Max

Posted on Apr 10 • Originally published at orthogonal.info

Secure TrueNAS Plex Setup for Your Homelab

#security #devops #linux #homelab

Learn how to set up Plex on TrueNAS with enterprise-grade security practices tailored for home use. Protect your data while enjoying smooth media streaming.

TrueNAS and Plex

The error message was cryptic: “Permission denied.” You just wanted to stream your favorite movie, but Plex refused to cooperate. Meanwhile, your TrueNAS server was humming along, oblivious to the chaos. If you’ve ever struggled with setting up a secure and functional Plex server on TrueNAS, you’re not alone.

TrueNAS is a powerful, open-source storage solution designed for reliability and scalability. It’s built on ZFS, a solid file system that offers advanced features like snapshots, compression, and data integrity checks. For homelab enthusiasts, TrueNAS is often the backbone of their setup, providing centralized storage for everything from personal files to virtual machines.

Plex, on the other hand, is the go-to media server for streaming movies, TV shows, and music across devices. Combining TrueNAS and Plex allows you to use enterprise-grade storage for your media library while enjoying smooth streaming. But here’s the catch: without proper security measures, you’re leaving your data—and potentially your network—vulnerable to attacks.

TrueNAS and Plex are popular choices for homelab setups because they complement each other perfectly. TrueNAS ensures your data is stored securely and efficiently, while Plex provides a user-friendly interface for accessing your media. However, combining these two requires careful planning to avoid common pitfalls such as permission issues, performance bottlenecks, and security vulnerabilities.

For example, many users encounter issues with Plex not being able to access their media files due to incorrect permissions on the TrueNAS side. This is often caused by a misunderstanding of how TrueNAS handles datasets and user permissions. Also, without proper network isolation, your Plex server could inadvertently expose your TrueNAS system to external threats.

💡 Pro Tip: Before starting, map out your homelab architecture on paper or with a tool like draw.io. This will help you visualize how Plex and TrueNAS will interact within your network.

Preparing Your Homelab for Secure Deployment

Before diving into the installation, let’s talk about the foundation: your homelab’s hardware and network setup. A secure deployment starts with the right infrastructure.

Hardware Requirements: TrueNAS requires a machine with ECC (Error-Correcting Code) RAM for data integrity, multiple hard drives for ZFS pools, and a CPU with virtualization support if you plan to run additional services. Plex, while less demanding, benefits from a CPU with good transcoding capabilities, especially if you stream to multiple devices simultaneously.

For example, if you plan to stream 4K content to multiple devices, a CPU with hardware transcoding support (such as Intel Quick Sync or an NVIDIA GPU) can significantly improve performance. On the storage side, using SSDs for your ZFS cache can speed up access to frequently used files.

Network Isolation: Your homelab should be isolated from your main network. This is where VLANs (Virtual LANs) come into play. By segmenting your network, you can ensure that devices in your homelab don’t have unrestricted access to the rest of your network.

For instance, you can configure your router or managed switch to create a VLAN specifically for your homelab. This VLAN can include your TrueNAS server, Plex server, and any other devices you use for testing or development. By applying firewall rules, you can control which devices can communicate with each other and with the internet.

⚠️ Security Note: Always configure your firewall to block unnecessary inbound and outbound traffic. Open ports are an open invitation for attackers.

Also, consider using a dedicated firewall like OPNsense to manage traffic between VLANs. This gives you granular control over what devices can communicate with your homelab. For example, you can allow Plex to access the internet for updates but block it from communicating with other devices outside its VLAN.

# Example: Creating a VLAN in OPNsense
vlan create 10
vlan set description "Homelab VLAN"
vlan assign interface em0

Installing and Configuring TrueNAS

With your hardware and network ready, it’s time to install TrueNAS. The process is straightforward, but there are a few critical steps to ensure a secure setup.

Step 1: Installation
Download the TrueNAS ISO from the official website and create a bootable USB drive using tools like Rufus or BalenaEtcher. Boot your server from the USB and follow the installation wizard. Choose a strong root password during setup—this is your first line of defense.

During installation, you’ll be prompted to configure your network settings. Make sure to assign a static IP address to your TrueNAS server. This makes it easier to access the web interface and ensures that your server remains accessible even if your router reboots.

Step 2: ZFS Pools
Once TrueNAS is installed, log into the web interface and navigate to the Storage section. Create ZFS pools using your hard drives. For Plex, it’s best to create a dedicated dataset for your media library. This allows you to set specific permissions and quotas.

# Example: Creating a dataset for Plex media
zfs create tank/plex_media
zfs set quota=500G tank/plex_media
zfs set compression=on tank/plex_media
zfs set acltype=posixacl tank/plex_media

Step 3: User Permissions
Create a dedicated user for Plex with restricted access. Assign this user permissions to the Plex dataset only. This prevents Plex from accessing other parts of your storage.

To do this, navigate to the Users section in the TrueNAS web interface and create a new user. Assign this user to a group specifically created for Plex. Then, use ACLs (Access Control Lists) to grant the group read/write access to the Plex dataset.

💡 Pro Tip: Use ACLs (Access Control Lists) for fine-grained permission control. TrueNAS makes this easy via its web interface.

If you encounter issues with permissions, check the dataset’s ACL settings and ensure that the Plex user has the necessary access. A common mistake is forgetting to apply changes after modifying ACLs.

Setting Up Plex with Enterprise Security Practices

With TrueNAS configured, it’s time to install Plex. While Plex is relatively simple to set up, securing it requires extra effort.

Step 1: Installation
TrueNAS SCALE users can install Plex via the built-in Apps section. For TrueNAS CORE, you’ll need to create a jail and install Plex manually.

# Example: Installing Plex in a TrueNAS jail
pkg install plexmediaserver
sysrc plexmediaserver_enable=YES
service plexmediaserver start

Step 2: Securing Plex
Enable SSL for Plex to encrypt traffic between your server and clients. You can use a self-signed certificate or integrate with Let’s Encrypt for a trusted certificate. Also, set a strong password for your Plex account and enable two-factor authentication.

⚠️ Security Note: Disable remote access unless absolutely necessary. If you must enable it, use a VPN to secure the connection.

Step 3: Minimizing Attack Vectors
Restrict Plex’s network access using firewall rules. For example, block Plex from accessing the internet except for updates. This reduces the risk of data leaks.

Another way to secure Plex is by using a reverse proxy like Nginx or Traefik. This allows you to manage SSL certificates and enforce additional security measures such as rate limiting and IP whitelisting.

# Example: Configuring Nginx as a reverse proxy for Plex
server {
    listen 443 ssl;
    server_name plex.example.com;

    ssl_certificate /etc/nginx/ssl/plex.crt;
    ssl_certificate_key /etc/nginx/ssl/plex.key;

    location / {
        proxy_pass http://localhost:32400;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Ongoing Maintenance and Security Monitoring

Setting up Plex and TrueNAS is only half the battle. Maintaining their security requires regular updates and monitoring.

Regular Updates: Both TrueNAS and Plex release updates to patch vulnerabilities. Schedule regular update checks and apply patches promptly. For TrueNAS SCALE, updates can be applied directly from the web interface.

Log Monitoring: TrueNAS and Plex generate logs that can help you identify suspicious activity. Set up log forwarding to a centralized logging solution like Graylog or ELK for easier analysis.

# Example: Forwarding logs from TrueNAS
syslogd -a graylog.local:514

Disaster Recovery: Automate backups of your Plex dataset and TrueNAS configuration. Store backups on a separate device or cloud storage to ensure recovery in case of hardware failure.

💡 Pro Tip: Test your backups periodically. A backup is useless if it doesn’t work when you need it.

Also, consider implementing a snapshot schedule for your ZFS pools. Snapshots allow you to roll back to a previous state in case of accidental data deletion or corruption.

Advanced Networking for Plex and TrueNAS

For users looking to take their homelab to the next level, advanced networking configurations can improve both security and performance.

Using VLANs: As mentioned earlier, VLANs are essential for network isolation. However, you can also use VLANs to prioritize traffic. For example, you can assign a higher priority to Plex traffic to ensure smooth streaming even during heavy network usage.

Implementing QoS: Quality of Service (QoS) settings on your router or switch can help manage bandwidth allocation. This is particularly useful if you have multiple users accessing Plex simultaneously.

# Example: Configuring QoS for Plex traffic
qos set priority high plex_vlan

💡 Pro Tip: Use tools like Wireshark to analyze network traffic and identify bottlenecks.

🛠️ Recommended Resources:

Tools and books mentioned in (or relevant to) this article:

Crucial 64GB DDR4 ECC SODIMM Kit — ECC RAM for data integrity in your NAS or hypervisor ($150-200)
WD Red Plus 8TB NAS HDD — CMR drive designed for 24/7 NAS operation with RAID support ($140-180)
Protectli Vault FW4B — Fanless mini PC perfect for pfSense/OPNsense firewall ($300-400)
UniFi Dream Machine Pro — All-in-one network appliance with IDS/IPS and VLAN support ($379-399)

main points

TrueNAS and Plex make a powerful combination for homelabs, but security must be a priority.
Isolate your homelab using VLANs and firewall rules to protect your main network.
Use ZFS datasets and ACLs to control access to your media library.
Secure Plex with SSL, strong passwords, and restricted network access.
Regular updates, log monitoring, and automated backups are essential for ongoing security.
Advanced networking configurations like VLANs and QoS can improve performance and security.

Have questions or tips about securing your homelab? Drop a comment or reach out on Twitter. Next week, we’ll explore setting up OPNsense with VLANs for advanced network segmentation. Stay tuned!