Yes, you are correct.
I would benefit from knowing how WD connects to the NAS. It is probably similar to how my PC connects to one drive! Some funky software tunneling through your antivirus software and router firewall software.
For 9 out of 10 people. . . the WD servers are just fine and the tunneling protections are probably just fine. Hopefully, the traffic to/from WD is encrypted. (Don’t be surprised if it isn’t). BUT If you put your entire life on Facebook, why not use WD servers to shepherd data from your home to your phone?
For me; I am not a trusting person. The bottom line for me is that you are using WD servers to connect to your NAS. Regardless of the security of your system, the biggest “threat” in my view is the WD server itself; as it is NOT in your possession, and NOT in your control. If someone wants to, motivated by, say, a FISA warrant, or advertising revenue, to search your data. . . what exactly in your “terms of service” prevents it? Before your answer that. . . .perhaps you should also read the modifications that will be made to the terms of service in the next five years.
Ok. . .I am well into tin-foil hat territory. . . .but you get my point? You are granting access to your “stuff” to another party. For the record, I do use onedrive and dropbox. I really like those services. I use them for file sharing for myself, and I have folders setup that I grant access to others for filesharing. If I had terrabytes of data to share that way, I would use the WD NAS units without hesitation. BUT: I don’t put any personal/sensitive data on cloud servers for tin-foil-hat reasons.
As to opening ports: Yes, when I set everything up, I established router security and set up a router based VPN (as opposed to using a commercial VPN service). Passwords here, there, and everywhere.
It worked fine. It seemed to be a pretty cool user experience.
Probably fairly secure. . .except that the router itself was a consumer grade $70 unit with some advanced features. . . not an enterprise class thing, and the setup certainly wasn’t setup for multifactor authentication. Rather than starting the cyber security game and doing lots more research, I finally figured that I would simply block all the internet access on everything, and carry a copy of important data on a physical device with me. That also solved another problem I frequently face: Sketchy (i.e. poor performance) internet access.