How to use WireGuard VPN to reduce the number of NAS services exposed to the internet?
Last modified date:
2023-05-19
Applicable Products
VPN, QVPN
Overview
To maximize NAS security, it is best to have as few services exposed to the internet as possible. For example, you may want the NAS to serve the following functions:
- Allow QTS to be accessible in a web browser (default ports: 8080, 443 must be forwarded).
- Download files using in Windows File Explorer through SMB protocol (default ports: 137, 138, 139, 445 must be forwarded)
- Transfer files using FTP (default ports: 20, 21 must be forwarded)
When using these functions locally, there are few issues as you can generally trust the devices on a closed local network. But when these functions are exposed to the internet, your network and devices may be at risk unless you are an expert at configuring network security.
When using a VPN service it is possible to consolidate these services into a smaller number (sometimes only one) of ports that must be forwarded. In this example (WireGuard) the VPN requires only one port (default port: 51280).
Procedure
Follow these steps to set up a WireGuard VPN server on QNAP NAS.
- Install QVPN service on your NAS.
- Set up WireGuard VPN server on QNAP NAS.
- Take a note of the listen port (default: 51820).
- Allocate NAS users with sufficient VPN privileges.
- Set up Qufirewall rule to allow VPN connections.
- Set up WireGuard VPN client and verify if the VPN connection can be established in a local network.
- Configure port forwarding on your NAT router.NoteConsult your router's user guide or contact your device manufacturer for more information on performing these steps.
- Log in to your NAT router.
- Find the settings for Port forwarding/Virtual server
- Enter the NAS IP, port number, protocol in the setting (for example: 192.168.1.2, 51820, UDP for a default WireGuard VPN server).
- Apply the settings.
- Set up WireGuard VPN client to establish the VPN connection.
