VPN from home NAS system.
October 16, 2009 10:36 AM   Subscribe

I am trying to set up my router so that I can get at my files on my 3 NAS boxes. These NAS boxes are 1) D-Link DNS323, Infrant ReadyNAS NV+, and a Buffalo TeraStation HD-H2.0TGL/R5. The router is connected to the internet via a home service cable modem so it won't have a static IP and one step is to find the IP address before accessing. I have a router (DLink DGL-4100) which says it can make a IPSec VPN or FTP using a Virtual Server (I think). There would be no other PCs on the network since I would be taking my laptop with me when I access the network. The manuals for the routers talk about FTP serving but if I get a VPN set in my router then I should be able to just browse for whatever I want that way...right? The instructions say it can be done, but how? Please give me step by step instructions the best you can for setting up the router, the NAS boxes and my XP laptop (with suggested software, if necessary) since I have looked all over the internet and can't find anything I can understand. Of course the access should be encrypted and password protected. THANKS GUYS.

From the router manual. (DGL-4100):
Application Level Gateway (ALG) Configurations
Here you can enable or disable ALG’s. Some protocols and applications require special handling of the IP payload to make them work with network address translation (NAT). Each ALG provides
special handling for a specific protocol or application. A number of ALGs for common applications ar enabled by default.

Allows multiple VPN clients to connect to their corporate network using IPSec. Some VPN clients support traversal of IPSec through NAT. This ALG may interfere with the operation of such VPN clients. If you are having trouble connecting with your corporate network, try turning this ALG off. Please check with the system adminstrator of your corporate network whether your VPN client supports NAT traversal.

Allows FTP clients and servers to transfer data across NAT. Refer to the Advanced -> Virtual Server page if you want to host an FTP server.

Virtual Server
The Virtual Server option gives Internet users access to services on your LAN. This feature is useful for hosting online services such as FTP, Web, or Game Servers. For each Virtual Server, you define
a public port on your router for redirection to an internal LAN IP Address and port.
Example: You are hosting a Web Server on a PC that has Private IP Address of and your ISP is blocking Port 80.
1. Name the Virtual Server Rule (ex. Web Server)
2. Enter in the IP Address of the machine on your LAN –
3. Enter the Private Port as [80]
4. Enter the Public Port as [8888]
5. Select the Protocol - TCP
6. Ensure the schedule is set to Always
7. Check the Add Rule to add the settings to the Virtual Server List
8. Repeat these steps for each Virtual Server Rule you wish to add. After the list is complete, click Save Settings at the top of the page.
With this Virtual Server Rule all Internet traffic on Port 8888 will be redirected to your internal web server on port 80 at IP Address

From the D-Link NAS DNS-323 manual:
FTP Server
The DNS-323 is equipped with a built in FTP Server, which is easy to confgure. It allows users access to important data whether they are on the local network or at a remote location. The FTP server can be confgured to allow user access to specifc directories, and will allow up to 10 users to access the DNS-323 at a time.

This section contains the configuration settings for the DNS-323 FTP Server.
The current settings and status of the DNS-323 FTP Server are displayed here.

The FTP access for users and groups can be added and edited here.

Category Determines whether the FTP server rule will apply to an individual user or a group.

User / Group Select the group or user the FTP server rule will apply to.

Folder Browse to and select the folder or directory you are granting FTP access to. Select root to grant access to all volumes.

Permission Set the user or group permission to Read Only or Read/Write.

FTP Server Settings
Max User: Sets the maximum amount of users that can connect to the FTP server.
Idle Time: Sets the amount of time a user can remain idle before being disconnected.
Port: Sets the FTP port. Default is 21.
Flow Control: Allows you to limit the amount of bandwidth available for each user.

Most standard FTP clients like Windows FTP, only support Western European codepage when transferring files.
Support has been added for non-standard FTP clients that are capable of supporting these character sets.

Access List: Lists all defned FTP Rules.

If you are behind a router, you will need to forward the FTP port from the router to the DNS-323. Additional flltering and frewall settings may need to be modifed on your router to allow FTP Access to the DNS-323 from the Internet. Once the port has been forwarded on the router, users from the internet will access the FTP server through the WAN IP address of the router.

From the ReadyNAS NV+ manual.

To access the share via FTP in Share security mode, log in as “anonymous” and use your e-mail address for the password.
To access the share in User or Domain security mode, use the appropriate user login and password used to access the ReadyNAS. For better security, use an FTPS (FTP-SSL) client to connect to the
ReadyNAS FTP service. With FTPS, both the password and data are encrypted.

From the Terastation manual.
To allow Anonymous FTP, choose Enable for Anonymous FTP Server. Select a folder to share from the Anonymous User Public Shared Folder (only one folder may be shared by anonymous FTP) and
choose whether you want the share to be Writable or Read Only. Click the Apply button to set up anonymous FTP.
If FTP Server is disabled in the Basic window, this page will not be accessible.
Anonymous FTP mode uses port 8021 (e.g. ftp://IP Address:801).
posted by CodeMonkey to Computers & Internet (5 answers total) 2 users marked this as a favorite
Unless I'm misunderstanding the manual, you can only connect to a VPN as a client (so you would not need client software on your laptop). It doesn't not have the functionality to act as a VPN. If you had a VPN device you'd be able to traverse your network storage as you would on a local network. In my experience protocols like SMB do not do well over low-bandwidth high latency connections. You also need to do a bit of tweaking to improve performance, which I don't know if you'd be able to do with these NAS devices (Windows 2003 makes this sort of easy by editing registry entries, at least it is doable).
posted by geoff. at 11:03 AM on October 16, 2009

I mean act as a VPN server. Check out Cisco's low-end 800 routers for that capability. Don't know how much a pain in the ass having a dynamic IP address would do to you though.
posted by geoff. at 11:06 AM on October 16, 2009

You can get around the dynamic DNS issue if you purchase a domain name and use a dynamic service like dyndns. You router looks like it can handle automatic number updating.
posted by bonehead at 11:39 AM on October 16, 2009

You want to be able to VPN into your home network. Perhaps you can get OpenVPN installed on a smaller embedded router (like a WRT54GL or similar)?
posted by joshu at 12:15 PM on October 16, 2009

As bonehead says, you can get around the problem of your IP changing fairly easily by using a scheme known as dynamic DNS. You don't even need to buy a domain if you can come up with something you like using one of DynDNS's free domains. There are other dynamic DNS services, but DynDNS is the one I'm most familiar with.

Basically how it works is you go into your router set up (page 40 in the router manual) and feed it your DynDNS account info, and every time you home ISP issues your modem a new IP address, the router picks up on it and notifies the DynDNS service, which propagates the DNS change throughout the internet. That solves the problem of having to figure out your home IP every time.

As far as VPN, it appears that your router only supports the passage of VPN data. It does not provide VPN functionality in and of itself. You're going to need another device that acts as a VPN endpoint, or come up with a different solution.

By using DynDNS and the Virtual Server features, you could work around the VPN thing but it will be rather less elegant. It sounds to me like D-Link's Virtual Server feature is what others refer to as port forwarding. Basically how that works is you set your 3 FTP servers up with static IPs, then you configure the Virtual Server portion of your router to have 3 virtual servers, listening on 3 different public ports, and have each public port point to the private IP address of one of your FTP servers. Then if you connect to your home domain on port X, the router forwards you to server 1. Connect on port Y, it goes to server 2, and port Z to server 3, so if you wanted to be connected to all 3 FTP servers at once you would need to have open 3 different FTP sessions.

Here's my example set up:

You sign up with DynDNS and pick your free domain name to be codemonkey.dontexist.net and you set up your router as per the DynDNS info and the instructions on page 40 or the router manual.

You have 3 FTP servers. For this exercise we'll say one of them is for music, called Music, one of them is for movies, named Movies, and the 3rd is for all your work files, called Work.

You configure your 3 servers to have static IPs. You assign Music to be Movies will be and Work will be Those are the internal IP addresses that will never be shown to the outside world.

Following the instructions on page 20 of your router manual, you create 3 virtual server entries, named Music, Movies, and Work. You have to arbitrarily assign 3 public ports (ports on your domain codemonkey.dontexist.net) so you give 7777 to Music, 8888 to Movies, and 9999 to Work. The private ports on each entry will be the port that each server is listening on internally, most likely the default FTP port of 21, so you assign the private port of 21 for each Virtual Server entry.

Now, when you want to get to your music, you go to ftp://codemonkey.dontexist.net:7777. To access your movie server, you ftp to codemonkey.dontexist.net:8888, and to get to your work files, you go to ftp://codemoneky.dontexist.net:9999.

This is the way to do it without spending any more money. If you don't like any of the free DynDNS domains you can buy one you like and use that, or you could buy some sort of VPN endpoint like geoff. and joshu suggest to do away with managing 3 different virtual server connection. Or you could set up a cheap PC that can talk to all the NAS boxes and do a remote connection into it, something like that.

I hope this helps. MeMail me if you need clarification or have further questions.
posted by Liver at 1:10 PM on October 16, 2009 [1 favorite]

« Older Cat Drama. The cat's the sane one.   |   Receive me. Newer »
This thread is closed to new comments.