How to securely share files over the internet?

Gorbatsjov

Honorable
Apr 5, 2013
5
0
10,510
Hello everybody,

I'm really lost, I thought it would be really easy to be able to safely share files that are stored on my server over the internet, so that I can access them from anywhere. But it turns out it's almost impossible! I've tried OpenVPN multiple times, Openswan and even ownCloud, but I couldn't get them to work (except for ownCloud, but I disliked it). Am I missing something? Do any of you know an easy way to share files securely over the internet?

This is what I want:
- To be able to access my files through Windows Explorer (i.e. be able to map the shared folder as a network drive in Windows)
- To be able to open the files directly, without having to download them first (as is the case with an FTP server), so I can stream my music files
- An encrypted connection, so nobody can intercept the data I am sending to and receiving from the server

This is what I have:
- A fast internet connection (100mbit)
- An Ubuntu 12.04 LTS Server
- Two laptops running Windows 7 - these are the machines that should be able to access the files on the server

This is what I've tried:
- Setting up a VPN (using OpenVPN and Openswan, using all kinds of different VPN Clients)
- 'Tunneling Samba through SSH' - although I don't really understand what this means..
- Setting up ownCloud, but that didn't allow me to open the whole shared drive in Windows Explorer and I also doubt the security of it
None of these things worked, obviously.

I'm already running a Samba server which allows me to access the server's files through my LAN, but I don't think it's really secure to open the Samba server up to connections from outside the LAN, or is it?

So my question actually is: How do I make my files safely accessible through the internet? There must be an easy way to do this, as this is one of the first things you want to do once you have your own server, right?

Thanks a lot in advance, I'm looking forward to your responses! (please keep in mind that I don't have much experience with Linux networking)
Gorbatsjov
 

kyzarvs

Distinguished
When you say "Tunneling Samba through SSL" - I presume you mean SSH?

That is a pretty straightforward thing to do - we use tunnelling as a poor man's VPN all the time :)

Without going into massive detail:

1. On the server, make sure you are running SSHD (secure shell daemon) and SAMBA (for the file shares).
2. Download and install PuTTY on the client machines.
3. Check that you can see the remote shares and login with PuTTY from within the network.
4. Port-forward your SSH port (usually 22) from your router to your server.
5. From outside the network, you should be able to use PuTTY to log into your server - you will need a static IP, or dynamic DNS service to always be able to find your server.
6. Use PuTTY's 'tunnels' feature to tunnel through the ports that you need for files (no need to open any additional ports on your router).

That's the very basics, but with Google and some time it's fairly straightforward to set up. Send me a PM if you can't work it out and I'll do you some documentation on how we use it.
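
A server-side sketch for steps 1, 4 and 6 of the procedure above, as an added example that is not part of kyzarvs's post: an `sshd_config` fragment for the one SSH port that is forwarded from the router, limiting tunnels to the local Samba ports. The account name `tunneluser` is hypothetical, and the fragment assumes Samba listens on the server's loopback address.

```conf
# /etc/ssh/sshd_config fragment (added example, not from the thread).
# "tunneluser" is a hypothetical account used only for the file-share tunnel.

# Weak settings that are risky once port 22 is forwarded from the router:
#   PasswordAuthentication yes  -> the exposed port accepts password guessing
#   PermitRootLogin yes         -> root is a valid login target from the internet
#   (no PermitOpen line)        -> a logged-in user may forward to any host:port
#                                  the server can reach, not just Samba

# Hardened equivalents
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
X11Forwarding no
AllowAgentForwarding no
PermitTunnel no
GatewayPorts no

# Only listed accounts may log in; add your own admin account here too,
# otherwise you lock yourself out.
AllowUsers tunneluser

# Match blocks apply to everything after them, so keep this at the end.
Match User tunneluser
    AllowTcpForwarding yes
    # Tunnels may only reach Samba on the server itself:
    # 139 = NetBIOS session service, 445 = SMB over TCP.
    PermitOpen 127.0.0.1:139 127.0.0.1:445
```

Check the file with `sshd -t` before restarting the daemon, and keep an existing session open until a new key-based login has been confirmed. In PuTTY the matching tunnel entry uses `127.0.0.1:139` (or `127.0.0.1:445`) as the destination.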
 

Gorbatsjov

Thanks for your response, kyzarvs! I'll also post the results here, because it might be useful for other people as well.

I'm now trying to create the SSH tunnel, but I can't get it to work.. I've already disabled File Sharing on my local computer, so my port 139 is free to use by PuTTY. But now when I browse to \\127.0.0.1, I just get an error saying that the network location was not found..
 

4745454b

Titan
Moderator
Can you give more details as to why it needs to be secure?

I used Logmein to remotely access my computer from my laptop. If you buy the pro version you'll be able to copy something from your computer/server and paste it to the laptop/remote computer. I think it uses FTP but it works in the browser so it uses port 80. It's probably not secure at all so I get the feeling you won't like it. But I'm not sure why a normal person would need advanced security unless you are doing something you shouldn't be doing.
 

Gorbatsjov



Is 'anyone who' incorrect? I'm not English myself so I don't speak perfect English.. Btw, I think you are underestimating the risks if you think I'm overcomplicating things. Or wouldn't you mind if anybody could just freely browse your files?

 

dbhosttexas

Honorable
Jan 15, 2013
437
0
10,810
I am glad you got it to work, however I am a bit concerned you weren't able to get VPN to work.

I don't quite get it. If you have the SAMBA server working with the laptops on your LAN, and you have set up the VPN server / client properly, you are effectively "on" your LAN.

What errors are you seeing in /var/log/messages and /var/log/secure when you try to connect from the VPN connection?

What error messages are you seeing from the Windows clients?

Do you have some funny firewall config either IPtables or /etc/hosts.allow /etc/hosts.deny in your Ubuntu box?
 

Gorbatsjov



The thing is, I'm fairly new to Linux. I don't know what IPtables are, I don't know the files that you mentioned, I don't know how a VPN works and I don't understand the pages-long configuration files of the VPNs I tried. :p I don't even know where the program's executable files of an installed program are stored, and I didn't know where configuration files are put normally. When you just start working with Linux after years of Windows-only, it's really non-transparent..
This is why it is very hard for me to set up a VPN. I've tried multiple different tutorials (always cleaning up after I tried one that didn't work) and none of them worked for me. I got all sorts of different error messages from the built-in Windows VPN client and the third party VPNs simply couldn't connect..

If you have any suggestion though, I'm willing to try something new. :)

edit:
Also, I didn't know where the VPN programs put their log files, and once I found one from OpenVPN, it flushed every minute..

edit2:
So the actual problem with setting-up the VPNs, was that I was just unable to connect. Not even once did I establish a connection from the client to the server. While testing, I had the firewall on the laptop disabled, and I don't think I have a firewall on the server, but I'm not sure because I don't know where to look for..
 

dbhosttexas



That explains a lot. Since I myself am brand spanking new at setting up open source VPNs I can't be a lot of help there.

I honestly am more of a Red Hat Linux user, so I may not nail Ubuntu right on the head, but...

IPTables is the stateful packet inspection firewall used by most Linux distributions, a good number of commercial Unixes, and other specialized operating systems and firmware (Such as DD-WRT on routers).

Netfilter provides yet another layer of application level firewalling, and is controlled by the files /etc/hosts.allow and /etc/hosts.deny (at least on Red Hat that is where they are...). And remember, just like Windows security, the most restrictive rule set wins.

To get up to speed with the info you need, google what you want. So for example...

"Ubuntu IPTables HOWTO"
"Ubuntu netfilter configuration"

 

kyzarvs

Distinguished
Just to come back in on this:

@4745454b - There are a million and one perfectly legal and good practice reasons to not have your internal network open to Botnets, snooping or any other problems that can arise from being overly open. In fact I would go so far as to say it is highly irresponsible to allow machines onto the network without good security.

@dbhosttexas - Horses for courses - we also use OpenVPN quite a lot to allow access, but we find it is easier to setup SSH-tunneling than go through certificate generation & sharing for the complete novice to this area. Once set up and the tunnels are stored, the PuTTY method is very stable, quick to connect and requires almost no maintenance - whilst still only keeping one port-forward open. When advising customers remotely I'm not going to be able to visit, we always start with SSH and then move up to VPN as / when requirements change.

 

4745454b

Titan
Moderator
I agree. But I use the free version of logmein and I'm not "open" to botnets and other scum. When you use the program you still need to log onto the machine. You seem to want to transmit encrypted data which is why I suspect the illegal activity. As I said above I'm glad you got it working.

Edit: Or seeing as you aren't that OP I'm glad s/he got it working.