You might try Tailscale or Wire Guard. Either can be used to create a mesh VPN that can include any device you want. Connect your devices to the VPN then you just access it like it is on your local network. Of the two I use Tailscale. Dead simple to setup on pretty much any device.

I looked into Nextcloud, but that requires paying for a domain

Depending on what installation method you choose to go with, you don’t need a domain. It’s just very much helpful to have one. Especially if you decide to have it public facing. Plus domains are cheap. A bigger issue for us self hosters is dealing with dynamic IPs. Most of the time you can buy a static IP from your ISP, but if that is not an option, most domain providers provide a way to deal with variable IP addresses.

And yes, Tailscale does ignore dynamic IP addresses. I think Wire Guard does as well as Tailscale is built on Wire Guard.

but that requires paying for a domain

You say that as if (normal) domains are expensive. You’re gonna be paying a lot more for electricity for your NAS than a domain. If you don’t need anything recognizable which you just want to use for yourself, you can even get a 1.111B class domain (000000.xyz - 999999999.xyz) which are just $1 per year. It’s a much better option than a dyndns service because you can actually do whatever you need to with the domain.

VPN

Yes it’s easy, install WireGuard in a container, port forward to it and copy the profile to your other devices.

When you connect to the WireGuard network on the second device, you’ll have access to your internal network and hence your nas.

I also use a reverse proxy so I can remember computer names rather than ip.

You don’t need to own a domain, what you most likely need is some kind of dynamic DNS service.

https://freedns.afraid.org/ is one of them, they’ll give you a subdomain you can pick and the client will update the IP to which the domain point whenever it changes.

This is what you need, assuming you’ve a public IP from your ISP and you can go into your router and port forward ports to your TrueNAS server.

Now regarding software, since you’re using Syncthing already I would suggest you stay away from the complexities and vulnerabilities of Nextcloud and simply use FileBrowser, this is way easier to setup and use. I believe there’s even something on TrueNAS to get it running.

How if you’re about to expose your NAS/setup to the internet you’ve to consider a few things for your own safety.

Quick check list for outward facing servers:

1. Only expose required services (web server nginx, game server, program x) to the Internet. Everything else such as SSH, configuration interfaces and whatnot can be moved to another private network and/or a WireGuard VPN you can connect to when you want to manage the server;
2. Use custom ports with 5 digits for everything - something like 23901 (up to 65535) to make your service(s) harder to find;
3. Disable IPv6? Might be easier than dealing with a dual stack firewall and/or other complexities;
4. Use nftables / iptables / another firewall and set it to drop everything but those ports you need for services and management VPN access to work - 10 minute guide;
5. Use your firewall to restrict what countries are allowed to access your server. If you’re just doing it for a few friends only allow incoming connection from your country (https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching)

Realistically speaking if you’re doing this just for you / a few friends why not require them to access the server through WireGuard VPN? This will reduce the risk a LOT and won’t probably impact the performance. This is a decent setup guide https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-debian-11 and you might use this GUI to add/remove clients easily https://github.com/ngoduykhanh/wireguard-ui

With WireGuard you’ll only need to port forward the WG port reducing the attack surface. After you connect to the VPN you get access to the server as if you were on the local network. This mean you’ll even get SMB/Samba access to the files and/or access to any other service the server might me providing, you don’t need anything else or change your current workflow, simply connect to the VPN and access your data as if you were home.

Another advantage of going with WireGuard is that you can more safely ignore the step (4) and (5) because only exposing the VPN through a port forward in your router won’t create much of an attack surface / anything that can be bruteforced. Your setup will be easier to deploy and maintain.

Note that WireGuard is designed with security in mind and it won’t even be visible in typical IP scans / will ignore any piece of traffic that isn’t properly encrypted with your keys.

I use SSH with port fowarding to securely access my services running on my server to anywhere I have internet. Its easy to setup, just expose any device running a ssh server like openssh to the internet, probably on a port that isnt 22, and with key only authentication.

Then on whatever device you want to get your services on you can do like

ssh -p 8022 -L 8010:192.168.75.111:80 user@serverspublicip

Where 8022 is the port of the ssh server exposed to the internet (default is 22), 8010 is the port its gonna bind to on the device you are using the client (it will bind to 127.0.0.1 by default), 192.168.75.111:80 is the address/hostname and the port of where your services are on your local network, and user@serverspublicip is your username and the ip address of where your ssh server is.

You can also use ssh to make a SOCKS proxy in your network like this

ssh -g -D 1080 user@serverspublicip

This will make a socks proxy into your network on your device at 127.0.0.1:1080. All of this can also be done on just about any mobile phone running android by using termux.

I use Wireguard VPN with DuckDNS. No need to buy a domain, I just made a name for local use like nextcloud.rudee.com. Even though domains are not expensive (can be 10-20$ a year, but there are also free otions like rudeenextcloud.duckdns.org). You might need reversy proxy like Nginx Proxy Manager unless you want to type IP:PORT

Domains can be free and several of them works flawlessly with DDNS for home hosting. You can set up a completely free Nextcloud. Self-signed certs and direct IP access works as well.

Somebody else mentioned setting up a VPN to your home LAN, that works fine too.

If you have a public IP and can forward ports, exposing SSH (with key-based login) is quite safe. You can browse the server storage and copy files to/from your phone.

If you can’t open ports you will need something that punches out of NAT and intermediates a connection to your phone. Simplest way is to use a service like Tailscale, you install and start it on both the server and your phone and they will see each other from wherever they are.

Nextcloud is simply software that runs on something. You might use DNS to find the something that your Nextcloud runs on … or not. A domain can cost as little as say £10/year (no details given - loose costing provided!) but you say you don’t want one.

You could do some weird stuff involving something like this: Your clients update a database on the server with their current IP address(es) and the server reciprocates in kind regularly.

For an internets conversation, both sides need to know IP address, protocol, and optionally port; for both ends. For example, a webby conversation might involve:

My end: 192.168.100.20/24, tcp port 2399 -> NAT -> 33.22.4.66, tcp port 2245 Remote web server: 99.22.33.44/37, tcp port 443

Now, provided both sides are warned off about changes to addresses and port numbers on a regular basis, then comms will still work.

Say, your home external IP address changes, then your browser writes that new address to the remote server and comms continue. Provided one end knows all the details of the other end at any point in time and can communicate local changes then we are good.

000000000000000000000000000000000000000000000000000000000000000000

Maybe not. Lookup: Dynamic DNS.