Securing WAN Access to NAS

sallysensation
Getting the hang of things
Posts: 80
Joined: Wed Aug 31, 2016 1:19 am

Securing WAN Access to NAS

Post by sallysensation » Tue Aug 18, 2020 9:06 am

My NAS: QNAP TS-251+ Running Firmware Version 4.4.3.1381

I use my NAS to store my files and access them locally and remotely. I also run several apps on the NAS that I would like to securely access from the WAN (ex. Home Assistant, and transmission). I currently use MYDDNS and MyQNAPCloud Link to connect remotely using a domain name. I open the required ports on my router. It works, but it does not use SSL and I don't know how secure it is. When I start to read about TLS/SSL certificates I quickly give up because it seems like I don't have the time to invest in that -- it seems incredibly complex. I have also been advised to connect only through a VPN. I use some of the other security features like blocking IP addresses with several failed login attempts. This is somewhat of an open-ended question. I want to make sure my NAS is secure. What steps are most important?

Should I only allow secure TLS/SSL connection? How should I do that without spending weeks learning about network security?

How can I set up VPN access and still be able to quickly access all the apps remotely from my phone or other device? How would that affect things like my plex server which I connect to from several devices locally and from the WAN?

I'm not even sure I'm thinking about this right. Any thoughts and suggestions?

Moogle Stiltzkin
Ask me anything
Posts: 9217
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: Securing WAN Access to NAS

Post by Moogle Stiltzkin » Tue Aug 18, 2020 9:28 am

let's tackle this 1 at a time.

first plex.

you need to port forward 32400 for plex to work remotely. but there are things you can do to mitigate your risks. for example

- 32400 is a known port for plex. so you can instead use a custom external port, then redirect it to internal 32400. you are basically obfuscating the port somewhat.

- you can additionally setup plex on a vm. then set it up so that a non admin account has access to plex. and also make it read only. You set this up using docker aka virtual station. I made a jellyfin guide, the process should be roughly similar.
viewtopic.php?f=354&t=155771


recap.

- for plex all you need is to port forward (recommend to use a custom port)
- setup a vm for plex using docker (virtual station) with read access only. This limits some functions for plex, but is sufficient for simple streaming.
- because you have higher risks for remote access, you are expected to diligently update on a regular basis. update qts firmware, the qpkgs, your plex app, your router firmware. Before updating, just check whether the new versions are stable BEFORE updating. If there are no security patches related to the update, you can probably delay update.




Ok so that's for plex. file access for remote, you can setup VPN server. The choice is either QVPN on the QNAP, OR VPN on your router.

This is the QVPN method guide
https://www.reddit.com/r/qnap/comments/ ... _from_the/
https://www.youtube.com/watch?v=eZWI8Yc24JA


This is vpn on router method. This guide is for pfsense routers
https://www.youtube.com/watch?v=PgielyUFGeQ


i recommend vpn server on router. Depends what router firmware you are using. Maybe yours might not support this feature. Use a good router with solid firmware on it to be able to do this. pfsense, ubiquiti, rt merlin etc.



If you want a web address for your ip, one solution i saw was using a docker app to then add a cloudflare dyndns.
safetyscotchegg

Easiest way I found was running a small container in Container Station to monitor your IP and update it on Cloudflare when it changes.

edit: currently using this one https://hub.docker.com/r/joshava/cloudflare-ddns/
https://www.reddit.com/r/qnap/comments/ ... loudflare/

https://www.reddit.com/r/qnap/comments/ ... on_how_to/



the alternative is using the myqnapcloud app (don't recommend using the UPNP and cloudlink feature), for adding a dyndns, and using the inbuilt letsencrypt certificate feature with auto renew enabled.




in regards to remote, there is also a topic discussing reverse proxy using nginx, you can read here
https://www.reddit.com/r/qnap/comments/ ... s_using_a/

[How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate
There might be several reasons why you’d like to have Web server running on your NAS, and there are many to choose from. My reason is because I have a number of web based services running on several different servers in my LAN, and I want to be able to access them remotely over the internet. The easiest way to do that is of course to open up a bunch of ports in your firewall and expose yourself to the world.

If you do that, it probably won’t take long before you’re hacked. There are several much better and safer approaches to solve this. One is to set up a Reverse Proxy Server as a gateway between your LAN and the internet.

Take my advice; Never open any ports in your firewall (internet router) unless you absolutely must, and make sure uPnP is turned off in your router – ALWAYS!
viewtopic.php?f=354&t=155970
Last edited by Moogle Stiltzkin on Tue Aug 18, 2020 9:36 am, edited 1 time in total.
NAS
[Main Server] QNAP TS-877 w. 4tb [ 3x HGST Deskstar NAS (HDN724040ALE640) & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A w. 5x 2TB Samsung F3 (HD203WI) EXT4 Raid5
[Backup] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) single disks.
[^] QNAP TS-659 Pro II
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-228
[^] QNAP TS-128
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Asus AC68U Router|100dl/50ul MBPS FTTH Internet | Win10, WC PC-Intel i7 920 Ivy bridge desktop (1x 512gb Samsung 850 Pro SSD + 1x 4tb HGST Ultrastar 7K4000)


Guides & articles
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin

Moogle Stiltzkin
Ask me anything
Posts: 9217
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: Securing WAN Access to NAS

Post by Moogle Stiltzkin » Tue Aug 18, 2020 9:34 am

if the initial config is too hard for you, you should probably pay some tech person to help you with the initial setup. then beyond that, you just regularly update.

i don't need remote access, so i saved myself the headache of setting this up :mrgreen:

Moogle Stiltzkin
Ask me anything
Posts: 9217
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: Securing WAN Access to NAS

Post by Moogle Stiltzkin » Tue Aug 18, 2020 9:38 am

sallysensation wrote:
Tue Aug 18, 2020 9:06 am

Should I only allow secure TLS/SSL connection? How should I do that without spending weeks learning about network security?
What are SSL/TLS Certificates? Why do we Need them? and How do they Work?
https://www.youtube.com/watch?v=r1nJT63BFQ0


VPN & Remote Working - Computerphile
https://www.youtube.com/watch?v=1mtSNVdC7tM

OneCD
Ask me anything
Posts: 7946
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Securing WAN Access to NAS

Post by OneCD » Tue Aug 18, 2020 10:30 am

Although, if the intention is to access the LAN only via your own VPN server, there’s no-need to open a port for Plex. ;)
Moogle Stiltzkin wrote:
Tue Aug 18, 2020 9:34 am
i don't need remote access, so i saved myself the headache of setting this up :mrgreen:
@Moogle, if you can setup pfSense on your QNAP, you'll have no-trouble setting-up a VPN server on your router. :geek:


sallysensation
Getting the hang of things
Posts: 80
Joined: Wed Aug 31, 2016 1:19 am

Re: Securing WAN Access to NAS

Post by sallysensation » Tue Aug 18, 2020 10:33 pm

Wow! Thanks for the quick and thorough reply. Let me try to clarify my situation a bit more:

I currently have my entire system working how I want, including my plex server which I can access from all my TVs and other devices locally or remotely.

-I use MyCloudLink to generate a DDNS domain name (xxxx.myqnapcloud.com:[non-default port])
-I have UPNP turned OFF
-I have cloudlink enabled which I assume makes it possible to connect to the NAS remotely
-I even have an SSL certificate from Let's Encrypt installed (though I don't know how to use it)

So it's all working, but my concern is that it is not secure. Correct me if I'm wrong, but it seems like there are 2 main issues:

1. Connecting insecurely (http) to web based apps running on my NAS, like Home Assistant, Transmission, Medusa, and even the NAS itself.
2. Open ports on router

Solutions/questions:

1. How can I access my NAS and the apps remotely through https? I have the Let's Encrypt certificate installed for my domain through myqnapcloud.
a. What's my next step to make this connection secure?
b. Will I eventually want to make https connections required?

2. How can I continue to allow these remote connections without having ports open on my router? It seems like a VPN on the NAS or better yet, the router is the most secure option. I have an option to install OpenVPN client on my router. If I do that then presumably I can remotely connect to my local network securely (I get a little confused with creating my own VPN and using a VPN like windscribe to anonymously access the internet). But do I need to install software on every device to do so? I currently use a VPN to connect my laptop to my workplace VPN. I can't be connected to both at the same time. I understand this stuff conceptually, but applying it is confusing me.

dolbyman
Guru
Posts: 20012
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Securing WAN Access to NAS

Post by dolbyman » Tue Aug 18, 2020 10:45 pm

1. HTTPS does not help against attacks and exploits against the NAS ..
a. VPN ..as mentioned above
b. they only work with fqdn anyways..so no need

2. VPN to access your own devices remotely is different from anonymizer paid vpn services ...it's all under your personal control. You could use multiple VPNs at the same time ..but how often do you need to access work and home at the same time (when not at home)?

sallysensation
Getting the hang of things
Posts: 80
Joined: Wed Aug 31, 2016 1:19 am

Re: Securing WAN Access to NAS

Post by sallysensation » Tue Aug 18, 2020 10:55 pm

1. So are you suggesting that I don't worry about https and certificates? I understand that they don't help for many things, but doesn't it encrypt information being sent between the client and NAS? Or are you saying it doesn't matter if you have a VPN set up?

2. I understand the concept of the VPN server. I would need to install it on my NAS (the option on my router is to connect as a client). But I don't like the idea of having to install a client app on any device I want to connect. What about TVs that connect to my plex server? What about when I want to connect from a friends computer or a computer I can't install a client app on? What if I want to quickly access an app running on my NAS: Will I need to login to the VPN and log back out when done? It seems inconvenient. Plus, the instructions for installing the VPN server on QNAP require opening ports...doesn't that defeat the purpose?

dolbyman
Guru
Posts: 20012
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Securing WAN Access to NAS

Post by dolbyman » Tue Aug 18, 2020 10:59 pm

1. Yes they do encrypt the traffic between NAS and Client...so would prevent eavesdropping/manipulation from Public WiFi..but that is just a tiny targeted attack vector
99%+ attacks happen by attacking the QNAP web interface (Admin,Stations,etc) .. and a hacker has no problem injecting attack code over a secured connection

2. Get a better router with a VPN server or dedicated VPN machine. But VPN is only for WAN access.. your TV is not with you at Starbucks, right?

sallysensation
Getting the hang of things
Posts: 80
Joined: Wed Aug 31, 2016 1:19 am

Re: Securing WAN Access to NAS

Post by sallysensation » Tue Aug 18, 2020 11:10 pm

1. So a VPN is my best option for protecting against QNAP web interface attacks, even without https?

2. True. I'm trying to think of other circumstances. What about people who I share my plex library with. Will that affect them? Or if I'm listening to something on plex and leave home, will I lose my connection?

dolbyman
Guru
Posts: 20012
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Securing WAN Access to NAS

Post by dolbyman » Tue Aug 18, 2020 11:23 pm

1. Yes, there are ways with a reverse proxy in front of it .. but a VPN is easy and secure
2. I personally share my Plex library only with my sister (Germany) and her connection is established via hardware site2site VPN, (all done via routers). But a couple of people here expose their Plex server to WAN, so far no exploits or hacks surfaced that affect Plex. If you use an always-on VPN option and set your Plex media to prebuffer 30 seconds or so, you should be able to roam between home LAN, Cell WAN and wifi hotspots without disrupting your streaming.

sallysensation
Getting the hang of things
Posts: 80
Joined: Wed Aug 31, 2016 1:19 am

Re: Securing WAN Access to NAS

Post by sallysensation » Wed Aug 19, 2020 12:04 am

OK. I installed OpenVPN server on QNAP and testing it on my phone (turning on and off wifi). It's working as expected. Slower connection speed going through VPN. Plex is going to be an issue without opening the port. I don't want to have to turn on the VPN when transitioning between LAN and WAN, and I won't have access on my work computer because I am not allowed to install software myself. How much harm is done by leaving ports open? is there harm in leaving the OpenVPN port open?

dolbyman
Guru
Posts: 20012
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Securing WAN Access to NAS

Post by dolbyman » Wed Aug 19, 2020 12:10 am

leaving ports open:

QTS,Stations: Even though updated firmwares currently have no public exploits, it happens all the time and could lead to botnet,ransom and malware infections on your NAS
Plex: Currently nothing known of infections through Plex
OpenVPN: nothing known so far .. but QNAP is known to let updates slide, so OpenSSL on QNap could trail a couple of years behind

Security and convenience are sometimes more or less far apart. If you can live with the dangers of leaving it the way it is .. up to you.
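
The triage in the post above, applied to a router's port-forward table; this is an added example, not part of the thread. The rule text format, the addresses and every port number other than Plex's 32400 are assumptions (assumed default ports), so adjust them to the actual setup.

```python
# Internal port -> (service, default action). Only Plex's 32400 comes from the
# thread; the other port numbers are assumed defaults, adjust to your setup.
SERVICES = {
    8080: ("QTS web UI (HTTP)", "close"),
    443: ("QTS web UI (HTTPS)", "close"),
    8123: ("Home Assistant", "close"),
    9091: ("Transmission web UI", "close"),
    32400: ("Plex", "keep"),
    1194: ("OpenVPN server", "keep"),
}
REASONS = {
    "close": "web interface exposed to WAN; reach it over the VPN instead",
    "keep": "needed for remote access; keep it patched",
    "remap": "Plex on its well-known port; use a custom external port",
    "review": "not discussed in the thread; confirm it is still needed",
}

def parse_rules(text):
    """Parse 'proto external -> ip:internal' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        proto, ext, _arrow, target = line.split()
        ip, internal = target.rsplit(":", 1)
        rules.append((proto.lower(), int(ext), ip, int(internal)))
    return rules

def audit(text, nas_ip):
    """Return (external_port, service, action, reason) for forwards to the NAS."""
    findings = []
    for _proto, ext, ip, internal in parse_rules(text):
        if ip != nas_ip:
            continue  # forward targets another host
        service, action = SERVICES.get(internal, ("unknown service", "review"))
        if internal == 32400 and ext == 32400:
            action = "remap"
        findings.append((ext, service, action, REASONS[action]))
    return findings

# Constructed sample forwarding table (addresses and rules are made up).
SAMPLE_RULES = """
tcp 8080  -> 192.168.1.50:8080
tcp 8123  -> 192.168.1.50:8123
tcp 32400 -> 192.168.1.50:32400
tcp 40123 -> 192.168.1.50:32400   # Plex behind a custom external port
udp 1194  -> 192.168.1.50:1194
tcp 51413 -> 192.168.1.50:51413
tcp 8443  -> 192.168.1.20:8443    # different host, ignored
"""

if __name__ == "__main__":
    for ext, service, action, reason in audit(SAMPLE_RULES, "192.168.1.50"):
        print(f"{ext:>5}  {action:<6}  {service}: {reason}")
```

The HTTPS admin port is marked "close" as well, following the point made earlier in the thread that encryption does not stop attacks against the web interface itself.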

sallysensation
Getting the hang of things
Posts: 80
Joined: Wed Aug 31, 2016 1:19 am

Re: Securing WAN Access to NAS

Post by sallysensation » Wed Aug 19, 2020 1:05 am

It's strange. I noticed this before making any changes. On my work computer, even when I have the VPN off and I'm connected to my LAN, I cannot connect to my NAS using local IP addresses like I can other devices. I have to route it over the WAN using my domain name or WAN IP. Why is that? If I close all those ports, I will lose any ability to connect to my NAS from my work laptop, even while on my home network since I can't install a VPN client.

sallysensation
Getting the hang of things
Posts: 80
Joined: Wed Aug 31, 2016 1:19 am

Re: Securing WAN Access to NAS

Post by sallysensation » Wed Aug 19, 2020 1:09 am

I think I may have answered this one: I have Endpoint installed on my work computer and it's managed by them. I think they block all but a few subnets. So, it's probably blocking the IP address I use for my NAS.
