Help with accessing server remotely - advice

Status
Not open for further replies.

ironfelix717

Dabbler
Joined
Dec 19, 2017
Messages
11
Hi,

Just built my first home FreeNAS box. Successfully was able to set up all the basics, like data sets, users/groups, permissions and SMB shares, etc..... Cool! A good learning experience, as I'm new to servers/networking.

Now, I would like to learn about how to actually make this box useful... like remote connection. aka, 80% of the purpose of a NAS box IMO... I just purchased a VPN service to accommodate any remote security.

So it seems everyone in the community takes the following positions on remote FreeNAS servers...

1.) Don't open up any ports.. ever (my response: what is the point of a server if you can't access it remotely)
2.) If you need to do remote access, do it with a VPN/Jail
3.) If you don't have a VPN, do it through SSH tunnel with keys

That leaves me with trying the VPN/Jail method. But I'll be honest, my networking knowledge is weak. And as to be expected, networking isn't a great beginner-friendly topic. So, I've thoroughly looked at the guide here: https://forums.freenas.org/index.ph...-6-with-access-to-remote-hosts-via-nat.22873/
which has left me very unconfident. I don't quite understand OpenVPN/Jails and I'm not comfortable with an SSH terminal, but I can learn... I've also considered this guide:
https://forums.freenas.org/index.ph...r-freenas-server-remotely-and-securely.27376/
And once again, I'm very unconfident in what I'm doing.

Even if I could follow the first guide on VPN/Jail, I still don't understand it. So, I come here for some advice to first make sure what I am attempting to do is feasible and secure...

What I want to achieve is the following:
1) Secure remote connection: as secure as possible
2) The 5 users currently configured with SMB shares can access their datasets remotely via web browser, or client software.
3) No special client (like Putty) 'required' to access files
4.) Support for Mac and Windows machines - able to be mapped to a network drive, etc.

I will conclude with these questions... Is this feasible? Is this secure? Can you provide any resources to help me achieve this? Appreciative of any other tips on how these technologies work, such as Jail/VPN and why it's secure.

Thank you for your time.
 

Zredwire

Explorer
Joined
Nov 7, 2017
Messages
85
I run VPN on my router. Is that an option for you? That can be an easier setup sometimes than trying to run it on FreeNAS.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,455
> what is the point of a server if you can't access it remotely
To share files and other services on your LAN.

As @Zredwire says, really, the best way to do this is with your router acting as a VPN server. Some consumer routers include this capability out of the box; many others can be flashed with aftermarket firmware that will do it. A better option would be to use something like a Ubiquiti EdgeRouter or (what I use) a pfSense router. For this to be practical, you'd also need some sort of dynamic DNS set up, so that your connection will always go to a defined hostname.

Edit: Even with the VPN set up, CIFS doesn't work very well over a slow network. A better option might be to set up Nextcloud. Your users can access it directly through its web interface, or using client apps on their computers/phones/tablets. In that regard, it works a lot like Dropbox.
 

BigDave

FreeNAS Enthusiast
Joined
Oct 6, 2013
Messages
2,479
> And once again, I'm very unconfident in what I'm doing.
>
> Even if I could follow the first guide on VPN/Jail, I still don't understand it. So, I come here for some advice to first make sure what I am attempting to do is feasible and secure...
I too want to get where you are wanting to go, eventually... I'm still learning.
My intention is to go the VPN route but not in a jail. I will make this happen through my router. You need to understand that this is doable and is secure, but the words in your posts tell readers of your post that you (like me) have a long way to go before you should attempt this. Don't be discouraged by my cautious tone but please realize I'm in no hurry, and will practice patience every step of the way. This was recommended to me three years ago when I began asking these very same questions then. I was told back then that exposing your files to the internet without proper understanding and learned skills is like practicing Voodoo without knowing, it will bring you Bad JuJu!
 

ironfelix717

Dabbler
Joined
Dec 19, 2017
Messages
11
Hello,

Thank you all for the replies...

Remote access is critical to a large percentage of consumer FreeNAS builders because home network client pools are small. Thus, the need to share files over LAN is quite low--why not get a Dropbox service instead? Backup capabilities are one key advantage of having a LAN. However, most individuals would rather just throw another HDD in their client machine and call it done and completely skip building a NAS if it can only run on LAN securely... And looking at this issue from the commercial side, enterprises both small and large (at least the many I've been employed for in the industrial sector) offer remote access to their clients because it's a more-than-appropriate function of a server. Because of these realizations, I struggle to understand why there seems to be a lack of thorough support for remote FreeNAS services... Again, I am a newb, so perhaps my perspective is a bit skewed.

As for a remedy to my problem: I have a pretty darn nice router. It's large and has "5GHz" wifi support, which I pretty much know nothing about lol..

So I will get into the gateway and see what it says about VPN. I've heard of FreeNAS plugins like Owncloud and others, but was told it was not secure. danb35, could you provide any links to tutorials/HOW TOs that might be of interest to me?

BigDave, thanks for the wisdom. Best of luck to you.


Regards
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,455
> so perhaps my perspective is a bit skewed.
I think it probably is--I don't believe your perspective of "a large percentage of consumer FreeNAS builders" is correct, frankly. It's been relatively recently that the idea of "the cloud" (i.e., store your data on someone else's computer) has become popular; I expect that for many users, the idea of a NAS is to have a safe place to store LAN data, backups, media, etc. But whatever the numbers are, you're far from the only person who wants something like this (as is evident from several other threads on this or related issues).

Now, if media is any part of your use case, systems like Plex or Emby are designed for exactly that purpose. Plex, at least (I don't have any real experience with Emby) works well both locally and remotely.

AFAIK, Nextcloud is pretty secure. I hope so, anyway, as I'm running it on my home server (not my FreeNAS box, though) and it's exposed to the Internet. Installing it in a FreeNAS jail would probably be safer yet, since it would limit the exposure--though if an attacker were to gain control of that jail, it would still be an attack vector to the rest of your LAN. But there are guides here to installing Nextcloud and securing it with SSL.

> I struggle to understand why there seems to be a lack of thorough support for remote FreeNAS services.
Security is going to be part of the reason--anything that exposes your server to the Internet (even a VPN server) is an attack vector. But I'd expect the larger reason has to do with the fact that this would require ongoing, Internet-accessible services. Someone (like iX) would need to provide DDNS, possibly port forwarding, and a variety of other services that would let you go to (say) yourname.freenas.com and reach your server. This is how the commercial NASs (Synology, QNAP, etc.) do it, and of course they get paid for it. And they aren't very concerned about security, based on what I've seen of how they operate.
 

Zredwire

Explorer
Joined
Nov 7, 2017
Messages
85
You can run the VPN on FreeNAS (or another server on your network) but it is more involved and arguably less secure. It is more involved as you will have to forward the VPN ports on your router to the FreeNAS box. The ports you forward will depend on the type of VPN you use. Sometimes it is several ports. Also, if you do it this way you have to allow the outside traffic onto your LAN (to get to the FreeNAS box) before it is authenticated. Usually the best way to do VPN is to use your edge router. Another safe option is to use a VPN server in a DMZ but this is even more complicated.
 