
TrueNAS Connect: Secure Remote Access Without VPN or Port Forwarding


Remote access to a home or business NAS is a common need — but the traditional approaches are either insecure (port forwarding) or complex (VPN). TrueNAS Connect offers a third path: a cloud-based relay service that establishes an encrypted connection between client and NAS without opening ports or configuring VPN tunnels.

The Problem with Traditional Solutions

Port Forwarding: Simple but Risky

Port forwarding routes external requests directly to the NAS. The result: the NAS is reachable from the entire internet.

Internet → Router (Port 443) → TrueNAS (Web GUI)
Internet → Router (Port 445) → TrueNAS (SMB) ← DANGEROUS!

Risks:

  • Brute-force attacks on login pages
  • Exploitation of zero-day vulnerabilities
  • The SMB protocol was never designed for internet access
  • Bot scanners find open ports within minutes

VPN: Secure but Complex

A VPN tunnel (WireGuard, OpenVPN) provides secure encryption but requires:

  • Setting up and maintaining a VPN server (on router or separate device)
  • Port forwarding for the VPN port itself
  • Certificate or key management
  • Client configuration on every device
  • NAT traversal issues with CGNAT or double NAT

TrueNAS Connect: How It Works

TrueNAS Connect uses a cloud-based relay server operated by iXsystems as an intermediary. The NAS establishes an outgoing connection to the relay — no incoming ports need to be opened.

Architecture

┌──────────┐        ┌─────────────────┐        ┌──────────┐
│  Client   │◄──────►│ TrueNAS Connect │◄──────►│ TrueNAS  │
│  (App)    │  TLS   │  Cloud Relay    │  TLS   │  NAS     │
└──────────┘        └─────────────────┘        └──────────┘

                    Outgoing connection
                    (no port forwarding)

Flow:

  1. TrueNAS establishes an outgoing TLS connection to the Connect relay
  2. The client authenticates via the TrueNAS Connect app or browser
  3. The relay server brokers the connection between client and NAS
  4. Data transfer is encrypted (end-to-end)

No Incoming Port Required

Since the NAS establishes the connection to the relay outbound, TrueNAS Connect works even behind:

  • CGNAT (Carrier-Grade NAT)
  • Double NAT
  • Restrictive firewalls
  • Hotel and corporate networks
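The flow above as a runnable localhost model (an added example, not iXsystems code and not the TrueNAS Connect protocol): the relay is the only process that listens, while the NAS dials out and stays parked until a client presents the same link ID. The `NAS`/`CLIENT` registration line, the link ID and all function names are assumptions made for illustration, and TLS is left out.

```python
import asyncio
# Conceptual model: the "NAS <id>" / "CLIENT <id>" registration line is
# hypothetical, not the TrueNAS Connect wire protocol; TLS is omitted.
parked = {}  # link id -> (reader, writer) of a NAS that has dialled out

async def pipe(reader, writer):  # copy one direction until EOF
    while data := await reader.read(4096):
        writer.write(data)
        await writer.drain()
    writer.close()

async def relay_handle(reader, writer):
    """Relay: the only listener; pairs a client with a parked NAS link."""
    role, link_id = (await reader.readline()).decode().split()
    if role == "NAS":
        parked[link_id] = (reader, writer)
        return
    nas_link = parked.pop(link_id, None)
    if nas_link is None:  # no NAS registered under this id: refuse
        writer.close()
        return
    await asyncio.gather(pipe(reader, nas_link[1]), pipe(nas_link[0], writer))

async def nas(port, link_id):
    """The NAS only dials out; it never binds or listens on a port."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    writer.write(f"NAS {link_id}\n".encode())
    request = await reader.readline()
    writer.write(b"NAS reply to: " + request)
    await writer.drain()
    writer.close()

async def client(port, link_id, request):
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    writer.write(f"CLIENT {link_id}\n".encode() + request)
    reply = await reader.readline()  # b"" if the relay refused the link id
    writer.close()
    return reply

async def demo(link_id="constructed-link-1", request=b"list shares\n"):
    server = await asyncio.start_server(relay_handle, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    nas_task = asyncio.create_task(nas(port, link_id))
    while link_id not in parked:  # wait for the outbound NAS link
        await asyncio.sleep(0.01)
    reply = await client(port, link_id, request)
    refused = await client(port, "unknown-link", request)
    await nas_task
    server.close()
    return reply, refused
```

`asyncio.run(demo())` returns the NAS reply for the registered link and an empty reply for the unknown one. Because the NAS side contains no `listen` call, nothing on the router has to be forwarded to it.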

Setup

Prerequisites

  • TrueNAS SCALE 24.04 (Dragonfish) or newer
  • A TrueNAS Connect account (free from iXsystems)
  • Internet access for the NAS (outbound, HTTPS)

Step 1: Create a TrueNAS Connect Account

  1. Visit connect.truenas.com
  2. Register an account (email + password)
  3. Confirm the email address

Step 2: Link TrueNAS

In the TrueNAS web GUI:

System > TrueNAS Connect:
├── Status: Disconnected
├── Click "Link TrueNAS"
├── Enter Connect credentials
└── Configure permissions

After linking, the status shows Connected. The NAS now maintains a persistent connection to the relay server.

Step 3: Configure Access Services

TrueNAS Connect can make various services remotely accessible:

Service   Description                    Default
Web GUI   TrueNAS management interface   Enabled
SMB       File shares (Windows/Mac)      Manual
NFS       File shares (Linux)            Manual
SSH       Command-line access            Manual
Apps      Installed TrueNAS apps         Manual

System > TrueNAS Connect > Services:
├── Web UI:    ✓ Enabled
├── SMB:       ✓ Enabled
├── SSH:       ✗ Disabled (enable only when needed)
└── Apps:      Individually configurable

Step 4: Set Up the Client

Mobile App (iOS/Android):

  1. Install the TrueNAS Connect app from the App Store
  2. Sign in with your Connect account
  3. The linked NAS appears in the app
  4. Browse files and upload/download

Browser Access:

  1. Visit connect.truenas.com in your browser
  2. Sign in
  3. Click on the linked NAS
  4. The TrueNAS web GUI opens in the browser

Security Model

Encryption

TrueNAS Connect uses TLS 1.3 for the connection between NAS and relay as well as between client and relay. Data is additionally encrypted at the application layer.

Client ←→ Relay:   TLS 1.3
Relay ←→ NAS:      TLS 1.3
Additionally:       Application-layer encryption

Authentication

  • Multi-factor authentication (MFA): Optional but strongly recommended
  • API keys: For programmatic access
  • Session management: Sessions expire after inactivity

What Can iXsystems See?

A valid question: since traffic flows through iXsystems’ relay servers, the provider could theoretically see metadata:

  • Visible: Connection timestamps, IP addresses, data volume
  • Not visible: File contents (encrypted), file names (depending on protocol)

For highly sensitive environments, a self-hosted VPN remains the better choice since no third party is involved.

System > TrueNAS Connect > Security:
├── MFA:                  ✓ Enabled (TOTP)
├── Allowed IP Ranges:    Restrict if needed
├── Session Timeout:      30 minutes
├── Services:             Enable only what is needed
└── SSH:                  Disabled (emergency only)

Comparison: TrueNAS Connect vs VPN vs Tailscale

TrueNAS Connect

Aspect               Rating
Setup                Very easy (5 minutes)
Port forwarding      Not required
CGNAT compatible     Yes
Performance          Good (relay overhead)
Cost                 Free (basic features)
Control              Medium (relay at iXsystems)
Supported services   TrueNAS-specific

WireGuard VPN

Aspect               Rating
Setup                Medium (30–60 minutes)
Port forwarding      Required (1 port)
CGNAT compatible     No (without relay)
Performance          Very good (direct connection)
Cost                 Free
Control              Full (self-hosted)
Supported services   All (full tunnel)

Tailscale / Headscale

Aspect               Rating
Setup                Easy (10–15 minutes)
Port forwarding      Not required
CGNAT compatible     Yes
Performance          Very good (P2P with DERP fallback)
Cost                 Free (up to 100 devices) / Headscale free
Control              Medium (Tailscale) / Full (Headscale)
Supported services   All (IP level)

Recommendation by Use Case

Scenario                          Recommendation
Home user, simple file access     TrueNAS Connect
Tech-savvy home user              Tailscale or WireGuard
Business, full control needed     WireGuard or Headscale
Behind CGNAT, no router access    TrueNAS Connect or Tailscale
Maximum performance               WireGuard (direct connection)

Tailscale as an Alternative on TrueNAS

For users who want more control and broader service access, Tailscale can be installed as an app on TrueNAS SCALE:

Apps > Available Applications > Tailscale:
├── Auth Key: tskey-auth-xxxxx (from Tailscale Admin Console)
├── Advertise Routes: 192.168.1.0/24 (local network)
├── Accept Routes: true
└── Hostname: truenas

Tailscale creates a WireGuard-based mesh network that prefers peer-to-peer connections and only falls back to DERP relay servers when NAT traversal fails.

Performance Considerations

Remote access speed depends on several factors:

  • Upload speed at the NAS location
  • Latency to relay server / VPN endpoint
  • Download speed at the client location
  • Encryption overhead (minimal on modern CPUs)

Typical throughput values:

Method             Typical Throughput   Latency Overhead
TrueNAS Connect    50–200 Mbit/s        20–50 ms
WireGuard VPN      100–500 Mbit/s       5–15 ms
Tailscale (P2P)    100–400 Mbit/s       5–20 ms
Tailscale (DERP)   50–150 Mbit/s        30–80 ms

The limiting factor is almost always the upload speed of the internet connection at the NAS location.

Conclusion

TrueNAS Connect fills an important gap: it enables secure remote access without technical expertise. No port forwarding, no VPN setup, no certificate management. For home users and small offices, it is the simplest solution. Those who need maximum control, performance, or access to all network services should continue to use WireGuard or Tailscale. The good news: all three approaches can run in parallel — TrueNAS Connect for quick file access on the go, VPN for the full network tunnel when needed.
