
From Open Door to Zero Trust: How I secured my NAS

Personal Tech Stack Refresh 2026 - This article is part of a series.
Part 2: This Article

Like many home server enthusiasts, I started with a setup that prioritized convenience. I wanted to access my photos, files, and my WordPress blog from anywhere. The easiest way? Open some ports on my router.

But looking at my logs and reading about ransomware attacks on NAS devices, I realized I was living dangerously. My admin login page was exposed to the entire internet. Today, I tore down my network configuration and rebuilt it using a Zero Trust model with Tailscale, all while keeping my public blog running perfectly.

Here is exactly how I did it, and the massive difference it made.

The “Before” State: Convenient but Risky

  • Router: Ubiquiti Dream Machine Pro (UDM Pro).
  • The Exposure: Ports 5000 (HTTP) and 5001 (HTTPS) were forwarded directly to my NAS.
  • The Domain: xxxx-home.com pointed to my home IP. I have a No-IP subscription to run DDNS on the UDM Pro.
  • The Problem: Anyone who typed my domain or scanned my IP could see my Synology DSM login screen. I was one weak password away from a breach.

What is Tailscale?

Tailscale is a zero-config mesh VPN that fundamentally reimagines how we secure our devices. Instead of routing traffic through a central bottleneck like a traditional VPN, Tailscale creates a peer-to-peer mesh network where every device connects directly to every other device using the high-performance WireGuard protocol. It achieves “Zero Trust” by decoupling identity from physical location; it doesn’t matter if your server is on a home LAN, a coffee shop Wi-Fi, or a cloud VPC - access is granted based on who you are (via your existing SSO provider like Google or Microsoft) rather than where your IP address is coming from. While Tailscale’s central coordination server manages these public keys and access policies, it never sees your actual data, which remains end-to-end encrypted between your devices. This architecture allows you to close open firewall ports and expose services only to authenticated users within your private “tailnet”, effectively rendering your infrastructure invisible to the public internet.

Tailscale’s “Personal” plan is arguably the most generous free tier in the networking space, making it perfect for homelabbers and power users. The free plan is fully functional: it supports up to 3 users and 100 devices, meaning you can easily share your Plex server or NAS with a partner or friend without paying a dime. It also includes advanced enterprise-grade features like MagicDNS (so you can use names like nas instead of IP addresses), Subnet Routers (to reach dumb devices like printers), and ACLs (to lock down who can access what). For most home users, you will likely never hit the paywall.

The Transformation: Step-by-Step

Instead of opening a door in my router firewall, I installed Tailscale. This requires registering a free account with Tailscale and creates an encrypted mesh VPN between my devices.

Phase 1: Building the Private Tunnel (Tailscale)

Install the Tailscale client on both the NAS and your device (my phone in this case):

  • The Hurdle: The version of Tailscale in the Synology Package Center was ancient (v1.38). It was missing key features.
  • The Fix: I manually downloaded the latest .spk (AMD64) from the Tailscale website and updated it to v1.78+. Installing on phones is very easy, just like installing any other app.
  • The Result: My phone and NAS could now talk to each other securely without any open ports.

Phase 2: The “Green Lock” (Valid SSL Certificates)

I didn’t want to see browser warnings when accessing my NAS over its private IP. Tailscale has a feature to generate valid certificates for internal networks, but it requires a trick on Synology.

  • I enabled “HTTPS” in the Tailscale Admin Console.
  • I ran a root script in Synology Task Scheduler:

        /var/packages/Tailscale/target/bin/tailscale configure synology-cert

  • Troubleshooting: I hit a 500 Internal Server Error because of the old version. Toggling HTTPS off/on in the Tailscale console and restarting the app fixed it.
  • Now, accessing https://[my-machine].ts.net:5001 gives me a valid, secure connection.

Also note that the browser caches heavily (from DNS to the certificate status). Be a little patient, or clear the cache / use incognito mode to see the most up-to-date network configuration.

Phase 3: Locking the Front Door

With the VPN working, I logged into my UDM Pro and disabled the port forwarding rules for 5000 and 5001.

  • Immediate Effect: Traffic to my admin panel from the public internet stopped instantly.
  • The Exception: I left ports 80 and 443 open because I host a public WordPress blog (magiklog.com). Later, in another post, the blog was moved to Hugo, so these two ports were closed too.

Phase 4: Stealth Mode & The “Hello” Page

Even with ports 5000/5001 closed, Synology has a habit of redirecting traffic on Port 80 (public web) to the DSM login page if it doesn’t know what else to do. I wanted to hide the fact that I even own a NAS.

  • I created a dummy index.html file in Web Station that just says “Hello.”
  • I set Web Station’s Default Server to use Nginx (with no PHP) and point to that dummy file.
  • The Result: If a hacker scans my IP or visits xxxx-home.com, they see a blank white page saying “Hello.” No login screen. No Synology branding. Total stealth.

Phase 5: Quality of Life (Reverse Proxy)

I hated typing :5001 at the end of my URL. I wanted to just type the Tailscale domain and have it work.

  • I set up a Reverse Proxy rule in Synology.
  • Source: HTTP (Port 80) using my private Tailscale hostname.
  • Destination: HTTPS (Localhost Port 5001).
  • Access Control: I limited this rule so it only works if the user is coming from the Tailscale VPN subnet (100.x.x.x).
  • Now, I just type the name, and the NAS automatically redirects me to the secure login page.
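As an added illustration (not the configuration Synology's Web Station generates), here are the Phase 4 catch-all “Hello” server and the Phase 5 tailnet-only reverse proxy written as plain nginx. The hostname, document root and certificate paths are placeholders; the one point worth checking in your own rule is that Tailscale assigns addresses from 100.64.0.0/10, so the “100.x.x.x” allow rule should use that prefix rather than all of 100.0.0.0/8.

```nginx
# Phase 4: default server on the public port 80.
# Any request whose Host header matches no other server block lands here
# and receives only the static "Hello" page, never a DSM login redirect.
server {
    listen 80 default_server;
    server_name _;
    root /volume1/web;          # assumed location of the dummy index.html
    index index.html;

    location / {
        try_files $uri /index.html;
    }
}

# Phase 5: convenience proxy, reachable only over the tailnet.
# NAS_HOSTNAME.TAILNET.ts.net is a placeholder for the MagicDNS name.
server {
    listen 80;
    server_name NAS_HOSTNAME.TAILNET.ts.net;

    # Tailscale's IPv4 range is 100.64.0.0/10 (the CGNAT block).
    # Writing 100.0.0.0/8 here would also admit non-Tailscale addresses.
    allow 100.64.0.0/10;
    deny  all;

    location / {
        # DSM keeps serving on 5001; nginx just removes the need to type the port.
        proxy_pass https://127.0.0.1:5001;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # DSM's UI uses WebSockets; forward the upgrade headers.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Because the allow/deny pair runs before proxying, a request from a public or LAN address to the ts.net hostname gets a 403 from nginx and never reaches DSM.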

The Comparison: Before vs. After

| Feature | BEFORE | AFTER |
|---|---|---|
| Public Visibility | High. Login page visible to the world. | Stealth. Public sees a blank “Hello” page. |
| Admin Access | Open ports 5000/5001 on Router. | Closed. Access only via Tailscale VPN. |
| Security | Reliance on passwords & hope. | Zero Trust. Military-grade WireGuard encryption. |
| Public Wi-Fi Use | Dangerous/Exposed. | Secure. “Exit Node” enabled to encrypt all phone traffic. |

Final Thoughts

It took a bit of tinkering—specifically manually updating the Tailscale package and setting up the “dummy” Web Station page—but the peace of mind is worth it. I now have a professional-grade setup where my public blog is open for business, but my personal files and photos are completely invisible to the internet. The downside is that I can’t access my home network from my work computers any more because Tailscale is not allowed there. But I think I’m happy with that little inconvenience.
