Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

VPN and File sharing

cavi

cavi

macrumors regular
Original poster
Sep 19, 2010
151
28
Haifa, Israel
Hello everyone,

I want to enable file sharing for users on my local network. In case that someone wants to connect from his/her home (or any other location which is not the office (i.e. the office network)he/she will must use VPN. The thing is that I didn't managed to understand how to set this configuration on the server app... shall I use "privet networks" of "this Mac" option under the "permission" pane? How do I define the only people who are in the office network can connect without VPN?

Thanks!
A.
 
cavi

cavi

macrumors regular
Original poster
Sep 19, 2010
151
28
Haifa, Israel
Hi!
I know this video (I watched all the videos of Todd – highly recommended =]) and I even contacted him about this issue (and he kindly respond to my email, but I didn't understand it...).
The thing is if I turn on file sharing, the user didn't need a VPN connection to see the files. I want that if the user is in remote location he will use VPN in order to see the shared files...
 
satcomer

satcomer

Suspended
Feb 19, 2008
9,115
1,973
The Finger Lakes Region
cavi said:
Hi!
I know this video (I watched all the videos of Todd – highly recommended =]) and I even contacted him about this issue (and he kindly respond to my email, but I didn't understand it...).
The thing is if I turn on file sharing, the user didn't need a VPN connection to see the files. I want that if the user is in remote location he will use VPN in order to see the shared files...
Click to expand...

Yes he will VPN into a network from outside that network as long as you have a VPN server setup.
 
  • Like
Reactions: cavi
cavi

cavi

macrumors regular
Original poster
Sep 19, 2010
151
28
Haifa, Israel
OK, Thanks! I thought that I need to make some changes in order to "force" him/her to use VPN.
THANKS! :)
 
cavi

cavi

macrumors regular
Original poster
Sep 19, 2010
151
28
Haifa, Israel
And if he or she "forget" to connect via VPN. If file sharing is on they have access to the files (which are more exposed...)?
Sorry of being "annoying", I'm in a middle of setting up my business which contains sensitive data and I want to make sure that everything is protected as much as it can.
 
DJLC

DJLC

macrumors 6502a
Jul 17, 2005
958
401
North Carolina
VPN is a "tunnel" from a trusted user outside your network. Thus they can connect to file sharing services on the local network when the connection is active.

If you're able to connect to the file shares outside when disconnected from VPN, check your firewall. Those ports should not be open to the outside.
 
  • Like
Reactions: Ajmaq and cavi
Altemose

Altemose

macrumors G3
Mar 26, 2013
9,189
487
Elkton, Maryland
cavi said:
And if he or she "forget" to connect via VPN. If file sharing is on they have access to the files (which are more exposed...)?
Sorry of being "annoying", I'm in a middle of setting up my business which contains sensitive data and I want to make sure that everything is protected as much as it can.
Click to expand...

No. The VPN is a way to allow a client access into the local network. While the person is halfway across the world, their machine connects in to the server and is just like a local client. Only at that point can they use File Sharing on the server.

There are two primary protocols for File Sharing: SMB (Server Message Block) and AFP (Apple Filing Protocol). Most ISPs block SMB (ports 139 and 445), but allow AFP (port 548). Those ports should not be open unless you opened them on your router, thereby forcing the user to VPN in before having any File Sharing access.
 
  • Like
Reactions: cavi
kiwipeso1

kiwipeso1

Suspended
Sep 17, 2001
646
168
Wellington, New Zealand
cavi said:
Hello everyone,

I want to enable file sharing for users on my local network. In case that someone wants to connect from his/her home (or any other location which is not the office (i.e. the office network)he/she will must use VPN. The thing is that I didn't managed to understand how to set this configuration on the server app... shall I use "privet networks" of "this Mac" option under the "permission" pane? How do I define the only people who are in the office network can connect without VPN?

Thanks!
A.
Click to expand...

VPN is basically a private broadband connection that is like a "dialup" direct to your server.
Your local network people direct connect by AFP or SMB as usual, by connect to server K. (They don't need VPN)
The only thing you need do to setup VPN is have a password and address to share to users.
Then all they do is add the office VPN to their network preferences, and set it to run from the menubar (connect).

It should only take a couple of minutes on each mac to setup & maybe five minutes on the server to pick a good password.
 
  • Like
Reactions: cavi
cavi

cavi

macrumors regular
Original poster
Sep 19, 2010
151
28
Haifa, Israel
komatsu said:
You're welcome.

Did you find a suitable solution?
Click to expand...
I spoke with an advisor which toled me that as long as I use SMB with encrypted connecting I don't really need a VPN (for remote users also)... That is true also to other services like mail and calendar — as long as I use SSL for the service.
 
Altemose

Altemose

macrumors G3
Mar 26, 2013
9,189
487
Elkton, Maryland
cavi said:
I spoke with an advisor which toled me that as long as I use SMB with encrypted connecting I don't really need a VPN (for remote users also)... That is true also to other services like mail and calendar — as long as I use SSL for the service.
Click to expand...

SMB is one of the most compromised ports and as a result most ISPs block SMB traffic altogether requiring the use of VPN to get File Sharing running.
 
  • Like
Reactions: cavi and kiwipeso1
chrfr

chrfr

macrumors G5
Jul 11, 2009
13,517
7,034
cavi said:
Even if encrypted? :eek:
Click to expand...
Back in the early days of Windows XP, it was possible for the computer to be compromised via these ports even before the user had a chance to install patches that might block it. Consequently, most ISPs blocked these ports back then.
 
kiwipeso1

kiwipeso1

Suspended
Sep 17, 2001
646
168
Wellington, New Zealand
cavi said:
I spoke with an advisor which told me that as long as I use SMB with encrypted connecting I don't really need a VPN (for remote users also)... That is true also to other services like mail and calendar — as long as I use SSL for the service.
Click to expand...

Your advisor knows nothing about basic cryptography, or networking.
You need a VPN to keep your secrets safe, as SSL is not as reliable for connections.
 
  • Like
Reactions: BeefCake 15, Ajmaq and cavi
cavi

cavi

macrumors regular
Original poster
Sep 19, 2010
151
28
Haifa, Israel
OK, so how I enforce the use of VPN on users?
lets say that I have a user which I allow to him several services, including file sharing. now, this user also has a MacBook which he uses at his home (or iPad, iPhone etc'). when this user enters his username and password he can see all the files and he do not need to use VPN. so, how I create a rule which allow users to see the office files only if they use VPN?

Thanks a lot!
 
Altemose

Altemose

macrumors G3
Mar 26, 2013
9,189
487
Elkton, Maryland
cavi said:
OK, so how I enforce the use of VPN on users?
lets say that I have a user which I allow to him several services, including file sharing. now, this user also has a MacBook which he uses at his home (or iPad, iPhone etc'). when this user enters his username and password he can see all the files and he do not need to use VPN. so, how I create a rule which allow users to see the office files only if they use VPN?
Click to expand...

Easy... Make sure that the AFP and SMB ports are not open on the router. If you created a port forward allowing port 548 to be open, then the Mac can connect without VPN.
 
  • Like
Reactions: cavi
L

LC Phil

macrumors newbie
Apr 7, 2016
15
6
Vienna
cavi said:
Thanks! I'll try
Click to expand...
Hi Cavi,

I just read this thread and I'm not too sure this is the best road for you to go down, especially as your technical knowledge may not be sufficient for setting up and troubleshooting a VPN. Plus, you mentioned sensitive data.

  • What is your current upload speed (not download) for the Server?
  • What firewall or router do you have, could it handle the VPN connection instead?
  • Do you have a static IP address with your ISP?
  • If so, is that mapped to a sub-domain for ease of use?
  • How are the files stored? Are they on a drive that mirrors your data in case of a single drive failure, or just a typical external HDD?
At the end of the day anyone can setup a VPN. But is it actually going to work for your business, it may not. Perhaps have a look at other file sharing solutions such as Dropbox for Business as there is more to consider then just access to the data.

If cost is an issue make sure your data isn't just stored on an external drive but that it's a proper storage solution that allows for the mirroring of drives for when a drive fails.

If you must setup a VPN, then I'd recommend opening the ports for 1701, 4500, 500 for L2TP VPN, then the ports for Calendar and Contact DAV if you are using that too. I wouldn't open the ports for AFP and SMB, it will be inviting trouble. Ensure your Firewall will not respond to pings.

Good luck!

Regards,

Phil
 
  • Like
Reactions: cavi
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom