NAS Remote Access Australia (2026): VPN, DDNS, Tailscale and Reverse Proxy Explained

Accessing your NAS from outside your home network is one of the first things most owners want to do. And one of the most confusing to set up correctly in Australia. The method that works varies dramatically depending on your ISP, NBN connection type, and whether you're behind CGNAT. This guide covers every practical option available in 2026. From the dead-easy vendor cloud relay methods (QuickConnect, myQNAPcloud) to self-hosted VPNs and reverse proxies. And tells you which one to use for your situation.

Why Remote NAS Access Is Harder in Australia

Remote NAS access depends on being able to reach your home network from the internet. In a traditional setup, your ISP assigns your router a public IP address. You forward a port, and your NAS is reachable from anywhere. This still works for many Australians, but two factors have complicated things significantly in 2026.

CGNAT: The NBN Problem Blocking Port Forwarding

Carrier-Grade NAT (CGNAT) is used by many Australian ISPs to extend the life of the limited IPv4 address pool. Instead of giving each customer a unique public IP address, the ISP places dozens of customers behind a shared IP. The result: your router never gets a real public IP, so port forwarding to your NAS is impossible. The internet has no way to reach you directly.

ISPs currently known to use CGNAT on some or all plans in Australia include Aussie Broadband, Superloop, Leaptel, Mate, and several smaller NBN retailers. Telstra, Optus, and TPG typically assign real public IPs (often dynamic) but this can vary by plan and NBN technology type.

Dynamic IP: The Other Obstacle

Even users with a real public IP face a second problem: most NBN plans assign a dynamic IP that changes each time the router reconnects. Upstream upload on a standard NBN 100 plan is typically 20 Mbps, rising to around 50 Mbps on NBN 250, with NBN 1000 offering up to 50 Mbps upstream on most connections. The raw bandwidth is workable for remote access. The problem is pointing your remote devices at a moving target.

Dynamic DNS (DDNS) services solve this by maintaining a hostname that automatically updates whenever your IP changes. Your NAS or router handles the DDNS update; your remote devices connect to the hostname rather than an IP. Most NAS vendors include built-in DDNS clients at no extra cost.

Remote Access Methods Compared

There are six main approaches to remote NAS access in 2026. Each has a different setup complexity, security profile, and compatibility with CGNAT. The comparison table below covers the key decision factors.

Vendor Cloud Relay: QuickConnect and myQNAPcloud

Every major NAS brand ships with a vendor-hosted relay service that works right out of the box. No port forwarding, no DDNS, no router configuration required. These services work by connecting your NAS outbound to vendor servers, which then relay your remote traffic back. Because your NAS initiates the connection, CGNAT is bypassed completely.

Synology QuickConnect

QuickConnect is Synology's relay service. Once enabled in DSM under Control Panel → QuickConnect, your NAS is accessible via quickconnect.to/your-id from any browser. Setup takes under two minutes and requires no router changes. Synology's QuickConnect infrastructure routes traffic through Synology's servers. Primarily in the US, Europe, and Asia-Pacific. And performance depends on server load and your upload bandwidth.

For casual use. Accessing files, using Synology Photos or Drive while travelling. QuickConnect is excellent. For transferring large files or running bandwidth-intensive apps, the relay overhead can become a bottleneck. Synology also offers QuickConnect Relay+ (P2P mode) which attempts direct connections when possible, significantly improving throughput for compatible network configurations. QuickConnect works on all current Synology NAS units available in Australia, including the DS225+, DS425+, DS925+, DS1525+, and the full Plus/Value series.

QNAP myQNAPcloud

QNAP's equivalent is myQNAPcloud, configured through the myQNAPcloud app in QTS. It provides a myqnapcloud.com hostname and supports both relay and direct connection modes. QNAP's implementation also includes myQNAPcloud Link. A DDNS-style service that creates a public hostname for your NAS. All current QNAP units available in Australia, including the TS-433, TS-464, and TS-664, support myQNAPcloud out of the box.

Other Brand Equivalents

Asustor offers EZ-Connect, UGREEN NAS units include cloud access through the UGREEN mobile app, and TerraMaster has TOS Cloud. All function on the same relay principle. For users who want zero-config remote access and aren't concerned about traffic passing through vendor servers, any of these is a valid starting point.

Tailscale: The Best Option for Most Australian Users

Tailscale is a mesh VPN built on WireGuard that creates a private network between your devices. No port forwarding, no public IP required, and it works reliably through CGNAT. For most Australian NBN users in 2026, Tailscale is the best answer to remote NAS access. It combines WireGuard's performance and security with a setup process that takes about five minutes.

How Tailscale Works

Tailscale assigns each device in your account a stable private IP in the 100.x.x.x range. When two Tailscale devices try to communicate, the Tailscale coordination server (DERP) helps them negotiate a direct WireGuard connection. A process called hole-punching. In most cases, traffic flows directly between your devices with no relay. When hole-punching fails (as it can behind certain symmetric NATs), Tailscale falls back to routing through its DERP relay servers, but the traffic remains WireGuard-encrypted end-to-end and Tailscale cannot read its content.

The result is a private network where your NAS appears as a device at, say, 100.64.0.12. Reachable from your phone or laptop anywhere in the world, with no firewall changes and WireGuard-grade encryption throughout.

Installing Tailscale on Your NAS

Synology: Tailscale is available as a native DSM package through the Synology Package Center. Install it, log in with your Tailscale account, and your NAS joins your tailnet immediately. No command line required.

QNAP: Tailscale is available as a QPKG package from QNAP's App Center. Installation follows the same pattern. Install, authenticate, done.

Asustor / TerraMaster / UGREEN: These platforms may require manual installation of the Tailscale binary via SSH, or installation through their respective package managers if a package is available. The Tailscale documentation maintains an up-to-date install guide for each platform. Always check the official docs for your specific NAS OS version.

Subnet Routing: Accessing Your Full LAN via Tailscale

By default, Tailscale only exposes the NAS itself to your tailnet. To reach other devices on your home LAN (a printer, a router admin page, another PC), enable subnet routing on your NAS. This configures your NAS as a Tailscale subnet router, advertising your local network range (e.g. 192.168.1.0/24) to all other devices in your tailnet. Once approved in the Tailscale admin console, remote devices can reach your entire home LAN through the NAS as a gateway. With no additional configuration on any other LAN device.

WireGuard VPN: Self-Hosted, Maximum Performance

WireGuard is the modern VPN protocol that underpins Tailscale. But you can also run it directly on your NAS or router for a completely self-hosted setup with no third-party coordination server involved. WireGuard is significantly faster and more battery-efficient than OpenVPN, uses modern cryptography (Curve25519, ChaCha20, Poly1305), and has a much smaller attack surface: the entire codebase is around 4,000 lines of code, compared to OpenVPN's 70,000+.

The tradeoff: self-hosted WireGuard requires a real public IP (or DDNS hostname) and working port forwarding. It will not function behind CGNAT without an additional tunnel or VPS relay.

WireGuard on Synology NAS

Synology's DSM includes built-in VPN Server support with WireGuard available as a native protocol from DSM 7.2 onwards. No third-party packages required. Configuration: install the VPN Server package, create a WireGuard server, generate client configs (downloadable as .conf files or QR codes for mobile), then forward the WireGuard port (default UDP 51820) on your router to the NAS's LAN IP.

Pair this with DSM's built-in DDNS client (Control Panel → External Access → DDNS) using the free synology.me hostname. The WireGuard client config on your devices uses the DDNS hostname rather than a static IP, so it continues working when your ISP rotates your IP address.

WireGuard on QNAP NAS

QNAP supports WireGuard through the QVPN Service app, available from the App Center. The configuration flow mirrors Synology: create a WireGuard server interface, add peers (clients), export configs, forward the UDP port on your router. QNAP's QVPN client app also supports split-tunnel configuration, letting you route only NAS-bound traffic through the VPN while other internet traffic goes direct.

WireGuard on Your Router (Cleaner Architecture)

For users running DD-WRT, OpenWRT, pfSense, OPNsense, Firewalla, or a GL.iNet router, running WireGuard at the router level is architecturally cleaner than running it on the NAS. The VPN terminates at the network edge, all LAN devices are accessible without the NAS acting as a gateway, and the NAS itself is not directly involved in VPN operations. This is the preferred architecture for home users with compatible routers and is worth the extra setup effort for anyone running a serious home network.

OpenVPN: The Older Standard

OpenVPN is the veteran of self-hosted VPNs. Both Synology and QNAP have supported it for years through their VPN Server packages, and it remains widely compatible across every client OS and mobile platform. In 2026, it is hard to recommend OpenVPN over WireGuard for new setups. WireGuard is faster, simpler to configure, and uses stronger modern cryptography.

The main case for OpenVPN remains network compatibility. OpenVPN running over TCP on port 443 blends in with standard HTTPS traffic, making it useful in situations where WireGuard's UDP traffic is blocked. Some corporate networks, hotel Wi-Fi systems, and country-level firewall scenarios. If you need to punch through restrictive networks that block VPN protocols, OpenVPN TCP on port 443 is a reliable fallback.

DDNS: Dynamic DNS for Changing IP Addresses

Dynamic DNS solves the problem of a changing public IP by maintaining a consistent hostname (e.g. yourname.synology.me) that automatically updates whenever your IP changes. Your NAS's built-in DDNS client checks your current public IP periodically and pushes any changes to the DDNS provider's DNS servers, typically within minutes of a change.

Built-in DDNS Providers by Brand

Synology: DSM includes a free DDNS client under Control Panel → External Access → DDNS. The synology.me subdomain is provided free with every Synology NAS and is the simplest starting point. DSM also supports no-ip.com, DynDNS, and others.

QNAP: QTS includes myQNAPcloud DDNS (your-id.myqnapcloud.com) plus support for external providers including no-ip.com, DynDNS, and Namecheap FreeDNS.

Custom domain DDNS: If you own a domain, most DNS providers (Cloudflare, Namecheap, Porkbun) support dynamic DNS records via API. Your NAS or router calls the API to update the record. This gives you a clean address like nas.yourdomain.com.au instead of a subdomain of the vendor's domain. Useful if you're also using a reverse proxy or want a professional-looking URL for self-hosted services.

Port Forwarding: When It's Needed and How to Do It Safely

Port forwarding maps an external port on your router's public IP to an internal port on your NAS's LAN IP. It is required for self-hosted WireGuard/OpenVPN VPNs, and for running a reverse proxy that accepts inbound HTTPS connections. Port forwarding is NOT required for QuickConnect, myQNAPcloud, or Tailscale. These all use outbound connections from the NAS and bypass NAT naturally.

Minimum Safe Port Forwarding Rules

If you do forward ports to your NAS, apply these security minimums:

• Never forward port 5000 (DSM HTTP) or 5001 (DSM HTTPS) directly. These are default management ports and are actively scanned by internet-facing bots. Use a reverse proxy with a custom hostname instead.
• Forward only the specific ports you need. A single UDP port for WireGuard, or TCP 443 for a reverse proxy. Do not open broad port ranges.
• Use non-standard external ports where possible (e.g. external 54321 mapped to internal 5001) to reduce automated scanning hits.
• Enable firewall rules on the NAS to restrict which source IPs can access admin interfaces.
• Enable 2FA on all DSM/QTS admin accounts before exposing any port to the internet.

CGNAT Workarounds for Australian NBN Users

If you're behind CGNAT, your options are more limited but very workable. Here are the four main paths Australian users take in 2026.

Option 1: Tailscale (Recommended for Most Users)

Tailscale's hole-punching works through most CGNAT configurations without any ISP interaction. It's the fastest path to reliable remote access for CGNAT-affected users, free for personal use, and available on all major NAS platforms. Start here unless you have a specific reason to choose another approach.

Option 2: Request a Public IP from Your ISP

Many Australian ISPs will assign a proper public IP upon request, sometimes at no cost, sometimes for a small monthly fee ($5-15 typically). Aussie Broadband, for example, offers a static IP add-on. With a public IP (even dynamic), you're out of CGNAT and can use port forwarding, self-hosted VPN, DDNS. All methods become available. This is worth the cost if you need maximum performance and flexibility for ongoing use. Contact your ISP's support and ask specifically: "Can I be removed from CGNAT and assigned a public IPv4 address?"

Option 3: Vendor Cloud Relay (Zero Config)

Vendor relay services (QuickConnect, myQNAPcloud) work through CGNAT without any changes to your ISP plan or home network. Performance is lower than a direct connection since all traffic routes through vendor servers, but for file access, Photos, and app use it's typically adequate for most home users.

Option 4: VPS Tunnel (Advanced)

An advanced option for technical users: rent a cheap VPS (virtual private server) with a public IP. Vultr, DigitalOcean, and Oracle Cloud's Always Free Tier are popular choices. Then create a WireGuard tunnel from your NAS to the VPS. Your NAS connects outbound to the VPS (works through CGNAT), and the VPS forwards inbound traffic down the tunnel to your NAS. This gives you a stable public endpoint without requesting a public IP from your ISP, and is a powerful pattern for users running home servers or multiple self-hosted services behind CGNAT. Setup complexity is high; ongoing cost is $5-10/month for a basic VPS.

Reverse Proxy: Exposing NAS Services with HTTPS

A reverse proxy sits in front of your NAS services and handles HTTPS termination. Incoming requests hit the proxy, which routes them to the appropriate NAS service on your LAN. The benefit: you expose a single port (HTTPS on port 443) rather than multiple NAS ports, you get proper SSL/TLS encryption with a real certificate, and you can host multiple services on different subdomains (e.g. photos.yourdomain.com.au, files.yourdomain.com.au) all through the same IP address. Reverse proxies are not needed for VPN-based access. They're specifically useful when you want to expose services via clean HTTPS URLs to the public internet or to non-VPN users.

Built-in Reverse Proxy on Synology DSM

Synology DSM includes a built-in reverse proxy under Control Panel → Application Portal → Reverse Proxy. You configure rules that map incoming hostnames to internal services. Paired with DSM's built-in Let's Encrypt support (Control Panel → Security → Certificate), you can automatically obtain and renew SSL certificates for your DDNS hostname or custom domain. No manual certificate management required.

Example setup: forward photos.yourname.synology.me → localhost:8080 (Synology Photos port), with a Let's Encrypt certificate automatically provisioned for that subdomain. The result is a clean HTTPS URL accessible from any browser worldwide.

nginx Reverse Proxy via Docker

nginx can be installed via Docker on most NAS platforms. Synology Container Manager and QNAP Container Station both support Docker containers. Running nginx Proxy Manager (NPM) in Docker gives you full control over proxy rules, SSL configuration, and security headers, with a web UI that makes configuration accessible to non-command-line users. NPM handles Let's Encrypt certificate provisioning and renewal automatically. This is a popular setup among technically inclined home NAS users who want maximum flexibility.

Caddy: Automatic HTTPS with Minimal Config

Caddy is a modern web server with automatic HTTPS baked in. It obtains and renews Let's Encrypt certificates with zero configuration beyond specifying your domain name. Caddy's Caddyfile syntax is significantly simpler than nginx configuration. For users comfortable with Docker but who find nginx config files intimidating, Caddy is a compelling alternative. A Caddyfile proxying your NAS web interface to a custom domain is often 3-4 lines of configuration versus 30+ for a comparable nginx config.

Let's Encrypt SSL Certificates: Free HTTPS for Your NAS

Let's Encrypt provides free, automatically renewable SSL/TLS certificates from the ISRG non-profit. Every major NAS platform supports Let's Encrypt certificate provisioning, either natively (Synology DSM, QNAP QTS) or through Docker-based tools like Certbot, acme.sh, or Caddy. There is no cost and no manual renewal process once configured.

HTTP-01 vs DNS-01 Challenge

Let's Encrypt verifies domain ownership via a challenge before issuing a certificate. Two methods are relevant for NAS setups:

• HTTP-01: Let's Encrypt makes an HTTP request to your domain on port 80. Your NAS or reverse proxy must be publicly accessible on port 80 for this to work. Simple, but requires port 80 to be open and reachable from the internet.
• DNS-01: Let's Encrypt asks you to place a TXT record in your domain's DNS zone. This works even if your NAS is not publicly accessible at all (useful for internal-only or CGNAT deployments behind Tailscale), and is the only option for wildcard certificates (*.yourdomain.com.au). Requires a DNS provider with API support.

Synology DSM's built-in certificate manager supports both challenge types. For custom domains hosted on Cloudflare, the DNS-01 challenge via Cloudflare's API is the most flexible setup and is widely documented for Synology NAS configurations.

Security Checklist Before Going Remote

Before exposing your NAS to remote access via any method, work through this security checklist. A NAS holding years of personal or business data is a high-value target. NAS devices have been targeted by ransomware campaigns (most notoriously Deadbolt, which affected thousands of Synology and QNAP users in 2022) and credential-stuffing attacks.

Security minimums before enabling remote access:

• Enable two-factor authentication (2FA) on all admin accounts. The NAS admin account and any user accounts you'll access remotely
• Disable the default 'admin' account; create a named admin account with a strong unique password
• Enable auto-block (failed login lockout) in DSM Security Advisor or QTS Security settings
• Update DSM/QTS/TOS/UGOS to the latest version. Check for updates monthly at minimum
• Audit which packages and apps are running; disable anything unused
• Enable the NAS firewall and restrict management interface access to known IP ranges where possible
• Use HTTPS for all remote access. Never plain HTTP for any production use
• If using a reverse proxy, configure security headers (HSTS, X-Frame-Options, X-Content-Type-Options)

IPv6 and Remote NAS Access

IPv6 is increasingly available on Australian NBN connections, and it has a useful side-effect for remote access: every device gets a globally unique, publicly routable IPv6 address. There is no NAT and no CGNAT to work around. If your ISP provides an IPv6 prefix (most major NBN RSPs now do), your NAS has a public IPv6 address and is directly reachable from IPv6-connected networks.

The limitation: not all networks your remote devices connect from will have IPv6. Some mobile carriers, hotel Wi-Fi networks, and corporate environments remain IPv4-only. IPv6-only remote access is not reliable as a sole method in 2026. As a supplementary path when available, it can simplify configuration. Synology DSM and QNAP QTS both support IPv6 firewall rules and IPv6 DDNS hostname assignment for users who want to leverage it.

Choosing the Right Method: Decision Guide

Related Reading

Remote access is one component of a broader NAS strategy. The following guides cover adjacent topics that matter once your NAS is accessible from anywhere:

• Best NAS Australia (2026). Choosing the right hardware before you set it up
• What Is a NAS?. Foundational guide for anyone new to network storage
• NAS vs Cloud Storage Australia. How self-hosted NAS compares to cloud for Australian users
• 3-2-1 Backup Strategy for NAS. Protecting your data once it's accessible remotely
• NAS RAID Explained. How your data is protected on-device
• Synology NAS Australia. Synology-specific setup and model guide
• Synology vs QNAP Australia. Comparing the two dominant NAS platforms
• Where to Buy NAS in Australia. Retailers, pricing, and warranty considerations
• Best NAS Hard Drives Australia. Drive selection for your NAS
• NAS Power Consumption Australia. Running cost for an always-on, always-accessible NAS

Use our free NBN Remote Access Checker to check if your NBN plan supports NAS remote access.

Related reading: our Plex on NAS setup guide and our NAS surveillance setup guide.

How do I know if I'm behind CGNAT on my Australian NBN connection?

Compare the IP address shown in your router's WAN/internet settings against what whatismyip.com shows when you visit it from your browser. If the two IPs are different, you're behind CGNAT. Your router has a private IP that your ISP translates to a shared public IP, and port forwarding will not work. ISPs known to use CGNAT on some plans in Australia include Aussie Broadband, Superloop, Leaptel, and Mate. Contact your ISP and ask specifically whether you can be removed from CGNAT and assigned a public IPv4 address. Many will do this for free or a small monthly fee.

Is Tailscale safe for remote NAS access with sensitive files?

Yes. Tailscale uses WireGuard for all data encryption. A modern, audited VPN protocol with strong security credentials and a minimal codebase. Data between your devices is encrypted end-to-end and does not pass through Tailscale's servers in the vast majority of cases (direct P2P connections are the norm). When Tailscale's DERP relay servers are used as a fallback, the traffic remains WireGuard-encrypted and Tailscale cannot read its content. For home users concerned about vendor relay services (QuickConnect routes through Synology's servers), Tailscale is a more privacy-preserving alternative while retaining CGNAT compatibility.

What is the difference between WireGuard and OpenVPN for NAS?

WireGuard is faster, uses less battery on mobile devices, connects in under a second (compared to OpenVPN's 5-10 second handshake), and has a much smaller codebase meaning fewer potential vulnerabilities. OpenVPN is more widely compatible and can run over TCP port 443, which blends with HTTPS traffic and passes through most corporate and country-level firewalls that block VPN protocols. For new setups in 2026, WireGuard is the clear choice for home and small business use. Consider OpenVPN only if you specifically need to connect from networks that block WireGuard's UDP traffic.

Does QuickConnect slow down file transfers on Synology?

Yes, in relay mode QuickConnect routes all traffic through Synology's servers, adding latency and limiting throughput. The practical impact depends on Synology's APAC server load, your NBN upload speed, and the size of files being transferred. Synology's QuickConnect Relay+ (P2P mode) negotiates a direct connection when network conditions allow, significantly improving throughput. For large file transfers, self-hosted WireGuard VPN or Tailscale will outperform relay-based QuickConnect. QuickConnect relay is well-suited to browsing files, using the Photos or Drive apps, and light app use. Less ideal for streaming large videos or transferring multi-gigabyte datasets.

Do I need a static IP for remote NAS access in Australia?

No. A static IP is not required. Dynamic DNS handles the changing IP problem for methods that need a public IP. Your NAS's built-in DDNS client updates a hostname whenever your IP changes, so remote devices connect to the hostname rather than an IP. Synology provides free synology.me DDNS, QNAP provides myqnapcloud.com, and both platforms support third-party DDNS services. A static IP simplifies setup and ensures your hostname is always immediately current (DDNS has a small propagation delay), but it is not necessary for a functional self-hosted VPN setup. Australian ISPs typically charge $5-15 per month for a static IP add-on.

What NBN upload speed do I need for useful remote NAS access?

The useful minimum depends on what you're doing remotely. For browsing files and syncing documents: NBN 25 (5 Mbps upload) is workable. For using Synology Photos or streaming SD video from your NAS: NBN 100 (20 Mbps upload typical) is comfortable. For 4K video streaming or high-speed remote file access: NBN 250 or NBN 1000 (50 Mbps upload) makes a meaningful difference. Note that your upstream NBN speed is the bottleneck for all remote access. Upload on most fixed-line NBN plans is a fraction of download speed. If remote access performance is a priority, consider a higher NBN tier; if you're primarily on mobile, your 5G uplink may actually be the limiting factor at some locations.

Is it safe to use port forwarding to access my NAS from the internet?

Port forwarding to expose a VPN endpoint (WireGuard UDP port) is safe when properly configured. Port forwarding to expose NAS management interfaces directly (DSM port 5000/5001, QTS port 8080) is not recommended. These ports are actively scanned and targeted by automated attacks. The safe approach is to forward only a WireGuard or OpenVPN port, then access all NAS services through the encrypted VPN tunnel. If you need public web access to NAS services, use a reverse proxy with HTTPS and a custom hostname, enable 2FA on all accounts, and keep your NAS firmware up to date.

What is a reverse proxy and when do I need one for my NAS?

A reverse proxy accepts inbound connections and routes them to internal services on your network. For NAS use, it lets you access services via a clean HTTPS URL (e.g. photos.yourdomain.com.au) rather than a raw IP and port. It handles SSL/TLS certificate management via Let's Encrypt and exposes only port 443 publicly. You need a reverse proxy if you want a custom domain with valid HTTPS, to host multiple services on different subdomains, or to avoid exposing NAS management ports directly to the internet. You do not need one if you're using a VPN (WireGuard, Tailscale) or vendor cloud relay for all access. VPN-based access is inherently secure without a reverse proxy.

Can Tailscale work on QNAP, Asustor, and UGREEN NAS?

Yes. QNAP has an official Tailscale QPKG package in the App Center. Asustor ADM supports Tailscale through App Central or via manual SSH installation of the Tailscale binary. UGREEN NAS units running UGOS Pro can install Tailscale through the available package manager or via SSH depending on the firmware version. For all platforms, check the official Tailscale documentation for your specific NAS OS. It is actively maintained and includes step-by-step guides for each major NAS platform. Synology, QNAP, and Asustor users typically have the smoothest installation experience due to official package support.

How do I set up Let's Encrypt SSL certificates on my Synology NAS?

In Synology DSM, go to Control Panel → Security → Certificate → Add → Get a certificate from Let's Encrypt. Enter your DDNS hostname (e.g. yourname.synology.me) or your own domain name, and DSM will request and install the certificate automatically. DSM also handles renewal before expiry with no manual intervention. To assign the certificate to DSM services, click Configure in the Certificate panel. For custom domains using DNS-01 challenge (required when your NAS isn't publicly accessible on port 80), use acme.sh via SSH or a Certbot Docker container with your DNS provider's API credentials. Cloudflare DNS is the most widely used pairing for DNS-01 on Synology NAS due to its free tier and well-maintained Certbot and acme.sh plugins.

What is a VPS tunnel and how does it help with CGNAT on NBN?

A VPS tunnel is a WireGuard connection from your NAS (behind CGNAT) to a cheap cloud server (VPS) with a public IP. Because your NAS initiates the outbound connection to the VPS, it works through CGNAT. The VPS then forwards inbound traffic from the internet down the WireGuard tunnel to your NAS. The result: a stable, permanent public IP endpoint (the VPS) that routes to your NAS at home, without needing your ISP to remove you from CGNAT. Entry-level VPS plans from providers like Vultr, DigitalOcean, or Hetzner (now with Australian data centres) start at around $5-6/month AUD. Oracle Cloud Free Tier provides a permanently free option for users willing to navigate the setup. This approach is more complex than Tailscale but gives you full control and no dependency on a third-party service.

Which remote access method is best for a small business using a NAS in Australia?

For most small businesses, Tailscale Teams or a self-hosted WireGuard VPN on the router are the best options. Tailscale Teams provides centralised device management, access control lists (ACLs), and audit logs. Critical for business environments where you need to control which staff can access which resources. WireGuard at the router gives maximum performance for users with a public IP and IT capability to manage it. Vendor cloud relays (QuickConnect, myQNAPcloud) are convenient but route business data through vendor servers and lack enterprise access controls. For businesses where data security and access auditing matter, self-hosted VPN or Tailscale Teams is the right approach. Not a consumer relay service.