Setup access to TrueNAS from outside with Mikrotik DDNS

LeMishoK

Please help set up access.
I have a Mikrotik router and was able to set up DDNS on it. Mikrotik provides their own built-in DDNS service and after a quick setup I got my URL and am able to log in to the router from outside. Link looks like:

TrueNAS does not have a preset for Mikrotik DDNS and I have to use the Custom Provider option. Not sure what exactly I should type in there. Can you please help me with setting this up? Thank you.

P.S. I didn't forward any ports yet and not sure if I need to.

 

ChrisRJ

What do you want to achieve?
 

danb35

TrueNAS does not have preset for Mikrotik DDNS
If it's Mikrotik's DDNS service, and your Mikrotik router is using that service, you shouldn't need to do anything with it at all in TrueNAS--but I'm similarly wondering what your objective is. If it's "log into the TrueNAS web GUI from the Internet," then:
 

LeMishoK

I want to have access to files stored on NAS from internet.
 

ChrisRJ

I assume you are talking about mounting SMB shares on a Windows/Mac OS machine.

In that case you really want to use a VPN. I have no experience with Mikrotik, but Google shows that you can run an OpenVPN server. The latter works with TLS and is relatively easy to set up. The nice thing about a VPN is that it makes everything else transparent. In other words: You only need to set up the VPN and the rest (SMB shares in your case) is implicitly covered.
 

Samuel Tai


LeMishoK

Sorry for asking "obvious" questions, but it's not obvious for me, since I'm quite new to all that. I have basic level of understanding networking, so not everything is obvious for me. But I'm trying to learn.
So the purpose is to have access to my files on NAS from my other devices over internet, not the local network. I do not have any problems accessing files on NAS from local network - it's working perfect, fast and I can access from Windows PC or Android phone with no issues. My next step is access to NAS over internet. Of course I'd like to make it secure so no one else can have access to it. I thought I can do it through Mikrotik DNS service, that is built in to my router and it is absolutely free instead of using services like noip.com or others similar. I do not have static IP at the place, where NAS is located.
As I can see, some of you guys recommend using VPN (instead of using DDNS??). If so, as I understand, there should be device on my local network running as a VPN server (let's say it's my NAS), and other devices can connect to it from internet. But I do not have static IP, and it is outside of my understanding, how other devices can reach my VPN server if VPN server has no static IP address?

Thank you all for your help.
 


danb35

As I can see, some of you guys recommend using VPN (instead of using DDNS??).
Not instead of, in addition to. DDNS gives you a fixed address (the domain name), even if (when) your IP address changes. A VPN provides a secure means to access your LAN when away from home. They address completely different questions.
If so, as I understand, there should be device on my local network running as a VPN server (let's say it's my NAS),
I think the suggestion is that you run the VPN server on your router, which appears to support operating in that way given the documentation link Samuel posted. Remote devices reach that VPN server using your DDNS domain name.
 

LeMishoK

Samuel, my Mikrotik is running now on RouterOS v6.49.6 (stable). It seems like it doesn't have built-in Wireguard functionality. Videos that I have seen in internet that has Wireguard in main menu runs RouterOS 7...
Do I need to upgrade to beta 7 OS or I can install Wireguard somehow to my current OS version?

Not instead of, in addition to. DDNS gives you a fixed address (the domain name), even if (when) your IP address changes. A VPN provides a secure means to access your LAN when away from home. They address completely different questions.

I think the suggestion is that you run the VPN server on your router, which appears to support operating in that way given the documentation link Samuel posted. Remote devices reach that VPN server using your DDNS domain name.
Thanks, now it's more clear for me.
 

ChrisRJ

Sorry for asking "obvious" questions, but it's not obvious for me, since I'm quite new to all that. I have basic level of understanding networking, so not everything is obvious for me. But I'm trying to learn.
That is a great attitude! :smile:

The problem I see, though, is that your use-case is not really well-suited for "learning on the go". If you are willing to take the considerable risk that someone is going to hijack your system, that is of course your prerogative. But you run the risk of losing data and being abused as a base for attacking other systems. @danb35 has nicely put it at the beginning of this thread. And the comparison I always use is to ask people whether they would be willing to play around with the brakes of their cars.

I can see the following routes from here (and there are likely more):
  • Move on and accept the risks
  • Start with a completely separate environment (aka playground) until you have mastered the various aspects sufficiently
  • Go for a reputable external provider (e.g. AWS, Azure, etc.)
  • Use a NAS like Synology, although I cannot judge how well they have implemented this
  • Have someone qualified set this up for you
  • ???
I don't want to spoil things, and 20 years ago would have been less pessimistic. So perhaps someone else has additional input that brings you closer to your goal.

Good luck!
 

danb35

Do I need to upgrade to beta 7 OS or I can install Wireguard somehow to my current OS version?
I wouldn't recommend running beta software on your router. But even if wireguard isn't available on your RouterOS version, it appears that OpenVPN is, as well as IPSEC. Do not use PPTP, even if it's offered there; it's long since been demonstrated to be insecure. See:

Now, I can't speak to Mikrotik's implementation of either of these; while I've used a couple of Mikrotik devices, they've just been switches used as switches. Another option would be to replace your router with something like OPNsense (which is what I use), pfSense, or Untangle, which include servers for any of these protocols.

Yet another option would be to run the VPN server somewhere else on your network, which could be on your NAS. I've found TrueNAS' implementation of OpenVPN to be ridiculously complex, so I wouldn't recommend this, but it'd be a possibility. Or you could run it in a jail or VM on your NAS. Or you could run it on a separate device like a Raspberry Pi (if you have one laying around; otherwise they're pretty much unobtainium) or other SBC or spare computer.

Or, to take the discussion into a completely different direction, you can set up Nextcloud to share your files, and forward ports for that installation.
 

LeMishoK

That is a great attitude! :smile:

The problem I see, though, is that your use-case is not really well-suited for "learning on the go". If you are willing to take the considerable risk that someone is going to hijack your system, that is of course your prerogative. But you run the risk of losing data and being abused as a base for attacking other systems. @danb35 has nicely put it at the beginning of this thread. And the comparison I always use is to ask people whether they would be willing to play around with the brakes of their cars.

I can see the following routes from here (and there are likely more):
  • Move on and accept the risks
  • Start with a completely separate environment (aka playground) until you have mastered the various aspects sufficiently
  • Go for a reputable external provider (e.g. AWS, Azure, etc.)
  • Use a NAS like Synology, although I cannot judge how well they have implemented this
  • Have someone qualified set this up for you
  • ???
I don't want to spoil things, and 20 years ago would have been less pessimistic. So perhaps someone else has additional input that brings you closer to your goal.

Good luck!
I completely understand risks and it is actually my playground. I am junior systems administrator and do this for living and I am trying to learn and this is why I am playing with TrueNAS. I can not play with servers and NAS's at work, but I can play with this stuff at home. I do also have Dell server running XCP-ng hypervisor with few different VMs on it (all installed myself) - as a playground as well. I am trying to self learn. So this is why I do not want Synology or anybody else to set this up for me =)
 

danb35

I do also have Dell server running XCP-ng hypervisor
In that case, disregard my suggestion above of a jail or VM on your NAS--just use a VM on that system instead, if you go that direction.
 

LeMishoK

I wouldn't recommend running beta software on your router. But even if wireguard isn't available on your RouterOS version, it appears that OpenVPN is, as well as IPSEC. Do not use PPTP, even if it's offered there; it's long since been demonstrated to be insecure. See:
So, I guess my information about RouterOS was "outdated". I didn't take a look there for a while, now I just checked and RouterOS 7.4 is under Stable Release Tree on Mikrotik website, so it is not beta, as I thought when I stated it today in my previous post. I guess I'm going to try it with Wireguard.
P.S. I am familiar (a little bit) with setting up OpenVPN, I did set it up from scratch a while ago for small network (remote server and access to it for 10 users). But since we have Wireguard - of course I want to try that now =)
 

LeMishoK

I was able to set it up finally =)
DDNS with IP Cloud in Mikrotik. Forwarded port.
After that I did setup Wireguard VPN again on Mikrotik. Now I can access files in my NAS from anywhere =)
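
An added example, not part of any post in this thread: a RouterOS 7 sketch of the arrangement discussed above, with the WireGuard server running on the router and remote devices reaching it through the IP Cloud DDNS name. The interface name, port, subnets and key placeholders are assumptions; with the server on the router itself, the only opening is a UDP accept rule on the input chain, and nothing is forwarded to the NAS.

```routeros
# Added example (RouterOS 7 CLI). Names, port and subnets are assumptions.

# 1. Enable MikroTik IP Cloud DDNS and read back the assigned DNS name.
/ip cloud set ddns-enabled=yes
/ip cloud print

# 2. Create the WireGuard interface (RouterOS generates the key pair)
#    and give the tunnel its own small subnet.
/interface wireguard add name=wg-home listen-port=13231
/interface wireguard print
/ip address add address=10.10.10.1/24 interface=wg-home

# 3. One peer entry per remote device, pinned to a single tunnel address
#    so a client cannot claim another client's address.
/interface wireguard peers add interface=wg-home \
    public-key="<CLIENT_PUBLIC_KEY>" allowed-address=10.10.10.2/32

# 4. Accept only the WireGuard UDP port from the internet.
#    Move this rule above the input-chain drop rule after adding it.
/ip firewall filter add chain=input action=accept protocol=udp \
    dst-port=13231 comment="WireGuard from WAN"

# 5. Check that no dst-nat rule exposes the NAS (SMB 445, web GUI 80/443).
/ip firewall nat print where action=dst-nat

# Matching client file (wg-quick format), shown as comments because it
# lives on the remote device, not on the router:
#
#   [Interface]
#   PrivateKey = <CLIENT_PRIVATE_KEY>
#   Address    = 10.10.10.2/32
#
#   [Peer]
#   PublicKey  = <ROUTER_PUBLIC_KEY>            # from "/interface wireguard print"
#   Endpoint   = <your-ip-cloud-ddns-name>:13231
#   AllowedIPs = 10.10.10.0/24, 192.168.88.0/24 # tunnel + assumed LAN subnet
#   PersistentKeepalive = 25
```

Because the client resolves the DDNS name each time it connects, a change of the home IP address only requires reconnecting the tunnel.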
 