Enabling IPsec/L2TP Forwarding on a Telekom Speedport W 724V
Note: I dug up the original post I wrote back in 2015 using archive.org’s wayback machine because my analytics tool showed me that people were still looking for this even today! I’m quite impressed – in a very disturbed way – that people still seem to be using this piece of crap device.
Ever since the day I moved all my data from Dropbox (see #DropDropbox and the Snowden revelations) to my private cloud – a Synology 415play with ~12TB of storage — I’ve been looking for a way to make this data available to me on the go. Synology provides a handful of solutions to do so, like for example their DS Cloud apps. Unfortunately these apps require you to either punch some holes into your firewall and allow direct access to the NAS’ web-service or use Synology’s QuickConnect, which is yet another man-in-the-middle that could theoretically read the data being transferred from the storage to the clients.
However, after a group of hackers began exploiting vulnerabilities in the NAS’ services in August 2014 and managed to install ransomware named SynoLocker on many people’s devices, allowing direct access from the internet to the Synology clearly didn’t sound like a great plan. The solution: a VPN.
A VPN would allow me to make only the VPN server – a piece of software that’s quite challenging to hack when implemented correctly – reachable from the internet, and let my laptop and smartphone connect from anywhere in the world as if I were at home, using DS file or even AFP/SMB.
To do so I set up an IPsec/L2TP server, as this type of VPN is supported natively by my Mac and Android, and I only needed to have my internet router forward the required UDP ports 4500 to my VPN server. And that’s where the tricky part began:
The devices shipped with a regular Telekom DSL contract here in Germany include some special features named WLAN TO GO and EasySupport. In order for these to function correctly, Telekom reserves a number of ports on their devices, which therefore cannot be forwarded to an internal host. One of these reserved ports is UDP
“Well, simply disable WLAN TO GO and EasySupport, so you can make use of these ports?”, you might think now. Unfortunately this doesn’t help, as the firmware still disallows forwarding these ports, even with the named functions turned off. It appears that Telekom’s developers simply defined a list of ports that are blocked by default, regardless of whether they’re actually in use by any of their internal services or not.
To cut a long story short: I began looking for a trick I could use to bypass these restrictions, even though hacking proprietary firmware is usually quite complex and requires a lot of work. Especially when it is developed by a huge company like Telekom and used on a bazillion devices, right? 15 minutes later I had redirected all the required ports to my IPsec/L2TP server, in a way that the average Joe can reproduce without much know-how. Here’s the step-by-step guide:
Step One: Disable all the Bullshit
Step Two: Configure Port Forwarding
You’re done, press the “Save” button.
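Once the forwarding rule is saved, the thing worth checking is whether UDP datagrams sent to the router’s public address actually arrive on the VPN host, before you spend time debugging IPsec itself. The script below is an added example and not part of the original post or of any Telekom/Synology software: it runs a small UDP listener on the internal host and a probe from outside, and reports per port whether the path is open. The default port 4500 is the one named in the post; the marker string, function names and loopback self-test are constructed for this example and do not speak any VPN protocol, so the check is independent of the server software.

```python
#!/usr/bin/env python3
"""Verify that a UDP port forward delivers datagrams to the internal host.

Added example for this post, not the author's code. Before relying on the
router's forwarding rules for the VPN, run listen() on the VPN host behind the
router and probe() from a machine outside the home network, pointing it at the
router's public address. The port number defaults to 4500 as named in the post;
every other value here is constructed for the example.
"""
import socket
import threading
import time

PROBE_TOKEN = b"udp-forward-check"  # constructed marker; not part of any VPN protocol


def listen(port=4500, timeout=5.0, bind_addr="0.0.0.0", ready=None):
    """Wait on `port` for one probe and echo it back.

    Returns (peer_address, payload) when a datagram carrying PROBE_TOKEN
    arrives before `timeout` seconds elapse, otherwise None. Datagrams that do
    not carry the token (stray traffic, scanners) are ignored so they cannot
    produce a false positive.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((bind_addr, port))
        if ready is not None:
            ready.set()  # tell the caller the socket is bound
        deadline = time.monotonic() + timeout
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return None
            sock.settimeout(remaining)
            try:
                data, peer = sock.recvfrom(2048)
            except socket.timeout:
                return None
            if data.startswith(PROBE_TOKEN):
                sock.sendto(data, peer)  # echo so the sender can confirm the path
                return peer, data


def probe(host, port=4500, timeout=3.0, nonce=b"0"):
    """Send one probe to host:port and report whether the listener echoed it.

    False means the datagram never reached the listener or the echo never came
    back: no forwarding rule, a port the router refuses to forward, or a
    firewall drop all look the same from here.
    """
    payload = PROBE_TOKEN + b":" + nonce
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(payload, (host, port))
            data, _ = sock.recvfrom(2048)
        except OSError:  # timeout, or an ICMP port-unreachable surfaced as an error
            return False
    return data == payload


def check_forwards(host, ports, timeout=3.0):
    """Probe several ports and return {port: reachable} for the VPN host."""
    return {p: probe(host, p, timeout=timeout, nonce=str(p).encode()) for p in ports}


def _free_udp_port(addr):
    """Ask the kernel for an unused UDP port (used only by self_test)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tmp:
        tmp.bind((addr, 0))
        return tmp.getsockname()[1]


def self_test(loopback="127.0.0.1"):
    """Exercise listen() and probe() against each other over loopback.

    Returns (open_port_reachable, closed_port_reachable): a port with a live
    listener must report True, a port nobody listens on must report False,
    which is exactly what a reserved or unforwarded port looks like from outside.
    """
    port = _free_udp_port(loopback)
    ready = threading.Event()
    result = {}
    t = threading.Thread(
        target=lambda: result.update(got=listen(port, 5.0, loopback, ready)), daemon=True
    )
    t.start()
    ready.wait(2.0)
    open_reachable = probe(loopback, port, timeout=2.0, nonce=b"open")
    t.join(5.0)
    closed_reachable = probe(loopback, _free_udp_port(loopback), timeout=0.5, nonce=b"closed")
    return open_reachable, closed_reachable


if __name__ == "__main__":
    print("self-test (open port, closed port):", self_test())
```

In practice you start `listen(4500)` on the VPN host, then from a phone on mobile data or any machine outside your network run `check_forwards("<router public address>", [4500])`; a `False` for a port you just forwarded points at the router’s reserved-port list rather than at your VPN configuration. Stop the listener before starting the real VPN server, since both cannot bind the same port.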