Truenas Scale secure? Attempting to host website from Ubuntu Server VM

Hi all! I’ve been using TrueNas Scale for a few years now. I have it installed on my 2 x 36tb Sun Oracle X3-2L servers (running in RAID1). However, I’m just now diving into it. I do not have Linux-based server administration experience so it’s been quite the ride.

I’ve decided to host my own website so I don’t have to pay a monthly fee for someone else to do it. I installed an Ubuntu Server VM with the LAMP stack to do so. The first thing I did was install my VPN on Ubuntu Server. The thing I’m concerned about is: won’t TrueNAS still be vulnerable while web facing? If so, how can I make it more secure? Please excuse my ignorance on the matter! :upside_down_face:

Put Cloudflare in front with proxying enabled. It will hide the real IP of your server + provide caching. In this case you still need to open ports 80 and 443, and your real IP is reachable, but the DNS records point to Cloudflare’s server IP instead (the proxy + cache).

Another more sophisticated solution is an ssh tunnel to Cloudflare from your machine. This has the advantage that no ports are open at all; a peer connection goes out to Cloudflare, which internally routes traffic via this tunnel to your server. It’s more complicated to set up, but more secure as you don’t expose your real IP at all, no ports open.

Afaik these work with the free plan without issue.

This is fantastic! Thank you so much. Sounds like another fun learning experience. I’ve not used Cloudflare but I understand it fairly well. I’ll go for the ssh tunnel to Cloudflare first, see if I can do it. If not, I’ll go for option #1.

Sorry to double post but apparently you can no longer add the Truecharts catalog and based on the instructions I found, it seems to be necessary. Do you know of a way around that?

On my Truenas Community Edition v25.04.2.6 installation I could find Cloudflared in the catalog:

This is where I’d start: Set up your first tunnel · Cloudflare One docs

Truecharts hasn’t supported TrueNAS for well over a year, but it isn’t at all necessary for this application. And if you’re running a VM, neither is the Cloudflared app; you’d run whatever Cloudflare daemon you want in the VM, not on the NAS.

But if you’re running an Ubuntu Server VM, even ignoring the Cloudflare suggestion, it would have its own IP address. When you forward ports on your router to your web server, it would be to that server’s IP address, not to your NAS’s IP address. Your NAS is still not exposed to the Internet in this case.

I think it’s very safe to hide the WAN IP regardless of the infrastructure behind it.

On the other hand, if the concern is only the NAS itself, port forwards on the router + VM is fine.

Fair, but not the point. Exposing the Ubuntu Server VM to the Internet does not expose the NAS to the Internet. And if you want to use a Cloudflare tunnel connection for that Ubuntu Server VM, you should run cloudflared there, not on the NAS. As far as your network is concerned, those are two different computers.
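The “run cloudflared in the VM, not on the NAS” setup described above, as an added configuration example that is not from any poster in this thread. It assumes a locally managed tunnel named `web`, the public hostname `www.example.com`, and that Apache on the VM listens on 127.0.0.1:80; the tunnel UUID is a placeholder.

```yaml
# /etc/cloudflared/config.yml on the Ubuntu Server VM, not on the NAS.
# Created beforehand (assumed tunnel name; the UUID is a placeholder):
#   cloudflared tunnel login
#   cloudflared tunnel create web             # prints the tunnel UUID
#   cloudflared tunnel route dns web www.example.com
#   cloudflared service install               # systemd unit that reads this file
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # Only the public hostname is forwarded, and only to the LAMP stack on
  # loopback: because cloudflared makes the outbound connection, Apache does
  # not need to listen on the VM's LAN address and the router needs no
  # port forward at all. The NAS never appears in this path.
  - hostname: www.example.com
    service: http://127.0.0.1:80
  # Required catch-all: anything else arriving via the tunnel gets a 404.
  - service: http_status:404
```

On the VM itself, `ufw default deny incoming` followed by `ufw enable` then keeps 80/443 closed from both the LAN and WAN side, since the tunnel only ever connects outward.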


Assuming it’s a home server in a home network, I would hide my WAN IP if possible. The question was about security and best practices.

What’s the point of “hiding the WAN IP” of a server that is meant to be (possibly publicly) accessible over the Internet, as you put it?

What problem does it solve?

There are reasons why it is a good idea in a home server setup. If it’s an enterprise environment, why would you even think about it?

In the case of a home server, hiding the WAN IP hides your private IP, and also implies less bot traffic knocking on your router. There can be just the privacy as a reason itself.

Another reason can be a cr*p home router or just the ISP itself. You might think port forwarding is simple, but today, when IPv6 is actually happening, many ISPs do IPv4 with double NAT, so your IPv4 forward will not work at all. If you are in this situation, but you want dual stack support for your web server, tunneling is a great option. Cloudflare (or alternatives) will handle this and you will have an “A” record too.

I agree 100% that you shouldn’t do this in an enterprise environment :slight_smile:

What is this “private IP” you speak of?

Marginally, perhaps. IP blocks are public information, and a whole lot of bots just scan the whole range. They don’t know or care that it’s “your” IP.

…which is a completely different problem set. And yes, Cloudflare tunnels are one pretty decent way of dealing with it. But now we’re completely out of the realm of “securing the NAS when a VM it hosts is on the public Internet.”

I guess network security in general should be a concern. I like the idea with the VM. It is sufficient. :+1:

Sharing ideas on this forum should be fine as well; I thought I’d share my related thoughts which came to my mind regarding this topic. :upside_down_face:

Which is fine of course.

Posting your thoughts may result in someone reading and responding, as part of the social interaction.


Wanna add 2 cents. IMO, if you want to expose some host to the internet, this host should be in DMZ. If you just port forward it on your router and the host gets compromised, the hacker would have access to your entire LAN (including your NAS, your laptops, PCs and so on).

I personally think that placing the exposed host into a DMZ is more important than some fancy Cloudflare (or the like) protection. I’m not a security expert, though.
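The DMZ isolation argued for above, as an added nftables example that is not from the post. It assumes a Linux router with three interfaces: eth0 on the WAN, eth1 on the LAN holding the NAS and PCs (192.168.1.0/24), and eth2 on a separate DMZ segment holding the web VM at 10.10.0.10 (all constructed values).

```nftables
#!/usr/sbin/nft -f
# Constructed example: router between WAN, LAN (NAS + PCs) and a DMZ (web VM).
flush ruleset

define WAN = eth0
define LAN = eth1
define DMZ = eth2
define WEB = 10.10.0.10

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed in the other direction.
        ct state established,related accept
        ct state invalid drop

        # LAN may initiate anything: Internet access and admin of the DMZ host.
        iifname $LAN accept

        # Internet -> DMZ: only the web VM, only HTTP/HTTPS (after DNAT below).
        iifname $WAN oifname $DMZ ip daddr $WEB tcp dport { 80, 443 } accept

        # DMZ -> Internet is fine (updates, outbound tunnels).
        iifname $DMZ oifname $WAN accept

        # DMZ -> LAN is never initiated by the DMZ. If the web VM is compromised
        # this is the rule that keeps the NAS and PCs out of reach; logging it
        # gives an early sign that the VM is probing inward.
        iifname $DMZ oifname $LAN log prefix "dmz-to-lan: " drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Port forward from the router's WAN address to the VM, never the NAS.
        iifname $WAN tcp dport { 80, 443 } dnat to $WEB
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`; the `dmz-to-lan:` prefix in the kernel log is the line to alert on.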
