Help me understand VPN



I have been looking into ways to be able to access my unraid server from outside of my home network without port forwarding and a VPN server seems to be the best answer. What I can't wrap my head around for some reason is this.

 

On my router I have DD-WRT installed and currently use a VPN client, on the router, to connect to PIA vpn to secure my internet. Can I use that to connect to unraid and do I need to forward ports through it? I still think I need a VPN server on either my router or unraid to be able to connect to my home network securely when I am away but I am not sure. The problem I see is that my internet IP address will change every night when my router reboots because of the PIA vpn. How do I deal with that?

 

Am I just overthinking or overcomplicating things? Open to other suggestions that people have to make this work including ditching PIA.

Link to comment
3 hours ago, block134 said:

I have been looking into ways to be able to access my unraid server from outside of my home network without port forwarding

I believe the only way to accomplish this is with a 3rd party remote access company, like teamviewer. You can install the teamviewer client in a VM or another physical machine inside your network.

 

I can't think of a way to connect back to your machine from outside without either port forwarding or using a 3rd party to establish a persistent connection. AFAIK PIA is not going to work like that, and hosting a VPN inside your network like you would typically do requires a port forward to the VPN server inside the network.

Link to comment

First, decide what you mean by remote access to my unraid server. Does that mean ssh access to the machine, web access to view the UI and make changes, or access to shares or services you are running?

 

--Let me be clear, I'm not suggesting you set up a port forward to SSH or GUI access to unraid on your internet or VPN connection, but it's an example.--

 

Take ssh as an example: you can port forward on your real public IP and use a DDNS service to give yourself a static DNS which will update to your IP. -- This is not really the most secure way but it's an example.

 

I use AirVPN and the same could be done there. I can select a port forward and that arrives the same way as if it was my real IP address. This includes a DDNS service but you could use any online DDNS provider.

 

To answer your question, really you should be setting up a VPN server either on your router or potentially as a docker on Unraid. I don't really see a problem with opening a port on your public IP (not VPN) to host a VPN service for yourself only. That's for you to decide; using DDNS as described above will still work in this case.

 

I thought PIA did support port forwarding, but I don't use them so can't really comment. Anyway, I myself would run it on your public IP, not the VPN IP.

 

EDIT - If running Teamviewer within a VM suits your need, it's likely a good option. Or use OpenVPN and the only port forward will be to the OpenVPN server; then you'll need your details to connect, similar to what you have for PIA.

Edited by Tuftuf
Link to comment
3 hours ago, Tuftuf said:

First, decide what you mean by remote access to my unraid server. Does that mean ssh access to the machine, web access to view the UI and make changes, or access to shares or services you are running?

What I am looking for is access to the unraid UI and dockers as well as the shares, mainly the UIs.

 

I don't have a problem with opening a port for the VPN server since, from what I understand, it will still be secure because you will need the correct certificates to access it. For some reason I think I was just overthinking that aspect of it. If I understand correctly, if I use my non VPN ip address to access my server through a VPN server docker then it should work just fine. For some reason I was thinking that I had to use the PIA VPN ip address to access my server, which as I understand will cause problems because of the router's firewall since the router is running the VPN client for PIA.

Link to comment

One thing to be aware of: if you create a docker to run the openvpn service, you will need to add a network route back to the newly created vpn network via that new docker, otherwise your machines will not know how to find the new network.

 

These can be added per machine or on your router.

Link to comment
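The missing return route described in the post above, as an added example that is not part of the original thread: a small longest-prefix-match simulation showing where a LAN machine's reply to a VPN client goes with no static route, with the route on the router, and with the route on the machine itself. All addresses and subnets are constructed for illustration.

```python
import ipaddress

# Constructed addressing (assumptions, not taken from the thread)
LAN = "192.168.1.0/24"       # home network
ROUTER = "192.168.1.1"       # default gateway for LAN machines
UNRAID = "192.168.1.10"      # host running the OpenVPN docker
VPN_SUBNET = "10.8.0.0/24"   # tunnel network given to remote clients
VPN_CLIENT = "10.8.0.6"      # remote laptop connected over the VPN

# Routing tables as (destination network, next hop)
HOST_ROUTES = [(LAN, "on-link"), ("0.0.0.0/0", ROUTER)]
ROUTER_ROUTES = [(LAN, "on-link"), ("0.0.0.0/0", "WAN")]
VPN_ROUTE = (VPN_SUBNET, UNRAID)  # the route the post says is needed


def next_hop(routes, dst):
    """Longest-prefix match: next hop a device picks for dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), hop) for net, hop in routes
               if addr in ipaddress.ip_network(net)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def reply_path(host_routes, router_routes, dst):
    """Hops taken by a LAN machine's reply to dst (machine, then router)."""
    hop = next_hop(host_routes, dst)
    path = [hop]
    if hop == ROUTER:
        # The machine handed the packet to the router; ask the router next.
        path.append(next_hop(router_routes, dst))
    return path


if __name__ == "__main__":
    cases = {
        "no static route": (HOST_ROUTES, ROUTER_ROUTES),
        "route on router": (HOST_ROUTES, ROUTER_ROUTES + [VPN_ROUTE]),
        "route on machine": (HOST_ROUTES + [VPN_ROUTE], ROUTER_ROUTES),
    }
    for name, (host, router) in cases.items():
        print(f"{name:17} -> {reply_path(host, router, VPN_CLIENT)}")
```

A path ending in "WAN" means the reply is sent toward the internet and never reaches the VPN client; a path ending at the unraid address means it is handed back to the VPN server.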

The VPN you guys are talking about has nothing to do with PIA. VPN on your router does. If you set it up in your router, add a reallllyyyyy strong password. On the remote computer you add a VPN connection to your wrt router (win, mac, iOS have it as a network type). You need to know your IP, or if dynamic, you have to set something up like no-ip.com.

 

Once you connect to your wrt router, it's like you are in your home network. With unraid you do everything you normally do.

 

Did I say the password has to be strong?

Link to comment
8 minutes ago, block134 said:

Would this be better to set up the VPN server on the router or as a docker?

 

Depends. Would you rather have access to your entire network, even if unraid is shut down? Or would you rather have higher bandwidth over the VPN connection?

 

Most home grade routers don't have a very powerful CPU, and a docker is going to be able to use the much more powerful CPU in your unraid machine.

Link to comment

What I am currently doing is my router has a VPN client for PIA. I have a rule for the VPN on my router that sets the access through the VPN by ip address; this way I can still use Netflix on the computers I need it on. Unraid is not going through the VPN on the router.

 

I am using binhex-sabnzbdvpn for what I need on the unraid side because I get better download speeds for unraid dockers.

 

What I still want is a way to access my unraid server when away from the home network.

Link to comment
10 minutes ago, block134 said:

What I still want is a way to access my unraid server when away from the home network.

Which means running a VPN server on either your router or unraid. Not a VPN client. You run the client on the device you wish to use when you are away, and point it at your IP and port that you opened to the VPN server inside your network.

Link to comment

Teamviewer is a good option IMO. It allows you to remote control a workstation on your network. Through the remote control, you have all the rights and privileges of a machine that is already in your network, and the machine you are remoting from is not on your network. You are literally on your home computer while away. You can transfer files to the remote computer as desired. 

 

If from your home computer you can remote into other computers, you can do the exact same thing using RDP, VNC, SplashTop, or whatever. You can access the unRaid GUI on the home computer via the browser.

 

This is simple and secure. And you're not admitting some random computer into your network.

 

What you couldn't do is play a media file from your home network through a player on your remote computer, (although Plex and other tools have such features included in their products).

Link to comment

What I did was get a Raspberry Pi and install SoftEther VPN server https://www.softether.org/ so I can connect to the Raspberry, in my case via OpenVPN with a Mac using Tunnelblick, but you can use the OSX L2TP connection also!! (If you use the L2TP you can use it with iPhone, Android or any client!!) It even has its own DDNS built in!!! So when I connect to the Pi I see the computers and devices on my home network as a local user!! I can even connect to my Sonos speakers and play music away from home!!! Hope it helps!!

Link to comment

Start a vpn server on the same network as your unraid server and after you VPN into your network you are now on the network and can do whatever you want the same as you would if you were actually on that network: remote to other computers, bring up an http server, view local file shares, print to local printers, whatever. This is the "right" technical answer since you're using a secure protocol to solve the problem; however, there will be some bumps and googling needed along the way, so if you're not interested in that and just want it to work right now, just use an application solution that was already mentioned: teamviewer. Just make sure to enable multi factor authentication, since if someone gets your password that means they get to control all the machines your login has permissions over.

Link to comment

Thanks for all of the help so far. It has helped me understand better. Since I will be out of town for the next few weeks I am now looking for something quick to set up that really only gives access to UIs on my server, not worried about the shares but it would be nice. I have tried to set up a VPN server docker but I can't seem to connect to it from outside of my network, but that is an issue for another topic. I am guessing it is a port/firewall issue with my router but I haven't been able to narrow it down. Just don't have enough time in the day to troubleshoot and research.

Link to comment

I accomplished what you're looking to do by using Sophos on a couple of old computers -- the Sophos boxes establish a site to site VPN so I can access my unRaid box at the office from home as if it was local and from the office I can access my home unRaid box as if it was local to the office. Added benefit is that I can access everything else on either network as well. My laptop can also access the combined network by a VPN when on the road.

You can do the same setup using VMs and maybe even with dockers but I prefer to keep the router separate and had two old computers to use anyway.

Link to comment
