OpenSSL for encryption of QNAP NAS SSL WebDav connection

The task is to connect a QNAP TS-420 network disk array over the Internet for remote work.
I decided that the best solution would be to use WebDav over a secure channel.
The official instructions, however, only describe how to use WebDav without encryption.
The wiki pages (here and here) are written in English and contain some inaccuracies. So, to simplify things, I decided to put together this guide.

Initial requirements: your disk array must be accessible via the Internet at a dedicated IP address on ports 80 and 8081. It is also advisable to open access to the array on port 443. Remapping (forwarding) the standard ports to non-standard ones (for example, 34000) leads to significant slowdowns when connecting to and working with a network folder.

To get started, download OpenSSL here or from my article (the 32-bit or 64-bit build, as required).

If the program reports the following error:
WARNING: can't open config file: /usr/local/ssl/openssl.cnf

Unable to load config info from /usr/local/ssl/openssl.cnf

then run the following command (assuming the program is installed in the C:\OpenSSL-Win64 folder):
Set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg

After installation, first generate a private key with a length of 2048 bits:
C:\OpenSSL-Win64\bin>openssl genrsa -out priv.key 2048
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
......................................................................................+++
..........................................................+++
e is 65537 (0x10001)

Then we create a certificate valid for 10 years. During the process you will be asked questions for the certificate fields.
The only important one is "Common Name (eg server FQDN or YOUR name) []:". Here we need to enter the address of our disk array.
In my case, I entered the IP address 123.456.789.012.
If the connection will be made through a host name, such as nas.mydomain.net, then enter that name instead:
C:\OpenSSL-Win64\bin>openssl req -new -key priv.key -out server.crt -x509 -days 3650
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ru
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:khb
Common Name (e.g. server FQDN or YOUR name) []:123.456.789.012
Email Address []:

Now we have two files: priv.key and server.crt.
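Before the two files are pasted into the NAS, it is worth confirming that they belong together, carry the intended name and are not close to expiry. The following PowerShell check is an added example, not part of the original article; the function name Test-NasCertificate and the 30-day warning window are assumptions, and the paths are the ones used above.

```powershell
# Added example: check priv.key / server.crt before pasting them into the NAS.
# Assumption: OpenSSL is installed in C:\OpenSSL-Win64, as in this article.
$openssl = 'C:\OpenSSL-Win64\bin\openssl.exe'
$env:OPENSSL_CONF = 'C:\OpenSSL-Win64\bin\openssl.cfg'

function Test-NasCertificate {   # hypothetical helper name
    param(
        [string]$ExpectedName,            # value typed at "Common Name"
        [string]$KeyPath  = 'priv.key',
        [string]$CertPath = 'server.crt',
        [int]$WarnDays    = 30            # assumed warning window
    )
    # Both files carry the RSA modulus; a matching pair prints the same line.
    $keyMod  = & $openssl rsa  -noout -modulus -in $KeyPath
    $certMod = & $openssl x509 -noout -modulus -in $CertPath

    # Subject and expiry date as stored in the certificate.
    $subject = & $openssl x509 -noout -subject -in $CertPath
    $endDate = & $openssl x509 -noout -enddate -in $CertPath

    # -checkend N: exit code 0 means the certificate is still valid N seconds from now.
    & $openssl x509 -noout -checkend ($WarnDays * 86400) -in $CertPath | Out-Null
    $notExpiring = ($LASTEXITCODE -eq 0)

    # Accept both "CN=name" and "CN = name" output styles.
    $cnPattern = 'CN\s*=\s*' + [regex]::Escape($ExpectedName) + '(\W|$)'

    New-Object PSObject -Property @{
        KeyMatchesCert = ([bool]$keyMod -and ($keyMod -eq $certMod))
        NameMatches    = [bool]($subject -match $cnPattern)
        NotExpiring    = $notExpiring
        Subject        = "$subject"
        Expires        = ("$endDate" -replace '^notAfter=', '')
    }
}

$result = Test-NasCertificate -ExpectedName 'nas.mydomain.net'
$result | Format-List
if (-not ($result.KeyMatchesCert -and $result.NameMatches -and $result.NotExpiring)) {
    Write-Warning 'Do not upload: key and certificate fail one or more checks.'
}
```

Run it from the folder that holds priv.key and server.crt, passing the same address that was entered as the Common Name.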


Next, we need to import the newly created certificate so that the system trusts it. Double-click on the server.crt file and a window appears:


Next, we need to choose where to put this certificate:


We tell the system that this is our root-level certificate:






The system is extremely suspicious, but we tell it that everything is under control:


Next, go to the disk array and make some changes to the settings. Everything should be as in the picture:


Next, go to the shared folders and click on the settings of the folder that you want to share:


Choose the users and groups that will have access to the folder:


Next, we need to add our certificate and key.
Go to Security.
Open the priv.key and server.crt files side by side in Notepad and copy the text from server.crt into the upper field and the text from priv.key into the lower field. Click "Download":


The system displays a window like this, indicating that it is loading the certificates.


After loading, the following message should appear:


Everything is ready on the disk array.
Now we need to configure the workstation so that the computer can connect to the disk array.
There is a problem on Windows 7: QNAP requires a security change in the computer's registry.
Start regedit and, under the path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters
change the BasicAuthLevel parameter to the value 2.

After that, we must either restart the computer or restart the webclient service.
Stop:
C:\Users\raymond>sc stop webclient

Имя_службы: webclient
Тип : 20 WIN32_SHARE_PROCESS
Состояние : 3 STOP_PENDING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
Код_выхода_Win32 : 0 (0x0)
Код_выхода_службы : 0 (0x0)
Контрольная_точка : 0x0
Ожидание : 0x0

Start:
C:\Users\raymond>sc start webclient

Имя_службы: webclient
Тип : 20 WIN32_SHARE_PROCESS
Состояние : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
Код_выхода_Win32 : 0 (0x0)
Код_выхода_службы : 0 (0x0)
Контрольная_точка : 0x0
Ожидание : 0x7d0
ID_процесса : 376
Флаги :
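The registry change and service restart described above can be scripted and audited in one step. The following PowerShell is an added example, not part of the original article; the function names are hypothetical, and the value descriptions are the meanings Microsoft documents for BasicAuthLevel. It must be run from an elevated prompt.

```powershell
# Added example; run from an elevated PowerShell prompt.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\WebClient\Parameters'

# BasicAuthLevel values as documented by Microsoft for the WebClient service.
$meaning = @{
    0 = 'Basic authentication disabled'
    1 = 'Basic authentication allowed over SSL (https) only'
    2 = 'Basic authentication allowed over SSL and plain http'
}

function Get-BasicAuthLevelText {   # hypothetical helper name
    $p = Get-ItemProperty -Path $key -Name BasicAuthLevel -ErrorAction SilentlyContinue
    if ($p -eq $null) { return 'not set' }
    $v = [int]$p.BasicAuthLevel
    "$v : $($meaning[$v])"
}

function Set-WebClientBasicAuthLevel {   # hypothetical helper name
    param([ValidateRange(0, 2)][int]$Level = 2)   # 2 is the value this article uses

    $before = Get-BasicAuthLevelText
    Set-ItemProperty -Path $key -Name BasicAuthLevel -Value $Level

    # Same effect as "sc stop webclient" followed by "sc start webclient".
    Restart-Service -Name WebClient

    New-Object PSObject -Property @{
        Before  = $before
        After   = Get-BasicAuthLevelText
        Service = (Get-Service -Name WebClient).Status
    }
}

Set-WebClientBasicAuthLevel -Level 2 | Format-List
```

With level 2 the WebClient service will also answer Basic authentication requests over plain http, where the password is only base64-encoded, so drives on this workstation should be mapped to https addresses only.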

Done. Now you can try to connect to the disk array.
Right-click on Computer and select "Map a network drive ..."


Select the drive letter, and in the folder field enter the address of the array together with the port and the name of the shared folder:


Next, the system asks for a password to access the folder. Enter the one that was set in the disk array's settings:


If everything succeeds, then a network WebDav folder with encryption via SSL will appear.


In general, everything is ready! After 10 years, you will have to redo the keys.
