Accessing BSB-LAN securely from the internet

fredlcore edited this page Jun 18, 2024 · 1 revision

This section describes the basic options for securely accessing BSB-LAN from the Internet. Because of the large number of routers available, only the most important steps can be described here; for further details, please refer to the manual for your router. We cannot provide support for setting up these steps. Please ask for advice in suitable Internet forums.

Basic requirement: Set up (sub)domain with dynamic DNS

To enable external access, you need your own (sub)domain that can be reached from the internet via a dynamic DNS service. Some router or NAS providers such as AVM or Synology offer such a service directly to their customers. Otherwise you must have your own domain (e.g. mein-zuhause.de) and set up a subdomain on it (in this example bsb-lan.mein-zuhause.de), which must then be configured accordingly with the dynamic DNS provider.

Option 1: Virtual private network (VPN)

Many routers provide a server for a virtual private network (VPN) by default. This is the most secure option, as it generally blocks any other access to the home network. Once such a VPN server is set up and activated, for example on the router, you can access BSB-LAN from a VPN-capable device in the same way as you normally would, i.e. via its home IP address. The disadvantage is that BSB-LAN cannot be accessed without a VPN-enabled end device. Similarly, the Internet connection you use while traveling may be configured in such a way that VPN is not possible. In these cases, there is no way to access the home resources.

Option 2: Reverse proxy

Among other things, a reverse proxy offers the possibility of accessing several devices in the home network via a single, externally visible device on which a reverse proxy server is running. The following steps are necessary for this:

1. Set up port forwarding

Port forwarding must be set up in the local network for the device on which the reverse proxy is running. Port 443 must be used so that this access can be secured via SSL/TLS. Please note that it may then no longer be possible to access the router itself via port 443. However, the SSL port can be changed on some routers, so this does not have to be a fundamental problem. To use SSL/TLS on port 443, a corresponding (possibly self-signed) certificate must of course be installed on the device. Many router or NAS manufacturers already offer the installation of free Let's Encrypt certificates out of the box.

2. Install and set up the reverse proxy

The device on which the reverse proxy runs can be any computer that is permanently accessible, e.g. a file server/NAS. The reverse proxy server is installed and set up on this device. If you are using a Synology NAS for this purpose, such a function is already built in from DSM 7 onwards (see Control Panel / Application Portal / Advanced). You now configure the reverse proxy so that it accepts the requests for the selected (sub)domain via HTTPS(!) on port 443 and then forwards them via HTTP(!) to port 80 of the BSB-LAN adapter. The way back is exactly the opposite: from BSB-LAN via unsecured HTTP to the reverse proxy and from there via HTTPS back out to the Internet. BSB-LAN can now be accessed directly via an HTTPS call to the (sub)domain. It is advisable to activate HTTP authentication in BSB-LAN in any case, as otherwise anyone would have access to BSB-LAN.
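
The two steps above, written out as a reverse proxy configuration. This is an added example, not part of the original wiki page or the BSB-LAN project: it assumes nginx as the reverse proxy, 192.168.1.50 as the LAN address of the BSB-LAN adapter, and placeholder certificate paths.

```nginx
# Added example; nginx, the LAN address and the certificate paths are assumptions.
# No listener on port 80 is defined, so nothing is served to the Internet unencrypted.

# Catch-all: refuse the TLS handshake for any name other than the BSB-LAN
# (sub)domain, e.g. clients that connect to the bare public IP address.
# ssl_reject_handshake requires nginx 1.19.4 or later.
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

server {
    listen 443 ssl;
    server_name bsb-lan.mein-zuhause.de;   # (sub)domain from the dynamic DNS step

    # Certificate for the (sub)domain, e.g. from Let's Encrypt (placeholder paths)
    ssl_certificate     /etc/ssl/bsb-lan/fullchain.pem;
    ssl_certificate_key /etc/ssl/bsb-lan/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Forward via plain HTTP to port 80 of the BSB-LAN adapter.
        proxy_pass http://192.168.1.50:80;   # assumed LAN address of the adapter
        proxy_set_header Host $host;
        # The client's Authorization header and the adapter's 401 response are
        # passed through unchanged, so the HTTP authentication activated in
        # BSB-LAN keeps working behind the proxy.
    }
}
```

After reloading the proxy, an unauthenticated request to https://bsb-lan.mein-zuhause.de/ should be answered with 401 once HTTP authentication is active in BSB-LAN.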
