Using TrueNAS like cloud storage and giving access to friends outside my network

Gévarred

Cadet
Joined
Sep 4, 2023
Messages
5
Hello everyone,

I'm interested in using TrueNAS as a cloud server for me and my friends.
We're playing Dungeons and Dragons and are recording every session.
Up until now we were using Google Drive but we wanna switch to a private solution. Furthermore I don't like paying monthly subscriptions unless it's absolutely necessary.
I've plenty of "old" hardware that's suitable serving as a cloud storage.

So far I already did a lot of research and also tried out many different things.
At first I thought an SMB share would work but as far as I can tell and have tested that's only an option for devices on the same network.
I've tried Nextcloud and so far it was working. I was able to upload the files but no one except my girlfriend and me (we're on the same network) was able to gain access despite the fact I used the "Share link" function.
After some research I figured out that it's because my router / server aren't public to the internet (port forwarding not enabled) which would explain why only my girlfriend and me had access to the files.
Then I stumbled upon FTP / SFTP. At first it sounded perfect because I don't want to force my friends to download extra software. Having access to the recordings via Windows Explorer sounds like a perfect idea. I'd give everyone a user profile / group profile, password etc. and that's it (roughly explained of course).
But in order to use FTP / SFTP I have to enable port forwarding which obviously has many security problems.

I definitely misunderstood something (or a lot) since I'm relatively new to that topic.

What do I want?
I would like to use TrueNAS (preferably TrueNAS Scale since I had fewer problems with its UI) as a self-hosted cloud storage that's not only accessible to the people on the same network, but also accessible to my friends from their home networks so that they can watch / download the last session.
A nice to have would be if they were also able to upload additional content but not necessary.

I know many posts already exist talking about that topic but some posts link to a dead and unusable link and others aren't finished finding a solution.

I will answer further questions in as much detail as possible.

Kindest regards
Gévarred (。・∀・)ノ゙
 

Gévarred

I totally forgot to mention that our network connection should be stable enough to handle higher network traffic.
We have download speeds of around 1000 MB/s and upload speeds of around 250 MB/s.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> But in order to use FTP / SFTP I have to enable port forwarding which obviously has many security problems.
There will be no way to give external people access to your system without either port forwarding or setting up a VPN for them to connect to. The latter will be more secure if done correctly, and the best way to do it is on your router.

Otherwise, my vote would be to set up Nextcloud--but that will require forwarding 80/443 to that app.
 

ChrisRJ

Wizard
Joined
Oct 23, 2020
Messages
1,919
I don't want to sound impolite or patronizing. But setting up a "cloud storage", i.e. something with access from the public Internet, is not a trivial thing. Personally I see the following options here:
  • Continue to use the current solution. That would in fact be my recommendation, as much as I dislike to say it.
  • Spend a couple of months on learning networking and security
  • Pay someone to set it up for you
  • Get a device like e.g. Synology/QNAP etc. and use their public access solution.
  • Run Nextcloud with your ISP, although the storage amount may be an issue
You can of course also try to get things up and running with help from this forum. But there is tremendous risk that something is overlooked and you expose data. The legal implications of that I cannot estimate, but they may fall into the category of (gross) negligence these days.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Seconding @ChrisRJ. Nextcloud is a perfectly viable solution, but running Nextcloud you suddenly are a systems administrator of a three-tier web application (PHP engine, web server, database) and you are required to keep it secure and updated - which means on average an update at least once per month and some of these are not automatic but require manual steps on the command line afterwards.

With a small trustworthy group of people probably NAS access via SMB over a VPN that terminates at your Internet router/firewall might need the least maintenance effort. E.g. German "Fritzbox" routers offer not perfect but reasonably secure remote access.
 

Gévarred

Huge thanks for every answer so far!

> or setting up a VPN for them to connect to. The latter will be more secure if done correctly

> With a small trustworthy group of people probably NAS access via SMB over a VPN that terminates at your Internet router/firewall might need the least maintenance effort.

Based on that information I would like to go with NAS access via SMB over a VPN first. As far as my understanding goes no one has to download extra software and can access the NAS simply through Windows Explorer, is that correct?

> E.g. German "Fritzbox" routers offer not perfect but reasonably secure remote access.

It's funny that you're mentioning that because I do live in Germany and currently use a FritzBox 7530 AX.
Today I was just looking into the viable options my FritzBox offers but I couldn't find anything useful as of right now. More research needs to be done on my side.


[Attached screenshots: 1693907257435.png, 1693907288187.png]
 

ChrisRJ

> Based on that information I would like to go with NAS access via SMB over a VPN first. As far as my understanding goes no one has to download extra software and can access the NAS simply through Windows Explorer, is that correct?
That is not correct. People need to install and configure the VPN client software.
 

Etorix

Wizard
Joined
Dec 30, 2020
Messages
2,134
> It's funny that you're mentioning that because I do live in Germany and currently use a FritzBox 7530 AX.
> Today I was just looking into the viable options my FritzBox offers but I couldn't find anything useful as of right now. More research needs to be done on my side.
The whole point of filling in location in your profile is to give others clues for locally useful answers…
The first option in the screenshot should be what you want. Set it up and try how you can access your home network remotely. If you're happy with that, see about creating further users for your friends and whether and how you might subdivide your network so that your friends have remote access to the cloud service on your NAS but not to further services or to any device in your home network.

> That is not correct. People need to install and configure the VPN client software.
I did not have to install anything on my MacBook Pro to enable my own Fritz! VPN: macOS comes with client software for standard VPN protocols. Windows, of course, may obfuscate things…
 

HoneyBadger

actually does care
Administrator
Moderator
iXsystems
Joined
Feb 6, 2014
Messages
5,112
Hello @Gévarred

If your friends are wanting to download the recorded sessions to their local systems, something along the lines of Syncthing might be a low-friction way to get this going - it would necessitate an additional piece of software on each system participating in the Syncthing group, but among a few trusted individuals it's a very easy way to get files shared and replicated.

 

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,222
Personally the FTP option looks reasonably safe (if configured correctly) while being the most simple to implement.
VPN tunnelling would be my choice too.

Syncthing looks interesting as well... but I personally don't like apps (it's the reason I like Jails).
 

Patrick M. Hausen

Disable SSH password authentication and root login.
Use SFTP with public/private key authentication.

"Poor man's VPN" - reasonably secure.
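
A check for the two settings named in the post above, added here as an example and not code from the thread or from TrueNAS. It assumes stock OpenSSH `sshd_config` semantics (case-insensitive keywords, first value wins, `Match` blocks apply conditionally) and goes slightly beyond the post by also treating keyboard-interactive authentication as a password path; the sample configs and the 192.168.178.0/24 subnet are constructed.

```python
import re

# OpenSSH built-in defaults, used when a keyword is absent from the file.
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "permitrootlogin": "prohibit-password", "pubkeyauthentication": "yes"}
# Values under which the advice above holds (key-only logins, no root).
REQUIRED = {"passwordauthentication": "no", "kbdinteractiveauthentication": "no",
            "permitrootlogin": "no", "pubkeyauthentication": "yes"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse(text):
    """Return (global settings, settings found inside Match blocks)."""
    global_cfg, match_cfg, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        tokens = parts[1].split() if len(parts) > 1 else []
        value = tokens[0].strip('"').lower() if tokens else ""
        if key == "match":
            in_match = True          # everything after this is conditional
        elif in_match:
            match_cfg.append((key, value))
        else:
            global_cfg.setdefault(key, value)   # sshd keeps the first value
    return global_cfg, match_cfg

def audit(text):
    """List every setting that still allows password or root logins."""
    global_cfg, match_cfg = parse(text)
    findings = []
    for key, want in REQUIRED.items():
        got = global_cfg.get(key, DEFAULTS[key])
        if got != want:
            findings.append(f"{key} is '{got}', expected '{want}'")
    for key, value in match_cfg:
        if key in REQUIRED and value != REQUIRED[key]:
            findings.append(f"Match block sets {key} to '{value}'")
    return findings

# Constructed sample configurations, not taken from any real system.
WEAK = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = ("PasswordAuthentication no\nKbdInteractiveAuthentication no\n"
            "PermitRootLogin no\nPubkeyAuthentication yes\n"
            "PasswordAuthentication yes\n")   # later duplicate is ignored
OVERRIDE = HARDENED + "Match Address 192.168.178.0/24\n  PasswordAuthentication yes\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("override", OVERRIDE)):
        print(name, audit(cfg) or "ok")
```

The same function accepts the output of `sshd -T`, which prints the effective configuration as lowercase keyword/value lines.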
 

ChrisRJ

> Personally the FTP option looks reasonably safe (if configured correctly) while being the most simple to implement.
I hope you don't mean FTP but SFTP or FTPS
 

Gévarred

> The whole point of filling in location in your profile is to give others clues for locally useful answers…
During writing I wasn't thinking about that feature :>

> something along the lines of Syncthing might be a low-friction way to get this going
I'll keep its existence in mind in case I'll change my mind but I'll try to stick to the other method first.

So far I was able to set up a VPN in my router's settings. Right now I've activated VPN (IPSec) and VPN (WireGuard).
I'm fully aware only one is necessary but in case one is easier to set up or doesn't work for whatever reason.

[Attached screenshots: 1694000244357.png, 1694000238855.png]


The next step would be to connect the NAS with the VPN of my router as far as I understand.
When searching for "connect truenas to router vpn" the first result is the "Configuring OpenVPN" documentation from TrueNAS.
Feel free to let me know if I'm wrong.
I know it is a complex topic especially for someone who never did something in that direction and I'm fully aware of the risk which is why I wanna do it right and I'm willing to learn all of that stuff. Also because I want to know more about it in general.

> Disable SSH password authentication and root login.
> Use SFTP with public/private key authentication.
I'm sorry to say this but I don't think I've reached that point yet where that's necessary but I could be wrong. So I don't know yet when or where this step comes :/
 

Patrick M. Hausen

The point of the VPN is to give VPN clients on the Internet access to the LAN behind your Fritzbox. There is nothing to be done on the TrueNAS except plugging it into the LAN. Once the connection of the outside client is established people can then just use \\<ip of truenas>\<name of share> to connect e.g. via SMB.

SSH/SFTP is an alternative to using a VPN. Since you already decided to use a VPN you can ignore that comment.
 

Gévarred

Sorry for the late reply!

I have to admit I misunderstood how a VPN works but now I finally get it!
Everyone was able to connect to the VPN (except one user) and had access to the video files.
The other user is only able to connect when using WireGuard. I can't remember the exact error he got but it's working with WireGuard which is absolutely fine since it's such a small program.

Huge thanks to everyone for helping me here!
I really appreciate it and must agree the community is extremely helpful and nice :)

- Gévarred
 