
NAS - Remote Access

Guest
  • 1 year later...

In the past I've run Teleport servers (https://goteleport.com/) to broker remote access to certain devices within firewalled networks, without having to set up VPNs, port forwarding, etc.

Plus you can stack access policies and security requirements on top. I've not had a moment to properly check if this translates well for remote NAT access, as there will obviously be a few variables to factor in... but I'm throwing it out there if anyone else has used a service like this in the context discussed.


  • 2 months later...

I'm relatively new here, with an understanding of DDNS and VPN. I've seen some stuff online about WireGuard, a newer VPN standard with a possibly higher level of encryption compared to OpenVPN. Some tests seem to indicate it has significantly higher performance too, though those reviewers noted that market adoption is slow. Is there any reason for this? Is there anything I'm missing related to WireGuard? Seems to be Open Source.


2 hours ago, Frederic Truslow said:

I'm relatively new here, with an understanding of DDNS and VPN. I've seen some stuff online about WireGuard, a newer VPN standard with a possibly higher level of encryption compared to OpenVPN. Some tests seem to indicate it has significantly higher performance too, though those reviewers noted that market adoption is slow. Is there any reason for this? Is there anything I'm missing related to WireGuard? Seems to be Open Source.

Standards adoption is always a slow process. A lot of software/OS vendors will think "Why adopt this new standard when my system already works with these other ones?"

There's also the monetary and labour cost of adding in new features or compatibility.

If it truly is better than OpenVPN, the OSS community should eventually push its adoption within itself if nothing more.

For Sale: Meraki Bundle

 

iPhone Xr 128 GB Product Red - HP Spectre x360 13" (i5 - 8 GB RAM - 256 GB SSD) - HP ZBook 15v G5 15" (i7-8850H - 16 GB RAM - 512 GB SSD - NVIDIA Quadro P600)

 


18 hours ago, Frederic Truslow said:

I'm relatively new here, with an understanding of DDNS and VPN. I've seen some stuff online about WireGuard, a newer VPN standard with a possibly higher level of encryption compared to OpenVPN. Some tests seem to indicate it has significantly higher performance too, though those reviewers noted that market adoption is slow. Is there any reason for this? Is there anything I'm missing related to WireGuard? Seems to be Open Source.

With every security technology, there are two sides to them - the protocol, and the implementation. New technologies have to be proven in both these regards, through thorough audits and time on the market without incident. WireGuard’s protocol and the official implementation have completed at least one if not more third party audits by recognized security research companies, and there haven’t been any large issues I’m aware of. But then pfSense’s first implementation, which they did themselves and did not allow the WireGuard main author to help with, was massively flawed and a huge scandal.

Since pfSense is a major firewall OS with a lot of overlap in the same enthusiastic, performance-oriented IT people, this didn’t help matters. OPNsense, by the way, used the official implementation but in userland-mode, meaning it has a performance hit - I don’t know if they have since adopted pfSense’s improved implementation, or if the official implementation has added support for the FreeBSD Kernel (having a kernel-mode implementation was pfSense’s argument for writing it themselves, but they had insane hubris to not involve anyone outside before shipping it to customers).

I think the major limitation to adoption is just momentum though. Not every firewall supports it yet (MikroTik has it in their new v7 OS branch, but that isn’t fully stable and ready yet so most MikroTik routers still run v6; Untangle has put it as part of their paid feature set; I don’t think WatchGuard has added it nor SonicWall and most other small business firewalls). And if you have a working connection, maybe you don’t want to spend the time converting it. I’m using WireGuard where I can for new setups, but have plenty of tunnels with OpenVPN, L2TP, or IPSec that I’m just leaving as-is.

Looking to buy GTX690, other multi-GPU cards, or single-slot graphics cards: 

 


  • 4 weeks later...

If you purchase a router with a VPN function is that the only cost to consider or do you still need to pay for the service as well from a VPN provider?


3 hours ago, Yosh1 said:

If you purchase a router with a VPN function is that the only cost to consider or do you still need to pay for the service as well from a VPN provider?

There are two types of uses for VPN technology, generally defined by where the VPN server is located.

In the discussion of this thread, the purpose is to be able to access home or business private LAN resources when outside the network. The server therefore is located at the home or business, running on the router or separately. In this case, no outside VPN service/provider is generally involved.

A new trend in this space, however, is technologies which aren’t exactly VPN but could be used for the same purpose. Tailscale and Zerotier fall into this category. They have a central orchestration server which each device contacts, and then the devices are told each other’s addresses and they try to connect to each other directly. If the direct connection fails, the orchestration server may also be able to act as a proxy. In this case, the provider would need to be paid, but they do usually have a free tier that is sufficient for home use.

The main use case for a “VPN provider” however is not for remote access to a LAN, it is for keeping your internet traffic encrypted and obfuscated from the immediate network provider - the operator of the network you’re on, their ISP, the local government, etc. This is the main type of service that people pay for.


  • 1 month later...

I would like to see Tailscale added to this list. It's free, stupid simple to set up, and works on just about anything.


  • 3 months later...
On 4/6/2016 at 10:24 PM, KuJoe said:

While I agree with @Blade of Grass that PPTP is insecure, in this instance it's the perfect protocol. It's extremely easy to set up, it has very little overhead, and is supported by basically every OS/device out there. I have both PPTP and L2TP set up on my home router, but I use PPTP more often than L2TP simply because it's faster and I don't need security. A good example of when you want to use PPTP over OpenVPN/L2TP is streaming content. If I connect to a PPTP VPN I can stream Netflix in HD just fine but I'm limited to SD over L2TP (even if the latency is nearly the same). I tried about half a dozen different VPN servers (both with PPTP and L2TP installed, some even in the same state) and there was absolutely no way for me to stream Netflix in HD. Now of course this is just an example, but imagine if you want to stream your 1080p home movies off your NAS while you're at your grandparent's house? Stick with PPTP unless you don't trust their network.

Noob question... Do you not suffer the security issue(s) with PPTP, even though it's set up in addition to L2TP and seemingly available to connect via it at any time? Is it just the data going through it that is less secure and not the system/server itself?

I am looking to create a setup very much like this.


Just now, Blastic said:

Noob question... Do you not suffer the security issue(s) with PPTP, even though it's set up in addition to L2TP and seemingly available to connect via it at any time? Is it just the data going through it that is less secure and not the system/server itself?

I am looking to create a setup very much like this.

I only connect to one of them at a time depending on my use case, not both. If security is a concern, never use PPTP. PPTP is only good for fixing routing/performance issues.

-KuJoe


On 4/27/2023 at 8:51 PM, KuJoe said:

I only connect to one of them at a time depending on my use case, not both. If security is a concern, never use PPTP. PPTP is only good for fixing routing/performance issues.

That is starting to clear it up for me. I could use both in my use case. So my data is only at risk when transferring/connected via PPTP, and only the data being transferred? Or is just having PPTP available a risk, even if not connected?


On 4/29/2023 at 11:41 PM, Blastic said:

That is starting to clear it up for me. I could use both in my use case. So my data is only at risk when transferring/connected via PPTP, and only the data being transferred?

On 4/29/2023 at 11:41 PM, Blastic said:

Or is just having PPTP available a risk, even if not connected?

This. PPTP, if enabled and available to connect to, is pretty trivial to break into for a determined "hacker" (malicious actor, whatever you want to call them). That's why it's no longer in use today, and IPSec (There are actually a couple of variants of IPSec) and OpenVPN and others are considered the default/norm in any corporation or org that cares about security.

 

If you're gonna use PPTP, it creates a vulnerability that could potentially lead deeper into your network and other unrelated data. That's a risk, and odds are you won't be individually targeted for attack if you're just a normal person, but it's something to consider. I personally wouldn't use PPTP in 2023.


9 hours ago, dalekphalm said:

 

This. PPTP, if enabled and available to connect to, is pretty trivial to break into for a determined "hacker" (malicious actor, whatever you want to call them). That's why it's no longer in use today, and IPSec (There are actually a couple of variants of IPSec) and OpenVPN and others are considered the default/norm in any corporation or org that cares about security.

 

If you're gonna use PPTP, it creates a vulnerability that could potentially lead deeper into your network and other unrelated data. That's a risk, and odds are you won't be individually targeted for attack if you're just a normal person, but it's something to consider. I personally wouldn't use PPTP in 2023.

Thank you SOOO much! I understand clearly now. You guys are the best!


  • 1 month later...

I am using kind of a reverse ssh tunnel. Because my NAS is behind two NATs, one of which I have no control over, I had no chance to open up a port.

So I use an ssh tunnel that opens up from the inside to a VERY small and cheap server out there. I even connected a DNS name and do Let's Encrypt on that setup. The command connects with a public/private key pair, opens up a port on the outside server and routes all the traffic on that port through the tunnel onto a port of the NAS. I can do that with multiple connections and the ports don't even have to be the same on each end. So it can be 443 on the outside to 31654 on the inside. Or some other convenient port.

 

I put everything in one line. Can post it if interested. I only need a cheap server somewhere public with ssh enabled and secured. And ssh client on my NAS or somewhere in my inside network. 

 

This is a German talk about it. But if you mute it, the commands and slides are universal :} 

 

 

 

Does anybody see issues with that setup? 

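On the question "Does anybody see issues with that setup?": the main thing to check on the public server is what the tunnel's key is allowed to do there. The following is an added example, not part of the original post and not the poster's one-liner; the relay host `relay.example`, the `tunnel` account, the key file name and the listen port 8443 are assumptions, and the key material is a placeholder.

```shell
#!/bin/sh
# Added example, not the poster's one-liner. Relay host, account, key file and
# port 8443 are constructed; 31654 is the NAS-side port from the post.
#
# On the NAS: open the tunnel outward with no remote shell (-N).
#   ssh -N -i ~/.ssh/tunnel_ed25519 -o ExitOnForwardFailure=yes \
#       -o ServerAliveInterval=30 -R 8443:localhost:31654 tunnel@relay.example
#
# On the relay: the authorized_keys line for that key should allow nothing
# except listening on that one port. check_key_line prints "ok" or findings.
# Simplification: option values are assumed to contain no spaces.
check_key_line() {
    line=$1; port=$2; findings=
    case $line in
        ssh-*|ecdsa-*|sk-*) opts= ;;       # starts with key type: no options
        *) opts=${line%% *} ;;             # otherwise field 1 is the options
    esac
    case ",$opts," in
        *,restrict,*)
            # restrict turns everything off, so forwarding must be re-enabled
            case ",$opts," in
                *,port-forwarding,*) ;;
                *) findings="$findings forwarding-disabled" ;;
            esac ;;
        *) findings="$findings no-restrict" ;;   # shell, pty, agent allowed
    esac
    case ",$opts," in
        *,permitlisten=\"$port\",*|*,permitlisten=\"*:$port\",*) ;;
        *) findings="$findings listen-port-unpinned" ;;
    esac
    if [ -z "$findings" ]; then echo ok; return 0; fi
    echo "${findings# }"; return 1
}

# Audit authorized_keys content on stdin; status 0 only if every key passes.
audit_keys() {
    port=$1; n=0; bad=0
    while IFS= read -r l; do
        n=$((n + 1))
        case $l in ''|'#'*) continue ;; esac
        if r=$(check_key_line "$l" "$port"); then :; else bad=$((bad + 1)); fi
        echo "line $n: $r"
    done
    [ "$bad" -eq 0 ]
}

sample_keys() {   # constructed entries; the key material is a placeholder
    cat <<'EOF'
# tunnel key, locked down
restrict,port-forwarding,permitlisten="localhost:8443" ssh-ed25519 AAAAPLACEHOLDER nas-tunnel
# same kind of key with default permissions
ssh-ed25519 AAAAPLACEHOLDER nas-tunnel-old
restrict,port-forwarding ssh-ed25519 AAAAPLACEHOLDER nas-tunnel-any-port
EOF
}

sample_keys | audit_keys 8443 || echo "some keys need tightening"
```

Port 8443 stands in for the post's 443 because sshd only lets root logins forward privileged ports; on a real relay, feed the tunnel account's own `authorized_keys` file to `audit_keys` on stdin.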

  • 2 months later...
On 6/17/2023 at 1:15 AM, pitschi said:

I am using kind of a reverse ssh tunnel. Because my NAS is behind two NATs, one of which I have no control over, I had no chance to open up a port.

So I use an ssh tunnel that opens up from the inside to a VERY small and cheap server out there. I even connected a DNS name and do Let's Encrypt on that setup. The command connects with a public/private key pair, opens up a port on the outside server and routes all the traffic on that port through the tunnel onto a port of the NAS. I can do that with multiple connections and the ports don't even have to be the same on each end. So it can be 443 on the outside to 31654 on the inside. Or some other convenient port.

 

I put everything in one line. Can post it if interested. I only need a cheap server somewhere public with ssh enabled and secured. And ssh client on my NAS or somewhere in my inside network. 

 

This is a German talk about it. But if you mute it, the commands and slides are universal :} 

 

 

 

Does anybody see issues with that setup? 

Why not just use Cloudflare zero trust tunnel at this point..? Or Tailscale.

Rig: i7 13700k - - Asus Z790-P Wifi - - RTX 4080 - - 4x16GB 6000MHz - - Samsung 990 Pro 2TB NVMe Boot + Main Programs - - Assorted SATA SSD's for Photo Work - - Corsair RM850x - - Sound BlasterX EA-5 - - Corsair XC8 JTC Edition - - Corsair GPU Full Cover GPU Block - - XT45 X-Flow 420 + UT60 280 rads - - EK XRES RGB PWM - - Fractal Define S2 - - Acer Predator X34 -- Logitech G502 - - Logitech G710+ - - Logitech Z5500 - - LTT Deskpad

 

Headphones/amp/dac: Schiit Lyr 3 - - Fostex TR-X00 - - Sennheiser HD 6xx

 

Homelab/ Media Server: Proxmox VE host - - 512 NVMe Samsung 980 RAID Z1 for VM's/Proxmox boot - - Xeon e5 2660 V4- - Supermicro X10SRF-i - - 128 GB ECC 2133 - - 10x4 TB WD Red RAID Z2 - - Corsair 750D - - Corsair RM650i - - Dell H310 6Gbps SAS HBA - - Intel RES2SC240 SAS Expander - - TreuNAS + many other VM’s

 

iPhone 14 Pro - 2018 MacBook Air


  • 2 weeks later...

Could I know why exactly I need L2TP or OpenVPN?

I do not know the key to success, but the key to failure is trying to please everyone


11 hours ago, PSP. said:

Could I know why exactly I need L2TP or OpenVPN?

L2TP and OpenVPN are both tunneling protocols. They allow encrypted access to your local system. They are 2 examples, but there are additional tunneling protocols out there.

 

You're gonna need to expand your question to get a useful answer. I'm not really sure what you're asking.


8 hours ago, dalekphalm said:

L2TP and OpenVPN are both tunneling protocols. They allow encrypted access to your local system. They are 2 examples, but there are additional tunneling protocols out there.

 

You're gonna need to expand your question to get a useful answer. I'm not really sure what you're asking.

I'm asking if when OpenVPN require? Important?
How with remote access with Plex?


14 hours ago, PSP. said:

I'm asking if when OpenVPN require? Important?
How with remote access with Plex?

I suggest you start your own thread if you have specific questions about VPNs or remote access. You'll get much better advice tailored to your specific situation.

VPNs are not required for Plex, as it has its own built-in system for playing content remotely.


  • 3 months later...
On 2/26/2016 at 12:31 AM, Windspeed36 said:

There are two main methods to remotely access your data if you’re not using a cloud based storage provider (Microsoft, Google, Dropbox etc).

 

  1. Put yourself in the network

     

  2. Make the device available over the internet

     

Putting yourself in the network

 

Option 1 is the preferable route, done via creating a secure connection via a VPN between your device (smartphone, laptop etc) and your home network.

 

There are lots of options out there and it depends entirely on the hardware that you’ve got available. I’ve mentioned a few methods below but there are no doubt many more that aren’t listed.

 

You might see mention of PPTP Client VPNs – these are an older connection method, more common with consumer grade hardware from the likes of Asus or Netgear. I strongly recommend you don’t use a PPTP VPN as they’re considered inherently insecure these days.

 

For up to date information on what your device supports, check with the manufacturer or look at using dedicated hardware to run your own VPN server (such as OpenVPN).

 

Making the device available over the internet

 

The alternative to running your own VPN server is making the content available over the internet, usually via an SSL protected web portal.  While this does work, it is all too often that news comes out about another security vulnerability with NAS web pages and malware spreading. I do not encourage you to make your NAS available over the web for this reason.

 

 

 

Common Questions

 

My IP is dynamic (keeps changing) – how do I run a VPN service?

 

Look at using dynamic DNS. Most routers/gateways support some form of dynamic DNS, enabling your hardware to advise a 3rd party service (like DYN DNS) about a change in IP. In turn, that 3rd party updates your special record (e.g. mydomain.dyndns.org) and enables you to keep connecting to your home network.

 

What’s the downside of running a VPN server?

 

Bandwidth and data usage are a key consideration. If your internet speed is limited (e.g. 10/10 DSL or similar), the remote experience will be poor, even with split tunnelling for the VPN enabled. Cloud based file storage from a 3rd party might be a better solution.

 

Another good DNS provider to use for people who have a dynamic IP is FreeDNS (https://afraid.org). I used that for several years before I made my own name servers. FreeDNS has scripts that can run on a system from within your LAN and auto update your new IP in DNS for you. You would need your own domain name however. I myself have afnet.us that I use for name service.
