Connecting to Synology NAS Surveillance Station with Pangolin and Newt

After some trial and error, I found a setup that reliably connects to my Synology NAS's Surveillance Station through a VPS using Pangolin and Newt. The key was updating to the latest version of Pangolin and configuring an HTTP resource properly. Below are the steps to achieve this setup, ensuring compatibility with both web browsers and the Synology apps while keeping all client traffic on port 443 (as Cloudflare tunnels do) and supporting multiple instances without forwarding a separate port for each one.

Prerequisites

  • Synology NAS: Surveillance Station configured with its own HTTPS port, 9901, so that clients land on the Surveillance Station login rather than the DSM login screen.
  • VPS: Running Pangolin (with its bundled Traefik). Newt runs on a host that can reach the NAS; in the setup described here that is a separate machine on the same flat network as the Synology NAS.
  • Goal: Replace Cloudflare tunnels, disable Pangolin's own authentication for this resource and rely on Synology's authentication instead, and scale the same pattern to 20+ instances.

Steps to Set Up

  1. Update Pangolin to the Latest Version

    • Ensure you’re using Pangolin version 1.0.0-beta.15 or later. This version includes critical fixes that resolve compatibility issues with the Synology desktop client and mobile apps when using HTTP resources.
    • Update Pangolin on your VPS by pulling the latest release (e.g., via Docker if you’re using a containerized setup).
  2. Configure the Newt Resource

    • In the Pangolin dashboard, create a resource on the site that your Newt instance registers, with a target of the NAS's IP address and port 9901 (e.g., 192.168.1.100:9901). Surveillance Station speaks HTTPS on 9901, so the target scheme should be https, not http.
    • Set the resource type to HTTP. This is the crucial part: earlier attempts with raw TCP/UDP resources did work, but each instance then needs its own forwarded port, which defeats the goal of keeping everything on port 443 for scalability and simplicity.
    • Assign a domain or subdomain (e.g., surveillance.example.com) that routes through Pangolin to this resource. Each further instance gets its own subdomain on the same 443 listener.
  3. Disable Pangolin Authentication (Optional)

    • If you want to rely solely on Synology's authentication, disable Pangolin's authentication for this resource.
    • In Pangolin's configuration, set the authentication policy to "Always Allow" or remove the auth middleware for this specific resource. This ensures users are prompted only by Synology's login screen.
    • Caveat: with Pangolin's authentication off, the Surveillance Station login page is reachable by anyone who can resolve the hostname, exactly as it was behind the Cloudflare tunnel. Keep DSM's Auto Block and 2-factor authentication enabled, and give the apps a dedicated non-administrator account.
  4. Verify Synology NAS Settings

    • Confirm that Surveillance Station is configured to use HTTPS on port 9901. You can check this in the Surveillance Station settings on your Synology NAS; the Pangolin target must match this port exactly, since DSM's own ports (5000/5001) serve the DSM login screen, not the app.
    • Ensure the NAS isn't redirecting ports 80 and 443 to other ports (like 5000 or 5001) in a way that interferes with the apps. In my case, the default DSM behavior didn't cause issues after the Pangolin update, because the proxied path goes straight to 9901 and never touches DSM's 80/443 listeners. If you do encounter problems, you can disable DSM's port 80/443 listeners via CLI (there are community guides for this, including on Reddit), but keep an SSH session open and SSH enabled while you do it so a mistake in the web server config doesn't lock you out.
  5. Test Connections

    • Web Browser: Access the resource (e.g., https://surveillance.example.com) in a browser. You should reach the Surveillance Station login page and log in successfully using Synology credentials.
    • Synology Apps: Open the Surveillance Station desktop client or mobile app, and enter the resource URL (e.g., surveillance.example.com). The apps should now connect without issues, performing the TLS handshake on port 443 and routing to 9901 behind the scenes.

Why This Works

  • Pangolin 1.0.0-beta.15 Fix: Earlier versions had compatibility problems with Synology apps over HTTP resources, likely due to how the apps handled TLS handshakes or Synology’s login redirects. The update resolves this, mimicking Cloudflare tunnels’ behavior of keeping traffic on 443.
  • HTTP Resource: Using HTTP instead of TCP sockets (e.g., for ports 5000/5001) simplifies management and scales better for your 20+ instances, avoiding the need to forward multiple ports per instance.
  • Port 9901: Surveillance Station’s dedicated HTTPS port bypasses the DSM login screen, streamlining access.

Troubleshooting Tips

  • If the apps still fail to connect:
    • Double-check Pangolin's version (docker ps shows the running image tag if containerized; compare it against the release notes).
    • Use Wireshark to confirm the client is attempting a TLS handshake on 443 with the VPS and completing it successfully.
    • Ensure no Traefik or firewall rules on the VPS block the connection.
  • If you're unfamiliar with Traefik, you likely don't need to modify it beyond Pangolin's default setup, since the beta.15 fix handles the Synology app quirks.
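To make steps 4 and 5 and the first troubleshooting bullets repeatable from a shell, here is a small script I wrote as an added example; it is not from the original post or from the Pangolin/Newt projects. It does the TLS handshake on 443 with SNI the way the apps do, fetches the response headers both through Pangolin and (from the Newt host) directly from the 9901 target, and classifies the result so a bounce to DSM on 5000/5001 or a redirect away from the resource is obvious. The hostnames, the NAS address and the pangolin.example.com redirect in the sample are assumptions; the sample header blocks are constructed, not captured from a real NAS.

```shell
#!/bin/sh
# Added example: verify the client -> VPS:443 -> Newt -> NAS:9901 path.
# PUBLIC_HOST and NAS_TARGET are assumed values; override them for your setup.
PUBLIC_HOST="${PUBLIC_HOST:-surveillance.example.com}"
NAS_TARGET="${NAS_TARGET:-192.168.1.100:9901}"

# Classify a response-header block (as captured by `curl -sSI`). Prints:
#   ok            200 straight from Surveillance Station
#   dsm-redirect  bounced to DSM on 5000/5001: the request hit DSM's 80/443
#                 listener (or the target points at DSM) instead of the 9901 app port
#   redirect:URL  any other redirect, so the request never reached the app login
#   http-NNN      any other status ("http-none" when nothing came back)
classify_response() {
  headers=$(printf '%s\n' "$1" | tr -d '\r')
  status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
  location=$(printf '%s\n' "$headers" | awk 'tolower($1)=="location:" {print $2; exit}')
  case "$status" in
    200) echo ok ;;
    301|302|303|307|308)
      case "$location" in
        *:5000/*|*:5001/*|*:5000|*:5001) echo dsm-redirect ;;
        *) echo "redirect:$location" ;;
      esac ;;
    *) echo "http-${status:-none}" ;;
  esac
}

# TLS handshake on 443 with SNI, which is the first thing the Synology apps do.
tls_handshake_ok() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | grep -q 'SSL handshake has read'
}

# Constructed sample responses (not captured from a real NAS) so the
# classifier can be exercised without network access.
SAMPLE_APP_OK='HTTP/2 200
content-type: text/html; charset=utf-8'
SAMPLE_DSM_REDIRECT='HTTP/1.1 302 Moved Temporarily
Location: https://192.168.1.100:5001/'
SAMPLE_AUTH_REDIRECT='HTTP/2 302
location: https://pangolin.example.com/login'

self_test() {
  [ "$(classify_response "$SAMPLE_APP_OK")" = ok ] &&
  [ "$(classify_response "$SAMPLE_DSM_REDIRECT")" = dsm-redirect ] &&
  [ "$(classify_response "$SAMPLE_AUTH_REDIRECT")" = 'redirect:https://pangolin.example.com/login' ]
}

live_check() {
  if tls_handshake_ok "$PUBLIC_HOST"; then
    echo "TLS to $PUBLIC_HOST:443 ... ok"
  else
    echo "TLS to $PUBLIC_HOST:443 ... FAILED (DNS, VPS firewall, or Traefik not serving this host)"
  fi
  # Through Pangolin: expect 'ok', i.e. the Surveillance Station login page.
  public=$(curl -sSI --max-time 10 "https://$PUBLIC_HOST/" 2>/dev/null || true)
  echo "via Pangolin : $(classify_response "$public")"
  # From the Newt host, straight to the target. -k because the NAS presents
  # DSM's own certificate, which is normally self-signed.
  direct=$(curl -sSIk --max-time 10 "https://$NAS_TARGET/" 2>/dev/null || true)
  echo "direct target: $(classify_response "$direct")"
}

case "${1:-}" in
  --live) live_check ;;
  *) self_test && echo "classifier self-test passed; run with --live to probe the real path" ;;
esac
```

Run it once with `--live` on the Newt host: if "direct target" says ok but "via Pangolin" does not, the problem is on the VPS side (Traefik, firewall, or an old Pangolin); if the direct check already shows dsm-redirect, the target port or Surveillance Station's port setting is wrong and no Pangolin change will fix it.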

Final Notes

This setup mirrors the simplicity of Cloudflare tunnels while leveraging Pangolin’s flexibility. You won’t need to forward TCP port 9901 to the host for each instance, as the HTTP resource handles everything over 443.