• 0 Posts
  • 4 Comments
Joined 1 year ago
Cake day: October 28th, 2023


  • I have no issue at all on Android. I don’t use iOS, so I cannot verify on there.

    But I meant client certificates in this context. What I do:

    1. Use a public domain, pointing A and AAAA *.domain.tld to a traefik lb/reverse proxy. I use it on Kubernetes.
    2. Use LE for that *.domain.tld, instead of direct domain certs, to be more private (as all public CAs disclose the signed certs (https://crt.sh/)).
    3. Create my own CA for client authentication.
    4. Set the own CA as trust anchor for clients in traefik for domains which require authentication.
    5. Create client certificates + keys for my users. (I don’t use the CSR way, as that makes it complicated for them.) I use the pfx format, as this is widely accepted by the browsers and systems. p12 should also work.
    6. Add the client certificate on the devices. But I don’t put the CA as trust anchor on them. This would lead to warnings on the devices, as that would allow MITM attacks.