Question Remote access to server via VPN

Tomas1020

Reputable
Oct 2, 2015
72
0
4,630
0
Hi everyone,

I'm not sure if this is the right place to ask this but let's try... :p

I work in a small family company and we use Synology NAS to store all company data. It's located in the office, connected to the network with internet access.

What I need now is to have a remote access to this NAS for employees working in the field.

Specifically I need to achieve this:
  • secure access to the Synology NAS from anywhere with internet connection (not via browser but have a network drive in Windows explorer, like in the office)
  • accessing the NAS with employee's login (not everyone has access to all the folders)
I've never dealt with anything like this before but I have information that this could be achieved with a VPN?

If VPN is an option, then what do I need to make it work and which options would you recommend me?

I've recently learned that Synology has something called "Quick Connect", which will probably solve my problem too, right? But even then, I feel like it might be a good idea to start using VPN in the company, for security reasons.

Thanks in advance for any tips.

Tomas
 

beers

Distinguished
BANNED
Oct 4, 2012
261
52
18,790
8
You should be able to set up a remote access style VPN for that, depending on your level of knowledge will dictate platform and implementation.

There's a few decent guides for rolling OpenVPN for that. You'd need network equipment capable of using custom routes (for your VPN subnet) and something to host it on such as a VM or server. OpenVPN Access Server makes it super easy, although contains a license requirement for more than 2 concurrent users. The base OpenVPN is free/open but requires more knowledge to set up.

Some routers also have this functionality built in but generally have low performance in ARM based implementations.

There's some other hardware based appliances like a Cisco ASA 5506X or similar that would give you Anyconnect type of connectivity but also come with cost and complexity if you aren't familiar with them.
 
Reactions: Tomas1020
I have something very similar to what you have setup for myself and my brother who works on stuff remotely.

A couple of things to keep in mind:
  • If your employees are in fixed places with Internet access, there are hardware solutions that may be faster to implement, but a bit more expensive.
  • If your employees are NOT using work devices to connect to your network this way, they can introduce dangerous malware that can compromise your entire business as well as possibly destroy or ransomware your data. This is a VERY serious risk that I would not take lightly.
  • If your employees have direct access to the data in this way, it can be taken, copied, and transmitted to anyone and any place. This again is a business security issue.
With these things in mind, depending on the model Synology you have and how powerful it is and how many clients (employees) will connect to it, there is a way for the Synology to act as a vpn server. This will allow employees to connect directly to the nas and work with the files. However, in this configuration, you are dangerously exposed to all 3 of the caveats above. But there are other ways to get the same access safely.

If your employees have machines that they either normally use in the office or works laptops that they now have at home, this offers the opportunity for more secure access to be configured. I would have to know more about your complete network configuration as well as your workflow, but I will share my workflow and how we secure things.

We have an enterprise grade ipsec vpn router at our home base. It is the main router and is the dhcp server. It also is an ipsec vpn server.

The devices that connect to the vpn server are mobile windows thin clients. They run an embedded version of windows that basically can boot into windows and that's about it. It can also be completely locked down so an employee cannot change any settings permanently (a reboot restores it back to how you set it up). Using the normal built-in vpn clients in windows, these machines can log into the vpn server at home base.

Once these machines log into home base, they cannot access anything except the same machine that the person would be using if they were present in the office--so they can access the nas like usual with the same screen they are used to. They access this machine via remote desktop.

So to recap--they are using a thin client, which is essentially a toaster with no data on it and useless as a computer (not a theft target), they connect into a network where they cannot connect to anything directly (compromised entry can't directly access the nas), and they have the full power of their normal system working right there as if they were physically present. I've simplified everything a bit as we have some other layers of complexity in our setup, but essentially this is how it works for us.

Because enabling remote desktop on a system on a lan and setting up a thin client for remote access is trivial, these two tasks are easy. The biggest part of this setup is the enterprise router and configuring that.

If your employees are fixed at home, a used hp t510 or similar thin client is well under $50 ea and you can set this up so that the employee literally goes home, plugs it into their network, and then logs into their work machine. This makes everything smooth on the employee side.

If you already have work laptops, you can add the configuration to log into to the vpn server and configure them to directly access the nas. However, this does add some risk as the data is physically leaving your location.

VPN routers capable of 15 employees start at about $250. Many of them have support contracts, but these are optional after they expire on some brands and required for other brands. This is the hard part--researching what you need and finding the right fit. It doesn't help that enterprise IT distribution still relies on 'salesmen' and other middle men to muddle things even more, but luckily this setup is relatively 'simple' for most of these devices. The one we have is designed for 500 employees, but we knew what we were looking for and exactly how it worked so we picked it up for under $400 with a support contract.

Hopefully this will give you some ideas. Feel free to ask me any questions.
 
Reactions: Tomas1020

Tomas1020

Reputable
Oct 2, 2015
72
0
4,630
0
You should be able to set up a remote access style VPN for that, depending on your level of knowledge will dictate platform and implementation.

There's a few decent guides for rolling OpenVPN for that. You'd need network equipment capable of using custom routes (for your VPN subnet) and something to host it on such as a VM or server. OpenVPN Access Server makes it super easy, although contains a license requirement for more than 2 concurrent users. The base OpenVPN is free/open but requires more knowledge to set up.

Some routers also have this functionality built in but generally have low performance in ARM based implementations.

There's some other hardware based appliances like a Cisco ASA 5506X or similar that would give you Anyconnect type of connectivity but also come with cost and complexity if you aren't familiar with them.
Thanks, I'll look further into this :)
 

Tomas1020

Reputable
Oct 2, 2015
72
0
4,630
0
I have something very similar to what you have setup for myself and my brother who works on stuff remotely.

A couple of things to keep in mind:
  • If your employees are in fixed places with Internet access, there are hardware solutions that may be faster to implement, but a bit more expensive.
  • If your employees are NOT using work devices to connect to your network this way, they can introduce dangerous malware that can compromise your entire business as well as possibly destroy or ransomware your data. This is a VERY serious risk that I would not take lightly.
  • If your employees have direct access to the data in this way, it can be taken, copied, and transmitted to anyone and any place. This again is a business security issue.
With these things in mind, depending on the model Synology you have and how powerful it is and how many clients (employees) will connect to it, there is a way for the Synology to act as a vpn server. This will allow employees to connect directly to the nas and work with the files. However, in this configuration, you are dangerously exposed to all 3 of the caveats above. But there are other ways to get the same access safely.

If your employees have machines that they either normally use in the office or works laptops that they now have at home, this offers the opportunity for more secure access to be configured. I would have to know more about your complete network configuration as well as your workflow, but I will share my workflow and how we secure things.

We have an enterprise grade ipsec vpn router at our home base. It is the main router and is the dhcp server. It also is an ipsec vpn server.

The devices that connect to the vpn server are mobile windows thin clients. They run an embedded version of windows that basically can boot into windows and that's about it. It can also be completely locked down so an employee cannot change any settings permanently (a reboot restores it back to how you set it up). Using the normal built-in vpn clients in windows, these machines can log into the vpn server at home base.

Once these machines log into home base, they cannot access anything except the same machine that the person would be using if they were present in the office--so they can access the nas like usual with the same screen they are used to. They access this machine via remote desktop.

So to recap--they are using a thin client, which is essentially a toaster with no data on it and useless as a computer (not a theft target), they connect into a network where they cannot connect to anything directly (compromised entry can't directly access the nas), and they have the full power of their normal system working right there as if they were physically present. I've simplified everything a bit as we have some other layers of complexity in our setup, but essentially this is how it works for us.

Because enabling remote desktop on a system on a lan and setting up a thin client for remote access is trivial, these two tasks are easy. The biggest part of this setup is the enterprise router and configuring that.

If your employees are fixed at home, a used hp t510 or similar thin client is well under $50 ea and you can set this up so that the employee literally goes home, plugs it into their network, and then logs into their work machine. This makes everything smooth on the employee side.

If you already have work laptops, you can add the configuration to log into to the vpn server and configure them to directly access the nas. However, this does add some risk as the data is physically leaving your location.

VPN routers capable of 15 employees start at about $250. Many of them have support contracts, but these are optional after they expire on some brands and required for other brands. This is the hard part--researching what you need and finding the right fit. It doesn't help that enterprise IT distribution still relies on 'salesmen' and other middle men to muddle things even more, but luckily this setup is relatively 'simple' for most of these devices. The one we have is designed for 500 employees, but we knew what we were looking for and exactly how it worked so we picked it up for under $400 with a support contract.

Hopefully this will give you some ideas. Feel free to ask me any questions.
Thanks for an extensive answer! :) I feel like I need to clarify a few things:
  • we are a VERY small company (3 employees - 2 of which are family)
    • but we're no joke, making good money in a B2B industry :D
    • I'm like 95 % confident that the employees won't misuse the company data
  • we're not fixed - one employee is a sales rep, so he's traveling all over and the family guy works from home quite often - these are the reasons for the need for remote access to the company data
    • the sales rep has a laptop which he uses at the office as well as in the field
    • the family guy has a desktop at the office and another desktop at home
    • myself, I work only at the office, on a desktop
  • we have the Synology DS918+ NAS
  • the traffic is ultra low on average - we don't have more than 50 GB of data at the moment and we mostly work with PDFs, Excel files and we also have a company system created in MS Access (everyone has the frontend on their PCs and the backend is stored on the NAS)
  • we need to work with the MS Access system remotely
  • our network is currently set up as follows:
    • modem from the ISP in bridge mode
    • the modem is connected to a TP-Link router which is our base central config device for network and firewall
    • then there is a TP-Link 24 channel switch, which is connected directly to the router and handles all comms (computers, Synology etc.)
    • there is of course Wi-Fi available from the router, bunch of cell phones connected and some smart devices as well, and printers
Hopefully these will give you a good idea about our network configuration and our workflow.

My goal is for all employees to be able to access the Synology under their logins - not everyone has access to all the folders.

I'll apprecitate any follow-up recommendations :)
 
I completely understand as we're in the same situation--3 'employees' who are just all family. :D

Yeah, now the security doesn't have to be as strict.

Your synology is powerful enough to be your vpn server, especially if all the remote users need is access to the nas.

Your data sounds just like ours--mainly pdfs and regular 'office' files. However, if you will be accessing the database remotely, that may be an issue as the additional latency may cause it to not work properly. File access remotely over smb (windows explorer) is much slower since the protocol sends a lot of back and forth communications on each little bit of information transferred. The result is that larger file transfers can fail and accessing a large sequential file like a database may corrupt the entire database if the file isn't closed properly. This is going to be the key aspect of remote access for you as that's your main goal. In just some quick preliminary research, everyone is highly against trying to access access remotely as the likelihood to damage the database is very high:
https://www.google.com/search?q=accessing+ms+access+database+over+vpn&oq=accessing+ms+access+database+over+vpn&aqs=chrome..69i57.5791j0j1&sourceid=chrome&ie=UTF-8

The solution for the family guy is quite easy--he can simply remote access his office machine from his machine at home. This is actually nice because he can literally stop in the middle of a sentence at the office and pick up right where he left off at home. I find this convenience invaluable when I do this. :) Another bonus is that only his office machine will ever need to be upgraded as the home machine is simply displaying work, not actually doing it.

The solution for the sales guy is tricky if he needs to use his work laptop directly. But a better long-term solution is to simply have him remote into a desktop and use that computer in the same manner as the previous solution. The additional advantage to this is that the laptop will never need to be upgraded as all the heavy lifting is being done by the desktop back at the office and any upgrades on that desktop will result in speed improvements on the laptop since the laptop is simply displaying what is on the desktop--just like the previous scenario.

To set up the remote desktop access, you will need to port forward certain ports on your tp-link to the synology after enabling the synology vpn server. I would recommend using l2tp since it has a native windows client:
https://www.synology.com/en-global/knowledgebase/DSM/help/VPNCenter/vpn_setup

Then you would need to set up the client side on the users remote computer:
https://www.synology.com/en-us/knowledgebase/DSM/tutorial/Network/How_to_connect_to_Synology_s_VPN_Server_using_a_Windows_PC_or_Mac#t2

The details I am not sure about since I have not set up synology's vpn server is how the authentication will work, but I'm guessing that you can use the same user names/passwords that are already established for access to the nas. The other area that isn't completely clear is how the user will access the other systems on the local network since the vpn ip range is different than the lan. And because that is the goal--you may need to add some routing information in the synology or the tp-link to enable this.

Once it is set up, all the user would do is connect their vpn and then use remote desktop to log into their office machine. (You will probably need dhcp reservations on these machines to keep the IP address consistent if you don't already do this.) Then they will log in like usual and can work with everything as if they were local as local speeds. :)

I have a synology unit locally and can find out the exact details of setting this up for you, but this is usually what I do as a consultant. If you're interested in working on that, send me a private message as I would need some details on your network that you don't want to publicly post and we would probably want to move to another communication medium to continue the work.
 

ASK THE COMMUNITY

TRENDING THREADS