Geuni / April 24, 2020 / English

1) Store your data at home, e.g. on a NAS!

I wanted to store my data on my NAS! I didn’t want to send my data via America any more! That was the idea that made me think about another solution for my data storage. I’m an IT specialist, so I quickly thought about what I would need to set up a small server at home that can meet my new requirement.

2) Defining the goal of what I want to achieve

I want to store my data safely and in a controlled manner at home. Furthermore, I want to reach my data securely via the Internet.

3) Trial and failure of a self-made NAS

I tried to build everything myself. Raspi and go (in my case a cu-box i). A few external hard drives connected via USB, Debian installed, a RAID built and Owncloud installed. Port forwardings set up on the Fritz.Box and a free Dyn DNS registered. Let’s Encrypt certificate. OwnCloud client installed on all devices and it is running. Now I still needed local shares, so SAMBA was quickly installed; that also runs.

Now I could use the system (that lasted about 6-9 months)! In doing so, I noticed that the transmission speeds in the LAN were approx. 5MB. The RAID liked to fall apart because the power supply from the cu-box is too low. I noticed that the entire device has only one circuit! A RAID rebuild took days. The SD card from which the cu-box starts doesn’t last long and simply “burns” (it was no longer readable after a short time).

These were just some of the problems I noticed. I have to admit that I have more requirements for such a solution. Above all, I have to accept that the usual sayings that Raspis are not meant for a productive environment are true!

4) What are my requirements for a NAS?

This little story of a good 9 months made me think longer about what I need and for what. Ultimately, the following requirements were the basis. I want to:

  • not store my data in the cloud,
  • securely reach my data via the Internet,
  • access the data independently of the device,
  • achieve a fast data exchange on the LAN,
  • not have to invest much effort in the operation of the solution.

Because of these requirements, I had to accept that a NAS will probably be the best solution for me.

Consequently, I looked a little into common NAS manufacturers and models: what they can do, how loud they are (a requirement added in retrospect: it must be quiet) and so on. The result was that I bought a Qnap ST-453A with 2x 4TB HGST Deskstar server hard drives. My old SSD went into the third bay of the NAS as a cache accelerator, and an external hard drive that I still had was put into the 4th bay. Another external hard drive is connected to the NAS via USB.

5) What do I have to do now?

First, it was time to connect the NAS, turn it on, start the configuration wizard and go through it, done. In the specific case of QNap, I can say that it makes sense to disable all functions that you do not want to use (UPnP, Time Machine, FTP, HybridDesk Station, iTunes Server, RADIUS, TFTP, NTP).

From my previous experience, a free Dyn DNS bothered me (I didn’t like the name, and Let’s Encrypt has so-called rate limits on SSL certificates), which is why I bought a domain first. In my case at name.com (it was the cheapest provider). name.com does not have a useful dynamic DNS service, so I had to use the name servers of FreeDNS.

6) How do I (cheaply) set up a domain?

Name.com name server display

The setup is as follows: on name.com, once you have logged in, go to the menu item “Name server” and simply enter the 4 servers of FreeDNS instead of those of Name.com (you must of course have bought a domain there beforehand). This looks like this:

FreeDNS dialog after login

Now log on to FreeDNS and register your domain there, as the image shows (Add A Domain into FreeDNS), and done. If you also want subdomains, you can create as many as you want via FreeDNS, or other DNS record types (I will come to this in another post; it is not so important for the beginning). When you have finished, it should look like the image above (the lower part of the image). Now all that’s missing is the automatic update of your IP in DNS. At home I have a Fritz.Box, so I will show you with pictures what it looks like there.

7) How do I set up a dynamic DNS with FreeDNS?

Basically, with FreeDNS you update your domains using a special update URL, together with your username and password for the website. As described in the picture below, you enter these on your Fritz.Box accordingly (for navigation in the Fritz.Box, take note of the picture).

Fritz.Box dynamic DNS settings

Now you’re wondering where to get your update URL. See the image below. On FreeDNS, in the menu item “Dynamic DNS”, select a domain from the list of “Update Candidates” further down and download the “Wget script”. You’ll get a *.bat file; right-click on the file and edit it (if you run it by mistake, no harm done, you’re only updating your DNS record with your current public IP). Notepad should open, and in it there is a line that looks like this:

wget -q --read-timeout=0.0 --waitretry=5 --tries=400 --background http://freedns.afraid.org/dynamic/update.php?" String"

You enter this string (shown as “String” in the snippet) as your update URL in your Fritz.Box, as in the picture above.

FreeDNS DynDNS settings in the web UI

If you have now entered everything correctly in the Fritz.Box, you will, interestingly, see nothing in the Fritz.Box logs! That confused me too! But this is not a problem for us, because we can simply check it quickly on FreeDNS under the menu item “Dynamic DNS”: once it has worked, an IP should appear after the domain (in the picture above, at the bottom right within the image).

If you’ve made it to this point, your domain should have your current IP and you could already address your domain. Unfortunately, there is nothing behind it yet, so you will probably get an error.

8) What is Port Forwarding or PortForwarding?

Now only one small thing is missing in the Fritz.Box. You need to configure port forwarding to make your NAS/server truly accessible from the Internet. Short explanation: your router usually lets everything from your LAN out into the big wide Internet, and lets back in everything that someone on your LAN has requested from the WAN (simply another term for the Internet here). By default, your router should never let someone from the Internet (if they find out your IP) into your LAN. Port forwarding changes that for all requests on one or more defined ports, which are passed on to a fixed IP in your LAN.

By the way, I recommend disabling the UPnP function. In the Fritz.Box the function is called “Allow independent port shares for this device”. You can see that in the picture below.

9) Set up port forwarding on a Fritz.box

To do this, go to Internet -> Share -> Add device for shares in the Fritz.Box. Once you have done this, something similar to the picture below should appear. For the device, you select the NAS or server. Further down on the right you will see “New Release”; if you click on it, another window opens in which you (this is how I usually do it) select the radio button “Port Sharing”, always choose “Custom” in the application drop-down below it, and define the protocol and ports. HTTP uses the TCP protocol on port 80 by default (enter 80 in all port fields: to, until and external); HTTPS uses TCP 443 by default. The Fritz.Box can also do so-called “PAT”, but we don’t need that yet.

Fritz.Box Webui for editing the port shares for a device on the LAN

If everything is entered correctly, it should look something like this:

Fritz.Box settings of a port forwarding

Now, when you access your domain, you should come to your NAS.
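To check the forwarding rules from the outside, the following added example (not part of the original article) probes the two forwarded ports and a few that should stay closed, FTP and SMB among them. The host name nas.example.org and the list of ports that must stay closed are assumptions of this example.

```python
import socket
import sys

# Ports the article forwards on purpose (HTTP and HTTPS).
EXPECTED_OPEN = {80, 443}
# Must not answer from the Internet: FTP (disabled in section 5) and SMB.
MUST_BE_CLOSED = {21: "FTP", 139: "NetBIOS/SMB", 445: "SMB"}


def is_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port can be established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unresolvable
        return False


def audit(host, probe=is_open):
    """Compare what is reachable with the intended forwarding rules.

    Returns (port, finding) tuples; an empty list means the exposure
    matches the intent.
    """
    findings = []
    for port in sorted(EXPECTED_OPEN):
        if not probe(host, port):
            findings.append((port, "forwarded port is not reachable"))
    for port, name in sorted(MUST_BE_CLOSED.items()):
        if probe(host, port):
            findings.append((port, f"{name} is reachable from outside"))
    return findings


if __name__ == "__main__":
    # "nas.example.org" is a placeholder; pass your own domain instead.
    host = sys.argv[1] if len(sys.argv) > 1 else "nas.example.org"
    # The address the dynamic DNS record currently points to; compare it
    # with the WAN IP shown in the Fritz.Box.
    print(f"{host} resolves to {socket.gethostbyname(host)}")
    results = audit(host)
    for port, finding in results:
        print(f"{host}:{port}: {finding}")
    sys.exit(1 if results else 0)
```

Run it from a connection outside your LAN (for example mobile data), otherwise the result describes the NAS as seen from inside and not what the router exposes.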

10) Testing accessibility and security from the Internet

Accessibility is easy to test: open the domain, as configured above, in a browser; if a website is displayed, you are done.

Security can also be tested quite simply (superficially). For this I like to use the Qualys SSL Labs online test. There you simply enter your domain and wait until the result has been produced. As an example, the result for my domain:

Qualys SSL Labs Online Security Test Results

I am not going to explain the whole test here and what it all means. That’s just too much for this post. But what is important is that an “A” would be good in the rating (anything worse is not the end of the world). If this is not the case, then you should look in detail at what the report says; often help pages are already linked, with explanations of what affects the rating negatively.

This test can therefore give an initial assessment of whether everything is safe according to a standard.

11) What is HTTPs / TLS / SSL

Let us start by explaining what these words stand for. Importantly, they all refer to the same thing. Historically, SSL came first; it stands for “Secure Socket Layer” and was an encryption for so-called sockets. It quickly became apparent that this encryption can encrypt just about anything in transport, so it was eventually renamed to TLS, which stands for “Transport Layer Security”. HTTP stands for “HyperText Transfer Protocol” and is the basis for how many websites are presented. If you encrypt the HTTP protocol with TLS in transport, we call it HTTPS (S = Secure), because HTTP is the basis for browsers to display websites and TLS is necessary for securing the transport of this data.

In order to set up TLS for your server, we first need a so-called “SSL certificate” from a “Certificate Authority (CA)”. You can buy SSL certificates or simply request one from Let’s Encrypt for free. We take the free version without going into its disadvantages here; there are some, it has to be said. For the time being, I will not explain how such certificates contribute to security; that alone is enough for a separate article.

We also limit ourselves in this article to the fact that QNAP has a Let’s Encrypt integration (I don’t think it’s good!) and only show how to use it (with no guarantee that it works, because I know QNAP had problems with it!). How to use Let’s Encrypt with, for example, the Linux tool Certbot comes in later posts, when we start moving functions into Docker containers, where there is no way around it.

12) Set up HTTPs / TLS / SSL on your NAS

Using the Qnap NAS as an example: in the admin web UI, click on the “three bars” in the upper left corner; in the menu that opens, click on “Control Panel” to get a new window (see below). In the Control Panel, under the heading “System”, we select the sub-heading “Security”, then the tab “Certificates & Private Keys”, and click on the button “Replacement Certificate”. This opens a small additional window (“replacement” because by default a so-called self-signed certificate is included, which is now to be overwritten by one from Let’s Encrypt), where we select “Get from Let’s Encrypt” in the drop-down menu and click Next.

LetsEncrypt Qnap UI to get a certificate

Now we get another view and enter the necessary data there. We should have it, because we have set it all up before. Enter your domain under domain name and an e-mail address of yours under e-mail; you can leave the “alternative name” empty for now.

Qnap LetsEncrypt certificate UI

After the process is complete, you should be able to address your NAS via your domain using HTTPS on port 443 (if not, check how you forwarded the ports; that is probably the problem). If everything works, then you should be able to access your domain with the prefix “https” and you should see a lock icon in your browser quite close to the address. If you look at the certificate now, you will see that it is one from Let’s Encrypt for your domain (recognizable here by the word “Valid”, only because we have previously applied for one for your domain).

Chrome display of an SSL certificate

If HTTPS is not yet possible, you should check the Qnap Control Panel under “General Settings” to see if “Enable Secure Port (HTTPS)” is turned on. Unfortunately, the same applies on the Qnap to “the web server” under Control Panel -> Applications -> WebServer. This sounds a bit confusing; I am a bit dissatisfied with the configuration at Qnap here, because it is not clear what the differences between the two “Enable HTTPS” options are.
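The lock icon can also be checked from a script, which is useful because Let’s Encrypt certificates are short-lived (90 days) and depend on the automatic renewal working. The following is an added example, not part of the original article or of QNAP’s tooling; the host name nas.example.org and the 21-day renewal margin are assumptions.

```python
import socket
import ssl
import sys
import time


def fetch_cert(host, port=443, timeout=5.0):
    """Handshake with chain and host-name verification enabled.

    Raises ssl.SSLCertVerificationError if the certificate is not trusted,
    which is what the self-signed default certificate produces.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()


def assess(cert, tls_version, now=None, renew_margin_days=21):
    """Return a list of findings for a dict as returned by getpeercert()."""
    now = time.time() if now is None else now
    findings = []
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    if issuer.get("organizationName") != "Let's Encrypt":
        findings.append(f"unexpected issuer: {issuer.get('organizationName')}")
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    if days_left < 0:
        findings.append("certificate has expired")
    elif days_left < renew_margin_days:  # assumed margin, adjust as needed
        findings.append(f"only {days_left} days left, renewal seems stuck")
    if tls_version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"outdated protocol negotiated: {tls_version}")
    return findings


if __name__ == "__main__":
    # "nas.example.org" is a placeholder; pass your own domain instead.
    host = sys.argv[1] if len(sys.argv) > 1 else "nas.example.org"
    try:
        cert, version = fetch_cert(host)
    except ssl.SSLCertVerificationError as exc:
        sys.exit(f"{host}: certificate not trusted ({exc.verify_message})")
    problems = assess(cert, version)
    print("\n".join(problems) or f"{host}: certificate and protocol look fine")
    sys.exit(1 if problems else 0)
```

Run regularly (for example from a scheduled task), a non-zero exit code tells you that the renewal on the NAS needs attention before the browser starts showing warnings.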

13) Set up network drives on the LAN (SMB)

First of all, two words about SMB. The “Server Message Block” protocol is not very secure. It has some structural weaknesses, but is good in overall performance, which is why it is widely applied. You should not use SMB over the Internet! SMB should only be used on the LAN, unless you know what you are doing and what data is going over the line! Technically, of course, it works.

Turning it on on the QNAP is quite easy. In the admin UI go to Control Panel and, in the “Network and File Services” section, select the sub-heading “Win/Mac/NFS”. Turn on the service on the right side of the view, leave it on “independent server” for the time being, apply, done.

Enabling SMB via the QNap UI

Now you can use your user name and password either to access the NAS via SMB in Windows File Explorer, using so-called UNC notation in the address line (“A”), or to include it as a network drive. To include it, right-click on “Connect this PC” in the workstation/File Explorer, enter the IP of the NAS in UNC notation as the “folder” in the following dialog and, if necessary, tick the box below for “Connect to other credentials”.

Windows FileExplorer to integrate a network drive

In the dialog for logging on with the NAS user data, you may have to put the domain of the NAS (usually the name of the NAS itself) in front of the “name”, in the spelling “Domain-Username”. If it worked, that should be it.

14) Connect smartphone (Android) with your NAS

Smartphones are hybrid devices from a network perspective. They eventually move between a WAN (e.g. mobile Internet) and a LAN (e.g. Wi-Fi). From a network perspective, this can be a problem.

The advantages of LAN are almost always the speed. But we don’t have LAN everywhere, so we build everything up as if it were in the WAN, because on the smartphone we are used to the WAN speed and therefore do not feel this disadvantage directly.

Using the QNap NAS as an example, integration on smartphones is fairly easy. Download the Qfile app and configure it in Wi-Fi, done. You don’t need to do more.

15) Connect Smart TV (Android TV)

A smart TV is usually almost as flexible as a smartphone, only that the control from the TV via the remote control is not as flexible.

Basically, I don’t know of any apps from manufacturers that let a Qnap interact with a smart TV on the fly (in my example Android). However, since we have activated SMB, we can still use this to access the data on the NAS. I limit myself to Kodi as an SMB client on the smart TV.

We start Kodi and use the remote control to select the gear at the top left to get into the file manager. We’ll add a new source there now. Where “” is shown at first, we click on it and type in:

 
smb://IP/ 
Kodi dialog for adding an SMB resource

Apply the whole thing, and after the username and password have been entered you can browse the NAS with the TV via SMB. Alternatively, you can now continue to use the “SMB source” in Kodi, e.g. to build libraries, etc. Of course, this works with almost all SMB clients; the spelling for connecting is sometimes different but basically identical.

16) Connect Windows with your NAS

In the course of the article, we have already “connected” Windows several times, at least via the web UI. Yes, this is an option that is available throughout the world after our preparatory work, for sure.

If we now want to have a local file synchronization a la DropBox, we download the Qsync client from Qnap and set it up. I don’t explain that, because it’s very simple.

Furthermore, in File Explorer, as already described above, you can access the NAS via SMB for all the data that you may not want to have synchronized directly locally, but still use fairly often.

17) Conclusion/summary

We’ve done a lot. In particular, we have:

  • registered a domain
  • configured a “custom” DNS server for the domain
  • set up a dynamic DNS for our domain
  • obtained and installed an SSL certificate on our server
  • tested the online security of our server
  • activated SMB
  • connected clients to our new ecosystem (Android, Windows, Smart TV)

Generally speaking, we managed to build a foundation to bring our data from the cloud into our living room. The whole thing is safe and can be reached anywhere via the Internet. Goal achieved! Now you can move the data!

18) Outlook

We’ve only just started playing with things like that. We have our data locally, but somehow not all yet. What about our contacts? We still have them in the cloud, the same applies to our calendar. Hmm, that has to be made in the living room now.

That will also be the subject of the next article. How we store our contacts and calendars locally and securely over the Internet, as well as have them synchronized with our clients.

I’m still unsure if it fits into an article, because it could get longer ;D
