this post was submitted on 16 Jan 2024
27 points (93.5% liked)

Open Source

31135 readers
431 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
 

So I have a TrueNAS server set up at home, and it would be cool to have access to it at all times. I currently have Syncthing set up to access and back up my most essential files on my phone and laptop, but it would be nice to be able to access all the ... legally obtained files I have stored there wherever I go. I looked into Nextcloud, but that requires paying for a domain. So are there any other options for this?

you are viewing a single comment's thread
view the rest of the comments
[–] TCB13@lemmy.world 3 points 9 months ago* (last edited 9 months ago)

You don't need to own a domain, what you most likely need is some kind of dynamic DNS service.

https://freedns.afraid.org/ is one of them, they'll give you a subdomain you can pick and the client will update the IP to which the domain point whenever it changes.

This is what you need, assuming you've a public IP from your ISP and you can go into your router and port forward ports to your TrueNAS server.

Now regarding software, since you're using Syncthing already I would suggest you stay away from the complexities and vulnerabilities of Nextcloud and simply use FileBrowser, this is way easier to setup and use. I believe there's even something on TrueNAS to get it running.

How if you're about to expose your NAS/setup to the internet you've to consider a few things for your own safety.

Quick check list for outward facing servers:

  1. Only expose required services (web server nginx, game server, program x) to the Internet. Everything else such as SSH, configuration interfaces and whatnot can be moved to another private network and/or a WireGuard VPN you can connect to when you want to manage the server;
  2. Use custom ports with 5 digits for everything - something like 23901 (up to 65535) to make your service(s) harder to find;
  3. Disable IPv6? Might be easier than dealing with a dual stack firewall and/or other complexities;
  4. Use nftables / iptables / another firewall and set it to drop everything but those ports you need for services and management VPN access to work - 10 minute guide;
  5. Use your firewall to restrict what countries are allowed to access your server. If you're just doing it for a few friends only allow incoming connection from your country (https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching)

Realistically speaking if you're doing this just for you / a few friends why not require them to access the server through WireGuard VPN? This will reduce the risk a LOT and won't probably impact the performance. This is a decent setup guide https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-debian-11 and you might use this GUI to add/remove clients easily https://github.com/ngoduykhanh/wireguard-ui

With WireGuard you'll only need to port forward the WG port reducing the attack surface. After you connect to the VPN you get access to the server as if you were on the local network. This mean you'll even get SMB/Samba access to the files and/or access to any other service the server might me providing, you don't need anything else or change your current workflow, simply connect to the VPN and access your data as if you were home.

Another advantage of going with WireGuard is that you can more safely ignore the step (4) and (5) because only exposing the VPN through a port forward in your router won't create much of an attack surface / anything that can be bruteforced. Your setup will be easier to deploy and maintain.

Note that WireGuard is designed with security in mind and it won't even be visible in typical IP scans / will ignore any piece of traffic that isn't properly encrypted with your keys.