How to securely access Home NAS from WAN?


Solution 1

The VPN server can also offer PPTP connections, which can be used without additional software but are less secure; that's still better than having your internal services exposed to the internet directly via port forwarding.

Documentation: https://help.synology.com/dsm/?section=VPNCenter&version=1.2&link=vpn_setup.html

  1. Open VPN Server and then go to Settings > PPTP on the left panel.

  2. Tick Enable PPTP VPN server.

  3. Specify a virtual IP address of VPN server in the Dynamic IP address fields. Refer to About Dynamic IP Address below for more information.

  4. Set Maximum connection number to limit the number of concurrent VPN connections.

  5. Set Maximum number of connections with same account to limit the number of concurrent VPN connections with the same account.

  6. Choose either of the following from the Authentication drop-down menu to authenticate VPN clients:

    • PAP: VPN clients' passwords will not be encrypted during authentication.
    • MS-CHAP v2: VPN clients' passwords will be encrypted during authentication using Microsoft CHAP version 2.

  7. If you selected MS-CHAP v2 for authentication above, choose any of the following from the Encryption drop-down menu to encrypt VPN connection:

    • No MPPE: VPN connection will not be protected with encryption mechanism.
    • Require MPPE (40/128 bit): VPN connection will be protected with 40-bit or 128-bit encryption mechanism, depending on the client's settings.
    • Maximum MPPE (128 bit): VPN connection will be protected with 128-bit encryption mechanism, which provides the highest level of security.

  8. Set MTU (Maximum Transmission Unit) to limit data packet size transmitted via the VPN.

  9. Tick Use manual DNS and specify the IP address of a DNS server to push DNS to PPTP clients. If this option is disabled, the DNS server used by the Synology NAS will be pushed to clients.

  10. Click Apply for the changes to take effect.

When connecting to the VPN, the authentication and encryption settings of VPN clients must be identical to the settings specified on VPN Server, or else clients will not be able to connect successfully.

To be compatible with most PPTP clients running Windows, Mac OS, iOS and Android operating systems, the default MTU is set to 1400. For more complicated network environments, a smaller MTU might be required. Try to reduce the MTU size if you keep receiving timeout errors or experience unstable connections.

Please check the port forwarding and firewall settings on your Synology NAS and router to make sure the TCP port 1723 is open.

The PPTP VPN service is built into some routers, so port 1723 might be occupied. To ensure VPN Server works properly, you might need to disable the built-in PPTP VPN service through the router's management interface. In addition, some old routers block the GRE protocol (IP protocol 47), which will result in VPN connection failure. It is recommended to use a router that supports VPN pass-through connections.

Solution 2

  1. Set up VirtualBox on some computer inside your LAN.

  2. Install a minimal Debian virtual machine (384 MB RAM, 3 GB HDD is enough), without a graphical environment or services, just with openssh-server.

  3. Configure a port redirect on your router, not on the default port 22 but on some high port, let's say 30000-60000. Remember this port number :)

  4. Add a non-administrative user, and remember to change his password often.

  5. On the WAN computer, download and run PuTTY. Configure a connection to your home external IP address with SSH connection tunnelling enabled.

  6. On the WAN computer, configure the browser to use a SOCKS proxy and point it to localhost, to the port set in the PuTTY settings.

  7. Enter the local IP in the browser's URL bar.


Why use a separate Debian instead of connecting straight to the Synology? Because Synology firmware is far less secure (remember Synolocker?) than a minimal Debian with 2015's default settings.

Of course you can also use PPTP, like in the previous answer. But PPTP can be blocked at the remote side, e.g. when you use your employer's computer and the employer blocks outside VPN traffic. SSH is better then, because you just need to find one single unblocked port number (e.g. 443) and you are free to establish a connection.
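
A server-side configuration for the SSH gateway described in Solution 2, as an added example that is not part of the original answer: it limits the WAN-facing account to tunnelling toward the NAS and nothing else. The account name `tunnel`, the address 192.168.1.10 and the ports 8080 and 8443 are constructed placeholders, and key-based login in place of the password from step 4 is an assumption of this example.

```conf
# /etc/ssh/sshd_config on the Debian gateway VM (added example).
# sshd uses the first value it finds for a keyword, so edit the
# existing global lines instead of appending duplicates.

# --- global section ---
PermitRootLogin no
# Hypothetical account name; no other account may log in over SSH.
AllowUsers tunnel
MaxAuthTries 3
X11Forwarding no

# --- per-user section: keep Match blocks at the end of the file ---
Match User tunnel
    # Assumption: a key pair replaces the password from step 4.
    PasswordAuthentication no
    PubkeyAuthentication yes
    # Client-to-LAN forwarding only; this covers PuTTY's "Dynamic"
    # (SOCKS) tunnel and refuses remote (reverse) forwards.
    AllowTcpForwarding local
    # Only these destinations are reachable through the tunnel.
    # Constructed values: use the NAS address and its service ports.
    PermitOpen 192.168.1.10:8080 192.168.1.10:8443
    # No shell, no terminal, no other channel types.
    PermitTTY no
    ForceCommand /usr/sbin/nologin
    AllowAgentForwarding no
    AllowStreamLocalForwarding no
    PermitTunnel no
    GatewayPorts no

# OpenSSH client equivalent of steps 5 and 6 (placeholders in <>):
#   ssh -N -D 127.0.0.1:1080 -p <forwarded port> tunnel@<external address>
# The browser then uses SOCKS proxy 127.0.0.1:1080.
```

Check the file with `sshd -t` before restarting the service. In PuTTY, tick "Don't start a shell or command at all" under Connection > SSH, otherwise the session closes as soon as the forced command exits.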

Author: JChris

Updated on September 18, 2022

Comments

  • JChris
    JChris over 1 year

    I have a Synology NAS on my network, it has a static IP and I want to be able to access it from outside of the LAN.

    Currently I have 2 services running there that I want to access from outside:

    • Plex on port XX
    • Download Center on port YY

    I already got it working using port forward and DDNS. I used noip to have an address pointing to my External IP, so that I could do things like:

    • mysupernas.ddns.net:XX and get Plex
    • mysupernas.ddns.net:YY and get Download Center
    • And so on...

    But this was way dangerous, anyone with the link could have direct access to those services.

    People said to try OpenVPN, but there is a problem: I need to be able to access all this from anywhere, and I use some computers that have admin rights blocked, so I won't be able to install an OpenVPN client.

    What should I do, how can I access my LAN securely and remotely?

    • rrirower
      rrirower almost 9 years
      Depending on your NAS, DSM version, and requirements, QuickConnect may be appropriate for you.
    • JChris
      JChris almost 9 years
      I have quickconnect, but this is only for DSM access, not for local services running on the NAS
  • JChris
    JChris almost 9 years
    Yes, I prefer something that I can configure inside the NAS. Using a dedicated computer in the LAN just for that is a bit overkill. How can I use this ssh thing that you said? I think VPN traffic isn't blocked where I use.
  • Tomasz Klim
    Tomasz Klim almost 9 years
    So just run ssh server on NAS and configure port redirect on router straight to NAS.
  • JChris
    JChris almost 9 years
    Yes, VPN is the way to go. Enough security for me and fast.