Documentation
Access your NAS remotely — without exposing it to the internet
A NAS holds your most precious data: photos, backups, documents. Reaching it from outside always raises the same question — how do you reach it without making it reachable by just anyone? The usual answers (the vendor’s cloud relay, port forwarding, a VPN server to set up) each come with a trade-off. The private-network approach offers another way: the NAS, or a machine on its local network, joins an end-to-end encrypted mesh where only your machines exist — zero inbound ports, zero router configuration, nothing visible from the internet.
The three classic ways to reach your NAS, and their trade-offs
Consumer NAS units — Synology, QNAP and the rest — generally offer two remote-access routes: a vendor cloud service that relays the connection, or opening ports on the router. A third, more hands-on route is running your own VPN server. All three work; none of them is free of trade-offs.
The vendor's cloud relay
Simple, and no port to open: the NAS connects out to the vendor’s servers, which relay your sessions. The trade-off is dependence: your access runs through third-party infrastructure, tied to an account with the vendor, and it follows that service’s availability. It is a reasonable choice for many uses — but it puts an intermediary between you and your data.
Port forwarding (and DDNS)
Opening a port on the router and pointing a DDNS name at your home makes the NAS directly reachable — by you, and by the entire internet. The NAS interface becomes an exposed service, scanned around the clock. And on a CGNAT connection (4G/5G, some fibre plans) there is simply no port to open: the NAT belongs to the carrier.
The home-grown VPN server
A VPN server on the NAS or the router avoids exposing the NAS interface — but it still requires an inbound port for the VPN itself, plus key or certificate management, per-device client configuration, and keeping all of it maintained over time. Solid, but demanding.
The private-network approach: the NAS joins your machines
With VIGIL-MESH, you do not make the NAS reachable from the internet: you bring it into a private network where only your machines exist. Each member makes outbound connections only — a single flow on 443 UDP, like a web browser — and connects immediately through a relay before the session migrates, without interruption, to the direct peer-to-peer path. Nothing to open on the router, nothing visible from outside.
- End-to-end encryption — sessions are QUIC/TLS 1.3 connections between your machines, with a hybrid post-quantum key exchange (X25519 + ML-KEM). The relay is structurally blind: it does not hold the keys.
- Stable address — each machine keeps the same address (100.64.0.0/10) wherever it is: your network drives and bookmarks do not break when you change networks.
- Closed by default — access policies (ACLs) are deny by default: only the devices and flows you allow can reach the NAS, and revoking a machine cuts its access immediately.
- From all your devices — Windows, Linux, Android and NVIDIA Jetson clients, and even the browser through the WASM node. Free for personal use.
There are two ways to connect the NAS. The first: install the client directly on the NAS. VIGIL-MESH ships a Linux client; if your NAS can run a Linux binary (for instance in a container or virtual machine its system provides), it becomes a full member of the network, reachable by its address and name. The second, which works everywhere: enrol a machine on the same local network as the NAS — a PC, a mini-PC, an always-on Linux box. You reach that machine across the mesh, and it accesses the NAS locally, as usual.
Access by name, SMB, DLNA: the NAS feels local
Once it is a member of the network, the NAS is reachable by name thanks to MagicDNS: “home-nas” instead of an address to memorise. Resolution is entirely local, served from the signed network map distributed by the controller — no DNS query ever leaves the machine, and nobody learns who is trying to reach what.
- File shares (SMB) — mount the share by the NAS’s name or stable address; the network drive stays valid wherever you are.
- Automatic discovery — each VIGIL-MESH network is a broadcast domain: mDNS, SSDP and WS-Discovery cross the mesh as encrypted multicast, so the NAS can announce itself to your remote machines just as it does on the local network.
- DLNA and media — a media server announcing itself over SSDP is discovered across the network by compatible players, as if they shared the same segment.
Setting up access, step by step
- 1Create your workspaceCreate an account and a workspace in the VIGIL-MESH console. It is free for personal use.
- 2Install the client on the machines involvedThe NAS if it can run the Linux client — otherwise a machine on its local network — plus the devices you want to access it from: laptop, Android phone, workstation.
- 3Enrol each machineIn the console, Networks page → Machines → “Add a machine”: the wizard hands you a single-use enrolment key to pass to the client, as a command or a QR code.
- 4Verify connectivityEach machine receives its stable address and its MagicDNS name. A ping or a request to the NAS’s name confirms the path is in place.
- 5Access the NAS as if you were homeMount the share, open the NAS interface or start the backup, targeting its name or address — from anywhere, without it being exposed.