Best practice accessing photos outside of network.
I just installed Immich on my Synology NAS and I'm looking for a way so that my girlfriend can access her photos all the time. With as little hassle as possible. What would be the best move here?
26 Replies
:wave: Hey @Daan,
Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich :immich:.
References
- Container Logs: docker compose logs (docs)
- Container Status: docker ps -a (docs)
- Reverse Proxy: https://immich.app/docs/administration/reverse-proxy
- Code Formatting https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA
Checklist
I have...
1. :ballot_box_with_check: verified I'm on the latest release (note that mobile app releases may take some time).
2. :ballot_box_with_check: read applicable release notes.
3. :ballot_box_with_check: reviewed the FAQs for known issues.
4. :ballot_box_with_check: reviewed Github for known issues.
5. :ballot_box_with_check: tried accessing Immich via local ip (without a custom reverse proxy).
6. :ballot_box_with_check: uploaded the relevant information (see below).
7. :ballot_box_with_check: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable
(an item can be marked as "complete" by reacting with the appropriate number)
Information
In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:
- Your docker-compose.yml and .env files.
- Logs from all the containers and their status (see above).
- All the troubleshooting steps you've tried so far.
- Any recent changes you've made to Immich or your system.
- Details about your system (both software/OS and hardware).
- Details about your storage (filesystems, type of disks, output of commands like fdisk -l and df -h).
- The version of the Immich server, mobile app, and other relevant pieces.
- Any other information that you think might be relevant.
Please paste files and logs with proper code formatting, and especially avoid blurry screenshots.
Without the right information we can't work out what the problem is. Help us help you ;)
If this ticket can be closed you can use the /close command, and re-open it later if needed.
Successfully submitted, a tag has been added to inform contributors. :white_check_mark:
Most secure is VPN for sure. WireGuard or Tailscale.
Harder to setup but publicly exposed would be using a Reverse Proxy with https and certs.
https://immich.app/docs/guides/remote-access/
I don't want to bother her with a VPN. That's the thing :p
I'll second the vote for Tailscale, easiest solution as far as I'm concerned.
Then you'll have to read about and learn how to set up a reverse proxy
Reverse proxy via Cloudflare is ok, right?
I’m not sure if you meant little hassle on your end or hers haha
Cloudflare can see all your images if you do that, your call
She just wants her images, like Google Drive
so if she needs to enable a VPN every time she wants to access her images, that's 1 step extra
If using Tailscale or WireGuard, you can just keep them active and choose which apps will always run over the VPN. Essentially, set and forget.
And if you mean using something like Cloudflare Tunnel, yes it works, but like Zeus said, they can see everything and you will be subject to upload limits
Yeah, Tailscale/WireGuard* is special in the sense that (in my layman understanding) it lets you access your normal internet as usual and only redirects specific traffic through its VPN based on the IP address.
thanks. I will give Tailscale a try
do you know if iPhone shows the little VPN box in the top left?
I use Android, which shows it. Unsure on iPhone. Probably?
Cool
And battery-wise it's ok? If a VPN runs all the time
Yeah, a VPN doesn't do anything else except reroute some traffic, minimal overhead
(theoretically. Again, can't speak for the iPhone app.)
I am running Immich on Synology as well and I have Tailscale on my Synology to access the NAS outside home. You can do the same for Immich. In the Immich app you have the option to set up a different network and IP, so that works well
especially the WireGuard protocol, so Tailscale is good on battery
the other way is a reverse proxy, but if you have never done it, it takes some time to do it securely as you need to know how it works
I don't worry too much about security, so I use:
Synology's Reverse Proxy
DDNS (Synology's built-in service)
Let's Encrypt SSL Certificate
Easy, fast, and relatively secure. You can set it up in 5 minutes and have your server accessible from anywhere on the internet.
I would caution anyone reading against using a NAS built-in reverse proxy. It's not hard to find many examples of NAS software vendors being frankly negligent in patching their products and fixing major vulnerabilities
Would recommend a modern proxy like nginx, NPM, Traefik, Caddy etc.
NAS devices are notorious for having serious security issues and many, many have had data loss because their NAS was publicly exposed...
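A concrete version of the "reverse proxy with https and certs" option that several replies recommend, written as an added example for this thread (it is not Immich's, Synology's or any poster's own config): an nginx server block that terminates TLS in front of Immich and leaves only port 443 reachable from the internet. The hostname photos.example.com, the certificate paths and the upstream name immich-server are placeholders; 2283 is Immich's default server port, and the large body limit, websocket upgrade headers and long timeouts mirror the settings described in Immich's reverse-proxy documentation linked above.

```nginx
# Added example, not from the original thread: nginx in front of Immich.
# photos.example.com, the certificate paths and "immich-server" are assumptions.

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;                        # nginx >= 1.25.1; older versions use "listen 443 ssl http2;"
    server_name photos.example.com;

    # Let's Encrypt certificate (e.g. certbot with a DNS-01 challenge, which works
    # even when port 80 is not forwarded). Paths are placeholders.
    ssl_certificate     /etc/letsencrypt/live/photos.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/photos.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Browsers that have seen this header will refuse to fall back to plain HTTP.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Photo and video uploads from the mobile app are large.
    client_max_body_size 50000M;

    location / {
        proxy_pass http://immich-server:2283;   # Immich's default server port

        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Websocket support for the web UI's live updates
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Long-running uploads
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;
        send_timeout       600s;
        proxy_redirect off;
    }
}

# Requests that arrive for any other name (scans by IP address, stale DNS names)
# are rejected at the TLS handshake instead of being handed to Immich.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;         # nginx >= 1.19.4
    return 444;
}
```

Run the proxy in its own container on the NAS, forward only TCP 443 from the router to it, and keep Immich's port 2283 unpublished (reachable on the Docker network only) so the proxy is the single entry point. `nginx -t` validates the file before you reload.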
Actually, I've been considering setting up an NGINX reverse proxy via Docker for a while now—I just need to find the time and motivation. But for now, I'm still risking it without a VPN in favor of easier access (yes, I'm very lazy).
I don't know specifically about a Synology reverse proxy though
well, make sure to have good backups.... hope nothing confidential is on it :[
Synology: Security vulnerabilities, CVEs. List of vulnerabilities affecting any product of this vendor (link preview)
BTW I'm only exposing port 443, no other port forwarding. Let's hope I get lucky.
yeah but you're trusting your NAS proxy to not have any horizontal escalation
you have no containerization, and few to no actual updates/bug fixes
so that doesn't help IMO
Tailscale has automatic on/off when (dis)connecting to certain networks @Daan
afaik, Tailscale is based on the WireGuard protocol
WireGuard is very easy on battery as it doesn't necessarily need to stay active; it does not need to keep sending keepalives, it will simply "resume" the connection whenever traffic is sent
iirc it also uses encryption designed to be "easy" on the CPU/battery but still resilient to attacks