Turn a Cheap VPS into a Network-Attached Drive (Step-by-Step)

Want a low-cost, always-on “NAS” you can mount from anywhere? A budget VPS works great. Below are three battle-tested approaches, from quickest to most robust. Each includes exact commands for Ubuntu 22.04/24.04 on the VPS and copy-paste client steps for Windows, macOS, and Linux.

  • Method A (Fastest to set up): SSHFS (SFTP over SSH)
  • Method B (Most reliable for Windows & networks): WireGuard VPN + SMB (Samba)
  • Method C (Flexible & sync-friendly): rclone mount (SFTP backend)

✅ Recommendation: If you want a “real drive” that behaves like a Windows share and survives flaky networks, Method B is the best long-term choice. For quick personal use, Method A is fine. If you also want syncing tools and cloud-style workflows, Method C is excellent.


Prerequisites

  • A VPS (1 vCPU / 1 GB RAM is enough for personal storage; SSD preferred).
  • Ubuntu 22.04/24.04 (commands assume this; other distros are similar).
  • A static IP or a stable public IP (replace 203.0.113.10 below with yours).
  • A non-root user with sudo on the VPS (we’ll create it if needed).
  • Basic SSH access from your PC to the VPS.

🗂️ We’ll store files under /srv/storage on the VPS by default. Change paths if you like.


VPS Prep (one-time)

SSH into your VPS as root (or use your provider’s console), then:

# Create a non-root sudo user (change 'alice' to your name)
adduser alice
usermod -aG sudo alice

# (Optional but recommended) Add your public key for passwordless SSH
# Replace the key below with YOUR actual public key
mkdir -p /home/alice/.ssh
echo 'ssh-ed25519 AAAA...YOURKEY... alice@pc' >> /home/alice/.ssh/authorized_keys
chmod 700 /home/alice/.ssh
chmod 600 /home/alice/.ssh/authorized_keys
chown -R alice:alice /home/alice/.ssh

# Basic updates
apt update && apt -y upgrade

# Create storage directory
mkdir -p /srv/storage
chown -R alice:alice /srv/storage

Secure SSH (optional but smart):

# Install fail2ban and UFW firewall
apt -y install fail2ban ufw

# Allow SSH
ufw allow OpenSSH
ufw --force enable

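# Optional: change SSH port from 22 to 2222 for obscurity
# Open the new port first so you don't lock yourself out:
# ufw allow 2222/tcp
# Edit /etc/ssh/sshd_config and set:
#   Port 2222
# Then run:
# systemctl restart ssh
# (On Ubuntu 24.04, sshd is socket-activated; also run:
#  systemctl daemon-reload && systemctl restart ssh.socket)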

Note your VPS IP (e.g., 203.0.113.10) and the SSH port you’re using (22 or 2222).


Method A — SSHFS (SFTP over SSH)

Pros: Quick, secure (SSH), minimal server setup.
Cons: Can be slower on Windows; not ideal for heavy database files or large multi-user workflows.

A1) Server requirements

You already have SSH from the prep. No extra services needed.

A2) Windows client (two options)

Option 1 — SSHFS-Win (Explorer integration)

  1. Install WinFsp and SSHFS-Win.
  2. In File Explorer address bar, enter: \\sshfs\alice@203.0.113.10
  3. Enter your SSH password or select your key. You’ll see a network drive showing your home directory.
  4. To mount /srv/storage specifically: \\sshfs.r\alice@203.0.113.10\srv\storage (The \\sshfs.r\ prefix makes the path relative to the server root instead of your home directory; add a !PORT suffix to the host if not on port 22.)

Option 2 — rclone (uses SFTP; supports drive letters)

(See Method C for full details. It often behaves better on Windows and you can map to a drive letter.)

A3) macOS client

# Install sshfs (macFUSE + sshfs). On Apple Silicon/macOS, use:
brew install --cask macfuse
brew install gromgit/fuse/sshfs-mac # community tap (if official sshfs is unavailable)

# Create a mount point
mkdir -p ~/VPS-Drive

# Mount over SSHFS (port 22)
sshfs alice@203.0.113.10:/srv/storage ~/VPS-Drive \
  -o reconnect,ServerAliveInterval=15,ServerAliveCountMax=3,cache=yes

# If using custom SSH port 2222:
sshfs alice@203.0.113.10:/srv/storage ~/VPS-Drive -p 2222 \
  -o reconnect,ServerAliveInterval=15,ServerAliveCountMax=3,cache=yes

# Unmount when done:
umount ~/VPS-Drive   # or: diskutil unmount ~/VPS-Drive

A4) Linux client

# Install sshfs
sudo apt -y install sshfs   # Debian/Ubuntu
# sudo dnf install fuse-sshfs  # Fedora/RHEL

mkdir -p ~/VPS-Drive

# Mount (default port 22)
sshfs alice@203.0.113.10:/srv/storage ~/VPS-Drive \
  -o reconnect,ServerAliveInterval=15,ServerAliveCountMax=3,cache=yes

# Or with custom port:
sshfs -p 2222 alice@203.0.113.10:/srv/storage ~/VPS-Drive \
  -o reconnect,ServerAliveInterval=15,ServerAliveCountMax=3,cache=yes

# Unmount:
fusermount -u ~/VPS-Drive

Method B — WireGuard VPN + SMB (Samba)

Pros: Feels like a true LAN share, great Windows compatibility, solid performance, you can access multiple services privately.
Cons: Slightly longer setup, but worth it.

B1) Install WireGuard on the VPS

sudo apt -y install wireguard qrencode

# Create keys as root (umask 077 so the private key is never world-readable)
sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key'
sudo chmod 600 /etc/wireguard/server_private.key

# Create wg0 config (10.6.0.1/24 as VPN subnet)
cat <<'EOF' | sudo tee /etc/wireguard/wg0.conf
[Interface]
Address = 10.6.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
# SaveConfig = true

# (Optional) If you plan to route all traffic via VPS, enable and set PostUp/Down NAT rules.
# For SMB-only, we don't need NAT; the VPN is just for private access.
EOF

# Insert the real private key and keep the config readable by root only:
PRIV=$(sudo cat /etc/wireguard/server_private.key)
sudo sed -i "s|SERVER_PRIVATE_KEY|$PRIV|" /etc/wireguard/wg0.conf
sudo chmod 600 /etc/wireguard/wg0.conf

# Enable and start
sudo systemctl enable --now wg-quick@wg0

# Firewall
sudo ufw allow 51820/udp

If your provider filters UDP, ensure 51820/udp is open. Keep SSH allowed.

B2) Create a WireGuard peer (your PC)

Generate a client keypair on your PC or on the VPS (safer to generate locally). Here’s a quick VPS-side method (copy results to your PC; delete afterwards):

# Generate the client keypair as root with a restrictive umask
sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/client1_private.key | wg pubkey > /etc/wireguard/client1_public.key'
echo "Client private key:"
sudo cat /etc/wireguard/client1_private.key
echo "Client public key:"
sudo cat /etc/wireguard/client1_public.key

Add the peer to the server:

# Replace CLIENT1_PUB_KEY with the printed public key
cat <<'EOF' | sudo tee -a /etc/wireguard/wg0.conf

[Peer]
PublicKey = CLIENT1_PUB_KEY
AllowedIPs = 10.6.0.2/32
EOF

sudo systemctl restart wg-quick@wg0

Create the client config (on your PC) as wg-client1.conf:

[Interface]
PrivateKey = CLIENT1_PRIVATE_KEY
Address = 10.6.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.6.0.0/24
PersistentKeepalive = 25

  • Replace keys and endpoint IP accordingly.
  • Windows/macOS: install the WireGuard app, import wg-client1.conf, activate.
  • Linux: sudo apt install wireguard && sudo wg-quick up ./wg-client1.conf

Test ping:

# From your PC
ping 10.6.0.1

B3) Install SMB (Samba) on the VPS

sudo apt -y install samba

# Create a user-backed share
sudo mkdir -p /srv/storage
sudo chown -R alice:alice /srv/storage

# Create a Samba user (prompted for SMB password)
sudo smbpasswd -a alice

# Configure the share
sudo tee -a /etc/samba/smb.conf >/dev/null <<'EOF'

[storage]
   path = /srv/storage
   browsable = yes
   read only = no
   guest ok = no
   valid users = alice
   force user = alice
   create mask = 0664
   directory mask = 0775
EOF

sudo systemctl restart smbd

Lock SMB to the VPN only (good security):

# UFW rule: allow SMB only on wg0 interface
sudo ufw allow in on wg0 to any port 445 proto tcp
sudo ufw deny 445/tcp

Now SMB is reachable only via 10.6.0.1 over the VPN.

B4) Map the SMB share from your PC

Windows:

  1. Ensure WireGuard tunnel is active (you have 10.6.0.2).
  2. Map the drive in Explorer: This PC → Map network drive
    • Folder: \\10.6.0.1\storage
    • Use different credentials → username alice (SMB password from smbpasswd -a).
  3. Or via PowerShell (maps to drive S:): New-PSDrive -Name S -PSProvider FileSystem -Root "\\10.6.0.1\storage" -Persist -Credential (Get-Credential)

macOS:

# Finder: Go → Connect to Server...
# Enter: smb://10.6.0.1/storage
# Login as 'alice' with the Samba password

Linux:

sudo apt -y install cifs-utils
sudo mkdir -p /mnt/storage
sudo mount -t cifs //10.6.0.1/storage /mnt/storage -o username=alice,iocharset=utf8,vers=3.0
# To unmount: sudo umount /mnt/storage

That’s it—you now have a private, LAN-style drive backed by your VPS.


Method C — rclone mount (SFTP backend)

Pros: Works great on Windows/macOS/Linux, can mount to a drive letter, supports caching and sync; uses SFTP (no extra server service).
Cons: Needs WinFsp on Windows; FUSE permissions on macOS/Linux.

C1) Server requirements

SSH + SFTP are already available from the prep. No extra server software.

C2) Install rclone on your PC

C3) Configure an SFTP remote

rclone config
# n) New remote -> name: vps
# Storage: sftp
# host: 203.0.113.10
# user: alice
# port: (22 or 2222)
# y) Use SSH agent or provide key/password
# Accept defaults; save config

C4) Mount the VPS storage

Windows (map to drive R:):

# Ensure WinFsp is installed
rclone mount vps:/srv/storage R: --vfs-cache-mode writes
# Keep this terminal open while mounted (or use nssm/task scheduler to run in background)

macOS/Linux:

mkdir -p ~/VPS-Drive
rclone mount vps:/srv/storage ~/VPS-Drive --vfs-cache-mode writes
# Unmount with: fusermount -u ~/VPS-Drive   (Linux)
# Or:          umount ~/VPS-Drive           (macOS)

Tip: For background mounting on Windows, use nssm to run rclone as a service; on Linux, create a systemd unit.


Security & Hardening Tips

  • Never expose SMB (port 445) to the public internet. Use WireGuard.
  • Use SSH keys instead of passwords for SFTP/SSH.
  • Keep your system updated: apt update && apt upgrade regularly.
  • fail2ban helps against SSH brute-force.
  • Firewall everything: Only open 22/2222 (SSH) and 51820/udp (WireGuard).
  • At-rest encryption: For sensitive data, consider an encrypted filesystem (e.g., LUKS on a secondary volume) or encfs/cryptomator inside /srv/storage.
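
The firewall policy this guide relies on (public access to SSH and 51820/udp only, SMB allowed only on wg0) can be checked mechanically. The function below is an added example, not part of the original guide; it assumes interface rules appear in `ufw status` as "445/tcp on wg0", and the sample outputs are constructed.

```shell
# Added example. Policy checked, taken from the guide:
#   public ALLOW rules: SSH (OpenSSH/22 or 2222/tcp) and 51820/udp only;
#   SMB (445/tcp) may be allowed only "on wg0".

audit_ufw() {
  # stdin: output of `ufw status`. Prints one finding per line; silent if clean.
  awk '
    /^Status: inactive/ { print "FAIL firewall inactive" }
    / ALLOW / {
      to = $0
      sub(/[ \t]+ALLOW.*/, "", to)     # keep only the "To" column
      gsub(/ \(v6\)/, "", to)          # treat IPv6 rows like IPv4 rows
      if (to ~ /^(OpenSSH|22|22\/tcp|2222\/tcp|51820\/udp)$/) next
      if (to == "445/tcp on wg0") { smb_vpn = 1; next }
      print "FAIL unexpected ALLOW: " to
    }
    END { if (!smb_vpn) print "WARN no 445/tcp rule on wg0" }
  '
}

# Constructed samples of `ufw status` output (not captured from a real host).
sample_good() {
cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
51820/udp                  ALLOW       Anywhere
445/tcp on wg0             ALLOW       Anywhere
445/tcp                    DENY        Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
EOF
}

sample_bad() {
cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
445/tcp                    ALLOW       Anywhere
139/tcp                    ALLOW       Anywhere
EOF
}

sample_bad | audit_ufw   # on the VPS: sudo ufw status | audit_ufw
```
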

Performance Tips

  • VPS with NVMe SSD improves I/O.
  • WireGuard MTU: If you see fragmentation or poor throughput, try setting MTU = 1280 in both peer configs.
  • SSHFS/rclone cache: --vfs-cache-mode writes (rclone) and -o cache=yes (sshfs) helps with apps that expect local-like behavior.
  • Avoid editing large DB files directly over the network. Sync locally, then upload.

Backups (Don’t skip!)

Your VPS “NAS” is not a backup unless you back it up:

  • Snapshot the VPS disk if your provider supports it.
  • Use restic, borgbackup, or rclone to push encrypted backups to object storage (e.g., restic -r s3:s3.amazonaws.com/your-bucket ...).
  • Keep off-site copies (another region/provider).

Troubleshooting Cheatsheet

Can’t connect via SSH/SFTP

  • Confirm IP and port: ssh -p 22 alice@203.0.113.10
  • Check firewall: ufw status
  • Ensure SSH running: systemctl status ssh

WireGuard connects but can’t reach 10.6.0.1

  • Confirm interface: ip addr show wg0 on VPS
  • Check AllowedIPs on client includes 10.6.0.0/24
  • Try PersistentKeepalive = 25 on client peer section
  • Firewall: ufw allow in on wg0

SMB share not mapping

  • Ensure WireGuard is up, then smbclient -L //10.6.0.1 -U alice (Linux/macOS)
  • Restart Samba: systemctl restart smbd
  • Ensure smbpasswd -a alice was completed
  • On Windows, try \\10.6.0.1\storage in Explorer and verify credentials

SSHFS/rclone feels slow

  • Add caching flags (above)
  • Prefer WireGuard + SMB for Windows workloads

FAQ

Is it safe to expose SSH to the internet?
With key-based auth, fail2ban, and updates, it’s reasonably safe. For extra safety, put SSH behind a VPN or limit by IP.

Can I share this drive with friends/family?
Yes. Add more WireGuard peers (10.6.0.3, 10.6.0.4, …) and Samba users. Ensure you manage permissions on /srv/storage.
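
Each added peer needs its own AllowedIPs address, since WireGuard routes a tunnel address to exactly one peer. The script below is an added example, not part of the original guide: it picks the next free 10.6.0.x from a server config and prints the [Peer] stanza to append; the function names and placeholder keys are assumptions made for illustration.

```shell
# Added example, not from the original guide. Keys below are placeholders.

next_peer_ip() {
  # stdin: wg0.conf text. Prints the lowest 10.6.0.x (x = 2..254) that no
  # AllowedIPs line already claims; prints nothing if the subnet is full.
  awk -F'[ \t=/,]+' '
    /^AllowedIPs/ {
      for (i = 2; i <= NF; i++)
        if ($i ~ /^10\.6\.0\.[0-9]+$/) { split($i, o, "."); used[o[4] + 0] = 1 }
    }
    END { for (h = 2; h <= 254; h++) if (!(h in used)) { print "10.6.0." h; exit } }
  '
}

peer_stanza() {
  # stdin: wg0.conf text; $1: the new client public key (base64).
  # Prints the [Peer] stanza to append, or fails without output.
  pub=$1
  conf=$(cat)
  case $pub in
    ""|*[!A-Za-z0-9+/=]*) echo "invalid public key" >&2; return 1 ;;
  esac
  if printf '%s\n' "$conf" | grep -qF "PublicKey = $pub"; then
    echo "peer already present" >&2; return 1
  fi
  ip=$(printf '%s\n' "$conf" | next_peer_ip)
  [ -n "$ip" ] || { echo "no free address in 10.6.0.0/24" >&2; return 1; }
  printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$pub" "$ip"
}

# Constructed server config: 10.6.0.2 and 10.6.0.4 taken, 10.6.0.3 free.
sample_conf() {
cat <<'EOF'
[Interface]
Address = 10.6.0.1/24
ListenPort = 51820

[Peer]
PublicKey = PLACEHOLDERKEYA=
AllowedIPs = 10.6.0.2/32

[Peer]
PublicKey = PLACEHOLDERKEYB=
AllowedIPs = 10.6.0.4/32
EOF
}

sample_conf | peer_stanza "PLACEHOLDERKEYC="   # stanza with 10.6.0.3/32
```
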

What VPS size do I need?
1 vCPU, 1–2 GB RAM, and enough disk for your data. Heavy SMB workloads benefit from 2 vCPU.

Can I use NFS instead of SMB?
Yes—NFS is great for *nix clients. Use it only over WireGuard, never exposed publicly.


Quick Copy-Paste Recap

Minimal SSHFS setup (Linux/macOS):

# VPS (one-time)
sudo apt update && sudo apt -y install ufw fail2ban
sudo ufw allow OpenSSH && sudo ufw --force enable
sudo mkdir -p /srv/storage && sudo chown -R $USER:$USER /srv/storage

# Client
mkdir -p ~/VPS-Drive
sshfs alice@203.0.113.10:/srv/storage ~/VPS-Drive -o reconnect,cache=yes

Recommended: WireGuard + SMB (Windows-friendly):

# VPS
sudo apt -y install wireguard samba
# Configure wg0 (10.6.0.1/24), add client peer (10.6.0.2), open 51820/udp
sudo smbpasswd -a alice
sudo tee -a /etc/samba/smb.conf <<'EOF'

[storage]
   path = /srv/storage
   read only = no
   valid users = alice
   force user = alice
EOF
sudo systemctl restart smbd
sudo ufw allow 51820/udp
sudo ufw allow in on wg0 to any port 445 proto tcp
sudo ufw deny 445/tcp

# Client
# Import WireGuard config, connect, then map: \\10.6.0.1\storage

rclone mount (cross-platform):

rclone config     # create 'vps' SFTP remote
rclone mount vps:/srv/storage R: --vfs-cache-mode writes   # Windows
# or
rclone mount vps:/srv/storage ~/VPS-Drive --vfs-cache-mode writes  # macOS/Linux
