What's new

QNAP and VPN?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Ola Malmstrom

Regular Contributor
I understand VPN is the best way to secure that I don't get hacked when accessing my private network from the outside.

Setting up VPN seems to be simple enough. I have found good guides how to do it. I will probably install a OpenVPN server on my Asus RT-AC3200 router.

However I have a few questions related to VPN and QNAP NASes:
  • I have two QNAP NASes. The old one is used as a file server for backup purposes. I intend to move it to my brother-in-law's house a few kms away. He will move his old one to our house at the same time. If I introduce VPN to communicate between the NASes, how will it affect our setup? I use Rsync and RTRR for syncronisation and backups. What needs to be changed? On the NASes and on the router?
  • I don 't really like myqnapcloud. It is too complicated. I also have the asus DDNS (which seems to work fine). Is there any way I can use the asus DDNS instead together with VPN? Both to access the NASes directly and to use the QNAP mobile phone apps particularly Qfile.
  • With VPN, how do I handle the manual port forwarding done for my cameras and for the NAS access?
 
You have a few questions going on there so let me try and hit them all.
1) how do you adjust your RRTR or RSYNC? Well once your old NAS is behind someone else’s router it will have a different IP address so all you’ll need to do is change the IP address to correctly point at the new ip address. Keep in mind you’ll need to load the VPN information on the primary Nas. Once enabled your NAS will be behind the other persons router which will slow down your upload speed. It may not be the best way to do it if all your trying to do is backup files.

2) can you use your ASUS DDNS instead of myQnapcloud? Heck yea! All DDNS does is update “a” domain name to deal with the fact you don’t have a static ip from your Internet service provider. If you purchase a domain you can’t use the Qnap my cloud anyway (at least not with your own domain). Point is, I have done both and would recommend running the open VPN server on your router providing it is up to the task. If you need 20 clients connecting you might need more hardware power than the asus router but I’m guessing it’s only you.

3) If you successfully setup your VPN you actually don’t need to forward any other ports. If you login using your VPN it’s as if your phone/computer were on the local network. You can access files, login to your router, remote control a computer (I use rdp to control windows machines). Literally anything that you can do local you can do through a VPN- IF IT IS SETUP TO DO THAT.

I’ll explain- a vpn server can be set as a TAP or a TUN connection. One will only allow traffic to flow through the VPN and then out to the internet (tun I believe) or you can setup as tap which allows access to local files and services. If you do a tap connection you can disable all other port forwarding and just use your VPN when you want something. It’s way more secure. For example, you can now leave SSH open on a machine and as long as you have no ports forwarded to it your relatively safe from an outside hack. You can then vpn in and use SSH to do what you need without the risk of port forwarding leaving anyone in the world to try and take a crack at your server.


Sent from my iPhone using Tapatalk
 
How fast is your ISP connection? The backups between the homes may/will be atrociously slow with the RT-AC3200 between NAS'.

I don't recommend to use or have QNAPCloud enabled (at all). OpenVPN offers all you need more securely, without having your NAS directly exposed to the world.
 
Thank you for your answers!!

I can run the OpenVPN server on either the RT-AC3200 router with Merlin (2x1 GHz and 256 MB of RAM and 2 GB of swap space on a USB stick) or the new NAS (4x1.8.GHz and 8 GB of RAM). The router is normally below 10% CPU usage and about 60% RAM. The NAS is usually also well below 10% CPU on all 4 CPUs and about 1.2 GB of RAM. Seems to me that the NAS is better equipped to run the VPN server.

Callinc: I have tried the QVPN server on the new NAS and the QVPN client on the old NAS. Quite easy to setup but doesn't work. I don't understand
  • how to connect ports 873 (for rsync) and 8899 (for RTRR) on the two NASes (currently specified with UPNP and manually).
  • the .ovpn file created by the server. It specifies the external IP address of my router, not the DDNS name. This IP address is changed almost every night, so I need to use the DDNS name here. It seems to work if I edit the file before I import it to the client. The QVPN overview tells me it connects to the server but when trying HBS it doesn't connect.
L&LD: I have 500 mbit/sec up and down. Should be fine when my brother-in-law has upgraded his connection as well. Particularly if I run the first backup/sync jobs before I move the old NAS to his house. Then it's only the delta that needs to be transferred. Also, as far as I understand, the ac3200 should be able to handle at least 700-800 mbit/sec. It handles about 30 clients without any hickups.
 
First, that is one of the flaws or bugs about the Qnap vpn server. It does only create the config file using your IP address. You are correct to edit the config file to your DDNS name and it will work just fine.

Second, are you trying to turn on the vpn on the client while it’s hooked up to your current network? You can’t VPN into a network you’re already on. You shouldn’t need to change any ports or settings. The only thing that will change is the IP address of the other NAS. You’ll need to correct that.

Note: if you currently use the host name you will run into problem IF you use the other NAS as the open VPN server. It’s a known issue that when the nas is the vpn server local host names won’t resolve (I called Qnap on this about 6 months ago).

Note 2: although you can use your router just fine for 20-30 clients, encrypted VPN traffic takes a much higher toll on the cpu. Your NAS has much higher specs but the local host names not resolving really stinks in my opinion. If your nas and maybe your phone now and again are the only VPN traffic I’d try using the router as the server first.


Sent from my iPhone using Tapatalk
 
Thanks Callinc!

OK understand, thanks for confirming my suspicions and that the .ovpn file can be edited.

As you can see, I'm an amateur trying to learn ;-)

So for my next test I will use the router as the server and test the setup with my phone disconnected from my local network. Interesting particularly since VPN will only be used by my phone and the NAS when it has been moved.

Too bad I can't use VPN within my network (one of the lessons learned here!!). I would like to test the whole setup completely before moving the old NAS to my brother-in-law.

Update:

Set up a VPN server on the router and connected to it from my phone. Seems to work, both on the phone and on the router. The phone indicates some traffic and so does the router.

However: How do I connect to the NAS using the VPN tunnel? If I try to use the generated IP address (10.8.0.2) to login to the NAS I can't connect. It doesn't seem to reach the server.
 
Last edited:
I don’t have an asus router at home I’ve only done it for friends and a small business but, there is a setting to change what you have access too. I believe when you’re under the OpenVPN server tab you have to hit the drop down under “VPN details” and look there. You want to either select tap connection or something like “allow access to local resources”.

Update: I googled screen shots and it looks like it will be the first option once you changed the view to advanced. Also, you’ll need to redo your config file as this is a major change. So export new one, edit the file for your DDNS, reimport and you’ll be good to go.


Sent from my iPhone using Tapatalk
 
Aha done! Just tested. Now it works. I can connect securely both to the routers admin page and other devices using the internal IP addresses when the OpenVPN connection has been established.

So then I just need to figure out how to do this when I have moved my second NAS to my brother-in-laws house. Is assume that I will only need to import the .ovpn file into the QVPN client and make it connect whenever the NAS is re-booted.

Thank you so much Callinc! Seems that I make it harder than it really is.... ;-)
 
I’m sorry but I haven’t used my nas as a vpn client so I can’t speak intelligently on the issue. It seems weird to me that is wouldn’t auto connect on a reboot though. You have the check box selected for “reconnect when the vpn connection is lost”?


Sent from my iPhone using Tapatalk
 
How long did you wait for reconnection? A NAS takes an eternity to boot up fully. :)

Just one more reason to use OpenVPN on the router (at least as a backup method to access the NAS). :)
 
Just tested to move my old NAS to my brother-in law's house.

When connected to his internal network, I can connect through VPN to all devices on my own internal network. However NOT to my NAS which is connected to his internal network.

It boots up OK. It gives a long beep after some minutes when all is ready. However I can't connect to it since I gave it the static IP address 192.168.0 6 (as per instructions). I believe my old NAS needs to be on my brother-in-laws network, 10.0.1.1/24, in order to communicate at all.

If I use DHCP on my brother-in-law's internal network instead, I am able to connect to it. But not through VPN.

How do I connect from my new NAS on my internal network to my old NAS on his internal network using VPN? Can I somehow create a bridge between?

Maybe a route on my brother-in-law's router connecting 192.168.0.6 to his network?

192.168.0.6 255.255.255.0 10.0.1.1 (on my Asus router. He has an Apple router).
 
Last edited:
Yes your old nas needs to be on his network. I just meant static so it doesn’t change on his network every time it’s rebooted. It’s needs to be on the correct network and correct subnet.


Sent from my iPhone using Tapatalk
 
Thanks!! Understand! I think..... Will try again tomorrow then.

But..... how do I access my old NAS on his network through VPN? I can't use my old internal IP address. Do I use the static IP address assigned by his router, for example 10.0.1.75?
 
Last edited:
Yes that would be correct. If that’s the ip address for your old NAS then that’s what you’ll use. When your “new NAS” is a VPN client it should be getting an ip address in that same network making them peers on the same network and able to pass traffic to each other.


Sent from my iPhone using Tapatalk
 
So I got it to work both ways. Must have the OVPN client started on both NASes.

My next step is a performance test. Will run a full backup just to see how it affects performance, particularly the router which is my current VPN server. Seems to increase its CPU load quite significantly.

Maybe I will need to move the VPN server to the new NAS which is substantially better equipped. But..... this will mean adjusting the .ovpn file generated by QNAP. The IP address of the server needs to be replaced with a DDNS name and possibly something else.

Shouldn't be any problem network wise. We both have fiber, I 500/500, my brother-in-law 250/250.
 
Your backups are effectively at a maximum of USB 2.0 speeds (about 30MB/s). I hope you are not transferring a lot at one time. :)

If you can reach this maximum, it will effectively shut down the internet for both homes while the backup is running.
 
Your backups are effectively at a maximum of USB 2.0 speeds (about 30MB/s). I hope you are not transferring a lot at one time. :)

If you can reach this maximum, it will effectively shut down the internet for both homes while the backup is running.

Why is that? What’s the limiting factor


Sent from my iPhone using Tapatalk
 
The brother-in-law's connection of 250 up/down. :)

Thinking about it, @Ola Malmstrom's connection may be okay if the DNS/Internet of the brother-in-law's connection isn't forced/used. :)
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top