Remote replication without SSH?

New to NAS in general and new to TrueNAS. Is there an alternative yet still secure option for remote replication without using SSH? My router is a Verizon Fios CR1000A and does not natively support SSH. The remote location has a TP-Link router that also does not natively support SSH.

Why would the routers matter?

They should simply pass any traffic through like any normal network equipment. You don’t SSH into the router unless you intend to log into the router. Since they don’t support ZFS, there is zero reason to even think about using ZFS Replication to the router.

Now, if what you mean is to create a secure connection across the Internet, through those 2 routers, that is a different story. You would need to investigate either VPNs or opening a port in the router to allow SSH traffic in. This is a whole different subject.

Something like Tailscale still an option?

Again I am new to NAS and TrueNAS. I don’t actually have a NAS built yet… Just to clarify the part of your reply saying the routers should just pass traffic through… the SSH connection between a local and remote TrueNAS server should be handled by both routers without much/any reconfiguration?

Most routers will let most traffic out. However, unless you open a TCP port, they tend to block all incoming traffic (for security, basically a brick wall firewall).

Either a VPN, some have mentioned Tailscale here in the forums, or an open port at the remote end. Either way, it takes skill to set up without creating a security problem.

Sorry, I don’t use either of those.

What you should probably do, is edit this thread’s Title and add something like “Use VPN?”


I am unable to find an option to edit the title of a thread… create a new one?

There is a pencil button near the topic name when you hover over it. Although, it could be that you have an insufficient trust level.


This is a process with three or more steps to form an SSH connection between the local NAS and the remote NAS.

The first step is that either the remote connection has a public IP, or the local connection has a public IP, or both do, or both can reach some common network (like Tailscale or ZeroTier or something else).

The second step is to form a secure connection between the local location and the remote location. One way is to have an OpenVPN or WireGuard server on the router at one location, and an OpenVPN or WireGuard client at the other router, in a way that the NAS devices in both locations can see each other. Or, set up a client or server on the NAS devices and have the routers do port-forwarding.

The third step, once the two devices can ping each other, is to set up an SSH connection between the two. So you have secured transmission between the two, over a secure pipeline between the two networks.

The Verizon will barely do port forwarding, but you might hang another router on it to do the rest. The TP-Link is likely to be able to do some tunneling implementations (maybe with some other security issues).

I have my local and remote networks connected site to site with Asus routers; the NAS/NAS ssh connection is then pretty trivial to implement.


Screenshot of the Verizon router’s port forward options. Sufficient? That’s the extent of what I have access to set up. The protocols I have to select from are TCP, UDP, “Both”, GRE, ESP, and AH. Also I forgot to mention in previous posts that the TP-Link router is model AX21.

Also forgot to mention in previous posts…
While also being a first time NAS build, the intended use case is basic on site file storage/access combined with offsite replication.

Tailscale is a safer option than forwarding a port.

An open SSH port is bound to attract an endless amount of interest and resulting intrusion attempts.

In theory the AX21 will support an OpenVPN or WireGuard server, so the question is whether it is sitting on a public IP. Failing that, is the Verizon router sitting on a public IP?

“Sitting on”??

Also with Tailscale being WireGuard-based, I’d assume it may be supported?

Is either router assigned a public IP for its WAN connection? If it doesn’t have a public IP assigned to it, the router can’t be reached from elsewhere, and you have to go the Tailscale or ZeroTier route where each location is connected to a common location.
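
One way to answer the public-IP question above, given the WAN address shown on each router's status page. This is an added example, not part of the original thread; the function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Classify the IPv4 address a router reports on its WAN interface.
# Prints: public | private | cgnat | loopback | link-local | reserved | invalid
classify_wan_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|*..*|.*|*.) echo invalid; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip            # split into octets; safe, $ip holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return 0; }
    for octet in "$@"; do
        if [ ${#octet} -gt 3 ] || [ "$octet" -gt 255 ]; then
            echo invalid; return 0
        fi
    done
    a=$1
    b=$2
    if   [ "$a" -eq 10 ]; then echo private                               # RFC 1918
    elif [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then echo private
    elif [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then echo private
    elif [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then echo cgnat  # RFC 6598
    elif [ "$a" -eq 127 ]; then echo loopback
    elif [ "$a" -eq 169 ] && [ "$b" -eq 254 ]; then echo link-local
    elif [ "$a" -eq 0 ] || [ "$a" -ge 224 ]; then echo reserved
    else echo public
    fi
}

# True only when a VPN server or forwarded port behind this WAN address
# could be reached directly from the other site.
reachable_from_internet() {
    [ "$(classify_wan_ipv4 "$1")" = public ]
}

# Constructed sample WAN addresses (203.0.113.7 is a documentation address
# standing in for a real public IP).
for wan in 203.0.113.7 100.72.14.9 192.168.1.1 10.0.0.2; do
    printf '%-14s %s\n' "$wan" "$(classify_wan_ipv4 "$wan")"
done
```

A `cgnat` or `private` result on the WAN side means the ISP is doing NAT upstream, so a VPN server or port forward at that site cannot be reached from outside.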

Ahh gotcha, my brain wasn’t working totally, it was almost bedtime for me then.
Yes, both routers have a public facing IPv4 address.

Good. So you have three choices.

  1. Configure ZeroTier or Tailscale on both NAS to connect out to a common connection (or configure ZeroTier or Tailscale on the Verizon side and also on the TP-Link router if you want to access the whole TP-Link network).
  2. Configure WG peer or OpenVPN client on the NAS on the Verizon side, and a WG peer or OpenVPN server on the TP-Link router, to connect the Verizon side NAS to the TP-Link LAN. To do that, you will also want to set up DDNS on the TP-Link router (I think it is free). That assigns a name (like myip.com) to the public IP that the TP-Link is assigned. You need to do that because the public IP is likely to change.
  3. Instead of setting up the server on the TP-Link router, set it up on the NAS on that side. In addition to the DDNS, you will need to forward a port on the TP-Link router to the NAS.

Then you can set up the SSH between the two NAS. The Verizon router is crippled and the TP-Link router has some security concerns; you might be able to do a similar setup with the NAS on the Verizon side with port forwarding but I think it is a bit harder. I think you will find a lot of online resources on how to set up the TP side.
