connect to SMB share away from home?

[Winefield]

Hi,

As many others (hopefully), I have issues with connecting to an SMB share away from home...

I had it working at one point for me and two of my friends, but... Then we started being unable to connect other users.
*Cutting to the end just for a second here*
After all the troubleshooting that my skills can provide, I have found that it could be an issue with internet providers, Windows itself, or something completely different..
*back to real-time information*
I have an HP Proliant Microserver Gen8 standing in Denmark at my dads place, running 300/300 on a static IP address. Nighthawk R7000 router. Port forwards with my NAS device on the standard ports for SMB.

I moved to sweden back in february and had it working from there, since I had been connected previously with my PC. I guess at least?
I had some issues in the beginning with some restrictions on the network from the provider, this got fixed after a relay or something like that, got replaced with something much newer.
- It then worked fine for me.
I wanted to share my NAS folder to a couple of friends to help them keep track of their things and such, sharing movies, music, etc..

I have run out of ideas of what to do to get this working.. I need some expert help. :-(


I have started over completely (without re-installing the device) as good as I can away from the actual device.
- I can access it over the GUI in a browser no issues. Even with my A-record address that I have created because I always forget the WAN IP the device has.


As I am writing this at 3am, I'm tired and have given up a looong time ago.. If you need any information, or have any questions to be able to help me - Ask, and I will provide you with the information as I cannot think of what other information should be provided straight away.. :/

I really need some help...

Best regards
Winefield

 

[m0nkey_]

The best way to access your data remotely is to set-up a VPN, such as OpenVPN. There are plenty of tutorials on the forum.

 

[Winefield]

@m0nkey_ Thank you for your input!

Sadly this option would not work for me... As I share with multiple persons, they would all have to have the VPN information... I know it will work without a VPN, and I'm sure I am doing something wrong somewhere... I just dont know where :-(

Would it be easier with a domain set up? - If so, how do I do that the best way?
I have looked at all of the guides FreeNAS have, sadly these do not work for me. Might just be me not understanding it correctly?

 

[sretalla]

I think what you're looking for is the nextcloud plugin... you should never expose SMB directly to the internet due to the high number of potential vulnerabilities.

 

[garm]

First of all, what ever the issue is you have an even bigger issue. You have weak security and you are broadcasting your existence. You need to re-evaluate your entire approach to this. Nextcloud is one option, even if it isn’t a fire-n-forget solution either. If you “need” to stick too smb, start with implementing certificate based authentication. OpenVPN is a good recommendation.

 

[Winefield]

@sretalla I totally agree with you the possibilities of intruders by exposing the SMB to the internet. It's in general quite stupid.. But I had it setup like so, that 2 tries is all that is allowed for..... 30 minutes? I believe. Can't remember..

I tried the Nextcloud thing, but it seemed that I was unable to set it up. Why? Never really figured that out... :(

In the mean time I accidently changed the interface config, and now I can't access it. Trying to guide my totally IT killing dad to reset the interface :P
That's a challenge in itself :D

I will take a look at nextcloud whenever I get it up and running again, and I will post what happens.

I appreciate all of you taking your time to help me. Means a lot!

 

[Winefield]

@garm

I tried with OpenVPN for a while, though through my Router so that I could connect to the network and have it working like so - This worked fine for me, but sadly not for my friends. We never got that working.
I also tried setting up the VPN thing in FreeNAS - Can't remember, is that also OpenVPN?

certificate based authentication sounds tricky, but if anything, I'm willing to give it a try :-D

 

[Winefield]

I got it up and running again!! Wuh! Only took 2 hours with my dad on the phone.

Regarding Nextcloud... I have no clue what I'm doing wrong, except that there are no added storage to the "jail"? for Nextcloud. This I can't really get working either...

From here on, I will be able to try out your suggestions - But I would appreciate short guides, if that isn't too much to ask for.. :)

Once again, thanks for the inputs so far.

 

[kdragon75]

Port forwards with my NAS device on the standard ports for SMB.

This will get you HACKED. not to mention many ISPs filter these ports for this exact reason. To many people connecting computers directly to modems and getting hacked and used as part of a botnet.
You need to use a VPN tunnel!

 

[sretalla]

In nextcloud, you will need to add the app "External Storage Support"

On the menu in the top left, select Apps +

Then on the left side, "not enabled"

Then find that app and enable it.

Then top right Admin -> Admin

On the left, (or just scroll down) to External Storages (yes, they added an s that isn't necessary)

Select the SMB/CIFS type and connect to your share (I guess you know how to do this bit)

Then back to the top left and select files, you'll see your SMB shared folder there now.

Repeat as necessary.

 

[sretalla]

You will then need to share out port 443 on your Internet router and direct it to the jail/plugin.

However, this is where the suggestion from @garm to use certificate authentication would help, plus some more stuff...

I would suggest using nginx as a reverse proxy to nextcloud, forcing client certificate auth there. This means that only users in possession of the right certificate can even try to authenticate with their nextcloud credentials (but it does break the nextcloud mobile apps if you do that since they don't allow for client certificates to be specified for the server connection).

Up to you from there anyway... there's plenty of tutorials online for nginx reverse proxy and client certificate auth if you decide to do it.

 

[garm]

A OpenVPN is certificate based.. and there are other solutions as well

 

[kdragon75]

Get a pfSense router and use that as your VPN endpoint, get the client export utility and be done. Full user based (with cert) authentication and fully encrypted over the WAN using hardware acceleration.