Accessing nextcloud behind nat

Hey there,

I will soon have a Synology NAS; when I receive it I will install Nextcloud on it.

Since I am thinking ahead of time, I know I will have a problem with port forwarding because I am behind a NAT.

The NAS will sit at a remote location connected via a 3G/4G dongle (broadband USB modem).

My question is: how do I access it behind a NAT?
The idea is to be at work and sync/backup my stuff on the NAS.

I know that configuring a domain won't help me much in my situation because the domain will lead to the NAT IP.

Is there a way to stay behind a NAT IP and still sync/upload my stuff?

Thanks!

If you want to access a site which doesn't get a static IP address assigned, you need to use a DynDNS service to be able to access it over the internet. AFAIK, Synology allows you to set up such a service. Sometimes an internet router, e.g. the German Fritzbox, provides such a service too.

https://www.google.com/search?client=firefox-b-d&q=synology+dyndns

I have the same issue

I think you misunderstood what he meant.

He clearly stated that setting up a domain won't help him because he is behind a NAT IP.
DynDNS is for setting up a domain :slight_smile: ; a static/dynamic IP is not the question here.

Think of it this way: when you use the internet on your phone and get an IP, do you think you are the only person who received this public IP?
The answer is no, there are tons (hundreds) of people that receive the same IP as you do.
This is a NAT IP.

Or think of it a different way.
You are at work, a corporate place, there are 1k people working there, and everyone that browses the net does it with the same external (public) IP.

You, on the other hand, don't have access to the firewall nor the modem nor the router or switch.

In other words, the question is how do you access your Nextcloud behind a NAT IP.

Every internet router is translating an IP address to an internal address, which might be the same IP address or the same IP address range for many users on their LAN, so that is already NAT. In this case only your own internet router is responsible for the correct address translation and port forwarding to the internal IP address.

But you're speaking about double NATing, which happens if the internet provider is translating IP addresses to an internal IP address on his transit network, before your router is doing a second address translation for your LAN. That is indeed a different story.

I think there are two different ways to work around that problem.

  1. You can use a tunnel end point provided by the manufacturer of your internet router, which relays incoming connections over the established tunnel to your router. In Germany the company AVM, for example, provides such an end point for its clients.
  2. You can use a tunnel broker service provided by 3rd-party companies, e.g. SixXS.

This German article describes both mechanisms:

You can also ask aunt G. for “dsl light tunnel” :wink:

You took the words from my mouth.

I could not say it better than you.

@j-ed I respect your time and trying to help out,
but what you are suggesting is totally off.

Think of it as if I do not own the network gear on the network.
As miko said, I don't have access to the ISP antenna firewall/routers/switches.

And it is not called double NATing, it's simple NAT; this is how NAT works everywhere in the world.
https://www.youtube.com/watch?v=FTUV0t6JaDA as simple as possible.

Your router at home does a NAT translation, the ISP routers/antenna do a NAT translation, your work router/modem does a NAT translation.

I am NOT behind 2 NATs, only one.
My device receives an internal IP and an external one from the network (ISP/antenna), like our phones.
I am not able to do anything about it.

As mentioned in my first post, I will be connected via a 3G/4G broadband USB modem.

Maybe for you to understand, what I am looking for is also called (maybe) peer to peer (P2P).

You can see this also in the online camera/DVR world. Back then, if you wanted to connect to your camera you had to set up port forwarding (or DMZ) for the camera in the router and connect via your PC/app/program to an IP + port or a domain + port. So far so good, until hacks on cameras and other IoT became common (aka the Mirai bot); then the companies started to implement P2P into their devices. What it does, in a nutshell, is: you scan a QR code/SN with the camera app, the app then connects to the camera company and asks if the SN/QR code is online and available; if it is, it will connect the client and the camera together and then leave them to it once the connection is done and successful.
Now you're asking how does the company server know if the camera is online? Simple. There is a checkbox that allows the "cloud/p2p" service on the camera,
and when this option is on, it sends every couple of minutes/seconds a notification to the company server that it's online.

That way, you don't need to risk your cameras/server/IoT being compromised by leaving them online in the wild.

You can see what happened a year ago with NextCry, where vulnerable Nextcloud servers were wide open on the internet and got hacked.
Reference: https://nextcloud.com/blog/nextcry-or-how-a-hacker-tried-to-exploit-a-nginx-issue-with-2-nextcloud-servers-out-of-300-000-hit-and-no-payout/

https://www.cvedetails.com/vulnerability-list/vendor_id-15913/Nextcloud.html

Now understand this: a P2P option would protect all users from this happening again, since servers won't be wide open on the net, and that would give an answer to people like me that don't have access to network gear or are behind a NAT.

So here I am asking again, perhaps someone else has an idea or option to implement this or make Nextcloud work behind a NAT IP? Any admins/mods?

Is your question: "Is there a way to access a server with a private internet address, aka 10/8, 172.16/12 or 192.168/16, where I have no access to the router to the public internet and therefore can't configure port forwarding to my device?"

If no: please draw a picture, because it would make clearer what your setup is.

But both are private internet addresses. Right?

BTW: for me there is nothing like a "NAT IP". Any IP address can be NATed.

If yes (we are talking about private/public IPs): @j-ed is leading you in the right direction, and you @kolet describe the solution as well.

You can't access your NAS/Nextcloud device because it doesn't have a public internet address. That is to say: you can't send the first IP packet to establish a connection because you don't have an IP address to send it to.

You have to set up a relay server both your devices can reach. Your NAS/Nextcloud will connect to it, as well as your laptop where your Nextcloud client is running. This relay server needs a public internet address, with or without DNS, but it must be known to both your devices.

OpenVPN has a "client-to-client" option. I guess that's what could do the trick. On the relay server runs the OpenVPN server; NAS/Nextcloud and the Nextcloud client are the VPN clients. The Nextcloud client needs a route to the NAS/Nextcloud.

Maybe ZeroTier is the solution you're looking for. I don't use it. It got to my attention because ehtaylor12 asked me to integrate it into my playbooks.
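The two ideas above, the camera-style broker from the earlier post (device registers by ID, signals that it is online, client asks the broker for that ID and gets joined to it) and the relay server from this reply (both NATed devices dial out to one reachable host), are the same pattern. The following is an added example, not code from this thread, from Nextcloud or from Synology: a constructed single-process Python demo of that rendezvous-and-relay pattern over localhost, using a plain TCP relay instead of the OpenVPN client-to-client setup the reply suggests. The wire protocol (REGISTER/CONNECT lines answered with REGISTERED/OK/OFFLINE), the device ID NAS-0001 and the sample request/reply are all assumptions for the demo; the open REGISTER connection stands in for the periodic heartbeat the camera post describes. Two things the demo deliberately leaves out, which a real deployment must add: the relay does not authenticate who may REGISTER an ID (so anyone could impersonate the NAS), and the relay sees every byte in the clear unless the two peers negotiate TLS with each other through it.

```python
"""Constructed rendezvous-and-relay demo (an added example, not Nextcloud code).
Both peers sit behind NAT, so each dials OUT to a relay with a reachable
address; the relay pairs them by device ID and then copies raw bytes both ways.
Assumed wire protocol: one line "REGISTER <id>" (NAS, kept open as a presence
signal) or "CONNECT <id>" (client); the relay answers REGISTERED / OK / OFFLINE."""
import contextlib
import socket
import threading


def readline(sock):
    """One line, read byte-by-byte so nothing is buffered ahead of the pump."""
    buf = b""
    while not buf.endswith(b"\n") and (chunk := sock.recv(1)):
        buf += chunk
    return buf.decode(errors="replace").strip()


def pump(src, dst):
    """Copy bytes src -> dst until EOF. The relay never parses this stream; with
    TLS negotiated end-to-end between the peers it only ever sees ciphertext."""
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)                 # propagate EOF to the other peer


class Relay:
    """Publicly reachable broker: pairs a parked NAS socket with a client socket."""

    def __init__(self, host="127.0.0.1", port=0):
        self.srv = socket.socket()
        self.srv.bind((host, port))
        self.srv.listen()
        self.port = self.srv.getsockname()[1]
        self.waiting, self.lock = {}, threading.Lock()   # device id -> NAS socket
        threading.Thread(target=self._accept, daemon=True).start()

    def _accept(self):
        while True:
            try:
                conn, _ = self.srv.accept()
            except OSError:
                return                                   # listener closed
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        parts = readline(conn).split()
        if len(parts) != 2 or parts[0] not in ("REGISTER", "CONNECT"):
            return conn.close()
        cmd, dev = parts
        if cmd == "REGISTER":                            # NOTE: no authentication here
            with self.lock:
                self.waiting[dev] = conn                 # park NAS until a client asks
            conn.sendall(b"REGISTERED\n")
            return
        with self.lock:
            nas = self.waiting.pop(dev, None)
        if nas is None:
            conn.sendall(b"OFFLINE\n")
            return conn.close()
        for s in (conn, nas):
            s.sendall(b"OK\n")
        threading.Thread(target=pump, args=(conn, nas), daemon=True).start()
        threading.Thread(target=pump, args=(nas, conn), daemon=True).start()

    def close(self):
        self.srv.close()


def dial(port, line):
    """Outbound connection from a NATed peer to the relay, sending one line."""
    s = socket.create_connection(("127.0.0.1", port))
    s.sendall(line.encode() + b"\n")
    return s


def demo():
    """Full exchange; returns (bytes the NAS saw, bytes the client saw, relay's
    answer for an ID that never registered)."""
    relay = Relay()
    nas = dial(relay.port, "REGISTER NAS-0001")          # NAS announces itself
    if readline(nas) != "REGISTERED":
        raise RuntimeError("registration failed")
    cli = dial(relay.port, "CONNECT NAS-0001")           # client asks for that ID
    if (readline(cli), readline(nas)) != ("OK", "OK"):
        raise RuntimeError("pairing failed")
    cli.sendall(b"PROPFIND /remote.php/dav/\n")          # constructed request
    seen_by_nas = readline(nas)
    nas.sendall(b"207 Multi-Status\n")                   # constructed reply
    seen_by_client = readline(cli)
    ghost = dial(relay.port, "CONNECT NAS-9999")         # nobody registered this
    offline = readline(ghost)
    for s in (nas, cli, ghost):
        s.close()
    relay.close()
    return seen_by_nas, seen_by_client, offline
```

Calling `demo()` returns `("PROPFIND /remote.php/dav/", "207 Multi-Status", "OFFLINE")`: the request the client wrote reaches the NAS, the NAS's reply reaches the client, and a CONNECT for an unregistered ID is refused. Neither peer ever accepted an inbound connection, which is the whole point behind NAT. The relay is, however, a trusted third party: in this form it can read and modify everything, so in practice the peers would run TLS (or the OpenVPN tunnel from the reply above) end to end through it.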

Hey!
Thanks for replying.

Quite a long response :slight_smile:

is your question: "is there a way to access a server with a private internet address aka 10/8, 172.16/12 or 192.168/16 where I have no access to the router to the public internet and therefore can't configure port forwarding to my device?"

if no: please draw a picture because it would make more clear what's your setup.

Answer is yes.

but both are [private internet addresses]. right?

Not sure what you just asked.
I mentioned that the device will act as a phone: it will receive a private IP from the network switches/router (via DHCP) or whatever they implement there, and will go out to the internet via a public/external IP that I don't own the hardware of.

The NAS indeed does not get assigned a network card with an external IP (like a VPS for example); it does receive a DHCP local IP and has an internet connection via the switches and router/modem.

(Just a side note: there are some ISPs that, even if you have a connection, will put you behind a NAT. I mean you have access to the router and the router does connect to the ISP via cable/ADSL/broadband/fiber, and when the router is assigned an IP/external IP, this IP will be a NAT one, meaning multiple people's routers have the same IP. But again, this is a side note and not really important for what I am looking for.)

As mentioned in my solution (the P2P solution where I explained about the online camera world), there is all the basic information on how that works.
What you are saying about the relay is totally right,
but the alternative way to approach it is wrong.

I know there is a VPN way to do it, but it's not the right one to do.
The reasons being:
1. You have to connect each and every station (PC/handset) to the VPN so they will be in the same network and therefore be able to communicate with each other.

The drawback of this is speed and latency, and a burden to install a VPN on each client and set it up (managing it all), too many points of failure: server is not responding, client not responding, hard for non-technical users to fix the problems on the VPN client side, managing a list of users and passwords for the VPN connections. A real burden.
So now if I want to connect to my Nextcloud I have to connect to a VPN before...? Not easy to use for a non-technical person; to be honest it's a hassle.

2. You still have to open a port somewhere to allow the VPN communication (aka connect to the VPN server), whether you decide to purchase a VPS and set up a VPN there, or install a VPN option on the NAS itself.
Meaning you can still be compromised, even though it's not likely because a 0-day has to be used, but it still can happen. And again this is not a real P2P solution.

Don't get me wrong, the relay server is exactly what is needed here.
But perhaps, if it does not exist, maybe it is worth implementing this P2P/cloud option into Nextcloud; this would be a game changer.

About ZeroTier, thanks for letting me know it exists, but after reading and understanding how it works it's exactly the same as a VPN: you just connect to a VPN server and you get an ID, and this ID is to join the same "group"/network for different devices.

With a P2P solution you don't need to open ports, port forwarding, DMZ, setting up a DNS, nothing (for the user of course); you don't lose speed (bandwidth) and latency.
Basically a P2P server will connect both the client and server together but without any of the drawbacks that a VPN gives.
You don't need to compromise on anything with P2P: not latency, not security, etc...

Here is an example:

I explained in a nutshell how the P2P works.

Hope you understand me correctly :slight_smile: (I mean I repeated myself like 2-3 times already, so I'm not sure if what I am saying is not clear, or this whole idea is totally new for you guys.)

Anyhow, thanks again for all the help that you guys are doing for the community.

https://www.laviewsecurity.com/cms/2019/03/21/p2p-camera/

You can also look here:

The ezcloud ID that the guy receives is a "p2p address".

a.) Change your provider to a real provider and then use DynDNS and port forwarding on your router.
b.) Host your Nextcloud on the internet; start e.g. for free with 8 GB: https://nc.nl.tab.digital/apps/registration/

Hi :slight_smile:

You're missing the whole point. If you had read the whole thread you would know that your suggestion is not a good one, unfortunately, as I already answered why it's a bad one...

There is a better way to do this, as explained in my previous messages :slight_smile:

Instead of compromising on security and easiness, something good can come out of this.

Have you considered running your Nextcloud as a hidden service on Tor? Setting it up depends on the OS, but for example on CentOS it was as easy as installing one package and uncommenting two lines from the default config file. The Tor Browser can then connect to it; getting other clients to connect can be trickier.

Hey hey,

I have not, but when thinking about it, it does not seem to be a good idea.

1. Speed, latency.
2. The burden for a regular user to access the Nextcloud would be way too hard.

Remember that clients' phones/PCs will need to upload and download and sync to the Nextcloud server; with Tor that would be almost impossible. The reason being they will need to install Tor as a service/daemon that runs constantly in the background of the phone/PC so they will be able to access the onion link, while they would need to keep working and browsing.
That is not a good solution, unfortunately.

However, that can be great for single users who don't mind accessing their cloud from a link; that also adds privacy, but you'll still have a bandwidth and speed and latency problem. Still a nice idea for single users who are tech savvy.
(That can also work with the Linux Nextcloud client software if you run it with proxychains.)

Good idea though, but not applicable for this issue :slight_smile:

Is there any dev on the forum :slight_smile: ?

So they can understand the reasoning behind what I wrote and perhaps implement it; this would be a game changer for any cloud and will surpass any other cloud service out there.

In the end no one gave a solution, huh :frowning:
Unfortunate.

If you had spent more time trying to understand what people are saying and less explaining why they are missing the point, there would be more interest in actually reading your "opuses"...


I did read everything, every single message, but that does not give a solution.

Not sure why you take it so personally :slight_smile:

Solution to what?

I'll let you in on a secret: this is the part of your 600+ word essay that turns people off.

You prefer a P2P solution with a man-in-the-middle knowing everything to opening port 443 and implementing a VPN system. In the name of security, no less!?
This is called laziness, not security... to put it mildly...


The 600-word essay was to explain and elaborate the solution to the issue that people have.

The P2P solution protects the users and the server by not exposing unnecessary ports.
Needless to say, your response "to opening port 443" gives me a good idea of why you did not read my post, but never mind that. I'm pretty sure you are not suited for the job of giving the community a solution; don't give me that BS that you don't want to read it because of what I wrote.

The thread title is "accessing Nextcloud behind NAT", and you tell me to open a port? When I mentioned multiple times why it's not possible?!

What I can say is that not only camera companies but also Synology implemented that in their system, to access their NAS from afar without the need for and/or exposing anything outside.

A P2P solution gives a solution to all the problems above that I mentioned and others mentioned as well, problems = limitations that users have.
Security-wise, accessibility-wise, etc... I won't repeat the essays.

It should be intuitive for the normal/day-to-day users.

Look for Synology Drive, Synology DS Drive; they all work the same way, with a P2P solution, and it is accessible for all users, from the tech-savvy guy to the home user guy.

All the solutions people suggested before you were no good, and I explained why their "solution" does not really solve the problem/issue.

Sad that instead of focusing on the problem that people have (not only me), you focus on attacking me personally for I don't know what reason, but I'll survive, I'm not worried.
All I care about is the problem and the solution.

There are thousands of Nextcloud installations with millions of users with a lot of private data, and all use TLS/SSL with port 443.

It does not mean it's secure...

There are millions of devices and Windows and web services; does it mean they are secure?
Nah, not at all.
You can make it more secure, so why not do it?