Possible solutions after "Support For My Cloud Changing"

WD creates at least 4 big challenges for users when changing the support for their OS3 NAS devices:

  1. No more firmware updates to fix security vulnerabilities and bugs.
  2. No more remote access. Not able to use WD software like MyCloud.com, My Cloud mobile apps and WD Sync.
  3. No more support from WD.
  4. No more email notifications.

In addition, there will be financial and time consuming challenges if you are forced to purchase new equipment.
Also keep in mind that most OS3 NASs may be outdated with slow processors and not enough RAM.

My solution is based on using a VPN server in my LAN. The solution requires knowledge of DDNS, FQDN, static IP, HTTPS, VPN, firewalls, port forwarding, programming, editing configuration files, etc. If you are not comfortable with the technology, you may be able to get help from a friend or hire expert help. Once everything is installed, all users can easily access My Cloud remotely. Please note that according to WD, the device still has security challenges that probably never will be resolved. They actually recommend disconnecting the cloud device from the internet!

The working solution is based on My Cloud v04.05.00-342 and a Synology DS718+ connected to the same router in LAN. Remote connections from laptops with Windows 10 and Linux Mint 20, and mobile phones with Android 11 are made regularly.

1. No more firmware updates to fix security vulnerabilities and bugs

If remote access is required, it must be accepted that the OS3 devices will still have security challenges that will never be fixed. To reduce the risk, I use a script that examines the date and time on the file /root/.bash_history. The timestamp is sent via email every day. Changed time means that someone has been inside the system and executed terminal commands. No important files are stored on the device and all passwords are wery strong.

2. No more remote access through mobile apps or web app.

The VPN Server on DS718+ is running, and accept connections from OpenVPN clients on WAN. OpenVPN clients exists for all major operating systems including Windows, Linux, macOS, Android and iOS. For remote connection from a Windows laptop, the OpenVPN Connect Windows client can be used.

OpenVPN Clients used on WAN allow users on DS718+ to remotely and securely access resources shared within the LAN of the Synology NAS by only exposing one service instead of a bunch of them. The connection is encrypted. It protect from eavesdropping when we are in an unsecured network on WAN, like a public WiFi. It can also bypass country restrictions when we are not in our country.

Once connected, we can access shared resources on LAN as if we were at home. For example, in Windows File Explorer, \\192.168.2.93/tom will connect to user Tom’s share on My Cloud if correct username and password is given. If we type 192.168.2.93 in a web browser, we will have access to all information and settings in My Cloud Dashboard. With my VPN configuration, if we use the internet via a web browser, the IP address provided by our ISP (home external IP address) will normally be used.

All of this also applies to remote connection from mobile phones and devices with Linux or macOS operating systems (that supports SMB/AFP or maybe even NFS).

3. No more support from WD

If necessary, I will seek in the WD Knowledge Base, or ask all the skilled people on the WD Community.

4. No more email notifications

Some notifications can also be read in My Clouds Dashboard. What I need most is that the daily mirroring of My Cloud has gone well. To achieve this, I use a script that automatically starts at 5 a.m. every day. The script mirrors the contents of My Cloud to the connected usb hard drive and sends notification via email.

Yes, unfortunately I think this is going to be beyond the capabilities of 99% of the people on this board (myself included). Interestingly, QNAP put out a notification yesterday that ALL NAS should be disconnected from the internet for security reasons!

I have long ago concluded that VPN was the way to remotely access NAS units on my network.

I did not like the idea of a third party (WD) being an intermediary in my files going across the internet.
If I was willing to use a third party. . . . .Dropbox and OneDrive offer compelling options.

In terms of OS/3. . . .I view just HAVING an OS/3 on my network is a hazard due to known exploits and open ports. I operated for several months with the device on the network. . .but BLOCKED at the Router from WAN access. That means it doesn’t matter what the OS/3 device was doing. . .it was NOT going to send / recieve to devices outside my network.

UNFORTUNTALY. . .in my network; blocking the OS/3 device from “the internet” also blocked the device from different subnets within my network. This effectively terminated VPN access. (in otherwords, the NAS sits at 192.168.0.100; any computer on VPN was getting an address of 10.10.0.100 - - - → and was being blocked from the NAS on the 192.168 subnet)

My current solution? For $50; I bought another router. On this router, I have three NAS units and no internet. When I need to use it. . .I switch networks on my PC. Try hacking into that! Need files on the road? I have a 1TB SSD in my bag with most of my files. Need all my files? I have a 4TB HDD that I can also bring.

(This actually works better than it used to when travelling because (1) Less travel in days of covid and (2) Streaming media options work much better across the world and (3) Media options on long haul aircraft have FAR improved significanlty over the last 5 years. (just don’t fly US airlines. . . they are subpar))

On the issue of QNAP. What QNAP stated is the following:
https://www.qnap.com/en/security-news/2022/take-immediate-actions-to-secure-qnap-nas

QNAP urges all QNAP NAS users to follow the security setting instructions below to ensure the security of QNAP networking devices.

Check whether your NAS is exposed to the Internet

Open the Security Counselor on your QNAP NAS. Your NAS is exposed to the Internet and at high risk if there shows “The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP” on the dashboard.

See the link for the rest. They are telling their users to close certain NAS ports (port forwarding) and disable certain NAS features/options. Some of which, like UPnP are generally recommended by many security advisors to disable anyway. They have further articles on using myQNAPcloud Link to access their device(s) from the internet.

To the initial posting. The first gen v4.x single bay My Cloud has been end of support for a number of years now (since late 2019). There are a number of discussions on the OS3 termination where it is recommended to use VPN to access the unit once WD terminates the OS3 remote access. There were even some years past discussions on trying to get SFTP working for remote access. While the termination of OS3 support for emailing of certain alerts will affect some. There have been past discussions on setting up email notification for certain user scripted events like using Rsync instead of SafePoint to back up a v4.x firmware My Cloud.

https://community.wd.com/search?q=SFTP%20category:105

Fact is most who need remote access will likely just “man up” after their grumbling about what WD is doing, and buy a new NAS if they are not technically inclined to take a stab at VPN or other methods of secure remote access.

Exposing any device to broadband access runs the risk of it being compromised through security vulnerabilities. Some venders close security vulnerabilities in their products faster than others. And for some it’s easier/cheaper to simply end support for a product than continue to support it. WD has chosen this last option for certain OS3 devices.

I agree with much of the post above.

It was definatlely time for WD to start from the ground up and replace OS/3. The fact that older devices wouldn’t make the cut for upgrade. . . (I have one in this category). . is a fact of life in consumer electronics. How well WD succeeded in their effort to produce a quality OS/3 upgrade. . .can be left for discussion in another thread.

As an adide: Regarding UPnP: Doesn’t WD kinda require this to make it’s port fowarding work for internet access; especially if multiple units are present?

As an second aside: If I really needed internet access to my NAS. . .I would also go the “s uck it up, buttercup” route and buy a new NAS. The model/vendor decision would indeed be influenced by WD’s demonstrated security track record.

sktn77a

Yes, it’s scary to see how devices can be hacked, especially on an old outdated NAS. QNAP’s advice and Open Port Check Tools on the Internet may improve security.

I think many who want to continue with remote access are able to set up their own VPN. After all, using VPN is quite common in network technology. Also creating scripts for email and backup that starts at a given time is well described on this forum, see Bennor’s helpful links.

NAS_user

Agree with everything you say.

You had challenges with VPN on your advanced network. Did you remember to open the firewall for 10.10.0.100 → clients?

Bennor

Agree with everything you say, you are like a WIKI for all of us, thank you for the links.

Is your solution to block all OS3 devices in your network?

Currently I block broadband access to my first gen single bay My Cloud at the router’s firewall. It blocks inbound and outbound broadband traffic to the My Cloud. Local network access to the My Cloud is not affected. I also disable Cloud Access/Remote Access and FTP access in the My Cloud Dashboard > Settings section.

One word of note when it comes to blocking broadband access to the My Cloud. It may impact certain My Cloud features like the My Cloud NTP requests. This means the time/date settings may end up wrong in the My Cloud. The solution is to reconfigure, in the My Cloud Dashboard > Settings, the NTP setting to manually set the My Cloud date and time.

Yes. . .I remembered to open the ports.

The only issue is that it didn’t work :slight_smile:

I am not an expert at this, but the way my Asus router is setup. . .the blocking seemed to be an all-or-nothing affair. (I am not claiming to be an expert. . . might be worth my asking directed questions to a forum at some point - - → just not motivated at the minute :wink: )

Another way to get remote access to My Cloud is to use the Synology File Station package. An administrator can mount an external folder in the Synology NAS file system. The external folder can be, for example, \\192.168.2.93/tom. This is user Tom’s folder on My Cloud. Content on Tom’s share can now be accessed on WAN via DS718+.

This solution does not require any special knowledge, and login from WAN uses the security built into Synology like account protection, automatic blocking, multi-step authentication, firewall, etc.

If you also want to move or copy files between My Cloud and Synology NAS, this method is very effective because the transfer goes more directly between the devices and not via a PC.