Need to setup my NAS for access from external trusted IP addresses.

Ok so the story goes like this. My older brother in Glasgow needs somewhere to back-up some stuff of his and I told him I’d be able to give him some space on my NAS which has 3 hard-drives, and runs on Ubuntu Server 10.04 with webmin installed.

He runs Windows XP Home, and I’d like to grant him access to my NAS.

How do I go about giving him the permissions to access the NAS from his side?

Hmm. I would say that would be generally a BAD idea but it is doable.
First of all look in your router settings how to set up a DMZ for your NAS
Secondly you would need a second NIC in your NAS (to separate local network from WAN)
Then you would go about to set up the permissions on your NAS to allow your brother’s IP address only

Without a static IP (which you don’t have if you’re with Sky) … you’ll first need a free account with DynDNS … then you’ll need to enter the DynDNS account login details into the Sky router (Advanced > Dynamic DNS).

Now whenever he enters the domain name you set up with DynDNS, he’ll end up connecting to your router … which will by default block him … so now you’ll probably want to set up openVPN on the server and forward the correct ports to your server in the router

or you could - not bother with openVPN, and just set up an FTP server on the server, and forward whatever port you choose for the FTP server in your router.

Personally I’d use openVPN, as only PCs that contain the certificate will be allowed in (passwords on their own being less secure) … but the choice is yours.

I suppose you’ve now got some reading to do on openVPN :slight_smile:

Install openvpn on the server:

sudo apt-get install openvpn

then read all the docs in:
/usr/share/doc/openvpn
and
/usr/share/doc/openvpn.easy-rsa

there are also templates available in those directories somewhere.

Once you’ve used easy-rsa to generate the certificate, you can email it to your brother … but you’ll have to work out how to use that certificate at the Windows end (should be simple enough).

Simple FTP server = easier - read up on setting up “ProFTPD Server” in Webmin.
OpenVPN = more work, better security.

Another option (once DynDNS is set up) would be to set up a webserver (LAMP stack required) … you have many options here, but none of them are “Click → Done” :wink:

It would also be a VERY good idea to make sure your router’s “Remote Management” is turned OFF, and that you’ve changed the router’s password to something more secure than the default “sky” password.

@SeZo

There’s no need for a second NIC, or DMZ (DMZ would most definitely be a bad idea) … the router should block all incoming connections unless told to forward them.

I’d also suspect that his brother is unlikely to have a static (WAN) IP … which is why I’m suggesting openVPN.

Yeah my brother is on a dynamic IP. Plus my PS3 is in the DMZ.

I’ll read up about open-vpn and get that set up then. I’ll come back here if I need help.

Personally I’d not have the PS3 in a DMZ … I’d just forward the necessary ports to the PS3’s static IP.

Well the PS3 really doesn’t have to be behind a firewall. Plus my connection is so much better through DMZ.

Also, I found this article about setting up openvpn between Ubuntu & Windows.

Could someone just quickly skim through it to check that it should work?

Looks about right … at least the Linux stuff … but nothing like trying it out to find out if something works :slight_smile:

Right thanks. :slight_smile:

Also see:

Thanks, a lot of reading to do, haha.

Ok kinda lost here on setting up.

I’ve gotten to step three in the link I posted. In it he/she says "change working directory to /etc/openvpn/easy-rsa/2.0 and become superuser".

I’m guessing what he/she means is, “cd” to that directory and become sudo? I’m already root so that last part won’t matter.

root@bally-server:~# ls /etc/openvpn
easy-rsa update-resolv-conf
root@bally-server:~# ls /etc/openvpn/easy-rsa
1.0 2.0
root@bally-server:~# ls /etc/openvpn/easy-rsa/2.0
build-ca build-inter build-key-pass build-key-server build-req-pass inherit-inter Makefile openssl.cnf README.gz sign-req whichopensslcnf
build-dh build-key build-key-pkcs12 build-req clean-all list-crl openssl-0.9.6.cnf.gz pkitool revoke-full vars

So do step 4 … open vars in a text editor:

nano vars

I’m stuck at step 7… I can’t build the DH parameters.

root@bally-server:/etc/openvpn/easy-rsa/2.0# ./build_dh
bash: ./build_dh: No such file or directory

I’m not currently at my main PC, but if I remember correctly build-dh is in /etc/openvpn/easy-rsa NOT /etc/openvpn/easy-rsa/2.0

Just looked on my VPS and that directory doesn’t even exist … which is somewhat confusing ???

Anywho

locate build-dh

or

sudo find / -name build-dh

should give you a clue :wink:

build-dh is in 2.0 I checked using:

ls /etc/openvpn/easy-rsa/2.0

which returned:

bks@bally-server:~$ ls /etc/openvpn/easy-rsa/2.0
build-ca build-inter build-key-pass build-key-server build-req-pass inherit-inter list-crl openssl-0.9.6.cnf.gz pkitool revoke-full vars
build-dh build-key build-key-pkcs12 build-req clean-all keys Makefile openssl.cnf README.gz sign-req whichopensslcnf

your last command:

sudo find / -name build-dh

says the same thing.

bks@bally-server:~$ sudo find / -name build-dh
[sudo] password for bks:
/etc/openvpn/easy-rsa/2.0/build-dh
/etc/openvpn/easy-rsa/1.0/build-dh

Ahh … just spotted the problem, you entered:
./build_dh
not
./build-dh

:slight_smile:

I swear to god, VPN does not like me.

root@bally-server:~# cd /etc/openvpn/easy-rsa/2.0
root@bally-server:/etc/openvpn/easy-rsa/2.0# ./build-dh
Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration.
root@bally-server:/etc/openvpn/easy-rsa/2.0# ./vars
bash: ./vars: Permission denied

How can ./vars be DENIED ON ROOT???

source ./vars
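
Why `./vars` is refused even for root while `source ./vars` works, as an added example that is not part of the thread. The `vars` file here is a constructed stand-in holding one `export KEY_DIR=...` line, and the function names are this example's own.

```shell
#!/bin/sh
# Constructed stand-in for easy-rsa's vars file: plain text, mode 0644,
# containing only export lines (KEY_DIR is one of the names easy-rsa 2.0 sets).
demo_dir=$(mktemp -d)
printf 'export KEY_DIR="%s/keys"\n' "$demo_dir" > "$demo_dir/vars"
chmod 644 "$demo_dir/vars"

# 1) Executing it: refused because the file has no execute bit at all,
#    and that particular check is applied to root as well.
try_execute() {
    ( cd "$demo_dir" && ./vars ) 2>/dev/null && echo "ran" || echo "denied"
}

# 2) Running it through a child shell works, but the exported
#    variables disappear when that child exits.
try_child_shell() {
    ( unset KEY_DIR; sh "$demo_dir/vars"; echo "${KEY_DIR:-unset}" )
}

# 3) Sourcing it ("." is the POSIX spelling of bash's "source") runs the
#    lines in the current shell, so build-dh and the other scripts started
#    afterwards inherit KEY_DIR.
try_source() {
    ( unset KEY_DIR; . "$demo_dir/vars"; echo "${KEY_DIR:-unset}" )
}

echo "execute:     $(try_execute)"
echo "child shell: $(try_child_shell)"
echo "source:      $(try_source)"
```

Making `vars` executable would therefore not help: the settings have to land in the shell that later runs `./build-dh`.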

What’s better for my requirements. TCP or UDP?

I’m currently at step 8, and making a server.conf.

You can probably leave that as is if you want … here’s mine if it helps

local 0.0.0.0 # you can probably leave that commented out
port 1294
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
cipher BF-CBC
script-security 2
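
A quick audit of the server.conf posted above, as an added example that is not from the thread. The function name `audit_server_conf`, the choice of checks and the messages are this example's own, and the `dh` check assumes easy-rsa's `dh<bits>.pem` file naming.

```shell
#!/bin/sh
# audit_server_conf FILE: print one finding per line for an OpenVPN server.conf.
# The checks and their wording are choices made for this example.
audit_server_conf() {
    awk '
        { sub(/[#;].*/, "") }                  # drop comments
        NF == 0 { next }
        { seen[$1] = 1 }
        $1 == "dh" && match($2, /[0-9]+/) {    # easy-rsa names it dh<bits>.pem
            bits = substr($2, RSTART, RLENGTH) + 0
            if (bits < 2048) print "dh: " bits "-bit parameters, regenerate with 2048 or more"
        }
        $1 == "cipher" && $2 ~ /^(BF|DES|CAST5|RC2)/ {
            print "cipher: " $2 " has a 64-bit block, prefer an AES cipher"
        }
        $1 == "comp-lzo" { print "comp-lzo: compression before encryption can leak plaintext" }
        $1 == "script-security" { level = $2 + 0 }
        $1 ~ /^(up|down|client-connect|client-disconnect|learn-address|tls-verify)$/ { hooks = 1 }
        END {
            if (level >= 2 && !hooks) print "script-security: level " level " but no script hook is configured"
            if (!("tls-auth" in seen)) print "tls-auth: missing, no HMAC check on the control channel"
            if (!("user" in seen)) print "user: missing, daemon keeps root privileges after startup"
        }
    ' "$1"
}

# Directives from the server.conf posted above, written to a temporary file.
conf=$(mktemp)
cat > "$conf" <<'EOF'
local 0.0.0.0
port 1294
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
cipher BF-CBC
script-security 2
EOF
audit_server_conf "$conf"
```

Any cipher or compression change has to be made in the client config as well, since both ends must agree on them.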