Synology QuickConnect Relay: Not Secure?
Solution 1:
- It is correct than QuickConnect isn't end-to-end encrypted. It is encrypted from your device to Synology, and then decrypted and re-encrypted for the voyage from Synology to your NAS. That part is necessary (it's how TLS works), but Synology could choose to add an additional end-to-end encryption layer if they wanted (with more work and performance hits). But they haven't.
- To my knowledge you cannot modify QuickConnect to fallback to your own relay.
- Most likely hole punching is safer than forwarding a public port (which is a hole that is open all the time).
- Hole punching would work when putting your Synology in your router's DMZ, but would be unnecessary and would defeat the point of hole punching. The DMZ is exposed to the internet all the time.
I don't know the answer to to 5 or 6.