In this tutorial I’ll explain the inherent risk of exposing your QNAP to the internet and how we can establish a setup secure enough to be able to connect and manage our unit from outside our LAN with minimal risk.
DISCLAIMER: Zero risk doesn’t exist. While there are different security grades depending on your setup, it is impossible to be 100% safe when your unit is connected to the internet.
If you need 100% security, follow these steps:
- Turn off your unit
- Unplug any attached cable, including power connection
- Your QNAP is now 100% safe against remote attacks
DISCLAIMER 2: I’m not a computer expert. What I say here is an oversimplification, so people not too tech savvy can understand. Please, don’t laugh too much at me.
First, some basics (you can skip to the setting tutorial at the end if you don’t care about “why” and only want to know “how”)
What does “to expose the NAS” mean?
Your unit needs network connection to perform tasks, be them download, browse, connect to other computers, etc. Inside your LAN, usually any computer is directly accessible to any other computer, because your local network is considered “safe”. If your Raspberry Pi wants to access a Jellyfin server running in another computer, there is no reason to deny it, as we assume that the Pi will not be a malicious computer.
But outside your LAN (the internet) there are malicious actors, and so your router needs to separate the outside (WAN) from the inside (LAN). By default it will deny any inbound connection from the WAN to any computer in your LAN, while at the same time allowing responses from outside servers to reach the computers that made the requests.
It goes more or less like this:
Computer A inside LAN wants to get a .jpg from server B in WAN, so it sends to your router a request. Router sends the request to server B, and it sends back an answer with the .jpg file to your router. Your router receives that connection, and since it’s a followup from a previous request from computer A, it allows the connection to reach computer A. Computer A shows the .jpg file.
But if server B directly sends a connection with a .jpg file to your router that was not preceded by a request from computer A, your router does not know what to do with it, and blocks it.
By default, if you give internet access to your QNAP, you are not “exposing” it to the WAN, because any random connection originating from the WAN will not reach it. To expose it, you have to actively perform port forwarding on your router.
What is port forwarding
Port forwarding means redirecting inbound connections to specific ports originated from WAN into specific IP addresses inside your LAN.
Server B sends a connection request to your router in port “8000”. Your router gets that connection, and if you opened (port forwarded) port 8000 to IP 192.168.1.200 (computer A), then it will “forward” that connection to port 8000 on computer A, allowing server B to directly reach computer A.
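To make the two cases concrete (a reply that is allowed in because it matches an earlier outbound request, an unsolicited connection that is dropped, and the same connection reaching the NAS once a port forward exists), here is a toy model of that router behaviour. It is an added example, not code from the original post or from QNAP; the IP addresses and ports are constructed, and real NAT also rewrites source ports, which this model leaves out for clarity.

```python
# Toy model of a stateful home router: return traffic is allowed, unsolicited
# inbound traffic is dropped unless a port forward exists.
# Added example, not from the original post. All addresses are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Router:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        # flows started from the LAN: (lan_ip, lan_port, wan_ip, wan_port)
        self.tracked = set()
        # port forwards: public port -> (lan_ip, lan_port)
        self.forwards = {}

    def outbound(self, pkt):
        """A LAN host sends a request; remember the flow so the reply can come back."""
        self.tracked.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        # simplification: the source port is kept as-is when leaving the router
        return Packet(self.public_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def add_port_forward(self, public_port, lan_ip, lan_port):
        self.forwards[public_port] = (lan_ip, lan_port)

    def inbound(self, pkt):
        """Return the packet as delivered into the LAN, or None if the router drops it."""
        for lan_ip, lan_port, wan_ip, wan_port in self.tracked:
            # a reply to something a LAN host asked for: let it through
            if (pkt.src_ip, pkt.src_port, pkt.dst_port) == (wan_ip, wan_port, lan_port):
                return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        if pkt.dst_port in self.forwards:
            # an explicitly forwarded port: anyone on the WAN reaches the LAN host
            lan_ip, lan_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        return None  # unsolicited and not forwarded: dropped

    def exposed_ports(self):
        """The only ports the WAN can reach without a prior LAN request."""
        return sorted(self.forwards)


def demo():
    router = Router("203.0.113.10")           # constructed public IP (TEST-NET-3)
    computer_a, server_b = "192.168.1.200", "198.51.100.7"

    # computer A asks server B for a .jpg; the reply is allowed back in
    router.outbound(Packet(computer_a, 51000, server_b, 80))
    reply = router.inbound(Packet(server_b, 80, router.public_ip, 51000))

    # server B tries to reach port 8000 on its own: dropped
    unsolicited = router.inbound(Packet(server_b, 4444, router.public_ip, 8000))

    # after forwarding port 8000 to computer A the same connection gets through
    router.add_port_forward(8000, computer_a, 8000)
    forwarded = router.inbound(Packet(server_b, 4444, router.public_ip, 8000))
    return reply, unsolicited, forwarded, router.exposed_ports()


if __name__ == "__main__":
    for label, result in zip(("reply", "unsolicited", "forwarded", "exposed"), demo()):
        print(f"{label}: {result}")
```

The last value returned by `demo()` is the point of the whole post: before any port forward the list of WAN-reachable ports is empty, and every port you forward is added to it.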
Port forwarding exposes your computer to the internet, and bad things can happen. You don’t usually expose “all ports” to the internet, but specific ports, usually corresponding to services running on your NAS.
If you have Jellyfin server running on port 8096, Deluge on port 9000, and Jdownloader on port 5000, and you want to access them from any computer outside your LAN (the internet) then you can simply port forward those ports to your NAS, and any connection to your public IP (router) on port 8096, 9000 and 5000 will reach your NAS.
Easy, isn’t it?
OK, DON’T DO THIS
That would allow ANY computer to access those services running on your NAS. That is the way attackers (please, don’t say “hackers”) can reach your services and use them to invade your computer.
Let me stress this a little more: DO.NOT.OPEN.PORTS.TO.YOUR.NAS
If you do, you deserve what happens to your NAS.
Now, go to your QNAP ASAP and disable myQNAPcloud and UPnP. Those are also security risks.
So, if I don’t open ports, I’m pretty safe, but this will not allow me to access my services from the internet, right?
YES. This is the safest possible choice.
But I want to access my NAS or services from internet
Ok, then keep reading.
My service (insert here QTS, Plex, Jellyfin, Deluge, etc etc etc) is protected with a 64 digit password and 2FA. No one is going ever to guess my password
It’s not a matter of guessing or bruteforcing passwords. There are ways to gain access to any software bypassing login. Those are called vulnerabilities, and include a full array of techniques, including code injection, exploits, buffer overflow, bugs, and lots of other techniques. Vulnerabilities are often patched when published, but until they are (those are called 0-days or near-days) they can be very dangerous.
Wait, wait, wait, wait. So you are saying that there are/have been vulnerabilities in QNAP OS (QTS) that might allow attackers to gain access to my unit?
Mmmm…
Yes, a couple of them, maybe?
But those are old/outdated vulnerabilities
Yes, but vulnerabilities are always being discovered, and some never even get reported. Don’t push your luck.
I’m using myQNAPcloud, am I safe?
No. myQNAPcloud simply forwards requests to your NAS through their servers. If you can reach QTS, you can exploit it. Disable myQNAPcloud. NOW. Also, disable UPnP.
This only applies to QTS? Should I still port forward my other services (Plex, Jellyfin, Deluge, etc)?
This applies to every single service. More services available means more attack surface, in the same way that it is easier to penetrate a computer with SSH, FTP, Apache, MySQL and VNC enabled than a computer with only SSH enabled. The more services are reachable, the higher the chance of finding an unpatched vulnerability.
There are, of course, services more secure than others. A Nextcloud instance will be much more secure than QTS (mainly because of the FOSS nature of Nextcloud), but why should you take the risk?
Those services are running in a Docker container / virtual machine, so even if they are penetrated, the attacker will not reach my unit’s OS
While it is true that containers or virtualization add an extra layer of security, because if the service is breached the attacker finds itself contained inside the container rather than in the main OS, escaping a container or VM is not impossible.
So, again, less attack surface means safer.
Fear not, there are ways to (mostly) securely access all your services that do not involve port forwarding every service. One example could be using a reverse proxy like Nginx, but I sincerely lack the required network knowledge for this. So, as an alternative, I will teach you (or at least try to) how to access your services using a VPN server.
VPN stands for Virtual Private Network, and it’s just a way to create an encrypted tunnel between two computers.
You might have read about VPNs as a way to bypass network control (PIA, NordVPN, ProtonVPN, etc). Those are services that you pay for and that encrypt your connection from your computer to their servers, making any data monitoring in between difficult. Well, this is the same, but instead of paying to connect to some random servers outside, you will connect to your NAS. The magic about this is that once you establish a VPN connection between a computer and your NAS, since your NAS is inside your LAN, you will have access to any other computer or service in your LAN. It is essentially as if you were inside your house, connected to your WiFi.
Isn’t this wonderful?
Any computer inside your LAN can act as a VPN server (Raspberry Pi, desktop PC, router, NAS…) but not everyone has a Raspberry Pi lying around, or a router able to perform VPN server functions (usually routers work best for this, as they are specifically designed for this task, but low-grade consumer models don’t allow it, so I will skip this). I will teach you how to configure your QNAP to act as a VPN server using the OpenVPN protocol. There are other protocols, like PPTP or L2TP/IPsec, but the most secure is OpenVPN, and this is the one we are going to use.
GUIDE STARTS HERE
This guide is based on this document available at QNAP
In first place, ensure you have QVPN installed in your QNAP. This is the software we are going to use in this tutorial.
Select the OpenVPN tab on the left side, and click “Enable OpenVPN server”. Now let’s configure:
- On VPN client IP Pool, select range 10.8.0.2 - 10.8.0.254. This is the range of addresses your clients will be assigned when they connect.
- Server port: Select UDP, and whatever port you want to use, for example 33666
- Maximum number of clients: Select the max number of clients you want to connect simultaneously. i.e. 5
- Encryption: You can choose either AES 128 or 256 bit. 256 bit is more secure in case someone is snooping your connection and tries to decipher it (like a MITM attack), but it consumes more resources. Generally speaking, 128 bit is more than enough.
- Network interface: Select All
- DNS server: Whatever you want or leave it blank
- Check “use this connection as default gateway for remote devices” and “enable compressed VPN link”
- Then Apply changes.
- Click on “Download configuration files”. You will be prompted to save an .ovpn file. Save it. If you are curious, you can open it (it is a text file). You can edit the OpenVPN settings here. Note the “remote XXX.XXX.XXX.XXX 33666” line, where XXX is your public IP and 33666 is the selected port. You can change this if your public IP changes. If you have a dynamic IP, you want to put your DDNS name here, like this: “remote qnaptest.duckdns.org 33666”
Now go to the Privilege Settings tab (just under OpenVPN). There you will see your QNAP users. Choose which users you want to allow access to the VPN server and check OpenVPN for those users. Apply.
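Since the downloaded .ovpn profile is plain text, the edit described above (pointing the “remote” line at a DDNS name instead of a fixed public IP) can be done safely with a small script. The following is an added example, not code from the original post or from QNAP: it parses the directives of a profile, including inline <ca>…</ca> blocks, reports the settings that matter for this guide (remote host and port, protocol, cipher, whether a CA certificate is embedded) and rewrites every remote line. The sample profile is constructed; the certificate body is a placeholder, and a real QVPN export will contain more directives than shown here.

```python
# Parse and edit an OpenVPN client profile (.ovpn).
# Added example, not from the original post. SAMPLE is a constructed profile.
import re

SAMPLE = """\
# constructed sample profile, not a real QVPN export
client
dev tun
proto udp
remote 203.0.113.10 33666
resolv-retry infinite
nobind
cipher AES-128-CBC
comp-lzo
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CERTIFICATE-BODY
-----END CERTIFICATE-----
</ca>
"""


def parse_ovpn(text):
    """Return the profile as a list of (directive, [args]).

    Comments and blank lines are skipped. Inline blocks such as <ca>...</ca>
    become a single ("ca", [block body]) entry."""
    directives = []
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        block = re.fullmatch(r"<(\w+)>", line)
        if block:
            tag, body = block.group(1), []
            for inner in lines:            # consume until the matching close tag
                if inner.strip() == f"</{tag}>":
                    break
                body.append(inner)
            directives.append((tag, ["\n".join(body)]))
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives


def describe(directives):
    """Pick out the settings this guide talks about."""
    info = {"remote": None, "proto": None, "cipher": None, "has_ca": False}
    for name, args in directives:
        if name == "remote" and len(args) >= 2:
            info["remote"] = (args[0], int(args[1]))
        elif name == "proto" and args:
            info["proto"] = args[0]
        elif name == "cipher" and args:
            info["cipher"] = args[0]
        elif name == "ca":
            info["has_ca"] = True
    return info


def set_remote(text, host, port):
    """Rewrite every 'remote' line to host:port, e.g. a DDNS name.

    Lines inside inline blocks never start with 'remote', so they are untouched."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    if not re.fullmatch(r"[A-Za-z0-9.-]+", host):
        raise ValueError("host contains unexpected characters")
    out, replaced = [], 0
    for line in text.splitlines():
        if line.split()[:1] == ["remote"]:
            out.append(f"remote {host} {port}")
            replaced += 1
        else:
            out.append(line)
    if replaced == 0:
        raise ValueError("no remote line found in profile")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(describe(parse_ovpn(SAMPLE)))
    updated = set_remote(SAMPLE, "qnaptest.duckdns.org", 33666)
    print(describe(parse_ovpn(updated)))
```

To use it on a real export, read the file into `text`, call `set_remote(text, "your-ddns-name", 33666)` with the port you chose on the server, and write the result to a new .ovpn file that you then import into the client.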
Congrats. You got it
To be able to reach your VPN service, you need to port forward the OpenVPN server port on your router. In this case, the target IP would be your NAS IP, and the port would be 33666. Each router is configured differently, so search for your specific model’s instructions. Don’t worry, you are not exposing your full QNAP to the internet, just a single port.
Now all that is left is to configure the OpenVPN client in the computers you want to be able to access to your VPN. You can download the OpenVPN client here:
- Windows
- Mac (I have not tested this one)
- Android
- Most Linux distributions like Ubuntu and Mint have an integrated VPN client, but if not, you can install it with the classic “apt-get install openvpn” CLI.
Install the OpenVPN GUI software. Create a new connection using the .ovpn file you downloaded before: right click, Import File (the .ovpn file you saved before), choose Connect and fill in your user login and password. Establish the connection. If everything went OK, you will now be connected securely to your QNAP. Now open a browser and try to access QTS and your services as if you were inside your LAN and see if it works.
Now, each time you want to access your QNAP for anything (watch a movie, download a file, manage QTS, manage torrents, etc) just connect using OpenVPN, and you will be able to access it safely.
You said that opening ports is bad, and that there is no way to be totally safe
Yes. You will be safer if you can’t access your unit from the WAN at all. But we are making a compromise here. OpenVPN is a secure, open source protocol that will provide you enough security while at the same time allowing you to access every single service on your QNAP by opening a single port, on which a secure service (OpenVPN) is running.
If you want to access your QNAP from the internet, this is the best you can do, and the only advisable way to do it. It is less convenient than opening ports, but it is more secure. It is totally worth the effort.
That is all. I’ll be linking this tutorial in the wiki. Corrections and suggestions are welcomed.
Stay safe, folks.