Home NAS Access
The problem
Section titled “The problem”Home NAS devices like Synology, TrueNAS, and Nextcloud are built for always-on access to your files, photos, and media. But they sit behind your home router, invisible to the internet. If your ISP uses carrier-grade NAT (CGNAT), you cannot forward ports even if you wanted to. Many users do not have access to their router configuration at all.
The traditional workarounds each have drawbacks. Port forwarding exposes your NAS directly to the internet and breaks under CGNAT. Dynamic DNS services are fragile, suffer from TTL propagation delays, and still require an open port. VPNs work but demand client software on every device you want to connect from, and mobile clients are unreliable. Airdress gives your NAS a stable public URL that works from any browser on any device, with no router changes.
Architecture
Section titled “Architecture”flowchart LR
A[Phone / Laptop] -->|HTTPS| B[Relay PoP]
B -->|WireGuard| C[Operator]
C --> D[NAS Web UI]
Your phone or laptop connects to your *.a.airdr.es name over HTTPS.
The relay PoP forwards the traffic through a WireGuard tunnel to the
operator running on (or next to) your NAS. The operator hands it to the
NAS web interface.
Walkthrough
Section titled “Walkthrough”-
Install the operator
Install on the NAS itself (if it supports Linux binaries) or on a companion device like a Raspberry Pi on the same local network:
Terminal window curl -fsSL https://get.airdress.co/operator | shConfirm it installed:
Terminal window airdress-operator --version -
Start the operator exposing the NAS web UI
Point the operator at your NAS web interface port. The port depends on your NAS platform:
Synology DSM listens on port 5000 (HTTP) or 5001 (HTTPS) by default.
Terminal window airdress-operator serve --bind 0.0.0.0:5001If DSM is configured to use non-default ports, substitute your custom port number.
TrueNAS serves its web UI on port 80 (HTTP) or 443 (HTTPS).
Terminal window airdress-operator serve --bind 0.0.0.0:443Nextcloud typically runs on port 80 (HTTP) or 443 (HTTPS) behind Apache or nginx.
Terminal window airdress-operator serve --bind 0.0.0.0:443If you run Nextcloud in Docker with a mapped port (e.g. 8080), use that port instead.
Wait for the tunnel to establish:
INFO wireguard handshake complete relay=ams latency=12msINFO operator ready wg_port=51820 -
Verify remote access
From your phone or any device outside your home network, open a browser and navigate to:
https://your-name.a.airdr.esYou should see your NAS login screen. Log in with your NAS credentials as usual.
-
Set up as a systemd service
For the operator to survive reboots and run unattended, create a systemd unit:
Terminal window sudo tee /etc/systemd/system/airdress-operator.service > /dev/null <<'EOF'[Unit]Description=Airdress OperatorAfter=network-online.targetWants=network-online.target[Service]ExecStart=/usr/local/bin/airdress-operator serve --bind 0.0.0.0:443Restart=alwaysRestartSec=5[Install]WantedBy=multi-user.targetEOFEnable and start it:
Terminal window sudo systemctl daemon-reloadsudo systemctl enable --now airdress-operatorCheck that it is running:
Terminal window sudo systemctl status airdress-operator
Production considerations
Section titled “Production considerations”-
TLS is preserved. If your NAS serves HTTPS natively (Synology DSM on port 5001, TrueNAS with a certificate), TLS passthrough on the relay keeps the connection encrypted end to end.
-
Run as a systemd service. The operator should start automatically on boot. The systemd unit in step 4 handles this, including automatic restarts on failure.
-
Bandwidth. All traffic flows through the relay. This is well-suited for file browsing, photo viewing, and media streaming. Multi-gigabyte file transfers will work but are limited by relay throughput. For bulk transfers, consider a direct local connection.
-
Keep the operator updated. Re-running the installer picks up the latest stable release safely:
Terminal window curl -fsSL https://get.airdress.co/operator | sh