@mark-kray
Last active January 2, 2024 16:32
QNAP Remote Access with WireGuard VPN

WireGuard Setup for QNAP

The goal of this guide is to create safe remote access to the QNAP server. This is achieved by disabling all direct remote access on the NAS. All access is done through a VPN tunnel to the local network of the NAS.

Guide

Remove Remote Access from QNAP

Remove remote access to the NAS to improve security.

  • Access the QNAP web interface: <nas-local-ip>:8080/cgi-bin/.
  • Open the myQNAPcloud app and disable it completely. This ensures that no remote access to the NAS is possible.

Setup a Static IP on the NAS

We configure a static IP for the NAS so we always know where to access it and can map it in Windows Explorer.

  • Navigate to Control Panel : Network & Virtual Switch : Interfaces
  • Click on the three dots icon next to the active adapter and select Configure
  • In the IPv4 section select Use Static IP and configure it to a valid static IP for the local network.
  • Run ipconfig on a local machine to find the relevant info. Copy the gateway and subnet mask. Use an IP that matches the pattern of the IP on that machine. Typically the last number just needs to be unique.
  • In the DNS section configure the DNS servers (e.g. 8.8.8.8 and 1.1.1.1)

Install WireGuard

Install WireGuard on both the client machine from which you want to access the NAS and a server machine that is in the same network as the NAS.

Setup a Static IP on the WireGuard Server

Configure a static IP on the server.

  • Open View Network Connections in the Control Panel
  • Open the properties of the active adapter
  • In the Networking tab double click on the IPv4 option and configure a static IP

Forward the WireGuard Port on your Router

Forward the port your WireGuard server will listen on. The default port is 51820. This process varies by router type, but generally there is a section for forwarding ports.

  • Set both the external and internal port to 51820
  • Set the protocol to UDP
  • Set internal IP address to the static IP of the WireGuard server

Configure the WireGuard Tunnels

Two tunnel configs need to be created. One for the client PC and one for the server.

  • Open WireGuard and right click on the empty space on the left side of the interface.
  • Click on Add empty tunnel...
  • Name it either server-tunnel or client-tunnel depending on which machine you are making the config for. These are just example names. They can be set to anything that makes sense for you.
  • Note down the public keys of both the server and the client tunnels.
  • Edit the configurations based on the following sample configurations.

Server Tunnel Config

[Interface]
PrivateKey = <auto generated private key>
# Set the port to whatever you used
ListenPort = 51820
Address = 192.168.100.1/24

[Peer]
# The server only responds to a peer that holds the private key matching this public key
PublicKey = <peer public key>
# This IP has a different last number than the server's tunnel address
# The subnet mask here is 32, in order to only allow communication from that given IP
AllowedIPs = 192.168.100.2/32

# Additional peers can be added

Client Tunnel Config

[Interface]
PrivateKey = <auto generated private key>
# This has to match the allowed IP in the server
Address = 192.168.100.2/24
DNS = 8.8.8.8, 1.1.1.1

[Peer]
PublicKey = <server public key>
# List of IPs you want to route through the VPN
# In this example this is the whole local subnet where the NAS is located
# Due to the /24 the net mask includes all IPs from 192.168.1.0 to 192.168.1.255
# To route all traffic use the 0.0.0.0/0 wildcard
AllowedIPs = 192.168.1.0/24
# Public IP of the server/NAS network plus the WireGuard port
Endpoint = <server public ip>:51820
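
A small checker for the two sample configs above, added here as an example and not part of the original gist. It confirms that the client's tunnel Address is claimed by exactly one server peer, that server-side AllowedIPs stay at single-host width as this guide does, and that the subnet routed through the tunnel does not overlap the network the client is currently on. The function names and the `client_local_net` argument are assumptions, and it assumes one Address per interface.

```python
import ipaddress

def parse_wg(text):
    """Parse WireGuard config text into {'Interface': {...}, 'Peers': [{...}]}."""
    conf, target = {"Interface": {}, "Peers": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments
        if line == "[Interface]":
            target = conf["Interface"]
        elif line == "[Peer]":
            target = {}
            conf["Peers"].append(target)
        elif "=" in line and target is not None:
            key, _, value = line.partition("=")       # split on the first '=' only
            target[key.strip()] = value.strip()
    return conf

def nets(peer):
    """AllowedIPs of one peer as a list of ip_network objects."""
    items = peer.get("AllowedIPs", "").split(",")
    return [ipaddress.ip_network(i.strip(), strict=False) for i in items if i.strip()]

def lint(server_text, client_text, client_local_net):
    """Return findings for a server/client pair laid out as in this guide."""
    server, client = parse_wg(server_text), parse_wg(client_text)
    findings = []
    tunnel_ip = ipaddress.ip_interface(client["Interface"]["Address"]).ip
    owners = [p for p in server["Peers"] if any(tunnel_ip in n for n in nets(p))]
    if len(owners) != 1:
        findings.append(f"client address {tunnel_ip} matches {len(owners)} server peers")
    for n in (n for p in server["Peers"] for n in nets(p)):
        if n.prefixlen != n.max_prefixlen:            # the guide uses /32 per client
            findings.append(f"server AllowedIPs {n} is wider than one host")
    here = ipaddress.ip_network(client_local_net, strict=False)
    for n in (n for p in client["Peers"] for n in nets(p)):
        if n.prefixlen and n.overlaps(here):          # skip 0.0.0.0/0 full-tunnel routes
            findings.append(f"routed subnet {n} collides with local network {here}")
    return findings

# Constructed sample input: the guide's addresses, trimmed to the fields the checks read.
SERVER = """[Interface]
Address = 192.168.100.1/24
[Peer]
AllowedIPs = 192.168.100.2/32"""
CLIENT = """[Interface]
Address = 192.168.100.2/24
[Peer]
AllowedIPs = 192.168.1.0/24"""
if __name__ == "__main__":
    print(lint(SERVER, CLIENT, "192.168.1.0/24"))     # client sits on a LAN with the same range
```

Pass the subnet of the network the remote client is currently attached to as `client_local_net`; a collision finding means traffic for the NAS subnet may stay on the local network instead of entering the tunnel.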

Network Sharing

Share the connection from the server's network adapter to route the traffic from the VPN. This process must be repeated any time changes are made to the server WireGuard configuration!

  • Activate the tunnel on the server. This creates a new network adapter
  • In the Network Connections section of the Control Panel open the properties of the active network adapter
  • In the Sharing tab, enable sharing for the VPN network adapter

Static Public IP

ISPs usually assign you a dynamic public IP that can change over time or after a network outage. In this case you would need to reconfigure the endpoint in the client config any time this happens. You can circumvent this by ordering a static IP from your ISP. This can usually be done through the ISP's web portal or by calling them.

If a static IP is not an option, you can use a dynamic DNS service that will track the changes of your IP, e.g. noip. Use the new domain instead of the IP in the Endpoint configuration. There are alternative options for this as well.

Conclusion

Now you can enable the tunnel on both the client and server. The client will send all traffic addressed to the subnet where the NAS is located through the VPN. This enables the client to access the NAS as if it were connected to the same local network. Additionally, the NAS is no longer exposed to the internet, making it much more secure against remote attacks.

The NAS can now be accessed from the remote client through the web interface, and network drives can be mapped in Windows Explorer.

Accessing Files with Windows Explorer

  • Enable the VPN connection
  • In Windows Explorer right click on Add network location...
  • Set the address as \\<local ip of the NAS> and click Browse...
  • Enter your credentials and select the directory you want to map
@mark-kray
Author

Notes

Setting up DHCP leases on the router would be a more elegant solution than setting static IPs on each individual device.
Setting up the local network of the QNAP server to use some non-standard IP range would also be a good idea, so the IPs don't collide with the network your remote device is connecting from through the VPN.
