I'm currently running one Samba server open to the internet (yes I know, bad idea but using encryption, SMB3 etc) behind a dynamic DNS (let's call it myhomesmb.net). I'm looking at starting a second Samba server on a different machine but I'd like to be able to access it externally without the use of a VPN so using the same route as the 1st samba server.

Is there any way to do this? Like a reverse samba proxy? Basically I'd like to use smb://myhomesmb.net/server1 for server 1 and smb://myhomesmb.net/server2 for server 2.

Yes I know it's pretty stupid and there are much better ways to do this but I'd like to give it a shot before setting up something proper when I get the time.

Running Ubuntu 20.04, SMB3 on both servers, on the same NAT, behind the same router gateway with ports 445 and 139 open to a dynamic DNS address.

Thanks!

  • You can of course mount a share from the second server on the first, and share that mounted directory. But, as you say yourself, this is a bad idea for many reasons, and the main reason is that it's erasing all user information, because you can only be one user that mounts that directory on server 1. (And I'm less worried about your encrypted or unencrypted traffic; I worry about your Samba being crawled by a million malware bots, and that it one day might have a security bug or guessable password, giving an attacker control over your machine or access to your data.) Commented Sep 4, 2022 at 6:54
  • Thanks Marcus, I didn't think of doing that! I agree it's a rather bad idea I just need it for a temporary solution, will definitely change to something more secure. Thanks! Commented Sep 4, 2022 at 7:51
  • well, consider this: security only needs to be broken once to cause significant damage. Making a solution more comfortable can be done at any time. I think you should simply do a VPN. It's crazily simple using wireguard. Just use `for name in {server1,external{1,2}} ; do wg genkey > ${name}.priv ; wg pubkey < ${name}.priv > ${name}.pub; done` to generate private and public keys for your server1 and two external clients (you'll guess how you can make more!), and write a really minimal wireguard config in `/etc/wireguard/`, which allows the two external public keys, gives them addresses from Commented Sep 4, 2022 at 8:00
  • your LAN, and uses the server1.priv content as private key for the server. On the external clients, just use your dyndns address as Endpoint with the server1.pub as PublicKey. And tada, now you have a private network in which all your servers and external clients are, no further setup needed, no proxying, no security danger; you can at that point close the port forwarding on your NAT router. It's honestly easier than taming samba :) Commented Sep 4, 2022 at 8:02
  • Ok I'll give that a shot :) I'm already running an OpenVPN server to connect to my home NAT to access other resources but I found that the samba speeds were terrible over the VPN (over 10x slower on the same internet connection) versus directly over the internet. Hopefully, Wireguard will yield better results or maybe I'll set up a 'knock' type interface keeping all the samba ports closed unless I trigger them to open when needed and automatically close after. Thanks again! Commented Sep 4, 2022 at 21:35
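
The WireGuard setup described in the comments above, as an added example that is not part of the original thread: a script that renders the config for server1 and one config per external client. The function names, UDP port 51820, LAN range 192.168.1.0/24 and output file names are assumptions, and a separate tunnel subnet 10.8.0.0/24 is used here where the comment suggests LAN addresses; myhomesmb.net is the question's placeholder name.

```bash
#!/usr/bin/env bash
# Added example; assumed values: tunnel subnet, LAN range, port, file names.
set -eu
TUN_NET=10.8.0            # assumed tunnel /24, separate from the LAN
LAN_CIDR=192.168.1.0/24   # assumed home LAN holding server1 and server2
PORT=51820                # assumed UDP port, forwarded on the router to server1
ENDPOINT=myhomesmb.net    # the question's placeholder dynamic DNS name

# server_conf <server_priv> <client_pub>...  -> wg0.conf for server1 on stdout
server_conf() (
  priv=$1; shift; i=2
  printf '[Interface]\nPrivateKey = %s\nAddress = %s.1/24\nListenPort = %s\n' \
    "$priv" "$TUN_NET" "$PORT"
  for pub in "$@"; do
    # /32 per peer: a client key may only use its own tunnel address
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s.%s/32\n' "$pub" "$TUN_NET" "$i"
    i=$((i + 1))
  done
)

# client_conf <client_priv> <host_number> <server_pub>  -> one client's config
client_conf() (
  printf '[Interface]\nPrivateKey = %s\nAddress = %s.%s/24\n' "$1" "$TUN_NET" "$2"
  printf '\n[Peer]\nPublicKey = %s\nEndpoint = %s:%s\n' "$3" "$ENDPOINT" "$PORT"
  # Split tunnel: only tunnel and LAN traffic is routed through server1
  printf 'AllowedIPs = %s.0/24, %s\nPersistentKeepalive = 25\n' "$TUN_NET" "$LAN_CIDR"
)

# generate <outdir>: create keys with wg (as in the comment) and write all configs
generate() (
  out=$1; n=2
  umask 077                 # private keys must not be world-readable
  mkdir -p "$out"
  for name in server1 external1 external2; do
    wg genkey > "$out/$name.priv"
    wg pubkey < "$out/$name.priv" > "$out/$name.pub"
  done
  server_conf "$(cat "$out/server1.priv")" \
    "$(cat "$out/external1.pub")" "$(cat "$out/external2.pub")" > "$out/wg0.conf"
  for name in external1 external2; do
    client_conf "$(cat "$out/$name.priv")" "$n" "$(cat "$out/server1.pub")" \
      > "$out/$name.conf"
    n=$((n + 1))
  done
)

if [ "${1:-}" = generate ]; then generate "${2:-./wg-out}"; fi
```

Run it as `generate <dir>` on server1, then forward only the UDP port to server1 and close the 445/139 forwards. To reach server2 through the tunnel, server1 also needs IP forwarding enabled and the LAN needs a return route (or NAT on server1) for the tunnel subnet.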
