Wanted: Remote Server w/enclosed abilities

ARN - Apple Remote Network. (sounded good not recalling the actual acronym.)

Sitting at Starbucks on personal private vpn encrypts the connection to its end point and not further.
VPNs connected at each point further anonymizes. Yes, I understand being your own vpn provider and yet have doubts in terms of the anonymity. You are at Starbucks, connect to your self provided vpn so you can now access your own network. You start surfing and, as I understand it, the traffic will route as coming from your destination location…your home IP is now what is being captured. So while there is encryption to protect some of the content transmitted, all traffic is as exposed as on a postcard for anyone who cares to sniff and read the log.

Memory - expect you are spot on. Everything is running with 8 gigs on a mini atm. it does get bogged down.

Remote access / file sharing together as highest priority.
Media server lower priority (though nice enough to have that it remains part of the plan)

Memory ~ how much one might need if going w/Synology for the following:
• File management
• Resilio Sync as a service (might also go into docker tbd)
• Docker
– sonarr / radarr / lidarr / plex / jellyfin / transmit / (possibly Kodi, possibly home bridge)

Looks like a nice drive. Was originally thinking these were wifi drives for iOS Files…guessing there is a way to plug 'em in and Files picks them right up.

As mentioned I use them with an iPad Pro. From what I’ve read to use them with an iPhone/iPad with the lightning connector it will require the official Apple camera kit adaptor and a power source.

lol, ok ARN, no such thing, but I get your meaning.

I see where you are going. Yes, you are correct. Where you
“exit” the tunnel, you will be visible. If it’s at your home, then
your home ISP will/might have visibility to your actions.
There are methods to mitigate this, DoH, ToR, etc., but I get
your point, only an EXTernal VPN will hide you from your ISP.

There are VPN RAM services. They advertise that your VPN
session is run in RAM, and when you sign off, so does the RAM.
As an example (no advertisement) Perfect Privacy in Switzerland.

So you sign in from Starbucks, connect to a RAM VPN in Switzerland
and away you go. Sign off, session deleted. However, you will not be
able to get to your tax returns on your home NAS unless you connect
to a VPN that can connect to your NAS or you punch holes in ports.
Don’t punch holes in ports.

This goes back to my initial confusion about your mention of multiple
VPNs, and clients. If I am following you, you would then need a client
that will connect to your RAM VPN for anonymity and then a client for
your Home VPN for the tax returns. (The could probably be the same
client, just with different profiles)

Just to make this more complicated, Synology offers a service “Quick Connect”
With QuickConnect, you can easily connect to your Synology NAS over the Internet without the hassle of setting up port forwarding rules or other complicated network settings. QuickConnect allows you to connect via a simple customizable address

Net, you go through a Synology VPN, although it is not advertised as such.

Is this something you do all the time? Just a nice to have? The 2 times a year
that I go to Starbucks and want to access my tax returns are probably not worth the effort. If you need remote access 24/7/365 that’s different.

To me, the deciding factor would be how much anonymity, and autonomy you
require or desire. This is all within the realm of known computer science.

You indicated that you use Docker now, How much memory do you give
each of your containers now? 4G? 2M? Add it up. Also, you are going to be
pushing a lot of containers, don’t know if I would be comfortable with a Celeron.

My current NAS has 32GB, a Xeon, and 10GbE. As previously mentioned,
I do all this and more. Yes, it took a while to set up, now it just runs.

I’ve the Synology DS220+. It’s an Intel powered Synology and would be the bare minimum you would need for your shopping list, because only the Intel Synologys run Docker (officially I believe). I installed an additional 4GB RAM.

In terms of the shopping list:

  1. I don’t use the VPN feature of the Synology, as I can remote access it via a browser and do what I need to via that from outside the house using Quickconnect, but have used the VPN in the past and it worked fine.
  2. Data storage can be encrypted at rest. When you create a share, you tell the Synology to encrypt it. When the NAS restarts, you have to go in and manually mount the drive using the password. I think there is a way to automate it using a USB stick but if that’s kept plugged in, there’s no point encrypting them really!
  3. I access mine via SFTP, so it’s encrypted when I need to access the files. I also have the built in fail2ban software within the NAS setup to block all access attempts from outside the UK.
  4. Self hosting isn’t an issue. Domain name access may be, but Quickconnect can help there, or I’ve got DuckDNS setup.
  5. It can be a target for Time Machine if you wanted it. Otherwise, I use Arq and the NAS as a backup target. Equally Synology Drive can backup and store documents.

In terms of running Docker, I imagine they all work, though I have seen some issues regarding Plex (as there is an official package). I think this was to do with transcoding, but I’ve not paid too much attention but I think there is a trade off for Plex Docker, rather than Plex App. I run the Pi Hole docker install.
Resilio Sync works perfectly - it’s what I use to sync between my NAS and devices.
In terms of Kodi, I run Kodi on my nVidia Shield, so I’ve not got that installed so I’m afraid I can’t answer that one.

Noting that in this scenario your home ISP will have access to things like the websites you visit (they need that to route the traffic), but if you’re using HTTPS on those websites your actual traffic will be encrypted.

If you go to https://gmail.com, for example, your ISP knows you’re going to Gmail. But once you connect to Gmail over HTTPS, the contents of what you’re doing on Gmail are opaque to whatever degree they’re not directly revealed in the URLs of the pages you visit.

The postcard analogy would hold as long as you’re talking about what’s written in the address section of the card. Over HTTPS the actual message of the card would be encrypted.

Do you need the actual website addresses to be anonymized? For most people, encrypting the contents is likely sufficient.

Good point, that is why I mentioned DoH (DNS over httpS:)

It moves a DNS query from UDP to more session oriented
TCP, and applies security with the S. In this case your ISP
would see that you were going to a name server BUT not
what you are looking for.

As you can imagine not every ISP is thrilled with it.

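To make the DoH point above concrete, here is an added example (not code from the thread) that builds the Gmail lookup as a plain DNS wire-format query, shows the queried name is readable in that packet, and wraps the same packet in an RFC 8484 GET URL the way a DoH client does; the dns.google endpoint is an assumption, any DoH resolver works the same way.

```python
import base64
import struct

# Constructed example values for this thread's Gmail discussion.
EXAMPLE_NAME = "gmail.com"
# Assumed resolver: Google's public DoH endpoint (RFC 8484); any DoH server works the same.
DOH_ENDPOINT = "https://dns.google/dns-query"


def build_dns_query(name: str, txn_id: int = 0) -> bytes:
    """Minimal RFC 1035 wire-format query for an A record.
    txn_id is fixed at 0 for a deterministic result; real clients randomise it."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def name_readable_in(packet: bytes, name: str) -> bool:
    """Classic DNS sends this packet unencrypted over UDP/53, so anyone on the
    path (the ISP, the coffee-shop Wi-Fi) can read the queried labels from it."""
    labels = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split("."))
    return labels in packet


def doh_get_url(packet: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: the same packet, base64url without '=' padding, in the
    'dns' parameter. The URL travels inside TLS, so an on-path observer sees only
    a TLS session to the resolver host on 443, not which name was asked for."""
    token = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={token}"


def dns_packet_from_doh_url(url: str) -> bytes:
    """Resolver side: recover the wire query from the 'dns' parameter (re-add padding)."""
    token = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def qname_from_packet(packet: bytes) -> str:
    """Read the question name back out of a wire-format query (labels start at byte 12)."""
    labels, pos = [], 12
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


if __name__ == "__main__":
    q = build_dns_query(EXAMPLE_NAME)
    print("name readable in plain UDP/53 packet:", name_readable_in(q, EXAMPLE_NAME))
    print("same query as a DoH GET (sent inside TLS):", doh_get_url(q))
```

Note the caveat from the thread still applies: the resolver host itself is visible, and the TLS handshake to the site afterwards can expose the name via SNI.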

Does it need to be DoH? Or would just swapping your nameservers to (let’s say) the 8.8.8.8/8.8.4.4 combo accomplish largely the same thing?

Well kinda sorta, in that you now have the 8.8.8.8 folks
(Google) “looking” at where you are going. You could
use 1.1.1.1 (Cloudflare) BUT they say “they will never
track you”.

Also, to be honest, there is no magic in DoH, there are
still other protocols that web browsing uses beyond DNS.
SNI, OCSP, etc. (certificate stuff) leaks like a sieve :slight_smile:

In my experience, if we want you, we will get you, and if
you have that big of a concern regarding your anonymity
you will not solve it with a 2 Bay NAS.


One drawback to using alternative DNS servers that I’ve found is the possibility of slower streaming services. Netflix, for example, will place one of their content delivery appliances in a local ISPs data center. I understand Apple and other providers are known to do the same thing.

So in my case if I use Comcast’s DNS I will stream my movie from the local cache. If I use another I will connect to a different CDN possibly multiple hops away.

That is a great call out, and is often not considered in
the pursuit of anonymity. There is always a trade off.

Fair enough. Although given the rest of the discussion, “I need to be able to stream Netflix anonymously while VPN’d into my home network and viewing my archived tax returns” is hopefully not a necessary use case. :smiley:

Personally, I’d be afraid that if I did that all the address translation and re-routing would cause a temporal anomaly and the implosion of our reality. :wink:


Currently each device has its own 3rd party vpn.
The server VPN has port forwarding, so one port allows me to tunnel back.
So, when everything is up and running as expected, I can access the network however that is still through VLC type screen share services. Had a WebDav working on this though it didn’t seem as useful and dropped to the background.
Ah, just now remembering Hamachi (the memories,) prior to LogMeIn acquisition ~ though it was only for desktops…but great because you could get your remote laptop connected to your home network in a flash regardless of vpns, regardless of employer firewalls etc. Now that I am mostly on mobile device this sort of fell by the wayside. There is a Hamachi mode for iOS, however it is essentially a profile vpn.

Quick Connect
Some ‘quick connect like’ services such as Parallels Remote Access, Remote seem to work fine when the host computer is connected to a 3rd party vpn (w/o port forwards etc.) Others, such as Screens Connect outright do not work regardless of their locally installed helper apps (and then require the forwards.). Anyone have insight how Synology Quick Connect would work when there is a 3rd party VPN connected? Can you essentially use iOS Files, then, and quickly connect to your home Synology network? Asking specifically because I had a WD MyCloud a few years back (yes, all part of this same quest) and the software was so hard to use and did not play well with anything on iOS…all you could really do was maybe move a few photos…it was so poor I ended up bailing on all of it. If Synology would connect to the local network and use iOS files for navigation then that would be a much simpler option and confidence in the UI.

The reason for this quest is because yes, always accessing the files. Not the once or twice a year at Starbucks. If I carry my laptop and have the files not a big deal, though 1) the laptop files are a small fraction of the file library…would prefer access to full library and 2) barely a need to travel around w/the laptop these days…and 3) PIA reconciling docs from the small and large library etc.

Security - I am someone who prefers the max security (though it is not like I have a 3rd party encryption key yet.) Nothing questionable happening and no one’s business…bothers me when apps feel entitled to your location data (maybe masked in statements of security)…try to use the iOS version of OfferUp now…blocking nearly all vpns it seems…and they allow you to log into your account through the web but disabled meaningful functions forcing you to their iOS app. And yes, I’m sure a security expert would have a good laugh if they saw the setup and spent a few minutes to break it.

Docker ~ I do not recall allocating memory to the containers. Do not remember. They have been running untouched now for maybe 1.5 years (yes, that is what I mean by set and forget) HOWEVER the scrapers seem less potent and Transmission speeds are now terrible (even w/the strong ratio.)
Also, vpn (while it does make things a little slow) isn’t the main culprit on the speed. Been too busy to get back in and adjust the scrapers, trackers and such. Pushing a lot of containers…doubtful. Sonarr,Radarr,Jellyfin are the main ones. I’d likely move Transmission and Resilio Sync to docker.
If Kodi will act as a media SERVER (where I could consume content from other iOS devices on it, then I’d likely add Kodi.)

Thinking end-state, it would be nice if the majority ran from a NAS like setup and then no need to really mess w/the computer…need for computer to auto start when away…nice to have everything centralized.

Started looking into pricing and just the 2bay Synology (say DiskStation DS218j) is close to $400 and that is bare…still need to add the drives. Maybe $500-$700 outlay?

fail2ban software within the NAS setup to block all access attempts from outside the UK.

Interesting. Guess I could do the same, then for giggles when outside the country see if the vpn will let me in…:grin:

Plex app is fine…docker not ‘required’

Conversation is great all, thank you.

UPDATE:

Amazon Prime - just took the leap and ordered the ‘Synology 2 Bay NAS DiskStation DS220+ (Diskless)’

Figured this will get me up and running, I will likely need to add ram. If this goes super smooth and I outgrow it fast, then I upgrade and that will be ok because the solution has been tested and proven to work.

Anyone w/suggestions on disks to purchase?
Best bang for buck, and it doesn’t need to be insane with high specs in storage or performance.

Ordered two WD4000FYYZ 4TB which I expect will handle needs for years to follow (data storage needs are not huge)
(glad to have located a compatibility spreadsheet online mind you!)

@bolero I am exploring Tailscale (looks promising) and curious how you are connected and using if you get a moment and would not mind sharing.

ATM I have Tailscale installed on Synology 220+ and an iPhone. Dashboard shows them both connected and working…and yet not finding a way to access synology using the Tailscale ip etc…tried through iOS Files and various 3rd party apps, protocols from http, https, smb, afp etc, and with a variety of confirmed working ports.

Currently, I am using it only for photo back up using PhotoSync app. It’s working fine with that. I will check with files app and see how it goes.

Going back to basics here… how is the iPhone connected to back up your photos? Did you use the Tailscale ip and enter as server for example?

That’s correct. I put in the Tailscale IP on the NAS as the server (webdav).

I was able to get Files ‘connected’ but it shows nothing but a blank white page each time. Shows Read Only, yet there are files in that directory which are not being read, and credentials are for full read-write which work w/the dns host.

Have also been trying tail ip and tail server name in a variety of different apps and no success…experimenting w/http,https/ports 5006, 5005…

It looks like it would be straightforward.
Mind if I ask the specifics of your set up (masking the actual ip and any sensitive info) to see if you are using the https and the 5006 etc? Probably some configuration issue on my side.