Setup VPN for remote access to my NAS

After finishing the initial setup of my freshly built NAS, I want to be able to connect to it from outside my house, so that I can monitor my server more easily.

Using a VPN, or tunneling, is generally a safe and flexible way to get remote access to a local network that you do not want to expose to the public internet.

I chose to set up my VPN using WireGuard as it is easy and intuitive to use.

Install WireGuard

First, install WireGuard.

sudo apt update && sudo apt install wireguard

Then, enable IP forwarding.

echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv6.conf.all.forwarding = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

After that, generate a public and private key pair for authentication. It is the same concept as SSH keys.

wg genkey | tee ~/path/to/privatekey | wg pubkey > ~/path/to/publickey

The privatekey and publickey files can be given any name for easier management.

Warning!
Make sure to keep the private key secret!

Now, create a config file for WireGuard.

sudo nano /etc/wireguard/wg0.conf

The configuration will look something like this:

[Interface]
# The machine that is running wireguard
Address = 10.0.0.1/24 

SaveConfig = true

# The port of this machine
ListenPort = 51820 

PrivateKey = <YOUR_PRIVATE_KEY>  # Replace with the key from "privatekey"

# iptables rule to forward traffic
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Save the file, and set the proper permissions.

sudo chmod 600 /etc/wireguard/wg0.conf

After that, enable the WireGuard service and start it.

sudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0

Configure port forward on Router

Assume the NAS/server is behind a home router. Depending on the ISP, the settings on the router may differ, but the concept is the same.

We have to route the traffic from the public internet to the destination, which is the NAS.

The diagram should look something like this:

public internet --> home router --> NAS

Before going to the client devices (the devices you want to connect from the public internet to this local network), we have to make sure the port is properly forwarded from the public internet.

We have configured WireGuard to use port 51820, so we want the router to forward incoming traffic to port 51820 of the NAS.

First, log in to the router admin page. Its IP address normally looks like 192.168.1.1 or 192.168.10.1. You can look for it on the label of your router.

After logging in, look for the port forwarding/mapping setting and add a new rule to it.

Item        Value
Priority    number (1, 2, 3, ...)
Host        private IP of the NAS
Port from   51820
Port to     51820

If the router does not allow 51820 as the "Port from" value, choose any other port and remember it for later use.

Install WireGuard on client

On the devices you want to connect to the VPN, download WireGuard from the official site.

Create an empty tunnel, and insert the details below:

[Interface]
Address = 10.0.0.2/24
PrivateKey = <CLIENT_PRIVATE_KEY>  # Generate a new key pair for the client
DNS = 8.8.8.8  # Google's DNS server

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>  # Use the public key from your NAS
Endpoint = <YOUR_PUBLIC_IP>:51820  # Replace with your router’s public IP
AllowedIPs = 0.0.0.0/0, ::/0  # Route all traffic through VPN
PersistentKeepalive = 25

In the Endpoint, use the "Port from" number you set in your router earlier.

Then, on the server (NAS) side, add the client to the WireGuard configuration.

sudo wg set wg0 peer <CLIENT_PUBLIC_KEY> allowed-ips 10.0.0.2/32

The CLIENT_PUBLIC_KEY is generated during the setup on your client device.
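
As an added example (not part of the original post), this shell function checks a server config for the two protections used above: the chmod 600 on the file and a single-host allowed-ips entry per peer. The function name wg_lint and the sample config with placeholder keys are constructed for illustration.

```shell
# Added example: lint a WireGuard *server* config against the two settings
# this post relies on. Prints one finding per line; returns 1 if any.
wg_lint() {
    conf=$1
    findings=0
    # 1. The file contains PrivateKey, so group/other get no access (chmod 600).
    perms=$(ls -ld "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "PERMS: group/other can access $conf ($perms)"
        findings=1
    fi
    # 2. Each [Peer] on the server should be limited to its own tunnel
    #    address (/32, or /128 for IPv6), as in "allowed-ips 10.0.0.2/32".
    wide=$(awk '
        { sub(/#.*/, "") }                                  # strip comments
        /^[ \t]*\[/ { sec = tolower($0); gsub(/[^a-z]/, "", sec); next }
        sec == "peer" && tolower($0) ~ /^[ \t]*allowedips[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, ips, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", ips[i])
                if (ips[i] != "" && ips[i] !~ /\/(32|128)$/) print ips[i]
            }
        }' "$conf")
    for ip in $wide; do
        echo "ALLOWEDIPS: peer range $ip is wider than a single host"
        findings=1
    done
    return "$findings"
}

# Constructed sample (placeholder keys): one correct peer, one peer that was
# given the whole tunnel subnet, in a file that is world-readable.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Interface]
Address = 10.0.0.1/24
PrivateKey = <YOUR_PRIVATE_KEY>
[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = <SECOND_CLIENT_PUBLIC_KEY>
AllowedIPs = 10.0.0.0/24  # too wide
EOF
chmod 644 "$sample"
wg_lint "$sample" || true
rm -f "$sample"
```

On the NAS, run it with root privileges against /etc/wireguard/wg0.conf. With SaveConfig = true, peers added by wg set are written to that file only when the interface is brought down or after wg-quick save wg0.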

Try to connect for the first time!

Open WireGuard, import wg-client.conf (which you created just now), and click activate.

On a laptop or PC, open the file explorer, type in \\10.0.0.1 , and you will see the folders on your NAS appear!

On a mobile device, you can download a file manager that supports SMB, and do the same.

From now on, you can access your home local network anytime, from anywhere!

After Thoughts

I was able to make it work for the first time and it was so exciting.

However, most ISPs will change your public IP from time to time, and you need to manually change the public IP in your WireGuard config. But it will work for the moment.

The more secure and reliable way is to use something like Cloudflare Tunnel if you have a domain name.

I will try to configure that to my server since I am hosting my blog on it already, so might as well use the feature for remote access.

But until then, see you next post! And have a nice day!