Accessing File Shares Through VPN

tman222

Hi all,

I'm looking for some advice / security best practices when accessing NAS hosted file shares through a VPN. Let's assume I have a site which has a NAS on its local network and has an VPN server setup accepting client connections. Those connected clients would need access to files stored on the NAS while connected via VPN.

1. Would it be safe enough to use NFS mounts through a VPN tunnel if the connected clients support it? Or is this a security risk because access control is done just by IP address?
2. Would CIFS/SMB be better option (from security standpoint) because the client would have to authenticate again to access any file shares they are allowed to mount?
3. Or, am I thinking about this all wrong and there is a better way to access files hosted on a NAS through a VPN tunnel?

Thanks in advance for your help, I really appreciate it.

KOM

Nobody can advise you without knowing your operation al requirements. Are you talking about sharing a folder full of movies with a few buddies, or using ACLs to restrict access to thousands of documents from hundreds of users? Also, your options are limited by what you're using locally for NAS, VPN, clients, etc.

tman222

@KOM said in Accessing File Shares Through VPN:

Nobody can advise you without knowing your operation al requirements. Are you talking about sharing a folder full of movies with a few buddies, or using ACLs to restrict access to thousands of documents from hundreds of users? Also, your options are limited by what you're using locally for NAS, VPN, clients, etc.

Thanks @KOM - apologies for not being more specific about my use case. Essentially I'm just looking to access files on a NAS on my local network through OpenVPN (server hosted on pfSense) while working remotely. What do you recommend as the most secure way to do that through OpenVPN tunnel? CIFS/SMB, NFS, FTP, SFTP, are all potential options for me.
Thanks again.

KOM

Well, once you're connected you're basically inside your own LAN, so external security isn't so much of an issue because your traffic is being encrypted by the OpenVPN tunnel. How secure does your LAN access need to be? The most common method of presentation would be a Samba share, and you can put auth on it if you need to as you already mentioned.

tman222

@KOM said in Accessing File Shares Through VPN:

Well, once you're connected you're basically inside your own LAN, so external security isn't so much of an issue because your traffic is being encrypted by the OpenVPN tunnel. How secure does your LAN access need to be? The most common method of presentation would be a Samba share, and you can put auth on it if you need to as you already mentioned.

Thanks @KOM - I was thinking either NFS or Samba (SMB). I tend to use Linux as my primary OS and I like using NFS via AutoFS for automatically mounting shares on demand. Is there any disadvantage to doing just that besides it being perhaps less secure (i.e. I can only filter NFS share access by IP address rather than user id / password on a SMB share). Any thoughts on that? Thanks again.

KOM

Again it boils down to LAN security, and it's easy to get hung up on endless onion layers when it might be overkill for your particular environment. Is your LAN used by hostile actors? Or is it a home LAN used by you, the wife and kids? Is the data you're trying to secure that sensitive? These are all questions that need to be answered before you can choose the correct approach.