Accessing samba shares over the internet
What's a good, secure (ish) way to access a samba server over the internet?
My first thought is to just forward the necessary ports on the router to the samba server, but I'm not sure how secure that would be.
My second thought is to somehow tunnel over ssh.
I tried this for my second thought, but it didn't seem to work.
Solution 1:
You're going to find out that the SMB protocol sucks-like-a-vacuum-cleaner over links that have high latency. You're better off using a different protocol to access the files like, say, WebDAV, rather than trying to run SMB over the 'net.
Whatever you do, use encryption. If you're going to do SMB, use a VPN protocol (OpenVPN, IPSEC ESP, PPTP, etc) to tunnel SMB across. If you're using WebDAV you can just use HTTPS as the transport.
Solution 2:
I'd recommend using SSHFS instead - which if you're on a Mac you can just install MacFusion.
Solution 3:
My first thought is to just forward the necessary ports on the router to the samba server, but I'm not sure how secure that would be.
That's something you definitely don't want to do. SMB is something you need to protect from the Internet, not expose to it.
I semi-regularly use SMB over a VPN connection and have to agree with Evan that when the latency goes up it's time to use a different protocol. I'd suggest looking into something like SFTP.
Solution 4:
If you're dealing with a share that's used by multiple clients who can't/won't use other protocols, you can create this setup:
clients.lan | <--SMB through LAN--> | \\proxy.lan\share
proxy.lan/share | <--SSHFS through Internet--> | server.in.the.internet/share
In other words, on the remote server (server.in.the.internet
), enable SSH;
On a local server (in your network proxy.lan
), mount the remote folder through SSHFS
and share this folder on the local server via SMB.
That way, clients in the local network can access the Samba share on proxy.lan, yet it's transparently (for them) proxied from your remote server; you could even set up caching on the proxy so that the access is even faster.