The advice I’ve read (and implemented myself) is to not so much run a block list, but an allow list. So first things first, have a rule to block all connections, then have overriding rules to allow connections using criteria you would deem safe. If you know someone needs to access the server from the UK, include the UK on the allow list. Everything else can remain locked down until you have a reason to open it up to another country.
I set this up a week ago. Not sure if this is the best practice approach but it’s been working fine for me.
In FreshRSS my API url is just the default local address. 192.168… whatever it may be. Tailscale assigns an specific address to each machine, so on my RSS client (Reeder) I use the server’s Tailscale address (plus internal port and /api/). As long as Tailscale is active on your server, and active on your client, any traffic to a Tailscale address should be routed via Tailscale automatically.
Happy to provide screenshots via DM if this doesn’t make sense. Also happy to change my setup if someone tells me I could be doing things better.
There are a few people saying that a synology NAS may not do everything you’d ever want, but there’s an underlying assumption there that you should run everything on a single device. There’s value in isolating functions to their dedicated device, especially when the alternative means a guaranteed compromise.