Securing Remote TrueNAS VPS?

altano

Dabbler
Joined
Jun 6, 2021
Messages
12
I'm running TrueNAS on a VPS in a datacenter for the purposes of replicating my home NAS to it. The VPS has a static, public IP at the moment. I also have secure, VNC access to the host on a separate NIC.

I don't have access to the infrastructure the VPS is running in other than the access above. I can't run any other machines, I can't stick an rPi into the rack, nothing. How would you go about securing this setup? I know the general advice is "don't expose the Web GUI to the public internet" but how would you do that here?

Run OpenVPN, Wireguard, ZeroTier, etc on the host directly and then tell TrueNAS (somehow?) to not let the WebGUI, SMB shares, or other services bind to the interface exposed to the internet?

My first thought was to install and set up ZeroTier and then set the Web Interface and ssh to only bind on the ZeroTier interface, but it looks like installing ZeroTier in TrueNAS is a disaster and/or not reasonably possible.

Does anyone have any suggestions?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Yeesh.

This is difficult because the FreeNAS system wasn't built with firewalling, and as many years of computing history teach us, middleware is always buggy.

If you have a static IP at home, a simple strategy that isn't completely secure but is probably good enough would be to avoid configuring a default route, and then specify a static route on the FreeNAS host that allows access from your home static IP to the FreeNAS host. This does not prevent the FreeNAS host from receiving unsolicited traffic, but does prevent it from sending it, which makes it hard for a bad guy to identify what it is, or to exploit any software bugs.

You could also set up a jail on the public IP, and set the NAS up with only IP connectivity internally, so that you would need to SSH in through the jail (essentially a bastard bastion host setup). You could instead (or additionally) run OpenVPN/Wireguard alongside SSH as well. This is probably not a beginner project, however.
 
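A small model of the "no default route, one static route" strategy from the answer above, added here as an illustration and not part of the original thread. It uses constructed addresses (203.0.113.0/24 for the VPS, 198.51.100.77 for the home IP) and shows the property the post relies on, plus the caveat it implies: the host still answers anything on its directly connected subnet, because that route exists regardless of the default route.

```python
"""Model of the 'no default route' strategy.

Constructed example: a routing table for the VPS with the default route
removed and a single /32 static route pointing at the home static IP.
Incoming packets are still delivered (the NIC accepts anything addressed
to it), but a reply only leaves the host if a route matches the packet's
*source* address.
"""
import ipaddress

# Constructed sample values; replace with your own addressing.
VPS_SUBNET = ipaddress.ip_network("203.0.113.0/24")   # directly connected
GATEWAY = ipaddress.ip_address("203.0.113.1")
HOME_IP = ipaddress.ip_address("198.51.100.77")

# Routing table as (destination network, next hop). Deliberately no
# 0.0.0.0/0 entry. "link" marks a directly connected (on-link) network,
# which the kernel installs automatically when the interface is configured.
ROUTES = [
    (VPS_SUBNET, "link"),
    (ipaddress.ip_network(f"{HOME_IP}/32"), GATEWAY),
]


def lookup(dst):
    """Longest-prefix match, as the kernel does; None means unroutable."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in ROUTES if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def can_reply(src):
    """Can the NAS send a response back to a packet that arrived from src?"""
    return lookup(src) is not None


def classify(sources):
    """Map each candidate source address to whether it would get a reply."""
    return {s: can_reply(s) for s in sources}


if __name__ == "__main__":
    for src, ok in classify(["198.51.100.77", "203.0.113.55", "8.8.8.8"]).items():
        print(f"{src:>16}: {'reply sent' if ok else 'reply dropped (no route)'}")
```

Because replication traffic to the home IP is routed via the gateway, the NAS still reaches home, while a scanner outside the VPS subnet gets no SYN/ACK, no banner, and no error back.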