Tightening up security from outside my LAN: Relay connection vs. other ways to access

Hello there!
Before posting this topic, I searched through the device manual, knowledge base as well as this forum without finding sufficient info.

I am trying to secure my network from the outside and have been wondering how the My Cloud App (not the Home app that most of the knowledge base is about, but the one from this picture)


… how the My Cloud App accesses my device from outside my LAN.
I found out that it uses Relay connection mode, can somebody elaborate on what that is? I didn’t manage to find an answer.

I think this is the only way to access the device from outside; all of the other possibilities that I know of, located under ‘Settings → Network’, like SSH, FTP and so on, are OFF.

I just want to make sure that this method is safe and find out whether the other modes might be safer. Also I want to make sure that it doesn’t leave a vulnerable hole in my router that I should be aware of if that makes sense.

Thank you.

bump

Answers to any of my questions would be appreciated. :slight_smile:
Thank you.

At the risk of being really, really, wrong:

If the setting says “Relay connection established”, that means you are connecting to your NAS via WD servers to your box.

So you are going from your phone/tablet/PC to your NAS _via WD servers_. I guess your NAS is establishing some internet link to Western Digital’s Big Brother servers. So your phone is connecting to the WD server, and the WD server is talking to your NAS.

If the settings say “Port Forwarding” or some such, you CAN connect directly to your NAS through your router. If you use the WD app or WD website, you will use the WD servers as I described above. You will, however, have the option to use FTP or some other connection to connect DIRECTLY to your router and the NAS. So for example, if your router has a WAN IP address of 123.45.67.89, and your router has port 4400 “forwarding” to the right port on your NAS, then you can map the NAS to your computer by using web address 123.45.67.89:4400

As for security. . . .hahahahah. . . . yeah. . . good question. I finally did get this to all work with my NAS box. . .but then I got kind of scared having my router exposing ports to the internet. If you do some searches, I think you will find that WD NAS security is not exactly high grade stuff. At the end of the day. . I decided that having open ports on my router wasn’t worth the security risks and I shut everything off.

I can still access the NAS boxes via the WD app; using the WD servers as a relay. . . .but to be honest, I have turned that off as well recently (because. . . I am not a trusting person).

Does this help?
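A generic illustration of the relay pattern described in the reply above, added here as an example and not taken from the thread or from WD: the thread does not document WD's actual protocol, so every name and message below is hypothetical. The stand-in "NAS" and "phone" both dial out to a relay on localhost, the NAS never opens a listening port, and the relay can read everything it forwards unless the two ends encrypt between themselves.

```python
import socket
import threading

def run_relay(listener, seen):
    # The relay is the only party that accepts INBOUND connections.
    device, _ = listener.accept()    # first dial-in: the NAS
    client, _ = listener.accept()    # second dial-in: the phone
    with device, client:
        request = client.recv(1024)
        seen.append(request)         # the relay operator can read this
        device.sendall(request)
        reply = device.recv(1024)
        seen.append(reply)           # ...and this
        client.sendall(reply)

def run_device(conn):
    # NAS side: answers requests over the connection it opened itself,
    # so the home router needs no forwarded port.
    with conn:
        request = conn.recv(1024)
        conn.sendall(b"NAS reply to: " + request)

def demo():
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # constructed stand-in for the relay server
    listener.listen(2)
    relay_addr = listener.getsockname()
    seen = []
    relay_t = threading.Thread(target=run_relay, args=(listener, seen))
    relay_t.start()

    device = socket.create_connection(relay_addr)   # outbound from the NAS
    device_t = threading.Thread(target=run_device, args=(device,))
    device_t.start()

    with socket.create_connection(relay_addr) as client:  # outbound from the phone
        client.sendall(b"LIST /Public")                   # constructed request
        reply = client.recv(1024)

    relay_t.join()
    device_t.join()
    listener.close()
    return {"reply": reply, "relay_saw": seen}

if __name__ == "__main__":
    print(demo())
```
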

Thank you for the time you put into replying to my question.

Firstly, I understand port forwarding basically the way you put it.

Unfortunately what I am really interested in (and what I probably should have specified a bit more) is how exactly the WD servers access my NAS. I think that your explanation of the relay connection mode should be right - that I’m connecting through a WD server that takes care of talking to my NAS through my router for me (I would hope in a secure manner). What I wanna find out is HOW this is done, so that I can make an informed decision (or at least a bit more informed than now :grin:) whether I want to be connecting to my NAS this way. It seems that given your last sentence you might benefit from this knowledge yourself. :slightly_smiling_face:

I basically think that the relay connection should be a safer choice for tech newbies, as the connection to your NAS from outside is done for you, because if you had to configure port forwarding as a complete beginner, you would probably end up with a big exploitable hole in your network. For an (imaginary) expert user though, I think a well configured port forwarding setup with some sort of authentication is ultimately the most secure way to connect to your NAS. (At least you would know how the connection is done and you would have a specific port to monitor the traffic on)
Only thing it seems you have to do is decide whether you’ve educated yourself enough to consider yourself closer to the expert side of the spectrum or if you stick to the “Yeea, I’ll probably let WD do this for me, just to be safe (meaning not to f*ck things up even more than WD might have)” :laughing:

So, please, does anybody know how the WD My Cloud Desktop App accesses the data on a WD My Cloud EX2 NAS in Relay connection mode?

I would be grateful for any replies. :slight_smile: Thanks

Yes, you are correct.

I would benefit from knowing how WD connects to the NAS. It is probably similar to how my PC connects to OneDrive! Some funky software tunneling through your antivirus software and router firewall software.

For 9 out of 10 people. . . the WD servers are just fine and the tunneling protections are probably just fine. Hopefully, the traffic to/from WD is encrypted. (Don’t be surprised if it isn’t). BUT If you put your entire life on Facebook, why not use WD servers to shepherd data from your home to your phone?

For me; I am not a trusting person. The bottom line for me is that you are using WD servers to connect to your NAS. Regardless of the security of your system, the biggest “threat” in my view is the WD server itself; as it is NOT in your possession, and NOT in your control. If someone wants to, motivated by, say, a FISA warrant, or advertising revenue, to search your data. . . what exactly in your “terms of service” prevents it? Before you answer that. . . .perhaps you should also read the modifications that will be made to the terms of service in the next five years.

Ok. . .I am well into tin-foil hat territory. . . .but you get my point? You are granting access to your “stuff” to another party. For the record, I do use OneDrive and Dropbox. I really like those services. I use them for file sharing for myself, and I have folders set up that I grant access to others for filesharing. If I had terabytes of data to share that way, I would use the WD NAS units without hesitation. BUT: I don’t put any personal/sensitive data on cloud servers for tin-foil-hat reasons.

As to opening ports: Yes, when I set everything up, I established router security and set up a router based VPN (as opposed to using a commercial VPN service). Passwords here, there, and everywhere.

It worked fine. It seemed to be a pretty cool user experience.

Probably fairly secure. . .except that the router itself was a consumer grade $70 unit with some advanced features. . . not an enterprise class thing, and the setup certainly wasn’t set up for multifactor authentication. Rather than starting the cyber security game and doing lots more research, I finally figured that I would simply block all the internet access on everything, and carry a copy of important data on a physical device with me. That also solved another problem I frequently face: Sketchy (i.e. poor performance) internet access.