
How To: Secure Remote Connection (Without buying domain)



Posted (edited)

I was looking to get a secure remote connection, but dealing with security certificates just seemed a bit too much. So here's my approach to getting a secure remote connection by setting up a local VPN server on the host. (Read the downsides and upsides at the end of the post to see if this method will work for you.)

Step 1: Get a DDNS to automatically update your IP.

  1. Go to https://www.noip.com/, sign up and confirm your email.
  2. Log in and set up a username. https://my.noip.com/account
  3. Set up a host name in case you didn't do it at the signup page. https://my.noip.com/dynamic-dns
  4. Download their update client from https://www.noip.com/download, log in and choose the host name for updating.

Step 2: Setting up WireGuard Server

  1. Install WireGuard. https://www.wireguard.com/install/
  2. Go to https://www.wireguardconfig.com/
  3. Make the following edits:
    • Number of clients depending on the number of devices you wish to access the server. (You can choose more than you need)
    • CIDR to 192.168.200.0/24
    • Client Allowed IPs to 192.168.1.0/24 (This is so that only the local network requests are passed on to the server)
    • Endpoint to the hostname you made. E.g.: myembyserver.ddns.net:51820
    • Delete the Post-up and Post-down rules
  4. Generate the config.
  5. Copy the server config. (Don't close the browser, we'll need the client configs later)
  6. Open WireGuard, click on the arrow beside Add Tunnel > Add empty tunnel
  7. Choose the adapter name as "wg0". (You can choose something else too)
  8. Paste the server config here and activate the VPN.

Step 3: Allow port 51820 through Windows Defender. Create allow rules for both TCP and UDP protocols, and for both inbound and outbound. https://www.windowscentral.com/how-open-port-windows-firewall

Step 4: Enable network sharing

  1. Open Control Panel > Network and Sharing Center > Change adapter settings
  2. Choose your adapter > Properties > Sharing tab
  3. Check mark "Allow other network users to connect ……… connection" and choose "wg0" from the dropdown.

Step 5: Set your network to Public

  1. Click on the Wi-Fi button in the taskbar
  2. Right click on your Wi-Fi > Properties
  3. Change from private to public

Step 6: Enable port forwarding on router for port 51820

  1. https://www.wikihow.com/Set-Up-Port-Forwarding-on-a-Router
  2. Go to https://www.canyouseeme.org/ and check if port 51820 is visible. If everything went as intended, it should be visible.

Step 7: Configuring Client

  1. Download WireGuard on your phone/other clients where you need to access your server remotely.
  2. Now we have to import the client config here.
  3. You can directly scan the QR code, or create text files of the client configs and transfer them to the device.
  4. Activate the VPN.
  5. Now switch to a different network and check if you can access Emby remotely. (You won't be able to access Emby if both client and host are on the same network)

 

Downsides of this approach: 

  1. You'll need to turn on the VPN before you can access the server. (Alternatively, you can also leave it running all the time; it won't slow down your internet since the VPN only captures the local network requests and passes them on to the server)
  2. You can only access content on devices if you have authenticated beforehand.
  3. Adding more clients will require additional setup.
  4. Not viable if you want to give access to other people; you'll need to set up VPNs on their devices.

Upsides:

  1. Easier to set up than dealing with certificates, in my opinion.
  2. Since clients are authenticated beforehand, greater security.
Edited by GrimReaper
  • Thanks 1
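
Added example (not part of the original post): a small Python check for a client config built from the values in the guide above. It flags a full-tunnel AllowedIPs, a tunnel address outside 192.168.200.0/24, a missing route to the 192.168.1.0/24 home LAN, and the case where the network the client is currently on uses the same range as the routed LAN. The function names, finding labels and the `current_lan` argument are assumptions made for this example, and the keys in the sample config are placeholders.

```python
import ipaddress

# Constructed client config using the guide's values; keys are placeholders.
SAMPLE_CLIENT_CONF = """\
[Interface]
PrivateKey = <client-private-key>
Address = 192.168.200.2/32

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 192.168.1.0/24
Endpoint = myembyserver.ddns.net:51820
"""

def parse_wg_conf(text):
    """Return [(section, {key: value})]; a list because servers repeat [Peer]."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # split once: base64 keys end in '='
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def audit_client(text, current_lan, tunnel="192.168.200.0/24", home="192.168.1.0/24"):
    """List deviations from the guide's split-tunnel setup for one client config."""
    tunnel, home = ipaddress.ip_network(tunnel), ipaddress.ip_network(home)
    here = ipaddress.ip_network(current_lan)  # network the client is on right now
    findings = []
    for name, kv in parse_wg_conf(text):
        if name == "interface":
            addr = ipaddress.ip_interface(kv["address"].split(",")[0].strip())
            if addr.ip not in tunnel:
                findings.append("address-outside-tunnel")
        elif name == "peer":
            routes = [ipaddress.ip_network(r.strip(), strict=False)
                      for r in kv.get("allowedips", "").split(",") if r.strip()]
            v4 = [r for r in routes if r.version == 4]
            if any(r.prefixlen == 0 for r in routes):
                findings.append("full-tunnel")  # all traffic, not just the LAN
            if not any(home.subnet_of(r) for r in v4):
                findings.append("home-lan-not-routed")
            if any(r.overlaps(here) for r in v4 if r.prefixlen):
                findings.append("route-overlaps-current-lan")
            if not kv.get("endpoint", "").endswith(":51820"):
                findings.append("unexpected-endpoint-port")
    return findings
```
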
Posted

Hi, thanks for sharing your experience.

pwhodges
Posted

I don't deal with certificates either - I installed Caddy, provided a config file with one line (other than the one specifying the server name) which makes it a reverse proxy for Emby, and that's it.

Apart, that is, from setting up the domain name and router forwarding, which are both more complicated jobs than running Caddy.  Caddy does all the certificate work itself - it gets them, uses them, renews them.

Paul

  • Agree 1
Posted (edited)
1 hour ago, pwhodges said:

I don't deal with certificates either - I installed Caddy, provided a config file with one line (other than the one specifying the server name) which makes it a reverse proxy for Emby, and that's it.

Apart, that is, from setting up the domain name and router forwarding, which are both more complicated jobs than running Caddy.  Caddy does all the certificate work itself - it gets them, uses them, renews them.

Paul

Can you direct me to a guide?

Edit: I found the guide, https://emby.media/community/index.php?/topic/81476-ssl-made-easier-with-a-reverse-proxy/ 

I had previously looked at it; it required me to buy a domain, which is why I didn't follow through with it.

Edited by MaxRobs
pwhodges
Posted

Certificates are linked to domain names, by design.  If you do not want to buy a domain name, then as a consequence you cannot use https.

Paul

GrimReaper
Posted
3 hours ago, pwhodges said:

Certificates are linked to domain names, by design.  If you do not want to buy a domain name, then as a consequence you cannot use https.

Paul

That ain't exactly true, as you can obtain a certificate for a free DDNS as well.

  • Agree 1
pwhodges
Posted

OK, it is possible to get a free name; but in practice you do need a name is what I was saying.

Yes, and it is actually possible to get a certificate for an IP address, but you have to prove you own it - DHCP from your ISP wouldn't cut it - and it would be no use if your address changed, for instance.  Even the people who can sell them to you discourage even thinking about such a certificate, and the free people don't do them.

Paul

Posted (edited)

 Should have mentioned in the title that this guide was for those who don't wanna buy a domain. No edit option available now.

Edited by MaxRobs
GrimReaper
Posted
15 minutes ago, MaxRobs said:

 Should have mentioned in the title that this guide was for those who don't wanna buy a domain. No edit option available now.

How do you want Topic title to read?

Posted

How To: Secure Remote Connection (Without buying domain)

 

This seems good enough

GrimReaper
Posted
Just now, MaxRobs said:

How To: Secure Remote Connection (Without buying domain)

 

This seems good enough

Done.

Posted
Just now, GrimReaper said:

Done.

Thanks!

  • 7 months later...
Posted

Will this work for a Mac and QNAP NAS setup?
