To access your Hetzner Storage Box exclusively via a VPN, you need an encrypted tunnel between your PC and the Hetzner network. With this configuration, all traffic to and from the storage box is encrypted and routed through the VPN, and the storage box is not reachable from the public internet.
How It Works
When you enable the “VPN-only access” setting for your storage box, you are telling Hetzner’s network to block all inbound connection attempts that do not originate from a specific, authorized IP address—the one assigned to you by the VPN.
- Connecting to the Storage Box: After establishing the VPN connection, you can connect to your storage box using any of the standard protocols (SFTP, Samba, etc.) as you would normally. The difference is that your data is now traveling through the secure, encrypted VPN tunnel. The storage box itself is never exposed directly to the public internet, which significantly increases its security.
- VPN Server Setup: You will first need a VPN server. Hetzner offers their own VPN solution, or you can use a third-party service. You need to configure this server to assign a static or dedicated IP address to your connection. This is crucial because the Hetzner firewall will only allow connections from this specific, trusted IP.
- Client Connection: On your PC, you will use a VPN client to connect to your VPN server. Once the connection is established, your PC’s internet traffic, including attempts to connect to the storage box, will be routed through the secure VPN tunnel. Your PC’s external IP address will temporarily become the IP address of the VPN server.
- Hetzner’s Firewall: Hetzner’s network firewall is configured to recognize the VPN’s IP address as a safe, trusted source. When you attempt to connect to your storage box, the firewall checks the incoming request’s IP address. Since it matches the authorized VPN IP, the connection is allowed to proceed. All other connection attempts are blocked.
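A client-side check for the routing described above, as an added example (not from the original page or from Hetzner): it refuses to start SFTP unless every address of the storage box host routes out through the VPN interface, which catches a dropped tunnel or a split-tunnel profile. It assumes a Linux client with iproute2 and glibc `getent`; the interface name `wg0` and the host `storagebox.example.invalid` are placeholders.

```shell
#!/bin/sh
# Added example: fail-closed preflight before connecting to the storage box.
# VPN_IFACE and BOX_HOST are placeholders (assumptions), not values from the page.
VPN_IFACE="${VPN_IFACE:-wg0}"
BOX_HOST="${BOX_HOST:-storagebox.example.invalid}"

# Extract the egress device from one line of `ip -o route get <addr>` output.
egress_dev() {
    printf '%s\n' "$1" |
        awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i + 1); exit}}'
}

# Succeed only if the route line leaves through the expected VPN interface.
# An empty or unparsable line fails, so the check is closed by default.
route_via_vpn() {
    dev=$(egress_dev "$1")
    [ -n "$dev" ] && [ "$dev" = "$2" ]
}

# Resolve the host and test every address (IPv4 and IPv6). A single address
# that would bypass the tunnel fails the whole check.
preflight() {
    addrs=$(getent ahosts "$1" | awk '{print $1}' | sort -u)
    [ -n "$addrs" ] || { echo "cannot resolve $1" >&2; return 2; }
    for a in $addrs; do
        line=$(ip -o route get "$a" 2>/dev/null) ||
            { echo "BLOCK: no route to $a" >&2; return 1; }
        route_via_vpn "$line" "$2" || {
            echo "BLOCK: $a would leave via '$(egress_dev "$line")', not $2" >&2
            return 1
        }
    done
    echo "OK: all routes to $1 use $2"
}

# Run only when invoked as: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    preflight "$BOX_HOST" "$VPN_IFACE" && exec sftp "$BOX_HOST"
fi
```

The check is a point-in-time test on the client; the IP restriction on the storage box side remains the control that actually blocks non-VPN sources.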
Connecting to a Hetzner Storage Box via a VPN is very secure and is the recommended method for protecting your data. This setup is significantly more secure than a direct connection from the public internet because it eliminates the most common entry points for attacks.

🔒 Key Security Features
The security of this method is based on three main principles: a closed network, encryption, and a reduced attack surface.
1. IP-Based Firewall Protection
When you configure the storage box to only be accessible via a VPN, the Hetzner firewall blocks all incoming connection attempts from the public internet. It is configured to only allow traffic that originates from your VPN’s specific, trusted IP address. Any other attempt to connect is immediately rejected and dropped by the firewall. This is the single most important security measure, as it means the storage box is not visible or reachable to unauthorized users on the public web.
2. Data Encryption
The VPN (Virtual Private Network) tunnel is an encrypted connection between your PC and the Hetzner network. All data that travels through this tunnel is scrambled and unreadable to anyone who might try to intercept it. This prevents eavesdropping and ensures that your files and login credentials cannot be seen or stolen by attackers, even if your network traffic were to be monitored.
3. Reduced Attack Surface
By eliminating direct public access, you drastically reduce the attack surface of your storage box. Common automated attacks that scan the internet for open ports and vulnerable services, such as brute-force password attacks, become impossible since the storage box cannot be reached. It’s like having a house with no front door—the only way in is through a secret, guarded tunnel that only you know about.
In short, the combination of a strict firewall and a secure, encrypted tunnel provides a robust defense, making a VPN-only connection a highly secure way to manage your cloud storage.
To grant all employees remote access to the storage box from their homes, they must first connect to the company’s VPN network. This method ensures that the storage box remains secure, as it is never exposed to the public internet.
🖥️ How It Works
- VPN Client: Each employee must have the company’s approved VPN client software installed on their home computer.
- Connecting to the VPN: Before attempting to access the storage box, the employee opens the VPN client and connects to the company’s VPN server using their assigned credentials. This creates a secure, encrypted tunnel from their home PC to the company’s internal network.
- Authentication: Once connected to the VPN, their computer is assigned an IP address from the company’s internal network. From the perspective of the Hetzner Storage Box and its firewall, the employee’s computer is now a trusted device on the corporate network.
- Accessing the Storage Box: The employee can now use a file transfer client (like FileZilla or Windows File Explorer’s network drive feature) to connect to the storage box. The connection attempt is routed through the VPN tunnel, and the Hetzner firewall, recognizing the valid IP address, allows the connection to proceed.
This process ensures that all remote access is secure and controlled, as it can only be done through the authorized company VPN. The storage box itself remains protected from direct public access.
Please note: Our company offers the complete setup of this service and ongoing maintenance to ensure optimal security and performance.