VIGIL MESH

Documentation

Access your NAS remotely — without exposing it to the internet

A NAS holds your most precious data: photos, backups, documents. Reaching it from outside always raises the same question — how do you reach it without making it reachable by just anyone? The usual answers (the vendor’s cloud relay, port forwarding, a VPN server to set up) each come with a trade-off. The private-network approach offers another way: the NAS, or a machine on its local network, joins an end-to-end encrypted mesh where only your machines exist — zero inbound ports, zero router configuration, nothing visible from the internet.

The three classic ways to reach your NAS, and their trade-offs

Consumer NAS units — Synology, QNAP and the rest — generally offer two remote-access routes: a vendor cloud service that relays the connection, or opening ports on the router. A third, more hands-on route is running your own VPN server. All three work; none of them is free of trade-offs.

The vendor's cloud relay

Simple, and no port to open: the NAS connects out to the vendor’s servers, which relay your sessions. The trade-off is dependence: your access runs through third-party infrastructure, tied to an account with the vendor, and it follows that service’s availability. It is a reasonable choice for many uses — but it puts an intermediary between you and your data.

Port forwarding (and DDNS)

Opening a port on the router and pointing a DDNS name at your home makes the NAS directly reachable — by you, and by the entire internet. The NAS interface becomes an exposed service, scanned around the clock. And on a CGNAT connection (4G/5G, some fibre plans) there is simply no port to open: the NAT belongs to the carrier.

The home-grown VPN server

A VPN server on the NAS or the router avoids exposing the NAS interface — but it still requires an inbound port for the VPN itself, plus key or certificate management, per-device client configuration, and keeping all of it maintained over time. Solid, but demanding.

The private-network approach: the NAS joins your machines

With VIGIL-MESH, you do not make the NAS reachable from the internet: you bring it into a private network where only your machines exist. Each member makes outbound connections only — a single flow on 443 UDP, like a web browser — and connects immediately through a relay before the session migrates, without interruption, to the direct peer-to-peer path. Nothing to open on the router, nothing visible from outside.

  • End-to-end encryption — sessions are QUIC/TLS 1.3 connections between your machines, with a hybrid post-quantum key exchange (X25519 + ML-KEM). The relay is structurally blind: it does not hold the keys.
  • Stable address — each machine keeps the same address (100.64.0.0/10) wherever it is: your network drives and bookmarks do not break when you change networks.
  • Closed by default — access policies (ACLs) are deny by default: only the devices and flows you allow can reach the NAS, and revoking a machine cuts its access immediately.
  • From all your devices — Windows, Linux, Android and NVIDIA Jetson clients, and even the browser through the WASM node. Free for personal use.

There are two ways to connect the NAS. The first: install the client directly on the NAS. VIGIL-MESH ships a Linux client; if your NAS can run a Linux binary (for instance in a container or virtual machine its system provides), it becomes a full member of the network, reachable by its address and name. The second, which works everywhere: enrol a machine on the same local network as the NAS — a PC, a mini-PC, an always-on Linux box. You reach that machine across the mesh, and it accesses the NAS locally, as usual.

Access by name, SMB, DLNA: the NAS feels local

Once it is a member of the network, the NAS is reachable by name thanks to MagicDNS: “home-nas” instead of an address to memorise. Resolution is entirely local, served from the signed network map distributed by the controller — no DNS query ever leaves the machine, and nobody learns who is trying to reach what.

  • File shares (SMB) — mount the share by the NAS’s name or stable address; the network drive stays valid wherever you are.
  • Automatic discovery — each VIGIL-MESH network is a broadcast domain: mDNS, SSDP and WS-Discovery cross the mesh as encrypted multicast, so the NAS can announce itself to your remote machines just as it does on the local network.
  • DLNA and media — a media server announcing itself over SSDP is discovered across the network by compatible players, as if they shared the same segment.

Setting up access, step by step

  1. 1
    Create your workspaceCreate an account and a workspace in the VIGIL-MESH console. It is free for personal use.
  2. 2
    Install the client on the machines involvedThe NAS if it can run the Linux client — otherwise a machine on its local network — plus the devices you want to access it from: laptop, Android phone, workstation.
  3. 3
    Enrol each machineIn the console, Networks page → Machines → “Add a machine”: the wizard hands you a single-use enrolment key to pass to the client, as a command or a QR code.
  4. 4
    Verify connectivityEach machine receives its stable address and its MagicDNS name. A ping or a request to the NAS’s name confirms the path is in place.
  5. 5
    Access the NAS as if you were homeMount the share, open the NAS interface or start the backup, targeting its name or address — from anywhere, without it being exposed.

Frequently asked questions

Can I back up one NAS to another NAS off-site?
Yes — it is one of the natural use cases: two sites (your home and a relative's, say), each with its NAS as a member of the network, or joined through a machine on its local network. Each NAS sees the other by its stable address or its name, and replication runs through the end-to-end encrypted tunnel, without either NAS being exposed to the internet.
What transfer speed can I expect?
Once the direct path is established, traffic goes peer to peer with no server detour: throughput then depends on your internet connections at both ends, not on an intermediary. While direct is not possible (for instance two symmetric NATs facing each other), traffic goes through the relay — a longer path, still encrypted end to end.
Do I need to configure my router, and does it work behind CGNAT?
No router configuration is needed: each machine only makes outbound connections, a single flow on 443 UDP. It also works behind CGNAT (4G/5G, some fibre plans), where port forwarding is impossible: the connection comes up through the relay, then migrates to a direct path if NAT traversal succeeds.
Can I close the ports I had already opened for my NAS?
That is the whole point. Once access through the private network is verified, the port-forwarding rule and the exposed NAS interface serve no purpose: you can remove the rule on the router. Access from the local network is unchanged.
What about my phone?
The Android client brings the phone into the network: any app that can target an address or hostname can then reach the NAS by its stable address or its MagicDNS name, as if you were on the local network.
Read nextVPN without port forwarding