access from outside home (from Internet)


Hector Luis Hernandez Torriente

Aug 2, 2021, 7:43:51 AM
to Alt-F
ok, I installed ALT-F a few days ago and I have done it little by little all alone ... but already this exceeds my auto-intellect hehhehhe

Can someone explain to me how I can access my NAS with ALT-F from the internet?

Thanks in advance to the masters :) 

Jeremy Laidman

Aug 2, 2021, 8:29:13 PM
to Alt-F
Hector

You have more than one way to solve this problem.

The first is to install a VPN application, such as OpenVPN, on both your NAS and your other device(s) such as your phone. You'll also need a way to obtain your IP address, so you might want to use an application such as inadyn, and get an account with a Dynamic DNS provider such as https://freedns.afraid.org/. You might need to set up port mapping on your router, so that OpenVPN packets from your "away" device are routed to your NAS.

Another option is to use a file synchronisation solution. A commonly used application is called Syncthing. What Syncthing does is to keep several file repositories in sync. So you might configure Syncthing to synchronise a folder on your NAS, and configure the same parameters in the Syncthing app on your mobile phone, so that you have an instance of the folder on your phone. If you change a file in the synchronised location on your NAS then, within a brief time frame, your phone has the updated copy of the file. And if you delete/add/modify a file on your phone, the changes are quickly propagated to your NAS. Syncthing instances find each other without you having to set up port forwarding or dynamic DNS, although you might need to enable UPnP on your router, and port forwarding might be a more secure option than enabling UPnP.

One added benefit of using Syncthing (and other synchronisation services) is that if your NAS goes belly-up, you still have all of your synchronised files on your other device. You can have many different Syncthing Some people use this as a crude form of backup - although it doesn't provide a true backup solution. One down-side to using Syncthing is that if a file was accidentally or maliciously deleted on one device, it's also deleted on all other on-line devices that are synchronised.

For either solution, be aware that you're increasing the chance that someone can access your files or your home network. While OpenVPN and Syncthing both use good security design and encryption, you can't be sure there won't be a bug in software that allows an attacker to get a foothold into your data or your network, that wouldn't have otherwise been there. For some, the risk is not worth taking. For others, the benefit outweighs the risk.

Cheers
Jeremy


Daniel Bellot Molera

Aug 3, 2021, 5:52:28 PM
to Alt-F
Well, a third good option is to install a web server, for example by means of the owncloud package. I have installed it and it goes pretty well (a little bit slow perhaps). I had several problems installing it, but they have been solved thanks to the information provided within the forum. Unfortunately, I have experienced some problems with the validation certificates (VC) for both tasks, connecting to owncloud by secure https and using the WebDAV capability of this service. Could anybody give me some advice about VC management? I have created an SSL certificate from System utilities in the webUI, but I must have done something wrong because it doesn't go.

Many thanks in advance.

Dani.

Jeremy Laidman

Aug 3, 2021, 8:46:21 PM
to Alt-F
Another solution I've used in the past, but forgot, is simply to allow ssh access from the Internet. I say "simply" but I should warn you that it's easy to make this insecure, but with a few tweaks it's possible to reduce the risk of the wrong people getting in. The simplicity of ssh makes it a bit more complicated to use, but it's also more flexible - for example, you can set up a tunnel and use this to remotely access other devices in your home network.

When I was about to go travelling, I would set up port forwarding on my router, to map ssh traffic to my NAS. When on the road, I could access the NAS using an ssh/sftp client. My client of choice on Android is X-plore, and it can present my NAS files in a file explorer, alongside local files and folders on my phone. I can copy a file to my phone, edit it, and copy it back to the NAS. I only wanted to be able to view documents, not to edit them, so I didn't need complex synchronisation features.

Security is important. There are lots of people out there who are motivated to take control of devices on your home network, whether it's for running a proxy to cover their tracks when they download kiddie porn, or to run bitcoin mining software, or to find your NAS and encrypt all your documents for ransom. Attackers are scanning for ssh servers all the time and running brute-force password attacks on the root/admin accounts. A poorly configured NAS is an easy target.

The things I do to increase security are:
1) Use a non-standard port on your port-forwarding configuration, to reduce the likelihood of network scanners finding your ssh port. Some people use "port knockers" to increase security further still, but this makes it more complicated to use, and increases the chance that you can't access your own files when you need them, because the port knocker software is misbehaving.
2) Create yourself a non-root account, and configure OpenSSH to not permit logins for the root user, from outside your home network range.
3) Create a key pair for your non-root account, and configure OpenSSH to not permit password logins for

I actually run both Dropbear and OpenSSH (on different ports of course), so that I can configure one of these in a more restrictive way for remote access, without fear of accidentally blocking local access to my NAS. Also, when I'm not travelling, and don't need remote access, I shut down the extra server and/or disable the port forwarding rule, so that it can't be compromised.

Cheers
Jeremy
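
The hardening steps listed in the post above can be checked against an OpenSSH configuration before the port forward is opened. The following is an added example, not part of the original post or of Alt-F: the sample `sshd_config`, port 2222, the 192.168.1.0/24 home range and the function names are assumptions, and it assumes password logins are meant to be refused for connections from outside the home network. The resolver models only `Match Address` with CIDR ranges.

```python
import ipaddress

# Constructed sshd_config for the internet-facing OpenSSH instance.
# Port 2222 and the 192.168.1.0/24 home range are assumed values.
HARDENED = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

Match Address 192.168.1.0/24
    PermitRootLogin yes
    PasswordAuthentication yes
"""

def effective_settings(config_text, client_ip):
    """Resolve sshd keywords for one client address (simplified model:
    only 'Match Address <CIDR>[,<CIDR>]' is understood, a matching block
    overrides the global section, first value per keyword wins)."""
    ip = ipaddress.ip_address(client_ip)
    global_opts, match_opts = {}, {}
    target = global_opts
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if key.lower() == "match":
            crit, nets = (value.split(None, 1) + [""])[:2]
            if crit.lower() != "address":
                raise ValueError("unsupported Match criterion: " + crit)
            hit = any(ip in ipaddress.ip_network(n.strip()) for n in nets.split(","))
            target = match_opts if hit else {}  # discard non-matching blocks
            continue
        target.setdefault(key.lower(), value)
    return {**global_opts, **match_opts}

def audit(config_text, outside_ip="203.0.113.10"):
    """List hardening gaps for a connection arriving from the internet."""
    s = effective_settings(config_text, outside_ip)
    findings = []
    # OpenSSH defaults when the keyword is absent: prohibit-password / yes.
    if s.get("permitrootlogin", "prohibit-password") != "no":
        findings.append("root login allowed from outside")
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("password login allowed from outside")
    return findings
```

On the NAS itself, running `sshd -T` with a `-C` connection specification prints the settings the real server resolves for a given address, which is the authoritative check.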