Building home network including a NAS to be accessed remotely through VPN

Hello,

Seeking some assistance to bounce my thoughts off of please. I am a Corp IT Analyst that has spent 25 years on various first level help desks supporting retail POS systems in brick and mortar stores. I attended an IT school about 1.5 years ago to upgrade my skills to include networking, servers and AD. Due to health issues I have been out of work and not had the ability to seek work using my newly upgraded skills.

I am in the process of upgrading my own personal home IT and networking hardware. So far I have upgraded the following:

Set up and using a QNAP TS932PX NAS which has 2 x 16TB Seagate Ironwolf mechanical drives

1 HP DV7 Core i7 laptop that is 12 years old but has been upgraded to its maximum hardware capabilities including replacing the original 640GB mech HD with a 1TB SSD, added a 1TB mech second HD, upgraded RAM from original 8GB to maxed out 16GB. Upgraded from original W7 to W10 Pro (will NOT attempt 11 - I know when to stop - did I say this laptop is 12 years old? LOL)

1 Newer (1 year old) MSI Katana Laptop

Just purchased and installed a new DOCSIS 3.1 cable modem

Just purchased and installed a new ASUS RT-AX3000 V2 WiFi router

Generic 5 port switch

Have parts ready to build a new creator/gaming desktop PC (I am recuperating from MAJOR back surgery with some complications at my brother’s 1st floor apartment - will start building the desktop when I move back home to my own apartment)

Now for the configs I will need to work out when configuring the hardware on my network. The network is a home network in a 1 BR apartment. I need/want to be able to access my own NAS/Server remotely with my laptop(s) utilizing a VPN. I have never done port forwarding before but I know I can do it but need to bounce my thoughts off some people before I do anything.

My NAS has its own proprietary firmware and cannot do any other third party server software. This was my first purchase of upgraded tech in over 12 years, a lesson about flexibility has been learned regarding shopping and OS compatibility. The only VPN it can work with is OpenVPN which I have already enabled in the native QTS 5 firmware. I have set a static IP for the NAS on my internal network. I want to change the default port assigned to the NAS to something unusual that outsiders will not think of for security purposes. I have a question on this before I do it.

The current default port for the NAS is set to the usual 8080.

Is the port assigned to the NAS purely internal to my own network, and is the port I will pick for the VPN (which will be forwarded using the router configuration control panel) also something I can arbitrarily pick? Are there any ports I MUST NOT USE? I know that usually VPNs utilize port 443; for security purposes I would prefer to pick an arbitrary port for both the NAS and the VPN for the port forwarding.

When I am ready to set up the forwarding on the router I plan on turning off UPnP.

I keep all my equipment patched/updated with firmware updates etc…

For clarity, my ISP is cable and the brand/company is Optimum (Altice) and they have residential customers locked out from using the public facing static IP feature and only allow business customers to set a public static IP.

Sorry this is so long but lots of questions I needed clarification on.

Thank you in advance for taking the time to read this and for all replies.

Sincerely,

WndrWmn77

Couple of comments. I wouldn’t worry too much about using a non-standard port for the VPN. “Security by obscurity” isn’t much of a strategy. Ultimately, you only need a single UDP port open which is far less risky than opening TCP ports. The port used by the NAS for access is not of any concern since it won’t be accessible except when connected through the VPN. That’s the point of the VPN since it creates a single but secure point of entry.

Since you have a dynamic, public IP, you’ll probably want to set up a dynamic DNS so that you’ll have a single hostname that will always point to your public IP.

Not sure if that answers all of your questions but feel free to reply back on anything needing more clarification.

If you don’t want to deal with port forwarding and/or dynamic DNS, you can also look into a few other technologies: ZeroTier or Tailscale; both are kinda mesh VPNs that you set up using trusted devices that you authorize and allow access that way.

You may be able to install Tailscale directly on your QNAP, but that’s something you can look into yourself.

Use the VPN server feature on the router and set up a WireGuard VPN server. Port forwarding needs setting up if there is anything between that router and your ISP (cable modem for example), so set up the modem to forward the WireGuard port to the router (the standard port for WireGuard is UDP 51820). Use a DDNS service like NoIP from your modem, then in the WireGuard app on your client device change the setup from an IP to your new hostname/domain that you set up in NoIP (NoIP is free for the basic functionality that you need). You don’t need to make any changes to the QNAP as once you have connected in via VPN to your network, you just access the QNAP as if you were at home. You don’t want to be exposing the QNAP or anything else on your network to the outside world, and you don’t need to with the above method. I’ve done the above myself around 2 weeks ago after upgrading my own home network using Unifi kit, so I know it works well!
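The two replies above make the same point from different angles: with a VPN on the router, the only inbound hole should be the VPN's single UDP port, and the NAS port (8080, 443 or anything else) should never be forwarded at all. The script below is an added example, not something from the thread or from ASUS or QNAP: it audits a router's port-forward table exported as plain text and flags every rule that is not the expected VPN rule. The addresses (router 192.168.50.1, NAS 192.168.50.10), the sample rules and the export format are constructed for the example; WireGuard on UDP 51820 is the setup described above.

```shell
#!/bin/sh
# Added example (not from the thread): audit a router's port-forward table so
# that the only inbound hole is the VPN's single UDP port.
# Input is a constructed text export, one rule per line:
#   "<proto> <external_port> <internal_ip> <internal_port>"
# Assumptions: WireGuard runs on the router at 192.168.50.1, UDP 51820; the
# LAN addresses are placeholders, not the thread's real ones.

VPN_PROTO="udp"
VPN_PORT="51820"
VPN_HOST="192.168.50.1"

# Constructed sample: a "try everything" table where the NAS ports (8080, 443)
# were forwarded directly to the NAS alongside the VPN rule.
SAMPLE_RULES='udp 51820 192.168.50.1 51820
tcp 8080 192.168.50.10 8080
tcp 443 192.168.50.10 443'

# audit_forwards: reads rules on stdin, prints one line per rule that is not
# the VPN rule; returns 0 when the table is clean, 1 when anything else is
# exposed to the internet.
audit_forwards() {
    bad=0
    while read -r proto ext_port int_ip int_port; do
        [ -z "$proto" ] && continue
        if [ "$proto" = "$VPN_PROTO" ] && [ "$ext_port" = "$VPN_PORT" ] \
           && [ "$int_ip" = "$VPN_HOST" ] && [ "$int_port" = "$VPN_PORT" ]; then
            continue   # the one rule we expect
        fi
        echo "EXPOSED: $proto/$ext_port -> $int_ip:$int_port (remove it; reach this over the VPN instead)"
        bad=1
    done
    return "$bad"
}

# count_exposed RULES: number of rules other than the VPN rule.
count_exposed() {
    printf '%s\n' "$1" | audit_forwards | grep -c '^EXPOSED' || true
}

# Stand-alone run: audit the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | audit_forwards \
    && echo "clean: only $VPN_PROTO/$VPN_PORT is forwarded" \
    || echo "$(count_exposed "$SAMPLE_RULES") rule(s) to remove"
```

If the cable modem is in bridge mode there is nothing to audit on it; if it is routing, it needs exactly one rule too (the VPN port to the router), and the same check applies to its table.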

Thank you for those suggestions. I can definitely live without getting really fancy with changing ports if the security benefits are minimal.

I do have Tailscale installed. I had to abandon that for a little bit because I was having problems getting it to work. The problems for that and why I had to ditch the combination modem/router provided to residential users by my ISP is because their system is, well, how do I say this? Unreliable & crap when it comes to being able to reliably access my own router’s config page. Optimum/Altice forces residential customers to have to sign into the ISP’s own website using their customer accounts to access the router’s config page. That page has been down more than it is up and I just spent 3 weeks (during which time I was not fully living in my own apartment because of major spine surgery and recuperating at my brother’s apartment - no stairs there and being in pain) troubleshooting accessing the configs page which got fixed then promptly went back down. I said I had enough of their equipment and got my own and I am happy I did that. I think the problems with Tailscale were because of 2 things, the ISP service being crappy for getting at the router configs and my being in pain and not having full patience (was running back and forth from my brother’s apartment and my own).

I want to do the port forwarding and VPN set up because it will help me up my skillset with what I learned back in school and up my confidence level at the same time. I do plan on returning to the working world at some point.

Next question I have refers back to something you said regarding the dynamic DNS. Is that something I need to configure or is that something that is automatically handled by either the router, ISP or the VPN?

My current setup has me using a 2TB subscription to Google Drive which I would like to ditch at some point because of how much more room I have on my NAS. I am involved with a group of like-minded people on YT that I have information built up into a library that I would truly like to be getting them involved with contributing content to. If I can set myself up to access my own NAS remotely using a VPN then I should be able to add user accounts as people request them to access it which I would really like to do. I am also planning on getting a few YouTube accounts up and running and want to be able to get into some minor gaming (last game I played was on an original Atari 2600 console - I am 56 - so yes, when it first was released in the late 70s) to increase my skills and eventually be getting my own website to post more in depth content to than YT likes (I am a conservative, a Republican and a MAGA Trump person - YT and other SM hates people like us because we like decency and putting violent criminal animals in cages where they belong - go figure). The website will be sincerely down the road…hopefully beginning of next year if my YT turns successful enough. All of that means that if I want to work on video editing and I wind up not being home I need to work on the files conveniently remotely and I don’t like the QNAP cloud environment. It is klutzy and not elegant.

That’s all for this reply…Looking forward to your thoughts. I am home overnight at my own apartment to keep working on things. I have access to my T-Mobile 5G hotspot to isolate my laptops and test out a VPN connection off my Optimum/Altice.

Sincerely,

WndrWmn77

I have been able to get the OpenVPN client to connect but I am not able to get access to my actual NAS and map any folders or access anything or even see the NAS. I have disabled the firewalls on both my testing laptop (Norton 360) and the native firewall on the NAS using only the firewall on the router. I have activated the DDNS service. I have set up port forwarding for both ports 8080 and 443 on the router.

I don’t know what I am doing wrong. I can see on the router when the OpenVPN client connects actively to the router but I am not getting from the router to the NAS.

This should not be this difficult and frustrating. I am about ready to contact Geek Squad and see if I can “rent a Geek” to work with at my home but would rather not spend the money.

All I need is to get this set up the first time and my confidence level will increase exponentially. I need that “AH-HA” moment…

Former Altice customer here, and yes, you will need to deal with Dynamic DNS. Every time your modem reboots or Altice has an outage, you have a chance of getting a new IP Address.

If you’re not able to get a static IP address from Altice, there are services such as NoIP, DuckDNS and others that will publish your numerical IP address to a service, and you just use something like MyNameHere.DuckDNS.org to access your services.

Tailscale, ZeroTier, and to an extent Cloudflare Tunnels are all good technologies to become familiar with as Carrier Grade NAT (CGNAT) is unfortunately a thing, and port forwarding doesn’t work with those.

You might run into that if you ever need to use your 5G Hotspot as an ISP connection as most mobile ISPs employ CGNAT.

The only port forwarding you need is from modem to router, assuming OpenVPN is running on the router? And you only need it for the one port your VPN is using. Your external client connection should come in via the internet, hit the modem first, which forwards the VPN port only to the router where the VPN server is running. The router then authenticates your client and allows access to the internal network. Turn off the firewall on the NAS, it’s not needed. Are you testing from outside the network? i.e., disconnect your device from your internal wifi, and connect to the internet another way, via a mobile device hotspot for example, then test the VPN.
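The symptom a few posts up ("the client says connected, the router shows the profile lit up, but I cannot see the NAS") usually means the tunnel is up but the client has no route to the home LAN through it, either because the server is not pushing one (in OpenVPN terms a `push "route 192.168.50.0 255.255.255.0"` line on the server side) or because the client is sitting on a LAN that uses the same private subnet as home. The script below is an added example, not from the thread or from any vendor: it checks the path hop by hop from a connected client, so the first failing stage tells you where to look. The address plan (LAN 192.168.50.0/24, router .1, NAS .10 on 8080, tunnel interface tun0) and both routing-table samples are constructed; the text parsing runs anywhere, while the live checks at the end assume a Linux client (WSL on the laptop works) and are only run when the script is invoked with `run`.

```shell
#!/bin/sh
# Added example (not from the thread): find *where* a connected VPN client's
# path to the NAS stops. The text helpers work on a copy of the client's
# routing table; the live stages only run with "sh vpn-diag.sh run" on Linux.
# Assumed placeholder addresses: home LAN 192.168.50.0/24, router 192.168.50.1,
# NAS 192.168.50.10 on TCP 8080, VPN tunnel interface tun0.

LAN_CIDR="192.168.50.0/24"
ROUTER_IP="192.168.50.1"
NAS_IP="192.168.50.10"
NAS_PORT="8080"
TUN_IFACE="tun0"

# Constructed "ip route" output from a healthy client: the VPN came up *and*
# it received a route to the home LAN through the tunnel.
ROUTES_OK='default via 10.0.0.1 dev wlan0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.50.0/24 via 10.8.0.1 dev tun0'

# Constructed output from a client that connected but never got a LAN route;
# this is the "connected but cannot see the NAS" case.
ROUTES_NO_LAN='default via 10.0.0.1 dev wlan0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2'

# route_iface ROUTE_TABLE CIDR: print the interface carrying the route for
# CIDR; return 1 when there is no such route.
route_iface() {
    printf '%s\n' "$1" | awk -v cidr="$2" '
        $1 == cidr { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); found = 1 } }
        END { exit found ? 0 : 1 }'
}

# lan_over_tunnel ROUTE_TABLE: 0 when the home LAN is routed via the tunnel,
# 1 when the route is missing, 2 when it exists but leaves by another
# interface (typically a subnet clash with the network the client sits on).
lan_over_tunnel() {
    iface=$(route_iface "$1" "$LAN_CIDR") || return 1
    [ "$iface" = "$TUN_IFACE" ] || return 2
    return 0
}

# live_diagnose: the same stages against the real host, stopping at the first
# failure so the broken hop is obvious.
live_diagnose() {
    table=$(ip route)
    lan_over_tunnel "$table" && rc=0 || rc=$?
    case $rc in
        1) echo "FAIL: no route to $LAN_CIDR; the VPN server is not pushing a LAN route"; return 1 ;;
        2) echo "FAIL: $LAN_CIDR is routed outside $TUN_IFACE; check for a subnet clash"; return 1 ;;
    esac
    echo "OK: $LAN_CIDR routed via $TUN_IFACE"
    ping -c 1 -W 2 "$ROUTER_IP" >/dev/null || { echo "FAIL: router $ROUTER_IP unreachable (server-side LAN access rule)"; return 1; }
    echo "OK: router answers"
    ping -c 1 -W 2 "$NAS_IP" >/dev/null || { echo "FAIL: NAS $NAS_IP unreachable (NAS firewall or wrong static IP)"; return 1; }
    echo "OK: NAS answers"
    nc -z -w 2 "$NAS_IP" "$NAS_PORT" || { echo "FAIL: NAS port $NAS_PORT closed"; return 1; }
    echo "OK: NAS port $NAS_PORT reachable; map the share by its LAN address now"
}

if [ "${1:-}" = "run" ]; then
    live_diagnose
fi
```

On the Windows laptop the same stages are `route print` for the routing table, `ping` for the router and NAS, and `Test-NetConnection 192.168.50.10 -Port 8080` in PowerShell for the port. Whichever tool you use, run it from the T-Mobile hotspot, as the reply above says, so the laptop is genuinely outside the LAN.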

I am looking at my QNAP NAS control panel for the hardware setup and I am seeing two different sections that have port numbers. One is called System Port and that is set to 8080, and the second section is under “Enable Secure Connection (HTTPS)” with a check box for “Enable strong cipher suites” with a drop down that says “1.2 or later” (defaulted to that) and it also has a “1.3” but starts at the old “1.0 and later”. Then it has a Port number of 443 listed in that section, and it has a check box that is unchecked for “Force secure connection (HTTPS only)”.

My questions now are:

Do I set the port configs for the VPN on the router to the 8080 or the 443?

Do I select the “1.2 or later” or the “1.3”?

Do I turn on the “Force secure connection (HTTPS only)”?

When you say I will have to deal with the DDNS do you mean I have to configure something or I will have to periodically refresh the VPN configs to reflect the new dynamically changed IP? If I have to configure it, are the DDNS settings located anywhere unusual or should it be pretty easy to find and is that on the NAS configs or the router configs or both?

Separate question that I just noticed.

Both the QNAP NAS and the ASUS router offer the ability to export the OpenVPN config file. Which do I use to import into the OpenVPN client?

Been doing that all day. Firewall turned off on NAS. Please see all other comments in this thread. I am still recuperating from major spine surgery and don’t have the energy to repeat the explanation of everything that has already been done.

> When you say I will have to deal with the DDNS do you mean I have to configure something or I will have to periodically refresh the VPN configs to reflect the new dynamically changed IP? If I have to configure it, are the DDNS settings located anywhere unusual or should it be pretty easy to find and is that on the NAS configs or the router configs or both?

This usually will happen automagically for the service you choose. It should provide some means of a script or something that you install either on your QNAP or on your router (if it supports installing software) that will periodically update your IP address with your service of choice. No-IP and DuckDNS are some of the services I’ve heard about, would recommend that you research on your own to see what’s best.

> Both the QNAP NAS and the ASUS router offer the ability to export the OpenVPN config file. Which do I use to import into the OpenVPN client?

It depends on where you set up the VPN server. If you’ve set it up on the QNAP, you use the QNAP to export the config. If you’re running the VPN server on the Asus router, you export the config from the Asus router.

I’m not a QNAP user so not comfortable answering any of the other questions, sorry.
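To make the DDNS answer above concrete: the "script or something" that keeps the hostname pointing at the current public IP is a small job that runs on an always-on box inside the LAN, asks the internet what address it appears as, and tells the DDNS provider only when that address changes. Your ASUS router also has a DDNS client built into its WAN settings, which is the simpler route if it supports the provider you choose; the script below is for the case where it does not, or where you want the NAS to do it. It is an added example, not from the thread or from QNAP or DuckDNS: it uses DuckDNS's documented update URL (`https://www.duckdns.org/update?domains=<name>&token=<token>&ip=<ip>`, which replies `OK`), an IP echo service (api.ipify.org) to learn the public address, and `curl`, all of which are assumptions about the environment; the domain and token are placeholders passed in through the environment.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal Dynamic DNS updater for
# DuckDNS, meant to be run from cron on a machine inside the home LAN. It only
# contacts DuckDNS when the public address actually changes, so a 5-minute
# schedule does not hammer the service.
# Assumptions: curl is installed; DUCKDNS_DOMAIN and DUCKDNS_TOKEN are
# placeholders supplied via the environment; DuckDNS answers "OK" on success.

STATE_FILE="${STATE_FILE:-$HOME/.ddns_last_ip}"

# current_public_ip: ask an external echo service what address we appear as.
# Behind carrier-grade NAT this is the carrier's address, and DDNS alone will
# not make the home network reachable (see the CGNAT comment above).
current_public_ip() {
    curl -fsS --max-time 10 https://api.ipify.org
}

# valid_ipv4 IP: syntax check so a captive-portal HTML page or an error body
# is never published as our address. 0 for dotted quads with octets 0-255.
valid_ipv4() {
    [ -n "$1" ] || return 1
    printf '%s' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# ip_changed STATE_FILE IP: 0 when IP differs from the recorded one (or there
# is no record yet), 1 when it is unchanged.
ip_changed() {
    [ -f "$1" ] || return 0
    [ "$(cat "$1")" != "$2" ]
}

# duckdns_update DOMAIN TOKEN IP: push the address; 0 only on an "OK" reply.
duckdns_update() {
    reply=$(curl -fsS --max-time 10 "https://www.duckdns.org/update?domains=$1&token=$2&ip=$3")
    [ "$reply" = "OK" ]
}

# ddns_run: the cron entry point.
ddns_run() {
    ip=$(current_public_ip) || { echo "could not determine public IP"; return 1; }
    valid_ipv4 "$ip" || { echo "unexpected reply '$ip' from IP echo service"; return 1; }
    if ip_changed "$STATE_FILE" "$ip"; then
        duckdns_update "$DUCKDNS_DOMAIN" "$DUCKDNS_TOKEN" "$ip" || { echo "DuckDNS rejected the update"; return 1; }
        printf '%s\n' "$ip" > "$STATE_FILE"
        echo "updated $DUCKDNS_DOMAIN.duckdns.org -> $ip"
    else
        echo "no change ($ip)"
    fi
}

if [ "${1:-}" = "run" ]; then
    ddns_run
fi
```

Run it as `DUCKDNS_DOMAIN=mynamehere DUCKDNS_TOKEN=<token> sh ddns.sh run` from a cron entry every few minutes; the VPN client then connects to `mynamehere.duckdns.org` and never needs editing when Altice hands out a new address.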

This is where I am at right now. It is almost 12:30 AM and this will be my last post until later today due to the time. I would still appreciate continuing input from people.

I am currently not able to get the VPN connected. I have been on multiple forums all day. Here is where things currently stand. I discovered that the Asus router had its own customized OpenVPN client that it was recommending. I went ahead and downloaded that client and uninstalled the generic OpenVPN client that I had been using that was at least connecting to the router. I know it was connecting to the router because the client would indicate it was connected, and on the router, I could see the profile light up that it was connected. At that point I was dead in the water and could not get any further than that. What I mean by that is I could not get any sort of connectivity to my NAS. After uninstalling the generic OpenVPN client and switching over to the Asus specific OpenVPN client I was no longer able to even get connected from the Asus OpenVPN client, and could not see the profile on the router light up that it was connected. I kept getting error messages indicating something to do with cipher codes not being right. I have been googling that all day. I have posted to the OpenVPN forums as well as multiple other Reddit forums, including a home networking forum, this forum, and an Asus Reddit forum. As things stand right now, I cannot try to ping anything because I can’t get the VPN connected. For the record, when I’m ready to test VPN connectivity, I always switch from my LAN to using my T-Mobile hotspot because I know I need to isolate from the LAN.

What about the two different port numbers of 8080 and 443? Which do I use when setting up the router? It also sounds like I only need to choose between setting up the VPN server on EITHER the NAS OR the router not both. Am I understanding that correctly?

As I said before, I am not comfortable answering anything QNAP related. I have no idea what the System Port is in QNAP speak. Maybe /r/QNAP can help you.

And yes, you would choose either the NAS or router for VPN server.

Ok, will pop on over to QNAP and ask them.
