2

I need to set up a way to share files securely and remotely with other users. I have a file server on which the user's files will be stored. Would it be more secure to have the users SFTP into the server to get/put files, or would it be better to set up a VPN, have the users connect to it, and have a Samba share available on the network for the files?

nwrobel
  • Have you, will you, consider alternatives like WebDAV or scp? There are lots of encrypted ways to get files. – MikeP Aug 26 '16 at 20:52
  • This post seems like a typical [XY problem](https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem). Please describe your context and the actual issue you are trying to solve, this will be more helpful to everyone than asking about SFTP vs. Samba (and then why not SFTP vs. WebDAV, WebDAV vs. Samba, ... you see the idea). – WhiteWinterWolf Aug 27 '16 at 09:11
  • asking "what is more secure?" requires a lot more detail and context, including what you want to secure *against* – schroeder Aug 27 '16 at 20:47

2 Answers

1

The disadvantages of using Samba over VPN are:

  1. I've found in practice that Windows file shares often get stuck doing something in the background without giving any user feedback about what is happening. I've had to disconnect and re-create the share to continue file sharing. Although specific instances can be investigated and configuration-related issues resolved to fix these problems, the lack of clear feedback to the user during file transfers makes it frustrating for users. On the other hand, SFTP user programs like FileZilla give clear and specific details about the file transfer and any errors encountered.
  2. If users already have VPN connections they regularly use for work or to connect to clients, they would need to disconnect from those and connect to yours to transfer files.
  3. A VPN client must be installed as it creates a virtual network interface; whereas for copying files over SFTP users could simply copy FileZilla, WinSCP or PuTTY files and start using them without installing them.
  4. If you have problems with file transfers you need to look into two services/logs to understand and resolve the issues - VPN logs/config & Samba logs/config.

Considering all these reasons, I would recommend using SFTP.

Maybe a decade ago I would have recommended Samba when simple user-friendly SFTP interfaces were hard to find, but with excellent user-friendly open-source programs available now, SFTP is a better option.

  • VPN is today available on most home routers so if the home router can bridge the remote network it usually works better. Assuming that there are also gigabit speeds it gives quite good usability. – Aria Aug 27 '16 at 13:28
  • Although VPN tunnels are based on standard protocols, it is almost impossible to use one vendor's VPN client to connect to another vendor's gateway. This is because the vendors try to make their client installations as easy as point-and-click so that all the user would need is a correct id/password. To achieve this, all config options are either hardcoded or hard to locate & modify. Additionally, vendors never cooperate with users in revealing their exact protocols and configs in the guise of security! So I've found home router setup tunnels never work, users end up having to install software. – Sandeep S. Sandhu Aug 27 '16 at 17:02
0

SFTP and VPN/Samba are solutions to the same problem - accessing resources remotely.

The difference between them is that SFTP does both networking and file operations, while a VPN is a pure network tool.

So with a VPN you handle the networking part and then you use Samba for file transfers. This is a more elegant way of solving it.

By using VPN/Samba you are OK because you are using standards, so you can reuse the VPN for other purposes and users can use shares as usual.

Of course, don't forget to secure the VPN server with a firewall, and limit users to the given server with the share.

Aria
  • Doesn't the VPN-based solution put some specific requirement on the user's side? While a lot of software allows accessing SFTP servers, accessing a tunneled SMB share may be more challenging. – WhiteWinterWolf Aug 27 '16 at 09:04
  • Most of today's home routers support VPN. Also it's not always one user, it may be office to office. I think it's an elegant and secure option if the VPN server is good and secure. – Aria Aug 27 '16 at 13:22
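
One way to apply the firewall advice from the answer above (limit VPN users to the server with the share), shown as an added example that is not part of the original answer or its comments: an nftables forward chain for a Linux VPN gateway. The interface name `tun0`, the client pool `10.8.0.0/24` and the file server address `192.168.10.5` are assumptions; substitute your own values.

```nftables
#!/usr/sbin/nft -f
# Added example with assumed values, adjust to your network:
#   tun0            VPN tunnel interface on the gateway (assumption)
#   10.8.0.0/24     address pool handed to VPN clients (assumption)
#   192.168.10.5    file server hosting the Samba share (assumption)
#
# Note: the chain policy is "drop", so any other traffic this gateway
# routes (for example LAN to internet) needs its own accept rules.

table inet vpn_fileshare {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies belonging to connections that were already allowed.
        ct state established,related accept
        ct state invalid drop

        # VPN clients may open new connections only to SMB (TCP 445)
        # on the file server, nothing else on the internal network.
        iifname "tun0" ip saddr 10.8.0.0/24 ip daddr 192.168.10.5 tcp dport 445 ct state new accept

        # Everything else arriving from the tunnel is counted, logged
        # and dropped, so attempts to reach other hosts are visible
        # in the kernel log.
        iifname "tun0" counter log prefix "vpn-forward-drop: " drop
    }
}
```

The syntax can be checked without loading it by running `nft -c -f` on the file.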