How to Securely Access Your NAS Using Your Own Domain & Cloudflare

Have you ever wished to access your Network-Attached Storage (NAS) from anywhere in the world without worrying about security risks? Exposing your NAS directly to the internet can be dangerous, leaving it vulnerable to cyber threats. Fortunately, you can create a secure and reliable remote access solution by using Cloudflare and your domain. In this guide, I’ll show you a step-by-step method to securely access your NAS, ensuring data safety and seamless connectivity no matter where you are.

1️⃣ Why Use Cloudflare for Remote NAS Access?

1. Enhanced Security – Prevents direct exposure to your NAS IP.
2. Free SSL Certificates – Encrypts traffic between your devices and NAS.
3. DDNS Integration – Automatically updates your domain’s IP address.
4. Cloudflare Tunnel – Establishes a secure and private connection.

You may want to read this post :

• How to Build a NAS from Scratch: A Complete Step-by-Step Guide
• NAS vs Cloud Storage: Which is the Best for You?
• Take advantage of the Cloudflare free plan
• How to Create a Free Custom Email ID for Your Domain

---

2️⃣ Setup Cloudflare for Your Domain

Get a Cloudflare Account

1. Go to Cloudflare.
2. Sign up or log in.
3. Add your domain name.
4. Change your domain’s nameservers to Cloudflare’s (Cloudflare will provide these).

Info! Click here to get a detailed Guide to adding the domain to Cloudflare

Create a Subdomain for Your NAS

1. Go to DNS Settings in Cloudflare.
2. Click Add Record and enter:
   • Type: A
   • Name: nas (or any subdomain you prefer)
   • IPv4 Address: Your public IP (Find it on WhatIsMyIP)
   • Proxy Status: Set to "DNS only" (we'll change this later)
3. Click Save.

---

3️⃣ Set Up Dynamic DNS (DDNS) to Handle Changing IPs

Most ISPs change your public IP over time. We need to automate updating your Cloudflare DNS records.

Get Cloudflare API Token

1. Go to Cloudflare Dashboard → API Tokens.
2. Click Create Token.
3. Use the "Edit DNS Zone" template.
4. Select your domain and click Create Token.
5. Copy and save your API Token.
6. Find your Zone ID under the domain settings in Cloudflare.
7. Find your Record ID using this command SSH into your NAS sing PuTTY, CMD (Windows) or Terminal (Linux/Mac). (ssh root@your-nas-ip).
8. Run below code in Terminal. Replace YOUR_ZONE_ID with your actual Zone ID):

   curl -X GET "https://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/dns_records" \
   -H "Authorization: Bearer YOUR_API_TOKEN" \
   -H "Content-Type: application/json" | jq '.'

Install Cloudflare DDNS Script on Your NAS

1. SSH into your NAS sing PuTTY, CMD (Windows) or Terminal (Linux/Mac). (ssh root@your-nas-ip).
2. Install dependencies:

   apt update && apt install curl jq -y

3. Create the update script:

   nano /root/cloudflare-ddns.sh

4. Paste the following script:

   #!/bin/bash
   API_TOKEN="your_api_token_here"
   ZONE_ID="your_zone_id_here"
   RECORD_ID="your_record_id_here"
   RECORD_NAME="nas.yourdomain.com"
   
   IP=$(curl -s https://ifconfig.me)
   CF_IP=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$RECORD_ID" \
   -H "Authorization: Bearer $API_TOKEN" \
   -H "Content-Type: application/json" | jq -r '.result.content')
   
   if [[ "$IP" != "$CF_IP" ]]; then
       curl -s -X PUT "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$RECORD_ID" \
       -H "Authorization: Bearer $API_TOKEN" \
       -H "Content-Type: application/json" \
       --data "{\"type\":\"A\",\"name\":\"$RECORD_NAME\",\"content\":\"$IP\",\"ttl\":1,\"proxied\":false}"
   fi

5. Save & exit (CTRL + X, then Y, then Enter).
6. Make the script executable:

   chmod +x /root/cloudflare-ddns.sh

7. Set it to run every 5 minutes:

   crontab -e

   Add this line at the bottom:

   */5 * * * * /root/cloudflare-ddns.sh

   Save and exit.

---

4️⃣ Secure Your NAS with HTTPS (SSL Certificate)

Enable SSL in Cloudflare

1. Go to Cloudflare Dashboard → SSL/TLS.
2. Set SSL mode to Full (Strict).
3. Click Origin Server → Create Certificate.
4. Choose Let Cloudflare generate the private key and CSR.
5. Copy and save the Certificate and Private Key.

Install SSL Certificate on OpenMediaVault (OMV)

1. Go to OMV Web UI → System → Certificates.
2. Upload the Cloudflare SSL certificate and private key.
3. Enable HTTPS in OMV and select the new certificate.
4. Save changes and restart OMV.

---

5️⃣ Set Up Cloudflare Tunnel (No Port Forwarding Needed - Recommended)

To avoid exposing ports, use Cloudflare Tunnel (Argo Tunnel) to securely access your NAS without opening your router.

Install Cloudflare Tunnel on NAS

1. SSH into your NAS sing PuTTY, CMD (Windows) or Terminal (Linux/Mac). (ssh root@your-nas-ip).
2. Install Cloudflare Tunnel:

   curl -fsSL https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o /usr/local/bin/cloudflared
   chmod +x /usr/local/bin/cloudflared

Authenticate Cloudflare Tunnel

1. Run:

   cloudflared tunnel login

2. This will give a link to your terminal. Open it by pressing Ctrl and right-click then log in to Cloudflare.
3. Approve the tunnel and copy the provided token.

Create and Run the Tunnel

1. Run:

   cloudflared tunnel create nas-tunnel

Info! Copy the tunnel ID and keep it safe.
2. Create a config file:

   mkdir -p /etc/cloudflared
   nano /etc/cloudflared/config.yml

3. Paste the following:

   tunnel: your_nas-tunnel_ID
   credentials-file: /root/.cloudflared/your_nas-tunnel_ID.json
   
   ingress:
     - hostname: nas.yourdomain.com
       service: http://192.168.X.X:80
     - service: http_status:404

4. Save and exit.
5. Start the tunnel:

   cloudflared tunnel run nas-tunnel

6. Set it to start on boot:

   cloudflared service install

---

6️⃣ Change DNS Record

1. Now Go to Cloudflare Dashboard → DNS.
2. Check if there’s an A record for nas pointing to your Public IP address.
3. Delete that A record.
4. Add a new CNAME record -

   Name: nas
   Target: your-tunnel-ID.cfargotunnel.com
   Proxy Status: Proxied✅

✅ Final Step: Access Your NAS Securely

Now, you can access your NAS securely via:

https://nas.yourdomain.com

• No port forwarding is needed (Cloudflare Tunnel handles everything).
• Fully secured with HTTPS (Cloudflare SSL).
• Works even if your public IP changes (DDNS updates automatically).

---

🎉 Done! Your NAS is Now Secure & Accessible Anywhere!

You now have a fully secure, remote-access NAS without exposing your home network.

By following this guide, you now have a secure way to access your NAS remotely without exposing it to the internet. Cloudflare’s powerful security features, combined with your own domain, provide an extra layer of protection, ensuring your data remains private and accessible only to you. Whether you’re traveling or working remotely, you can confidently connect to your NAS knowing that your setup is both safe and efficient.

If you found this guide helpful, feel free to share your thoughts in the comments! Happy networking!

FAQ

Why should I use Cloudflare to access my NAS instead of port forwarding?

Cloudflare provides a secure way to access your NAS without exposing your public IP or opening ports on your router. Port forwarding can make your NAS vulnerable to attacks like brute force attempts and DDoS attacks. With Cloudflare Tunnel, your NAS remains behind Cloudflare’s security layer, making it much harder for attackers to reach it.

What happens if my ISP changes my public IP address?

If your ISP changes your public IP, your NAS’s domain could stop working unless you update the Cloudflare DNS records manually. To automate this, we use a Dynamic DNS (DDNS) script that periodically checks your IP and updates Cloudflare automatically. This ensures your NAS remains accessible even if your IP changes.

What is Cloudflare Tunnel, and why is it recommended?

Cloudflare Tunnel (previously Argo Tunnel) is a secure way to expose your NAS to the internet without opening ports on your router. Instead of allowing inbound connections directly to your NAS, Cloudflare Tunnel creates an outbound connection to Cloudflare’s network. This eliminates the need for port forwarding and enhances security.

What is the difference between "DNS Only" and "Proxied" in Cloudflare DNS settings?

DNS Only: This simply resolves your domain to your public IP without routing traffic through Cloudflare. It’s useful for initial DDNS setup. Proxied: This routes traffic through Cloudflare’s servers, providing DDoS protection, caching, and SSL encryption. Once the Cloudflare Tunnel is set up, ensure your NAS subdomain is Proxied (orange cloud icon).

Can I access my NAS locally using the domain instead of its IP address?

Yes! To access your NAS using the domain inside your home network, you need to add a local DNS entry in your router or set up Split DNS:

If your router supports DNS overrides, map nas.yourdomain.com to your NAS's local IP (192.168.x.x).

If using Pi-hole or another DNS server, add a manual entry for nas.yourdomain.com pointing to the NAS’s local IP.

Is this setup free, or do I need to pay for Cloudflare services?

Most of the features used in this guide are completely free with Cloudflare’s Free Plan, including:

DNS hosting

Cloudflare Tunnel

SSL certificates

DDoS protection

However, Cloudflare offers paid plans with advanced security and performance features, but they are not required for securing your NAS with this method.