Windows | May 29, 2026

How to share a folder between a Windows VPS and a local PC (2026)

You want to access the files on your Windows VPS from your PC as if it were an external drive - to drop a backup, read logs, share files with colleagues. The standard solution on Windows is called SMB (Server Message Block). But connecting SMB as is between an Internet-exposed VPS and your home PC is a security disaster.

This guide explains how to share a folder from a Windows VPS and mount it on Windows, macOS, and Linux - with 4 methods ranked by security: SMB via VPN (recommended), SMB via SSH tunnel, SFTP, WebDAV. You will leave with a functional, secure configuration tailored to your client OS.

Why share a folder from a Windows VPS

Some common use cases:

  • Store/retrieve backups on the VPS as if it were a remote NAS.
  • Access logs of a hosted application without having to open an RDP session.
  • Share files among colleagues via a common VPS.
  • Centralize media (photos, videos, documents) accessible from multiple workstations.
  • Network drive for business applications pointing to \\server\folder.

The advantage of a VPS over a dedicated NAS: accessible from anywhere (not just the local network), for a few euros per month, and capable of hosting other services in parallel.

⚠️ The SMB trap on the Internet - read this first

SMB was never designed for the Internet. The protocol and its port 445/TCP are the number one target for massive attacks - since 2017, it has been the main vector for ransomware (WannaCry, NotPetya, and their current heirs).

If you open port 445 of your VPS directly to the Internet:

  • Thousands of scans per day will test Windows passwords and known SMB CVEs (EternalBlue and variants).
  • A single unpatched vulnerability can grant complete admin access.
  • Current ransomware encrypts all exposed files within minutes.

Absolute rule: never expose port 445 directly to the Internet. Always encapsulate SMB in a VPN, an SSH tunnel, or use an encrypted alternative (SFTP, WebDAV/HTTPS).

The methods below all comply with this rule.

Decision table - Which method to choose

Method | Security / Performance | Setup Complexity | Compatible | Recommendation
A. SMB + WireGuard VPN | ★★★★★★★★★★ | Medium (30 min) | Win/Mac/Linux | ⭐ Reference
B. SMB + SSH tunnel | ★★★★★★★★ | High | Win/Mac/Linux | If already SSH
C. SFTP | ★★★★★★★★★ | Low (10 min) | Win/Mac/Linux | ⭐ The fastest
D. WebDAV HTTPS | ★★★★★★★ | Medium | Win/Mac/Linux | HTTP integration
Direct SMB port 445 | ☠️★★★★★ | Low | Win/Mac/Linux | NEVER do

Quick choice:

  • You want an integrated network drive like a local NAS → Method A (SMB + VPN)
  • You just want to transfer files occasionally → Method C (SFTP)
  • You already have SSH access to the VPS → Method B (SSH tunnel)
  • You want web access from any browser → Method D (WebDAV)

Method A - SMB via WireGuard VPN (reference)

Principle: install WireGuard on the VPS, the PC connects to the VPN, the VPS becomes accessible via a private IP (e.g. 10.0.0.1). You then access the SMB share as if on a LAN - but invisible from the Internet.

A.1 - Install WireGuard on the VPS

Download WireGuard from wireguard.com/install and install it on the VPS.

Generating server keys:

cd "C:\Program Files\WireGuard"
.\wg.exe genkey | Out-File -Encoding ascii server_private.key
Get-Content server_private.key | .\wg.exe pubkey | Out-File -Encoding ascii server_public.key

Create C:\Program Files\WireGuard\Data\Configurations\wg0.conf:

[Interface]
PrivateKey = <content of server_private.key>
ListenPort = 51820
Address = 10.0.0.1/24

[Peer]
PublicKey = <client PC public key>
AllowedIPs = 10.0.0.2/32

Start the tunnel via the graphical WireGuard client.

A.2 - Open the WireGuard port in the firewall

New-NetFirewallRule -DisplayName "WireGuard UDP 51820" `
    -Direction Inbound -Protocol UDP -LocalPort 51820 -Action Allow

A.3 - Restrict SMB to the VPN network only

Block port 445 on all interfaces except the VPN:

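# Make sure the firewall is on and drops unsolicited inbound traffic by default
Set-NetFirewallProfile -Profile Public,Private -Enabled True -DefaultInboundAction Block

# Allow SMB only from the VPN subnet
New-NetFirewallRule -DisplayName "SMB via VPN only" `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress 10.0.0.0/24 -Action Allow

# Disable the built-in SMB allow rule (display name on an English-language system),
# which is not limited to the VPN subnet. Do not add an explicit Block rule for 445:
# in Windows Firewall a Block rule overrides every Allow rule, so it would also cut
# off the VPN clients (and New-NetFirewallRule has no -Priority parameter).
Disable-NetFirewallRule -DisplayName "File and Printer Sharing (SMB-In)"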
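
To confirm that A.3 leaves no path to port 445 from outside the VPN, the following added example (not part of the original guide) lists every enabled inbound Allow rule that covers TCP 445 and flags those whose remote scope reaches beyond the tunnel. It assumes the 10.0.0.0/24 subnet used above; the function names are illustrative.

```powershell
# Added example, not from the original guide. Assumes the guide's VPN subnet.
$VpnBase   = '10.0.0.0'
$VpnPrefix = 24

function ConvertTo-Int64 ([System.Net.IPAddress]$Ip) {
    $b = $Ip.GetAddressBytes()
    ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}

function Test-InVpnSubnet ([string]$Address) {
    # Accepts 10.0.0.5, 10.0.0.0/24 and 10.0.0.0/255.255.255.0 (the form the
    # firewall cmdlets return). Keywords (Any, LocalSubnet) and ranges fail.
    $ip, $suffix = $Address -split '/', 2
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) { return $false }
    if ($parsed.AddressFamily -ne 'InterNetwork') { return $false }
    $prefix = 32
    if ($suffix -match '^\d+$') { $prefix = [int]$suffix }
    elseif ($suffix) {
        # Dotted mask: the prefix length is the number of 1 bits
        $maskBits = [Convert]::ToString((ConvertTo-Int64 ([System.Net.IPAddress]$suffix)), 2)
        $prefix   = ($maskBits -replace '0', '').Length
    }
    $vpnMask = ([int64]4294967295 -shl (32 - $VpnPrefix)) -band 4294967295
    $vpnNet  = ConvertTo-Int64 ([System.Net.IPAddress]$VpnBase)
    ($prefix -ge $VpnPrefix) -and (((ConvertTo-Int64 $parsed) -band $vpnMask) -eq $vpnNet)
}

function Test-Covers445 ($LocalPort) {
    foreach ($p in @($LocalPort)) {
        if ($p -in 'Any', '445') { return $true }
        if ($p -match '^(\d+)-(\d+)$' -and [int]$Matches[1] -le 445 -and [int]$Matches[2] -ge 445) { return $true }
    }
    return $false
}

Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        if ($port.Protocol -notin 'TCP', 'Any' -or -not (Test-Covers445 $port.LocalPort)) { return }
        $remote  = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        $outside = @($remote | Where-Object { -not (Test-InVpnSubnet $_) })
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            RemoteAddress = $remote -join ', '
            Verdict       = if ($outside.Count) { 'EXPOSED beyond VPN' } else { 'VPN only' }
        }
    }
```

Run it in an elevated PowerShell session on the VPS; any rule reported as EXPOSED should be disabled or scoped with -RemoteAddress 10.0.0.0/24.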

A.4 - Install WireGuard on the client PC

Download the WireGuard client for Windows/macOS/Linux. Create a tunnel:

[Interface]
PrivateKey = <client private key>
Address = 10.0.0.2/24

[Peer]
PublicKey = <server public key>
Endpoint = <public-ip-vps>:51820
AllowedIPs = 10.0.0.0/24   # routes ONLY the VPN, not all your traffic
PersistentKeepalive = 25

Activate the tunnel. Check:

ping 10.0.0.1

A.5 - Access the share

Open Windows Explorer → type in the address bar:

\\10.0.0.1\Share

You see the contents of the shared folder. Enter your Windows credentials for the VPS.

Major advantage: the VPS's port 445 remains closed to the Internet - invisible to scans and out of reach of ransomware that spreads by probing exposed SMB ports.

Method B - SMB via SSH tunnel

If you already have OpenSSH installed on the VPS (since Windows Server 2019, installable as an optional feature), you can tunnel SMB over SSH without a VPN.

B.1 - Install OpenSSH Server (if not already done)

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Start-Service sshd
Set-Service -Name sshd -StartupType Automatic
New-NetFirewallRule -Name sshd -DisplayName "OpenSSH Server" `
    -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

B.2 - Establish the tunnel from the client PC

On your PC (Windows 10/11, macOS, Linux):

ssh -L 4450:127.0.0.1:445 admin@<ip-vps>

This command redirects local port 4450 to port 445 of the VPS via encrypted SSH.

B.3 - Mount the share locally

On Windows:

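# /TCPPORT requires Windows 11 24H2 / Windows Server 2025 or later; older clients always connect to port 445
net use Z: \\127.0.0.1\Share /TCPPORT:4450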

⚠️ Windows Limitation: the Windows SMB client does not easily accept a non-standard port with net use. Solution: use loopback addresses or a tool like Network Drive Mapper (commercial). Simpler: use Method A (VPN).

B.4 - On Linux/macOS

sudo mount -t cifs //127.0.0.1/Share /mnt/vps -o port=4450,username=admin

This method is elegant but more complex on Windows. For regular use, prefer Method A.

Method C - SFTP (the simplest secure option)

SFTP is the native file transfer protocol of OpenSSH. No heavy installation, full encryption, works with any client (WinSCP, FileZilla, Cyberduck, Finder, Files/Nautilus).

C.1 - Enable OpenSSH with SFTP on the VPS

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Start-Service sshd
Set-Service -Name sshd -StartupType Automatic
New-NetFirewallRule -Name sshd -DisplayName "OpenSSH Server" `
    -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

SFTP is enabled by default once OpenSSH is installed. No additional configuration.

C.2 - Restrict SSH access by IP (recommended)

Set-NetFirewallRule -DisplayName "OpenSSH Server" -RemoteAddress "<your-authorized-ips>"

Or change the default SSH port to reduce scan noise.

C.3 - On the client side: configure an SFTP client

  • Windows: install WinSCP (winscp.net) - free, drag-and-drop interface.
  • macOS: Finder → Cmd+K → sftp://<ip-vps> - integrates the VPS as a mounted volume.
  • Linux: Files / Nautilus → Other locations → Connect to server → sftp://<ip-vps>.
  • Any OS: FileZilla (filezilla-project.org) - free, cross-platform.

C.4 - Map SFTP as a Windows network drive

To have SFTP as a Z: drive in Windows Explorer:

  1. Install SFTP Net Drive (free) or rclone mount (open source).
  2. Configure the connection to sftp://<ip-vps>.
  3. Choose the drive letter (Z:).

The VPS folder appears as a local disk, accessible from all your applications.

Advantages of SFTP

  • ✓ End-to-end encryption (SSH).
  • ✓ SSH key authentication (impossible to brute-force).
  • ✓ Native cross-platform.
  • ✓ No exposed SMB ports.
  • ✓ Same port as SSH = only one port to open.

Method D - WebDAV via HTTPS

WebDAV extends HTTP to allow file reading/writing. Advantage: uses port 443 HTTPS, so it passes everywhere (businesses, hotels, hotspots that block SSH/VPN).

D.1 - Install the WebDAV role on IIS

# The WebDAV role service is named Web-DAV-Publishing
Install-WindowsFeature -Name Web-Server, Web-DAV-Publishing, Web-Basic-Auth `
    -IncludeManagementTools

D.2 - Configure the IIS site

Via IIS Manager:

  1. Select the site → Authentication → enable Basic Authentication.
  2. Go to WebDAV Authoring Rules → enable WebDAV.
  3. Add a rule: authorized users, Read/Write permissions.

D.3 - Force HTTPS

Install a certificate (Let's Encrypt via win-acme for example) and configure the site to use port 443 only.

D.4 - Client side

  • Windows: Explorer → right-click This PC → Map network drive → https://your-domain.com.
  • macOS: Finder → Cmd+K → https://your-domain.com.
  • Linux: package davfs2, then mount -t davfs https://your-domain.com /mnt/dav.

WebDAV limitations

  • Lower performance than SMB/SFTP.
  • Less reliable locking (do not use for databases or concurrent files).
  • Longer IIS configuration.

On the VPS side - Create the SMB share in detail

Whether you choose Method A or Method B, you need to create an SMB share on the VPS. There are two ways to do it: the GUI and PowerShell.

GUI Method (graphical)

  1. Create the folder to share in Explorer: C:\Share.
  2. Right-click on the folder → Properties → Sharing tab → Advanced sharing.
  3. Check Share this folder.
  4. Click on Permissions → add your Windows user → check Read/Write (Modify + Full control as needed).
  5. Click on Caching → uncheck offline caching if you want real-time responsiveness.

PowerShell Method (quick)

# Create the folder
New-Item -Path "C:\Share" -ItemType Directory -Force

# Create the SMB share
New-SmbShare -Name "Share" `
    -Path "C:\Share" `
    -FullAccess "DOMAIN\YourAccount" `
    -Description "OuiHeberg user share"

# Check
Get-SmbShare -Name "Share" | Format-List

Useful variants

# Hidden share (name does not appear in network neighborhood)
New-SmbShare -Name "Share$" -Path "C:\Share" -FullAccess "YourAccount"

# Read-only share
New-SmbShare -Name "ShareRO" -Path "C:\Share" -ReadAccess "Everyone"

# Enable SMB encryption on the share (Windows Server 2019+)
Set-SmbShare -Name "Share" -EncryptData $true -Force

Enable global SMB encryption (recommended)

Set-SmbServerConfiguration -EncryptData $true -Force
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Set-SmbServerConfiguration -EnableSMB2Protocol $true -Force

  • SMB1 disabled = protection against EternalBlue.
  • EncryptData = even via VPN, the content remains end-to-end encrypted.
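
To check that these settings are actually in force, the following added example (not part of the original guide) reports the server-wide and per-share encryption state and lists any connected session that negotiated a dialect too old for SMB encryption. It assumes the share is named "Share" as above; the function name is illustrative.

```powershell
# Added example, not from the original guide. Run on the VPS in an elevated session.
# Assumption: the share is called "Share", as in this guide.
function Get-SmbHardeningReport {
    param([string]$ShareName = 'Share')

    $cfg   = Get-SmbServerConfiguration
    $share = Get-SmbShare -Name $ShareName

    # Each entry: check name -> $true when it matches the guide's recommendation.
    $checks = [ordered]@{
        'SMB1 disabled'                = -not $cfg.EnableSMB1Protocol
        'SMB2/SMB3 enabled'            = [bool]$cfg.EnableSMB2Protocol
        'Server-wide EncryptData'      = [bool]$cfg.EncryptData
        "EncryptData on '$ShareName'"  = [bool]($cfg.EncryptData -or $share.EncryptData)
        'Unencrypted clients rejected' = [bool]$cfg.RejectUnencryptedAccess
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Ok = $checks[$name] }
    }

    # SMB encryption needs dialect 3.0 or later: list sessions that negotiated less.
    Get-SmbSession |
        Where-Object { [version]$_.Dialect -lt [version]'3.0' } |
        ForEach-Object {
            [pscustomobject]@{
                Check = "Session from $($_.ClientComputerName) uses SMB $($_.Dialect)"
                Ok    = $false
            }
        }
}

Get-SmbHardeningReport | Format-Table -AutoSize
```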

On the client side - Mount the share

On Windows 10 / 11

Method 1 - Explorer:

  1. Open File Explorer.
  2. Right-click on This PC → Map network drive.
  3. Drive letter: Z:.
  4. Folder: \\10.0.0.1\Share (VPS IP via VPN).
  5. Check Reconnect at sign-in and Connect using different credentials.
  6. Enter the Windows account for the VPS.

Method 2 - PowerShell:

# Temporary mapping
New-PSDrive -Name "Z" -PSProvider FileSystem -Root "\\10.0.0.1\Share" -Credential (Get-Credential)

# Persistent mapping after reboot
New-PSDrive -Name "Z" -PSProvider FileSystem -Root "\\10.0.0.1\Share" `
    -Credential (Get-Credential) -Persist

Method 3 - net use:

# "*" prompts for the password, so it is not left in the command history
net use Z: \\10.0.0.1\Share * /user:YourAccount /persistent:yes

On macOS

  1. Finder → Go → Connect to server (or Cmd + K).
  2. Enter: smb://10.0.0.1/Share.
  3. Click Connect, enter credentials.
  4. The share appears in the Finder sidebar.

For automatic mounting at startup:

  1. System Preferences → Users & Groups → Login Items tab.
  2. Add the mounted volume.

On Linux (Ubuntu / Debian)

Install cifs-utils:

sudo apt update
sudo apt install cifs-utils

Create the mount point:

sudo mkdir /mnt/vps-share

Manually mount:

sudo mount -t cifs //10.0.0.1/Share /mnt/vps-share \
    -o username=YourAccount,password=YourPassword,uid=$(id -u),gid=$(id -g)

For automatic mounting at boot, create a credentials file:

sudo bash -c 'cat > /root/.smbcredentials << EOF
username=YourAccount
password=YourPassword
EOF'
sudo chmod 600 /root/.smbcredentials

Then add to /etc/fstab:

//10.0.0.1/Share  /mnt/vps-share  cifs  credentials=/root/.smbcredentials,uid=1000,gid=1000,iocharset=utf8,_netdev  0  0

Test without rebooting: sudo mount -a.

NTFS permissions + share permissions: the confusing rule

Two layers of permissions apply to an SMB share:

  1. Share permissions (SMB Share) - apply only to network access.
  2. NTFS permissions - always apply (local + network).

Calculation rule: the effective permission is the most restrictive of the two.

Share Permissions | NTFS Permissions | Effective Result
Read | Read/Write | Read
Read/Write | Read | Read
Full Control | Modify | Modify
Full Control | Full Control | Full Control

Recommended best practice:

  • Share permissions: Full Control for Authenticated Users.
  • NTFS permissions: granular (by account or group), this is where you really manage security.

# NTFS permissions via PowerShell
$acl = Get-Acl "C:\Share"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "YourAccount", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow"
)
$acl.SetAccessRule($rule)
Set-Acl "C:\Share" $acl

Troubleshooting

“Access denied” despite correct permissions

Cause: conflict between share permissions and NTFS, or Windows credentials cache.

Solution:

net use * /delete /y    # purge all cached mappings
cmdkey /list            # see stored credentials
cmdkey /delete:<name>    # remove an obsolete credential

“The network path was not found”

Cause: no connectivity to the VPS, or name not resolved.

Solution: ping the VPS IP via VPN. If the ping works but not SMB, check:

  • Port 445 open in the VPS firewall for the VPN range.
  • LanmanServer service started: Get-Service LanmanServer.

Extreme slowness in read/write

Possible causes:

  • MTU mismatch on the VPN - add MTU = 1280 in the WireGuard config.
  • Antivirus on the client scanning all SMB traffic.
  • SMB1 enabled (always disable): Set-SmbServerConfiguration -EnableSMB1Protocol $false.
  • Encryption enabled without hardware acceleration on an old VPS: use the VPN tunnel that already encrypts, and disable EncryptData.

The share disappears after rebooting the VPS

Get-SmbShare -Name "Share"
# If not present, the share was not created in persistent mode

Re-create with New-SmbShare (shares created by PowerShell are persistent by default, unless you used a script that recreates them at each boot - check the Task Scheduler).

Error “STATUS_USER_SESSION_DELETED” (0xC0000203)

Cause: the SMB session was lost (VPN disconnection, network timeout).

Solution:

# Client side, increase SMB timeout
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" `
    -Name "SessTimeout" -Value 600

“The user is locked out”

Cause: lockout policy triggered by too many failed attempts (see our RDP brute-force guide).

Solution: unlock via net user YourAccount /active:yes or wait for the lockout to expire (30 min by default).

FAQ - Share and mount a Windows VPS folder

Can I share a folder from my Windows VPS directly on the Internet? Technically yes, but it is extremely dangerous. SMB port 445 has been the main target for ransomware since 2017 (WannaCry, NotPetya). Never do this: always encapsulate SMB in a VPN (method A) or use SFTP (method C).

What is the command to create an SMB share in PowerShell? New-SmbShare -Name "Share" -Path "C:\Share" -FullAccess "YourAccount". The share is immediately available and persistent across reboots.

How to mount a VPS folder on Mac? In Finder, press Cmd + K then type smb://<ip-vps>/Share (via VPN) or sftp://<ip-vps> for SFTP. Enter your credentials. The folder appears in the sidebar as a mounted volume.

SMB or SFTP: which one to choose for a VPS? SFTP if you just want to transfer or view files occasionally - simpler, more secure by default. SMB via VPN if you want a permanent network drive mounted like a local disk for applications that point to a UNC path.

Why is my VPS slow over SMB via VPN? The main causes: (1) MTU misconfigured on the VPN - set MTU = 1280 in WireGuard; (2) SMB encryption combined with VPN encryption - disable EncryptData on the share if the VPN is already encrypting; (3) client antivirus scanning all traffic. On a good connection, you should achieve 80 to 100 Mbits/s over SMB via WireGuard.

Should SMB1 be disabled on a VPS? Yes, absolutely. SMB1 is exploited by EternalBlue (the vulnerability behind WannaCry). Command: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force. No modern client needs SMB1.

Is my Windows share accessible from Linux? Yes, via cifs-utils (package cifs-utils on Debian/Ubuntu, samba-client on Fedora). Command: sudo mount -t cifs //ip/share /mnt/point -o username=X,password=Y. For automatic mounting at boot, configure /etc/fstab with the _netdev option.

What is the difference between NTFS permissions and share permissions? Share permissions = access via the network only. NTFS permissions = access under all circumstances (local + network). The effective permission is the most restrictive of the two. Good practice: set share permissions to “Full Control” and manage actual security via NTFS permissions.

Can WebDAV be used instead of SMB? Yes, and it is useful if you are on a network that blocks SSH/VPN ports (hotels, businesses). WebDAV goes through HTTPS (port 443) so it passes everywhere. However, performance is lower than SMB/SFTP and locking is less reliable - to be avoided for databases or concurrent files.

How to share a VPS folder with multiple users in read-only mode? New-SmbShare -Name "ShareRO" -Path "C:\Share" -ReadAccess "Users". Then configure the NTFS permissions of the folder to limit who sees what inside. It is the NTFS layer that provides fine security, not the SMB share.

Conclusion

Sharing a folder from a Windows VPS to a PC comes down to choosing between encapsulated SMB (via VPN or SSH) for a permanent network drive, or SFTP for encrypted occasional transfers. The absolute rule to follow: never expose port 445 directly on the Internet - it is the main cause of ransomware on Windows VPS since 2017.

With a WireGuard + encrypted SMB configuration, you get a remote NAS accessible from Windows, macOS, and Linux, with native performance (80-100 Mbits/s typical) and security equivalent to a LAN share.
