I’d like to please ask the community how best to access TrueNAS while away from home. In particular, I would like to be able to access my school files while I’m on campus. I built a TrueNAS Scale box that I use for all of my school files. The only problem is that when I am in class taking notes, I don’t have access to save the notes to the TrueNAS until I get home and it’s making my life a nightmare to track whether I’ve uploaded everything days later. I’d also like to be able to retrieve notes from previous years on the spot.
My setup is a custom built TrueNAS Scale machine and a custom built pfSense box. The modem is in bridged mode such that pfSense sees the internet. My ISP uses dynamic IPs so I’m stuck having to figure out how to identify my IP.
I would like to set up a VPN using OpenVPN (I think) such that my MacBook and iPad can connect to my TrueNAS at home. Please correct me if I’m wrong, but I think the best way of trying to achieve this is through creating an OpenVPN tunnel within pfSense. That way, I’d be able to just connect to TrueNAS as if I were still at home on the network.
The only problem is that I have no idea how to do this. My superficial understanding is that I will need to get a certificate (no idea how!) in order to create the VPN tunnel and I will need to find a resolving service to address the dynamic IP situation. Could anyone please provide some guidance on how to go about doing this?
Also, I’m afraid I’m not 100% clear on the terminology as between a Site-to-Site VPN and a Remote VPN. I don’t really know what I need to achieve what I want here. Any ideas?
For your use case, I would rather look towards synchronization than remote access. Of course you can have both, they aren’t mutually exclusive. The advantage of synchronization is that you always have a local copy of your files on the device you’re working on. This means you don’t need a network connection at all times. A popular solution that also has a TrueNAS integration is Syncthing.
For remote access I recommend WireGuard. It is much simpler to set up than OpenVPN. As of right now, you have to install an experimental package to pfSense, but I’ve found it to work without any issues whatsoever. If you don’t have a static IP address, you’ll want to set up dynamic DNS.
I believe Tom has tutorials for setting up both Syncthing and Wireguard on his YouTube channel.
In case you want to go with OpenVPN: You don’t need a certificate from a trusted Certificate Authority. Tutorials for setting up OpenVPN will guide you through generating your own CA and server/client certificates. But again, I recommend using WireGuard instead, as you won’t have to deal with managing any of that.
Dynamic DNS and OpenVPN? https://www.noip.com/ NoIP can give you a certificate, but it is not required for OpenVPN; it will generate its own key. I’d suggest a 256-bit key.
Could Tailscale work for this too? I’m not at all up to speed on Tailscale so you would need to research it.
The easier way is probably synchronization as mentioned above.
Yes, Tailscale can be used for remote access as well. It builds on top of WireGuard by adding clever mechanisms for firewall and NAT traversal as well as handling roaming peers, so there’s no need for dynamic DNS.
Hi Paolo and Greg, thank you both for your comments and suggestions.
I appreciate the perspective re: synchronization but I’m afraid it’s not what I need right now. I actually already have SyncThing configured and use it to sync data between my phone and TrueNAS but I really don’t want to use it for school.
Instead, I want everything centralized on my TrueNAS with nothing locally on my laptop. TrueNAS has adequate backups implemented and I feel comfortable knowing it’s all centralized. I have in the past experienced conflicts with SyncThing that cause me to distrust it for this particular application, although it works great for needs on my phone.
Instead, I simply want access to my TrueNAS from afar. I have read about both WireGuard and OpenVPN. I appreciate that WireGuard is supposed to be simpler to deploy but I’ve also read that OpenVPN is safer. I am happy to hear that a certificate from a trusted certificate authority isn’t necessary and agree I want a 256 bit key. I’d just like guidance on how to set it all up.
I found an article that I might try to follow. It’s here: How to Set up Remote VPN Access Using pfSense and OpenVPN - TurboFuture
Any thoughts on the approach?
As for Dynamic DNS, I definitely need to figure it out and will explore noip.com, thanks Greg.
Thanks again to both of you for your thoughts here!
+1 on Tailscale. It’s probably the easiest way to accomplish your goal. And where you have pfSense you can set it up as a subnet and access all the devices on your home network. Tom has a video on how it all works.
Thanks for the suggestion re: Tailscale. I’ve looked into it a little and would prefer to learn how to do an OpenVPN implementation rather than relying on a third party service to facilitate the connection. I understand Tailscale uses end-to-end encryption but generally, I just don’t like relying on a third party service to achieve my goals; hence the decision to build a TrueNAS device rather than relying on a cloud service instead.
Might anyone have any suggestions, guidance or videos on how to configure OpenVPN on pfSense, iPadOS, Android and MacOS?
This might help with Tailscale and a self-hosted server: Tutorial: Using Tailscale VPN with the Self Hosted Headscale Controller - Lawrence Technology Services
That said, I need to work with tailscale so that I understand it better, it seems like a really good way to go for a lot of things I need to do at/with work.
I also do have an openVPN between home and work. One word of warning: Transferring files from an SMB share (maybe others) is VERY slow, has to do with all the back and forth communication needed to transfer files. Thought it should probably be mentioned to help you decide what to do.
Hi Greg, thanks for the heads up. I had heard that it was slow using SMB over OpenVPN but no one has ever really put a number to it. Do you think it’s slow to the point where accessing word documents will become frustratingly difficult? I don’t plan on uploading files that are larger than 1 to 5mb (*.docx and *.pptx).
May I ask how difficult you found it to be to configure SMB over OpenVPN? This is exactly what I’m looking to achieve without using Tailscale.
I use OpenVPN on my pfSense machine for remote access and it’s very easy. I have also set them up for clients and they work great. For the IP, just get a dynamic DNS provider that is supported in pfSense (There is a huge list in pfSense itself).
Tom has awesome walkthrough videos on both and they work perfectly.
For file synchronization, I use FreeFileSync and then set up the included RealTimeSync that automatically syncs whenever it sees a change, so no need to even worry about whether or not you remembered to do a sync. RealTimeSync even works across my VPN, so I have used it many times to sync files I used in the field with my file server at home. Once I bring up the VPN, it will automatically connect and start the sync within 30 seconds. It’s donationware as well. I gave them $20 myself.
Do a search for Tom’s OpenVPN videos, I’m sure he has made one for a Remote Access Server and an OpenVPN client.
Personally I use both user credentials and certificates to access my OpenVPN server remotely. If you’re only moving files, I wouldn’t worry about accessing SMB over OpenVPN, it will work. Using certs is actually pretty straightforward once you crack it; if you lose your phone you can just revoke the cert without affecting the user’s other devices.
When generating passwords, I had some issues with certain characters and length. During testing use a basic one so you know your setup works, currently I use 31 char alphanumeric. Perhaps it has changed but on my android that’s what I had to use.
I just typed the IP address\share\folder into windows explorer and grabbed the files I wanted, no real set up. I was getting 2 to 6 mbps with fairly large files (ISO files) which took a long time. Small files like a text document should not be of concern, if you need to wait 3 more seconds it will not wreck your day.
You can set up your device to use a DNS server on the home network, then you could access files by server\share\folder path in explorer, I’ve done this too and it might be slightly faster, but still going to feel like stepping back to DSL or dial up compared to what we have become accustomed to seeing.
This speed was from my home that normally has 150/50 Mbps (down/up) to a server at work that has 100/100 (could be gig/gig but the port is currently locked at 100). If you only have a 6 Mbps upload at your server site, then it might be slightly slower; you’d need to test and see if it meets your needs.
RDP works exceptionally well over this same link. If you want faster file transfer, you might try setting up an FTP to the same share. Might help, might not.
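Added example, not posted by anyone in this thread: a small Python check for the client profile (.ovpn) you export from pfSense for each device, covering the points raised above (a DDNS hostname rather than a raw IP, a per-device certificate you can revoke, a 256-bit data cipher) plus two standard OpenVPN hardening directives, tls-crypt and remote-cert-tls server. The sample profile is constructed; its address and inline CA are placeholders.

```python
import re
# Constructed sample client profile (placeholder address and CA); it has every weakness reported below.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote 203.0.113.10 1194
cipher AES-128-CBC
<ca>
PLACEHOLDER
</ca>
"""

def parse_profile(text):
    """Split an .ovpn into directives (name -> list of arg lists) and inline <block> names."""
    directives, blocks, in_block = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        tag = re.fullmatch(r"<(/?)([a-z-]+)>", line)
        if tag:                                   # <ca> ... </ca> style inline material
            in_block = None if tag.group(1) else tag.group(2)
            if in_block:
                blocks.add(in_block)
            continue
        if in_block:                              # skip the PEM body itself
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives, blocks

def check_profile(text):
    """Return findings for a remote-access client profile; an empty list means clean."""
    d, blocks = parse_profile(text)
    present = lambda name: name in d or name in blocks   # given as a file path or inline
    findings = []
    if any(a and re.fullmatch(r"\d+(\.\d+){3}", a[0]) for a in d.get("remote", [])):
        findings.append("remote is a raw IP; with a dynamic ISP address use the DDNS hostname")
    if not (present("tls-crypt") or present("tls-auth")):
        findings.append("no tls-crypt/tls-auth: control channel lacks pre-shared-key protection")
    if not present("cert"):
        findings.append("no per-device client certificate: nothing to revoke if a device is lost")
    if "remote-cert-tls" not in d:
        findings.append("missing 'remote-cert-tls server': a client cert could pose as the server")
    ciphers = " ".join(" ".join(a) for a in d.get("data-ciphers", d.get("cipher", [])))
    if "AES-256-GCM" not in ciphers:
        findings.append("data channel is not AES-256-GCM (the 256-bit key discussed above)")
    return findings
```

Running `check_profile` on the sample reports all five findings; a profile exported with a DDNS hostname, inline cert/key/tls-crypt material, `remote-cert-tls server` and `data-ciphers AES-256-GCM` comes back clean.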
Thanks for all the great feedback. While I am sure the team at Tailscale is trustworthy, I have some security concerns that likely aren’t to be resolved until “Tailnet Lock” is deployed. Specifically, I am uncomfortable using a service that could, in theory, be able to add nodes to my Tailnet. My understanding is that Tailnet Lock is in alpha and not yet available. Links for details:
Introducing tailnet lock: use Tailscale without trusting our infrastructure! · Tailscale
[Apparently I am not allowed to add more than 2 hyperlinks in a post and it seems I’ve already done 1 above so I’m limited to showing only the one Tailnet lock link. There’s another called “/kb/1230/tailnet-lock-whitepaper” for anyone interested. Same domain.]
In the meantime, I think I am going to do my best to figure out how to get an OpenVPN tunnel working for remote access. I will select dyndns.org since this seems to be widely regarded as a good service that works well with pfSense. Rob, if you have any tips, I am all ears/eyes here!
No need for file sync at all on my end seeing as I will simply be storing everything to the NAS via SMB once OpenVPN is working for me. The only complication I anticipate is working out access to the specific VLAN on which I have installed my NAS. I’m not sure how the tunnel will work - if it will simply gain access to 192.168.1.1/24 OR if I can assign it to a specific VLAN (e.g. 192.168.100.1/24). I may have the /24 wrong here, but you get the idea of what I’ve set up hopefully. This is what happens when noobs dive into networking, I guess. The idea is that none of my VLANs can talk to each other. Some get routed through a VPN (e.g. Private Internet Access) while others are wide open and one is completely shut off from the internet altogether for IoT devices. Just not sure how the tunnel will connect and how to configure my rules to allow it access to only one of these VLANs. I imagine this may warrant a separate post if and when I get OpenVPN running correctly for remote access.
Thanks again to everyone for your suggestions and help!
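Added illustration, not from anyone in this thread and not pfSense’s own generated files, of the two halves of the VLAN question above: what the OpenVPN server pushes to clients, and what the firewall actually enforces. Addresses are placeholders built from the example networks in the thread; pfSense writes all of this itself from the VPN > OpenVPN and Firewall > Rules > OpenVPN pages, so nothing here is edited by hand.

```conf
# --- Remote-access server side (directives of the kind pfSense emits) ---
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0             # tunnel network handed to clients (placeholder)
# Weak: pushing the whole LAN makes every client route to every VLAN
# push "route 192.168.0.0 255.255.0.0"
# Scoped: only the NAS VLAN (the 192.168.100.0/24 example above); this is
# what the "IPv4 Local network(s)" field in the pfSense server settings produces
push "route 192.168.100.0 255.255.255.0"
tls-crypt /var/etc/openvpn/server1/tls-crypt.key   # placeholder path
crl-verify /var/etc/openvpn/server1/crl.pem        # a revoked device cert is refused here
remote-cert-tls client
data-ciphers AES-256-GCM
auth SHA256

# --- Firewall rules on the OpenVPN interface, shown in illustrative pf syntax ---
# A pushed route is not a security boundary: a client can add its own route to
# 192.168.1.0/24, so the rule below is what keeps the tunnel out of the other VLANs.
# Weak: the "allow anything from the tunnel" rule many tutorials add
# pass in quick on openvpn from 10.8.0.0/24 to any
# Scoped: SMB to the NAS VLAN only; pfSense's default deny already drops the rest,
# the explicit block just makes the intent visible
pass  in quick on openvpn inet proto tcp from 10.8.0.0/24 to 192.168.100.0/24 port 445
block in quick on openvpn inet from 10.8.0.0/24 to any
```

If the NAS VLAN’s own rules send its traffic out through the Private Internet Access gateway, add a rule above them for destination 10.8.0.0/24 using the default gateway, otherwise connections the NAS initiates toward tunnel clients follow the policy route.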