Can a FreeNAS VPN to a Sonicwall?

Status
Not open for further replies.

steve.long

Dabbler
Joined
Jun 14, 2016
Messages
41
I am attempting to figure out how to get two FreeNAS units to talk to each other over the WAN. I'd like to create replication tasks from my onsite FreeNAS to my offsite FreeNAS. The onsite sits behind a Sonicwall and has a static public IP address. The offsite has none of that stuff.

Obviously it would be easiest if i could just use my existing VPN, but I haven't seen anyone else post about doing that.

Is there any way to do this?

What other ideas could I explore?
 

tvsjr

Guru
Joined
Aug 29, 2015
Messages
959
Existing VPN? If you already have a tunnel in place between the two locations, there's no reason you can't use that for your ZFS replication.
 

steve.long

Dabbler
Joined
Jun 14, 2016
Messages
41
Existing VPN? If you already have a tunnel in place between the two locations, there's no reason you can't use that for your ZFS replication.
You're right, but I misled you. I don't have the tunnel, I just a VPN capability with my Sonicwall. I'm wondering if a FreeNAS can establish a VPN connection to a Sonicwall.
 

tvsjr

Guru
Joined
Aug 29, 2015
Messages
959
You should be able to run something in a jail.

Now, for the religious argument. I personally feel that running a VPN, potentially exposing a box to the public Internet (depending on your config), on top of FreeNAS is a Bad Idea. In my corporate world, such a configuration would get you excoriated (by me, heh). Rather than running something on the FreeNAS, I'd suggest running the VPN tunnel on an upstream network appliance designed for the task. Another Sonicwall, a pfSense box, etc.
 

steve.long

Dabbler
Joined
Jun 14, 2016
Messages
41
If I put OpenVPN on both FreeNAS boxes and both of them were sitting behind firewalls, would you approve of that security?
 

tvsjr

Guru
Joined
Aug 29, 2015
Messages
959
From a corporate perspective, probably not... we tend to like things to be single-purpose. A server shouldn't be a NAS and be a VPN server/client at the same time.

That said, as long as your firewall was configured to only allow the traffic to/from approved destinations, I wouldn't have too much heartburn with it. And it should only be used for FN-to-FN traffic... I wouldn't want it acting as a VPN router. I would suggest doing other simple stuff like changing the default port (don't use 1194), etc. Yes, it's security by obscurity, but it will keep you somewhat hidden from the automated scanners out there.
 

steve.long

Dabbler
Joined
Jun 14, 2016
Messages
41
And it should only be used for FN-to-FN traffic... I wouldn't want it acting as a VPN router.

Right, the only purpose of the VPN would be for replication. The only route the OpenVPN would handle is to and from the other FreeNAS.
 

PhilipS

Contributor
Joined
May 10, 2016
Messages
179
I wouldn't want to have to try to support a Sonicwall client on a FreeBSD machine - it just isn't supported well (at all?).

My recommendation would be to have a separate boxes handle the VPN connection between the two locations. Single purpose appliances are much easier to deal with. Imagine an update breaking your VPN jail on the remote machine - how do you fix it?

pfSense makes OpenVPN setup fairly easy - nice GUI for certificate management as well. I don't use this, but check out a netgate SG-1000 - would probably work well for your use case. If you really need to keep the price down, you could check out a Ubiquiti EdgeRouterX - it supports OpenVPN as well - harder to setup than pfSense (IMO) though - they have their own command line language that drives me nuts and you will need to use it to configure OpenVPN - but I use this at my house because it was cheap, low power usage, and no one was paying me for my time.
 

tvsjr

Guru
Joined
Aug 29, 2015
Messages
959
BTW, pfSense works great on just about anything, but the Netgate stuff is purpose built and usually sips power. I run pfSense on a 4-core E3 here as my main firewall/router, and also have pfSense running on a VPS providing static public IPs across a tunnel to my systems at home. You may have something laying around that would be sufficient to run it.
 

c32767a

Patron
Joined
Dec 13, 2012
Messages
371
I wouldn't want to have to try to support a Sonicwall client on a FreeBSD machine - it just isn't supported well (at all?).

My recommendation would be to have a separate boxes handle the VPN connection between the two locations. Single purpose appliances are much easier to deal with. Imagine an update breaking your VPN jail on the remote machine - how do you fix it?

pfSense makes OpenVPN setup fairly easy - nice GUI for certificate management as well. I don't use this, but check out a netgate SG-1000 - would probably work well for your use case. If you really need to keep the price down, you could check out a Ubiquiti EdgeRouterX - it supports OpenVPN as well - harder to setup than pfSense (IMO) though - they have their own command line language that drives me nuts and you will need to use it to configure OpenVPN - but I use this at my house because it was cheap, low power usage, and no one was paying me for my time.

Sonicwall supports and interoperates with IPSec and other firewalls. There are lots of google hits for doing IPSec tunnels between sonicwall and other devices. No need to replace a perfectly good firewall on one end.. Just get an inexpensive pfsense box for the other site and set up an ipsec tunnel between the two.
 
Status
Not open for further replies.
Top