VPN = VPN? No!

FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

VPN = VPN? No!

Post by FSC830 »

A (very) short overview of different VPN solutions.
This is not a deep dive into VPN technology, just a brief overview of the different use cases and setups.
Due to the variety of possible setups, protocols, use-cases, ... a detailed description is not intended in this post.

What is VPN? VPN stands for Virtual Private Network.
A VPN allows a secure connection between two end points (mostly client-to-LAN or LAN-to-LAN).
Secure connection means that an algorithm negotiates the connection between the endpoints using a key or strong passphrase.

The traffic and connection are established using the public internet. But because only the VPN endpoints know the key/passphrase, all other devices can't "see" the content of the traffic, so the VPN provides a secure "tunnel" for the exchange of data.

There are two main use-cases:

1. To hide your own WAN IP and traffic for any purpose, e.g. to bypass geo-fencing, to mask something, for de-identification, etc.
For this, usually a paid VPN service like NordVPN or CyberGhost is used (there are a lot more, just to name these two).
So the connection is usually from your client to such a service and then to any other endpoint. The WAN IP is masked going that way.
Anyhow, you need to rely on the VPN provider not tracking you and your data.

2. For secure access from anywhere with your mobile device to your company's network. In that case the IT department is responsible for the VPN setup on client and server.
For accessing your own LAN/devices at home. For that you need to set up your own VPN server, ideally on the router you are using for internet access. If your router does not provide such an option, consider replacing it or setting up a dedicated firewall behind the router (e.g. OPNsense or pfSense) which provides such abilities.
As an alternative you can also install and run a VPN server (OpenVPN or WireGuard) on hardware such as a Raspberry Pi.

For proper function you need to set up a VPN client on each (mobile) device you are using when not at home, e.g. on your laptop, cell phone or tablet.
Common operating systems like Android, iOS and Windows provide a VPN client. You need to configure the client and the server with the keys/passphrases before you can establish the connection.

So the second option is exactly what is needed here. Don't use a paid service for secure access to your LAN; that is not necessary.
Set up your own VPN server and you are on the safe side when accessing from remote.

Again, there are numerous configurations possible; e.g. for OpenVPN there are dozens of setup guides available on the internet.
Most important is that your router should support a VPN setup.

Because we are in a QNAP forum: don't use QVPN for remote access! QVPN often uses outdated versions, configuration options are limited, AND: a NAS is not designed for this; use a router/firewall to protect yourself.

This is no rocket science, but some basic networking skills will ease the configuration steps, e.g. for the setup of a LAN-to-LAN VPN (aka site-to-site VPN): it is mandatory in this case that the LAN at each site uses a different IP range for the network!
If both sites are using the same IP range (e.g. 192.168.1.1/24) the VPN will not work!
Last edited by FSC830 on Fri Jan 06, 2023 7:30 pm, edited 4 times in total.
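
A pre-flight check for the site-to-site rule in the post above, as an added example that is not part of the original post: it compares the LAN ranges of any number of sites and reports every overlapping pair, including the case where one site's range merely contains another's. The site names and ranges are constructed sample data.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: LAN ranges as they might be read off each site's router.
SITES = {
    "home":    ["192.168.1.1/24"],   # written as in the post: router address + mask
    "parents": ["192.168.1.0/24"],
    "office":  ["10.20.0.0/16"],
    "cabin":   ["10.20.30.0/24", "192.168.50.0/24"],
}

def parse_lan(cidr):
    """Return the network for a CIDR string.

    strict=False accepts an interface address with host bits set
    ('192.168.1.1/24') and normalises it to its network (192.168.1.0/24);
    the default strict=True would raise ValueError on that input.
    """
    return ipaddress.ip_network(cidr.strip(), strict=False)

def find_conflicts(sites):
    """Return sorted (site_a, net_a, site_b, net_b) tuples for every pair of
    LANs at different sites whose address ranges overlap."""
    parsed = [(site, parse_lan(c)) for site, cidrs in sites.items() for c in cidrs]
    conflicts = []
    for (site_a, net_a), (site_b, net_b) in combinations(parsed, 2):
        if site_a == site_b or net_a.version != net_b.version:
            continue
        # overlaps() is also true when one range merely contains the other,
        # e.g. a /16 at one site and a /24 carved out of it at another.
        if net_a.overlaps(net_b):
            conflicts.append((site_a, str(net_a), site_b, str(net_b)))
    return sorted(conflicts)

if __name__ == "__main__":
    for a, na, b, nb in find_conflicts(SITES):
        print(f"CONFLICT: {a} {na} overlaps {b} {nb}; renumber one site before linking them")
```
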
spile
Been there, done that
Posts: 638
Joined: Tue May 24, 2016 12:13 am

Re: VPN = VPN? No!

Post by spile »

I would add to…
“If your router does not provide such an option, consider to replace it or to setup a dedicated firewall behind the router (i.e. opnSense or pfSense) which provide such abilities.”
E.g.
You can also install and run a VPN Server (Openvpn or Wireguard) on hardware such as a Raspberry Pi.
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: VPN = VPN? No!

Post by FSC830 »

Done! :D

Regards
maver1ck09
Getting the hang of things
Posts: 53
Joined: Tue May 05, 2020 11:59 am

Re: VPN = VPN? No!

Post by maver1ck09 »

FSC830 wrote: Tue Jan 03, 2023 10:08 pm For accessing to your own LAN/devices at home. For that you need to setup your own VPN server at best at the router you are using for the internet access. If your router does not provide such an option, consider to replace it
Just to clarify, what you're suggesting here is to replace with a router that's capable of operating as a VPN server to allow protected access to all Home LAN devices, correct?

Would setting up Wireshark on the QVPN application on a NAS drive be a viable alternative to this? This idea had been suggested by a user in another thread which was starting to go off-topic. As such, I would like to have this alternative reviewed here, since it primarily relates to the topic of securing access to LAN devices at home.
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: VPN = VPN? No!

Post by FSC830 »

No, never. VPN on the NAS may be better than nothing, but I do not recommend using the NAS as a VPN device.

QVPN, for example, has itself been affected some time ago, so attacks have been successful by running an app which was designed to protect against such attacks. :evil:
A VM running on the NAS with a VPN server is IMHO the best option if for any reason the NAS is to be involved in the VPN setup.

But there are a lot of disadvantages:
if the NAS is not running 24/7 your LAN is not protected.
if the NAS fails, your LAN is not protected.
during QTS updates your LAN is not protected.
there have been updates in the past which made VMs not run anymore (can't remember if this was an update of QTS or VS).
updates of QTS have created issues in NAS network settings, so VPN is affected too.
...

I strongly recommend not to put any such critical apps on a NAS.

I am using Wireguard and IPsec at my router (pfSense), no issues seen at anytime.

Regards

Edit: To answer the first question, yes, if possible replace the router. If not, use a dedicated small PC for VPN.
Last edited by FSC830 on Wed Mar 15, 2023 5:37 pm, edited 1 time in total.
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: VPN = VPN? No!

Post by Moogle Stiltzkin »

when using vpn, performance is dependent on hardware spec for the vpn server and other factors. so there are a few things to consider

location A and location B. what download and upload speeds at both locations? (consider the bottlenecks)

Then the VPN server, what spec does the hardware hosting it have? e.g. usually a vpn server on a router.

So a low spec router might NOT be able to do vpn performance for the max 1gbps as an extreme example for someone that has a high speed broadband package. So you may want to browse reddit to see what spec is required to operate a vpn server and what kinds of speeds you may be able to achieve via vpn.



Usually when we talk about VPN for NAS, we are referring to the one you self host on the router. So then you have a client device that uses a vpn client (pc, laptop, android mobile etc) to connect to the VPN server. This is an encrypted tunnel that adds a layer of protection. Why we do this is to limit access to the network by requiring a VPN certificate and credentials in order to log in to the network, to then access your NAS.


Another type of VPN is subscription based vpn. The purpose for this is to connect to a remote VPN server to tunnel your internet through, so that you can use their IP from another country. Usually to get around geoblocking or to not divulge your public ip. The only use case for this in regards to nas is probably if you're doing torrent downloading e.g. using a torrent client docker app, and you want to hide your public ip while doing so. So that's about it.

So as we can see, these 2 use cases for vpns are different. One is self hosted, and the other is subscription based. And they serve different purposes. Often the newbs confuse one for the other ^^;


Anyway i highly recommend this video if you plan to do a homelab using your NAS

Self-Hosting Security Guide for your HomeLab
https://www.youtube.com/watch?v=Cs8yOmTJNYQ

additional tips for setting up docker homelab for qnap (is incomplete fyi)
https://github.com/QNAP-HomeLAB/docker- ... containers


extra tip: there are 2 trusted vpn protocols, openvpn and wireguard. these are the only ones most people are recommended to use, one or the other (wireguard supposedly is faster, but openvpn has been around much longer)
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
great_vc
Know my way around
Posts: 215
Joined: Mon Apr 11, 2016 9:45 pm

Re: VPN = VPN? No!

Post by great_vc »

interesting,
I consider myself an advanced user
can you please clarify more or give articles about QVPN exposed or hacked.
I have been using OPENVPN with QVPN with only one UDP port open.

I see on the menu new options like qbelt and wireguard, are these safest?

Why isn't that safe ?
TS-251-4G, 2 x WD RED 4TB
Firmware: Always the latest, you know...every week :o
SMB for Windows 10 64bit - SMB for MacMini Mojave / Kodi
Mainly used for storage (Home Use)
VM Windows 7 Isolated for RDP Jump Host only
Amazon S3 Backup, Google Drive Hybrid Backup, External USB once every 2 months back (one touch copy)
OpenVPN Only Access Remotely, no public ports opened
dolbyman
Guru
Posts: 35024
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: VPN = VPN? No!

Post by dolbyman »

Toxic17
Ask me anything
Posts: 6469
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: VPN = VPN? No!

Post by Toxic17 »

I personally use a spare raspberry pi as my vpn for me to remote back into my network and use this script for the openvpn installer: https://github.com/angristan/openvpn-install on a port of my choice. works for me....
Regards Simon


NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
great_vc
Know my way around
Posts: 215
Joined: Mon Apr 11, 2016 9:45 pm

Re: VPN = VPN? No!

Post by great_vc »

dolbyman wrote: Fri Feb 17, 2023 1:51 am probably this

https://www.qnap.com/en/security-advisory/qsa-21-61
sorry that doesn't prove anything, like everything even openvpn versions have bugs and exploit codes, even ubuntu, windows, macos.
You are quoting an article from 2022 which has been patched as to make your point of it is not secure ?

anyone has a legit reason for backing-up the thread ?
dolbyman
Guru
Posts: 35024
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: VPN = VPN? No!

Post by dolbyman »

Video/photo/music/file/etc stations have been exploited and patched many times..are you telling me you now think they will never be compromised again?

Just don't trust QNAP with any WAN facing stuff..
great_vc
Know my way around
Posts: 215
Joined: Mon Apr 11, 2016 9:45 pm

Re: VPN = VPN? No!

Post by great_vc »

dolbyman wrote: Fri Feb 17, 2023 2:40 pm Video/photo/music/file/etc stations have been exploited and patched many times..are you telling me you now think they will never be compromised again?

Just don't trust QNAP with any WAN facing stuff..
you are just explaining how OS and Apps work. Everything gets compromised, even the OPENVPN protocol, even your Raspberry Pi, whichever fork you are using. so what do we do? return to stone age and not be able to connect?

Even firewall appliances and home user routers are more vulnerable than QNAP because users do not update them as they do not get notifications, need a more expert user to do it, not familiar with it.
AlastairStevenson
Experience counts
Posts: 2415
Joined: Wed Jan 08, 2014 10:34 pm

Re: VPN = VPN? No!

Post by AlastairStevenson »

Everything gets compromised, even the OPENVPN protocol
Citation?
Nothing that I've been aware of.
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
adetogni
Getting the hang of things
Posts: 75
Joined: Tue Oct 03, 2017 10:37 pm

Re: VPN = VPN? No!

Post by adetogni »

Hello, I came here since I'm looking at remote connect to my home NAS (and home network to be honest). And I'm evaluating different options:
1 using QVPN: I've done it in the past, but still lots of people here say don't do it. Reading the reasons...well...if NAS is off, I don't really need to access home. And 99% of the stuff I need is on the nas, so with nas off there will be no point in accessing
2 using an external device with a DD-WRT or OpenWrt (for example gli MT-300Nv2). Looks like a better option but kinda hard to configure (for me at least)
3 running wireguard as a container app within the NAS. Isn't it the same as case 1? And what about performances?

Still very puzzled...given that it will act as a VPN only for the occasional times I need to connect home, not on a daily basis
dolbyman
Guru
Posts: 35024
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: VPN = VPN? No!

Post by dolbyman »

Why is running VPN on the router complicated ? .. it's as easy as on the NAS!