Before I start, let me say that I’m a novice when it comes to building networks and even more so when it comes to VPN’s, so please bear with me.
I currently have a QNap NAS, Desktop and a variety of other devices connected to my home network and I would like to securely access their content remotely from my laptop & iPhone. I may provide access to a few friends for media streaming purposes. However, I am extremely paranoid about opening up ports on my firewall to achieve this goal.
The QNap device provides several web-based interfaces for access to their services like Multimedia Station, Download Station, iTunes Server, Web Server, etc. Once enabled, each one of these services will listen on a certain port for a request and will in turn serve up its content. I played around with this a little bit – configuring my router to forward the appropriate port to the listening services and it worked. I configured the NAS with a complex password and blocked all ip addresses except the one from my laptop. I even configured it to email me on Error and Warning conditions. Not long after I began forwarding/opening the required router ports, I started receiving warning emails stating that someone was trying authenticate on certain ports. They were denied, but would automatically try again x number of hours later. I’m guessing this was a BOT on a port scan.
My research has brought me to the idea of installing a new router (I need one anyhow) with VPN support to provide a secure connection. I know that some have opted to install OpenVPN on their NAS, but in my mind, access should be authenticated on the router/firewall and not on a device that sits behind it. The VPN solution I’m looking at provides SSL & client based configurations, as well as, VLAN support.
Now that we have got that out of the way, I have a few questions relating to VPN configuration and general functionality. First, do you have to open a port on your firewall to allow incoming authentication requests to the VPN even if it’s built-in to the firewall? If so, how is this any different than the scenario I listed above from a security perspective? I can currently configure my NAS to require a complex username and password for authentication. I guess what I’m asking here is what’s the security benefit of a VPN from restricting access? I know that a VPN provides encrypted sessions, but there are software solutions that will do the same thing.
Next, what happens if I’m remotely connected to my home LAN via a VPN session and someone at home wants to surf the web? Is there any conflict or special configuration that needs to happen? Does their connection get dropped?
That’s all for now. Sorry for the long-winded post!
I currently have a QNap NAS, Desktop and a variety of other devices connected to my home network and I would like to securely access their content remotely from my laptop & iPhone. I may provide access to a few friends for media streaming purposes. However, I am extremely paranoid about opening up ports on my firewall to achieve this goal.
The QNap device provides several web-based interfaces for access to their services like Multimedia Station, Download Station, iTunes Server, Web Server, etc. Once enabled, each one of these services will listen on a certain port for a request and will in turn serve up its content. I played around with this a little bit – configuring my router to forward the appropriate port to the listening services and it worked. I configured the NAS with a complex password and blocked all ip addresses except the one from my laptop. I even configured it to email me on Error and Warning conditions. Not long after I began forwarding/opening the required router ports, I started receiving warning emails stating that someone was trying authenticate on certain ports. They were denied, but would automatically try again x number of hours later. I’m guessing this was a BOT on a port scan.
My research has brought me to the idea of installing a new router (I need one anyhow) with VPN support to provide a secure connection. I know that some have opted to install OpenVPN on their NAS, but in my mind, access should be authenticated on the router/firewall and not on a device that sits behind it. The VPN solution I’m looking at provides SSL & client based configurations, as well as, VLAN support.
Now that we have got that out of the way, I have a few questions relating to VPN configuration and general functionality. First, do you have to open a port on your firewall to allow incoming authentication requests to the VPN even if it’s built-in to the firewall? If so, how is this any different than the scenario I listed above from a security perspective? I can currently configure my NAS to require a complex username and password for authentication. I guess what I’m asking here is what’s the security benefit of a VPN from restricting access? I know that a VPN provides encrypted sessions, but there are software solutions that will do the same thing.
Next, what happens if I’m remotely connected to my home LAN via a VPN session and someone at home wants to surf the web? Is there any conflict or special configuration that needs to happen? Does their connection get dropped?
That’s all for now. Sorry for the long-winded post!
