Making data externally available via OpenVPN?

  • Hello all,


    I have a question about the implementation. I currently have a NAS connected to my small HP EliteDesk 800 G3 USDT i5-6500T server. This is connected to an Asus router, which in turn is connected to the Fritz!Box. The layout is as follows: (Internet) > Fritz!Box > Asus router (VPN server and WiFi) > HP EliteDesk with OMV and NAS with 4x4TB attached.


    I want to make my downloads, which are fetched automatically with JDownloader, available to my friends and me. I thought this would be possible with the help of OpenVPN.


    That is, the client connects to the router via OpenVPN and can then use FTP to pull the files. I am aware that my speed at the moment, with a 100 Mbit line, is not exactly a highlight, but it is enough.


    Who has a good idea of how I can implement this? It should at least be possible to restrict access, as private files are also on another drive. Mainly Windows clients are used. In my opinion SMB will not be usable externally, right?

    On my Android and via VPN I have already enabled access via an external file manager. But this only works via FTP.


    Does this option make sense?


    lg. Phil

    • Official Post

    Who has a good idea how I can implement this? It should at least be possible to restrict access, as private files are also on another drive. Mainly Windows clients are used

    Unless the router allows you to restrict access to the rest of the network, I don't think you can prevent your friends from having access to things other than that folder. I wouldn't do it that way.

    You can use openmediavault-sftp and provide them with a key to access those files, or you could also use Nextcloud. [How-To] Nextcloud with swag (Letsencrypt) using OMV and docker-compose

    Surely there are other approaches; someone else will contribute something.


    Note: There is a Wireguard plugin on OMV, but you would have the same problem as with OpenVPN, restricting access to just one folder. You can use it for your own access.

    In my opinion SMB will not be usable externally, right?

    No. No way. Don't do that if you don't want to get hacked.

  • Thank you very much for the feedback. It all sounds like I'm leaning towards Nextcloud, since this would really be a security gap via OpenVPN....



    I have now tried to install Nextcloud in Portainer. As far as I could tell, I created the users and assigned the rights. I put the volume "data" on the hard disk where I also want to make the data available, changed it (see bold below) and entered the URL below. According to the provider bplaced, this is also Let's Encrypt compatible and activated. Ports have been opened in the Fritz!Box and Asus router.



    Unfortunately, I still get the error message (docker logs -f swag) that no certificate can be created. (Last spoiler)

    The website https://anonymXXX.bplaced.net:443/nextcloud therefore only redirects me to the provider (Attention: the modified email is not the correct one).


    Where can the error lie? I hope I can continue this in this thread.


    thanks :)



    nano docker-compose.yml


    nano /srv/dev-disk-by-label-disk1/appdata/nextcloud/config/www/nextcloud/config/config.php


    docker logs -f swag

    • Official Post
  • Thank you very much for the feedback. I have now studied the manual again and have been able to make some changes. Unfortunately, it is still not possible to download a certificate. I am now troubleshooting whether it's the provider, the port forwarding or my settings here.

    Can anyone help me check whether the settings I have changed in bold fit?


    I have currently created a stack with the settings via Portainer.


    lg.


    docker logs -f swag



    Portainer STACK



    Configuration of proxy

    • Official Post

    Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

    You can check if your domain is pointing to your public IP with https://www.whatsmydns.net/

    Your public IP is easy to see with https://whatismyipaddress.com/ Check that this IP is the same public IP that is on your router. Otherwise you would be behind CGNAT.

  • In your case it is easier and faster to set up only an S/FTP server without a VPN. S/FTP is Secure FTP, which encrypts the login and the data in transit. For data downloads this is good enough and secure. You can use a certificate, restrict access and set the download speed.


    Nextcloud is a good tool, but for file download it is overloaded with all the other features. A Nextcloud setup with a database and Let's Encrypt is not as easy to set up as the OMV S/FTP plugin with a self-generated certificate.

    • Official Post

    In your case it is easier and faster to set up only an S/FTP server without a VPN. S/FTP is Secure FTP, which encrypts the login and the data in transit. For data downloads this is good enough and secure. You can use a certificate, restrict access and set the download speed.


    Nextcloud is a good tool, but for file download it is overloaded with all the other features. A Nextcloud setup with a database and Let's Encrypt is not as easy to set up as the OMV S/FTP plugin with a self-generated certificate.

    I offered the OP that possibility in my first post as well. The advantage of Nextcloud is that you don't need to configure anything on the client. I guess that's the deciding factor. In the case of the OP I would do the same, I think; I would use Nextcloud.

    Actually a lot of Nextcloud's configuration failures are about external access to the server through a domain, and I think that's what's failing here as well.

    Setting up Nextcloud following the steps in the macom guide should not cause any problems.

    • Official Post

    Kenji

    You did this? I don't see it in the information provided.


    cd /srv/dev-disk-by-label-disk1/appdata/swag/nginx/proxy-confs (/srv/dev-disk-by-label-disk1 has to be adjusted)
    cp nextcloud.subfolder.conf.sample nextcloud.subfolder.conf (this copies the sample configuration file for nextcloud and removes the .sample so that the file becomes active)

  • I offered the OP also that possibility in my first post. The advantage of Nextcloud is that you don't need to configure anything on the client.

    That's right, if you are only using a web browser for Nextcloud downloads. On the client side, only a browser is needed plus the login data for the download. For S/FTP you need an application like FileZilla on the client side plus the login data. If the client wants to use the browser for S/FTP there are browser plugins. That is not a big difference in how the download is done on the client side. There is no configuration on the client side with either solution.


    If you use Nextcloud only for data downloads/uploads instead of S/FTP you have a lot of disadvantages.

    • Official Post

    If you use Nextcloud only for data downloads/uploads instead of S/FTP you have a lot of disadvantages.

    I couldn't say, I've never used S/FTP :) What are those disadvantages?

  • - Setup & configuration of 3 servers/docker containers for Nextcloud. For S/FTP you need only OMV features.

    - Updates: you have to update the 3 docker containers manually or with another container like Watchtower. After that Nextcloud must be updated manually inside Nextcloud. With S/FTP the updates will be done by OMV.

    - Overhead in CPU & RAM: docker is running with 3 - 5 containers. S/FTP is only a plugin, so fewer resources are needed.

    - Nextcloud allows only 1TB files in the standard configuration. For bigger files you have to change the PHP configuration.

    ….


    Nextcloud is a super private cloud solution. But if you need only secure file down/upload, S/FTP is the better choice. Easier to install, less configuration, and for non-technical users it is safer if it is done with OMV S/FTP.

    • Official Post

    I thought you were going to tell me about download speeds via ftp or webdav, or something similar, but I see that the disadvantages you mention are only maintenance and installation issues.


    In that I agree with you, configuring Nextcloud is more complicated, that is indisputable. But once set up, it doesn't take much effort to maintain. A long time ago updates were an ordeal, errors began to appear that had to be solved manually. But lately it's easier, everything works more smoothly and it's been many months since I've had any errors in the updates.


    I don't agree on the system overload, if you don't use plugins inside Nextcloud the CPU is not overloaded, it depends on what you want to use. If you use a lot of plugins you will need more resources, of course.


    Setting up the download of large files is not difficult to achieve. You do it once and you never touch it anymore. The limit is not 1TB, that limit would not be a problem :) If I remember correctly the default limit is 500MB.


    Regarding security issues, I do not agree either, Nextcloud is considered the most secure cloud storage in the world.


    And I still see the advantage in Nextcloud of access from any client without the need for any configuration. In fact, you can generate a link to share a file/folder without the need for a username and password on Nextcloud. Only one password for that link. That is very useful in this case. You can also choose if you want it to be editable or not. The options that Nextcloud provides are unachievable in most competing solutions, in my point of view.

  • S/FTP is faster than WebDAV, but the OP is only using a 100 Mbit/s Internet connection and the speed difference isn't that big at 100 Mbit/s.


    I use Nextcloud and it is a good multi-tool. We think in the same way, but I think we have a misunderstanding. Let me try to explain. Nextcloud is a multi-tool like a toolbox and S/FTP is a single tool like a hammer.

    I don't agree on the system overload, if you don't use plugins inside Nextcloud the CPU is not overloaded, it depends on what you want to use. If you use a lot of plugins you will need more resources, of course.

    For hammering in nails, I only take a hammer with me to the construction site; if I don't just want to hammer in nails then I take a toolbox with me. The overhead with the toolbox is that I have to carry much more than is necessary to hammer in nails. :) For Nextcloud you need 3 different services to do this securely: the Nextcloud app, a database server and Swag with a certificate. This will consume more resources on the computer than if you use only one S/FTP server.


    Regarding security issues, I do not agree either, Nextcloud is considered the most secure cloud storage in the world.

    I wasn't able to find any third-party security audits or penetration testing done by Nextcloud. That said, I did find two types of auditing/testing you should be aware of.

    Nextcloud Security Scan: The company does offer their own security scanning tool. The Nextcloud Security Scan is a system that, “…analyzes the security of your server and gives you an overview of what to improve.”

    Nextcloud used third-party services to scan the Internet looking for Nextcloud installations that might have security vulnerabilities. These services then reported the “problem” to the German government’s Federal Cyber Security Authority (BSI). The BSI would then send a letter to whoever was hosting your servers, telling them to tell you to update your software.

    These two things mean to me that there are a lot of Nextcloud instances on the Internet that are not secure.
    Here is the hardening and security guidance that I would recommend to anyone setting up a secure system.


    The options that Nextcloud provides are unachievable in most competing solutions, in my point of view.

    For you it is OK to use Nextcloud. And if somebody has Nextcloud then he can use it for file download and upload. But for the OP, who doesn't have any system set up and will only download/upload files, a one-app / one-tool system is IMHO the better solution. S/FTP with the OMV standard plugin is what I would suggest, because configuring, maintaining and securing Nextcloud is more complicated and will consume more resources on the computer. S/FTP is also faster.

  • Kenji

    You did this? I don't see it in the information provided.

    Yes I did:


    cd /srv/dev-disk-by-uuid-7abc2b1f-3752-462a-be72-51d4e4e/appdata/swag/nginx/proxy-confs


    cp nextcloud.subfolder.conf.sample nextcloud.subfolder.conf


    but the same error.


    You can check if your domain is pointing to your public IP with https://www.whatsmydns.net/

    Your public IP is easy to see with https://whatismyipaddress.com/ Check that this IP is the same public IP that is on your router. Otherwise you would be behind CGNAT.


    it is available everywhere



    A question in general because I am a little confused:



    Do I actually have to enter this Letsencrypt host in the Fritz!Box as DynDNS? With my OpenVPN server I had to do this to always have the same IP/address, but with this provider I don't think I have the option of a certificate (https://ddnss.de/).


    lg.



    Many thanks for the lively discussion.

    • Official Post

    A question in general because I am a little confused:

    Do I actually have to enter this Letsencrypt host in the Fritz!Box as DynDNS? With my OpenVPN server I had to do this to always have the same IP/address, but with this provider I don't think I have the option of a certificate (https://ddnss.de/).

    If you do not have a fixed IP (the most common) you need a redirection service to your IP. If, as you say, you're already using one, you should be able to use it for Nextcloud as well. All these services do is associate a domain with a public IP. You can configure your Nextcloud domain to address the same IP as the domain you already have configured with dynamic IP. mmm... I don't know if I explained it clearly, it seems like a tongue twister...


    Many thanks for the lively discussion.

    Yeah, it's getting interesting, I'll prepare my answer when I have some time. The matter of the hammer and the toolbox gives a lot of play. :)

    • Official Post

    Actually, if your domain points to your IP according to the web page that I linked to you before, everything should be fine. I'm going through all the information you posted and I don't catch the error, so I'm going to quote Soma, who will solve it in 5 minutes :)

    • Official Post

    - SUBDOMAINS=www,

    Did you delete this in your swag stack on purpose to post? Or do you really have it like that? There you must include the domain.

  • On the Fritz!Box screenshot I don't see that ports 80 and 443 are open. You have to open ports 443 and 80 and forward them to the internal IP of the host computer / OMV IP address. These 2 ports are needed for the validation.


    Question. Do you need Nextcloud only for the data download/upload?
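The certbot hint quoted earlier in the thread (the domain must point at this machine and port 80 must accept inbound connections) and the port-forwarding post just above are the same diagnosis from two sides. The following is an added example, not something posted in the thread: it classifies the WAN address the router shows so you can tell whether inbound connections are possible at all (public address, private address behind a second router, or carrier-grade NAT), compares a public resolver's answer for the domain with that address, and probes the HTTP-01 path from outside. The use of IPv4, the dig tool (dnsutils) and curl are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: check the preconditions for an HTTP-01
# certificate before retrying swag. Assumes IPv4, dig (dnsutils) and curl.

# Classify a dotted-quad IPv4 address as private (RFC 1918), cgnat
# (100.64.0.0/10), loopback, public, or invalid. A WAN address that is not
# "public" cannot receive connections from the Internet directly.
ip_class() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || { echo invalid; return 1; }
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) echo invalid; return 1 ;; esac
        [ "$o" -le 255 ] || { echo invalid; return 1; }
    done
    a=$1 b=$2
    if [ "$a" -eq 10 ]; then echo private
    elif [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then echo private
    elif [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then echo private
    elif [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then echo cgnat
    elif [ "$a" -eq 127 ]; then echo loopback
    else echo public
    fi
}

# Compare what a public resolver returns for the domain with the WAN address
# read from the router's status page. Succeeds only if both agree and the
# address is public. Needs network access.
dns_matches_wan() {
    domain=$1; wan_ip=$2
    resolved=$(dig +short A "$domain" @1.1.1.1 | head -n 1)
    echo "dns: $domain -> ${resolved:-<no A record>}"
    echo "wan: $wan_ip ($(ip_class "$wan_ip"))"
    [ -n "$resolved" ] && [ "$resolved" = "$wan_ip" ] \
        && [ "$(ip_class "$wan_ip")" = public ]
}

# Request a (non-existent) challenge file the way Let's Encrypt would. Run it
# from outside the LAN, e.g. over a phone's mobile data: any HTTP status code
# means port 80 is forwarded through to the host; a timeout (000) means the
# forward is missing on one of the routers in the path.
probe_http01() {
    curl -s -m 10 -o /dev/null -w '%{http_code}\n' \
        "http://$1/.well-known/acme-challenge/probe-$$"
}

# Stand-alone usage: ./check.sh run <domain> <wan-ip>
if [ "${1:-}" = run ]; then
    dns_matches_wan "$2" "$3" && probe_http01 "$2"
fi
```

In the topology from the first post (Fritz!Box > Asus router > OMV host) the Asus router's WAN address lies inside the Fritz!Box's LAN, so ip_class will report it as private: that is double NAT, and ports 80 and 443 have to be forwarded twice, from the Fritz!Box to the Asus router and from the Asus router to the OMV host. The address that has to come back as public, and that the domain has to resolve to, is the Fritz!Box's WAN address. If that one is reported as cgnat, no amount of port forwarding will make HTTP-01 succeed.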
