Building a NAS


Step 5: Plex (If building a Media Center)

Add the Plex repo signing key (fetched over HTTPS and stored in its own keyring, so it can only vouch for the Plex repo, not all of apt):
    curl https://downloads.plex.tv/plex-keys/PlexSign.key | sudo gpg --dearmor -o /usr/share/keyrings/plex-archive-keyring.gpg

Add the Plex repo:
    echo "deb [signed-by=/usr/share/keyrings/plex-archive-keyring.gpg] https://downloads.plex.tv/repo/deb public main" | sudo tee /etc/apt/sources.list.d/plexmediaserver.list

Install Plex:
    sudo apt update
    sudo apt install plexmediaserver

Ensure Plex is running:
    sudo systemctl status plexmediaserver
📌 Confirms Plex is active (should show active (running)).

Allow Plex in the firewall:
📌 Port 32400/tcp = Plex's web interface & remote access.
    sudo ufw allow 32400/tcp
⚠️ This rule accepts 32400 from any source. If the NAS should only be reachable from the LAN and Tailscale, use scoped rules instead (sudo ufw allow from 192.168.1.0/24 to any port 32400 proto tcp, plus the Tailscale equivalent), as in the VPN/Killswitch Rules card.
Restart ufw (optional):
    sudo ufw reload

Find your local IP and open Plex Web:
    http://<your-NAS-IP>:32400/web
Claim your server, name it, add your libraries.
Tailscale (remote): http://100.x.x.x:32400/web (the NAS's Tailscale IP)

Step 8: Create AutoStart Service

Create a custom systemd service file for the VPN client:
    sudo vim /etc/systemd/system/openvpn-failover.service

    [Unit]
    Description=OpenVPN Failover Client
    After=network-online.target
    Wants=network-online.target

    [Service]
    Type=simple
    ExecStart=/usr/sbin/openvpn --config /etc/openvpn/protonvpn-failover.ovpn --auth-user-pass /etc/openvpn/login.txt
    Restart=always
    RestartSec=5
    KillSignal=SIGINT

    [Install]
    WantedBy=multi-user.target

login.txt holds the OpenVPN username on line 1 and the password on line 2. The unit runs as root, so keep the file root-owned with chmod 600.

Unblock ports for the VPNs (needed because the kill switch denies outgoing by default):
    sudo ufw allow out to any port 1194 proto udp   # the VPN port may differ; check the remote lines in your .ovpn
    sudo ufw allow out to any port 443 proto udp
    sudo ufw allow out to any port 4569 proto udp
    sudo ufw allow out on tun0 from any to any
    sudo ufw allow out on eth0 to any port 53 proto udp
    sudo ufw allow out on eth0 to any port 53 proto tcp
    sudo ufw reload
⚠️ The two port 53 rules let DNS leave on eth0 outside the tunnel (a DNS leak path). They are only needed if the remote lines in the .ovpn are hostnames that must resolve before the tunnel exists; if they are IP addresses, leave these two rules out.

Reload systemd and start it:
    sudo systemctl daemon-reexec
    sudo systemctl daemon-reload
    sudo systemctl enable openvpn-failover
    sudo systemctl start openvpn-failover
    sudo systemctl status openvpn-failover

Verify the public IP as seen through the tunnel:
    curl ifconfig.io
    curl --interface tun0 ifconfig.io

Step 7: AutoStart VPN (Optional)

Firewall setup
Back up the current rule set first:
    sudo ufw status numbered > ~/ufw-backup.txt

# Allow SSH over Tailscale
    sudo ufw allow in on tailscale0 to any port 22 proto tcp
# Allow SSH over your LAN subnet (optional redundancy)
    sudo ufw allow from 192.168.1.0/24 to any port 22 proto tcp
# Deny everything by default
    sudo ufw default deny outgoing
    sudo ufw default deny incoming
# Allow all traffic over the VPN tunnel (tun0)
    sudo ufw allow out on tun0
    sudo ufw allow in on tun0
# Allow localhost loopback (important for internal services)
    sudo ufw allow out to 127.0.0.1
    sudo ufw allow in from 127.0.0.1
# Allow Tailscale (in/out over interface tailscale0)
    sudo ufw allow in on tailscale0
    sudo ufw allow out on tailscale0
# Allow SSH from the Tailscale address range (if not already covered)
    sudo ufw allow from 100.64.0.0/10 to any port 22 proto tcp
# Allow SMB access from LAN
    sudo ufw allow from 192.168.1.0/24 to any port 445 proto tcp
# Allow Plex ONLY from LAN and Tailscale (no WAN)
    sudo ufw allow from 192.168.1.0/24 to any port 32400 proto tcp
    sudo ufw allow from 100.64.0.0/10 to any port 32400 proto tcp

⚠️ As listed, nothing is allowed out on eth0, so OpenVPN cannot reach the VPN server and tun0 will never come up. Also allow the VPN endpoint out on the physical NIC (sudo ufw allow out on eth0 to <VPN_IP> port 1194 proto udp, or whatever port/protocol the remote line of your .ovpn uses) before switching the outgoing default to deny. Add the rules from a console or Tailscale session so a mistake cannot lock you out.

Autostart
    sudo mv /mnt/mediassd/share/nl-free-1.protonvpn.udp.ovpn /etc/openvpn/protonvpn.conf
📌 The openvpn@<name> systemd unit reads /etc/openvpn/<name>.conf, so the file must end in .conf, not .ovpn.
    sudo vim /etc/openvpn/auth.txt
Put this inside (two lines):
    your_openvpn_username
    your_openvpn_password
    sudo chmod 600 /etc/openvpn/auth.txt
    sudo vim /etc/openvpn/protonvpn.conf
Change the auth-user-pass line to:
    auth-user-pass /etc/openvpn/auth.txt
    sudo systemctl enable openvpn@protonvpn
    sudo systemctl start openvpn@protonvpn
    systemctl status openvpn@protonvpn

Step 9: VPN/Killswitch Rules

Here's the order to add them so nothing locks you out mid-setup (UFW kill switch + NAS/Tailscale rules). Work from a console or Tailscale session; the deny defaults go last.

Loopback
    sudo ufw allow in on lo
    sudo ufw allow out on lo
Allow the ProtonVPN server (the only traffic permitted to leave on eth0)
    sudo ufw allow out on eth0 to <VPN_IP> port 1194 proto udp
    sudo ufw allow out on eth0 to <VPN_IP> port 443 proto tcp
📌 <VPN_IP> and the port/protocol come from the remote line of your .ovpn. If that line is a hostname rather than an IP, OpenVPN also needs DNS out on eth0 before the tunnel exists (the port 53 rules in the AutoStart Service card), which is itself a small leak; using the IP avoids it.
Allow VPN tunnel
    sudo ufw allow out on tun0
Allow Tailscale
    sudo ufw allow in on tailscale0
    sudo ufw allow out on tailscale0
Allow SSH (LAN + Tailscale)
    sudo ufw allow in on eth0 from 192.168.1.0/24 to any port 22 proto tcp
    sudo ufw allow in on tailscale0 to any port 22 proto tcp
Allow Plex (LAN + Tailscale)
    sudo ufw allow in from 192.168.1.0/24 to any port 32400 proto tcp
    sudo ufw allow in on tailscale0 to any port 32400 proto tcp
Allow SMB (LAN + Tailscale)
    sudo ufw allow in from 192.168.1.0/24 to any port 445,139 proto tcp
    sudo ufw allow in on tailscale0 to any port 445,139 proto tcp
Allow Sonarr/Radarr/qBittorrent UIs (LAN + Tailscale)
    sudo ufw allow in from 192.168.1.0/24 to any port 8989,7878,8080 proto tcp
    sudo ufw allow in on tailscale0 to any port 8989,7878,8080 proto tcp
Set kill switch (defaults last)
    sudo ufw default deny outgoing
    sudo ufw default deny incoming
Enable UFW
    sudo ufw enable
Verify: with the VPN up, curl ifconfig.io returns the VPN server's address; stop the VPN service and curl ifconfig.io should fail or time out rather than show your ISP address. If it still answers, something is allowed out on eth0 that should not be.
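The two rule lists above (the AutoStart VPN card and this kill-switch card) both depend on one property: nothing is allowed OUT except the tunnels, loopback and the VPN endpoint on the physical NIC. The script below is an added example, not part of the original notes, that audits a `ufw status verbose` dump for that property. It assumes the interface names used in these notes (eth0, tun0, tailscale0); 203.0.113.5 stands in for `<VPN_IP>`, and the dump embedded in the script is constructed to match ufw's column layout.

```sh
# Added example, not from the original guide: audit a `ufw status verbose`
# dump for outbound rules that bypass the VPN. Under a kill switch the only
# things allowed OUT should be the tunnel interfaces (tun0, tailscale0, lo),
# loopback destinations, and the VPN endpoint itself on the physical NIC.
# Anything else (for example the port 53 rules on eth0) is a leak path.
# Run on the NAS as:  sudo ufw status verbose | audit_killswitch 203.0.113.5
# 203.0.113.5 is a placeholder for <VPN_IP>; the dump below is constructed.

audit_killswitch() {
    # $1 = VPN server IP permitted out on the physical NIC. Rules on stdin.
    # Prints one LEAK line per problem; returns 1 if any were found, else 0.
    local vpn_ip="$1" line to rc=0 default_deny_out=0
    while IFS= read -r line; do
        case "$line" in
            Default:*)
                case "$line" in
                    *"deny (outgoing)"*|*"reject (outgoing)"*) default_deny_out=1 ;;
                esac
                continue ;;
            *"ALLOW OUT"*) ;;         # only outbound allows can leak
            *) continue ;;
        esac
        to=${line%%ALLOW OUT*}        # the "To" column of the rule
        case "$to" in
            *"on tun0"*|*"on tailscale0"*|*"on lo"*) ;;   # inside the tunnels
            *127.0.0.1*|*::1*) ;;                          # loopback destinations
            *"$vpn_ip"*) ;;                                # the VPN endpoint
            *) echo "LEAK: $line"; rc=1 ;;
        esac
    done
    if [ "$default_deny_out" -ne 1 ]; then
        echo "LEAK: default outgoing policy is not deny; run: sudo ufw default deny outgoing"
        rc=1
    fi
    return $rc
}

# Constructed sample: the rule set this card produces, as ufw would print it.
UFW_KILLSWITCH='Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere on lo             ALLOW IN    Anywhere
22/tcp on eth0             ALLOW IN    192.168.1.0/24
Anywhere on tun0           ALLOW OUT   Anywhere
Anywhere on tailscale0     ALLOW OUT   Anywhere
203.0.113.5 1194/udp on eth0 ALLOW OUT   Anywhere
Anywhere on lo             ALLOW OUT   Anywhere'

# Same rule set plus the DNS-on-eth0 rule from the AutoStart Service card.
UFW_WITH_DNS="$UFW_KILLSWITCH
53/udp on eth0             ALLOW OUT   Anywhere"

# Demo: the clean set passes; the DNS rule is reported as a leak path.
printf '%s\n' "$UFW_KILLSWITCH" | audit_killswitch 203.0.113.5 && echo "kill switch OK"
printf '%s\n' "$UFW_WITH_DNS" | audit_killswitch 203.0.113.5 || echo "review the rules above"
```

A LEAK line for the port 53 rules is expected if you kept them; decide whether you really need hostname resolution on eth0 before the tunnel is up, and drop them if the .ovpn uses IP addresses.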

Permanent NIC Name Change

Permanent NIC rename to eth0

0) Prep
Check the NIC & MAC:
    ip link show
Copy the MAC (e.g. 8c:ec:4b:57:1f:8a). Make sure you have Tailscale or console access before changing anything: netplan and the ufw rules reference the interface name, so a wrong rename leaves the box unreachable over the LAN.

1) udev rule
    sudo tee /etc/udev/rules.d/10-network-rename.rules >/dev/null <<EOF
    SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="8c:ec:4b:57:1f:8a", NAME="eth0"
    EOF
Replace the MAC if different.

2) GRUB settings (disable predictable interface names so the kernel itself uses eth0)
    sudo sed -i 's/^GRUB_CMDLINE_LINUX.*/GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"/' /etc/default/grub
    sudo update-grub
⚠️ The sed replaces the whole GRUB_CMDLINE_LINUX value; check the file first and keep any options that were already there.

3) Netplan
Edit /etc/netplan/*.yaml: change enp0s31f6: → eth0: (keep IP/gateway).
    sudo netplan apply

4) Initramfs
    sudo update-initramfs -u

5) Reboot & verify
    sudo reboot
    ip link show   # should show eth0

6) UFW check
    sudo ufw status numbered
Re-add the old rules for eth0 if needed, delete the enp0 ones.

7) Test
VPN:       curl -4 ifconfig.io → ProtonVPN IP
Tailscale: tailscale status
SMB:       \\192.168.1.x\Share and \\<tailscale-ip>\Share

Rollback (if broken, from console):
    sudo mv /etc/udev/rules.d/10-network-rename.rules ~/
    # revert netplan to the old interface name
    sudo netplan apply
    sudo update-initramfs -u
    # restore the previous GRUB_CMDLINE_LINUX line in /etc/default/grub, then:
    sudo update-grub
    sudo reboot

Step 3: Network Share

Install Samba
📌 This installs the Samba service (smbd), which lets your NAS share files with Windows, macOS and Linux clients over the SMB protocol.
    sudo apt update
    sudo apt install samba -y

Create shared folders
    sudo mkdir -p /mnt/mediahdd/share
    sudo mkdir -p /mnt/mediassd/share
    sudo chown -R nasadmin:nasadmin /mnt/mediahdd/share
    sudo chown -R nasadmin:nasadmin /mnt/mediassd/share
mkdir creates the folders you'll share. chown gives ownership to your main NAS user (nasadmin) so you don't need sudo for file access. Adjust paths and the user name to your mount points and account.

Back up & edit the Samba config
    sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
    sudo vim /etc/samba/smb.conf
Scroll to the bottom of the file and add (one block per drive):
    [MediaHDD]
    path = /mnt/mediahdd
    browseable = yes
    read only = no
    guest ok = yes
    force user = nasadmin
path → folder being shared.
browseable = yes → visible when browsing network shares.
read only = no → allows write access (upload/modify files).
guest ok = yes → anyone can connect without credentials.
force user = nasadmin → all file operations run as nasadmin, preventing permission issues.
⚠️ guest ok = yes together with read only = no and force user means anyone who can reach port 445 (the whole LAN, and the tailnet if you allow it through) gets read/write access as nasadmin with no password. Fine for a trusted home LAN; otherwise set guest ok = no, add valid users = nasadmin, and give the user a Samba password (below). Run testparm to check the file for syntax errors before restarting.

Restart Samba
    sudo systemctl restart smbd
    sudo systemctl enable smbd
    sudo ufw allow 'Samba'
restart smbd → reloads the Samba service with your new config.
enable smbd → Samba auto-starts on boot.
ufw allow 'Samba' → opens the firewall ports (137,138/udp and 139,445/tcp) from any source. To limit it to the LAN: sudo ufw allow from 192.168.1.0/24 to any app Samba.

(Optional) Set a Samba login password (required if you turn guest access off)
    sudo smbpasswd -a nasadmin

Access from Windows
On your Windows PC open File Explorer and type in the address bar:
LAN access:        \\192.168.1.235   (replace with your NAS local IP)
Via Tailscale:     \\100.73.219.100  (the NAS's Tailscale IP, if using Tailscale)
✅ Your NAS shares (drives) are visible across your LAN.
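The [MediaHDD] block above creates the combination a reviewer looks for first: a share that is writable and open to guests at the same time. The script below is an added example, not part of the original notes, that lints an smb.conf for exactly that, including Samba's synonym spellings (`public` for `guest ok`, `writable`/`writeable` as the inverse of `read only`) and defaults inherited from [global]. The config embedded in it is constructed: the share as written in this card beside a hardened variant of it.

```sh
# Added example, not from the original guide: report every smb.conf share that
# is both writable and guest-accessible, i.e. modifiable by anyone on the
# network with no password. Reads the config on stdin, prints one RISK line per
# offending share, returns 1 if any were found, else 0.
# Usage on the NAS:  audit_smb_conf < /etc/samba/smb.conf

_smb_line() {
    # Handle one config line; updates section/guest/ro/def_*/rc in the caller.
    local line key val
    line=$(printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case "$line" in ''|'#'*|';'*) return 0 ;; esac      # blank or comment
    case "$line" in
        \[*\])
            # A new section header closes the previous share: judge it now.
            if [ -n "$section" ] && [ "$guest" = yes ] && [ "$ro" = no ]; then
                case "$section" in
                    global|printers|print\$) ;;
                    *) echo "RISK: [$section] is writable by unauthenticated guests"; rc=1 ;;
                esac
            fi
            section=${line#\[}; section=${section%\]}
            guest=$def_guest; ro=$def_ro                   # inherit [global] defaults
            return 0 ;;
    esac
    key=$(printf '%s' "${line%%=*}" | tr 'A-Z' 'a-z' | tr -d ' \t')
    val=$(printf '%s' "${line#*=}"  | tr 'A-Z' 'a-z' | tr -d ' \t')
    case "$val" in yes|true|1) val=yes ;; *) val=no ;; esac
    case "$key" in
        guestok|public)     guest=$val ;;
        readonly)           ro=$val ;;
        writable|writeable) if [ "$val" = yes ]; then ro=no; else ro=yes; fi ;;
        *) return 0 ;;
    esac
    # Share parameters set in [global] become the defaults for every share.
    if [ "$section" = global ]; then def_guest=$guest; def_ro=$ro; fi
}

audit_smb_conf() {
    local line section="" guest=no ro=yes def_guest=no def_ro=yes rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        _smb_line "$line"
    done
    _smb_line "[__eof__]"          # sentinel header: closes the last real share
    return $rc
}

count_guest_writable() {
    # Number of guest-writable shares in the config text passed as $1.
    printf '%s\n' "$1" | audit_smb_conf | grep -c '^RISK:' || true
}

# Constructed sample: the card's share as written, plus a hardened variant.
SAMPLE_SMB_CONF='[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[MediaHDD]
   path = /mnt/mediahdd
   browseable = yes
   read only = no
   guest ok = yes
   force user = nasadmin

[MediaSSD]
   path = /mnt/mediassd
   browseable = yes
   writable = yes
   guest ok = no
   valid users = nasadmin
   force user = nasadmin'

# Demo: [MediaHDD] is flagged, [MediaSSD] is not.
printf '%s\n' "$SAMPLE_SMB_CONF" | audit_smb_conf || echo "fix: guest ok = no, valid users = nasadmin, then smbpasswd -a nasadmin"
echo "guest-writable shares: $(count_guest_writable "$SAMPLE_SMB_CONF")"
```

The hardened [MediaSSD] block shows the intended end state for a share that is reachable beyond a trusted LAN: the same `force user` for clean file ownership, but only the listed Samba user, with a password set by `smbpasswd -a`, can connect.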

Step 6: Add a VPN (Optional)

Move your .ovpn file to the NAS over SMB

Download the file (on your PC):
🔹 1. Go to the official site: https://account.protonvpn.com/login
🔹 2. Log in to your ProtonVPN account.
🔹 3. In the sidebar click Downloads, then scroll all the way down to "Manual Configurations".
🔹 4. Under Manual Configurations click the OpenVPN tab (not IKEv2, not WireGuard).
🔹 5. Select:
   Platform: GNU/Linux
   Protocol: UDP (faster, better for torrenting; TCP is more stable but slower)
   Config type: Standard server configs
🔹 6. Pick a country/server. Choose a country with a high server count for faster and more reliable connections. Recommended: 🇳🇱 Netherlands (popular for privacy/torrenting), 🇨🇦 Canada, 🇩🇪 Germany, 🇺🇸 USA (if you want local routing). Click the arrow icon next to the country and download one .ovpn file.
🔹 7. Copy the file to the NAS through the network drive (Step 3) and put it wherever you want.

Install OpenVPN on the NAS
    sudo apt update
    sudo apt install openvpn -y
    sudo mv ~/Downloads/proton-us.ovpn /etc/openvpn/protonvpn.ovpn   # use the path where you put the file on your NAS

Run the VPN (in the foreground, to test)
    sudo openvpn /etc/openvpn/protonvpn.ovpn
*IMPORTANT* Enter your ProtonVPN credentials when prompted:
For Auth Username use your ProtonVPN OpenVPN/IKEv2 credentials, not your Proton account email or login password. These are separate credentials you must generate:
    ProtonVPN dashboard → Account → OpenVPN / IKEv2 username → Show, then copy the username and password.
Return to the terminal and enter them when prompted.

Step 4: Tailscale Set up - For Remote

On main PC (Windows)
Open PowerShell as Administrator and add firewall rules to allow Tailscale traffic:
    New-NetFirewallRule -DisplayName "Tailscale Outbound" `
        -Direction Outbound -Protocol Any `
        -RemoteAddress 100.64.0.0/10 `
        -Action Allow
    New-NetFirewallRule -DisplayName "Tailscale SSH Replies" `
        -Direction Inbound -Protocol TCP `
        -LocalPort Any -RemotePort 22 `
        -RemoteAddress 100.64.0.0/10 `
        -Action Allow
Explanation
100.64.0.0/10 → the CGNAT range Tailscale assigns node addresses from (100.64.0.0 to 100.127.255.255). The earlier 100.0.0.0/8 is wider than Tailscale's range and includes public Internet space; the /10 is also what the ufw rules later in these notes use.
First rule → allows all outbound traffic to Tailscale peers.
Second rule → allows replies from the NAS's SSH port (22) back to the PC. Windows Defender Firewall already tracks connection state, so this is normally redundant, but harmless.

On NAS (Ubuntu)
Install Tailscale:
    curl -fsSL https://tailscale.com/install.sh | sh
Start & link the device:
    sudo tailscale up
Outputs a login link (open it in a browser, sign in). Once authenticated, your NAS joins your Tailscale network.
(Optional) Enable SSH via Tailscale:
    sudo tailscale up --ssh
📌 Allows direct SSH between devices in your Tailscale network with no port forwarding. Tailscale SSH authenticates with your Tailscale identity and the tailnet's ACL policy rather than sshd's keys, so check the ACLs in the admin console before relying on it.

Verify connection
    tailscale ip          # on the NAS → its Tailscale IP (example: 100.73.219.100)
From your PC:
    ping 100.73.219.100
You should see replies ✅

Add PC to Tailscale network
Go to your Tailscale admin console (link from sudo tailscale up). Approve your PC → it now joins the same virtual private network.
✅ At this point your PC and NAS are securely connected over Tailscale. You can SSH into the NAS with:
    ssh nasadmin@100.73.219.100

Step 6: Install VPN (Continued)

Run VPN with a credentials file
    sudo vim /etc/openvpn/credentials.txt
Two lines: OpenVPN username on line 1, password on line 2 (your ProtonVPN OpenVPN credentials, NOT your Proton email/password):
    your_openvpn_username
    your_openvpn_password
    sudo chmod 600 /etc/openvpn/credentials.txt
    sudo vim /etc/openvpn/protonvpn.ovpn
Find the line that reads auth-user-pass and append the file path so it reads:
    auth-user-pass /etc/openvpn/credentials.txt
Start VPN (foreground test):
    sudo openvpn /etc/openvpn/protonvpn.ovpn
Verify:
    curl ifconfig.me

Run in background (systemd)
The openvpn@<name> unit reads /etc/openvpn/<name>.conf, so rename the file before enabling it:
    sudo mv /etc/openvpn/protonvpn.ovpn /etc/openvpn/protonvpn.conf
    sudo systemctl enable openvpn@protonvpn
    sudo systemctl start openvpn@protonvpn
📌 The unit runs as root, so the credentials file must be root-owned and chmod 600. These notes use several names for it (credentials.txt here, auth.txt and login.txt in other cards); whichever you pick, the auth-user-pass line in the config must point at that exact file.

Check that it's running:
    ip a | grep tun0
    --> tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
        inet 10.96.0.15/16 scope global tun0
If tun0 is there you are good. Or:
    curl ifconfig.io   --> should return the VPN server's public IP (e.g. 217.23.3.171), not your ISP address

Jackett (Optional)

Step 1: Installation
    wget https://github.com/Jackett/Jackett/releases/latest/download/Jackett.Binaries.LinuxAMDx64.tar.gz
    tar -xvzf Jackett.Binaries.LinuxAMDx64.tar.gz
    sudo mv Jackett /opt/Jackett
    sudo chown -R nasadmin:nasadmin /opt/Jackett

Step 2: Create systemd service (runs as the unprivileged nasadmin user, not root)
    sudo vim /etc/systemd/system/jackett.service

    [Unit]
    Description=Jackett Daemon
    After=network.target

    [Service]
    User=nasadmin
    Group=nasadmin
    Type=simple
    ExecStart=/opt/Jackett/jackett --NoUpdates
    WorkingDirectory=/opt/Jackett
    Restart=always

    [Install]
    WantedBy=multi-user.target

    sudo systemctl daemon-reexec
    sudo systemctl daemon-reload
    sudo systemctl enable --now jackett

Step 3: Web access
Over Tailscale (no port forwarding needed): http://100.x.x.x:9117
📌 Jackett listens on 9117 on every interface. The VPN/Killswitch Rules card does not open 9117, so add it there scoped to the LAN and Tailscale (like 8989/7878/8080) rather than with a blanket sudo ufw allow 9117, and set an admin password in Jackett's dashboard configuration, which is empty by default.

Sonarr (Optional)

Step 1: Sonarr installation (PC download + SMB transfer)
The Sonarr install script failed on Ubuntu 24.04 (no apt package available), so Sonarr.main.4.0.15.2941.linux-x64.tar.gz was downloaded manually from the official site on the PC and placed in the mounted share:
    \\192.168.1.235\MediaHDD\Software Downloads\
On the NAS:
    cd /mnt/mediahdd/Software\ Downloads
    tar -xvzf Sonarr.main.4.0.15.2941.linux-x64.tar.gz
    sudo mv Sonarr /opt/Sonarr
    sudo chown -R nasadmin:nasadmin /opt/Sonarr

Step 2: Create systemd service (runs as nasadmin, not root)
    sudo vim /etc/systemd/system/sonarr.service

    [Unit]
    Description=Sonarr Daemon
    After=network.target

    [Service]
    User=nasadmin
    Group=nasadmin
    Type=simple
    ExecStart=/opt/Sonarr/Sonarr
    WorkingDirectory=/opt/Sonarr
    Restart=on-failure

    [Install]
    WantedBy=multi-user.target

    sudo systemctl daemon-reexec
    sudo systemctl daemon-reload
    sudo systemctl enable --now sonarr

Step 3: Web access
Web UI at: http://100.x.x.x:8989
📌 Port 8989 is in the LAN + Tailscale allow list of the VPN/Killswitch Rules card; keep it out of any blanket allow rule, and set an authentication method and credentials under Settings > General in the Sonarr UI.

Step 1: Server Creation + Hardening Guide

Update
    sudo apt update && sudo apt upgrade -y
🔹 Keeps the OS and all installed packages up to date.
🔹 Always do this before installing/configuring services.

Harden SSH server
Open the SSH config:
    sudo vim /etc/ssh/sshd_config
Set the following options:
    PermitRootLogin no          # Block root login
    PasswordAuthentication no   # Require SSH keys only
    UsePAM yes
    AllowUsers nasadmin         # Replace 'nasadmin' with your username
Before restarting: make sure your public key is already in nasadmin's ~/.ssh/authorized_keys, validate the file with sudo sshd -t, and check the effective values with sudo sshd -T. Ubuntu includes /etc/ssh/sshd_config.d/*.conf at the top of sshd_config and the first value wins, so a drop-in such as 50-cloud-init.conf can silently keep PasswordAuthentication yes; also confirm KbdInteractiveAuthentication is no (Ubuntu's default), otherwise PAM can still prompt for a password.
Save and restart SSH:
    sudo systemctl restart ssh
✅ Test from another machine:
    ssh nasadmin@<NAS-IP>   # your username
⚠️ Don't close your existing SSH session until you verify the new one works.

Configure static IP
First, find your default gateway:
    ip route
Look for a line like:
    default via 192.168.1.1 dev enp0s31f6
192.168.1.1 = gateway, enp0s31f6 = interface name.
Edit the netplan config:
    sudo vim /etc/netplan/00-installer-config.yaml
Example config:
    network:
      version: 2
      ethernets:
        enp0s31f6:                  # Use your actual interface name
          dhcp4: no
          addresses:
            - 192.168.1.150/24      # Static IP
          gateway4: 192.168.1.1     # Gateway from `ip route`
          nameservers:
            addresses: [1.1.1.1, 8.8.8.8]   # Cloudflare & Google DNS
(Newer netplan versions warn that gateway4 is deprecated in favour of a routes: entry with to: default; it still works.)
Apply changes:
    sudo netplan apply
    sudo systemctl restart systemd-networkd

Test
Check the assigned IP:
    ip a
Test connectivity:
    ping -c 3 google.com
Verify SSH access from another client:
    ssh nasadmin@192.168.1.150
ssh = secure shell; nasadmin = your NAS username; 192.168.1.150 = your static IP.

Enable firewall (UFW)
Allow essential services:
    sudo ufw allow OpenSSH
    sudo ufw allow 32400/tcp   # Plex
    sudo ufw allow 6881/tcp    # qBittorrent
    sudo ufw allow 6881/udp    # qBittorrent
Enable the firewall:
    sudo ufw enable
Check status:
    sudo ufw status
✅ Only necessary ports should be open. These rules accept from any source; the VPN/Killswitch Rules card later replaces them with rules scoped to the LAN and Tailscale.
📌 Notes
Replace nasadmin with your actual user.
Replace 192.168.1.150 with your chosen static IP.
Replace enp0s31f6 with your actual network interface.
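The SSH hardening above only works if the values you typed are the ones sshd actually applies. The script below is an added example, not part of the original notes, that checks the output of `sshd -T` (the effective configuration, drop-ins included) for the four settings that matter and for the AllowUsers entry. It assumes the user name nasadmin from these notes; the two `sshd -T` dumps embedded in it are constructed, one hardened and one where a cloud-init drop-in has kept password logins on.

```sh
# Added example, not from the original guide: verify the *effective* sshd
# settings after editing sshd_config. `sshd -T` prints the configuration as the
# daemon will apply it, including /etc/ssh/sshd_config.d/*.conf, so it catches
# the Ubuntu case where a drop-in such as 50-cloud-init.conf re-enables
# passwords. Run on the NAS as:  sudo sshd -T | check_sshd_hardening nasadmin
# The sample dumps below are constructed to mimic sshd -T's "key value" lines.

check_sshd_hardening() {
    # $1 = the only account that should be allowed in. Reads sshd -T on stdin.
    # Prints one FAIL line per violation and returns 1 if any, else 0.
    local want_user="$1" key val rc=0
    local permitroot="" passwd="" kbd="" pubkey="" allowusers=""
    while IFS=' ' read -r key val; do
        case "$key" in
            permitrootlogin)              permitroot=$val ;;
            passwordauthentication)       passwd=$val ;;
            kbdinteractiveauthentication) kbd=$val ;;
            pubkeyauthentication)         pubkey=$val ;;
            allowusers)                   allowusers="$allowusers $val" ;;  # one line per user
        esac
    done
    [ "$permitroot" = no ] || { echo "FAIL: permitrootlogin is '${permitroot:-unset}'"; rc=1; }
    [ "$passwd" = no ]     || { echo "FAIL: passwordauthentication is '${passwd:-unset}' (check /etc/ssh/sshd_config.d/)"; rc=1; }
    [ "$kbd" = no ]        || { echo "FAIL: kbdinteractiveauthentication is '${kbd:-unset}' (PAM can still ask for a password)"; rc=1; }
    [ "$pubkey" = yes ]    || { echo "FAIL: pubkeyauthentication is '${pubkey:-unset}'"; rc=1; }
    case " $allowusers " in
        *" $want_user "*) ;;
        *) echo "FAIL: allowusers does not include $want_user (got:${allowusers:- none})"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample 1: what sshd -T shows when the edit took effect.
SSHD_T_HARDENED='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
usepam yes
allowusers nasadmin'

# Constructed sample 2: same edit, but a drop-in kept passwords enabled.
SSHD_T_CLOUDINIT='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
usepam yes
allowusers nasadmin'

# Demo: the first passes, the second reports the password setting.
printf '%s\n' "$SSHD_T_HARDENED"  | check_sshd_hardening nasadmin && echo "sshd hardening OK"
printf '%s\n' "$SSHD_T_CLOUDINIT" | check_sshd_hardening nasadmin || echo "fix the drop-in, then: sudo systemctl restart ssh"
```

Run the check in your existing session before you log out of it, for the same reason the card says not to close that session: a failing check means the new settings are not what sshd is enforcing.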

Step 2: Mount Drives - Fresh drives

Wipe disk
    sudo wipefs -a /dev/<DISK>
Removes all old data/partitions. Example: /dev/sda. ⚠️ Irreversible; confirm the device with lsblk first.

Create GPT table
    sudo parted /dev/<DISK> -- mklabel gpt
Modern layout, required for >2TB drives.

Make partition
    sudo parted /dev/<DISK> -- mkpart primary ext4 0% 100%
Fills the disk → /dev/<DISK>1.

Format partition
    sudo mkfs.ext4 -L <LABEL> /dev/<DISK>1
Makes an ext4 filesystem and adds a label like MediaHDD.

Make mount point
    sudo mkdir -p /mnt/<MOUNTNAME>
Folder where the drive attaches. Example: /mnt/mediahdd.

Add to fstab
    sudo vim /etc/fstab
Append the line:
    /dev/<DISK>1 /mnt/<MOUNTNAME> ext4 defaults,nofail 0 2
Mounts automatically at boot with safe defaults (nofail lets the system boot even if the drive is missing). 📌 /dev/sdX names can change between boots when drives are added or removed; since the filesystem already has a label, LABEL=<LABEL> (or UUID=... from lsblk -f) in place of /dev/<DISK>1 is the stable choice.

Mount all
    sudo mount -a
Activates the entries in /etc/fstab.

Set ownership
    sudo chown -R <USER>:<USER> /mnt/<MOUNTNAME>
Ex: nasadmin. Lets your user read/write without sudo.

📌 Variables
<DISK> = drive name (sda, sdb) → find with lsblk or fdisk -l.
<LABEL> = friendly drive name (MediaHDD/MediaSSD).
<MOUNTNAME> = mount folder under /mnt/.
<USER> = main account (ex: nasadmin).

💡 After mounting, confirm with:
    lsblk -f
Shows drives, labels and mountpoints → match the one you added to /etc/fstab.

