yellowbananabus
Cadet
- Joined
- Dec 3, 2020
- Messages
- 4
This tutorial will go over all the basics in detail for a complete beginner that you will have to complete to set up a NAS on a dedicated machine you can access from both from a local and remote network securely, while also having the ability to SSH into the NAS securely remotely, allowing remote access to your NAS shell and the web GUI. To set up the NAS on a VM, simply follow these instructions, utilizing a VM. Note all the bolded text, these are important. Please keep in mind I recently got into this and am in no way a professional, however, doing the following has worked error-free for me.
Also quick comment regarding pasting code in shell/SSH (Putty). For the shell, to paste use CTRL+V. For the Putty just right click.
Required Materials
Common Problems Troubleshooting
Also quick comment regarding pasting code in shell/SSH (Putty). For the shell, to paste use CTRL+V. For the Putty just right click.
Required Materials
- 1 USB (1 GB min.)
- 2 separate hard drives or SSDs
- A dedicated computer to run the NAS from
- A router that allows port forwarding (most routers allow this)
- TrueNAS machine: 192.168.0.10
- Nextcloud Instance: 192.168.0.20
- Router Config Page: 192.168.0.1
- DDNS: example.duckdns.org
- To proceed, keep in mind you need both an install drive and a boot drive, separate from each other. The following will be about how to set up the install drive.
- Begin by downloading the ISO image of TrueNAS and Rufus - just google the links to these.
- Using Rufus, mount the ISO image to your drive of choice. Note - you can just use a USB for this step (must be at least 1 GB)
- You can keep all the settings at the default on Rufus.
- After it has finished mounting, go into the BIOS of your future NAS machine.
- Make sure that the boot order has the UEFI USB as the top priority, and uncheck secure boot (it will not boot if this isn't done).
- The following is about how to set up the boot drive.
- Now plug in your USB drive into your future NAS machine and boot it up.
- The program will automatically start.
- From the settings page select the drive you desire to make your boot drive.
- Note - though many tutorials state that it can be a USB drive, this has not worked for me AT ALL. Using a dedicated hard drive, external or internal is your best bet (keep in mind this will FORMAT ALL DATA on your hard drive).
- In the settings, it will ask if the device should install in UEFI or Legacy mode. UEFI should work for all modern drives.
- Create a root password.
- Now allow the program to install the boot media onto the hard drive.
- Once the installation is complete, you can power down your machine, unplug the USB, and keep the hard drive plugged in. PLUG IN AN ETHERNET CABLE (WiFi does not work on TrueNAS). Also plug in a separate hard drive (this will come in handy later).
- Start up your machine again.
- If you did everything correctly, the machine should automatically boot into the TrueNAS OS and begin installing more necessary files (this will take a while so just grab a cup of coffee).
- Now plug in your USB drive into your future NAS machine and boot it up.
- The following is how to configure your settings on TrueNAS.
- After everything is installed, the shell will give you a few options that look like the following
- Everything should technically be ready to go, so type in one of the two IP addresses you see below on a web browser on a different computer that is connected to your local internet. I.e. 192.168.0.10
- The WebGUI should pop up looking like the following.
- If you don't see this, then refer to the below.
- In your TrueNAS machine, type 1 and press enter to get into the network configuration.
- Here type in the number of your network interface from the options, should usually be 1.
- Then when it asks whether you want to reset the network configuration, type y for yes and press enter.
- Note - though you can type 1 and press enter again to change the IP address of your TrueNAS machine, I found it always eventually changed back to its default IP address, so to lessen confusion, I advise against this.
- The WebGUI should pop up looking like the following.
- The default username is root, the password should be the root password you set up in the installation of the TrueNAS boot media.
- Now you should see the web GUI, it should look like this
- To create shared volumes you can access through connection to your local network, see the following instructions.
- Go to accounts on the left panel.
- Click on groups.
- Click add.
- Enter a group name (you can leave the GID as it is).
- Enable permit sudo and samba authentication.
- Submit.
- Click add.
- Click on groups.
- Go to accounts on the left panel.
- Click on users.
- Click add.
- Fill in all the empty field under Identification
- Uncheck new primary group.
- Choose the group you made previously from the drop down menu in primary groups.
- Go ahead and check all of the boxes under Home Directory Permissions.
- Under Authentication check permit sudo and Samba authentication.
- Submit.
- Click add.
- Click on users.
- Go to Storage -> Disks on the left panel.
- Find the name of the disk you desire to use as your NAS shared disk.
- Note - the shared disk CANNOT be the same disk you have your boot media on. Use the different drive you plugged in previously.
- Go to Storage -> Pools
- Click add.
- Select create new pool then click create pool.
- Click add.
- Go back to Storage -> Pools
- You should see the name of your new pool pop up.
- Click on the three dots on the right side of that name.
- Click add Zvol (this must be done!)
- Put in a name and select a size for the Zvol (for a 1TB drive I used 1 GB, this is block device mainly used for VMs, so you can use less if you don't plan on using VMs on your NAS, more if you do).
- Click submit.
- Click add Zvol (this must be done!)
- Click on the three dots on the right side of the pool once again.
- Click add dataset.
- Type in a name and click submit.
- Click add dataset.
- Now you should be able to see the name of that dataset underneath your pool in Storage -> Pools
- Click on the three dots on the right side of the name of the dataset.
- Click on permissions.
- Set the user under owner to www and group to www.
- Click apply user and apply group.
- Under access mode, check all of the boxes.
- Click apply permissions recursively under advanced.
- Click save.
- Click on permissions.
- Click on the three dots on the right side of the name of the dataset.
- Click on permissions.
- Click on ACL manager.
- Click on the preset open under the dropdown menu.
- Set the user under owner to www and group to www.
- Click apply user and apply group.
- Click apply permissions recursively under advanced.
- Click save
- Click on permissions.
- Find the name of the disk you desire to use as your NAS shared disk.
- Go to Services
- Enable SMB and click on start automatically.
- Go to Sharing -> Windows Shares (SMB)
- Click add.
- Select the path to your dataset.
- Click submit.
- Click add.
- Now to access this folder from your Windows machine on your local network.
- Go to file explorer -> network
- Click on the top field and enter the IP address of your TrueNAS machine in this fashion (should be the same as the IP address you used to connect to your WebGUI)
- \\youripaddress
- When it asks for username and password, use the username of the new account you created in the WebGUI and its password.
- If you see your folder, great! If not, refer back to the previous steps to see if you did anything wrong.
- Go to accounts on the left panel.
- The following is how to set up remote access to your shared folder.
- The first thing you have to do is go to duckdns.org (this is a DDNS service that allows a static address to your constantly changing IP address to your local network externally).
- Sign in.
- Create a domain.
- Go back to you TrueNAS WebGUI
- Go to Tasks -> Cron Jobs
- Click add
- Enter DuckDNS as the description
- Under command, enter the following
- /usr/local/bin/curl "https://www.duckdns.org/update?domains=yoursubdomain&token=yourtoken&ip="
- To find your subdomain and your token, on DuckDNS.org, your subdomain is the first part before .duckdns.org, and your token should be shown near the top panel of the page. Replace the bolded text with this information.
- /usr/local/bin/curl "https://www.duckdns.org/update?domains=yoursubdomain&token=yourtoken&ip="
- Under schedule, enter how often you want this to run (I selected hourly)
- This is how often it will update your IP address to coincide with your DDNS domain.
- Click save.
- Click add
- Go to Plugins
- Note - This tutorial will use Nextcloud for remote access to files as I could not get OpenVPN to work for the life of me. This is a great alternative that offers many options for the user easily.
- Click on Nextcloud.
- Click install.
- Under plugin name, enter nextcloud
- VERY IMPORTANT - deselect NAT and select DHCP
- Click advanced properties -> custom properties
- Enable allow_tun (this allows tunneling into the network).
- Click save.
- The installation will take a while.
- Once installed, click on nextcloud under jail.
- Click STOP.
- Check boot.
- Click on mount points.
- Click add.
- Under source, utilize the path to your shared folder.
- Under destination, use this path
- /mnt/nameofpool/iocage/jails/nextcloud/root/media
- Click save.
- Now you need to find out the username and password to your nextcloud account.
- Go back to Plugins and click START.
- Go to Jails from the left side panel.
- Click on nextcloud and click on shell.
- Enter the following command.
- cat /root/PLUGIN_INFO
- The username and password should be under nextcloud admin user and password.
- Enter the following command.
- Go to Tasks -> Cron Jobs
- Go back to Plugins.
- Click manage under the nextcloud plugin.
- Login using the credentials found just before.
- Go to the settings page, it should be on the drop down menu that shows up when you click the circle profile icon on the top right.
- Go to Administration -> External storages
- Under external storage, select Local
- Under configuration, enter the code below
- /media
- Now go to files
- You should see your shared folder with this icon if everything was followed successfully!
-
- You should see your shared folder with this icon if everything was followed successfully!
- The first thing you have to do is go to duckdns.org (this is a DDNS service that allows a static address to your constantly changing IP address to your local network externally).
- Install the following
- Brute-force settings
- Ransomware protection
- Suspicious login
- Two-Factor TOTP Provider
- GeoBlocker
- Go to settings -> security
- To enable TOTP
- Click on generate backup codes
- Store this somewhere safe
- Click on Enable TOTP
- Use your preferred TOTP provider to set up the rest. I use DUO on my mobile phone.
- Click on generate backup codes
- To enable TOTP
- Go to settings -> GeoBlocker
- To enable GeoBlocker
- From the dropdown menu under Service, select RIRData
- Note - there are other options for this service, however, I found that none of these seemed to work for me without any issues.
- Click update database
- This will take a while
- From country selection, select what countries you want to block
- Most block all countries in Asia, but it's up to you.
- Under reaction, check all of the boxes.
- Once the database has completed updated, check the box under Test and use an IP address that would be in the country you blocked.
- Log out and try to log back in to see if it works. It only uses this IP address to login once, so once it fails you should be fine to log back in without any issue.
- From the dropdown menu under Service, select RIRData
- To enable GeoBlocker
- Note all of the other apps you installed should run automatically without setup.
- Go back to your TrueNAS WebGUI and go to Services
- Enable SSH
- Under general options, select Allow TCP Port Forwarding
- Under TCP port, enter a random port number from 1000-65535 of your choice. Note this.
- Click save.
- Download Putty, just google it. (this allows all changes made through SSH to be saved in the nextcloud instance. Simply using the shell from the WebGUI does not do this!)
- Run PuttyGen (this should have been automatically downloaded alongside Putty)
- Click on Generate (default settings should be fine)
- Under key passphrase add a password.
- Save the public key.
- Save the private key. Just name it pubkey
- Save the private key. Name it id_rsa
- Note - I suggest saving the private key on a removable USB drive for added security. DO NOT SHARE THIS FILE WITH ANYONE.
- Copy the ENTIRETY of the text under Public key for pasting into OpenSSH authorized_keys file:
- Go back to your TrueNAS WebGUI and go to System -> SSH Keypairs
- Click add
- Name it SSH
- Paste in the text you copied earlier under public key.
- Note - DO NOT ENTER THE PRIVATE KEY INTO THIS. You do not have to, the private key will pair with the public key automatically!!!
- Click submit
- Go to System -> SSH connection
- Click add
- Name it SSH Connection
- Under host, enter the IP address to your TrueNAS machine (same as the IP to access your WebGUI)
- Under port, enter the port you previously entered for SSH in Services
- Under username, enter root
- Under private key, use the dropdown menu to select SSH
- Copy the Remote Host Key, excluding the first line that beings with ssh
- Click save.
- Now to test if SSH has been successfully enabled.
- Run Putty
- Put in the IP address of you TrueNAS machine under Host Name and port of your SSH under Port
- Go to SSH -> Host keys
- Under key, paste the Remote Host Key you previously copied and click add key.
- Go to SSH -> Auth
- Click browse and find your private key you named id_rsa
- Go back to Session and click save!!!!
- Now click open.
- Login as: root
- Put in your password.
- If you see the following, everything has been successfully set up!
-
- Run Putty
- Run Putty
- Load the saved session from before
- use the code
- sudo iocage console nextcloud
- use the code
- Go to https://drive.google.com/file/d/1E68zif8k6V70KBqMGS09Xp_-eGb-RquX/view
- This video runs through it
- Use the directions there.
- Note that the following has simply created a self-signed CA and certificates for your nextcloud domain.
- Load the saved session from before
- Restart your nextcloud instance via TrueNAS WebGUI
- Go to your router configuration page, to do this open command prompt and enter ipconfig
- Enter the IP under default gateway in your web browser
- Default username and password for this is usually on your router itself.
- Once in, go to port forwarding
- For HTTPS
- The server IP address should be the IP address of your nextcloud instance on your local network.
- Select TCP/UDP
- Under Internal port, use 443
- Name it HTTPS
- Save
- For HTTP
- The server IP address should be the IP address of your nextcloud instance on your local network.
- Select TCP/UDP
- Under Internal port, use 80
- Name it HTTPS
- Save
- For HTTPS
- Enter the IP under default gateway in your web browser
- Now you should be able to connect to your nextcloud instance remotely using https://YourDDNS, i.e. https://example.duckdns.org
- Run Putty
- Enter following code one by one.
- sudo iocage console
- pkg install py37-certbot
- cd /usr/ports/security/py-certbot && make install clean
- certbot certonly --webroot
- under domain names, enter your DuckDNS domain name, i.e. example.duckdns.org
- Under webroot enter the following
- /usr/local/www/nextcloud/
- The output, under IMPORTANT NOTES should tell you where the key files have been save. Note these.
- Enter the following code
- nano /usr/local/etc/nginx/conf.d/nextcloud.conf
- Edit the following from
- server {
listen 0.0.0.0:443 default_server ssl http2;
listen [::]:443 default_server ssl http2;
ssl_certificate "/usr/local/etc/ssl/nginx/nextcloud.crt";
ssl_certificate_key "/usr/local/etc/ssl/nginx/nextcloud.key";
ssl_session_timeout 120m;
ssl_session_cache shared:ssl:16m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- server {
- To
- server {
listen 0.0.0.0:443 default_server ssl http2;
listen [::]:443 default_server ssl http2;
ssl_certificate "NewPathToCertificateAndChain";
ssl_certificate_key "NewPathToKeyFile";
ssl_session_timeout 120m;
ssl_session_cache shared:ssl:16m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;- change the bolded text to the respective paths noted above.
- server {
- Edit the following from
- nano /usr/local/etc/nginx/conf.d/nextcloud.conf
- Enter following code one by one.
- Restart your nextcloud instance via the TrueNAS WebGUI
- Go to https://yourdomain.duckdns.org and check if the lock symbol is on the URL space. If so everything has been done correctly.
- Go to your router configuration page, i.e. the default gateway under ipconfig in command prompt
- Go to port forwarding
- For SSH
- The server IP address should be the IP address of your TrueNAS machine on your local network. i.e. 192.168.0.10
- Select TCP/UDP
- Under Internal port, use the SSH port number you previously selected
- Name it SSH
- Save
- For SSH
- Go to port forwarding
- Run Putty
- Load the previously saved session
- Go to SSH -> Tunnels
- Click Dynamic and Auto
- In the source port, enter 15443
- Click add
- Go to session and save the session!
- Install Mozilla Firefox
- Run Firefox
- Go to options -> general -> network settings
- Click manual proxy configuration
- Click SOCKS V5
- Under SOCKS Host, enter localhost
- Under the corresponding port, enter 15443
- Under No proxy for, enter
- localhost, 127.0.0.1
- Enable Proxy DNS when using SOCKS v5 and Enable DNS over HTTPS
- Everything should save automatically.
- To test if everything is working correctly
- Connect to a remote network
- Run Putty using the saved previous session
- Open Firefox
- Go to your TrueNAS IP address
- i.e. 192.168.0.10 NOT example.duckdns.org
- If you can see the login page, everything worked!!!
- Keep in mind, to access the WebGUI remotely, you must always be connected to your TrueNAS machine via SSH in Putty!
Common Problems Troubleshooting
- If nextcloud shows something along the lines of this is not a trusted domain, use the following code
- cd /usr/ports/editors/nano/ && make install clean BATCH=yes
- nano /usr/local/www/nextcloud/config/config.php
- Add your domain/IP address you desire using the format you see in the file.
- i.e. 192.168.0.20 or/and example.duckdns.org
