Exposing the NAS to the Internet is the most unsafe of the obvious options even if you only allow one single port to allow you to access a specific service such as SSH, SMB or Plex.
Also, you really need to define what you mean by "best" - easiest? cheapest? most secure? most robust?
If the remote access is always from the same specific location (such as your holiday home in the Algarve) then probably the most secure option is to have a dedicated point-to-point network connection (e.g. leased line) installed but this is definitely not a cheap option.
The cheaper option involves a Virtual Private Network (VPN) connection which uses tunnelling protocols to mimic the point-to-point connectivity of a leased line and also provide an easy option to encrypt any traffic using that tunnel. It is therefore very important to note that a VPN does not always include encryption even though you probably want it to be included.
Normally when people want remote access they mean that they (a roaming client with a laptop, tablet or phone) want to connect to some random nearby network and then connect over the public Internet to a static server on a local area network in a fixed location as if they were in that fixed location. Such access requires a VPN.
To establish a VPN connection to a specific server, several things are required:
- client system (e.g. laptop, phone etc)
- VPN client software to initiate a virtual point-to-point link
- internet access for that client
- internet connectivity to the fixed location (this has to be taken for granted because you can't do anything about it if it is not available!)
- VPN endpoint at the fixed site
- Connectivity and functionality for the server to which you want to connect
There are three options for a VPN endpoint:
1. the ISP router/your Firewall
2. the QNAP to which you are trying to connect (there is an official QVPN service available)
3. a different endpoint device on your network (e.g. another server, router etc)
To use options 2 or 3, you must first configure the Firewall to allow the ports and protocols required for the VPN tunnel to pass to the endpoint.
Then you launch the VPN client on the laptop, establish a VPN tunnel to the endpoint and proceed as if you were at home.
Option 2 of course exposes a single port of the QNAP server to the Internet for the QVPN service and is therefore not the most secure option but it is very easy and quick.
Option 3 is made more secure by creating a separate DMZ for the endpoint (note separate DMZ... do not put the endpoint in a publicly accessed DMZ!)
OpenVPN (included in the QVPN service) is one of the best options for VPN connectivity to your home network because it is readily available and only requires a single TCP port for full connectivity.
One "best" solution therefore might be:
- Pick a port not normally used by common services (or used by a service you never use such as Battlenet authentication TCP/1119) for your tunnel
- Buy a cheap Draytek router
- Connect WAN port of Draytek to the DMZ port of your ISP router.
- Connect LAN port of Draytek to the home network.
- Configure OpenVPN endpoint on Draytek using the preassigned port for specific user(s) and export the connection certificate
- Install OpenVPN client on laptop, phone, tablet etc... and import certificate.
- Go roaming and watch your videos!
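
An added example, not part of the original post: a check you could run on the exported OpenVPN client profile before importing it, to confirm it uses the chosen TCP port and has not disabled encryption. The two profiles, the host `vpn.example.net` and the function names are constructed for illustration; the directives are standard OpenVPN options.

```python
# Added example: audit an OpenVPN client profile (.ovpn) before importing it.
# Both profiles are constructed samples; vpn.example.net is a placeholder host.
WEAK = {"none", "bf-cbc", "des-cbc", "des-ede3-cbc"}

GOOD = """client
proto tcp
remote vpn.example.net 1119
remote-cert-tls server
data-ciphers AES-256-GCM:AES-128-GCM
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
</ca>"""
BAD = "client\nremote vpn.example.net 1194 udp\ncipher none\nauth none\n"

def parse_profile(text):
    """Return (directive, args) pairs; skip comments and inline <ca>/<cert>/<key> blocks."""
    out, in_block = [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif line and line[0] not in "#;" and not in_block:
            name, *args = line.split()
            out.append((name.lower(), [a.lower() for a in args]))
    return out

def audit(text, expected_port):
    """Return a list of findings; an empty list means the profile passed."""
    d = parse_profile(text)
    values = lambda name: [a for n, a in d if n == name and a]
    proto = values("proto")[0][0] if values("proto") else "udp"  # OpenVPN default
    port = values("port")[0][0] if values("port") else "1194"    # OpenVPN default
    findings = [] if values("remote") else ["no remote endpoint defined"]
    for r in values("remote"):
        r_port, r_proto = (r[1] if len(r) > 1 else port), (r[2] if len(r) > 2 else proto)
        if r_port != str(expected_port) or not r_proto.startswith("tcp"):
            findings.append(f"remote {r[0]}: {r_proto}/{r_port}, expected tcp/{expected_port}")
    for key in ("cipher", "data-ciphers"):
        for args in values(key):
            weak = sorted(set(args[0].split(":")) & WEAK)
            if weak:
                findings.append(f"{key} allows {','.join(weak)}: weak or no encryption")
    if any(a[0] == "none" for a in values("auth")):
        findings.append("auth none: HMAC packet authentication disabled")
    if not any(a[0] == "server" for a in values("remote-cert-tls")):
        findings.append("remote-cert-tls server missing: server certificate usage unchecked")
    return findings
```

Calling `audit(GOOD, 1119)` returns an empty list, while `audit(BAD, 1119)` reports the wrong port and protocol, the disabled cipher, the disabled HMAC and the missing server certificate check.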