Best protocol/way to remote file share on OSX? AFP, SMB, SSH, BTTM, VPN?

Discussion in 'Mac OS X Server, Xserve, and Networking' started by NazgulRR, Jul 20, 2015.

  1. NazgulRR macrumors 6502

    Joined:
    Oct 4, 2010
    #1
    Hi.

    I've just set up a Mac Mini with OSX Yosemite and Server.app as a home server and got the remote file sharing to work. I'm about 1500km away from my Mac Mini server now and it works no problem over the internet.

    I am able to connect to it in a couple of different ways: 1) direct AFP, 2) direct SMB, 3) Back To My Mac (BTTM) from Finder, 4) SSH, 5) VPN, 6) VNC (Screen Sharing).

    Questions:
    a) I've got a bunch of ports open on the router at home now for all of this to work, which makes me a bit worried as I assume 1) and 2) aren't the most secure ways to connect, correct?

    b) Are there any of the above mentioned protocols that iOS devices/apps cannot connect to?

    I sometimes use iOS apps that access SMB shares over internet. Would I still need to keep that direct port for SMB open on my router for that to work or could I SSH/BTTM into that as an alternative from my iPhone/iPad?

    c) What is really the difference between BTTM, SSH, and VPN in terms of security or performance? Which one would you choose as your default method of connecting for file sharing and screen sharing?

    d) Can I have different users (i.e., people with different iCloud accounts) tunnel to my Mac Mini server via SSH for the purpose of file sharing that is restricted to only certain folders (I'm under the impression that BTTM is locked to a single user/iCloud account?)?

    Thanks for all the help!
     
  2. rctlr, Jul 20, 2015
    Last edited: Jul 20, 2015

    rctlr macrumors 6502a


    Joined:
    May 9, 2012
    #2
    VPN is a good method, and one of the safest and most secure.
    For PPTP VPN connections, you need to open TCP port 1723
    No need to add the apps' ports. All traffic from your device is sent via the VPN tunnel to your network.
    Once you are connected to the VPN, you can then smb, vnc, btmm, afp, etc etc etc as if you are on the local network.

    --

    If you are not using a VPN, then you should use secure protocols.
    SSH/SFTP are great for transferring files over the internet (that uses just TCP port 22).

    VNC is insecure - there are ways to secure it, and there is a lot of documentation online on how to do it. It usually runs on TCP port 5900

    Both ssh and vnc can be set up per user - so different directories, and screens.

    For SFTP I use ifiles http://ifilesapp.com
    For SSH I use Prompt https://panic.com/prompt/
    For VNC (BTMM) I use RealVNC http://www.realvnc.com
    All on my iDevices.

    I would not recommend AFP or SMB over the internet as they are insecure.
     
  3. NazgulRR thread starter macrumors 6502

    Joined:
    Oct 4, 2010
    #3
    Thanks for your reply, very helpful.

    I run a L2TP VPN server with the OSX Server app, which I find to be quite spotty in function - i.e., sometimes it takes a couple of retries before it connects.

    Here is what I am thinking now:
    1) AFP over SSH for Remote File Sharing and VNC as per this guide as a default method of connection: http://www.tech-otaku.com/networking/establishing-ssh-tunnel-remotely-access-mac-afp-vnc/

    This should allow me to mount remote Macs natively in Finder as well if I understand things correctly.

    2) SFTP for remote file access on my iOS devices.

    3) AFP/SMB over VPN if 1) doesn't work

    4) Close all ports except for 22 (SSH), 80 (needed for my dynamic DNS service), 32400 (Plex) and the 4 ports needed for L2TP VPN server

    Question:
    - I think I opened up 4 different ports to run the L2TP VPN Server. Does this make it less secure than PPTP? Should I switch it to PPTP?
    - What should I do with BTTM? Switch it off? Or is it needed in any way for the SSH to function properly?
     
  4. nebo1ss macrumors 68030

    Joined:
    Jun 2, 2010
    #4
    You can use port forwarding as well. I never open port 22 on my router; I generally pick some weird port and forward it to 22 in the router config.
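The tunnelling plan from post #3 (AFP and VNC carried over one SSH session) combined with the non-standard outside port from post #4, written up as an added shell example; it is not from the thread or from the tech-otaku guide. The dynamic-DNS name home.example.net, the outside port 2222, the account name nazgul and the loopback ports 5548/5901 are assumptions chosen for the example.

```shell
#!/bin/sh
# Reach AFP (548) and VNC (5900) on the home Mac through one SSH session, so only
# the SSH port needs forwarding on the router. Assumed values, not taken from the
# thread: home.example.net as the dynamic-DNS name, 2222 as the outside port the
# router forwards to 22 on the Mini, "nazgul" as the account, 5548/5901 as the
# loopback ports on the laptop.
REMOTE_USER=${REMOTE_USER:-nazgul}
REMOTE_HOST=${REMOTE_HOST:-home.example.net}
REMOTE_PORT=${REMOTE_PORT:-2222}
LOCAL_AFP=${LOCAL_AFP:-5548}
LOCAL_VNC=${LOCAL_VNC:-5901}

# ssh_tunnel USER HOST PORT LOCAL_AFP LOCAL_VNC [print]
# The forwards are bound to 127.0.0.1 on this laptop, so nobody else on the hotel
# or office network can ride the tunnel. ExitOnForwardFailure makes ssh refuse to
# start when a loopback port is already taken, instead of silently running without
# that forward. With a 6th argument of "print" it only shows the command.
ssh_tunnel() {
  mode=${6:-run}
  set -- ssh -N -f -p "$3" \
      -o ExitOnForwardFailure=yes \
      -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
      -L "127.0.0.1:$4:127.0.0.1:548" \
      -L "127.0.0.1:$5:127.0.0.1:5900" \
      "$1@$2"
  if [ "$mode" = print ]; then printf '%s\n' "$*"; else "$@"; fi
}

# tunnel_up PORT -> 0 when something is listening on that loopback port
tunnel_up() { nc -z 127.0.0.1 "$1" >/dev/null 2>&1; }

case "${1-}" in
  show) ssh_tunnel "$REMOTE_USER" "$REMOTE_HOST" "$REMOTE_PORT" "$LOCAL_AFP" "$LOCAL_VNC" print ;;
  up)   ssh_tunnel "$REMOTE_USER" "$REMOTE_HOST" "$REMOTE_PORT" "$LOCAL_AFP" "$LOCAL_VNC" ;;
  open) # Finder and Screen Sharing connect to the loopback ends of the tunnel
        tunnel_up "$LOCAL_AFP" || { echo "tunnel is not up; run: $0 up" >&2; exit 1; }
        open "afp://127.0.0.1:$LOCAL_AFP/"
        open "vnc://127.0.0.1:$LOCAL_VNC" ;;
  down) # kills the background ssh started by "up" (matches on its -p argument)
        pkill -f "ssh -N -f -p $REMOTE_PORT" ;;
esac
```

Usage: `sh tunnel.sh up` opens the session (ssh asks for the key passphrase before backgrounding itself), `sh tunnel.sh open` mounts the AFP share and launches Screen Sharing against the loopback ports, `sh tunnel.sh down` tears it down. Binding to 127.0.0.1 rather than the default `-L PORT:...` matters because the laptop is on someone else's network when this is used; with the default binding on some ssh builds plus `GatewayPorts`, other machines on that network could reach the forwarded ports.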
     
  5. rctlr macrumors 6502a


    Joined:
    May 9, 2012
    #5
    PPTP is still considered the easiest to set up, and is secure. I prefer it over L2TP.

    To be honest, if you have the VPN in place, then you don't need the SSH tunnel, unless you really really want to mount AFP over a web connection. I've done it and it's very, very slow. There is Macfusion where you can mount SFTP, though I just prefer FileZilla to connect to get and put files as I want.
     
  6. NazgulRR thread starter macrumors 6502

    Joined:
    Oct 4, 2010
    #6
    I'll definitely play around with both AFP through SSH and VPN to see which one works better. Is there any good speed test app I can use to test upload/download speed?

    The reason why I'd want the shares to mount in Finder is so that I could back up to Time Machine remotely (works brilliantly so far directly over internet to AFP).

    Also, how do I know if a share in Finder is mounted over VPN, BTTM or AFP tunneled through SSH?
     
  7. NazgulRR thread starter macrumors 6502

    Joined:
    Oct 4, 2010
    #8
    I wasn't clear enough on this - I meant how do I know whether it is connected via direct AFP as opposed to BTTM, etc. However, I found this out - cmd+I on the connected share and I get this info :).

    I tried the following now and ran some speed tests (downloading a 1GB file):
    - AFP over internet: fast & insecure
    - AFP over L2TP VPN: fast & secure
    - AFP over BTTM (I assume this is AFP tunnelled through SSH?): slow & secure

    I haven't noticed much difference in VNC speeds across the three different ways.

    So I'll be using the AFP/VPN with the AFP/BTTM as a fallback on OSX :).

    One small problem:
    When I'm on VPN, I'm able to connect to my server using its local IP (192.168.x.xxx), but not its name (macname.local). Any ideas as to why this is? I'm 100% sure I am using the correct name - verified in both System Preferences and Server.app.

    On the iOS front, I was able to connect with SFTP in Readdle's Document.app. However, I see only the main user folder and not the connected USB drive. How do I get it to show my USB drive as well?
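The question in posts #6 and #7 about telling how a share is connected (direct AFP, over VPN, through the SSH tunnel, or BTMM) can be answered from the host part of each line in `mount` output. The following is an added shell example, not something from the thread: the sample `mount` lines are constructed for it, and the `*.members.btmm.icloud.com` hostname form assumed for a Back to My Mac mount, the share names and the addresses are all illustrative.

```shell
#!/bin/sh
# Classify each network share in `mount` output by the host it connects to:
#   tunnel  - loopback address (the share came in over an SSH port forward)
#   private - RFC 1918 address or .local name (reachable on the LAN or over the VPN)
#   btmm    - a *.members.btmm.icloud.com name (Back to My Mac)
#   direct  - anything else (the share is being reached straight across the internet)
# Constructed sample of `mount` output for this example, not captured from the poster's Mini.
SAMPLE_MOUNTS='/dev/disk1 on / (hfs, local, journaled)
//nazgul@localhost:5548/Data on /Volumes/Data (afpfs, nodev, nosuid, mounted by nazgul)
//nazgul@192.168.1.10/Data on /Volumes/Data-1 (afpfs, nodev, nosuid, mounted by nazgul)
//nazgul@macmini.123456789.members.btmm.icloud.com/Data on /Volumes/Data-2 (afpfs, nodev, nosuid, mounted by nazgul)
//nazgul@203.0.113.7/Media on /Volumes/Media (smbfs, nodev, nosuid, mounted by nazgul)'

# classify_host HOST -> tunnel | private | btmm | direct
classify_host() {
  case "$1" in
    localhost|127.*|::1)                                           echo tunnel ;;
    *.members.btmm.icloud.com)                                     echo btmm ;;
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|*.local)  echo private ;;
    *)                                                             echo direct ;;
  esac
}

# share_host LINE -> the host out of a "//user@host[:port]/share on /mountpoint (...)" line
share_host() {
  src=${1%% on *}       # //user@host:port/share
  src=${src#//}         # user@host:port/share
  src=${src#*@}         # host:port/share  (unchanged if there was no user@)
  src=${src%%/*}        # host:port
  printf '%s\n' "${src%%:*}"
}

# report_mounts: reads `mount` output on stdin, prints "mountpoint fstype host class"
# for every network (//...) mount and skips local filesystems
report_mounts() {
  while IFS= read -r line; do
    case "$line" in //*) ;; *) continue ;; esac
    mnt=${line#* on }; mnt=${mnt%% (*}
    fstype=${line#*(}; fstype=${fstype%%,*}
    host=$(share_host "$line")
    printf '%s %s %s %s\n' "$mnt" "$fstype" "$host" "$(classify_host "$host")"
  done
}

case "${1-}" in
  sample) printf '%s\n' "$SAMPLE_MOUNTS" | report_mounts ;;
  live)   mount | report_mounts ;;
esac
```

`sh sharecheck.sh live` runs it against the real `mount` output; `sample` runs the constructed lines. A `direct` result on an `afpfs` or `smbfs` mount is the case post #2 warns about: the share's own authentication is the only thing between the router port and the data.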
     
  8. rctlr macrumors 6502a


    Joined:
    May 9, 2012
    #9
    The name is broadcast over Bonjour, which does not work over VPN - if it did, then we could do cooler things like iTunes Wireless Sync remotely etc.
    Adding an entry to your /etc/hosts file should work:
    192.168.x.xxx macname

    I'll have to play with readdle's app, but I guess you've specified a default path?
    /Users/username ?

    The mounted USB Drive will be under /Volumes/usbname

    I'm not sure if Readdle's app will honour it, but you could create a symbolic link to the USB drive in your /Users/username folder.
    Open Terminal and type in:

    ln -s /Volumes/usbname ~/usbdrive

    That makes a symbolic link called usbdrive in your /Users/username folder
    Then the doc app might read it.

    I'll have a play later, and report back, but its worth giving it a go yourself.
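The /etc/hosts entry from the post above, done as an added shell example rather than a hand edit: it validates the address, refuses to add a name that is already mapped, and appends only then. This is not code from the thread; 192.168.1.10 and "macmini" are stand-ins for the poster's 192.168.x.xxx and macname, and the entry uses the bare name exactly as rctlr's does. The symbolic link for the USB drive stays the one-liner already given in the post.

```shell
#!/bin/sh
# Give the home Mac a static name that resolves over the VPN, where Bonjour's
# multicast lookups do not reach. Assumed values, not from the thread:
# 192.168.1.10 and "macmini" stand in for the poster's 192.168.x.xxx / macname.
HOSTS_FILE=${HOSTS_FILE:-/etc/hosts}

# valid_ipv4 ADDR -> 0 for a dotted quad whose four octets are each 0..255
valid_ipv4() {
  case "$1" in *[!0-9.]*|.*|*.|*..*|'') return 1 ;; esac
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
  return 0
}

# add_host_entry FILE IP NAME -> 0 added, 1 NAME already mapped (existing line shown), 2 bad input
add_host_entry() {
  file=$1; ip=$2; name=$3
  valid_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 2; }
  case "$name" in *[!A-Za-z0-9.-]*|'') echo "bad host name: $name" >&2; return 2 ;; esac
  # NAME already present as an address's name or alias on a non-comment line?
  if grep -Eiq "^[^#]*[[:space:]]$name([[:space:]]|\$)" "$file"; then
    grep -Ei "^[^#]*[[:space:]]$name([[:space:]]|\$)" "$file" >&2
    return 1
  fi
  printf '%s\t%s\n' "$ip" "$name" >> "$file"
}

# Usage: sudo sh addhost.sh 192.168.1.10 macmini
if [ $# -eq 2 ]; then
  add_host_entry "$HOSTS_FILE" "$1" "$2" && dscacheutil -flushcache
fi
```

Because /etc/hosts is consulted before DNS, a stale or wrong line here silently redirects every connection to that name, so the duplicate check is what keeps a second run from leaving two competing entries; `dscacheutil -flushcache` drops the resolver cache so the new mapping is used immediately.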
     
  9. NazgulRR thread starter macrumors 6502

    Joined:
    Oct 4, 2010
    #10
    Ah, wasn't aware of that! I'll just use the IP for now - I have it fixed within LAN anyway.

    FYI, this is (reportedly) a way to set up Bonjour to work over VPN:
    http://provideotech.org/bonjour-and-vpn-or-how-i-learned-to-stop-googling-and-love-simplicity/

    Don't think I'll get time to try this out for quite a while though, but let me/us know if you try it and if/how it works. I'd be curious to see iTunes Home Sharing to work on iOS/OSX that way.

    No, I just pointed it to the server directly and it defaults to my user directory for some reason. Symbolic link is a good trick, thanks for that. Wonder why I didn't think of that sooner :p.

    FWIW, I set up Infuse on iOS to connect to my server via SFTP in the same way and that one correctly defaults to the top-most level of the server - i.e., showing me such folders as bin, cores, dev, home, library, users. etc. and, lastly, volumes too.
     
  10. SlCKB0Y macrumors 68040


    Joined:
    Feb 25, 2012
    Location:
    Sydney, Australia
    #11
    With SMB, this translation usually requires WINS. With AFP this is done with Bonjour.
     
  11. steve123 macrumors regular

    Joined:
    Aug 26, 2007
    #12
    Oh my gosh. PPTP is definitely not considered secure anymore. Stick with L2TP.
     
  12. rctlr, Jul 31, 2015
    Last edited: Jul 31, 2015

    rctlr macrumors 6502a


    Joined:
    May 9, 2012
    #13
    Reading more on PPTP I stand corrected, it has been compromised in the past - so it's not considered secure.

    Red signifies secure channels for terminal access and SFTP file transfer. Keys are used as opposed to passwords.
    The Tunnel (I've used VPN Enabler) I've made L2TP with a Shared Key.
    As for access to AirVideo/AFP/Plex - they are local. I do not access them outside of the local network.
     
  13. 556fmjoe macrumors 65816

    Joined:
    Apr 19, 2014
    #14
    SSH is simple, secure, fast, and cross platform. I won't use anything else.
     
  14. NazgulRR thread starter macrumors 6502

    Joined:
    Oct 4, 2010
    #15
    Thanks guys for continuing/adding to the discussion.

    Sticking with L2TP VPN then.

    I just set up SSH Tunnel Manager and loving the ability/simplicity to remotely SSH to my home server and access pretty much anything over it (File Sharing, Screen Sharing, Plex (Web UI), Torrent Remote (Web UI), etc.).

    One question regarding SSH on iOS devices:
    How does it actually work on iOS devices? Does Prompt behave similarly to Terminal (or SSH Tunnel Manager) on OSX in regards to SSH? In other words, would I be able to set up my own local and remote ports for my server and then once connected, switch to iOS Safari to SSH to, for example, Plex Web UI on my Server the same way as I would usually on OSX? If so, does SSH tunnel connection time out after a while (think apps in the background have time-limited activity?)?

    On OSX, I'll be using L2TP VPN as preferred way of connecting remotely, with SSH tunnelling being the fallback measure if VPN isn't working. On iOS, it will be VPN or SFTP for files/SSH for VNC (Screens VNC supports it!). That way I will have open ports 22, 80, and the 4 ports for VPN. What do you guys think about this? Eventually I plan on changing the SSH port to something else instead of 22.
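Question (d) in the opening post (other people tunnelling in over SSH but limited to certain folders) and rctlr's note in post #2 that SSH can be set up per user both point at OpenSSH's chrooted SFTP-only accounts. The following is an added shell example, not configuration from the thread: the group name sftpusers, the jail root /Users/Shared/sftp, the account names and the sshd_config path are assumptions, and it uses only OpenSSH options (Match, ChrootDirectory, ForceCommand internal-sftp) and the OS X dseditgroup command.

```shell
#!/bin/sh
# Let another person log in over SSH for file transfer only, confined to one folder,
# via OpenSSH's ChrootDirectory and the built-in SFTP server. Assumed names, not from
# the thread: group "sftpusers", jail root /Users/Shared/sftp, and the sshd_config path.
SFTP_GROUP=${SFTP_GROUP:-sftpusers}
SFTP_ROOT=${SFTP_ROOT:-/Users/Shared/sftp}
SSHD_CONFIG=${SSHD_CONFIG:-/etc/sshd_config}   # assumed Yosemite path; newer releases use /etc/ssh/sshd_config

# match_block GROUP ROOT -> stanza for the END of sshd_config (a Match block applies to
# every line after it, so it must come last). Keys only, no shell, no port forwarding.
match_block() {
  cat <<EOF
Match Group $1
    ChrootDirectory $2/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PasswordAuthentication no
EOF
}

# file_owner_perm PATH -> "uid perm" (BSD stat on OS X, GNU stat elsewhere)
file_owner_perm() {
  if [ "$(uname)" = Darwin ]; then stat -f '%u %Lp' "$1"; else stat -c '%u %a' "$1"; fi
}

# chroot_dir_ok DIR -> 0 only if sshd will accept DIR as a chroot: it must exist, be
# owned by root, and not be writable by group or others, or sshd refuses the login.
chroot_dir_ok() {
  d=$1
  [ -d "$d" ] || return 1
  set -- $(file_owner_perm "$d")
  owner=$1; perm=$2
  perm=${perm#"${perm%???}"}                     # keep the last three octal digits
  [ "$owner" = 0 ] || return 1
  case "$perm" in ?[2367]?|??[2367]) return 1 ;; esac
  return 0
}

# add_sftp_user USER -> puts USER in the group and builds the jail: a root-owned
# directory (the chroot) with a user-owned "files" directory inside it to write to.
add_sftp_user() {
  u=$1
  dseditgroup -o read "$SFTP_GROUP" >/dev/null 2>&1 || dseditgroup -o create "$SFTP_GROUP"
  dseditgroup -o edit -a "$u" -t user "$SFTP_GROUP"
  mkdir -p "$SFTP_ROOT/$u/files"
  chown root:wheel "$SFTP_ROOT/$u" && chmod 755 "$SFTP_ROOT/$u"
  chown "$u" "$SFTP_ROOT/$u/files"
  chroot_dir_ok "$SFTP_ROOT/$u"
}

case "${1-}" in
  print)   match_block "$SFTP_GROUP" "$SFTP_ROOT" ;;
  install) grep -q "^Match Group $SFTP_GROUP" "$SSHD_CONFIG" \
             || match_block "$SFTP_GROUP" "$SFTP_ROOT" >> "$SSHD_CONFIG"
           sshd -t -f "$SSHD_CONFIG" ;;          # syntax check before any new connection uses it
  add)     add_sftp_user "$2" ;;
esac
```

Run as root: `sh sftpjail.sh install` appends the stanza once and checks the file with `sshd -t`; `sh sftpjail.sh add guest` jails an existing account. Such a user gets SFTP and nothing else: `ForceCommand internal-sftp` removes the shell and `AllowTcpForwarding no` stops them using the same login to build the port forwards the rest of this thread relies on, which is the difference between "can fetch files from one folder" and "can reach everything on the LAN".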
     
