[How-To] How to Access Your FreeNAS Server Remotely (and Securely)

Ascotg

Dabbler
Joined
Sep 26, 2016
Messages
19
@Glorious1 , @Ascotg
Thanks, but it is still not working with Firefox (even when I remove localhost from "No proxy").
Actually there might be an error with duckdns because it is not responding when I ping it. I attach posts of my putty and firefox settings to see if there are any mistakes. Thanks,
PS: it's in French but I think you wouldn't have any difficulties to translate :)

I'm guessing the problem lies with duckdns. You could replace the host name with the IP code for the server and see if that works. If it does, you can be sure it's a problem with your duckdns setup.
 

urdel62

Explorer
Joined
Nov 27, 2016
Messages
53
I'm guessing the problem lies with duckdns. You could replace the host name with the IP code for the server and see if that works. If it does, you can be sure it's a problem with your duckdns setup.
You mean replacing host name in putty by current IP address of duckdns server? If so, yes, it is working for putty connection but the proxy is not.
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,210
@urdel62, In your PuTTY 'SSh_tunnel' settings, basic options pane, I assume the port number that you painted over is the same one set on your router as the external port, and you have the corresponding internal port set as your SSH port in FreeNAS?

Also, in the second PuTTY settings pane, I know there is a 'D' in front of your port number, but please try also selecting the 'Dynamic' radio button. I'm not sure how PuTTY behaves in this regard.

Otherwise, maybe there is some system setting in Windows that is preventing the proxy? I don't know enough about Windows to know what it might be.
 

urdel62

Explorer
Joined
Nov 27, 2016
Messages
53
@Ascotg
I tried accessing my plex server remotely using duckdns:port and directly ipaddress:port and both ways are working. So I suppose duckdns is working.
By the way it seems that my IP address hasn't changed since I'm working on the freenas (approximately 2 months). Does it mean that I have a fixed IP address? In my router interface it is written dynamic IP address but ...

@Glorious1
Yes you assumed well it is setup exactly as you said. I tried by picking dynamic button but it isn't working either.

So I don't know what to do now to make the ssh tunnel work ... I can't try assuming I have a fixed IP address and configuring SSH tunnel like that but I would need some help! :)
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,210
You probably do NOT have a fixed IP address. It may stay the same for a few months and then change. But it doesn't really matter as the duckdns part of it doesn't seem to be the problem.

Again, I would look for Windows settings that might be preventing the proxy settings from working.
 

Wisdom

Explorer
Joined
Oct 15, 2016
Messages
71
@Glorious1 Allow me to be yet another to thank you for your awesome guide. Your continued work has been very helpful.

Now, let me run through the list of what's working:

I'm able to SSH on my local network.
Cronjob/DuckDNS is working fine
I can "see" my FreeNAS box remotely... but I can't connect.

Although I've tried a few different iterations of public/private keys, and changed things in the GUI pretty much every which way, I get as far as reaching out remotely to FreeNAS before getting shut down for "No supported authentication methods available (server sent: publickey)"

I'm inclined to believe this has something to do with permissions. However, one problem I have yet to see tackled is how accessing FreeNAS remotely with a window's shared account is able to work: my windows share account, the one I would like to be able to reach out and connect with (as this is how my storage is configured, as windows shares), has all of the permission boxes checked by default. Once an account or a subfolder in /tank is specified as being a windows share, the write permissions are automatically set for both group and other, meaning (I think) that putty is getting mad about the connection being unsecure?

That said, even when I tried to make an additional account that was not a windows share, I still had to put the home directory inside of my larger windows share, as that is where the files I would like to be able to access are located, which leads to basically the same problems.

Since I can't change the windows share permissions without compromising my ability to access all my files locally, how should I go about trying to set up a secure remote SSH?

Many thanks for your time!
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,210
I'm able to SSH on my local network.
Cronjob/DuckDNS is working fine
I can "see" my FreeNAS box remotely... but I can't connect.
Can you clarify exactly what you mean by the last sentence? What does "see" mean in this context, and after what actions exactly, and what is the symptom of not connecting?

Did you go through all the troubleshooting stuff at the end of the post?

Although I've tried a few different iterations of public/private keys, and changed things in the GUI pretty much every which way, I get as far as reaching out remotely to FreeNAS before getting shut down for "No supported authentication methods available (server sent: publickey)"
I guess this is the symptom. Is this PuTTY telling you this?

I'm inclined to believe this has something to do with permissions. However, one problem I have yet to see tackled is how accessing FreeNAS remotely with a window's shared account is able to work: my windows share account, the one I would like to be able to reach out and connect with (as this is how my storage is configured, as windows shares), has all of the permission boxes checked by default. Once an account or a subfolder in /tank is specified as being a windows share, the write permissions are automatically set for both group and other, meaning (I think) that putty is getting mad about the connection being unsecure?
Are you talking about simply SSHing into your machine? You don't need or use shares for that.

That said, even when I tried to make an additional account that was not a windows share, I still had to put the home directory inside of my larger windows share, as that is where the files I would like to be able to access are located, which leads to basically the same problems.
It's possible the problem has something to do with Windows; I don't have any Windows share so am not too knowledgeable about them.

However. When you SSH in, you go to your home directory of course. If you create a new test account where the home directory is not in a Windows share, see if you can get in and manipulate things in that home directory. If you can, you should then be able to navigate anywhere in the machine. You don't need to start where the files of interest are located.
 

Wisdom

Explorer
Joined
Oct 15, 2016
Messages
71
Can you clarify exactly what you mean by the last sentence? What does "see" mean in this context, and after what actions exactly, and what is the symptom of not connecting?

I can connect to the server enough to get rejected. As an analogy, I can get to the GUI login page, but then it's not taking my password. (Obviously, this isn't the case, but the best way I can describe what it's like to be able to reach the server successfully, but then be turned down for security reasons).

After firing up putty and pointing it to User@FreeNAS.duckdns.org: port (example, clearly), and associating the connection with the private key I have locally, generated in a pair with the public key associated with the user on FreeNAS, the connection starts, but immediately gives me the error I mentioned before. According to putty (or my interpretation of the error) I've sent a public key to the server, which is then being rejected? Provided that I associated the session with the private key, as directed in the guide, I'm not sure why this is the case. Initially, I thought this had something to do with generating an odd pair of public and private keys, but after making a couple different sets and having them all look the same (in terms of file configuration, not content), I think I'm doing it right.

I end up with one .ppk private key, and one just "file" with no extension. It's a plaintext file I can open with notepad and just copy into the SSH part of the user on FreeNAS, so I think that's right. My cause for concern, however, stems from this looking different than the configuration I use to locally SSH into my box, with a private.ppk and a pair.ppk. My saved session points to the pair.ppk, rather than the private key, but putty won't let me point to just the plaintext file (public key) with the new pairs I've generated.

Did you go through all the troubleshooting stuff at the end of the post?

As I mentioned, yes, but I can't change some of the permissions on windows shares.

I guess this is the symptom. Is this PuTTY telling you this?

Yes.

Are you talking about simply SSHing into your machine? You don't need or use shares for that.

I'll give this a shot and see how it turns out. I had created a test user, but besides my jail storage, my whole box is pretty much a windows share (From the top, I've made tank/NAS, which is a windows share, and then there's just jail storage at tank/jails, but I'll throw something else up there and see what sticks).

However. When you SSH in, you go to your home directory of course. If you create a new test account where the home directory is not in a Windows share, see if you can get in and manipulate things in that home directory. If you can, you should then be able to navigate anywhere in the machine. You don't need to start where the files of interest are located.

This is good to know. I'm not particularly adept at looking for files with just putty, but some access is better than none. At the end of this whole process, I would like to be able to (safely) browse my remote windows shares, either through firefox or something that looks like windows explorer, but we'll see what comes together.

I appreciate your quick response, and I'll keep you posted on how things develop!
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,210
I end up with one .ppk private key, and one just "file" with no extension. It's a plaintext file I can open with notepad and just copy into the SSH part of the user on FreeNAS, so I think that's right. My cause for concern, however, stems from this looking different than the configuration I use to locally SSH into my box, with a private.ppk and a pair.ppk. My saved session points to the pair.ppk, rather than the private key, but putty won't let me point to just the plaintext file (public key) with the new pairs I've generated.
If I'm understanding you correctly, you can successfully SSH into your NAS locally using key authentication, no passwords allowed. If so that is important information, and a big step.
Did you create those key files with PuTTYgen? Those are different file extensions than I have (as noted in the post). It sounds like the ones you are trying to use for remote access are messed up. If you have a pair that work locally, you can use the same ones to log in remotely. I suggest you use those. From what you say, it sounds like 'private.ppk' is the public key, which makes no sense. It should be clear when you generate them.

. . . but I can't change some of the permissions on windows shares. . . .
I had created a test user, but besides my jail storage, my whole box is pretty much a windows share (From the top, I've made tank/NAS, which is a windows share, and then there's just jail storage at tank/jails, but I'll throw something else up there and see what sticks).
If you can SSH locally with the keys, this may not be your main problem. But it is important that the permissions be set correctly for the files and directories noted in the Troubleshooting section. It can mess you up otherwise.

When you look at the Storage window of the FreeNAS webGUI, does it show the volume 'tank', then another line indented under it, also named 'tank', then 'NAS' below that? The second 'tank' line is your root dataset, which I think should not be shared or edited in any way. If it's set this way, you can easily create another dataset, child of 'tank' dataset and sister to 'NAS'. Set it for unix permissions. Do not share it via Windows. Create a user with the home directory in that dataset. Put the public key that works in there as you did before. Verify the permissions are set as in the Troubleshooting section. Make sure you can log in LOCALLY via PuTTY using key authentication. Then try it remotely.

Keep in mind, PuTTY is just a Windows program that can get you networking via SSH. Once you're logged into FreeNAS, your command-line environment is unix. You use unix commands to navigate and search. Don't try to use shares or web access remotely until you get simple SSH working.
 

Wisdom

Explorer
Joined
Oct 15, 2016
Messages
71
If I'm understanding you correctly, you can successfully SSH into your NAS locally using key authentication, no passwords allowed. If so that is important information, and a big step.
Did you create those key files with PuTTYgen? Those are different file extensions than I have (as noted in the post). It sounds like the ones you are trying to use for remote access are messed up. If you have a pair that work locally, you can use the same ones to log in remotely. I suggest you use those. From what you say, it sounds like 'private.ppk' is the public key, which makes no sense. It should be clear when you generate them.

When you look at the Storage window of the FreeNAS webGUI, does it show the volume 'tank', then another line indented under it, also named 'tank', then 'NAS' below that? The second 'tank' line is your root dataset, which I think should not be shared or edited in any way. If it's set this way, you can easily create another dataset, child of 'tank' dataset and sister to 'NAS'. Set it for unix permissions. Do not share it via Windows. Create a user with the home directory in that dataset. Put the public key that works in there as you did before. Verify the permissions are set as in the Troubleshooting section. Make sure you can log in LOCALLY via PuTTY using key authentication. Then try it remotely.

Keep in mind, PuTTY is just a Windows program that can get you networking via SSH. Once you're logged into FreeNAS, your command-line environment is unix. You use unix commands to navigate and search. Don't try to use shares or web access remotely until you get simple SSH working.

I pulled together all the advice from the last several posts on here, and managed to get things working smoothly (minus SMB shares, but I've looked over the links offered in this thread to some how-tos for that, and it'll be a bit before I get all that underway). Here was my process:

I generated (yet another) pair of keys. They were, again, a plaintext and a .ppk file, but this ended up being okay. Turns out the .ppk is the private key, like I suspected, and the plaintext is the public.

I added another user, and another (unix) dataset through the webGUI. With reference to the file structure on my box, from the top, it sits alongside /tank/tank/NAS, at /tank/tank/TestShare. The new user now lives in TestShare. Because it's configured as a unix share rather than a windows one (as NAS is), it allowed me to fix the permissions issues that seemed to be the root of the problem.

The new user got the new public key, my laptop got the new private key.

Putty went together smoothly, following the guide (user@example.duckdns.org : port). I added in the portforwarding to 15443, configured firefox accordingly, and now have webGUI access remotely. Furthermore, all my plugins (notably Plex and Maraschino) work swimmingly.

TL;DR for future people with a similar issue: it's permissions. It's FreeNAS, so it's always permissions. Drop the user into a home that you can deny write permissions to (for group and other) and you'll be all set.

Thanks again Glorious1!

---

EDIT: I've seen a lot of people having issues with not being able to get SSH access while on the same local network, while trying to route through duckdns. My initial testing of this process (above) was done on my local network (LAN, even!), and I was able to SSH successfully through duckdns, despite sitting on the same local network. It can be done, even if there's no real reason to do it. That being said, the ideal test is still to make sure things work from a remote network, as if it breaks down remotely but worked at home, you're still SOL.
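
Added example (not part of any post in this thread): the "it's permissions" conclusion above corresponds to sshd's StrictModes check, which refuses a public key when the user's home directory, `~/.ssh`, or `authorized_keys` is writable by group or other, or is owned by someone other than the user or root. The function names `check_path` and `audit_ssh_home` and the temporary demo directory are constructed for illustration; the script only reads `ls` output, so it runs in the FreeNAS shell as well as on Linux.

```shell
#!/bin/sh
# Audit the three paths sshd's StrictModes inspects for key authentication.

# check_path TARGET UID
# Prints one finding line; returns 1 if sshd would object to TARGET.
check_path() {
    target=$1; want_uid=$2
    info=$(ls -ldn "$target" 2>/dev/null) || { echo "MISSING  $target"; return 1; }
    mode=$(printf '%s\n' "$info" | awk '{print $1}')   # e.g. drwxrwxr-x
    uid=$(printf '%s\n' "$info" | awk '{print $3}')    # numeric owner
    gw=$(printf '%s' "$mode" | cut -c6)                # group write bit
    ow=$(printf '%s' "$mode" | cut -c9)                # other write bit
    rc=0
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "WRITABLE $target ($mode): remove group/other write"
        rc=1
    fi
    if [ "$uid" != "$want_uid" ] && [ "$uid" != "0" ]; then
        echo "OWNER    $target (uid $uid): must be uid $want_uid or root"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK       $target ($mode)"
    fi
    return "$rc"
}

# audit_ssh_home HOME UID
# Checks HOME, HOME/.ssh and HOME/.ssh/authorized_keys; returns 1 on any finding.
audit_ssh_home() {
    home=$1; want_uid=$2; bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$want_uid" || bad=1
    done
    return "$bad"
}

# Constructed demo: a home directory with group and other write set, as the
# thread describes for a dataset configured as a Windows share, then the same
# home after tightening the mode.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/.ssh"
    : > "$d/.ssh/authorized_keys"
    chmod 777 "$d"; chmod 700 "$d/.ssh"; chmod 600 "$d/.ssh/authorized_keys"
    echo "-- home inside a share-style dataset (mode 777)"
    audit_ssh_home "$d" "$(id -u)" || echo "=> sshd would refuse the key"
    chmod 755 "$d"
    echo "-- after chmod 755 on the home directory"
    audit_ssh_home "$d" "$(id -u)" && echo "=> permissions no longer block key login"
    rm -rf "$d"
}
demo
```

On a real server, call it as `audit_ssh_home /path/to/home "$(id -u username)"` with the user's actual home directory and login name.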
 

urdel62

Explorer
Joined
Nov 27, 2016
Messages
53
Hello again everyone,

So since last time, I gave up the idea of setting up ssh tunneling on a Windows client.
And I'm now trying on another laptop with Linux.
Everything is working fine until firefox configuration.
I can open my ssh connection but after firefox configuration when I try to access my server GUIs I get this message : connexion has been refused by proxy.
Do you have any ideas ?

Thanks in advance,
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,210
Everything is working fine until firefox configuration.
I can open my ssh connection but after firefox configuration when I try to access my server GUIs I get this message : connexion has been refused by proxy.
What is 'everything' that is working fine? I need all the details to know what is going on. I gather you can do a straight SSH session, and interact with the server via shell command line?

Do you know that you can't then go into Firefox and set up the proxy and expect it to work? The SSH command/PuTTY settings are different between regular SSH and tunneling your browser through it.
 

urdel62

Explorer
Joined
Nov 27, 2016
Messages
53
What is 'everything' that is working fine? I need all the details to know what is going on. I gather you can do a straight SSH session, and interact with the server via shell command line?

Do you know that you can't then go into Firefox and set up the proxy and expect it to work? The SSH command/PuTTY settings are different between regular SSH and tunneling your browser through it.
Thanks,

I can do a straight SSH session to interact with the server.
I can open an SSH tunnelling session with that kind of command:
ssh <subdomain>.duckdns.org -D 15443 -p 52739
The result is that I can access my server and interact too. I let that connection opened and configure firefox using the D random port number. But then I can't access any application using local address IP.
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,210
I don't know. Try putting the options right after 'ssh', so ssh -D 15443 -p 52739 <subdomain>.duckdns.org. Check your SSH settings on FreeNAS and proxy settings in Firefox to make sure they match the screenshots.

The error message in your previous post, about connexion being refused by proxy, makes me wonder if there are some system settings on your laptop that prevent the proxy from working. I don't know what those might be, but if all else fails I would investigate that.

EDIT
You might also try using Chrome, because it does proxy setting much differently. Go to Settings > Advanced Settings > Network. Click on Change Proxy Settings. On my Mac, that takes you to the system/OS Network Preferences. There I choose the WiFi or Ethernet service > Advanced Settings, and choose the Proxies tab. I put a checkmark by SOCKS Proxy, then enter localhost where it says SOCKS Proxy Server, and then enter the -D port from the SSH command. Obviously it will be different on your Windows or Linux, but there should be some analogue. You might get lucky. And you might find something in those system settings that is messing you up.
 

Ziggy

Contributor
Joined
Oct 7, 2015
Messages
157
Hi Glorious1. I feel I may be tantalisingly close, having read all 9 pages of this thread and taken copious notes, but I'm still not managing to connect remotely. I even reset my FreeNAS to factory settings on the basis of the advice here so that I could be as sure as possible that nothing in the setup is preventing me connecting - and that's not saying I still haven't messed it up somewhere. For the record, I was also doing it after the failure of Corral to make it to full maturity and had reverted to the 9 train and now the 11 stable line. I'm attempting to access from a Mac.
So, having set up a user with a home directory, and an smb share underneath that, and checked and double checked permissions etc in the troubleshooting section of your guide - and before generating a public/private key from the Mac - I ssh'd in while still connected on my LAN and connected without a problem. As soon as I generated a key, I was getting 'permission denied (public key)' error messages. However, I realised I wasn't doing this via a remote connection so I wondered, as read within these pages, if that was the problem, so I then used my phone to create a personal hotspot network on 4G - so that I was attempting to connect from outside the LAN - and joined my Mac to that network and then attempted connection via the Terminal without success.
At this point I see I don't fully understand your instructions for the code/command line instructions at the end of the Port Forwarding section that I'm trying to use via the Mac's terminal.
First, I have an external static ip (and a static internal ip for FreeNAS) so I don't need the duckdns part. What, then, should the code/command line syntax be? Is it "sss -p [external port that is forwarded on the router?] user@my.external.static.ip or user@my.internal.static.ip" or what should I be using here? Using either or gives me an "operation timed out" response.
Much appreciate your massive input on this topic and all others who have contributed. This is one issue I really want to crack. Networking sure is an arcane science, and I'm only beginning to understand small bits of it.
 

Tartan88

Dabbler
Joined
Oct 4, 2016
Messages
24
Hello,

I am trying to get this going following the original steps and am running into problems. I have created a RSA public/private key and saved them on my Windows laptop. I have also copied/pasted the OpenSSH version of the key into a document/text file and saved in the same folder on my Windows machine. I copied and pasted the OpenSSH version of the key into the user I want to use for SSH in the "SSH Public Key" portion. I have disabled password authentication for SSH settings. When I try to unselect Group Write permissions, it rechecks it when I go back into the user?

When I load the private key into WinSCP and try to connect locally, I get a "Disconnected: No supported authentication modes available (server sent:publickey) Server refused our key Authentication failed."

I am somewhat stuck and was hoping someone could steer me in the right direction. Thanks.
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,210
So, having set up a user with a home directory, and an smb share underneath that, and checked and double checked permissions etc in the troubleshooting section of your guide - and before generating a public/private key from the Mac
You should check all the permissions AFTER you set up the keys, because the key and parent folder permissions are critical.

- I ssh'd in while still connected on my LAN and connected without a problem. As soon as I generated a key, I was getting 'permission denied (public key)' error messages. However, I realised I wasn't doing this via a remote connection
So you generated the key - did you install the public key on the server? Had you turned off password login? What command did you try to login with?
It doesn't matter if you connect locally or remotely; the keys work both ways.

At this point I see I don't fully understand your instructions for the code/command line instructions at the end of the Port Forwarding section that I'm trying to use via the Mac's terminal.
First, I have an external static ip (and a static internal ip for FreeNAS) so I don't need the duckdns part. What, then, should the code/command line syntax be? Is it "sss -p [external port that is forwarded on the router?] user@my.external.static.ip or user@my.internal.static.ip" or what should I be using here? Using either or gives me an "operation timed out" response.
Here you will have to use the correct IP - the internal one locally and the external one remotely.
The port number in the command depends also. If the external and internal ports are the same (in other words, you change the SSH port in FreeNAS from the default 22 to the same external port that your router is forwarding), then that is the number you use in the command either way. Otherwise, locally you have to use the SSH port on FreeNAS; remotely you have to use the router's external port number that is being forwarded.
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,210
Hello,

I am trying to get this going following the original steps and am running into problems. I have created a RSA public/private key and saved them on my Windows laptop. I have also copied/pasted the OpenSSH version of the key into a document/text file and saved in the same folder on my Windows machine. I copied and pasted the OpenSSH version of the key into the user I want to use for SSH in the "SSH Public Key" portion. I have disabled password authentication for SSH settings. When I try to unselect Group Write permissions, it rechecks it when I go back into the user?

When I load the private key into WinSCP and try to connect locally, I get a "Disconnected: No supported authentication modes available (server sent:publickey) Server refused our key Authentication failed."

I am somewhat stuck and was hoping someone could steer me in the right direction. Thanks.
I don't know what an "OpenSSH version" of the keys is, but my first guess is that having two key versions is fouling you up. I would obliterate the one you're not using completely, or generate only one version.
 

Ziggy

Contributor
Joined
Oct 7, 2015
Messages
157
Glorious1, please see attached for further response and investigation. Long story but it was initially created in Notes, but then wouldn't paste in here properly, hence the pdf. Hope that's ok.
 

Attachments

  • Remote & Secure FreeNAS Access Issue.pdf
    196.6 KB · Views: 866