I was reading the QuickConnect whitepaper and was overall pretty impressed. But on page 10 it explains how the Relay service works and it’s implied (but not explicitly stated) that packets are decrypted on the Relay Server. They go on to pinky swear they won’t snoop your traffic:
> While providing the promised services, QuickConnect makes no use of collected data from registered Synology NAS servers except in delivering such services. For more details, please visit the Privacy Terms on our official website.
As most of you probably are, I can be a little paranoid about security. My previous setup used a TCP proxy server which allowed for E2E encryption to work natively. That was, however, somewhat brittle and left a public port exposed. It also added latency. Hole Punching is really cool and does seem to create an encrypted tunnel E2E, so that sounds perfect for my needs. A few questions:
- Is it correct that QuickConnect relay isn’t encrypted E2E?
- Can I modify QuickConnect to fall back to my own relay?
- Is my assumption correct that Hole Punching is safer than simply forwarding a public port?
- Will hole punching work when putting my Synology in my router’s DMZ?
- In which conditions will Hole Punching not work?
- Does QuickConnect use UDP or TCP Hole Punching?