Best way to access FreeNAS without port-forwards?

Status
Not open for further replies.

MaLaCoiD

Dabbler
Joined
Sep 23, 2014
Messages
12
I'm deploying a FreeNAS which is behind a consumer-grade NAT router and don't have access to forward the SSH or web port for administration.

I'm thinking the easiest way to administer the box is with reverse SSH. I would like to SSH into one or two servers on startup from the FreeNAS. I could also rely on OpenVPN to a server for access.

I've tried executing variations of:
ssh -R 9000:localhost:22 user@remote.host.com -p 22 -i /mnt/z3/jails/j1/.ssh/id_rsa -o UserKnownHostsFile=/mnt/z3/jails/j1/.ssh/known_hosts
... they all work from the shell, but not from an init script or init command configured with the GUI. I've tried with 'screen'. I've tried with -f and &, but never do I see it connect or create the screen session.

When I was trying with OpenVPN, I found that a client can't run in a jail because it can't make tun interfaces or control routing, and OpenVPN can't connect with auth info in a file because it is not compiled that way by default, and portsnap is not installed to reconfigure the package.

Even better if there's a utility that can check the status of the tunnel and reconnect if necessary.
 

sremick

Patron
Joined
Sep 24, 2014
Messages
323
Do you have the option to replace the router with a better one, one that supports OpenVPN? That's what I did.
 

MaLaCoiD

Dabbler
Joined
Sep 23, 2014
Messages
12
sremick,
Thanks for the response. If I could administer the router, I'd just open up a port forward for SSH. I can't replace the router... I need an automated way for FreeNAS to phone home.
 

Tywin

Contributor
Joined
Sep 19, 2014
Messages
163
MaLaCoiD said:
Thanks for the response. If I could administer the router, I'd just open up a port forward for SSH. I can't replace the router... I need an automated way for FreeNAS to phone home.

I've used this approach before in an academic setting and it worked wonders for me. Sorry, can't help you with the specifics of auto-running it from FreeNAS. My equivalent was a Linux workstation; I just left a terminal window with the SSH connection open.
 

MaLaCoiD

Dabbler
Joined
Sep 23, 2014
Messages
12
I got it working!

My commands above assume the files under .ssh are owned by the user executing the startup script. In my case it was root, rather than the j1 user, in whose home folder .ssh resides. So instead of the command directly, I use this script:
Code:
[root@freenas] /mnt/z3/jails/j1# cat hacks.sh
#!/bin/sh
# Run ssh as j1 (the owner of the key and known_hosts), not as root.
# A bare "su j1" only opens a shell and never reaches the ssh line;
# "su -m j1 -c ..." runs the command as j1 and returns. -m keeps the
# environment, so it also works if j1 has no login shell.
su -m j1 -c 'ssh -f -N -R 9000:localhost:22 user@remote.host.com -p 22 -i /mnt/z3/jails/j1/.ssh/id_rsa -o UserKnownHostsFile=/mnt/z3/jails/j1/.ssh/known_hosts'

... and call it via Post Init startup script.

That's great if FreeNAS starts up with network connectivity and maintains it. So I wrote this script to check for the tunnel and redial. It uses a random port 56000-56999 instead of 9000 in case something gets messed up:
Code:
[root@freenas] /mnt/z3/jails/j1# cat keepalive.csh
#!/bin/csh
set process=remote.host.com
# count the ssh processes talking to the relay (grep -v grep drops the grep itself)
set number=`ps ax | grep -v grep | grep -c $process`
set port=`jot -r 1 56000 56999`
# build the -R argument outside the quotes; the backslash stops csh from
# reading ":l" as a variable modifier
set fwd=$port\:localhost:22

if ($number == 1) then
  echo "$process is alive."
else if ($number == 0) then
  echo "$process is dead, but will be launched."
  # run as j1 (owner of the key), not root; "su -m j1 -c" runs the command and returns.
  # ServerAlive* makes a hung ssh exit after about three minutes of silence, so the
  # next cron run sees number == 0 and redials; ExitOnForwardFailure stops ssh from
  # lingering when the relay refuses the listener port.
  su -m j1 -c "ssh -f -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -R $fwd user@remote.host.com -p 22 -i /mnt/z3/jails/j1/.ssh/id_rsa -o UserKnownHostsFile=/mnt/z3/jails/j1/.ssh/known_hosts"
endif

I call keepalive.csh every 15 minutes using root's Cron Jobs under the GUI.
 
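The following is an added example of the same phone-home tunnel, written for this thread and not the poster's own script. It keeps the thread's assumptions (jail user j1, key and known_hosts under /mnt/z3/jails/j1/.ssh, relay user@remote.host.com, listener port drawn from 56000-56999; all of these are hypothetical placeholders to adapt) but goes further than the scripts above in three ways: it probes the live connection with a ControlMaster socket and "ssh -O check" instead of counting ssh processes, so a hung ssh whose TCP session is gone is treated as down; it binds the remote listener on the relay's loopback only, so the NAS's sshd is reachable just from accounts on the relay; and it sets BatchMode, ExitOnForwardFailure and ServerAlive so that a tunnel that could not be set up, or has died, exits rather than lingering.

```shell
#!/bin/sh
# Reverse SSH tunnel keepalive for a NAS behind NAT. Added example for this
# thread, not the poster's own script. Assumptions (hypothetical, adapt them):
#   - the tunnel runs as jail user j1, whose key and known_hosts live in
#     /mnt/z3/jails/j1/.ssh (the paths used in the thread)
#   - the relay is user@remote.host.com with sshd on port 22
#   - the remote listener port is drawn from 56000-56999 as in the thread
# Install as a root cron job that runs every few minutes:
#     /bin/sh /mnt/z3/jails/j1/keepalive.sh run

TUNNEL_USER=j1
TUNNEL_HOME=/mnt/z3/jails/j1
SSH_DIR=$TUNNEL_HOME/.ssh
RELAY=user@remote.host.com
RELAY_PORT=22
PORT_LO=56000
PORT_HI=56999
SOCK=$SSH_DIR/revtunnel.sock      # ControlMaster socket, created by j1

# Random listener port in [lo, hi]: jot on FreeBSD, awk as a fallback.
pick_port() {
    if command -v jot >/dev/null 2>&1; then
        jot -r 1 "$1" "$2"
    else
        awk -v lo="$1" -v hi="$2" \
            'BEGIN { srand(); print lo + int(rand() * (hi - lo + 1)) }'
    fi
}

# Assemble the ssh command for a given remote listener port.
#   -M/-S                 : run as ControlMaster so the tunnel can be probed later
#   BatchMode             : never prompt; cron and init scripts have no tty
#   ExitOnForwardFailure  : if the relay refuses the listener, ssh exits instead
#                           of lingering as an "alive" process with no tunnel
#   ServerAlive*          : a dead TCP path is noticed within about three
#                           minutes and ssh exits, so the next cron run redials
#   StrictHostKeyChecking : never connect to a relay whose key is not pinned
#   -R 127.0.0.1:...      : bind the listener on the relay's loopback only, so
#                           the NAS's sshd is reachable just from the relay
build_ssh_cmd() {
    printf 'ssh -f -N -M -S %s -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s/known_hosts -i %s/id_rsa -p %s -R 127.0.0.1:%s:localhost:22 %s' \
        "$SOCK" "$SSH_DIR" "$SSH_DIR" "$RELAY_PORT" "$1" "$RELAY"
}

# Run a command as the key owner, never as root. -m keeps the environment
# (works even if the user has a nologin shell); env sets HOME to the user's
# own home so ssh looks there for its config, not in root's.
as_tunnel_user() {
    su -m "$TUNNEL_USER" -c "env HOME=$TUNNEL_HOME $1"
}

# True when the control socket exists and the master ssh answers "-O check".
# This probes the live multiplexed connection; counting ssh processes with
# ps|grep would also count a hung ssh whose TCP session is long gone.
tunnel_up() {
    [ -S "$SOCK" ] && as_tunnel_user "ssh -S $SOCK -O check $RELAY" >/dev/null 2>&1
}

main() {
    if tunnel_up; then
        echo "tunnel to $RELAY is alive"
        return 0
    fi
    rm -f "$SOCK"                      # stale socket left by a dead master
    port=$(pick_port "$PORT_LO" "$PORT_HI")
    echo "tunnel down, redialing with listener 127.0.0.1:$port on the relay"
    as_tunnel_user "$(build_ssh_cmd "$port")"
}

# Only dial out when invoked with "run", so loading the file for its
# functions (or a test harness) does not start a tunnel.
case "${1:-}" in
    run) main ;;
esac
```

On the relay, keep GatewayPorts at its default of no and, if its OpenSSH is 7.2 or newer, prefix the NAS's public key in authorized_keys with `restrict,port-forwarding` so that key can open the reverse tunnel but not a shell. To reach the NAS from the relay, read the port from the cron output and run `ssh -p <port> root@127.0.0.1` there.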

rm-r

Contributor
Joined
Jan 7, 2013
Messages
166
As a note - this works great - the only snag I found was that you have to enable "Allow TCP Port Forwarding:" under the SSH service settings - otherwise you get an error from the script being unable to forward the ports.
 