TrueNAS Core Software Review – Part III, Managing Your Network, Security, Apps, Add-ons & the Conclusion
Making the decision to opt for open source and go DiY for your perfect storage server can be quite intimidating. Building a PC might well be easier in 2022 onwards than ever before, but when it comes to the management of your storage media, managing the security, balancing user access against keeping things secure, all the while ensuring that this 24×7 solution keeps on running, is no small task! It is for that reason that many users look towards software solutions such as TrueNAS Core (formerly FreeNAS) and TrueNAS Scale to create their ideal server setup that will last years. TrueNAS has an incredibly well-established reputation as the most customizable server software in the world and what it might lack in ease of use and novice-friendly options, it counters with a truly incredible range of layered security and management design options. In the third and final part of my full review of the TrueNAS Core platform, I want to look at the security of the system, how it allows you to micro-manage your network, how it supports 3rd party services and finally conclude this review with my verdict on TrueNAS. Should you choose TrueNAS and invest your budget purely into hardware, or should you opt for a turnkey solution from brands such as Synology and QNAP? Talking of turnkey solutions, did you know that you can get TrueNAS in a premade solution? This is the 3rd option that many tend to overlook when weighing up their private server options, and today’s review was made possible thanks to iXsystems supplying one of their Mini X+ pre-built NAS systems. iXsystems are the official hardware and business service provider of TrueNAS. You can find out about their range of iXsystems TrueNAS solutions on Amazon here. Let’s carry on with the review of TrueNAS Core 12.
Part I of the TrueNAS Review Can be found HERE
Part II of the TrueNAS Review is HERE
Alternatively, the (LONG) full review of TrueNAS is available HERE.
Review of TrueNAS – Network Management & Security
Aside from the storage of your data, another HUGE element of managing your NAS (TrueNAS or otherwise) is how well the system manages its network connectivity. This is such an important part of the perfect storage setup that it can often be the make-or-break of a system. This is especially true in 2022, as concerns about cyber security, ransomware, malware and remote access to your home/business network are extremely current! In the last 18 months, big turnkey/off-the-shelf NAS solution providers have been affected by ransomware and remote command injection-based attacks (Deadbolt, QSnatch, Dirty CoW, Dirty Pipe and more) and this has led to a large number of users rolling up their sleeves and deciding to move towards highly customizable/configurable solutions that allow them to craft a completely unique network security setup. Using TrueNAS to do this is arguably going to be a much more technical process, BUT the range of customization and internal separation options that the platform offers is completely unique in many places, and part of that stems from TrueNAS being built on FreeBSD (rather than Linux, which most other NAS platforms are built on, though there IS a Linux kernel TrueNAS option for those that want the benefits inherent to that platform in TrueNAS Scale). This allows a greater degree of partitioned design, enabling incredibly unique storage setups that brute force attacks and injected code methods cannot overcome beyond a certain point. E.g. if you think of TrueNAS on FreeBSD as a house, every single door in the house has a unique lock (multiple unique locks per door if you choose) and having keys to even a single door is just not enough to access everything. Even command-line/back-end access can be forbidden, and for many, that level of native isolation of the storage, backups and snapshots is damn near irresistible! Here are the elements of TrueNAS Core that stood out for me in its network management and security.
Wide Range of Connections, Services and Protocols Supported but off by Default
The first thing that struck me about the TrueNAS system is how all of the available means to interact with the system (in terms of file protocols, internal services and external communication services) can be configured quite extensively AND are all switched OFF by default. This is going to divide opinion a little, but I really, REALLY like this! For a start, having all of these services listed in a single place means that in the event of a system lockdown (e.g. you think your system may be under attack and/or you want to restrict processes that can be used as attack vectors/entry points), shutting these processes down (or even lowering their individual access levels to allow existing critical services to continue) is CONSIDERABLY easier! Additionally, some services that are necessary to system maintenance but can be resource hungry might need to be temporarily suspended by the system admin (e.g. SMART disk checks) to ensure that other short-term but high-priority services have enough horsepower. Then you have the option to suspend some/all SSH/command-level access very quickly, which can often be a catch-all method of suspending an active malware attack. These configuration and service controls also extend to which services are available/active at start-up (for those that are concerned about a firmware update restarting the system and activating/disabling specific services). These controls are available (for the most part) in the majority of turnkey solutions and off-the-shelf NAS drives such as QNAP and Synology; however, they are not presented in such a single-portal access and config fashion, which can make all the difference when the changes required are time-sensitive!
Use of the JAILS system is Smart Once You Get Your Head Around it
The term JAILS is one that is thrown around a lot when people talk about security in the TrueNAS platform, and for good reason. When it comes to installing a new third party tool/service that is not native to the platform, in TrueNAS you can install these additional components as completely contained areas of the system. These JAILS are excellent for securely and safely partitioning the system and services, so that in the event of troubleshooting you can give limited access to, or quickly lock down, a specific application or service. In essence, TrueNAS has two options to create a jail. Unusually for the platform, they even include a Jail Wizard (a hand-holding guide, not a man in a big hat) which makes it easy to quickly create a jail. ADVANCED JAIL CREATION is an alternate method, where every possible jail option is configurable. There are numerous options spread across four different primary sections. This form is recommended for advanced users with very specific requirements for a jail. Many users might query why you would use a jail system such as this to run these contained storage/services, as opposed to a virtual machine or a container (as found more often in Linux). However, jails are independent instances of the FreeBSD operating system. The jail uses the host hardware and runs on the host kernel, avoiding most of the overhead usually associated with virtualization that requires hardware to be hard-locked or provisioned. The jail installs the FreeBSD software management utilities, so FreeBSD packages or ports can be installed from the jail command line. This allows FreeBSD ports to be compiled and FreeBSD packages to be installed from the command line of the jail in a way that is considerably more configurable and more hardware efficient overall.
That isn’t to say that TrueNAS ignores the versatility of Linux and containers, as their newer TrueNAS SCALE (Scale-out, Convergence, Active-active, Linux, Easy – doesn’t quite roll off the tongue, but covers the big advantages inherent to Linux kernel use) platform is built on Linux and takes advantage of those benefits too.
Ability to Bind the Admin GUI to a Specific IP and Port
This is a small but often overlooked setting, but when setting up your TrueNAS network interface ports, you can either leave the interfaces dynamic and wide-ranging in their access to the GUI – OR – you can bind the administration GUI to a static IP and port with fixed access credentials. Dynamic/static IP control is widely available on most NAS systems (allowing the address of the NAS to be more fluid or fixed, to ensure long-term connections do not become interrupted between system/router restarts and/or updates), but the wider range of system controls and customization allows you to create incredibly closed admin control rules, thanks to authentication and white/black listing settings being used in conjunction. This is also applicable to SSH/command line-level access. It is far from unique to TrueNAS, BUT it is a great deal easier to build this routine on their platform than others (as well as arranging secure recovery methods).
Additional Interesting Passphrase Access Method for encryption alongside Key Use
Another unique piece of methodology by TrueNAS that (although far from new) is provided in a very interesting way on this platform is encrypted storage locking/unlocking. Alongside a very wide range of encryption options available to choose from when setting up every stage of the storage creation tiers (pool, volume, datasets, shares, etc.), TrueNAS also allows the user to create a passphrase. Now, on the face of it, I can hear a few seasoned storage users saying “HOLD ON – THAT IS NO BETTER THAN A PASSWORD!”, but let’s dig a bit into this. Now, for most users, when they create an encrypted container (or whatever they are encrypting, run with it for a sec), the system generates an elongated key (depending on the encryption algorithm of choice), as well as offering a downloadable key file. Now, it is ALWAYS highly advised NOT to place this key (code or download) onto the NAS storage, as that would massively undermine the whole security of the system. However, sometimes you do not have the encryption key available or just want momentary access. For that ease of access, during the setup of the encrypted storage, you are offered the chance to enter a passphrase in order to allow faster access to the encrypted storage. Now, this does not reveal the encryption key, as it is not stored locally. Also, the passphrase is heavily limited in its number of attempts and can be adapted to ensure that attempted brute force attacks will lock the system down (like any other security setting). It is not going to be a system service that is widely used; however, it is still a nice additional option for faster access on the fly whilst not undermining the encryption.
Significant Number of Options to Segment Admin/Controls Across the System to Avoid a Single ‘All-Power’ Control Panel if Desired
This all brings me to one of the most outstanding architectural differences that TrueNAS brings to the NAS market that a lot of turnkey solutions (by accident or design) do not fully offer, and that is the overall ability to completely avoid creating a single all-powerful user. Now, on the face of it, I can hear some IT admins fainting/getting angry, BUT with most business storage becoming physically spread out BUT all connected over the internet, that is placing A LOT of power in the admin/power-user’s hands. There is absolutely a need in most network/data storage setups for a single account that can do and access EVERYTHING on a storage system, but that also means that this account, if exploited/accessed via a vulnerability, can be used to dismantle/destroy your storage system much, MUCH faster than anyone can physically disconnect individual components from the greater storage network. With the growing desire in enterprise towards hybrid storage and SD-WAN setups, interconnected storage is incredibly common, and if your multi-site deployment doesn’t maintain uniformly rigorous high-security standards across the board, one weak link can let the whole system down. But in the case of TrueNAS, you have so many means to separate and compartmentalize the system (control of access privileges to services, binding methods to users, groups and services, fixed connection rules and closed-shutter pre-emptive measures that can be adjusted to your needs, in an arguably complex setup it has to be admitted) that you have the option in design to create batches of locally powerful users instead of an all-powerful single user.
Likewise, you can create multiple hierarchical rules that supersede others on the system that can create a checks and balances system of control that might well be better suited to many businesses that run in a more parallel style, all whilst the TrueNAS systems that are spread out can still communicate automatically and do their job. Again, this CAN be created to a very close degree on Synology and QNAP platforms, but you cannot truly remove the power user.
OpenVPN Support Integrated into the OS in the Available Service list
Most NAS systems in 2022 onwards have some form of support for VPN clients. This varies significantly from brand to brand, but in most cases you find that they select a handful of particular virtual private network providers to provide tailored setup config options for (as well as generic setup options for others). In the case of TrueNAS, along with the support of WireGuard (it is possible to connect your TrueNAS directly to a WireGuard network with a few easy steps by creating some custom tunables to enable the service in the system settings menu), the system provides some great support for OpenVPN. OpenVPN (much like TrueNAS) is an open-source project and therefore free to use (the commercial OpenVPN Access Server product sold by OpenVPN Inc. is not free). Within TrueNAS, OpenVPN is a native service (so available from the start) and this allows much faster implementation and deployment of the VPN server and/or client functionality. This means TrueNAS can act as a primary VPN server to allow remote clients access to data stored on the system using a single TCP or UDP port. Alternately, TrueNAS can integrate into a private network, even when the system is in a separate physical location or only has access to publicly visible networks. OpenVPN includes several security options that, while not required in all use cases, can help protect the data being sent into or out of the private network.
- Authentication Algorithm: This is used to validate packets that are sent over the network connection. Your network environment might require a specific algorithm. If no specific algorithm is required, SHA1 HMAC is a good standard algorithm to use.
- Cipher: This is an algorithm to encrypt data packets sent through the connection. While not required, choosing a Cipher can increase connection security. You might need to verify which ciphers are required for your networking environment. If there are no specific cipher requirements, AES-256-GCM is a good default choice.
- TLS Encryption: When TLS Crypt Auth Enabled is set, all TLS handshake messages are encrypted to add another layer of security. This requires a static key that is shared between OpenVPN server and clients.
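The three settings above are easy to get wrong in a hand-written server config, so here is a small checker, added for this review and not part of TrueNAS or OpenVPN, that parses an OpenVPN config fragment and flags a missing or weak auth algorithm, a non-recommended cipher, and the absence of TLS control-channel protection. The two config fragments are constructed for illustration (the key path is a placeholder), and the sets of acceptable values are this example's own policy, following the defaults the review recommends.

```python
"""Lint an OpenVPN server config for the auth / cipher / tls-crypt settings.

Added example for this review, not iXsystems or OpenVPN code. The two config
fragments below are constructed; ACCEPTABLE_* are this example's own policy.
"""

# Constructed weak-looking fragment: legacy cipher, MD5 HMAC, no TLS
# control-channel protection at all.
WEAK_CONF = """\
port 1194
proto udp
dev tun
cipher BF-CBC
auth MD5
"""

# Constructed hardened fragment mirroring the defaults the review suggests.
# The ta.key path is a placeholder.
HARDENED_CONF = """\
port 1194
proto udp
dev tun
cipher AES-256-GCM
auth SHA1
tls-crypt /mnt/tank/openvpn/ta.key   # placeholder path to the shared static key
"""

# Policy for this example: HMACs and ciphers we are willing to accept.
ACCEPTABLE_AUTH = {"SHA1", "SHA256", "SHA384", "SHA512"}
ACCEPTABLE_CIPHERS = {"AES-128-GCM", "AES-256-GCM", "AES-256-CBC", "CHACHA20-POLY1305"}


def parse_directives(conf: str) -> dict:
    """Map each OpenVPN directive to its argument string.

    OpenVPN treats '#' and ';' as comment markers; blank lines are skipped.
    Later duplicates of a directive overwrite earlier ones.
    """
    directives = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        directives[key.lower()] = value.strip()
    return directives


def lint_openvpn(conf: str) -> list:
    """Return a list of human-readable findings; an empty list means clean."""
    d = parse_directives(conf)
    findings = []

    auth = d.get("auth", "").upper()
    if auth not in ACCEPTABLE_AUTH:
        findings.append(f"auth: '{auth or 'unset'}' is not an accepted HMAC algorithm")

    cipher = d.get("cipher", "").upper()
    if cipher not in ACCEPTABLE_CIPHERS:
        findings.append(f"cipher: '{cipher or 'unset'}' is not an accepted cipher")

    if "tls-crypt" not in d:
        if "tls-auth" in d:
            # tls-auth authenticates the handshake but does not encrypt it.
            findings.append("tls: tls-auth present but tls-crypt missing; handshake is not encrypted")
        else:
            findings.append("tls: neither tls-crypt nor tls-auth set; handshake is unprotected")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {lint_openvpn(conf) or 'no findings'}")
```

Run it against the config you actually intend to deploy; the point is that a single missing `tls-crypt` line silently leaves the handshake exposed, and a linter catches that before the service is exposed on a public port.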
OpenVPN is widely supported by the bulk of NAS providers, but it is nice to see it here as a native application within TrueNAS, given that the platform is somewhat restrictive in the services it natively arrives with outside of the app/add-on center.
Full System API Design
One thing that TrueNAS is always keen to highlight about the architecture of their platform (and for those that care about this, it IS a big design appeal of Core) is that pretty much the whole system is API designed. API is the acronym for Application Programming Interface, a software intermediary that allows two applications to talk to each other. If you are planning on connecting your server with one or more external services (most often a database, but there are many other 3rd party client services that can communicate with a NAS), it can be something of a security concern to provide login user credentials to these services so they can communicate with the system. API keys allow you to create a single access portal for a specific service to communicate with the NAS in a select and controlled fashion, without impact on the access control levels or privilege levels of your existing user groups. Remote connections with services can be made to all parts of the TrueNAS system services with API keys (rather than the administration/root login), giving automated remote processes access without dangerously powerful credentials being available to them. API keys can be generated on Synology and QNAP NAS systems, however not to the same system-wide extent, thanks to the architecture of TrueNAS, and that means that (once again) the platform is considerably more flexible than most – IF you have the time to craft it that way.
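As a worked illustration of both points above (services being off by default, and API keys standing in for the root login), here is a small audit script added for this review; it is not iXsystems code. It assumes the TrueNAS Core 12 middleware exposes `GET /api/v2.0/service` with bearer-token authentication and that each entry carries `service`, `state` (`RUNNING`/`STOPPED`) and `enable` fields; confirm those names against your system's `/api/docs` before relying on it. The host name, API key and allowlist are placeholders, and the sample response in the block is constructed.

```python
"""Audit which TrueNAS services are running or enabled at boot, using an API key.

Added example for this review, not iXsystems code. Assumptions: TrueNAS Core 12
serves GET /api/v2.0/service, accepts 'Authorization: Bearer <api key>', and each
entry has 'service', 'state' ('RUNNING'/'STOPPED') and 'enable' fields. Host,
key and allowlist below are placeholders; SAMPLE_RESPONSE is constructed.
"""
import json
import urllib.request

TRUENAS_URL = "https://truenas.example.invalid"  # placeholder host
API_KEY = "PLACEHOLDER-API-KEY"                  # generate under Settings > API Keys

# Services the administrator has decided may be reachable at all (placeholder
# allowlist). Anything else found running or enabled at boot is reported.
ALLOWED_SERVICES = {"smb", "ssh", "smartd"}

# Constructed sample of what the endpoint is assumed to return.
SAMPLE_RESPONSE = [
    {"service": "smb", "state": "RUNNING", "enable": True},
    {"service": "ssh", "state": "STOPPED", "enable": False},
    {"service": "ftp", "state": "RUNNING", "enable": True},
    {"service": "rsync", "state": "STOPPED", "enable": True},
    {"service": "smartd", "state": "RUNNING", "enable": True},
]


def fetch_services(url: str, api_key: str) -> list:
    """Call the v2.0 middleware API with an API key instead of root credentials."""
    req = urllib.request.Request(
        f"{url}/api/v2.0/service",
        headers={"Authorization": f"Bearer {api_key}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit_services(services: list, allowed: set) -> dict:
    """Compare the service list against the allowlist and return the findings.

    unexpected_running: listening now but not on the allowlist (exposure today)
    unexpected_enabled: will start on the next reboot although not allowed
    allowed_stopped:    on the allowlist but currently down (availability check)
    """
    return {
        "unexpected_running": sorted(
            s["service"] for s in services
            if s["state"] == "RUNNING" and s["service"] not in allowed
        ),
        "unexpected_enabled": sorted(
            s["service"] for s in services
            if s["enable"] and s["service"] not in allowed
        ),
        "allowed_stopped": sorted(
            s["service"] for s in services
            if s["service"] in allowed and s["state"] != "RUNNING"
        ),
    }


if __name__ == "__main__":
    # Swap SAMPLE_RESPONSE for fetch_services(TRUENAS_URL, API_KEY) on a real system.
    report = audit_services(SAMPLE_RESPONSE, ALLOWED_SERVICES)
    print(json.dumps(report, indent=2))
```

Scheduling a check like this after every update or reboot turns the "everything off by default" design into something verifiable: the key only needs read access to the service list, and the report tells you immediately if a service was switched on that you did not expect.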
No Security Walkthrough? No Security Counsellor?
I know I am starting to sound like a broken record here, but yet again, the thing that might well put a lot of users off the TrueNAS platform when it comes to security and network management is the sheer complexity and intimidating scale of the options presented to you. In most cases, I think that TrueNAS takes an understandable hard position on storage complexity – you cannot be THAT customizable and configurable and keep things easy/straightforward. However, when it comes to network and security, I think TrueNAS could stand to benefit from further security and network setup guidance. They support the usual ‘?’ tips on most pages and links to the extensive community/official guides, which are a big help. But with fewer examples of dynamic help (setup wizards being available on all network/security setups, as you find on Synology and QNAP), as well as a security counsellor/single portal being absent to see all your system security in a single window (TrueNAS DOES provide this in the storage manager), this is where many users will pause continuously in the early setup to triple check and, unless they are a network security professional, will always feel that nagging sense of doubt. A security counsellor or setup wizard may seem overly simplistic for TrueNAS, but it would serve as a useful alternative for some users who want to use a pre-set setup that they can customize down the line.
Review of TrueNAS – 3rd Party Tools, Applications and VM Deployment
One element of TrueNAS that divides opinion about the platform is its first-party services. TrueNAS offers a huge number of native services, tools and storage setup options that allow you to craft a fantastically bespoke and secure storage system, but the demands from most business/enterprise-class data storage users in recent years have changed dramatically thanks to the rise of cloud platforms and turnkey NAS solutions arriving on the scene to provide SaaS and PaaS solutions – namely Software as a Service and Platform as a Service. These solutions (generally hybrid cloud/bare-metal such as Synology NAS + C2, or pure cloud such as Google Workspace or Office 365) provide your storage AND a range of applications and tools native to the brand (i.e. 1st party) that allow you to interact with and utilize your data in a closed ecosystem. This starts at tailored access to formats such as images, docs, music and video and inevitably extends to virtual machine deployment, native email & accounts management and more. Now, TrueNAS does not really provide any first-party/native tools that are comparable to this, but DOES provide a fantastic base of operation that allows you to integrate a HUGE number of third party SaaS and PaaS providers with their system. Let’s discuss how TrueNAS handles that 3rd party support of add-ons.
App Installation is Highly Customizable and Has Advanced Options
Thanks to that open-source architecture and the large community/homebrew community available to TrueNAS, there is a wide range of options to connect your existing services and client tools with the system, and TrueNAS has a plugin center immediately available from the GUI. As you might expect, it is remarkably configurable but also not quite as intimidating as other areas of the system that require installation and setup to be refined in great detail (but it DOES have the advanced option to go down that road if you want). For those that care about how well/securely applications will be running, there is a tremendous range of config options available that include storage location, network and privileges (limiting root access) to start with, and then widen out dramatically towards who can access, how they access, what powers the tool will have, safeguards and much more. Perhaps you created your DiY TrueNAS server to serve a specific purpose and want that tool (Plex, Emby, NextCloud, smart home tools, etc.) to have the lion’s share of the performance and hardware options at its disposal – that is incredibly scalable and configurable in TrueNAS in a way that is simply not possible in QNAP and Synology.
Choices of Different App Repositories and Homebrew Installations
At the outset, when viewing the available add-ons and tools afforded to the app center of your iXsystems NAS, you will see that there are very few tools immediately available to download and install. These tools are ones that have been better catered to the system in conjunction with iXsystems, but you are not limited to these. Alongside the option to access the verified/unverified community applications list (which is significantly broader in its tools than the iXsystems list), you also have options to install custom-made plugins at the command line level (creating jails quickly), and for those with the skillset, this makes TrueNAS significantly easier to adapt towards specific 3rd party tools and custom server use. Once again, compared with the Synology or QNAP platforms, although their range of 3rd party applications (and 1st party apps of course) is wider in support in their respective app centers, once you try to step outside of this portal, their systems’ more closed architecture can be a real bind. Both of those turnkey platforms have their own homebrew communities in SynoCommunity and QNAPClub, but you are still relying on 3rd party app crafting, whereas the TrueNAS platform allows direct homebrew tool creation and deployment more broadly.
Virtual Machine Deployment is extremely QUICK and scalable!
When it comes to hosting and deploying virtual machines, this is one of the most compelling cases for opting for TrueNAS for many users. Typically, right now, deployment of virtual machine infrastructure in businesses (even smaller businesses that want to deploy centralized virtual systems to their staff on a local level) falls into two categories. There is opting for subscription-based pure cloud services such as the SaaS and PaaS options mentioned earlier in the review to host virtual terminals/PCs in conjunction with a hypervisor platform such as VMware or Hyper-V, OR hosting them on a physical/bare-metal server on-site for network/remote access. There is of course the option to combine the two via hybrid storage and the right hosting/sync tools, but this is mostly an enterprise option and we are entering the NetApp/EMC tier at this point for most hyperscale users. Now, the reason TrueNAS commands such a compelling argument for itself when it comes to virtualization is that you have full control of the components and hardware that make up your server – something that is just not as open in choice with turnkey solutions (which by design are closed in hardware specifications and offer limited scalability). Virtual machine deployment on the TrueNAS platform is possible in several ways.
First, there is using the system’s own hypervisor-level tools to deploy a VM natively, which allows a number of virtual hardware emulation choices immediately, as well as configurable network and setup options that will dynamically use the system hardware (also allowing you to be flexible on how the system reserves that hardware when a VM is powered on). Alongside this, the open-source and configurable nature of TrueNAS means that pointing an existing hypervisor VM tool at the NAS, locally on a client system or via installation in a jail etc. on the NAS itself, is a great deal more frictionless than the fixed design of QNAP Virtualization Station and Synology Virtual Machine Manager. These tools from QNAP and Synology do an excellent job and are wide-ranging in the platforms, OSes and existing 3rd party SaaS/PaaS providers they support in their presets, but on the whole they are less flexible for bespoke VM deployment than TrueNAS, which is then further bolstered by the scalability and upgradability of TrueNAS in its hardware. Migrating your existing TrueNAS storage and services into a much more powerful DiY setup as the cost/efficiency/power of modern hardware arrives is much more open-ended, with most NAS-provided hypervisors requiring migration to remain in the closed ecosystem (i.e. you can only move your Synology VMM setup to another Synology NAS and that brand’s choice of hardware). Virtual machine deployment on TrueNAS is still much more of a technical affair than on turnkey solutions, and it also lacks a few of the 2-3 click deployment-ready Windows/Linux VM advantages of QNAP Virtualization Station, but it is still a fantastically customizable, highly scalable and extremely adaptable virtual machine platform.
Apps Cannot be installed in the Background
This is a remarkably minor gripe, I know. But when installing multiple services via one of the means afforded by TrueNAS, it is a slower process than those found in many turnkey solutions. Between the system being largely inaccessible via the GUI to a user while the system is installing an application, and a slightly clunky feeling to their deployment, users who are familiar with the commercial OS design and UX of Synology and QNAP are going to find that adding and running new services involves a little more friction. Most of this stems from the TrueNAS platform being more ‘hands on’ in its maintenance, but ultimately being designed to be part of a larger setup silently in the background, rather than the primary interface on a regular basis.
Range of Applications Available out the Box Still Seems a Little Thin
Given the scale and years of history in the development of TrueNAS, it still seems rather odd that development of first-party applications and services remains comparatively short. New service support is regularly added, as are verified 3rd party applications in the add-on list, but TrueNAS proprietary applications still seem pretty thin on the ground. I understand the reasoning behind this – TrueNAS wants to focus on making the very best data storage solution it can be, leaving other tailored data specializations to those that produce popular tools, which it can then add support for in its platform. However, even simple areas such as 1st party tools for file management, local client synchronisation/backup tools that support file pinning/streaming natively in shared folders, or a mobile application allowing administrators to quickly access, configure or troubleshoot the system more conveniently would be appreciated, I am sure. This is all very possible with 3rd party tools that support TrueNAS, and the platform itself recommends specific tools in places. However, many might feel that with each service requiring at best a sign-up and at worst a subscription plan, it still seems odd that after all these years TrueNAS Core (aka FreeNAS) has still opted to overlook this.
Review of TrueNAS – Conclusion & Verdict
It will come as absolutely no surprise to anyone that TrueNAS is fantastically capable software for managing your storage. It even manages to swerve the downfall of being ‘too enterprise’ by arriving as an open-source free software platform to be enjoyed by businesses and storage enthusiasts. There is no avoiding that it IS quite a technical, mountainous learning curve if you are arriving at it from a position of zero storage or network experience, but the last few big TrueNAS system updates have gone a long way to update some UI elements to be more intuitive, system-wide help notes are available at all times, and the community support is as on-point as it has ever been. If you are a home user looking for a hurdle-free setup or a day-1 deployable system for your small business, then TrueNAS may be too big a jump for you and you would be better off with a traditional off-the-shelf NAS system. However, if you have the know-how, you have the willingness to get your hands dirty and already have the hardware in mind/in-house, then TrueNAS stands in a class of its own, and thanks to some architecture choices that are almost utterly unique to this platform, it’s pretty unparalleled in its scope.
| Who is TrueNAS for | Who is TrueNAS NOT for |
|---|---|
| Those with unique storage requirements in terms of workflow or data structure | Those who want to purchase a complete hardware/software solution to replace Google/DropBox etc. |
| Users who are happy with/prefer community support | Users who prefer commercial-grade support |
| Those who prefer an analytic GUI | Those who prefer a graphic GUI |
| Those who demand performance and are happy to tweak things till they get it | Users who want a 1st party ecosystem of hardware, software, add-ons and tools |
| Those who would rather spend their allocated budget on hardware, not software | Those who would rather spend their allocated budget on software/services, not hardware |
| Those with a dedicated IT team/individual | The less tech-savvy who want the system to arrive ready to go (turn-key) |
| Users who like to fine-tune | Users who want a system to do X thing X way without friction |
| Anyone that has ever built a PC | Users who want a simplified warranty |
| Anyone that prefers the power and customization of PC gaming | Users who prefer console gaming as it is much more convenient and easy to deploy and enjoy |
| Users who prefer a smaller but more concise number of plugins | Users who prefer a wider variety of plugins |
Remember, you can head back over to part 1 and part 2 of my TrueNAS review below:
Part I of the TrueNAS Review Can be found HERE
Part II of the TrueNAS Review is HERE
Alternatively, the (LONG) full review of TrueNAS is available HERE. Thanks for reading!