Great guide and even better timing! Solved a problem I just couldn't sort out myself with NPM running in a LXC container on Proxmox. Everything up, running and working now. Thanks Frank, you're a star!
Glad to hear it helped! Thanks for watching!
The best tutorial I saw, two days trying to configure it, and with you only 15 mins. Thanks a lot!!
I was looking exactly for this. Thanks in advance. You are the best 🙌
Excellent video Frank, this is definitely one of the best guides on the topic to date. Everything is explained beautifully and clearly. Excellent job!
Thanks, Avi! Appreciate you watching!
I'm pretty much doing all of this using Synology's built in reverse proxy. I probably have 20 different subdomains working exactly as I want. So, my question is what's the advantage to using nginx in a Docker container versus the internal nginx reverse proxy built into Synology?
EDIT: Love your straightforward way of explaining things!
Thanks Frank, this tutorial was very helpful.
Very cool, this is extremely useful. Thank you for your excellent tutorial on configuring this
I think you are using pfSense as a router/FW. It would be good if you can prepare some pfSense videos for us :) rules etc.
I'll add it to my list! It's hard for me to tell how much interest there is in pfSense videos.
You are letting your macvlan act as a DHCP server for your entire subnet (ip_range: 192.168.1.0/24)?
You have no IP conflicts?
Wouldn't it be best to restrict it to one IP address (ip_range: 192.168.1.2/32) or omit the ip_range variable?
Great video--thank you! I used your previous guide for Adguard but decided to uninstall it completely to use Pihole+NPM. I was having noob issues getting adguard to work with npm (network/macvlan etc). Could you do a follow-up guide to make this work well with Tailscale? I know you can set a local DNS in Tailscale, but I was having issues connecting to devices. I'm debating just going back to OpenVPN on my router because I could not get my off-network tailscale device to resolve anything DSM related (NAS is enabled for subnet routing with tailscale, and is running Pihole + NPM.)
Thanks! If you're running Tailscale on the NAS, it makes it more complicated because you have to use the bridge network IP as opposed to the NPM IP, but it adds a lot of complexity. I'm not sure I'd do this with that setup if I'm being honest.
@@WunderTechTutorials I am running Tailscale inside DSM. When I follow your config, I think it makes errors:
s obsolete, it will be ignored, please remove it to avoid potential confusion" Network npm_zbridge Creating Network npm_zbridge Error failed to create network npm_zbridge: Error response from daemon: cannot create network
conflicts with network / networks have overlapping IPv4
Thanks for the video. 2 quick questions-
1. Is this necessary if you are not exposing the services to the internet?
2. Can you create a quick guide on changes we need to do on pfSense if we want to run NPM in-house along with Cloudflare?
Thanks
Definitely not necessary - it's mainly for usage and there are a few services that require a reverse proxy to work (Vaultwarden is one of them), and if you don't want to expose it externally, this is one way to do it.
There aren't really any changes on the pfSense side. You would just create a DNS record in the DNS resolver rather than using Pi-hole.
@@WunderTechTutorials Thank you for your response.
Enjoyed the video. Silly question, when referencing the "Accessing Synology Services with Cloudflare..." video, should one follow that entire video/guide prior to completing the steps in this video?
Thanks! No, only the first part where you connect the domain to Cloudflare. Then you can pick back up here.
Thanks for this great guide. I was able to get it working on my Synology NAS with no issues. I am curious, could I use Tailscale to access my web apps through my tailnet while away from my local network?
Thanks! Yes, you should be able to if you configure a DNS server in Tailscale, but if you're accessing them remotely and using Tailscale on the same NAS, you probably have to use the bridge IP.
Excellent!!!
I was looking for this!
Not working for me. When I run the nslookup command, I get that the server is unknown and there's a non-authoritative answer that spits back the domain and local address/port.
All works well except for Synology NAS. I get 502 Bad Gateway on any proxy host that has a destination to it. I do have TLS/SSL Profile set to medium as I see that did cause problems in the past. Could the Synology certificate be causing the problem, as in Nginx does not like an invalid cert?
Made a command line acme.sh letsencrypt cert with CF to have a valid cert. That did not fix the 502 problem unfortunately.
Does this work with IPv6?
Great video. I am running your setup in Docker, but when I try to go to Portainer via the proxy host after I mapped it, I get a "Dangerous Site" warning from Google and a red screen. I can't go any further. Any suggestions?
Thanks! My only guess would be that it could be HTTP / HTTPS related. Did you select the correct type, for whatever port you're using with Portainer?
I have an existing instance of NPM running on a Synology NAS and Pi-hole running on a separate Raspberry Pi (not involved at all with NPM). Even after watching and trying this I cannot understand how to make this setup work for internal only use. The part that is still very confusing is the npm_network vs npm_zbridge, why and what they are doing. Maybe it would make more sense to move NPM to the Pi and run both in Docker instead of bare metal? Or Pi-hole to the NAS? Thoughts?
Those networks are only there to bypass the Synology use of ports 80/443. On a Raspberry Pi, you won't have to do that, so if you have one available, it probably makes sense to run it there.
Sorry for my stupid beginner question. When I have a domain I own and forward my services to the web with cloudflare at 443, doesn't it mean I have an open door for public to access my services? E.g. Synology DSM?
Yes, if you expose them to the web. This tutorial (assuming you're following it), doesn't expose anything to the Internet.
Can this be done with AdGuard instead of Pi-hole? Also, with the CNAMEs, can you just add a wildcard URL so you are not adding every service twice through the DNS server and the proxy server?
Yes, I believe AdGuard Home supports DNS records - and you can if it supports wildcard records.
Long live NGINX PM!
Love your videos! Quick question! Do you have to create an A record in CloudFlare for your subdomain?
Thanks! No, if you're using a local DNS server, only a local record is required.
@@WunderTechTutorials thanks for your response! It's now working great on my local network. Should this also work outside of my network? If not, what might I have missed? Many thanks in advance!
This will only work locally, but can work externally if you're using a VPN and set the DNS server to be the DNS server you configured.
@@WunderTechTutorials what if you already have a wildcard DNS record in Cloudflare? Is there a way to "have my cake and eat it too?", so have a local DNS cert without making my services public? At the same time I would like to have some of my subdomains be public, but the rest should only be locally resolvable and not public.
Nginx: I have this message when I want to log in: 'bad gateway'
I have this setup, together with OpenVPN to access my NAS outside my local network. I had the assumption I could this the local IP address to this new URL. Inside my local network it works. However it doesn't outside of my local network (with VPN on). Am I missing something or was this not the purpose in the first place?
My goal was to lose all the security warnings because the SSL was not setup.
Edit: Do I have to push the openvpn connection over my own dns server to work?
Yes, you are correct - you have to use the local DNS server through the VPN if you'd like it to work.
@WunderTechTutorials I get the error that the host is unreachable after setting everything up (changing the OpenVPN config file and the client config file) and doing an IP ping. Any thoughts? I ping the IPv4 of the Pi-hole (which I can access locally) successfully but not over the VPN.
If you're running the DNS server and OpenVPN on the NAS, are you using the bridge network IP in the config file?
@@WunderTechTutorials no I am using the ipv4 of the pihole
By creating the macvlan network in docker compose, it re-creates the network every time you restart, right? I created mine in the terminal but have to run a script so that it recreates every time I restart the NAS.
No, it should create it once (assuming you don't have any other network interfaces with the same name), and it'll reference it every time it starts, but only create it the first time. I just confirmed on my test setup that it all works as expected after a reboot.
@@WunderTechTutorials Thanks, I think it's because the method I was using was creating another macvlan interface on the host that communicates with the Docker containers on another macvlan network, but it gets removed with each restart. Your way is much better, will redo everything and follow your guide.
Great Video! I am using Unbound-DNS from opnsense. There is no CNAME possibility. What to do? Thanks!
Thanks! Do you have an alias option?
You can create a wildcard A record and point it to the IP of the NPM. Then you won't have to add CNAMEs each time you create a subdomain.
I'm running my NAS on a 12 hours daily basis. Is it possible to outsource the task to my Raspberry Pi that is running 24/7? I mean it should make no difference, right?
Absolutely! Should run great on a Pi.
Thank you for this video and tutorial. This is exactly what I need. Just a couple of questions though. Can you explain again what the npm_network and npm_bridge are for? I think you mentioned these in the video but my thick head is just not getting it. Is this for bridging all the containers running on the Container Manager?
Also, I already have pihole running on raspberry pi, and I have my docker containers running on portainer on my NAS, do I just use the generic Docker Compose file for the reverse proxy?
The bridge is strictly used for NAS to Container communication. Since we're using a macvlan network interface (npm_network), the NAS cannot communicate with the NPM container through the npm_network - that's what we're using the bridge for. The gateway (.1) is the NAS, and the IP (.10) is the container.
Yes, if you have a separate server, the generic Docker container will do what you're looking for!
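An added consistency check, not from the video or its compose file, for the macvlan ip_range question raised earlier in the thread (whole subnet vs one /32) and for the bridge layout described in the reply above (gateway .1 on the NAS, .10 for the container); the LAN subnet, the 192.168.10.0/24 bridge and the router's DHCP pool are assumed sample values:

```python
"""Sanity-check the Docker network layout discussed in this thread: a macvlan
network (npm_network) that lives on the LAN subnet and a separate bridge
(npm_zbridge) the NAS uses to reach the container. Added example, not the
guide's compose file; every subnet, IP and the DHCP pool below is assumed."""
import ipaddress

# Constructed sample of the compose 'networks:' ipam settings (assumed values).
# ip_range covers the whole LAN, the setting questioned earlier in the thread.
NETWORKS = {
    "npm_network": {
        "driver": "macvlan",
        "subnet": "192.168.1.0/24",
        "gateway": "192.168.1.1",
        "ip_range": "192.168.1.0/24",
    },
    "npm_zbridge": {
        "driver": "bridge",
        "subnet": "192.168.10.0/24",
        "gateway": "192.168.10.1",   # the NAS side of the bridge (.1)
    },
}
DHCP_POOL = ("192.168.1.100", "192.168.1.200")  # assumed router DHCP scope


def overlaps_pool(ip_range, pool):
    """True if any address Docker may assign from ip_range lies in the DHCP pool."""
    net = ipaddress.ip_network(ip_range, strict=False)
    lo, hi = (ipaddress.ip_address(a) for a in pool)
    return not (net[-1] < lo or net[0] > hi)


def check_networks(networks, dhcp_pool):
    """Return a list of findings (an empty list means the layout looks sane)."""
    findings = []
    subnets = {}
    for name, cfg in networks.items():
        subnet = ipaddress.ip_network(cfg["subnet"], strict=False)
        gateway = ipaddress.ip_address(cfg["gateway"])
        if gateway not in subnet:
            findings.append(f"{name}: gateway {gateway} is outside {subnet}")
        if cfg.get("driver") == "macvlan":
            # Without ip_range Docker may pick any free address in the subnet,
            # so a missing ip_range is treated as the whole subnet.
            ip_range = ipaddress.ip_network(cfg.get("ip_range", cfg["subnet"]), strict=False)
            if not ip_range.subnet_of(subnet):
                findings.append(f"{name}: ip_range {ip_range} is not inside {subnet}")
            elif overlaps_pool(ip_range, dhcp_pool):
                findings.append(
                    f"{name}: ip_range {ip_range} overlaps the DHCP pool "
                    f"{dhcp_pool[0]}-{dhcp_pool[1]}; Docker and the router can hand out the same IP")
        subnets[name] = subnet
    # The daemon refuses a new network whose subnet overlaps an existing one
    # ("networks have overlapping IPv4"), so catch that before 'compose up'.
    names = list(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                findings.append(f"{a} and {b}: {subnets[a]} overlaps {subnets[b]}")
    return findings


def pin_macvlan(networks, host_ip):
    """Return a copy of networks with the macvlan ip_range pinned to one host (/32)."""
    fixed = {n: dict(c) for n, c in networks.items()}
    for cfg in fixed.values():
        if cfg.get("driver") == "macvlan":
            cfg["ip_range"] = f"{host_ip}/32"
    return fixed


if __name__ == "__main__":
    for line in check_networks(NETWORKS, DHCP_POOL) or ["no findings"]:
        print(line)
    print("after pinning:", check_networks(pin_macvlan(NETWORKS, "192.168.1.2"), DHCP_POOL))
```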
@@WunderTechTutorials Oh gotcha! Thanks again.
@@WunderTechTutorials Hi! Me again :) I cannot get a wildcard SSL certificate on my Cloudflare domain; it's just timing out. Do I need to run the cloudflared tunnel like in the other video you referenced?
@@CelsoBarriga No, you should just be able to use the Cloudflare token. Did you set the permissions properly?
@@WunderTechTutorials Hi Frank, thanks for your response. I figured out what was wrong. The container log showed that it couldn't connect to pypi to install the cloudflare module. The docker-compose has the bridge with higher priority than the macvlan network, but the bridge network doesn't have an outside route; only the macvlan network does. So, I temporarily removed the bridge from the container, and then I was able to pull a cert. But if I put the bridge back, this would fail when it comes time to renew the cert, right? And I need that bridge.
Very nice video, thanks. This method doesn't expose anything externally to the wider internet; this is just for internal LAN usage, correct?
Thanks! Correct, just for internal usage.
@@WunderTechTutorials that's awesome will give it a go tonight on prox. thanks!!
@@WunderTechTutorials What happens if you want to use this set up for internal use, but you also want to open some services to the internet. Would opening port 443 and 80 cause issues?
@@ToastOnAvacado Short answer is that you can, but you might want to distinguish them somehow. For example, *.home.domain.com is local stuff and *.domain.com is external stuff.
Great video! I’ll try if this setup works with Photostation and custom subdomain. Thanks!
So, I got to the point where I set up the DNS record in Pi-hole. I'm using Duck DNS. When I entered the domain for NPM in the browser it says server not found. What am I doing wrong?
So the DNS record (xyz.subdomain.duckdns.org) is pointing to the NPM server? And you have a proxy host record in NPM with the correct HTTP/HTTPS, server IP, and port?
@@WunderTechTutorials yes, I'm stumped.
@@WunderTechTutorials Hmmm, it suddenly started working! Didn't change a thing. Thanks for your help. Great video as usual.
Nice video. I actually use macvlan on Synology but in different VLANs over a LAGG. Btw I tried in NPM to set it as well for the Synology Drive app, but it's not working, because the app needs two ports. Do you know how to set it in NPM?
Thanks! Did you set it up as a login portal in DSM and assign a port to it? If so, you should be able to use that port - I show it towards the end of the video.
@@WunderTechTutorials Yes, but the problem is when you use the app, the connections from the app are done under port 6690, on which the NPM is not listening. And I do not know how to set NPM to listen on this port.
@@MiFonito The app works for me using the method shown in the video. That's how I've been running it, but you can't have two ports for one reverse proxy rule either way.
@@WunderTechTutorials hmm interesting, then I probably have a misconfig somewhere in the NPM. I will review it. Many thanks for the input! You gave me some ideas on what to check.
Also to be more clear I am speaking about the Mobile or Desktop app client.
My apologies, I thought you meant the mobile app. Right now, this will not work with the desktop app.
Is it safe compared to Tailscale?
This is only for internal DNS resolution (though you could use it externally, but Tailscale is more secure in that regard).
Now make a local DNS resolver that doesn't need a top level domain.
Thanks!
Local SSL → Proceeds to use Let's Encrypt and DuckDNS
The only other way to do it is to be your own certificate authority, which 99% of people won't want to do as soon as they understand how the certificates work. This is all done through DNS, no ports are opened, and everything just works. IMO, much better way of doing it than being your own CA.
I found this today, but do you need to add the Pi-hole DNS record once you have configured the NGINX reverse proxy? Mine works without it. I followed the instructions here and it is much easier: ua-cam.com/video/acturgE4TmE/v-deo.html. It would be great if you could point out any risks or downsides of not configuring DNS records. I have a Unifi UDM Pro but did not change anything there to get it working, so not sure why DNS records
cloudflare tunnel.... problem solved. No open ports etc.
This is for internal DNS resolution + cert.