Reduce the NAS services exposed to the internet using VPN
Applicable Products:
- VPN
- QVPN
To maximize the NAS security, it is better to have as less services exposed to the internet as possible.
For instance you may want the NAS could serve the following functions.
- QTS interface can be navigated through web browser(default ports: 8080,443 need to be forwarded)
- The files can be downloaded by Windows file explorer through SMB protocol (default ports: 137, 138, 139, 445 need to be forwarded)
- The files can be transferred using FTP software (default ports: 20, 21 need to be forwarded)
When the functions serve at home, there is less problems as you can trust all the devices at home no matter what services on NAS that home devices try to connect. But when the functions need to serve over the internet, you won't be able to know what devices tried to knock on the doors and for what purpose. Serving more functions, means more ports/doors are port forwarded, this brings the more security risks.
Those seems to be basic functions, so I can't use the NAS over the internet or is there a way to port forward only a few ports to reduce the risks but provide all the NAS functions?
Yes, the answer is to use VPN service. Depends on VPN protocol you use, only one ~ three ports needs to be port forwarded. (For instance: WireGuard protocols requires only one port, default port: 51280, to be opened.). Once the VPN is setup, the VPN server gives the ip address to the VPN client and form a point to point network between the client and server, the devices in the VPN networks works as if they are in the local network, therefore you can easily access the resources on the VPN connecting devices without mentioning the service port.
Here are the steps to set up a WireGuard VPN server on QNAP NAS.
Use a QNAP NAS as VPN server, you will need to install QVPN service first.
Setup WireGuard VPN server on QNAP NAS.
- Note the listen port (default port is 51820).
- Give the NAS users the VPN privilege.
Setup WireGuard VPN client to verify if the VPN connection can be established in a local network.
Setup port forwarding on your NAT router. Note: If you need to console the router manufacturer, the question is like How do I set up a VPN service behind a router.
- Login to your NAT router.
- Go to Advance settings > Port forwarding or Virtual server
- Insert NAS IP, port number, protocol in the setting.(for example: 192.168.1.2, 51820, TCP)
- Activate and apply the setting.
- Setup WireGuard VPN client to establish the VPN connection.
