
Network folder outside my network secure question

Hello to all,

I have been scouring the internet to get a simple solution to something I think should be simple, and it seems it is not. So I thought I would ask on here in case people have some solutions for me. Let me explain:

I have a HDD on my main PC, and one folder is shared locally to all my household to use when needed on their systems - easy.

I would like my extended family outside my network to also have use of this folder when needed, and I am stuck on how to do this safely, securely and easily for both myself and especially my parents to connect to it.

Are there simple set-up options on my side, and for those wanting to connect to that specific folder on their systems?

Thank you for any help; please do not hesitate to ask me questions if this is not clear enough.

Ben


First question - do you have a dynamic or static public IP and are you behind CGNAT? These can limit your options by a lot, depending on your connection.

HAL9000: AMD Ryzen 9 3900x | Noctua NH-D15 chromax.black | 32 GB Corsair Vengeance LPX DDR4 3200 MHz | Asus X570 Prime Pro | ASUS TUF 3080 Ti | 1 TB Samsung 970 Evo Plus + 1 TB Crucial MX500 + 6 TB WD RED | Corsair HX1000 | be quiet Pure Base 500DX | LG 34UM95 34" 3440x1440

Hydrogen server: Intel i3-10100 | Cryorig M9i | 64 GB Crucial Ballistix 3200MHz DDR4 | Gigabyte B560M-DS3H | 33 TB of storage | Fractal Design Define R5 | unRAID 6.9.2

Carbon server: Fujitsu PRIMERGY RX100 S7p | Xeon E3-1230 v2 | 16 GB DDR3 ECC | 60 GB Corsair SSD & 250 GB Samsung 850 Pro | Intel i340-T4 | ESXi 6.5.1

Big Mac cluster: 2x Raspberry Pi 2 Model B | 1x Raspberry Pi 3 Model B | 2x Raspberry Pi 3 Model B+


Thank you jj9987,

My connection is dynamic. I already have a bit of knowledge of this and I already use DynDNS addresses that update my IP when it changes. I am hoping I can do something with these addresses - e.g. xxxx.dyndns.com - I send this to my folks, add a password where needed and they see my folder lol - if it was that simple it would be an ideal world I guess.

Now, CGNAT - I am not sure. As far as I looked at the meaning, my main modem offers NAT, and nowhere can I see CGNAT.


Have you ever port forwarded before? I'd set up a client-to-site VPN, assuming you can. The important bit being that your ISP doesn't have you behind NAT64-CGN.

There are ways to work around even that, though.


Assuming you're trying to share via SMB (Windows).

You'll need to, on your router, do a port forward, ports 135-139 and port 445 (TCP and UDP), to the computer hosting the shares. Obviously, you'll need to set up a user/password on the system for the shares (just like you would locally). And then, once all that's done, from the computer you connect in from, you'll do a \\53.23.84.32\<SHARENAME>. Replace the IP address with the external IP address of your router. And there you go, sharing files over the Internet.

Now, that's how you do it, but I'll warn you, those are known ports and hackers scan for them. You're gonna get a lot of traffic trying to hack in by opening those ports, just be ready for it, and be sure that the username/password combo is complex. For safety, if possible, set the share to read only so if someone does get in, at least they can't delete the files.


Thank you - this may be an option, and I would need to change my PC password for sure if I do this.

I am assuming the following right now:

- I will only have one folder shared on the system that I have allowed locally - the login details used are for the whole PC, not individual to the specific folder?

- I have a DynDNS address - would \\www.dyndns.com\<SHARENAME> work, and would this be added in the "Network" option of the file explorer, I guess, for the user wanting to connect?

- Also, maybe there is a way to add to this shared folder the names of the only computers that can connect from outside the network? This way I have a second barrier against potential people trying to get into this folder?

Ben


2 hours ago, XSnPX said:

Thank you - this may be an option, and I would need to change my PC password for sure if I do this.

I am assuming the following right now:

- I will only have one folder shared on the system that I have allowed locally - the login details used are for the whole PC, not individual to the specific folder?

- I have a DynDNS address - would \\www.dyndns.com\<SHARENAME> work, and would this be added in the "Network" option of the file explorer, I guess, for the user wanting to connect?

- Also, maybe there is a way to add to this shared folder the names of the only computers that can connect from outside the network? This way I have a second barrier against potential people trying to get into this folder?

Ben

The correct way to deal with this problem is to install something like OpenVPN and allow your parents to securely connect to that PC. This also means you only need to forward a single port.

Windows file shares will "just work", though they may need to specify the LAN IP address of the PC rather than its name.

ASUS B650E-F GAMING WIFI + R7 7800X3D + 2x Corsair Vengeance 32GB DDR5-6000 CL30-36-36-76  + ASUS RTX 4090 TUF Gaming OC

Router:  Intel N100 (pfSense) Backup: GL.iNet GL-X3000/ Spitz AX Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz) WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz)
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~1200Mbit down, 115Mbit up, variable)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7


5 hours ago, XSnPX said:

Thank you - this may be an option, and I would need to change my PC password for sure if I do this.

I am assuming the following right now:

- I will only have one folder shared on the system that I have allowed locally - the login details used are for the whole PC, not individual to the specific folder?

- I have a DynDNS address - would \\www.dyndns.com\<SHARENAME> work, and would this be added in the "Network" option of the file explorer, I guess, for the user wanting to connect?

- Also, maybe there is a way to add to this shared folder the names of the only computers that can connect from outside the network? This way I have a second barrier against potential people trying to get into this folder?

Ben

The user account is for the entire computer; however, you decide what that account can do. Make it a standard user account (not admin) and then, when you share the folder, allow that account access. If you don't allow a particular share to that account, it won't have it. You can further restrict that account if you want to, but the big thing is to make sure it can only see that single share (and hopefully with read-only permissions) remotely.

Yes, \\dyndns\sharename will work. No, it will not be added to the network options for your remote users, though. They will need to type in the path directly; there's no way to have it browse the entire Internet to find that specific share. You have to tell the remote computer where the share is, it'll look, and, if authorized, open it.

Finally, there's not really anything you can do with the share itself. What you can do, though, on the router, is restrict the IPs that can hit the share. If your remote users have a static IP, that's really secure: just set that IP as the only one allowed through the NAT on the router. If it's not static, you can take advantage of the fact that most ISPs don't give out totally random addresses. If your user's IP is 64.223.7.4, it's a pretty safe guess to say that their address will always be 62.223.X.X (with the X.X possibly changing). So, on your router, set up a rule that only 64.223/16 is allowed through and that should work even with a floating IP address.

I agree with the other poster, though: the best/most secure way to do what you're trying to do is via VPN. It's a lot more setup, though; if there are lots of things on your network that the remote user needs, I'd go with a VPN. If it's just that single share, it's easier to set it up like I described, but it's less secure. Again, I can't stress it enough: make sure that the password you use on that share is very complex. An open SMB port will get picked up by hackers and they will try to breach it, no question about it.


Thanks to all for all the great advice and different solutions.

I decided to forget the SMB share - too risky. I remember when I set up remote access to my computer via the default port it was being hit soooo much, and I was able to change this port to a different one and since then it gets hit practically never.

I need to investigate VPN access - with OpenVPN or other.

I also read about setting up SFTP? But again this I need to learn more about. What is more important to me - I think I can set it up in time on my side - is that my users need to be able to connect without many steps or installing programs etc etc.

The idea of them using an address on their PC to access my folder seems the easiest in my opinion.

Which system, OpenVPN or SFTP, would be easiest for my remote users to access this shared folder?

Thanks again

Ben


On 3/30/2021 at 4:24 AM, Overtaxed said:

Assuming you're trying to share via SMB (Windows).

You'll need to, on your router, do a port forward, ports 135-139 and port 445 (TCP and UDP), to the computer hosting the shares. Obviously, you'll need to set up a user/password on the system for the shares (just like you would locally). And then, once all that's done, from the computer you connect in from, you'll do a \\53.23.84.32\<SHARENAME>. Replace the IP address with the external IP address of your router. And there you go, sharing files over the Internet.

Now, that's how you do it, but I'll warn you, those are known ports and hackers scan for them. You're gonna get a lot of traffic trying to hack in by opening those ports, just be ready for it, and be sure that the username/password combo is complex. For safety, if possible, set the share to read only so if someone does get in, at least they can't delete the files.

I wouldn't recommend exposing SMB to the public. There have been numerous vulnerabilities in the protocol (just 3 from last year!) and it's only a matter of time before another one pops up that can be used for spreading ransomware or other malware. Even if they can only read files, those could contain personal information, images and other things that should not be publicly available.

I recommend using a VPN instead, such as OpenVPN or WireGuard. Connect from outside using the VPN and then you can access your whole internal network as if you were connected directly to it (with the exception of worse bandwidth and latency).

As for CGNAT - if your router has an IP address in an RFC1918 or 100.64.0.0/10 range on the WAN side, you are behind CGNAT and you will need a third-party host with a public IP. With CGNAT, you can set up port forwarding (also known as destination NAT) on your router, but it won't be enough since the ports will still be blocked by the ISP. If your router has a public IP, then port forwarding will be enough to allow connections from outside to your devices.


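The two router-side checks discussed in this thread, the CGNAT test from jj9987's post (WAN address in RFC1918 or 100.64.0.0/10) and the per-ISP-block source allow-list from Overtaxed's post, as an added example that is not code from any poster. The addresses in the sample inputs are constructed; the function names are my own.

```python
import ipaddress

# RFC 1918 private ranges and the RFC 6598 shared address space that ISPs
# use for carrier-grade NAT (the 100.64.0.0/10 range named in the thread).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_address(addr: str) -> str:
    """Classify the router's WAN-side IPv4 address as seen on its status page.

    Returns "rfc1918" (another NAT sits in front of you), "cgnat" (ISP shared
    space) or "public". Only a "public" WAN address makes a plain port forward
    reachable from the Internet.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("this check is for IPv4 WAN addresses")
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT_SHARED:
        return "cgnat"
    return "public"


def port_forward_reachable(addr: str) -> bool:
    """True when a destination-NAT rule on the router is enough on its own."""
    return classify_wan_address(addr) == "public"


def source_allowed(src: str, allowed_prefixes) -> bool:
    """Emulate the router rule that admits only the remote user's ISP block.

    allowed_prefixes holds CIDR strings such as "64.223.0.0/16"; strict=False
    lets a host address like "64.223.7.4/16" stand in for its network.
    """
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in allowed_prefixes)


if __name__ == "__main__":
    # Constructed sample values: 203.0.113.0/24 is documentation space.
    for wan in ("192.168.1.2", "100.72.1.5", "203.0.113.7"):
        print(wan, classify_wan_address(wan), "forward reachable:", port_forward_reachable(wan))
    print(source_allowed("64.223.9.9", ["64.223.0.0/16"]))   # same ISP block
    print(source_allowed("64.224.0.1", ["64.223.0.0/16"]))   # outside the block
```

The allow-list narrows who can even reach the forwarded port, but it is a filter on addresses, not authentication, which is why both posters still point to a VPN as the better option.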

I was able to find this, and I have just tried it:

Resilio (not adding a link as I am not sure if I am allowed)

Seems to be ideal for me and so easy to set up.... and it is free for my needs, and the folder is shared directly and safely with a small program to install.... From research this was called BitTorrent Sync in the past.
