My intention is to set up an NFS / iSCSI share on TrueNAS and connect them to a Proxmox hypervisor and its VMs in a Zero Trust Network (ZTN) manner.
Recently Zero Trust Networks have been on the rise. I agree with its principles and I want to set everything up in a “zero trust” manner, i.e. authentication for every internal service.
P2P VPN services like TailScale feel a bit of an overkill for NAS or SAN. They are a VPN, so of course they come with encryption, and I’m not sure if the overhead of encryption is significant on block level protocols like iSCSI; I assume it is. Even if it is not, of course storage for a service is something that actually does require high availability, and I’m not sure if TailScale / NetBird’s lack of reliability is something you would want in storage/disk.
In the end, all I want to do is add authentication to them. In TrueNAS, which is what I’m using, they do allow you to add authentication via Kerberos for NFS and CHAP for iSCSI. However, my intention is to connect them to Proxmox, and Proxmox doesn’t seem to come with an `out of the box` solution for handling these authentication protocols. I have read online that if you don’t know much about them, you should stay away from them due to their complex nature.
So in the end, I still haven’t found a good ZTN solution for these NAS/SAN solutions. A lot of the solutions I see online are based on `perimeter defense` type concept, connecting them to a completely independent and separate network from the rest.
Anyhow, I know people are going to tell me to `google it` as if I haven’t done that already. But please tell me how you have setup your NAS/SAN.
You’re going to lose a lot of performance over Wireguard/Tailscale especially for something as performance sensitive as disk writes. I’d recommend for this just doing IP specific trusts with the usual authentication methods.
Tailscale is great for most applications but not for iSCSI.
When it comes to iSCSI, the best option is physical isolation. No routing, only switching, or direct nic to nic.
Proxmox > Wireguard > MCHAP > iSCSI
Your idea of ZeroTrust is great as an experiment, but you’ll find it massively impacts performance… network storage such as NFS, iSCSI and even SMB are extremely chatty, they generate a lot of back-and-forth, and iSCSI is broadcast happy.
The point is, this will increase latency, and the effect will be exponential because of the chattiness; it will take longer to send and receive responses. In addition VPNs add overhead to the packet, so the actual MTU is smaller…
In businesses we create a dedicated storage network, i.e. a pair of switches that the array is connected to, and each server NIC connected to the same switch, but they have no uplink to the LAN… You can achieve a similar result using an isolated VLAN, then any NICs you connect to this, only give them layer 2 connectivity (i.e. set an IP address, but don’t set the gateway).
Though if you test this, it’d be awesome to see a write up…
Zero trust is just the opposite of SSO. You could use cloudflare tunnels
Yes this is what I thought. But what do you mean by the ‘usual authentication method’ though. Do you mean no authentication method?
+1… including full disk encryption. Not much point to all the “zero trust” auth security without any physical security for data at rest.
I’ve googled MCHAP but all I got was MS-CHAP are they the same?
Also could you tell me why you went for wireguard+MCHAP instead of just tailscale?
Zero trust is just the opposite of SSO.
This can’t be more wrong. SSO is often if not always part of a zero trust system.
How are you so wrong? Is google blocked in your country?
However you would normally authenticate to mount an iSCSI share.
Yeah sorry MS-CHAP, typo on mobile, can happen
I would never use Tailscale. Why use third party crap when you can use the real deal?
Yes, although it’s continuous auth and posture checks that add the zero trust-iness for me.
Yes but what protocol do you use to authenticate your iSCSI?
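The thread keeps circling back to two concrete controls: CHAP on the iSCSI initiator and Kerberos (`sec=krb5*`) on the NFS export. The audit script below is an added example, not code from any poster or from TrueNAS/Proxmox; it checks constructed samples of an open-iscsi `iscsid.conf` and a Linux-style `/etc/exports` for the weak defaults (no CHAP, `sec=sys`, `no_root_squash`) and assumes the standard open-iscsi key names.

```python
import re

KRB5_FLAVORS = {"krb5", "krb5i", "krb5p"}

# Constructed sample /etc/iscsi/iscsid.conf fragments (open-iscsi key names).
ISCSID_WEAK = """\
node.startup = automatic
#node.session.auth.authmethod = CHAP
"""
ISCSID_HARDENED = """\
node.session.auth.authmethod = CHAP
node.session.auth.username = pve-initiator
node.session.auth.password = CHANGE-ME-PLACEHOLDER
discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = pve-initiator
discovery.sendtargets.auth.password = CHANGE-ME-PLACEHOLDER
"""
# Constructed sample /etc/exports lines (Linux/TrueNAS SCALE syntax assumed).
EXPORTS_WEAK = "/mnt/tank/vms 10.0.10.0/24(rw,sec=sys,no_root_squash)"
EXPORTS_HARDENED = "/mnt/tank/vms pve1.lab.example(rw,sec=krb5p,root_squash)"

def parse_kv(text):
    """Turn 'key = value' lines into a dict; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_iscsid(text):
    """Flag initiator settings that leave sessions or discovery unauthenticated."""
    conf = parse_kv(text)
    findings = []
    for scope in ("node.session", "discovery.sendtargets"):
        if conf.get(f"{scope}.auth.authmethod", "None") != "CHAP":
            findings.append(f"{scope}: CHAP not enabled")
        elif not (conf.get(f"{scope}.auth.username") and conf.get(f"{scope}.auth.password")):
            findings.append(f"{scope}: CHAP enabled but username/password missing")
    return findings

def audit_exports(text):
    """Flag exports relying on AUTH_SYS (client-asserted UIDs) instead of Kerberos."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path = line.split()[0]
        for client, opts in re.findall(r"(\S+?)\(([^)]*)\)", line):
            options = opts.split(",")
            sec = [o[4:] for o in options if o.startswith("sec=")]
            flavors = set(sec[-1].split(":")) if sec else {"sys"}  # exports default is sec=sys
            if not flavors <= KRB5_FLAVORS:
                findings.append(f"{path} -> {client}: allows {','.join(sorted(flavors - KRB5_FLAVORS))}")
            if "no_root_squash" in options:
                findings.append(f"{path} -> {client}: no_root_squash")
    return findings
```

Run it against the real files on the Proxmox node (`/etc/iscsi/iscsid.conf`) and the exports TrueNAS generates to see which of the thread's "usual authentication methods" are actually enforced.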