
Difference between behind a VPN and on-board VPN?


vargas

New Around Here
I recently came across a poster who exhorted users to put their Synology behind a separate VPN but NOT to use the VPN on the NAS itself.

Can somebody explain the difference?
 
Layers of security.

With a VPN directly on the router, anyone that accesses it has direct access to your data.

With a VPN that is controlled by a different device, they still need to know the NAS is there to break into it... and then, still have to 'break in' too.

It's like having a lock on your front door and a safe within the home too, for your data.
 
Great analogy about the front door lock and safe, L&LD.

So, in a SoHo environment, what might the setup look like?
 
A QNAP or Synology NAS that has the default login and password changed to obscure/secure ones.

An Asus router fully updated on RMerlin firmware using an obscure private port (equal to 49151 or higher port number) OpenVPN port

An OpenVPN client such as the OpenVPN GUI or the OpenVPN Connect client.

Be sure you are using different usernames and passwords for all connections, with the password length as long as the interface allows for (32 characters for Asus routers on current firmware; check with the NAS for their specific limitations). In all cases, use only alphanumeric characters with no spaces, punctuation, or smiley faces.
 
An Asus router fully updated on RMerlin firmware using an obscure private port (equal to 49151 or higher port number) OpenVPN port
Ephemeral ports are not typically used for servers as their availability is not guaranteed. It would be more appropriate to pick an obscure user port that you know is unused on the host system. See this thread for an example of the problem, and why I suggested a port from 5001 to 32767.
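An added example, not part of the thread or any poster's code: it vets a candidate VPN server port against the host's ephemeral range and the UDP ports already bound, which is the check the port-choice posts above are arguing about. It assumes a Linux-based host that exposes `/proc/sys/net/ipv4/ip_local_port_range` and `/proc/net/udp`; the sample inputs are constructed, the function names are hypothetical, and 32768-60999 is the stock Linux default, so read the real files on your own device.

```python
"""Vet a candidate VPN server port against the ephemeral range and bound sockets."""

# Constructed samples in the format of the Linux /proc files (not from a real host).
SAMPLE_RANGE = "32768\t60999\n"  # /proc/sys/net/ipv4/ip_local_port_range
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0100007F:C350 0100007F:0035 01 00000000:00000000 00:00000000 00000000  1000        0 1002
"""

def parse_ephemeral_range(text):
    """Return (low, high) from the contents of ip_local_port_range."""
    low, high = (int(x) for x in text.split())
    return low, high

def parse_bound_ports(proc_net_text):
    """Return the set of local ports listed in /proc/net/udp (or udp6, tcp, tcp6)."""
    ports = set()
    for line in proc_net_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            continue
        # local_address is HEXADDR:HEXPORT; the port is the part after the last colon
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def vet_port(port, eph_range, bound):
    """Return a list of reasons the port is a poor choice; empty means no objection."""
    low, high = eph_range
    problems = []
    if not 1 <= port <= 65535:
        problems.append("not a valid port number")
    elif port < 1024:
        problems.append("system port (0-1023)")
    if low <= port <= high:
        problems.append(f"inside ephemeral range {low}-{high}; "
                        "an outbound socket may already hold it at startup")
    if port in bound:
        problems.append("already bound on this host")
    return problems

if __name__ == "__main__":
    eph = parse_ephemeral_range(SAMPLE_RANGE)
    bound = parse_bound_ports(SAMPLE_PROC_NET_UDP)
    for candidate in (49152, 50000, 21194, 53):
        print(candidate, vet_port(candidate, eph, bound) or "ok")
```

On the constructed sample, 21194 passes while 49152 and 50000 are flagged as ephemeral, which matches the suggestion to stay between 5001 and 32767 on a host with the default range.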
 
I've never run into that type of problem in a SoHo environment.

Using ports that aren't assigned makes more sense to me.
 
