Needing Remote Access Advice

BraveSirRobbin

Moderator
I’m needing advice on the best way to remote into my home network using my existing hardware (buying additional/better hardware such as pfSense is not an option for now).

I have a Netgear Nighthawk firewall/router (Model R8000P) that is used for my main firewall (yea, I know… 😒). This has native OpenVPN capability.

On my home network LAN, I have a Synology NAS and a HomeSeer 4 computer (the only two devices that I need remote access to). I can access the HomeSeer computer via myHS.com service and I currently use HSBuddy to access the system via our phones.

The Synology NAS has native OpenVPN capability as well.

What option would be more secure/better to use?
  1. Use the Netgear OpenVPN to get access to the entire LAN remotely

  2. Continue to use myHS for HomeSeer access, then use the OpenVPN capability of the Synology NAS (which would require port forwarding to the Synology NAS on the Netgear Firewall)?

Thanks for the advice,

BSR
 
Personally, #1: Use the Netgear OpenVPN to get access to the entire LAN remotely

Less invasive and no need to open a port up for OpenVPN use on Firewall.

Here started with IPSec VPN many many years ago then installed OpenVPN and use both today.

There are OpenVPN clients available for iOS, Linux, Android and Windows. I have never used myHS for Homeseer access.

I do have a tabletop tablet that runs Homeseer Touch, HAI OmniPro Touch and VPN to call home and it works great.
 
I'd recommend going the Cloudflare Tunnel route, which is free, and doesn't require you to open up any ports, which is a much better security posture than port forwarding. Even if you do go with port forwarding in the end, never expose your NAS directly. Cloudflare relies on a very lightweight agent which establishes an outbound connection from your network to their infrastructure, and they reverse proxy the traffic safely into your network based on your rules.

Depending on the model you have, your Synology can run Docker containers, so you can run the cloudflared service on this system, but it runs on Linux and Windows just fine.

 
Your NAS usually contains important & personal data, so ideally you want to go out of your way to protect this data. This is not a dig at OpenVPN (despite plenty of CVEs). Even if you have everything configured properly and locked down nicely, the next 0-day authentication-bypassing exploit may be out there already.

A storage appliance hosting your private data should not be functioning as a firewall or remote access endpoint. I'm not even a fan of running additional applications on this device, despite the ability to run Docker containers or install 3rd-party plugins. In the end, it's all about carefully balancing your needs vs security, but I've seen way too many folks configuring cloud-based add-ons or making internal web services available via port forwarding, and regretting it later.

Some additional reading materials:
 
I took electron's advice and set up Cloudflare tunnel on my Synology NAS running a Docker container.

I would also like to get Remote Desktop working on one of my Win 10 Pro PCs, but having a bit of trouble setting this up with this tunnel. I'm having issues installing the Cloudflare client on the Win 10 Pro machine. I downloaded the Cloudflare Windows Client .msi installer, but it doesn't seem to be installing.

I'll have to investigate this a bit more.
 