Beginner question: where VPN?



  • G'day  ;D

    My brain is like 'where do I start?' and I was hoping for a small kick in the right direction.

    Situation:
    1. I have a Synology NAS in my house, and I am going to install a second one in an off site "co-location" (@ a friend's house) to backup to.
    2. My friend also runs pfSense.
    3. I don't know where/how I should install openVPN:
    3.A. Setup a VPN-connection between friend and me using pfSense (if at all possible, I have no clue);
    3.B. Setup a VPN-connection directly between the Synologies (this appears to be possible also, but I have no clue how yet).
    4. I don't know how I can "add certificates to the recipe", as in: currently I have no open ports on WAN. This will have to be changed for the Synologies to work. I'm starting to sweat already ( :-\ ). It should never be possible for those damn hackers to access my LAN, so I am thinking 'certificates!'. But that is ALL I am thinking, because I have no clue how it all works.

    Would anybody be willing to shed a light in the darkness, send me in the right direction?

    I'm in your debt,

    Thank you very much,

    Bye,


  • LAYER 8 Global Moderator

    Does your friend also have pfsense?  Can the NAS be an openvpn client?

    Do you want your friend to be able to access anything else on your network or just the nas?

    Using openvpn on pfsense, yes certs would be involved.  Just go to openvpn, and run the wizard.  This should get you started.



  • @johnpoz:

    Does your friend also have pfsense?

    Yes.

    Can the NAS be an openvpn client?

    Yes.

    Do you want your friend to be able to access anything else on your network or just the nas?

    Yes.

    Using openvpn on pfsense, yes certs would be involved.  Just go to openvpn, and run the wizard.  This should get you started.

    If I run a wizard without even knowing what I am doing in the first place (aside from clicking next, next, next) I'm sure it will all fail.

    I am in need of some conceptual insight: NAS or pfSense, why?

    Port knocking perhaps? Or not possible with pfSense?


  • LAYER 8 Global Moderator

    So yes to what, your whole network or just the nas?

    If you just want nas access then sure you could do nas to nas.  If you want access to whole network then pfsense to pfsense would be better.

    As to conceptual insight - so you don't know what a vpn is or how it works, but you need one? ;)



  • @johnpoz:

    As to conceptual insight - so you don't know what a vpn is or how it works, but you need one? ;)

    I know what a VPN is. I have had it for years on my phone and laptop, mandatory by our government.

    Why would you ever advise a VPN on a NAS, as you do? (That is very unsafe?)



  • 1. How about a site-to-site VPN via pfSense (https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site) and a VPN on the NAS? Does that have any added benefit?
    2. In that wiki, it doesn't say which firewall rules you need?
    3. And it also doesn't say how to take care of dynamic IPs. Do you need DynDNS for that?



  • More questions:

    • Local NAS = 192.168.3.A

    • Remote NAS = 192.168.3.B

    • Both have a different WAN-IP of course.

    Both NASes first and foremost function in the local LAN, of course. Only for off-site backup does the NAS need to go outside on the internet.

    What kind of firewall rules do you need? The wiki is not very clear for me. It only says 'add rules', but there are no examples. So:

    1. Add firewall rules on both WAN's to allow port 1194 -> don't you need a port forward too to send the incoming, remote, NAS (A) to the local NAS (B)? Or is this done by the "Firewall Rules : Don't forget to add rules to Firewall > Rules on the OpenVPN tab to allow traffic inside the tunnel" from the wiki (Client part)?
    2. Or do you need a port forward AND that "Firewall Rules : Don't forget to add rules to Firewall > Rules on the OpenVPN tab to allow traffic inside the tunnel"? And what rule would that then be?
    3. In the local Synology, I have to enter an IP of the remote machine to backup to. Is that the external IP of the remote site, or the internal IP of the remote NAS? (The latter will go wrong, since both Synologies have the same IP on their local LAN).
    4. If .3. is the external IP of the remote site, how then will the local NAS find the remote NAS in its own local LAN? Is that a port forward on the remote site too, or???

    Many questions :-[



  • @Mr.:

    More questions:

    • Local NAS = 192.168.3.A

    • Remote NAS = 192.168.3.B

    • Both have a different WAN-IP of course.

    Both NASes first and foremost function in the local LAN, of course. Only for off-site backup does the NAS need to go outside on the internet.

    What kind of firewall rules do you need? The wiki is not very clear for me. It only says 'add rules', but there are no examples. So:

    1. Add firewall rules on both WAN's to allow port 1194 -> don't you need a port forward too to send the incoming, remote, NAS (A) to the local NAS (B)? Or is this done by the "Firewall Rules : Don't forget to add rules to Firewall > Rules on the OpenVPN tab to allow traffic inside the tunnel" from the wiki (Client part)?
    2. Or do you need a port forward AND that "Firewall Rules : Don't forget to add rules to Firewall > Rules on the OpenVPN tab to allow traffic inside the tunnel"? And what rule would that then be?
    3. In the local Synology, I have to enter an IP of the remote machine to backup to. Is that the external IP of the remote site, or the internal IP of the remote NAS? (The latter will go wrong, since both Synologies have the same IP on their local LAN).
    4. If .3. is the external IP of the remote site, how then will the local NAS find the remote NAS in its own local LAN? Is that a port forward on the remote site too, or???

    Many questions :-[

    I just found this tutorial, it seems clear:

    https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1

    However, still:
    1. How do I send the local NAS (A) to the remote NAS (B), especially if they both have the same IP? Example: local NAS 192.168.3.12, remote NAS on external LAN also 192.168.3.12.
    2. In the above link, there are no rules on the client part to send the client out to external server(?)
    3. I'm still lost as into the Synology:
    A. if I tell it there to connect to 192.168.3.12 (meaning: the remote one), it will of course go to the local one - and complain, because it is 192.168.3.12 itself on this LAN.
    B. If I give it the external IP, then, when arriving at the remote WAN, where there is a WAN firewall rule to allow it in, how, from there on, does it travel to the 192.168.3.12 in the remote LAN: I need a rule for that, don't I? Port forward rule? OpenVPN rule? (client or server?).
    C. And how do I deal with dynamic DNS in this matter? The IPs are SOHO, so semi-static. Can I enter DynDNS names in the VPN config fields, or doesn't that work?

    Thank you,

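The question that keeps coming back in the last two posts (both Synologies sit in 192.168.3.0/24, so which address does the local one dial?) is a routing problem, not a firewall-rule problem. In a pfSense-to-pfSense site-to-site tunnel the firewall on each side terminates OpenVPN itself, so the WAN rule only needs to pass UDP 1194 to the WAN address on the server side (no port forward is involved), the OpenVPN-tab rules decide what may cross the tunnel, and the local NAS is simply given the remote NAS's own LAN address, which OpenVPN's route for the remote LAN carries across. That last step is exactly what breaks when both LANs are the same prefix. The script below is an added example, not from the thread, the pfSense docs or Synology: it models two sites plus a tunnel network as constructed data (the site names, the 10.0.8.0/24 tunnel network and the renumbered 192.168.4.0/24 LAN are assumptions), reports overlapping prefixes the way pfSense's route table would experience them, and emulates the longest-prefix-match decision to show where a packet for the remote NAS actually goes before and after renumbering one side.

```python
"""Pre-flight check for a pfSense-to-pfSense OpenVPN site-to-site plan.

Added example with constructed data; it is not code from the forum
thread, pfSense or Synology.  Two LANs and the OpenVPN tunnel network
are modelled as prefixes, then checked for overlap, and the local
site's routing decision for the remote NAS address is emulated.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Site:
    name: str
    lan: IPv4Network      # LAN behind this site's pfSense
    nas: IPv4Address      # the Synology on that LAN


@dataclass(frozen=True)
class Plan:
    local: Site
    remote: Site
    tunnel: IPv4Network   # OpenVPN "Tunnel Network" (assumed 10.0.8.0/24)


def check_plan(plan: Plan) -> List[str]:
    """Return one message per design problem; an empty list means the
    route OpenVPN installs for the remote LAN can actually be used."""
    problems = []
    for site in (plan.local, plan.remote):
        if site.nas not in site.lan:
            problems.append(f"{site.name} NAS {site.nas} is not in {site.lan}")
    named = [
        (f"{plan.local.name} LAN", plan.local.lan),
        (f"{plan.remote.name} LAN", plan.remote.lan),
        ("tunnel network", plan.tunnel),
    ]
    for i, (n1, p1) in enumerate(named):
        for n2, p2 in named[i + 1:]:
            if p1.overlaps(p2):
                problems.append(f"{n1} {p1} overlaps {n2} {p2}")
    return problems


def next_hop(plan: Plan, dst: str) -> str:
    """Emulate the local site's routing decision for one destination.

    Routes considered: the directly connected LAN and the remote LAN
    learned via the tunnel.  Longest prefix wins; on a tie the connected
    route wins, which is why an identical remote LAN is unreachable.
    Returns 'lan', 'tunnel' or 'default' (out the WAN, unencrypted).
    """
    addr = IPv4Address(dst)
    routes = [(plan.local.lan, "lan"), (plan.remote.lan, "tunnel")]
    matches = [(net.prefixlen, kind == "lan", kind)
               for net, kind in routes if addr in net]
    if not matches:
        return "default"
    matches.sort(reverse=True)
    return matches[0][2]


def backup_target(plan: Plan) -> Optional[str]:
    """Address to enter in the local Synology's backup task, or None
    when the remote NAS's LAN address would be swallowed by the local LAN."""
    target = str(plan.remote.nas)
    return target if next_hop(plan, target) == "tunnel" else None


# Constructed scenario from the thread: both LANs are 192.168.3.0/24
# and both Synologies are .12.
SAME_SUBNET_PLAN = Plan(
    local=Site("home", IPv4Network("192.168.3.0/24"), IPv4Address("192.168.3.12")),
    remote=Site("friend", IPv4Network("192.168.3.0/24"), IPv4Address("192.168.3.12")),
    tunnel=IPv4Network("10.0.8.0/24"),
)

# Same plan after renumbering the friend's LAN (assumed 192.168.4.0/24).
RENUMBERED_PLAN = Plan(
    local=SAME_SUBNET_PLAN.local,
    remote=Site("friend", IPv4Network("192.168.4.0/24"), IPv4Address("192.168.4.12")),
    tunnel=SAME_SUBNET_PLAN.tunnel,
)


if __name__ == "__main__":
    for label, plan in (("as posted", SAME_SUBNET_PLAN), ("renumbered", RENUMBERED_PLAN)):
        print(f"[{label}] problems: {check_plan(plan) or 'none'}")
        print(f"[{label}] remote NAS {plan.remote.nas} routes via: "
              f"{next_hop(plan, str(plan.remote.nas))}")
        print(f"[{label}] backup target: {backup_target(plan)}")
```

Run as-is it shows the posted layout failing (the remote .12 resolves to the local LAN, so the backup task has no usable address) and the renumbered layout passing, with the remote NAS reached through the tunnel by its own LAN address. The same check is worth repeating against the tunnel network the wizard proposes, since a tunnel prefix that overlaps either LAN fails in the same way.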
