Access to the NAS from the outside without a public IP

noel200 11277 49

Best answers

How can I securely access my NAS photos from my phone from outside the home network if my ISP does not give me a public IP address?

Without a public IP, you cannot run your own home VPN server in the normal way, so the practical options are to buy a public IP, rent a VPS/VPN proxy, or use a service like ZeroTier [#19560572][#19570405] If you do get a real public IP, the clean solution is to enable the VPN server on the ASUS router, use DDNS if the address changes, connect from Android with a VPN client, and then reach the NAS by its local LAN IP instead of the DDNS address [#19570231][#19570276][#19572466] If you want to avoid paying for a public IP, ZeroTier was recommended as the simplest working alternative even without one, but it has to be installed on each device you want to access [#19566091][#19570210] The port-forwarding approach only works if the ISP allows the port and you forward the exact service port; using uncommon ports is safer than exposing standard ones like 80 or 443 [#19560572]

Generated by the language model.

Treść została przetłumaczona

Zobacz oryginalną wersję tematu

Report a violation of the law

Reply | New topic

#31 19570276 19 Aug 2021 10:16

Anonymous Anonymous

Level 1

» |

Post #31
19570276 19 Aug 2021 10:16

noel200 wrote:
...
I already have a public IP and a permanent dyndns address.

It will work without problems.

[edit]
I recommend the IPSec variant:

https://www.asus.com/en/support/FAQ/1044190
ADVERTISEMENT
#32 19570327 19 Aug 2021 10:52

voxck voxck

Level 9

Posts: 16

Rate: 1
» | Helpful post? (0)

Post #32
19570327 19 Aug 2021 10:52

Really. Colleague @Erbit wrote well. The principle of operation of Zerotier is slightly different than I wrote earlier. I had time to delve deeper into the description of the service. Sorry for spreading misinformation.
#33 19570334 19 Aug 2021 10:56

noel200 noel200

Level 27

Posts: 1891

Help: 36

Rate: 812
» | Topic author Helpful post? (0)

Post #33
19570334 19 Aug 2021 10:56

voxck wrote:
Really. Colleague @Erbit wrote well. The principle of operation of Zerotier is slightly different than I wrote earlier. I had time to delve deeper into the description of the service. Sorry for spreading misinformation.

I've read now and apparently the external server is only used to set up the connection, and then everything goes p2p.
Well, but some external apps and servers are always an additional leak point.
ADVERTISEMENT
#34 19570341 19 Aug 2021 11:01

voxck voxck

Level 9

Posts: 16

Rate: 1
» | Helpful post? (+1)

Post #34
19570341 19 Aug 2021 11:01

noel200 wrote:

I've read now and apparently the external server is only used to set up the connection, and then everything goes p2p.
Well, but some external apps and servers are always an additional leak point.

Even apart from the technical side, it is a very useful service. This is how I have a PLEX issued for my family. I don't really feel like opening ports so in this case Zerotier works great.
#35 19570405 19 Aug 2021 11:53

Anonymous Anonymous

Level 1

» |

Post #35
19570405 19 Aug 2021 11:53

voxck wrote:
....
Even apart from the technical side, it is a very useful service. This is how I have a PLEX issued for my family. I don't really feel like opening ports so in this case Zerotier works great.

So that it's not that I'm so "bad" I will add that this is a very good solution, especially when there is no public IP . It is simply impossible to run your own VPN server without a public IP and then the connection must be initiated "from the inside of the network".

Added after 5 [minutes]:

noel200 wrote:
...
I've read now and apparently the external server is only used to set up the connection, and then everything goes p2p.

I don't want to believe it. Just assuming that I am connecting from a place without a public IP to a place without a public IP, it is impossible to send data - because what address should the data be sent to?

Well.. they are sent indirectly through a tunnel created with an intermediary server and not directly between points without a public address because such a tunnel (without a public address) cannot exist. So packets sent must go through a public address. This is the idea of a public address (its public access).
ADVERTISEMENT
#36 19570419 19 Aug 2021 11:58

voxck voxck

Level 9

Posts: 16

Rate: 1
» | Helpful post? (0)

Post #36
19570419 19 Aug 2021 11:58

Erbit wrote:

So that it's not that I'm so "bad" I will add that this is a very good solution, especially when there is no public IP . It is simply impossible to run your own VPN server without a public IP and then the connection must be initiated "from the inside of the network".

It's not about 'bad' or 'good' . A master server is needed to establish a connection. Hosts don't initiate connection directly with each other (as I thought before) and you were right of course here, because you need a server between them.

And the service itself is great. I've been using it for a long time and it works really great. Particularly useful, for example, when you want to put even Pihole outside the LAN and have Internet filtering outside the house (and in combination with unbound DNS) it works very well. And that's without opening ports on the router.
#37 19570424 19 Aug 2021 12:03

Anonymous Anonymous

Level 1

» |

Post #37
19570424 19 Aug 2021 12:03

voxck wrote:
...
I've been using it for a long time and it works really great.

I believe it is. This is a valuable point - a practice point.

voxck wrote:
...
Particularly useful, for example, when you want to put even Pihole outside the LAN and have Internet filtering outside the house (and in combination with unbound DNS) it works very well. And that's without opening ports on the router.

Here I would have some doubts because your own VPN server gives you much more possibilities and it is also not a redirection.

However, it is certainly useful when you don't have a public IP and in this place (and probably only in this place) zerotier wins with its own VPN server.
ADVERTISEMENT
#38 19572288 20 Aug 2021 17:15

noel200 noel200

Level 27

Posts: 1891

Help: 36

Rate: 812
» | Topic author Helpful post? (0)

Post #38
19572288 20 Aug 2021 17:15

I just tried setting up a VPN. On the router, in the VPN server tab, there are PPTP and OPENVPN. First, I set up PPTP. On the phone with Android 10 and the MIUI 12 overlay, I set a new VPN profile. I selected PPTP there, entered the user and password as on the router. I also gave the server address, i.e. my IP from dyndns. PPP (MPPE) encryption is also set on the phone. I turned it on and it showed that it was connected. The router also shows that there is a connection.
I have disabled port forwarding on the NAS and from a phone with WiFi disabled, I cannot access the NAS service pages. Doesn't work Maybe you need to enter something else in the browser? another port? Or in the router some redirection to this VPN?
I also tried on the OpenVPN router. I set the user and pass, exported the .ovpn file. I installed the OpenVPN connect app on the phone, loaded this file, gave the user and pass and the effect is the same. What can I be doing wrong? There is no IPSec on this firmware in Asus.
Helpful post

#39 19572294 20 Aug 2021 17:22

Anonymous Anonymous

Level 1
» |

Helpful post
Post #39
19572294 20 Aug 2021 17:22

What IP did you get after logging in?
What's your NAT address?
When configuring the OpenVPN server, what did you choose?

Code: text Expand Select all Copy to clipboard
Client will use to access: - local only - internet + local

?

[edit]
From what I've seen on some video, server configuration is trivial. All in all, there's not much to "break".

Are you accessing the NAS by the IP address or the network name?
Check by IP (local).
#40 19572316 20 Aug 2021 17:37

noel200 noel200

Level 27

Posts: 1891

Help: 36

Rate: 812
» | Topic author Helpful post? (0)

Post #40
19572316 20 Aug 2021 17:37

Erbit wrote:
What IP did you get after logging in?

Using PPTP on the whatismyip site I have the same address as the router and PC connected at home. But this is not the address I got from the ISP. As I wrote earlier, they still have some NAT redirects? the address shows 109.231.7.x, but from the ISP I have a permanent address 10.9.209.x.dyndns.xxxx.pl.
Is that why it doesn't work?

Erbit wrote:
What's your NAT address?

This question is probably related to the first one, and I hope I answered above, but I don't know that much.

Added after 2 [minutes]:

Erbit wrote:
When configuring the OpenVPN server, what did you choose?
Code: Client will use to access:
- local only
- internet + local

"both"
Helpful post

#41 19572328 20 Aug 2021 17:45

Anonymous Anonymous

Level 1

» |

Helpful post
Post #41
19572328 20 Aug 2021 17:45

noel200 wrote:
...
Using PPTP on the whatismyip site I have the same address as the router and PC connected at home.

It's just the gate you exit through. This address should be on the router's WAN. If that's not the case, I'm surprised you logged in at all.

noel200 wrote:

from ISP I have a permanent address 10.9.209.x.

This is a private address (which is definitely set to DMZ).

noel200 wrote:

Is that why it doesn't work?

This is the most likely - although in my opinion you shouldn't log in at all, and since you did, "devil knows" what they set there.

When logging in to the NAS, do you use its IP or domain name?
Use IP (NAS local IP).
#42 19572350 20 Aug 2021 18:24

noel200 noel200

Level 27

Posts: 1891

Help: 36

Rate: 812
» | Topic author Helpful post? (0)

Post #42
19572350 20 Aug 2021 18:24

Erbit wrote:
When logging in to the NAS, do you use its IP or domain name?

Remotely, when I enter NAS services, I enter 10.9.209.x.dyndns....:xxx on the phone, and I have port forwarding enabled on the router.
I guess I'm left with the zerotier. I read, I registered, I have a network id, I installed it on the phone. He did on the VPN phone and connected to the remote server. But I don't know how to install it on OMV.
Probably via docker, but I have no idea what to type there. With the rest, if the service fails in a month or two, it will be a pile.
Or maybe WinSCP?

Quote:
zerotier is one option, others can be use a VPN, or most simple, use WinSCP to access from outside of your LAN to your data

(quoted from the openmediavault forum.)
But isn't that Putty? to SSH?

Added after 25 [minutes]:

In the DDNS tab on the router, I changed the "Method to retrieve WAN IP" option from external to internal but it did not help.
Helpful post

#43 19572466 20 Aug 2021 19:23

Anonymous Anonymous

Level 1

» |

Helpful post
Post #43
19572466 20 Aug 2021 19:23

noel200 wrote:
...
Remotely, when I enter NAS services, I enter 10.9.209.x.dyndns ....:xxx on the phone,

When logging in via VPN, you must use the local NAS address. A VPN "has taken you inside the network".
#44 19572479 20 Aug 2021 19:34

noel200 noel200

Level 27

Posts: 1891

Help: 36

Rate: 812
» | Topic author Helpful post? (0)

Post #44
19572479 20 Aug 2021 19:34

Erbit wrote:
You must use a local NAS address. A VPN "has taken you inside the network".

It actually works But terribly slow
#45 19572499 20 Aug 2021 19:47

Anonymous Anonymous

Level 1

» |

Post #45
19572499 20 Aug 2021 19:47

noel200 wrote:
... But terribly slow

Slower than ddns and redirection?

Maybe set PPTP server and check then.

Added after 57 [seconds]:

noel200 wrote:
...
It actually works

It works, it works. And by the way, you have access to the entire network (printers, cameras, etc.).
#46 19572503 20 Aug 2021 19:48

noel200 noel200

Level 27

Posts: 1891

Help: 36

Rate: 812
» | Topic author Helpful post? (0)

Post #46
19572503 20 Aug 2021 19:48

Erbit wrote:
Slower than ddns and redirection?

Definitely slower. The emba page has not yet loaded.

Erbit wrote:
Maybe set PPTP server and check then.

I've just done that.
#47 19574015 21 Aug 2021 21:57

Anonymous Anonymous

Level 1

» |

Post #47
19574015 21 Aug 2021 21:57

noel200 wrote:

Erbit wrote:
Slower than ddns and redirection?

Definitely slower. The emba page has not yet loaded.
...

Try clearing your browser's cache and additionally using ctrl+F5. Do you also use IP or domain while connected to WiFi?
#48 19575934 23 Aug 2021 09:14

noel200 noel200

Level 27

Posts: 1891

Help: 36

Rate: 812
» | Topic author Helpful post? (0)

Post #48
19575934 23 Aug 2021 09:14

Erbit wrote:
Do you also use IP or domain while connected to WiFi?

If I have VPN enabled on my phone, it's from IP.
Now I checked and it works faster. Movies in 4k@60fps take a long time to load, but photos of 10MB on average take 1-2s to load.
So it's probably as good as it can be.
Thank you for your help. I'm not closing the issue. I will probably still have some questions and problems.
#49 19575939 23 Aug 2021 09:20

Anonymous Anonymous

Level 1

» |

Post #49
19575939 23 Aug 2021 09:20

noel200 wrote:

Erbit wrote:
Do you also use IP or domain while connected to WiFi?

If I have VPN enabled on my phone, it's from IP.
...

The question was not about VPN but about WiFi. I want to know if you are using IP when you are connected to WiFi.
#50 19575950 23 Aug 2021 09:31

noel200 noel200

Level 27

Posts: 1891

Help: 36

Rate: 812
» | Topic author Helpful post? (0)

Post #50
19575950 23 Aug 2021 09:31

Erbit wrote:
I want to know if you are using IP when you are connected to WiFi.

Yes. If I understood the question correctly.
Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Reply | New topic

Report a violation of the law

Topic summary

✨ Accessing a NAS (Network Attached Storage) device externally without a public IP can be achieved through various methods. Users discussed the necessity of a public IP or alternatives like Dynamic DNS (DDNS) to maintain consistent access. The conversation highlighted the importance of configuring a VPN server on the router (specifically Asus routers with AsusWRT) to securely connect to the NAS. Users shared experiences with different VPN protocols, including PPTP and OpenVPN, and emphasized the need for port forwarding to access NAS services. Additionally, Zerotier was suggested as a viable solution for users without a public IP, allowing for easy configuration and direct device access. The discussion also touched on upload speeds and potential performance issues when accessing media files remotely.
Generated by the language model.

Home page
/
Forum
/
Networks, Internet
/
Beginner Networks
/
Access to the NAS from the outside without a public IP

FAQ

TL;DR: 50 Mbps upload and a PLN 5 / month public-IP fee give "so very decent" remote NAS access once you add VPN + DDNS [Elektroda, IC_Current, post #19542520] Secure setup: enable router VPN, use local LAN IPs, avoid port 80 scanning.

Why it matters: Fewer open ports mean fewer attack vectors while keeping photos and 4 K video reachable anywhere.

Quick Facts

• Public dynamic IP: PLN 5 / month from KOBA ISP [Elektroda, noel200, post #19542501] • Real upload: 50 Mbps ≈ 5.2 MB/s usable throughput [Elektroda, KOCUREK1970, post #19542630] • AsusWRT ships with PPTP & OpenVPN server tabs [Elektroda, noel200, post #19572288] • Free DDNS issued by ISP maps changing IP to hostname [Elektroda, noel200, post #19556637] • ZeroTier works behind CG-NAT but relays via master server [Elektroda, voxck, post #19570327]

Do I need a public IP to reach my home NAS?

Yes, for direct VPN hosting you need one public IP on the router WAN. Without it you must use relay services like ZeroTier or pay for VPS hosting [Elektroda, IC_Current, post #19542429]

Static vs. dynamic public IP—does it matter?

Dynamic works if you pair it with a DDNS client, but frequent changes break sessions. A true static address removes that risk [Elektroda, KOCUREK1970, post #19542478]

How much outbound speed is enough?

50 Mbps upload delivers about 5 MB/s real-world transfer—enough for HD streaming and quick photo browsing [Elektroda, KOCUREK1970, post #19542630]

What is the safest way to expose NAS data?

Run the VPN server on the router, keep NAS on the LAN, then connect from phone through the tunnel. No NAS ports stay open to the internet [Elektroda, Anonymous, post #19570262]

How do I enable VPN on AsusWRT in 3 steps?

Open VPN Server tab, pick OpenVPN. 2. Generate keys, set "Internet + Local" access, export .ovpn file. 3. Import file into OpenVPN Connect on phone, enter credentials, connect [Elektroda, noel200, post #19572288]

Which protocol: PPTP, OpenVPN or IPsec?

OpenVPN or IPsec give strong AES encryption. PPTP is faster but uses weak MS-CHAPv2 auth and may be blocked by carriers [Elektroda, Anonymous, post #19570276] "Choose IPsec when available," notes a network admin [Elektroda, Anonymous, post #19570276]

Can I skip port forwarding once VPN works?

Yes. After VPN connects, use the NAS’s local IP (e.g., 192.168.1.x). Forwarded ports become unnecessary and can be closed [Elektroda, Anonymous, post #19572466]

Why avoid ports 80 and 443?

Shodan lists over 4.1 million devices answering on port 80; automated scanners probe it constantly [Shodan, 2023]. Moving services to high ports reduces noise and log spam [Elektroda, takijasiu, post #19560572]

What if my ISP blocks uncommon ports?

Remap the NAS’s internal port to an allowed external port (e.g., 8080→80). Test accessibility after each change [Elektroda, takijasiu, post #19560572]

How does DDNS keep my address reachable?

A DDNS client updates the hostname whenever the ISP changes your IP, so you always connect via the same URL [Elektroda, IC_Current, post #19542520]

Can ZeroTier replace a public IP?

Yes. Install the client on every device; traffic routes through a relay until a peer-to-peer path forms. A master server still mediates setup [Elektroda, voxck, post #19570327]

Why is my VPN session slow?

Encrypted tunnels add 10-15 % overhead. Double-NAT or CG-NAT can add latency. 4 K@60 fps video may buffer on 50 Mbps upstream [Elektroda, noel200, post #19572479]

Edge case: ‘public’ IP shows 10.x.x.x—what’s wrong?

10.x.x.x is private; you are behind carrier NAT. VPN may connect yet external services stay unreachable [Elektroda, noel200, post #19556637]

How can I stream media for family securely?

Run Jellyfin, Emby, or Plex in Docker on the NAS. Expose it only through the VPN or ZeroTier network [Elektroda, przeqpiciel, post #19564745]

Which mobile apps work with OpenMediaVault?

OpenVPN Connect, Solid Explorer (WebDAV), and official Plex/Jellyfin apps all access OMV shares once VPN is live [Elektroda, noel200, post #19564690]

What happens if the relay service goes offline?

Clients lose the overlay network, blocking access until servers return. Keep local VPN credentials as a fallback [Elektroda, Anonymous, post #19570405]

Generated by the language model.