Hello everyone, I would like to generate download links that I can send to anyone on any network, and it securely sends them a file off of my TrueNAS Core server. I am pretty sure I would use SFTP for this, but I want to know the most secure way to implement this.
I have talked to a few people about this, and we have come up with a few solutions. Either I use Cloudflare tunneling, Nextcloud, separate Ethernet interface from a VLAN for a shared folder on my server (probably isolated in a jail), and another VLAN that runs a self-hosted VPN that hides the file source, or just host a sharing website, which I would like to try and avoid. With any of these methods, I assume I would want a firewall between the server and switch, or switch and home router?
The hardware I am working with is a server with 3 LAN ports (2 on board, one expansion card), a Sonicwall firewall, and an L3 gigabit Cisco switch.
I would like this to be as secure as possible, and preferably I would host everything myself. I am wondering which of these solutions is the most secure, or if there is a better solution then any of these, that would be much appreciated!
1.) VPN is also the safest - Tailscale would be the easiest.
2.) Cloudflare tunnel - you are not exposing your server directly to the internet and still has username/password options.
3.) Nextcloud - exposed but has username/password plus 2 FA. Put it in a locked down VM for extra security protection.
Nextcloud is number 3 but has a lot of other features that may be beneficial to you. It is a trade off.
Makes sense, I would like the links to not have credentials, but I can if needed.
You’re recommending setting up tailscale as a self-hosted VPN, then using Cloudflare tunnel, or using Tailscale share as the sharing medium? Also, would is it still a good idea to put the shared folder into a VLAN?
I should have asked this question first. What is your target audience and volume of users? Sensitivity of what is being shared? People you know or any random person requesting?
Making things too secure creates addional steps that a lot of people may refuse to engage in and alienate your userbase.
Self hosting may very well not be your best option.
There would not be large volume at all, single use every week or so.
It would sometimes be used for confidential files with people online, but the links will not be public anywhere, so I would like it to be secure and fully managed by me for this reason.
I would like it to be as easy for the recipient as possible, but if it is credential locked, or I have to approve each request, that is fine.
Cloudflare would be the best option as from a user standpoint you just use your web interface and do a login if you set that up. I can be used from any device. You would have to setup accounts for each user and are limited to I believe 50 on the free tier.
VPN may turn off some users as it is an extra step and would have to be setup by them on each device. I know it is easy, but for many users it can be intimidating.
It really comes down to your audience. If they find it too cumbersome, then they will not use it.