How to access my NAS from the outside if my router runs through a VPN tunnel?


Hi all,

I have a Syno MR2200 router and a NAS on the LAN side. The NAS is accessible from the outside. I managed to configure the router as a VPN client, so all my traffic can benefit from a VPN service. However, this prevents my NAS from being reachable from outside, which is a must. Is there any solution available? Would you have any resource concerning that situation?

I have some ideas, but I don't know enough about networks to have the slightest idea if they make sense. Like: set up the VPN tunnel from the NAS (instead of the router) and route my traffic through the NAS thanks to the DNS server package... But I guess that would not be enough... Or something with subnetworks or masks? Or Quickconnect (I would prefer not to use this one)?

Thanks a lot for your help!
 
Switch roles. Place the VPN client role on the NAS and use the router as your VPN incoming point back to your LAN.

This way you will not use QC at all, but rather connect using VPN. On top of this, if you use your NAS as your VPN client you can then still use all your LAN traffic via that VPN connection towards the internet (guess that is what you want?).

Have a look here, under the last section called NAS as a VPN client for more configuration settings.
 
@Rusty - I understand that configuring a NAS as a VPN server or client provides privacy benefits, by ensuring that communications are encrypted. But, are there any security advantages (i.e., reducing the likelihood of unauthorized access to the NAS)? Thank you.
 
> But, are there any security advantages (i.e., reducing the likelihood of unauthorized access to the NAS)?

Ofc there are. If you have that as your only access to your NAS from the outside world, then you are not opening any other port for any other app/service that you host on your NAS, and on top of that, you protect access by using a much better protection mechanism than a simple user/password access.

Also, you can limit which DSM users can have access to the VPN service to further protect it, and on top of that limit access by using GeoFirewall options to limit from what countries (and even network ranges) you can access your NAS using that protocol.

Ofc, many of these options apply to general usage/access as well, not just VPN, but in combination, it can be a powerful mix that will push the attacker away and mark you as a "complicated" target. The main benefit is that VPN has a combination of encryption and authentication options that you can use to really secure your tunnel and make it really really hard for the attacker to get in.
 
Rusty, I’m interested in learning more. Is it the case that a NAS configuration employing (a) two-factor authentication (2FA) for all users without a VPN would be more secure than one employing (b) a VPN for all users without 2FA? Intuitively, it seems that 2FA is a superior approach to controlling unauthorized NAS access than a VPN.

Thank you.
 
> Rusty, I’m interested in learning more. Is it the case that a NAS configuration employing (a) two-factor authentication (2FA) for all users without a VPN would be more secure than one employing (b) a VPN for all users without 2FA? Intuitively, it seems that 2FA is a superior approach to controlling unauthorized NAS access than a VPN.
>
> Thank you.

Well, it depends on your needs. There might be some services and apps that do not support login or 2FA for that matter. How will you access those services from a remote location without implementing a login system or in that case, use a VPN tunnel?

The level of encryption that VPN provides can't compare with a 2FA process, but tbh it is not "fair" to compare those 2 methods. They can be used in different scenarios and should be treated as such.

2FA is an additional layer of security for the underlying authentication mechanism. VPN, on the other hand, is a communication protocol that enforces encryption for the whole duration of the session, and all of the traffic going through it.
 
If I'm reading this thread right then the original question had the router behaving as VPN client to a VPN server on the Internet: this obscures the traffic from the local ISP. The problem being to access the NAS remotely when all access in/out of the router is through the VPN gateway and not direct to the router's ISP assigned IP address.

But seems, as is often the case in these discussions, that we're now talking about the router or NAS running the VPN server and there's a remote Internet user/device. For remote access into the router/NAS:

If all services (except the VPN server, obvs) are not accessible to the Internet then it means that any vulnerability in those server implementations is only exposed to local and authenticated VPN users and devices. Whereas being directly accessible from the Internet then you rely on the vulnerabilities being only exploitable by authenticated users ... really you don't want vulnerabilities but at least in this scenario it should be approx. the same level of exposure as it is behind the authenticated VPN.

You may want to consider using a separate user authentication for remote access: each NAS user would be assigned a second account with limited access to services, mostly just for VPN access and password management. I run VPN Plus on my router with LDAP users (managed by DSM LDAP Server) but the NAS uses local users for DSM services. This isn't 2FA as there is no time-limited/single-use 'something I have' aspect to the two accounts, but it would mean breaking two mechanisms using different credentials.
 