Advice networking setup + remote access

Yakje

Explorer
Joined
Feb 8, 2017
Messages
82
Currently I am running the latest version of FreeNAS 11.2-U3 and have most of the jails I want up and running (locally), except for Nextcloud (see signature for details).
Now I am trying to figure out what would be the best network setup for me to be able to access my Plex / Nextcloud / Organizr and Nzb360 remotely in the most secure manner possible for a home situation.

Current situation:
At the moment I am living in a house where we share one modem/router, which is a "KPN Xperia box V10". This modem is then connected to my own cheap-ass router "TP-Link router WR841N", which is connected to my own cheap-ass switch "TP-Link switch TL-SG1005D", which is connected to my FreeNAS system.

Modem <-> Router <-> Switch <-> FreeNAS

At the moment both the modem and my own router have DHCP enabled (double NAT situation).
All my jails have their own VNET IP address.

What I am considering:
I have read quite a few topics about the different aspects of setting up a network infrastructure and remotely accessing it in a "secure" manner. From what I understand it's best to (correct me if I'm wrong):
1.) Not open up any ports.
2.) Do it with OpenVPN through your router.
3.) If you don't have a VPN, do it through an SSH tunnel with keys.

What I want to achieve is the following:
1) Secure remote connection: as secure as possible for a SOHO situation
2) Plex & Nextcloud remote access for multiple users
3) Organizr & Nzb360 remote access just for me

I was thinking about going down the VPN-on-my-router road (I have an active PIA subscription), which means I will have to buy a new router (my current router does not support setting up a VPN). I have been looking around and was thinking about buying a Qotom Q355G4 and running pfSense on it. Would this be a good choice? Should I change anything else about my networking setup? I know it is not really convenient to have a double NAT situation, but since other people are dependent on the modem, I am not sure what setup would be best. Should I change anything about the modem (which is used by multiple people in the house) or my "future" router to get rid of the double NAT, for example? I also read about setting up a DMZ, but I'm not sure if this would be suitable for my situation.

I also bought a few domains for easy access to Nextcloud and Plex, but have not configured them yet, since I am not sure what would be the best approach. Should I set up reverse proxies + SSL for my jails, or is this not something I would need if I take care of the remote access through a VPN?

I hope you guys can help me figure out the best setup for my situation; any advice will be greatly appreciated!

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
If your use-case allows for all parties accessing your stuff to run a VPN client, then do that, since it's much simpler to get right.

Reverse proxy will also get you to the results you're after (Plex even does it for you, but requires a dedicated port-forward), but making it work properly and getting to proper security is complex.

Consider employing a two- or multi-factor authentication option as part of your implementation to ensure just a password is not enough to get past your security.

Yakje

Explorer
Joined
Feb 8, 2017
Messages
82
If your use-case allows for all parties accessing your stuff to run a VPN client, then do that, since it's much simpler to get right.

Reverse proxy will also get you to the results you're after (Plex even does it for you, but requires a dedicated port-forward), but making it work properly and getting to proper security is complex.

Consider employing a two- or multi-factor authentication option as part of your implementation to ensure just a password is not enough to get past your security.

Thanks for your reply!

Yeah, most people will be able to connect over a VPN client. I was also planning to install a client on the router, so I don't have to install a client on all the devices. But that's only useful when at home, I guess?

From what I understand, it is either the VPN or the reverse proxy way? Would doing both not be a good idea?

The idea to employ a two- or multi-factor authentication sounds like a good plan; how and where would I go about setting it up?

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
The idea to employ a two- or multi-factor authentication sounds like a good plan; how and where would I go about setting it up?
You could look at something like this which claims openvpn support and is free for personal use as far as I can tell: https://saaspass.com/

Otherwise, search google for 2FA or MFA, open-source and the technology you want to protect (like nginx for a reverse-proxy).

From what I understand, it is either the VPN or the reverse proxy way? Would doing both not be a good idea?
Both can work together, but that means you have to handle the complexity of having and managing both. It also means 2 points of entry for malicious folks rather than one... I guess you're not holding national secrets, so it shouldn't make enough of a difference either way.

I was also planning to install a client on the router, so I don't have to install a client on all the devices. But that's only useful when at home, I guess?
I'm not sure what you would hope to connect to with that client... your own VPN server? This won't help.
If you meant you wanted to use a VPN service to secure your browsing data from your ISP, then OK, but that's nothing at all to do with this and may interfere with the routing for the other services, so be careful to think about that when planning what you're doing.

Yakje

Explorer
Joined
Feb 8, 2017
Messages
82
You could look at something like this which claims openvpn support and is free for personal use as far as I can tell: https://saaspass.com/

Otherwise, search google for 2FA or MFA, open-source and the technology you want to protect (like nginx for a reverse-proxy).

Thanks, I will have a look around at what is currently available :)

Both can work together, but that means you have to handle the complexity of having and managing both. It also means 2 points of entry for malicious folks rather than one... I guess you're not holding national secrets, so it shouldn't make enough of a difference either way.

I am wondering, if I applied both, would it also make my connection slower, since it would have to go through VPN + SSL encryption, or would this not really be that significant? And will I have to open up ports if I would like to access, for example, my Nextcloud installation at my own domain "www.mynextcloud.com", or is there no need if I connect over VPN?

I'm not sure what you would hope to connect to with that client... your own VPN server? This won't help. If you meant you wanted to use a VPN service to secure your browsing data from your ISP, then OK, but that's nothing at all to do with this and may interfere with the routing for the other services, so be careful to think about that when planning what you're doing.

I was thinking about maybe routing some of my home WiFi traffic through the VPN, but I guess that is not really convenient speed-wise, and since I am not holding any national secrets it's not needed as well ^^

Do you also have some advice for me regarding the hardware setup? I am not sure what would be the best setup in my situation, since I am sharing the modem with multiple users. At the moment I have a double NAT situation; should I disable DHCP in my own router, for example?

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
Double NAT is OK (but not what you want in a perfect setup where you own all the parts).

As long as you can get the port forwards you need to your router and then handle it from there like you would directly, all is good.

If you connect using a VPN, all the services work like the VPN client is connected to your router directly, so no need to advertise any domains (except maybe one for the VPN itself if that's required to make setup a bit simpler).