Access your router configuration panel from outside using your Synology NAS

I was in Portugal and needed to open a port on the router at my home in France. To access the NAT route configuration page, I had to create an SSH tunnel through my Synology.

• 1. Enable SSH on Synology
• 2. Tell sshd you are allowed to do TCP forwarding
• 3. Create an SSH tunnel
• 4. Bonus: lie to your router

# 1. Enable SSH on Synology

I'm not going to do explain that here, because if you haven't already enabled it you can't follow the rest of this tutorial (unless you synology is doing the NAT). It's recommended to enable it on a dirrent port than 22. Believe me, they are lot less bots trying to bruteforce your password on a different port.

This tutorial can be followed to access any local computer from outside securely.

# 2. Tell sshd you are allowed to do TCP forwarding

First, connect to ssh on your synology. We are going to edit the sshd_config configuration file with sudo and vim. No don't go away! I'm not a vim user either but you will see, it's not that complicated.

sudo vim /etc/ssh/sshd_config

At the end of the file we are going to add thoses lines to allow us creating ssh tunnels. By default, only root and admin are allowed to do ssh tunnels. So here we add our user:

Match User root
    AllowTcpForwarding yes
Match User admin
    AllowTcpForwarding yes
Match User myusername 
    AllowTcpForwarding yes 
Match User anonymous
    AllowTcpForwarding no
    GatewayPorts no

Basic usage of vim, but you can also look out on internet:

• Scroll to where you wanna insert something, press i
• After writing the new lines, press ESC
• Save with :w and Enter
• Quit with :q

Since I don't know how to restart a service on a Synology, I did deactivated and reactived ssh on the web interface of my Synology NAS. That does the trick 😄

# 3. Create an SSH tunnel

Its just one line! You basically open a normal ssh connexion but with a local port on your computer redirected to an ip:port on the remote lan. And all of this secured by your ssh connexion.

ssh -L [local_port]:[router_lan_ip]:80 [username]@[nas_ip] -p [ssh_port]
 
# Example: ssh -L 8000:192.168.1.1:80 myusername@mynasdomain.com -p 24

Keep the connexion open and go to 127.0.0.1:8000 on your computer and you will see your router web configuration.

# 4. Bonus: lie to your router

I'm french and my internet provider is Orange. When I tried this, the connection was successful but closed abruptly with an empty response. When Chrome communicate on 127.0.0.1:8000, he send an http header Host: 127.0.0.1. That's normal, this is how you can host multiples websites with diffrent domain on the same server. But my Livebox only respond to the following hosts: 192.168.1.1 or livebox.

So here is a magic trick, on your mac/linux :

sudo nano /etc/hosts

Add this line

127.0.0.1       localhost
::1             localhost
127.0.0.1       livebox  

Now, go back to your browser and ask for http://livebox:8000 instead of http://127.0.0.1:8000. I suppose you could also install a chrome extension to fake a Host: header too.