Remotely access SMB folders

Max90

Explorer
Joined
Nov 21, 2020
Messages
75
Dear, how can I remotely access SMB folders?
Currently I access via SMB protocol via computer or smartphone from LAN. I wish I could access remotely.
What is the best way to access network folders?
Use the SSH protocol? Is it possible to use the SMB protocol directly by doing a port forwarding from the router? If so, which ports are the ones to use?

Thanks
 
Joined
Jun 2, 2019
Messages
591
Do not port forward your NAS directly to the internet. That is a monstrously bad idea. It puts your data and home network at risk to potential ransomware or other malicious attacks.


Your ISP will likely block SMB ports, so you will need to use a VPN. TrueNAS has OpenVPN server built in. There are other options depending on your network kit (router, firewall, etc.)



Then access your NAS securely via VPN from smartphone or computer, then you can securely access NAS SMB shares, SSH, any protocol, etc.

I do it all the time from my iPhone and Mac, but I use IPSec VPN on my pfSense firewall. IPSec is built in to iOS and macOS, which eliminates the need to install a separate VPN client. It just works!
 

Max90

Explorer
Joined
Nov 21, 2020
Messages
75
You are right.
But I would like to find a way to connect without installing anything on the client, using apps like "File Manager +". How can I do this?

If I configure OpenVPN, can I then connect from my smartphone simply with the connection data?
 
Joined
Jun 2, 2019
Messages
591
If you use OpenVPN, you will need to install the OpenVPN client on the client devices.


Once you have it configured and enabled on the client, you can access shares using SMB protocol.

You can simply prefix the LAN IP address of your NAS with smb://{IP address}

On iOS you can use the built in Files app. You will need to find an equivalent Android app if File Manager+ does not support SMB

 

Max90

Explorer
Joined
Nov 21, 2020
Messages
75
The file manager on my Android supports SMB. But do I need to install the OpenVPN app in addition to configuring the NAS?
 
Joined
Jun 2, 2019
Messages
591
Yes
 
Joined
Jun 2, 2019
Messages
591
see links in previous posts
 

Max90

Explorer
Joined
Nov 21, 2020
Messages
75
Why, when I download the certificate for a client from the VPN server, do I get this error:
[EFAULT] Please ensure provided client certificate is valid, following errors were found: 1) Client certificate requires common name (CN) to be set to verify properly.
 

Max90

Explorer
Joined
Nov 21, 2020
Messages
75
I managed to configure the VPN on the smartphone and on the NAS and I'm connected.
Now I have to connect to the network folders. I had already set the local IP address with "File Manager +" for the SMB connection, and from the local network it works. But when I try to access them once connected to the VPN, it does not. Why?
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
Another option is to connect your whole home network via OpenVPN, WireGuard, or IPSec. For example, with Edgerouters, it makes sense to use IPSec on account of edgerouters having dedicated encryption hardware for IPSec, which in turn minimizes the performance penalty associated with running an encrypted protocol between locations.

Keep in mind that just about every ISP in the US throttles upload speeds. Symmetric upload and download speeds are usually limited to business accounts and fiber. Thus, don't expect amazing throughput unless you spend the bucks to get fast up and download speeds.

Absent a super fast connection, another option is setting up a second NAS at the remote site - kill two birds with one stone, i.e. get the benefit of low latency and an offsite copy of your content. Downside obviously is the cost of buying and operating the second NAS, never mind the issues associated with keeping both NAS' synchronized.
 

Max90

Explorer
Joined
Nov 21, 2020
Messages
75
> I managed to configure the VPN on the smartphone and on the NAS and I'm connected.
> Now I have to connect to the network folders. I had already set the local IP address with "File Manager +" for the SMB connection, and from the local network it works. But when I try to access them once connected to the VPN, it does not. Why?

Setting up with OpenVPN is fine, but I have the problem listed in the quote. How can I solve it?
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
Does your OpenVPN connection give a new/different IP address to the server (which you would need to use for that connection).... also have you limited the IP address binding in the SMB service settings?
 

Max90

Explorer
Joined
Nov 21, 2020
Messages
75
Where should I look? In the SMB settings the IP field is set to blank, which allows access on both the local and external IP address. And once I'm connected to the VPN I should have the local IP, in theory.
Can you tell me where to look, so I can check?
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
in the shell (with openvpn already started) look at ifconfig
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Log on to your NAS via SSH and type "ifconfig" and hit the ENTER key - while the client is connected. Then post the complete text output here enclosed in code tags.
 

Max90

Explorer
Joined
Nov 21, 2020
Messages
75
Code:
bge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: bge0
        options=c0099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE>
        ether e8:39:35:f0:8f:74
        inet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=9<PERFORMNUD,IFDISABLED>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0<> metric 0 mtu 33160
        groups: pflog
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:b8:bd:87:61:00
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto stp-rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: vnet0.5 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 6 priority 128 path cost 2000
        member: vnet0.3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 7 priority 128 path cost 2000
        member: vnet0.1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 2000
        member: bge0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000
        groups: bridge
        nd6 options=1<PERFORMNUD>
vnet0.1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: associated with jail: Deluge as nic: epair0b
        options=8<VLAN_MTU>
        ether ea:39:35:b9:5d:64
        hwaddr 02:a9:a8:2f:70:0a
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=1<PERFORMNUD>
vnet0.3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: associated with jail: Tautulli as nic: epair0b
        options=8<VLAN_MTU>
        ether ea:39:35:c8:bc:a3
        hwaddr 02:01:5c:2d:3b:0a
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=1<PERFORMNUD>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 10.20.0.1 --> 10.20.0.2 netmask 0xffffff00
        groups: tun
        nd6 options=1<PERFORMNUD>
        Opened by PID 14487
vnet0.5: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: associated with jail: PlexMedia as nic: epair0b
        options=8<VLAN_MTU>
        ether ea:39:35:8d:c9:a0
        hwaddr 02:e0:14:39:59:0a
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=1<PERFORMNUD>
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Try sysctl net.inet.ip.forwarding=1, please.
You should be able to connect to SMB at 192.168.1.20, then, even over OpenVPN.

If that makes it work, you can set a tunable in "System > Tunables":
  • type: sysctl
  • name: net.inet.ip.forwarding
  • value: 1
So the setting will be permanent across reboots.
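
Added example, not part of any poster's reply: a small sh/awk helper that reads ifconfig text like the output posted above, lists the NAS's own IPv4 addresses with the tunnel-side one first (the "new/different IP address" asked about earlier in the thread), and prints the current net.inet.ip.forwarding value. The function names and the trimmed sample are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample: trimmed from the ifconfig output posted in this thread.
SAMPLE_IFCONFIG='bge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 10.20.0.1 --> 10.20.0.2 netmask 0xffffff00'

# list_inet (hypothetical helper): print "iface address peer" for every IPv4
# address in ifconfig text. peer is "-" unless the line uses the
# point-to-point "local --> remote" form that tun interfaces show.
list_inet() {
    printf '%s\n' "$1" | awk '
        /^[a-z]/     { iface = $1; sub(/:$/, "", iface) }
        $1 == "inet" { peer = ($3 == "-->") ? $4 : "-"; print iface, $2, peer }'
}

# smb_candidates (hypothetical helper): smb:// URLs for the NAS own addresses
# worth trying from a connected VPN client. Tunnel-side address first,
# loopback skipped.
smb_candidates() {
    list_inet "$1" | awk '
        $2 ~ /^127\./ { next }
        $3 != "-"     { tun = tun "smb://" $2 "\n"; next }
                      { lan = lan "smb://" $2 "\n" }
        END           { printf "%s%s", tun, lan }'
}

# forwarding_state: current net.inet.ip.forwarding value, or "unknown" when
# the sysctl does not exist (for example when run on a non-FreeBSD host).
forwarding_state() {
    sysctl -n net.inet.ip.forwarding 2>/dev/null || echo unknown
}

list_inet "$SAMPLE_IFCONFIG"
smb_candidates "$SAMPLE_IFCONFIG"
echo "net.inet.ip.forwarding=$(forwarding_state)"
```

On the NAS itself, pass live output instead of the sample: `smb_candidates "$(ifconfig)"`.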
 