[SOLVED] How to remotely access my network via a VPN

jimmyfarmer

Reputable
Mar 11, 2018
19
0
4,510
My sister is an accountant and she has one business partner. My sister has an external hard drive attached to her router that automatically backs up the data on her laptop. She would like for her business partner to be able to remotely access these files. I imagine that there will be personal information for their clients that they would be accessing so this would need to be done in a secure manner.

I too have an external hard drive hooked up to my router (we have the same router) and I am trying to basically set up what she wants, only at my house, to see how well it works and if it would be a viable option for her.

Rather than me trying to explain what I did and probably leaving out details, this is basically what I did to set up an OpenVPN server and disable WAN access to my router's USB port:

View: https://www.youtube.com/watch?v=fsS7UocfvFM

View: https://www.youtube.com/watch?v=KXdhhuBcpgU


Using my laptop, if I am connected to my home wifi, I am able to connect with the OpenVPN software and then, using FileZilla, I'm able to access the files on the hard drive just as I would like to do.
The problem is, if I connect to a hot spot on my phone rather than my home wifi, I am still able to connect with the OpenVPN software, but I cannot connect with FileZilla; the connection fails and therefore I cannot access my files.

I feel like I'm missing something simple. I've been searching for days now and can't seem to find how to fix this. Does anyone have any idea how I can get this up and running properly so I can remotely access my files?
I'm not sure if I would need to enable port forwarding or not? I'm interpreting it as, if I'm connected via the vpn I am essentially connected to my LAN and therefore wouldn't need port forwarding, but I could be wrong.

Also, would this type of server provide adequate security for their sensitive files?

Thanks to anyone who offers assistance
 
So doing this with consumer level hardware and vpn is not going to be reliable. It might work, but it will have quirks like this.

What you really need is that these two locations get joined by an always on vpn tunnel. Typically in the business and enterprise, this is done via IPsec, but I think openvpn might be able to do the job.

The concept is this--once both networks are joined, all the devices on the network will work from either side. This means the drive would be accessible, and so will the laptop and other devices on both sides (printers, etc.). This can get tricky if there are devices that are NOT supposed to be accessed from both sides. They will have to be outside of the vpn subnet range so that packets won't be routed over the vpn. This level of detailed configuration may not be available in consumer openvpn options.

I run a more advanced version of what they're trying to do across 3x different physical sites in the country, but I do it using enterprise equipment and IPsec tunnels. But the concepts are the same so I should be able to help you set it up.
 
How do you know you are connected to the LAN with the VPN? Can you ping other devices? If you really are on the LAN, then it has to be something strange with the router configuration.

A router is not really designed to be a NAS. It is an extra feature they throw on there. It mostly works, but all the manufacturers seem to do it differently, so it's hard to say what options you need to set to make it work with a VPN.

Note your performance is not going to be real fast. The VPN eats a huge amount of CPU power and the NAS function adds even more. The CPUs in even the fastest routers are tiny compared to a PC.
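
The check the two replies above point at (does traffic for a LAN device actually leave through the tunnel, and which devices fall inside the routed range), as an added example that is not part of any post in this thread. All route tables, addresses and interface names are constructed; it also covers one case the thread does not mention, a remote network that reuses the home LAN's address range.

```python
import ipaddress

# Constructed client routing tables (destination, interface); all addresses
# and interface names are made up for illustration.
HOTSPOT_OK = [
    ("0.0.0.0/0", "wlan0"),        # default route via the phone hotspot
    ("172.20.10.0/28", "wlan0"),   # the hotspot's own subnet
    ("10.8.0.0/24", "tun0"),       # VPN tunnel subnet
    ("192.168.1.0/24", "tun0"),    # home LAN route installed by the VPN
]
HOTSPOT_NO_LAN_ROUTE = HOTSPOT_OK[:3]   # tunnel up, but no route to the LAN
SAME_RANGE_WIFI = [                     # remote Wi-Fi reuses the home LAN range
    ("0.0.0.0/0", "wlan0"),
    ("192.168.1.0/24", "wlan0"),
    ("10.8.0.0/24", "tun0"),
    ("192.168.1.0/24", "tun0"),
]

def best_route(routes, dest):
    """Longest-prefix match; on equal length the earlier entry wins
    (list order stands in for the route metric)."""
    ip = ipaddress.ip_address(dest)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def diagnose(routes, lan_host, tunnel_prefix="tun"):
    """Classify how traffic to a LAN host (e.g. the router's FTP share) leaves."""
    match = best_route(routes, lan_host)
    if match is None:
        return "unreachable"
    net, iface = match
    if iface.startswith(tunnel_prefix):
        return "via-vpn"
    # A default-route match means the tunnel is up but nothing steers LAN
    # traffic into it; a specific match means the local network shadows it.
    return "no-lan-route" if net.prefixlen == 0 else "local-overlap"

def reachable_over_vpn(routes, hosts):
    """Hosts that fall inside the routed range, i.e. exposed to the far side."""
    return [h for h in hosts if diagnose(routes, h) == "via-vpn"]
```

A "connected" status in the VPN client or router GUI corresponds to the tunnel subnet route only; the LAN host is reachable only in the `via-vpn` case.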
 

jimmyfarmer

So doing this with consumer level hardware and vpn is not going to be reliable. It might work, but it will have quirks like this.

What you really need is that these two locations get joined by an always on vpn tunnel. Typically in the business and enterprise, this is done via IPsec, but I think openvpn might be able to do the job.

The concept is this--once both networks are joined, all the devices on the network will work from either side. This means the drive would be accessible, and so will the laptop and other devices on both sides (printers, etc.). This can get tricky if there are devices that are NOT supposed to be accessed from both sides. They will have to be outside of the vpn subnet range so that packets won't be routed over the vpn. This level of detailed configuration may not be available in consumer openvpn options.

I run a more advanced version of what they're trying to do across 3x different physical sites in the country, but I do it using enterprise equipment and IPsec tunnels. But the concepts are the same so I should be able to help you set it up.


Do you have a website or video explaining how to do this? I've been looking but so far everything I've found requires an enterprise version of Windows which my sister does not have.
 

jimmyfarmer

How do you know you are connected to the LAN with the VPN? Can you ping other devices? If you really are on the LAN, then it has to be something strange with the router configuration.

A router is not really designed to be a NAS. It is an extra feature they throw on there. It mostly works, but all the manufacturers seem to do it differently, so it's hard to say what options you need to set to make it work with a VPN.

Note your performance is not going to be real fast. The VPN eats a huge amount of CPU power and the NAS function adds even more. The CPUs in even the fastest routers are tiny compared to a PC.


So it turns out when I'm connected to my home wifi, regardless of if openvpn is connected, I am still able to connect via filezilla. So I don't think my initial tests really proved that it was working.

If I log in to my router's GUI when I have OpenVPN connected, it shows that I have a user connected. That's the only thing I know for sure that is happening with OpenVPN, so I'm inclined to think there is a setting or settings that are preventing this from working.

I know there are probably better ways of doing this, but if there is a free, relatively easy way to set this up she would obviously prefer that. I don't think the files they are working with are huge by any means, I could be wrong, but I think her business partner would simply download the file to her computer then work on it from there. My plan was to try to set this up at my place, then have her connect to my router and try to access the files, and she could see if the performance was satisfactory for her needs.
 
Do you have a website or video explaining how to do this? I've been looking but so far everything I've found requires an enterprise version of Windows which my sister does not have.
The keyword to search for is 'site-to-site vpn tunnel' and you'll have to read a lot of different pages before you find one that makes the whole thing 'click'. Even though I know what it is, the way different people can explain it, it can seem like a foreign concept.
Here are a few images I found that sum it up simply:
fortigate_ipsec_vpn_diagram.png


In this drawing, they're using 2x fortigate vpn routers, but they could be anybody's, and they don't have to be the same manufacturer as IPsec tunnels are a standard. I have found however that it's best to have 2x of the same as diagnosing what's wrong when tunnels don't connect is probably one of the toughest diagnostic jobs in networking imo.

So these two routers both have a public IP--a.1.2.3 and b.4.5.6. And using the public Internet connection, they can connect to each other and establish an IP VPN tunnel. Now the networks on Site A and Site B can ping each other like they were local, and so can anything on each network (if configured that way). So if you had a NAS at Site A and wanted to access or back up to it from anything on Site B, it's as easy as using your favorite tool as if the drive was local. The only issue you typically run into with this is speed. My backup updates locally take an hour and to do the same thing to my remote backup takes about 4 hours (can take as long as 12). This usually isn't a problem though for a nightly backup.

ipsec-tunnel-1.jpg

Another image with a little bit more of a generic overview.

This is probably one of the more simple documents that I found that explains it in more detail, but this is an openvpn implementation and I'm not completely sure how it works since the client and server are behind the gateway router:

As you can tell, this is a bit to learn, but hopefully you can also see this is a really robust technology that's pretty much 'install and forget' once you have it up and running. And reliability like that is what you want in a backup solution.

Hope this helps!
 
Solution
I know there are probably better ways of doing this but if there is a free relatively easy way to set this up she would obviously prefer that. I don't think the files they are working with are huge by any means, I could be wrong, but I think her business partner would simply download the file to her computer then work on it from there.
I wouldn't compromise on security with something easy or free. They are dealing with financial records that, if there is a security breach, would pretty much destroy their company from the legal liability and resulting lawsuit. This is why big companies don't try easy or free solutions, as they are rather insecure or easy to compromise.