
I have an Arch Linux machine acting as an SSH and file server, using vsftpd for FTP and samba for SMB. I would like to access this server via SMB over the Internet, and it is currently set up to allow that. However, I do not want to do this unless the connection between the client and server is encrypted.

To be clear: The files/directories being transferred are not encrypted; what I want is for the network traffic to be encrypted, like using SSL to encrypt a connection to vsftpd.

The clients being used are Windows Explorer on Windows 7 and Windows 8.1, and Dolphin and Caja on Linux. I do not have administrative privileges on some of the Windows PCs. Ideally, the solution could be implemented at the Samba server and would work even with the clients that I have no control over without the need for a specialized client program. However, if this is not possible, I can continue to use encrypted FTP on those clients and implement the solution on the PCs I administer.

Please note that I am new to the world of Samba/SMB/CIFS, so I would appreciate the simplest effective solution and easy-to-follow instructions.

Kyle
  • A discussion related to this was on Security SE (http://security.stackexchange.com/questions/9159/how-do-i-ensure-data-encryption-on-samba-transmission-on-nix-systems) but if possible, weigh your options with having a VPN. – Michael Bailey Jul 29 '15 at 04:53

1 Answer


SMB traffic should not transit the public internet (without some form of protection). Period. In fact, many ISPs actually block the ports used by SMB/CIFS.

Set up a VPN connection to your server first (preferably OpenVPN or IPsec), and then you can use SMB over your VPN tunnel from wherever you'd like.

EEAA
  • OP should understand too, that if they configure a VPN (assuming it's got LAN routing which it would need to even access the share), they run the risk of people trying to remote into their machines after hours, curious eyes after hours, etc. Also please update FTP religiously if you're going to expose to the internet, but they probably already know that. – Michael Bailey Jul 29 '15 at 04:56
  • @EEAA I have been following the instructions at (https://wiki.archlinux.org/index.php/OpenVPN) to set up OpenVPN on my server. OpenVPN seems to start correctly on the server side, but when I test it on one of my Linux clients (a VM), I get the error `TLS Error: TLS handshake failed` and it suggests I check my network connection (which is perfectly functional in all other aspects). I have attempted the setup twice, clearing the previous attempt's files before trying again and only deviating from the instructions to use my own DN details. Any ideas as to what is wrong? – Kyle Jul 30 '15 at 20:02
  • That's a separate question, Kyle. Go ahead and post another Q with as many details as you can provide and someone will help you get things worked out. – EEAA Jul 30 '15 at 20:13
  • I posted a new question at (http://serverfault.com/questions/709860/fix-tls-error-tls-handshake-failed-on-openvpn-client) – Kyle Jul 31 '15 at 00:59
  • Another thing to consider is that the SMB protocol is quite sensitive to links with latency, which results in long waits for files requested by the user. Even with symmetrical links to the Internet (50/50 Mbps, 100 users) there are long hiccups (10-30 s) when the links on the client side as well as the server side are empty. FTP with TLS (I use proftpd) is way better: for example, at 100% congestion of the server and client links it takes 1-2 seconds to list a directory containing 100-200 other files and directories, while the same action over SMB 2.0/1.0 takes at least twice as long. – Michal Sokolowski Jul 31 '15 at 11:30
  • I fixed the TLS error and OpenVPN is now functional. After a bit of experimentation, I figured out how to access the Samba shares over the VPN and I will soon have all of my clients accessing the shares with that method. Thanks for your help. – Kyle Aug 01 '15 at 00:26
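As an added example (not from the post above or from the Samba project), here is a POSIX shell check for the accepted advice that SMB should only be reachable over the tunnel: it parses an smb.conf and reports whether `[global]` confines smbd to loopback and the VPN interface, shown against a constructed default-style config and a constructed VPN-only one. It assumes the OpenVPN tunnel is `tun0` on 10.8.0.0/24 (OpenVPN's default server subnet) and that `interfaces` lists interface names rather than addresses.

```shell
#!/bin/sh
# Added example, not from the original post or from Samba.
# Assumption: the OpenVPN tunnel is tun0 and hands out 10.8.0.0/24.
# check_smb_conf FILE: returns 0 when [global] confines smbd to the tunnel and loopback
# ("bind interfaces only = yes" plus an "interfaces" list of only lo and tun0), else 1.
check_smb_conf() {
  awk '
    { line = tolower($0); gsub(/^[ \t]+|[ \t]+$/, "", line) }
    line ~ /^\[/ { section = line; next }                 # section header, e.g. [global]
    section != "[global]" { next }
    line ~ /^bind interfaces only[ \t]*=/ {
      split(line, kv, "="); gsub(/[ \t]/, "", kv[2]); bind_only = kv[2]
    }
    line ~ /^interfaces[ \t]*=/ { sub(/^interfaces[ \t]*=[ \t]*/, "", line); ifaces = line }
    END {
      if (bind_only != "yes" && bind_only != "true" && bind_only != "1") exit 1
      if (ifaces == "") exit 1
      n = split(ifaces, a, /[ \t]+/)
      for (i = 1; i <= n; i++) if (a[i] != "lo" && a[i] != "tun0") exit 1
      exit 0
    }' "$1"
}

# Two constructed smb.conf [global] sections: a default-style one and a VPN-only one.
weak=$(mktemp); hardened=$(mktemp)
trap 'rm -f "$weak" "$hardened"' EXIT
cat > "$weak" <<'EOF'
[global]
   workgroup = WORKGROUP
   server string = Arch file server
   ; no interface restriction: smbd accepts TCP 445/139 on every address, the public one included
EOF
cat > "$hardened" <<'EOF'
[global]
   workgroup = WORKGROUP
   server string = Arch file server
   interfaces = lo tun0
   bind interfaces only = yes
   hosts allow = 127. 10.8.0.
   hosts deny = ALL
EOF

for f in "$weak" "$hardened"; do
  if check_smb_conf "$f"; then echo "$f: SMB confined to loopback and the VPN tunnel"
  else echo "$f: SMB reachable on every interface"; fi
done
```

Run it against `/etc/samba/smb.conf` on the server to confirm the restriction is in place; `hosts allow`/`hosts deny` add a second layer for clients that reach smbd some other way.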