[SOLVED] Advice: How should I set up a VPN for remote work (UniFi, TrueNAS, or other)?

I wanna set up a secure VPN for a few reasons:

  1. ZFS data replication to offsite backup from TrueNAS to TrueNAS over SSH.
  2. Remote video editor to work with files over Samba on my NAS.

I’m wondering if I should use:

  1. UniFi’s built-in site-to-site or L2TP.
  2. OpenVPN via TrueNAS.
  3. An off-the-shelf solution I can purchase.

Also, do I need Dynamic DNS to get this working?

Offsite Backups

I could do direct SSH, but I’m not sure if that’s very secure or if it’d be better to use a VPN, because I’d have to have a TrueNAS box’s SSH exposed publicly.

Both locations have a UniFi controller, but not a gateway.

Remote Video Editor

I was thinking VPN + Samba for ease of use. TrueNAS has OpenVPN, and that looks pretty simple to set up. It also directly connects to the NAS box and nothing else in my network.

UniFi built-in WireGuard VPN seems like the best option to me.
You only need Dynamic DNS if your work doesn’t have a static IP (often costs $10-20 a month extra to get one on a basic business plan from Frontier, Spectrum, etc.)


I ended up doing it through TrueNAS because it has OpenVPN, and I only want to give access to TrueNAS either way.

The setup wasn’t simple, but now that I know how to make it work, I can do it again in minutes.
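The "only the NAS is reachable" design described above, written out as a WireGuard (wg-quick style) configuration. This is an added example, not the poster's or TrueNAS's own config; key material, tunnel addresses, the DDNS name and the file path are placeholders or constructed values.

```ini
# Added example: WireGuard tunnel that terminates on the NAS and exposes
# nothing else on the LAN. All keys/addresses/names below are placeholders.

# --- NAS side (e.g. /etc/wireguard/wg0.conf, hypothetical path) ---
[Interface]
Address = 10.88.0.1/24
ListenPort = 51820
PrivateKey = <NAS_PRIVATE_KEY>
# No IP forwarding and no NAT/MASQUERADE rule on this host: packets that
# arrive on wg0 can only be delivered to this machine, so the rest of the
# LAN is unreachable through the tunnel even if a peer's key is stolen.

# Peer 1: offsite TrueNAS, needs only SSH for zfs send/recv replication.
[Peer]
PublicKey = <OFFSITE_NAS_PUBLIC_KEY>
AllowedIPs = 10.88.0.2/32      # a /32: this key may only source this one address

# Peer 2: remote video editor, needs only SMB to this host.
[Peer]
PublicKey = <EDITOR_PUBLIC_KEY>
AllowedIPs = 10.88.0.3/32

# --- Editor side (Windows/macOS/Linux WireGuard client) ---
[Interface]
Address = 10.88.0.3/24
PrivateKey = <EDITOR_PRIVATE_KEY>

[Peer]
PublicKey = <NAS_PUBLIC_KEY>
# DDNS hostname (or static IP) of the NAS site; only needed here, on the client side.
Endpoint = nas.example-ddns.net:51820
# Split tunnel: route only the NAS's tunnel address, never 0.0.0.0/0,
# so the editor's normal Internet traffic does not cross the VPN.
AllowedIPs = 10.88.0.1/32
# Keeps the NAT mapping on the editor's home router alive.
PersistentKeepalive = 25
```

Bind the SSH and SMB listeners (or the host firewall) to the 10.88.0.1 tunnel address so those services are not also reachable on the WAN side, which is the exposure the original post wanted to avoid.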

wg-easy in Docker is a very easy solution too

I don’t think OpenVPN supports CPU acceleration (at least it didn’t on pfSense when I looked, and both TrueNAS and pfSense are FreeBSD), so I’d just use general IPsec IKEv2, which does.

May or may not be an issue for you depending on your replication bandwidth needs, but for me, with 1000-odd users, I figured acceleration would be important.

If it got you what you wanted then that is great 👍

Depending on what CPU your NAS is running, you might not have great performance with OpenVPN running on the NAS. You should run a bandwidth test through the remote connection and see what you can do. WireGuard VPN is known to be faster than OpenVPN, but none of the UniFi products have great CPUs either.

WireGuard looks good. Never heard of it. At this point, I’ve really only ever used OpenVPN because it was more secure than PPTP 15 years ago.

OpenVPN is working for me, but WireGuard looks a lot nicer. If I could install a jail for it, that’d be easier than setting up a Docker container. While I have an Epyc, my other host has an Intel Atom CPU.

Not sure how to do speed tests from FreeBSD, but if performance is bad, I’d definitely want to find a better solution.

I also set up WireGuard today. I found out it’s already part of TrueNAS: Docs Hub | Enabling WireGuard

Locally, I’m able to get ~30-60MB/s which is pretty slow considering I have a 1Gb/s up and down fiber Internet connection.

For my editor, he’s getting 0 to 5MB/s on both OpenVPN and WireGuard. Is there something I need to be doing to make it faster?

I might be wrong about the speed I was getting over VPN.

Testing it now, I’m only seeing up to 12MB/s. Not sure why it’s limited to 100Mb.

TrueNAS to TrueNAS using OpenVPN:

Windows to TrueNAS using WireGuard:

These are both to the same TrueNAS server, and all of these machines are on the same network, connecting through the Internet over VPN.

I know it’s using the VPN because this is what I get from that same Windows machine using an in-LAN address:


Even with these ~100MB/s stats, both the read and write speeds are limited to 12MB/s over both FTP + TLS and Samba.

I tried this using two zpools. One filled with 10 mirrors + optane cache + optane log + optane metadata. The other was made up of 3 mirrors of 2TB SATA SSDs.

There’s gotta be some trick to it.

Update

I upgraded to TrueNAS SCALE and switched to Tailscale. Everything’s been significantly faster. I’m getting near-gigabit speeds.

Looks like the issue was TrueNAS Core.


I also found out that latency heavily affects Samba transfers:

While that wasn’t my issue, it will be a longer-term issue I’ll wanna address.
