So I have a TrueNAS server set up at home, and it would be cool to have access to it at all times. I currently have Syncthing set up to access and back up my most essential files on my phone and laptop, but it would be nice to be able to access all the … legally obtained files I have stored there wherever I go. I looked into Nextcloud, but that requires paying for a domain. So are there any other options for this?
You don’t need to own a domain, what you most likely need is some kind of dynamic DNS service.
https://freedns.afraid.org/ is one of them, they’ll give you a subdomain you can pick and the client will update the IP to which the domain point whenever it changes.
This is what you need, assuming you’ve a public IP from your ISP and you can go into your router and port forward ports to your TrueNAS server.
Now regarding software, since you’re using Syncthing already I would suggest you stay away from the complexities and vulnerabilities of Nextcloud and simply use FileBrowser, this is way easier to setup and use. I believe there’s even something on TrueNAS to get it running.
How if you’re about to expose your NAS/setup to the internet you’ve to consider a few things for your own safety.
Quick check list for outward facing servers:
- Only expose required services (web server nginx, game server, program x) to the Internet. Everything else such as SSH, configuration interfaces and whatnot can be moved to another private network and/or a WireGuard VPN you can connect to when you want to manage the server;
- Use custom ports with 5 digits for everything - something like 23901 (up to 65535) to make your service(s) harder to find;
- Disable IPv6? Might be easier than dealing with a dual stack firewall and/or other complexities;
- Use nftables / iptables / another firewall and set it to drop everything but those ports you need for services and management VPN access to work - 10 minute guide;
- Use your firewall to restrict what countries are allowed to access your server. If you’re just doing it for a few friends only allow incoming connection from your country (https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching)
Realistically speaking if you’re doing this just for you / a few friends why not require them to access the server through WireGuard VPN? This will reduce the risk a LOT and won’t probably impact the performance. This is a decent setup guide https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-debian-11 and you might use this GUI to add/remove clients easily https://github.com/ngoduykhanh/wireguard-ui
With WireGuard you’ll only need to port forward the WG port reducing the attack surface. After you connect to the VPN you get access to the server as if you were on the local network. This mean you’ll even get SMB/Samba access to the files and/or access to any other service the server might me providing, you don’t need anything else or change your current workflow, simply connect to the VPN and access your data as if you were home.
Another advantage of going with WireGuard is that you can more safely ignore the step (4) and (5) because only exposing the VPN through a port forward in your router won’t create much of an attack surface / anything that can be bruteforced. Your setup will be easier to deploy and maintain.
Note that WireGuard is designed with security in mind and it won’t even be visible in typical IP scans / will ignore any piece of traffic that isn’t properly encrypted with your keys.
Yes it’s easy, install WireGuard in a container, port forward to it and copy the profile to your other devices.
When you connect to the WireGuard network on the second device, you’ll have access to your internal network and hence your nas.
I also use a reverse proxy so I can remember computer names rather than ip.
VPN
Nextcloud is simply software that runs on something. You might use DNS to find the something that your Nextcloud runs on … or not. A domain can cost as little as say £10/year (no details given - loose costing provided!) but you say you don’t want one.
You could do some weird stuff involving something like this: Your clients update a database on the server with their current IP address(es) and the server reciprocates in kind regularly.
For an internets conversation, both sides need to know IP address, protocol, and optionally port; for both ends. For example, a webby conversation might involve:
My end: 192.168.100.20/24, tcp port 2399 -> NAT -> 33.22.4.66, tcp port 2245 Remote web server: 99.22.33.44/37, tcp port 443
Now, provided both sides are warned off about changes to addresses and port numbers on a regular basis, then comms will still work.
Say, your home external IP address changes, then your browser writes that new address to the remote server and comms continue. Provided one end knows all the details of the other end at any point in time and can communicate local changes then we are good.
000000000000000000000000000000000000000000000000000000000000000000
Maybe not. Lookup: Dynamic DNS.
If you have a public IP and can forward ports, exposing SSH (with key-based login) is quite safe. You can browse the server storage and copy files to/from your phone.
If you can’t open ports you will need something that punches out of NAT and intermediates a connection to your phone. Simplest way is to use a service like Tailscale, you install and start it on both the server and your phone and they will see each other from wherever they are.
