
Connect to server folders remotely without exposing IP

Hi all,

I am running a Windows 11 machine which I use as a home server. SMB works great for local machines but I want to be able to access it from everywhere so that I can back up from anywhere. Ideally I want to do this without exposing my IP address. I already have a Cloudflare DNS account and domain which I use for another piece of software I want to have remote access to. Not sure if there is something like an SFTP server which uses this.

I tried playing around with FileZilla Server but its interface is really weird to me with virtual and native paths. I just want to host an SFTP server where I can select the server folders that I want and that show up when entering the SFTP details on a client (preferably native Windows or macOS client).

The server is built to be as energy efficient as possible so it would be great if it is pretty lightweight and doesn't keep the drives spinning when there are no active transfers.

Link to comment

I want to say the overwhelming majority of SFTP software out on the market is going to rely on you setting up Port Forwarding but there isn't a real reason to be paranoid about doing so. Just make sure the server is password protected. Set up Public/Private Key Authentication if it's an option. Don't use Port 22 on the public facing side. Use something over 30,000 but under 65535.

If that's not good enough the only software that comes to mind for file transfers without Port Forwarding is TeamViewer and that's not its designed purpose, just a feature. There are a couple of other similar pieces of software available. I believe one is called AnyDesk. PARSEC might possibly work but I know that's not what it was made for. Never tried AnyDesk but it and TeamViewer should allow the transfer of files remotely without Port Forwarding.

Link to comment

4 minutes ago, Windows7ge said:

I want to say the overwhelming majority of SFTP software out on the market is going to rely on you setting up Port Forwarding but there isn't a real reason to be paranoid about doing so. Just make sure the server is password protected. Set up Public/Private Key Authentication if it's an option. Don't use Port 22 on the public facing side. Use something over 30,000 but under 65535.

If that's not good enough the only software that comes to mind for file transfers without Port Forwarding is TeamViewer and that's not its designed purpose, just a feature. There are a couple of other similar pieces of software available. I believe one is called AnyDesk. PARSEC might possibly work but I know that's not what it was made for. Never tried AnyDesk but it and TeamViewer should allow the transfer of files remotely without Port Forwarding.

I don't really have a problem with port-forwarding, I just don't want my IP being the "page" for SFTP when connecting from let's say a friend's machine. I already have a Cloudflare domain that I use for Emby. So instead of my IP, I enter emby.mydomain, in the Cloudflare DNS settings that will redirect to my machine with SSL and encryption. Ideally I want the same with SFTP. Just type in sftp.mydomain and it will go through Cloudflare to my server.

I've played around with FileZilla a bit but didn't find the option to have an external domain do it, and I find the virtual and native paths a stupid way to handle folders (otherwise multiple users with their own folders and passwords is pretty nice so might look into it).

Link to comment

29 minutes ago, DamirB said:

I don't really have a problem with port-forwarding, I just don't want my IP being the "page" for SFTP when connecting from let's say a friend's machine. I already have a Cloudflare domain that I use for Emby. So instead of my IP, I enter emby.mydomain, in the Cloudflare DNS settings that will redirect to my machine with SSL and encryption. Ideally I want the same with SFTP. Just type in sftp.mydomain and it will go through Cloudflare to my server.

I've played around with FileZilla a bit but didn't find the option to have an external domain do it, and I find the virtual and native paths a stupid way to handle folders (otherwise multiple users with their own folders and passwords is pretty nice so might look into it).

Basically you want multiple domains to connect to the same IP but access different services. Does Cloudflare allow you to configure a port number?

Windows for desktop doesn't offer much in terms of SFTP server software. That's where Windows Server would normally come in. Really Linux or UNIX would make this very easy to set up as everything you need is pre-installed. Unfortunately the only software that comes to mind without resorting to Linux is FileZilla Server but you already tried that. I'm wondering if PowerShell might offer an SSH Server service that could be used here but if you need multiple accounts they'd likely be computer local accounts not just accounts for the SSH client.

Link to comment

6 hours ago, DamirB said:

Hi all,

I am running a Windows 11 machine which I use as a home server. SMB works great for local machines but I want to be able to access it from everywhere so that I can back up from anywhere. Ideally I want to do this without exposing my IP address. I already have a Cloudflare DNS account and domain which I use for another piece of software I want to have remote access to. Not sure if there is something like an SFTP server which uses this.

I tried playing around with FileZilla Server but its interface is really weird to me with virtual and native paths. I just want to host an SFTP server where I can select the server folders that I want and that show up when entering the SFTP details on a client (preferably native Windows or macOS client).

The server is built to be as energy efficient as possible so it would be great if it is pretty lightweight and doesn't keep the drives spinning when there are no active transfers.

Would you not be able to just VPN in and access the shares via SMB as if you were in your network?

This is how I have my homelab set up. If I want to get at my data from externally, I VPN into my network and then my machine effectively acts as if it was on my LAN.

But if you really want to use SFTP, sure, just port forward. There likely aren't going to be great options for Windows though as stated above. VPN is likely the best bet, you can run WireGuard in a Docker container.

Rig: i7 13700k - - Asus Z790-P Wifi - - RTX 4080 - - 4x16GB 6000MHz - - Samsung 990 Pro 2TB NVMe Boot + Main Programs - - Assorted SATA SSD's for Photo Work - - Corsair RM850x - - Sound BlasterX EA-5 - - Corsair XC8 JTC Edition - - Corsair GPU Full Cover GPU Block - - XT45 X-Flow 420 + UT60 280 rads - - EK XRES RGB PWM - - Fractal Define S2 - - Acer Predator X34 -- Logitech G502 - - Logitech G710+ - - Logitech Z5500 - - LTT Deskpad

 

Headphones/amp/dac: Schiit Lyr 3 - - Fostex TR-X00 - - Sennheiser HD 6xx

 

Homelab/ Media Server: Proxmox VE host - - 512 NVMe Samsung 980 RAID Z1 for VM's/Proxmox boot - - Xeon e5 2660 V4- - Supermicro X10SRF-i - - 128 GB ECC 2133 - - 10x4 TB WD Red RAID Z2 - - Corsair 750D - - Corsair RM650i - - Dell H310 6Gbps SAS HBA - - Intel RES2SC240 SAS Expander - - TrueNAS + many other VM’s

 

iPhone 14 Pro - 2018 MacBook Air

Link to comment

VPN would be a much better solution than SFTP since you already have SMB configured.

I run WireGuard, it's very fast and lightweight. It has the added benefit that I can run WireGuard on my phone and connect it to home to proxy all my traffic for mobile security as well when I'm using hotspots.

Desktop: Ryzen9 5950X | ASUS ROG Crosshair VIII Hero (Wifi) | EVGA RTX 3080Ti FTW3 | 32GB (2x16GB) Corsair Dominator Platinum RGB Pro 3600Mhz | EKWB EK-AIO 360D-RGB | EKWB EK-Vardar RGB Fans | 1TB Samsung 980 Pro, 4TB Samsung 980 Pro | Corsair 5000D Airflow | Corsair HX850 Platinum PSU | Asus ROG 42" OLED PG42UQ + LG 32" 32GK850G Monitor | Roccat Vulcan TKL Pro Keyboard | Logitech G Pro X Superlight  | MicroLab Solo 7C Speakers | Audio-Technica ATH-M50xBT2 LE Headphones | TC-Helicon GoXLR | Audio-Technica AT2035 | LTT Desk Mat | XBOX-X Controller | Windows 11 Pro

 

Server: Fractal Design Define R6 | Ryzen 3950x | ASRock X570 Taichi | EVGA GTX1070 FTW | 64GB (4x16GB) Corsair Vengeance LPX 3000Mhz | Corsair RM850v2 PSU | Fractal S36 Triple AIO + 4 Additional Venturi 120mm Fans | 14 x 20TB Seagate Exos X22 20TB | 500GB Aorus Gen4 NVMe | 2 x 2TB Samsung 970 Evo Plus NVMe | LSI 9211-8i HBA

 

Link to comment

On 7/5/2022 at 6:58 AM, Jarsky said:

VPN would be a much better solution than SFTP since you already have SMB configured.

I run WireGuard, it's very fast and lightweight. It has the added benefit that I can run WireGuard on my phone and connect it to home to proxy all my traffic for mobile security as well when I'm using hotspots.

@LIGISTX I have seriously considered this but the problem is that you would always need to be connected. I also want some family members to be able to automatically back up their stuff and that is a lot easier with SFTP since you don't have to interact with it at all.

Link to comment

17 minutes ago, DamirB said:

@LIGISTX I have seriously considered this but the problem is that you would always need to be connected. I also want some family members to be able to automatically back up their stuff and that is a lot easier with SFTP since you don't have to interact with it at all.

Theoretically, if you set it up for them once at the start, WireGuard VPN will be much easier. You can mount the drive as a network share just like a normal SMB share, and you can set up split tunneling so all standard internet bound traffic goes out the WAN like normal, but stuff destined for your NAS will go out over the VPN.  

Link to comment
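
The split-tunnel setup described in the post above, sketched as WireGuard configuration for both ends (an added example, not posted by anyone in this thread). The 10.8.0.0/24 tunnel subnet, the vpn.example.com endpoint, port 51820 and the key placeholders are all assumptions, and WireGuard is assumed to run on the file server itself.

```ini
# ---- Server side (the home file server); all values are constructed ----
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>

# One [Peer] block per family device, so a lost laptop can be revoked
# on its own by deleting its block.
[Peer]
PublicKey = <LAPTOP_PUBLIC_KEY>
# The server only accepts tunnel packets from this peer if they carry
# this source address.
AllowedIPs = 10.8.0.2/32

# ---- Client side (a family member's laptop) ----
[Interface]
Address = 10.8.0.2/32
PrivateKey = <LAPTOP_PRIVATE_KEY>

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = vpn.example.com:51820
# Split tunnel: only traffic to the server's tunnel address is routed
# through the VPN. The SMB share is mounted via 10.8.0.1 and all other
# internet traffic keeps using the local connection.
AllowedIPs = 10.8.0.1/32
# Full tunnel (all traffic sent via home, as in the phone-on-hotspot
# use mentioned earlier in the thread) would instead be:
# AllowedIPs = 0.0.0.0/0, ::/0
# Periodic keepalive so NAT mappings stay open while the laptop sits
# behind someone else's router; scheduled backups can then start
# without anyone reconnecting by hand.
PersistentKeepalive = 25
```

With this layout only one UDP port has to be forwarded to the server, and SMB itself is never reachable from the internet. The Endpoint name still resolves to the home connection's public address.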

I think if you don't want anyone to see your router's IP at all, the only way to do that is to use some third party proxy, or set up a VPN/proxy yourself in another location/with another IP.

“Remember to look up at the stars and not down at your feet. Try to make sense of what you see and wonder about what makes the universe exist. Be curious. And however difficult life may seem, there is always something you can do and succeed at. 
It matters that you don't just give up.”

-Stephen Hawking

Link to comment

1 hour ago, Mihle said:

I think if you don't want anyone to see your router's IP at all, the only way to do that is to use some third party proxy, or set up a VPN/proxy yourself in another location/with another IP.

Or just use a DNS forwarder... DuckDNS, noip.com, etc etc.

Link to comment

On 7/4/2022 at 3:29 PM, DamirB said:

I don't really have a problem with port-forwarding, I just don't want my IP being the "page" for SFTP when connecting from let's say a friend's machine. I already have a Cloudflare domain that I use for Emby. So instead of my IP, I enter emby.mydomain, in the Cloudflare DNS settings that will redirect to my machine with SSL and encryption. Ideally I want the same with SFTP. Just type in sftp.mydomain and it will go through Cloudflare to my server.

I've played around with FileZilla a bit but didn't find the option to have an external domain do it, and I find the virtual and native paths a stupid way to handle folders (otherwise multiple users with their own folders and passwords is pretty nice so might look into it).

First off, the currently available version of FileZilla server supports FTP and FTPS (FTP over TLS), but not SFTP (based on SSH). That one is going to be supported by the Enterprise Edition, which isn't going to be available for free. 

If that's fine with you, then to set it up so that it can be connected to from outside, you need to appropriately forward the ports to the network interface you want the FileZilla Server to listen on. The listeners are configurable in the proper config panel.

As for virtual and native paths, how would you do things differently?

Link to comment

12 hours ago, FabioA. said:

First off, the currently available version of FileZilla server supports FTP and FTPS (FTP over TLS), but not SFTP (based on SSH). That one is going to be supported by the Enterprise Edition, which isn't going to be available for free. 

If that's fine with you, then to set it up so that it can be connected to from outside, you need to appropriately forward the ports to the network interface you want the FileZilla Server to listen on. The listeners are configurable in the proper config panel.

As for virtual and native paths, how would you do things differently?

FTP over TLS would work fine for me as well. The setup to connect through the outside, is it possible to let it run through Cloudflare just to not expose my IP? Otherwise it is not the end of the world as long as the encryption is strong enough. I've attached an image of how I've done it in Emby so that instead of typing homeip:embyportnumber I type emby.mydomainname which is hosted by Cloudflare. Since I already own the domain (and I like the dashboard) I would like to be able to use ftps.mydomainname.

For the virtual and native paths I understand how it is useful for people, but for my use case just having an Explorer window pop up where I select the folder(s) I want to share through FTPS would be better.

Link to comment