The goal of this guide is to create safe remote access to the QNAP server. This is achieved by disabling all direct remote access on the NAS. All access is done through a VPN tunnel to the local network of the NAS.
Remove remote access to the NAS to improve security.
- Access the QNAP web interface: `<nas-local-ip>:8080/cgi-bin/`.
- Open the `myQNAPcloud` app and disable it completely. This ensures that no remote access to the NAS is possible.
We configure a static IP for the NAS so we always know where to access it and can map it in Windows Explorer.
- Navigate to `Control Panel : Network & Virtual Switch : Interfaces`
- Click on the three dots icon next to the active adapter and select `configure`
- In the `IPV4` section select `Use Static IP` and configure it to a valid static IP for the local network.
  - Run `ipconfig` on a local machine to find relevant info. Copy the gateway and subnet mask. Use an IP that matches the pattern of the IP on that machine. Typically the last number just needs to be unique.
- In the `DNS` section configure the DNS servers (e.g. `8.8.8.8` and `1.1.1.1`)
Install WireGuard on both the client machine from which you want to access the NAS and a server machine that is in the same network as the NAS.
Configure a static IP on the server.
- Open `View Network Connections` in the `Control Panel`
- Open the properties of the active adapter
- In the `Networking` tab double click on the `IPv4` option and configure a static IP
Forward the port your `WireGuard` server will listen on. The default port is `51820`. This process varies by router type, but generally there is a section for forwarding ports.
- Set both the external and internal port to `51820`
- Set the protocol to UDP
- Set the internal IP address to the static IP of the `WireGuard` server
Two tunnel configs need to be created. One for the client PC and one for the server.
- Open `WireGuard` and right click on the empty space on the left side of the interface.
- Click on `Add empty tunnel...`
- Name it either `server-tunnel` or `client-tunnel` depending on which machine you are making the config for. These are just example names. They can be set to anything that makes sense for you.
- Note down the public keys of both the server and the client tunnels.
- Edit the configurations based on the following sample configurations.

Server configuration:

```ini
[Interface]
PrivateKey = <auto generated private key>
# Set the port to whatever you used
ListenPort = 51820
Address = 192.168.100.1/24

[Peer]
# The server only responds to peers with the correct public/private key pair
PublicKey = <peer public key>
# This IP has a different last digit than the server
# The subnet mask here is 32, in order to only allow communication from that given IP
AllowedIPs = 192.168.100.2/32
# Additional peers can be added
```

Client configuration:

```ini
[Interface]
PrivateKey = <auto generated private key>
# This has to match the allowed IP in the server
Address = 192.168.100.2/24
DNS = 8.8.8.8, 1.1.1.1

[Peer]
PublicKey = <server public key>
# List of IPs you want to route through the VPN
# In this example this is the whole local subnet where the NAS is located
# Due to the /24 the net mask includes all IPs from 192.168.1.0 to 192.168.1.255
# To route all traffic use the 0.0.0.0/0 wildcard
AllowedIPs = 192.168.1.0/24
# Public IP of the server/NAS network + the WireGuard port
Endpoint = <server public ip>:51820
```

Share the connection from the server's network adapter to route the traffic from the VPN. This process must be repeated any time changes are made to the server `WireGuard` configuration!
- Activate the tunnel on the server. This creates a new network adapter
- In the `Network Connections` section of the `Control Panel` open the properties of the active network adapter
- In the sharing tab, enable sharing for the VPN network adapter
ISPs usually assign you a dynamic public IP that can change over time or after a network outage. In this case you would need to reconfigure the endpoint in the client configuration any time this happens. You can circumvent this by ordering a static IP from your ISP. This can usually be done through the ISP's web portal or by calling them.
If a static IP is not an option, you can use a dynamic DNS service that will track the changes of your IP, e.g. noip. Use the new domain instead of the IP in the endpoint configuration. There are alternative options for this as well.
Now you can enable the tunnel on both the client and server. The client will send all traffic addressed to the subnet where the NAS is located through the VPN. This enables the client to access the NAS as if it were connected to the same local network. Additionally, the NAS is no longer exposed to the internet, making it much more secure against remote attacks.
The NAS can now be accessed from the remote client through the web interface, and network drives can be mapped in `Windows Explorer`.
- Enable the VPN connection
- In `Windows Explorer` right click on `Add network location...`
- Set the address as `\\<local ip of the NAS>` and click `Browse...`
- Enter your credentials and select the directory you want to map
Notes
Setting up DHCP leases on the router would be a more elegant solution than setting static IPs on each individual device.
Setting up the local network of the QNAP server to use some non-standard IP range would also be a good idea, so the IPs don't collide with the network your remote device is connecting from through the VPN.
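
Added example, not part of the original guide: a Python check of the two sample configurations against the rules stated in their comments (client address inside a server peer's /32 `AllowedIPs`, NAS subnet routed by the client) and against the address collision described in the last note. The function names and the `10.0.0.0/24` client network are assumptions made for illustration.

```python
import ipaddress

# Constructed input: the guide's sample configs, trimmed to the addressing fields.
SERVER = """[Interface]
Address = 192.168.100.1/24
[Peer]
AllowedIPs = 192.168.100.2/32
"""
CLIENT = """[Interface]
Address = 192.168.100.2/24
[Peer]
AllowedIPs = 192.168.1.0/24
"""

def parse_wg(text):
    """Return [(section, {key: value})]; [Peer] may repeat, so no configparser."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            out.append((line[1:-1], {}))
        elif "=" in line and out:
            key, value = line.split("=", 1)
            out[-1][1][key.strip()] = value.strip()
    return out

def nets(value):
    return [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",")]

def check(server_cfg, client_cfg, nas_lan, client_lan):
    """Return a list of problems; an empty list means the setup is consistent."""
    srv, cli = parse_wg(server_cfg), parse_wg(client_cfg)
    nas, here = ipaddress.ip_network(nas_lan), ipaddress.ip_network(client_lan)
    addr = ipaddress.ip_interface(dict(cli)["Interface"]["Address"]).ip
    allowed = [n for s, kv in srv if s == "Peer" for n in nets(kv["AllowedIPs"])]
    routed = [n for s, kv in cli if s == "Peer" for n in nets(kv["AllowedIPs"])]
    problems = []
    if not any(addr in n for n in allowed):  # server drops other source addresses
        problems.append(f"client address {addr} not in any server peer AllowedIPs")
    problems += [f"server AllowedIPs {n} is wider than one host" for n in allowed
                 if n.prefixlen != n.max_prefixlen]
    if not any(n.version == nas.version and nas.subnet_of(n) for n in routed):
        problems.append(f"NAS subnet {nas} is not routed through the tunnel")
    if nas.overlaps(here):  # same addresses on both sides: NAS routing is ambiguous
        problems.append(f"NAS subnet {nas} collides with client LAN {here}")
    return problems

if __name__ == "__main__":
    print(check(SERVER, CLIENT, "192.168.1.0/24", "10.0.0.0/24") or "consistent")
```

Pass the subnet of whatever network the remote device is currently on as `client_lan`; a non-empty result lists what to fix before activating the tunnel.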