Do you have a Synology NAS in a remote location (like your home or office) and wish you could securely manage it via SSH just like you would locally, no matter where you are? This guide documents how to achieve this using Cloudflare Tunnel (a Zero Trust tunnel).
Advantages of using Cloudflare Tunnel:
- No Public IP Required: Even if your Synology NAS is behind a complex internal network, you don’t need to worry about having a public IP address.
- No Open Ports: You don’t need to configure any port forwarding on your router. This significantly enhances security by preventing your SSH port from being exposed to malicious scans on the public internet.
- Highly Secure: All traffic is encrypted and protected through Cloudflare’s global network, and you can benefit from its powerful DDoS protection capabilities.
- Stable and Free: Cloudflare offers a generous free plan for personal users, which is more than sufficient for remote SSH management needs.
Prerequisites:
- A Synology NAS: You must know its administrator account and password.
- Your own domain name: For example, yourdomain.com. You must be able to change this domain’s DNS settings.
Part One: Cloud-Side Setup on Cloudflare
In this part, we will create a tunnel in the Cloudflare dashboard and obtain the token required for the connection.
Step 1.1: Add Your Domain to Cloudflare
If your domain is not yet managed by Cloudflare, first log in to the Cloudflare website, click “Add a Site,” and follow the instructions to add your domain. This usually requires you to change your domain’s Name Servers to the addresses provided by Cloudflare in your domain registrar’s settings.
Step 1.2: Enter the Zero Trust Dashboard
On the main Cloudflare dashboard, select Zero Trust from the left-hand menu. The first time you enter, you may need to select a free plan and set up a team name.
Step 1.3: Create a Tunnel
- In the Zero Trust dashboard, select Access -> Tunnels from the left-hand menu.
- Click the Create a tunnel button.
- Give your tunnel an easily recognizable name, such as synology-nas, and then click Save tunnel.
Step 1.4: Get and Save the Connector Token
After creating the tunnel, you will see a “Choose your environment” page. This page provides commands to install the connector (cloudflared) on different operating systems.
This step is crucial. In the command box on the right, you will see a full installation command, similar to cloudflared service install ey... You only need to copy the long, random-looking string that follows install. This is your tunnel token. Copy the token completely and save it in a safe place, as we will need it on the Synology NAS shortly. Treat it like a password, since the token is what lets a connector attach to your tunnel.
Part Two: Installing and Configuring the Tunnel on Synology NAS (Package Center Version)
Now, we will use the more convenient Package Center method to install the cloudflared software on your Synology NAS and connect it to Cloudflare.
Step 2.1: Add a Third-Party Package Source
- Log in to your Synology DSM desktop and open the Package Center.
- Click the Settings button in the upper-right corner.
- In the pop-up window, select the Package Sources tab.
- Click Add, enter SynoCommunity in the “Name” field, and enter the following address in the “Location” field: https://packages.synocommunity.com
- Click OK to save.
Step 2.2: Install Cloudflared from the Package Center
- Return to the main Package Center interface and select Community from the left-hand menu.
- In the search box in the upper-right corner, type Cloudflared and search.
- Find the Cloudflared package and click Install.
- Wait for the installation to complete. This step automatically handles user, permission, and background service configurations.
Step 2.3: Configure the Tunnel Token
- After installation, find Cloudflared in the Package Center and click Open.
- The package’s configuration interface will be very simple, usually with an input box prompting you to enter the Tunnel Token.
- Paste the long token string you copied from the Cloudflare dashboard in Step 1.4 completely into this input box.
- Click Apply or Save. The package will automatically start in the background and use your token to connect to Cloudflare’s network.
Step 2.4: Verify the Connection and Point it to the SSH Service
- Go back to the Cloudflare Zero Trust dashboard in your browser. Refresh the page, and you should see your connector status display as “Connected” on the tunnel configuration page. If so, your Synology NAS has successfully connected to the cloud!
- Now, let’s tell the tunnel to forward incoming requests to the Synology’s SSH service. Click the Public Hostnames tab.
- Click Add a public hostname.
- Fill out the rule:
  - Subdomain: Enter a subdomain you like, e.g., ssh or nas.
  - Domain: Select your domain.
  - Path: Leave this blank.
  - Service:
    - Type: You must select SSH.
    - URL: Enter localhost:22 (where 22 is the default port for the Synology SSH service).
- Click Save hostname.
At this point, all server-side configuration is complete!
Part Three: Configuring the SSH Client on Your Computer
For the final step, we need to configure the SSH client on your own computer so it knows how to connect through the Cloudflare Tunnel.
Step 3.1: Install cloudflared on Your Computer
Your computer also needs this tool installed to act as a “client-side proxy.” You might wonder why you need to install it on your computer if it’s already on the Synology. This is because they play different roles: the cloudflared on your Synology NAS is responsible for securely “sending” the internal service to the cloud, while the cloudflared on your computer is responsible for securely “bringing” your SSH command to the cloud. They shake hands in the cloud to form a complete, encrypted channel.
- Official download link: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/
- Please download and install it according to your operating system (Windows/macOS/Linux). For example, on macOS, it’s recommended to use Homebrew: brew install cloudflared
Step 3.2: Modify Your Local SSH Configuration File
This is the key step that makes the magic happen.
- Open your computer’s SSH configuration file with a text editor. It is usually located at ~/.ssh/config (macOS/Linux) or C:\Users\YourUsername\.ssh\config (Windows). If the file or directory does not exist, please create it manually.
- Add the following configuration block to the file:
    # Connect to Synology NAS via Cloudflare Tunnel
    Host ssh.yourdomain.com
        ProxyCommand /opt/homebrew/bin/cloudflared access ssh --hostname %h
- Be sure to modify the following:
  - Host ssh.yourdomain.com: Replace ssh.yourdomain.com here with the full hostname you set up in Step 2.4.
  - /opt/homebrew/bin/cloudflared: Replace this with the actual installation path of cloudflared on your computer. You can find it by typing which cloudflared (macOS/Linux) or where.exe cloudflared (Windows) in your terminal.
Part Four: Time to Connect!
All configurations are complete! Now, no matter where you are, just open your computer’s terminal and type the familiar SSH command:
    ssh [your_synology_username]@ssh.yourdomain.com
(Please replace ssh.yourdomain.com with your own hostname)
You will find that the system prompts you for your password as usual. After successful authentication, you have successfully logged into your remote Synology NAS!
Conclusion and Troubleshooting
Congratulations! You have successfully built an extremely secure and convenient path back to your NAS.
- Q: What should I do if the connection times out or fails? A: First, go back to the Cloudflare Zero Trust tunnel management page and confirm that your tunnel connector has a green “Connected” status. If not, try restarting the Cloudflared package in the Synology Package Center. If the status is normal but you still can’t connect, carefully check that the hostname and ProxyCommand path in your local .ssh/config file are completely correct.
- Q: I get a Classic tunnels have been deprecated error when connecting via SSH? A: This is because the ProxyCommand in your SSH config file is outdated. Make sure you are using cloudflared access ssh --hostname %h and not the old cloudflared tunnel ... command.
- Q: When using sudo, it fails even with the correct password? A: This is likely due to a mismatch between your local computer’s keyboard layout and the remote server’s layout, causing special characters (like @, !, #) to be entered incorrectly. You can use an “echo test” to verify or temporarily change your password to something simpler to resolve this.
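The client-side checks from the troubleshooting notes (the Host entry, the cloudflared path, and the current ProxyCommand form) can be automated. The following Python sketch is an added example, not part of the original guide or of cloudflared; the function names and sample configs are constructed here, and the parser assumes literal Host names (no wildcards) and a cloudflared path without spaces.

```python
import re
import shutil

# Constructed sample configs; hostnames and paths are the guide's placeholders.
GOOD = """# Connect to Synology NAS via Cloudflare Tunnel
Host ssh.yourdomain.com
    ProxyCommand /opt/homebrew/bin/cloudflared access ssh --hostname %h
"""
OLD = """Host ssh.yourdomain.com
    ProxyCommand cloudflared tunnel <old-arguments>
"""

def proxy_commands(config_text):
    """Map each literal Host name to its ProxyCommand (None if it has none)."""
    hosts, current = {}, []
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "host":
            current = value.split()
            for name in current:
                hosts.setdefault(name, None)
        elif keyword == "proxycommand":
            for name in current:
                if hosts[name] is None:  # ssh_config keeps the first value it sees
                    hosts[name] = value
    return hosts

def check_host(config_text, hostname, resolve=shutil.which):
    """Return a list of problems; an empty list means the entry looks right."""
    command = proxy_commands(config_text).get(hostname)
    if command is None:
        return [f"no Host block with a ProxyCommand for {hostname}"]
    argv = command.split()  # assumes the cloudflared path contains no spaces
    problems = []
    if re.split(r"[\\/]", argv[0])[-1].lower() not in ("cloudflared", "cloudflared.exe"):
        problems.append("ProxyCommand does not run cloudflared")
    elif resolve(argv[0]) is None:
        problems.append(f"{argv[0]} not found or not executable")
    if argv[1:3] != ["access", "ssh"]:
        problems.append("expected 'cloudflared access ssh', not the old 'cloudflared tunnel' form")
    if not any(a == "--hostname" and b in ("%h", hostname) for a, b in zip(argv, argv[1:])):
        problems.append("missing '--hostname %h'")
    return problems

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("old", OLD)):
        print(label, check_host(text, "ssh.yourdomain.com"))
```

To check a real machine, pass the contents of your own SSH config file and your tunnel hostname to check_host; the default resolve argument then verifies that the cloudflared binary named in ProxyCommand actually exists and is executable.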