Wanted: Remote Server w/enclosed abilities

Agreeing 100% with @WayneG. Your set of specs seems like a Hard Problem, even for somebody who knows what they’re doing.

Out of curiosity, what’s the underlying reason you’re trying to avoid iCloud, Dropbox, etc.?

I don’t feel I’m too far out on a limb when I say that the first is going to be outright impossible, and the second is going to be unlikely. Either way, those specs are at odds with one another.

“Set and forget” solutions for complex problems typically come from vendors that charge recurring fees. In return you (usually) get a more “done for you” solution with less admin load.

Danger, danger, Will Robinson!

I learn a lot from Internet tutorials, don’t get me wrong. But if you’re non-technical you’re taking the word of (essentially) random people on the Internet without having any ability to sanity-check the responses you’re getting.

That’s great for solving problems with your home computer.

But punching holes in firewalls for services, setting up remote access, etc. are the sorts of things you want to either have a trusted software vendor / professional for (i.e. “somebody you pay”), or have a pretty good idea what you’re doing - at least if you care about your data / network security. And it seems like you do, otherwise you wouldn’t be talking about encryption both at rest and in transit.

If you just need streaming (something like Plex) and personal cloud that’s world-accessible, you could do a lot worse than to see whether or not Synology Drive and Plex running on the Synology would fit most of your needs. Odds are good the fine folks at Synology have thought through security pretty well - and they have a strong incentive to push out updates when they discover problems.

Again though, curious why you’re wanting to avoid the cloud providers. Cost? Security? Backup issues? … ?

3 Likes

Must confess when I read this, everything can be done with a Synology NAS. I do all of these things (and more). Synology has an “App Store” that provides packages with additional functionality.

No 3rd party cloud services.

Synology Drive (package) is a Local Dropbox, iCloud type solution.
Sync, Post, access via app, web, etc., etc.

Runs on its own

You can set all packages to autostart if/when NAS restarts

Ability to remotely access server while VPNs are engaged
Of course (However, this is a function of your VPN as previously noted)

File Management
All “folders” (shares) can be encrypted. Recall though that a .dmg is a “container” that has to be mounted to be accessed.

Synology has a Docker package and I run about 6 containers: Handbrake, UniFi, iPerf, piHole, and a few file utilities.

I also run several VMs with the Synology VirtualMachine Manager

To be clear though, this is not a 2 bay NAS, and it takes some effort. Once done, it’s set and forget. The dark horse is the VPN. While there is a VPN package, I don’t have that on the NAS. That’s on the router.

While recognizing these goals are not mainstream, I would not think they are impossible, and something that would be well w/in the skill sets of someone more technical…for me I need to learn as I go. Do not like putting on the admin hat after everything is up and running. A tweak here and there is fine, but no time to be wearing the admin hat.

Technical background - I am in software for a living, however not what I consider a coder. Familiar, understand the concept…dislike command lines…use them when there is no other choice (aka docker, homebridge etc.) With a few key known exceptions, comfortable w/the security set up. Still working through a solution or two…and while that is in play, nothing exposed of concern.

Cloud - clouds are convenient. Clouds have no ownership in the event of failure (I do my own backups etc. anyway). Clouds are targets. Even the best encryption is temporary, and cloud security is protected at the server level yet there are a lot of holes elsewhere (devices, transit, techniques to bypass), and they are centralized for large groups of people, making them all lucrative targets…someone w/those skill sets or interests is not going to be as interested in some one-off rando where there are no real gains…their time would be better spent in more lucrative efforts. When the system is finally up and running in full mode, file sizes are large, which breach cloud basic plans, requiring expensive plans. Understand that even if Apple gave 5 terabytes for free, I still wouldn’t be jumping on iCloud.

No need to put my data out on someone else’s server…it is like iCloud Keychain… 99% of my passwords have no business ever being online at all, and it drives me nuts how Apple force feeds it for HomeKit etc.

Primary use case is secure remote access to my own data.
Secondary use case would be media services.

Synology has been in the consideration set.
Anyone here know if there are ways to mount .dmg files directly on Synology w/o having to go through the Mac to mount? Also curious how encryption is for Synology for both in transit and at rest state?

How is Synology on encryptions in transit and in rest? If a bad actor stole your Synology, how safe is the data? Could they pop the drive into another device and then open access?

Yes, .dmg is something that has worked well and hoping to maintain. Mounted, meaning it would need to be mounted through macOS, right? Wonder if a VM of macOS could then be run to mount the dmg? More investigation needed.

VPN ~ yes, I may end up moving the VPN to the router if there is a technology upgrade. Feeling forced into it as the beloved Time Capsule is getting so old and slow. Hesitant because there is so much attached that the level of effort to upgrade the entire network would be in its own way another investment…including modem/router, all the IoT pieces.

Effort - willing to put in the effort to get the file management system working. That might mean I just bust apart everything and start from scratch w/upgraded modem/router etc…then move Docker to Synology. Getting the docker apps properly configured took a long while; hate to revisit, but it might be part of the cost to get a real system.

Do you have your Synology, modem etc. on battery backup?

I have all my “infrastructure” on a $100 UPS: ISP box (ONT), router, & NAS. Which is so much more than a NAS, and I think that is what confuses a lot of folks. The NAS part is trivial, it is all the “server” packages that you can use.

Synology has a Live Demo site. You can check out the interface, and see if it is worth the effort for you.

Synology Live Demo

Very helpful.

.dmg is compressed and encrypted…enter credentials and the dmg opens/mounts.
Can that (open encrypted .dmg) be handled directly on Synology? If yes, can that be done remotely (use a tool from an iPhone to open .dmg?)

Yes, in ‘theory’ you can copy docker (export etc) ~ I have several exports, backups etc.
If changing systems, then drive locations change, other settings all of which add up to possible breaks (and hopefully easy to fix.)

You hit the nail on the head right there. This is not only a Hard Problem, it’s rapidly becoming harder. This kind of thing has more keeps-me-up-at-night value than almost anything else.

Anything that offers services to the Internet at large requires pretty much constant care and feeding and more so every day. The time between vulnerability notification and first attack is getting unbelievably short (minutes sometimes).

1 Like

Not sure I am tracking this. You install a Synology NAS. Recognizing that it is more than storage, you give it the name: PIXR. You create an encrypted shared folder TAX.RETURNS. You copy your compressed and encrypted .dmg (2021.dmg) to that folder.

You are “home” aka NOT using a VPN, you look at your (Mac) Finder, in the Locations section you see PIXR, you click on it and see the folder TAX.RETURNS, clicking on that you see the .dmg 2021.dmg. Click-click, enter the password, there is all your data.

You are NOT home aka USING the VPN. Same thing. All day. Every day.

“Can that (open encrypted .dmg) be handled directly on Synology?”
Handled in what way? Do you want to access the Synology without a Mac? SSH in (as an example), and then manipulate via the shell?

“If yes, can that be done remotely (use a tool from an iPhone to open .dmg?)”
You can not open a .dmg with an iPhone. Could you install a terminal app and get there that way? I suppose, but this clearly suggests I don’t know what you are trying to achieve.

If you want the .dmg “mounted/open” on the NAS (in the encrypted folder) then don’t put it in a .dmg. Your folder is already encrypted.

As an aside, I agree with the comments concerning exposing services to the Internet. This is why I keep pushing on the VPN. The items you indicate are relatively straightforward “locally”. Exposing ports is not a good idea. This is what a VPN is made for. I use WireGuard on top of a robust pfSense platform.

Noting that in my experience, accessing DMGs / sparsebundles / etc. from spinning disks at all slows down a lot as size increases.

So if the only reason to have the DMG is for encrypting the data, I would think that the filesystem encryption provided by the NAS would be both sufficient and more efficient.

If you want a system that you can configure once and (generally) not have to mess with, that’s perfectly do-able UNTIL you connect it to the Internet and start poking holes in a firewall for services.

Hackers are vicious, relentless, and smarter than just about everybody else when it comes to breaking into your stuff and causing havoc.

And it’s not about whether you’re a high-value target. Yes, hacking Dropbox would be far, far more potentially lucrative. But your little server - discovered by somebody’s port-knocking bot in a random scan - is almost certainly an easier target. A little bit of inadvertent (or by design) info disclosure, and their bot can whack away at it with whatever exploits they want.

The benefit of a solution like Synology is that they’re at least aware of how these things work, and they have reputational incentive to at least make an attempt to keep things secure. :slight_smile:

If the Synology handles your use case, and you can come up with a way to do a super-secure VPN tunnel through your router, then I think that’s going to be the best of all possible worlds.

You’ll still have to stay super-current on updates for the Synology, router, etc. of course. :slight_smile:

2 Likes

The scanning is constant. For fun, stand up an ssh server on the open Internet and watch the logs as thousands of login attempts per day hit it. It is constant and relentless. My work firewall threat logs get multiple hits per second for medium or higher severity vulnerabilities.

1 Like
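The “thousands of login attempts per day” in the post above are easy to see for yourself in sshd’s log. As an added example (not code from any poster here), the script below runs a simple brute-force detector over a handful of constructed auth.log lines: it extracts every “Failed password” event, groups them by source address, and flags any address that reaches a threshold of failures inside a sliding time window. The sample log, the year assumed for the syslog timestamps, the threshold and the window are all made up for the illustration; the addresses are documentation-range IPs.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines (syslog format carries no year).
# Not captured from any real host; source IPs are documentation ranges.
SAMPLE_LOG = """\
Mar 14 02:11:03 nas sshd[4120]: Invalid user admin from 203.0.113.45 port 51234
Mar 14 02:11:03 nas sshd[4120]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar 14 02:11:07 nas sshd[4122]: Failed password for root from 203.0.113.45 port 51240 ssh2
Mar 14 02:11:09 nas sshd[4124]: Failed password for root from 203.0.113.45 port 51244 ssh2
Mar 14 02:11:12 nas sshd[4126]: Failed password for invalid user pi from 203.0.113.45 port 51250 ssh2
Mar 14 02:11:15 nas sshd[4128]: Failed password for invalid user ubuntu from 203.0.113.45 port 51252 ssh2
Mar 14 02:13:40 nas sshd[4130]: Failed password for invalid user test from 198.51.100.7 port 40012 ssh2
Mar 14 02:45:01 nas sshd[4140]: Accepted publickey for alice from 192.0.2.10 port 55020 ssh2: ED25519 SHA256:PLACEHOLDERFINGERPRINT
Mar 14 02:50:22 nas sshd[4150]: Failed password for alice from 192.0.2.10 port 55030 ssh2
"""

# Matches the "Failed password" line for both known and "invalid user" accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(log_text, year=2024):
    """Return (timestamp, username, source_ip) for every failed-password line.

    Syslog timestamps have no year, so one is assumed (constructed data)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def brute_force_sources(log_text, threshold=5, window_seconds=600):
    """Map source IP -> peak number of failures inside any window of
    `window_seconds`. Only sources reaching `threshold` are returned."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failed_logins(log_text):
        by_ip[ip].append(ts)

    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        peak = 0
        start = 0
        # Two-pointer sliding window over the sorted timestamps.
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def usernames_tried(log_text):
    """Counter of usernames seen in failed logins, across all sources.
    Default-account names (root, admin, pi, ubuntu) are the usual signature
    of a scanning bot rather than a legitimate user mistyping a password."""
    return Counter(user for _ts, user, _ip in parse_failed_logins(log_text))


if __name__ == "__main__":
    for ip, peak in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {peak} failures within the window")
    print("usernames tried:", dict(usernames_tried(SAMPLE_LOG)))
```

On a real box you would feed it `/var/log/auth.log` (or `journalctl -u ssh`) instead of the constructed string; the single failure from the legitimate user alice stays below the threshold while the scanner cycling through default account names is flagged, which is the behaviour a fail2ban-style jail automates.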

I agree, it IS constant and relentless, but we CAN do this.
We are Mac Power Users; don’t let the bad guys win.

Much appreciated.

I am open to giving Synology a go if everything is encrypted in both at rest and in transit states…so a bad actor grabbing the NAS itself would not have access to the data (and this is pretty rare and more just a level of comfort as someone who is security minded.)

CSF111:
When traveling I’m on an iOS device…and most of that time on an iPhone. So if sticking w/the .dmg model which has been working well, I would need a means to open and mount. Today I do that via remoting in (and not that familiar w/ssh and such…I use apps to remote back.) So, the question was if there was a means to open a .dmg through possibly Synology iOS app…tap file, enter credentials and then dmg mounts on Synology.

Terms of use cases, yes…right now there is an encrypted .dmg and there the tax returns are stored. On occasion, I may need to access a previous return when traveling. Current method of remoting in, while effective, is slow. It is only part of the need, does not play well w/others, and hits problems when there is a restart on the server (and as mentioned, currently have auto login on while testing and need to turn that off.) There are other use cases, the one you mention is a good example.


VPN is on for each device. This is not the traditional VPN of making a secure connection between two devices…it would be third party vpns.


Synology NAS
Presuming I’d need to get 2 bay Synology NAS, two drives w/the below expectations:

  • Keep behind a 3rd party vpn (either on Synology or at router level, or connected to Mac w/vpn)
    (vpn has port forwarding for remote access, maybe not needed w/Synology account)
  • Store large encrypted directory which I would access from multiple devices local and remote
  • Data would be encrypted regardless if at rest or in transit (protected regardless of method)
    (meaning abandoning encrypted .dmg)
  • Could create set up for self hosted cloud or webdav to access data in bullet 2, use w/iOS Files.
  • Would operate as replacement for TimeMachine
  • Run the following
    — Docker w/Jellyfin/Plex/Transmit etc and related apps (begrudgingly HomeBridge)
    — Resilio Sync (think there is way to run this app as service via docker, or as service on Mac)
    Unknown ~ way to run Kodi, Kodi server and access media through iOS app when remote?

Don’t think we are at the same level of understanding, and would not recommend your proposed solution.

How are you doing your remote access now? What applications?

Perhaps it would help to think of this in sections. There is the file sharing piece. You have offloaded your local machine, and are accessing those files either remotely or locally. When you process them, you are in effect “copying” them to your machine. As indicated, the bigger the file, and the slower the link (aka “poor” VPN service) the longer the wait. However if you are accessing them via VNC (some form of “screen sharing”) then you are processing the files on the target machine. Perhaps this is why you keep asking about NAS opening the .dmg files? Is that what you are using? VNC? or RDP?

I don’t understand what you mean by “VPN on for each device”. With a VPN you have a client that connects to a server. While you can have many VPNs, for all practical purposes you use one at a time. Multiple VPNs and VPN chaining is a fringe use case at best, and better addressed in a different manner.

So what kind of “not the traditional VPN of making a secure connection” is this? If you mean the client? There are hundreds of clients to choose from and it is a simple exercise to ensure your client and server can speak the same protocol. Net, you can mix and match.

My assumption all along is that you would be using a VPN into your local LAN and then availing yourself of home services. I am sensitive to what happens when you assume :slight_smile: In my case, I do not port forward anything. When I connect via my VPN (which is hosted on my router) I can access my entire network as if I am home. That’s what a VPN does, connects your remote network to your home network. I am taking some liberties in trying to align our thinking.

Coming back to the sections mentioned above. The file sharing (smb, nfs, etc) is easily handled by a 2 bay machine. When you combine those other services and all the encryption, think you will be SADLY disappointed with a 2 bay NAS.

You will need a much more robust solution than a 2 bay NAS. However, as above, how are you doing your remote access now? What applications? As I think that is at the core, and would focus on getting that sorted first.

(PS Kodi runs in Docker)

Have you ever considered keeping a copy of your sensitive data with you? If that would work for you it might simplify things.

I keep my tax returns on 1password.com, but I carry a copy of my bank statements (past year + current) on my iPad Pro. If you don’t consider the iPad’s encryption enough you could keep the data in a local app like DevonThink To Go.

I also keep a copy of all my data (minus movies, etc) on an encrypted apfs SSD in my backpack that I can open and use through the Files.app.

Solution right now is a mix of ‘things’ that are sort of working independently and need a more comprehensive, secure and reliable solution.

“How are you doing your remote access now? What applications?”

Mix of VNC, ARN, RDP (apple screen share, screens etc.) ~ this can and will be tightened up once there is a solid solution in play.

I don’t understand what you mean by “VPN on for each device”.
There are VPNs that let you connect to your network from remote locations, like having your network with you when connected. I had one of these going back when Apple was offering server software (maybe Mavericks.) Handy, and while it served the one purpose it did nothing to anonymize. So when I state third party vpns, these are vpns to anonymize traffic.

Liberties are correct…access to local network when traveling AND keep connections secure and anonymized.

You may be right that a 2 bay machine might be too small or be quickly outgrown.
(for media, btw, I am not one who collects media. watch it and dispose…not one of those people who has their own private Netflix collection and rarely if ever watch something twice.)

Terms of Kodi - primary goal would be to access Kodi the same as one might access Plex to watch media when remote. All I have really found are Kodi players, not Kodi media servers…and any remote Kodi apps tend to be remote control like play/rewind/stop controls…not consuming media stored on your home network through your iPad when traveling.

I have been keeping a copy with me on a laptop and as the days go by the less and less I use or need a laptop. The primary large file is maybe a TB, and the local copy is a subset, approx. 1 gig. This also becomes a pain when it comes time to sync, as the new edits go to the smaller local copy and then need to be replicated back without missing anything…a time consuming process. Prefer now to work from a central repository so there is no need to duplicate data (and file syncing doesn’t work in this type of instance). So hoping to get a central repository, then have that repository continually backed up.

DTTG has been a consideration. I looked into the app prior to its latest release and the iOS app was a train-wreck and scared me off…that and what appears to be the need for an engineering degree and permanent admin hat to keep it going…this would be DTTG and DT for MacOS combined.


So I am always adding data, mainly digital scraps, yes bank statements and such…an ever growing list

What hardware are you using, if you do not mind me asking, for the SSD that is working w/iOS Files?

1 Like

Appreciate the link on the iOS 14 update. Most times it is just my iPhone (sometimes the iPad) and try to travel minimally…would prefer not to carry yet another piece of tech gear.

1 Like

A Samsung T7 (1TB), and I have a couple of T5s, which are basically the same thing only slower. Both are excellent, IMO.

ARN? - Army Reserve Network?

“There are VPNs that let you connect to your network from remote locations, like having your network with you when connected. I had one of these going back when Apple was offering server software (maybe Mavericks.)”

Yes, that is what a VPN does (Virtual Private Network)

Handy, and while it served the one purpose it did nothing to anonymize. So when I state third party vpns, these are vpns to anonymize traffic.

Yes, but in this case YOU are connecting to YOU. There is no exit point where you need to anonymize traffic. Your “home” is the exit point. You’re sitting in Starbucks, connected to their WiFi, you start your encrypted VPN client and connect to your home network. Encryption end to end.

Liberties are correct…access to local network when traveling AND keep connections secure and anonymized.

Security is built in, depending on the VPN you can have a 4096 bit key and the end of your “tunnel” is your home network. YOU are the VPN provider.

You may be right that a 2 bay machine might be too small or be quickly outgrown.
(for media, btw, I am not one who collects media. watch it and dispose…not one of those people who has their own private Netflix collection and rarely if ever watch something twice.)

It’s not a question of media per se, it’s really the processor and memory. You need memory for Docker, you need memory for each container, you need memory for each file protocol, you need memory for backup services, you need memory for the NAS itself, you need memory for… PLUS you need a CPU big enough to drive all the services you intend to deploy.

Again, as we are spending more time on this, I continue to believe it is the remote piece that is most critical. The file sharing is trivial.

Terms of Kodi - primary goal would be to access Kodi the same as one might access Plex to watch media when remote. All I have really found are Kodi players, not Kodi media servers…and any remote Kodi apps tend to be remote control like play/rewind/stop controls…not consuming media stored on your home network through your iPad when traveling.

Here is an example of Kodi “server” running in Docker. There are many.

Docker Server Container

(You’ll need memory for that too :grinning:)
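Two posts above make the same point from different angles: the one that runs WireGuard on pfSense and forwards no ports, and the one that explains that with a home VPN “your home is the exit point”. The added example below (written for this thread; it is not any poster’s configuration) shows concretely what decides which traffic goes through such a tunnel. WireGuard’s cryptokey routing sends a packet to a peer only when the destination falls inside that peer’s `AllowedIPs`, longest prefix winning, so a client whose `AllowedIPs` names only the home LAN reaches the NAS through the tunnel while café browsing still exits on the café WiFi, whereas `AllowedIPs = 0.0.0.0/0` makes the home router the exit point for everything. The two client configs, the keys, the hostname, the LAN range and the home DNS resolver are all placeholders assumed for the illustration.

```python
import ipaddress

# Constructed WireGuard client configs (placeholder keys, documentation
# addresses, made-up hostname). Only the AllowedIPs lines differ.
HOME_LAN = "192.168.1.0/24"
TUNNEL_NET = "10.8.0.0/24"

# Split tunnel: only home-network destinations are sent through the VPN.
SPLIT_TUNNEL_CLIENT = f"""\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/32

[Peer]
PublicKey = <home-router-public-key-placeholder>
Endpoint = home.example.invalid:51820   # the router's single listening UDP port
AllowedIPs = {TUNNEL_NET}, {HOME_LAN}
PersistentKeepalive = 25
"""

# Full tunnel: every destination is routed home, so home is the exit point
# and the café network sees nothing but encrypted UDP to one endpoint.
FULL_TUNNEL_CLIENT = f"""\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/32
DNS = 192.168.1.1   # assumed home resolver, so lookups don't leak to the café

[Peer]
PublicKey = <home-router-public-key-placeholder>
Endpoint = home.example.invalid:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""


def allowed_ips(config_text):
    """Collect the AllowedIPs networks from every [Peer] section of a config."""
    nets = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        key, sep, value = line.partition("=")
        if sep and key.strip() == "AllowedIPs":
            nets.extend(ipaddress.ip_network(v.strip()) for v in value.split(","))
    return nets


def tunnel_route(config_text, destination):
    """Return the AllowedIPs network that captures `destination`, or None.

    Mirrors cryptokey routing: a packet is handed to the peer only if some
    AllowedIPs prefix contains its destination; the longest prefix wins."""
    dst = ipaddress.ip_address(destination)
    matches = [n for n in allowed_ips(config_text) if dst in n]
    if not matches:
        return None
    return max(matches, key=lambda n: n.prefixlen)


def exit_point(config_text, destination):
    """Where traffic to `destination` leaves the client: 'home' via the
    tunnel, or 'local network' (the café WiFi) unprotected by the VPN."""
    return "home" if tunnel_route(config_text, destination) else "local network"


if __name__ == "__main__":
    nas, website = "192.168.1.20", "198.51.100.80"
    for name, cfg in (("split", SPLIT_TUNNEL_CLIENT), ("full", FULL_TUNNEL_CLIENT)):
        print(f"{name} tunnel: NAS -> {exit_point(cfg, nas)}, "
              f"website -> {exit_point(cfg, website)}")
```

The router side holds the mirror image: its `[Peer]` entry for this phone carries `AllowedIPs = 10.8.0.2/32`, which is what stops a client from sending traffic with any other source address into the home LAN. Nothing is port-forwarded to the NAS itself; the only thing reachable from the Internet is the WireGuard UDP port on the router, and it answers only to peers holding a configured key.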