Problem/Justification
I need a way to access a remote TrueNAS server for replication without either side having access to the respective internal networks.
Impact
Secure and private replication for offsite backup is indispensable!
User Story
Configure one TrueNAS server as an OpenVPN server and another as an OpenVPN client on dedicated interfaces.
Replicate datasets without access to internal networks.
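The following is an added example, not part of the original request or of TrueNAS itself, of what the user story above would look like when written down: an OpenVPN server on the offsite NAS, an OpenVPN client on the primary NAS, and a firewall on the tunnel that admits nothing but SSH from the peer's tunnel address, so that ZFS replication flows but neither LAN is reachable through the tunnel. Hostnames, addresses, certificate paths, the client's certificate CN, the dataset names and the key placeholder are all assumptions; the generated configs are the point, the script only emits them.

```shell
#!/bin/sh
# Added example: point-to-point OpenVPN tunnel carrying only ZFS replication.
# All names, addresses and paths are assumptions for illustration.
set -eu

VPN_NET="10.8.0.0/24"            # tunnel subnet; nothing else is routed over it
SERVER_TUN_IP="10.8.0.1"         # offsite NAS (OpenVPN server, receives snapshots)
CLIENT_TUN_IP="10.8.0.2"         # primary NAS (OpenVPN client, sends snapshots)
SERVER_PUBLIC="offsite-vpn.example.org"   # assumed name on the server's dedicated interface
CLIENT_CN="primary-nas"          # assumed CN of the client certificate

# Server config. What matters is what is absent: no 'push "route ..."',
# no client-to-client, no redirect-gateway, so a client only learns the
# tunnel subnet and can reach nothing on the server's LAN.
gen_server_conf() {
    cat <<EOF
port 1194
proto udp
dev tun0
topology subnet
server ${VPN_NET%/*} 255.255.255.0
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key /etc/openvpn/pki/server.key
dh none
tls-crypt /etc/openvpn/pki/tc.key
remote-cert-tls client
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
client-config-dir /etc/openvpn/ccd
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
}

# Per-client entry pins the client's tunnel address so the firewall rule
# below refers to a fixed peer rather than "whatever the pool handed out".
gen_ccd_entry() {
    printf 'ifconfig-push %s 255.255.255.0\n' "$CLIENT_TUN_IP"
}

# Client config. route-nopull ignores any routes the server might push,
# so even a compromised server cannot steer traffic into the client's LAN.
gen_client_conf() {
    cat <<EOF
client
dev tun0
proto udp
remote ${SERVER_PUBLIC} 1194
nobind
route-nopull
remote-cert-tls server
verify-x509-name ${SERVER_PUBLIC} name
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/client.crt
key /etc/openvpn/pki/client.key
tls-crypt /etc/openvpn/pki/tc.key
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
persist-key
persist-tun
verb 3
EOF
}

# nftables rules for the receiving (server) side: on tun0, accept only SSH
# from the pinned client address and never forward tunnel traffic anywhere.
# The sending side needs the same forward chain plus an unconditional drop on tun0 input.
gen_nft_rules() {
    cat <<EOF
table inet vpn_repl {
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "tun0" ct state established,related accept
    iifname "tun0" ip saddr ${CLIENT_TUN_IP} tcp dport 22 ct state new accept
    iifname "tun0" drop
  }
  chain forward {
    type filter hook forward priority 0; policy accept;
    iifname "tun0" drop
    oifname "tun0" drop
  }
}
EOF
}

# authorized_keys line on the receiver: the replication key can only run
# zfs receive, only from the tunnel peer, with no forwarding or pty.
gen_authorized_keys_line() {
    printf 'restrict,from="%s",command="zfs receive -u backup/tank" ssh-ed25519 AAAA...placeholder replicator\n' "$CLIENT_TUN_IP"
}

# Sender side: incremental send over the tunnel. Not invoked here.
replicate_snapshot() {
    zfs send -I "tank@$1" "tank@$2" | ssh -o StrictHostKeyChecking=yes "replicator@${SERVER_TUN_IP}"
}

write_configs() {
    mkdir -p "$1"
    gen_server_conf > "$1/server.conf"
    gen_ccd_entry > "$1/ccd-${CLIENT_CN}"
    gen_client_conf > "$1/client.conf"
    gen_nft_rules > "$1/vpn_repl.nft"
    gen_authorized_keys_line > "$1/authorized_keys.replicator"
}

if [ "${1:-}" = "write" ]; then write_configs "${2:-./vpn-out}"; fi
```

Run `sh vpn-repl.sh write ./out` to get the five files; install `ccd-primary-nas` as `/etc/openvpn/ccd/primary-nas` (the file name must match the client certificate CN). The security point of the whole arrangement is that each side's LAN stays unreachable because of three independent choices: the server pushes no routes, the client refuses pushed routes, and the firewall on the tunnel interface admits a single TCP port from a single address and forwards nothing.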
Hey, thanks for your answer! Here are my 2 cents…
Perhaps OpenVPN was a dumpster fire, though my setups are still working fine on TrueNAS Core. Perhaps it was a better idea to fix it than to remove it?
OpenVPN infrastructure works on various platforms natively (pfSense for one), without “apps” or “containers” or other solutions that are haphazardly stacked on top of main functions. This focus on “ease of use” and “endless features” is ruining developer focus and purpose built, stable and long lasting products.
One-size-fits-all NAS is better left to Unraid or Synology, as experiments with Kubernetes, Docker etc. attest. TrueNAS (FreeNAS) was a dedicated system that did its job well.
That said, I’m an old dog tired of learning new tricks…
It’s kind of ironic IMO for you to say this in the same thread where you’re requesting that a VPN client and server be added back into the base OS–manifestly neither of them (especially the server) have anything to do with networked file storage.
Sure it does–as does Tailscale, and IPsec, and Wireguard (on which Tailscale is built), and others. Whether it’s part of the base installation or an additional package, and the form that additional package takes, are implementation details.
All the more reason to remove features that aren’t truly part of the NAS and put them into optional apps/plugins/whatever you want to call them.
You still have the problem (which was one of the devs’ stated reasons for removing it) that you need to roll a whole new release of TrueNAS to address a CVE in OpenVPN (which could be pretty serious in the case of the server, as the server would almost always be public-facing). If it’s a separate app, they only need to roll a release of the app, if that.
I’ll agree that it was pretty crappy of iX[1] to remove these features (even if IMO they didn’t belong in the first place), say, “replace them with apps,” and then not provide any OpenVPN apps (client or server). But they do provide both Tailscale and Zerotier, both of which are designed for exactly the kind of use case you mention, and neither of which require any port forwarding, static IP or FQDN, etc. Both of them use a third-party service, but both of those are free for smaller deployments (I think Tailscale is up to 100 devices; I don’t recall what ZeroTier’s limit is for their free tier). In neither case does your data pass through those services.
My point was that OpenVPN was a part of the base OS - what follows is that it was subject to QC and developer focus like the rest of the OS code.
As for the function not being part of the networked file storage I respectfully disagree. Secure offsite replication is a core part of NETWORKED storage and being self-sufficient, independent of the rest of IT infrastructure was a major strength.
Fixing bugs, plugging security holes, releasing timely updates, in other words maintaining the code is the most important part of software development in my opinion. It’s boring, tedious work and it is also the right reason for subscription fees - you know, the thing that brings home the bacon.
Reliance on outside infrastructure is annoying. Yet another account, yet another security risk, yet another chance for the free tier to disappear.
Consider this: what if Microsoft stopped developing new features for Windows 10 (let alone Windows 11) and just focused on making it as stable, compatible and fast as possible - would it not be better for all of us?
VPN servers belong in firewalls and UTMs not your NAS. With the exception of very large environments with dedicated hardware VPN concentrators, this role should be handled at the point of ingress/egress to your network not inside of some random server you have.
Where do Minecraft servers belong? Does Pi-Hole belong in your NAS? Does Handbrake?
VPN server/client services were incorporated in FreeNAS, and still are a part of TrueNAS Core - do you think that developers who put them there had no reason to do so?
I see that you’ve written about “TrueNAS scale as a Hypervisor”, “TrueNAS SCALE to build a Datacenter In a Box” - maybe it’s worth a re-read?
I strongly disagree with your disagreement (and so does your former self)!
Hosting your firewall as a VM inside of your TrueNAS isn’t the same thing as running a VPN server inside of the host operating system.
I fear that I did not do a good job of explaining myself in my resource. If you re-read the same article, the entire purpose of what I did was to separate and isolate the two roles and their data. Security is created in layers.
The management plane for your nested VMs or Apps living in your host OS has every reason to be in a hyperconverged NAS like TrueNAS SCALE. It’s as much a hypervisor at this point as it is a NAS.
However, the dataplane for those same functions should remain separate. That was the entire purpose of that article. I would absolutely encourage you deploy OpenVPN server on your TrueNAS in a more security minded way…isolated in a virtual machine inside a firewall operating system.
Tailscale is the right answer and it works almost everywhere (including pfSense). It is stupid easy to configure, uses WireGuard underneath, is free and is not a dumpster fire like OpenVPN. I moved off OpenVPN two years ago and Tailscale is AWESOME. Works on Mac/Linux/iPad/iPhone/Android/BSD/pfSense/OPNsense, etc. ad nauseam. Don't let "this has always worked for me" deter you from trying Tailscale. It is free and if you understand basic networking, it should take like 10 minutes to get it up and running.
I'm new here. I didn't even consider it.
Seems kind of obvious that I am in favour of the thing I suggested, as said suggestion was intended to garner some support! Alas…
Also, voting for oneself is something one should never entertain, at least that was how I was taught! O tempora, o mores!
I expected lots of technical reasons for omitting OpenVPN from linux version of TrueNAS, perhaps some security insight, or complicated config, anything but apologies for developer stated motivation.
I get that there are alternative solutions, but none of them is a 1-to-1 replacement.
Looks like it’s time for me to let go.
Have marvellous holidays and a happy new year everybody!!!
Scale doesn’t have full firewall support because it’s an appliance and they expect you to do the hardening upstream.
Apps or VMs can be updated much quicker than the OS. Do you want to take down your smb/nfs server in the middle of the day to do a reboot or just update an app? Remember that iX makes their money from business use, not the free product that home users are installing. Dell servers don’t reboot in 45s like your old desktop that you turned into a media box.
Just use tailscale if you want to remote in. If you want to tunnel apps out, then use Gluetun. Or use a router that has vpn/wg support built in.
So much simpler than managing all the steps/middleware that would be needed to have it added to the appliance:

> I get that there are alternative solutions, but none of them is a 1-to-1 replacement.
You’re right, none of them is a 1 for 1 replacement, but tailscale is 1000x better (okay, maybe 10x better). Just a cursory look shows 130 CVEs opened for OpenVPN. It is a dumpster fire with security issues and A TON OF OLD CODE. I dropped itr from my PFSense multilocation cloud 2 years ago and have not looked back. The TrueNAS devs made the right choice dropping OpenVPN, we are just trying to get you to try the new shiny tool because it is a ton better.