The most boring threat model wins. I needed a place to drop large files between machines, sometimes between countries, without trusting Google Drive, Dropbox, or whatever else routes my data through someone else's server first. The whole project is built around a single idea: nothing on the internet can talk to this machine.

0 public ports | SFTP + Samba shares | ZeroTier mesh | 2 TB USB storage

Why ZeroTier instead of port-forwarding

The classic approach is "open port 22 on the router, change the default port, fail2ban for brute force." It works, technically. It also leaves you exposed to every internet-wide scanner that has ever existed, and the SSH CVE drumbeat means there's always a chance the next zero-day will land before your patch does.

ZeroTier flips this. The Pi joins a private mesh network. The mesh has its own private subnet (10.144.0.0/24). The Pi has no incoming firewall rules from the public internet at all. The only way to reach it is to first authenticate to the ZeroTier mesh — which itself uses elliptic-curve keys, not passwords.

[ AUTH LAYERS ]
  layer 1 → ZeroTier mesh    (curve25519 device key)
  layer 2 → ZT network ACL   (admin must approve device)
  layer 3 → UFW              (only allow ZT subnet to 22/445)
  layer 4 → SSH key auth     (no passwords, ed25519)
  layer 5 → fail2ban         (catch anything weird anyway)
  

Samba + SFTP, both behind the mesh

SFTP is what I use from Linux/macOS — fast, scriptable, works with rsync. Samba is what I use from a Windows machine when I want to drag-and-drop. Both run on the same Pi, both are bound to the ZeroTier interface only, both refuse to accept connections from the LAN or the internet.

# /etc/samba/smb.conf — bind to ZT interface only
[global]
   # Samba matches interface names with shell-style wildcards, so zt* (not zt+)
   interfaces      = lo zt*
   bind interfaces only = yes
   server min protocol = SMB3
   client min protocol = SMB3
   # SMB3 is the floor — no SMB1/2 ever

Why bind to ZT only

If I were ever to plug the Pi into a coffee shop network or a relative's router, I do not want it to start serving SMB to that LAN. Binding to the ZeroTier interface only means the moment the Pi is off the mesh, it serves nothing. Defense in depth.
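
One way to check the binding claim above on a running box, as an added example (not the author's code): it parses `ss -H -tln` output and reports SSH/SMB listeners bound to a wildcard or a non-mesh address. The sample output is constructed, and port 139 and the function names are assumptions.

```python
import ipaddress

ZT_NET = ipaddress.ip_network("10.144.0.0/24")  # mesh subnet named in the post
SERVICE_PORTS = {22, 139, 445}  # SSH/SFTP and SMB; 139 is an added assumption

# Constructed sample of `ss -H -tln` output, not captured from the author's Pi.
SAMPLE_SS = """\
LISTEN 0 128      0.0.0.0:22     0.0.0.0:*
LISTEN 0 50   10.144.0.12:445    0.0.0.0:*
LISTEN 0 50     127.0.0.1:445    0.0.0.0:*
LISTEN 0 50  192.168.1.40:139    0.0.0.0:*
LISTEN 0 128         [::]:22        [::]:*
LISTEN 0 511      0.0.0.0:8080   0.0.0.0:*
"""

def parse_local(field):
    """Split an ss 'Local Address:Port' field into (address, port)."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface scope
    return host, int(port)

def classify(host):
    """Label a bind address: wildcard, loopback, zerotier or other."""
    if host in ("*", "0.0.0.0", "::"):
        return "wildcard"
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback"
    if addr.version == 4 and addr in ZT_NET:
        return "zerotier"
    return "other"

def audit(ss_output):
    """Return (address, port, kind) for service listeners not pinned to the mesh."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, port = parse_local(cols[3])
        if port not in SERVICE_PORTS:
            continue  # only the file-sharing services are in scope here
        kind = classify(host)
        if kind in ("wildcard", "other"):
            findings.append((host, port, kind))
    return findings

if __name__ == "__main__":
    for host, port, kind in audit(SAMPLE_SS):
        print(f"{host}:{port} listens outside the mesh ({kind} bind)")
```

A wildcard bind on port 22 is not reachable from outside while the UFW layer holds, but it means that service depends on the firewall alone rather than on its own bind address.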

Chrooted SFTP shares

Each user has an account. Each account is jailed to a directory. They can't see other users' files. They can't escape the share into the rest of the filesystem. Standard Match User and ChrootDirectory from sshd_config — nothing exotic, just enforced.

# /etc/ssh/sshd_config
Match User sujit
    ChrootDirectory     /srv/shares/sujit
    ForceCommand        internal-sftp
    AllowTcpForwarding  no
    X11Forwarding       no
    PasswordAuthentication no

The 2TB USB drive trick

The Pi has a 32GB SD card. Not enough. The 2TB external USB drive is mounted at /srv/shares with noexec, nosuid, and nodev — meaning even if a user uploads a malicious binary it can't execute from the share. The drive is encrypted with LUKS so if it ever walks away physically, it's a brick.

Most "self-hosted file servers" you see online are basically Nextcloud with port 443 open to the world. That works until it doesn't — and when it doesn't, the failure mode is everything you have. ZeroTier turns "everything I have" into "everything I have, behind two layers of crypto and an admin-approved device list."

Reality check

This setup is not zero-trust. ZeroTier itself is a third-party service, and if their root infrastructure were compromised, mesh members could in theory be impersonated. For the threat model I'm operating under (keep my files off cloud providers, prevent random internet scans from being able to even try to break in), it's the right balance.