↼ My Two Cents

Cover image for Access Synology NAS Securely Using Cloudflare Tunnel

Access Synology NAS Securely Using Cloudflare Tunnel

#Synology #Cloudflare #Zero Trust #Self-hosting #Homelab

Exposing services like Synology DSM, File Station, or Photos should never mean opening ports to the internet. In this guide, I’ll walk through setting up Cloudflare Tunnel on a Synology NAS the easy way — no port forwarding, no headaches.

🧰 What You’ll Need

  • A domain managed in Cloudflare
  • Cloudflare Zero Trust enabled (free tier works)
  • SSH and Docker access on your Synology NAS (DSM 7+ preferred)

⚙️ Step 1: Create the Tunnel in Cloudflare

  1. Log into Cloudflare Zero Trust
  2. Go to Access → Tunnels
  3. Click Create a Tunnel
  4. Give it a name like synology-nas
  5. For the connector, select Docker
  6. Copy the generated docker run command — it includes your tunnel ID and credentials

💡 Keep this tab open. You’ll run the Docker command on your NAS in the next step.

🐳 Step 2: Run Cloudflared in Docker on Synology

SSH into your Synology NAS:

ssh admin@your-nas-ip

Create a directory for the tunnel credentials:

mkdir -p /volume1/docker/cloudflared

Then run the Docker command you copied from the Cloudflare dashboard. It should look similar to:

docker run -d \
  --name cloudflared \
  --restart unless-stopped \
  -v /volume1/docker/cloudflared:/etc/cloudflared \
  cloudflare/cloudflared:latest tunnel run

This spins up the tunnel and connects your NAS securely to Cloudflare’s edge network.

🌐 Step 3: Create a Public Hostname

Back in Cloudflare Zero Trust:

  1. Click on the tunnel you just created
  2. Go to Configure → Public Hostname
  3. Add a hostname like nas.yourdomain.com
  4. Service type: HTTPS
  5. URL:
    • For DSM: https://localhost:5001
    • For other apps (Photos, File Station): adjust accordingly
  6. Click Save

A CNAME record will be created automatically for you.

🔐 Step 4: (Optional) Add Cloudflare Access Protection

To secure it behind identity checks:

  1. Go to Access → Applications
  2. Click Add application
  3. Choose Self-hosted
  4. Set the URL (e.g. https://nas.yourdomain.com)
  5. Select your identity providers (email, GitHub, OTP, etc)
  6. Define access rules (e.g. allow only your email)

Now your NAS is behind a Zero Trust layer — even if the link leaks, it’s protected.

✅ You’re Done

You now have secure, encrypted, authenticated access to your Synology NAS from anywhere — without exposing a single port.

If this helped you secure your NAS (or saved you from exposing port 5000 to the internet), consider buying me a coffee:

👉 https://ko-fi.com/alwynispat

Every tip helps me keep testing, writing, and sharing guides like this. Appreciate the support!

Why I Chose Cloudflare Pages … →