approach works identically for QNAP's QTS web interface, with a proxy link pointing to the NAS IP on port 8080 or 443.
What This Means for NIS2
Under NIS2 Article 21, supply chain security means you need to document every third party that touches client data. If QuickConnect is routing NAS access, Synology is a third-party processor requiring a data processing agreement and client disclosure.
With the WireGuard tunnel approach, the only third party is ProxyLink, EU-hosted on Hetzner Germany, with an audit log of every session. The NAS traffic itself is encrypted end-to-end through the WireGuard tunnel.
Frequently Asked Questions
Can I access my Synology NAS remotely without QuickConnect?
Yes. A WireGuard tunnel on your router (MikroTik, pfSense, OPNsense, OpenWRT, or a Raspberry Pi) gives you remote access to DSM and all NAS services without enabling QuickConnect. The tunnel connects outbound from the router, your NAS needs no configuration changes and no static IP.
Does this work without a static IP or DDNS?
Yes. The WireGuard tunnel is outbound from the router to ProxyLink's relay server, which has a fixed address. Your NAS and router can be behind CGNAT, dynamic IP, or any NAT, the tunnel stays up as long as the router has internet access.
Will Surveillance Station camera feeds work through ProxyLink?
Yes. Surveillance Station runs on the same DSM port (5000/5001). Once you have a proxy link to DSM, every DSM feature, Surveillance Station, File Station, Synology Drive, works through that link. Camera feeds stream normally.
Does ProxyLink require any software on the Synology NAS?
No. The WireGuard tunnel runs on your router, not on the NAS. DSM sees normal LAN traffic with no awareness of ProxyLink. No packages, no agents, no Synology packages to install or maintain.
Is QuickConnect safe for a business environment?
For home use, the convenience usually outweighs the concerns. For business NAS devices holding client data, financial records, or CCTV footage, the relay architecture matters: Synology's servers handle session metadata, and their infrastructure is not EU-resident. Under NIS2, Synology becomes a third-party processor requiring a data processing agreement and client disclosure.
What are the best QuickConnect alternatives for MSPs?
For MSPs managing multiple client sites, the best QuickConnect alternatives are tools that do not require software on each NAS. A WireGuard tunnel on the router (ProxyLink) gives access to the NAS and every other device on the same LAN, switches, NVRs, PBX systems, through a single setup. Tailscale is a good personal option but requires a package on every device and doesn't cover network devices.
How do I access my Synology NAS remotely without DDNS?
With a WireGuard tunnel, DDNS is not needed. The tunnel connects outbound from your router to a relay server with a fixed address. You access the NAS through a stable ProxyLink URL, even if your ISP changes your IP address every day, the tunnel reconnects automatically and the URL stays the same.
Can I access Synology remotely over Starlink or CGNAT?
Yes. Starlink and CGNAT connections block inbound connections, which breaks port forwarding. A WireGuard tunnel uses an outbound connection from the router, it works on any internet connection that allows outbound UDP traffic, including Starlink, LTE, and any CGNAT environment.
Try ProxyLink free, no card required. If you manage Synology or QNAP devices at client sites, the first tunnel setup takes about 10 minutes.
Filippos Iliadis is the founder of ProxyLink. He manages remote access for 50+ hotel and SMB networks across Greece, including Synology NAS deployments at client sites, using the WireGuard-based architecture described in this post.