
[How-To] How to Access Your FreeNAS Server Remotely (and Securely)


andrewjs18

Member
Joined
Oct 19, 2014
Messages
132
> I know this thread is a couple of months old but the OP's significant contribution is worth a look at again. It forced me to stop and think when I came across it today.
>
> In my opinion, this approach however lowers the security a notch or two since the traffic is allowed to pass through the router and then authenticated at the FreeNAS box. This means other resources on your network/s, behind the router, are exposed to potential breach.
>
> I'd argue that having an OpenVPN server running on the router (i.e. the front gate to your whole network/s) is more secure. In this way, access to any authorized resources behind the router has to first pass the secured authentication on the router. The OpenVPN client runs on the remote host.
>
> Which router offers you that feature at an affordable price? Try MikroTik. For the US market, try this site: http://www.ispsupplies.com/brands/MikroTik-Reseller/
>
> (I am not associated with this company in any way except I bought a book on MikroTik from them).
> My two cents.
I'll bet most people do not have a router capable of running openvpn on it, especially if they're running this within their home LAN (myself included at the moment).
 

FNSeeker

Member
Joined
Jan 3, 2014
Messages
36
> Your analogy isn't quite right.
Perhaps. The implicit assumption in your refined scenario however is that the front gate (router) has a robust inbuilt security to monitor and direct the delivery truck to the designated building only. Using the analogy from another angle, it's prudent to expect that the guard at the designated building regards security outside his area NOT his concerns. Typical.

Put together, if you have to have a good router, it makes more sense to have a robust VPN such as an OpenVPN server running at the router. In this way, you don't need to set up a VPN for every device on your network in order to securely access them remotely.

Please remember security is a revolving feature. And without wanting to get into an argument unnecessarily, SSH is a poor man's VPN.

> I'll bet most people do not have a router capable of running openvpn on it, especially if they're running this within their home LAN (myself included at the moment).
I suggest you give a MikroTik router a look. Its features rival Cisco at an affordable price. A 1GB USB key cost my uni A$500 at one stage. Nowadays, I can get one of 128GB for much less. Times change.

I have an RB2011UiAS-2HnD-IN at home with an OpenVPN server running on it. It is under US$150. Previously I had an RB493G.

You'll need a bit of networking knowledge to set up a MikroTik router. But I reckon if you can configure FreeNAS, I am sure you can handle MikroTik.

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,862
Port forwarding is very straightforward. And packets from the router can only get to the internal IP destination. So yes, my assumption is accurate.

I'm not sure if the Mikrotik comment was directed at me, but if so I'm using a Ubiquiti Edge Router that I'm very happy with.
 

FNSeeker

Member
Joined
Jan 3, 2014
Messages
36
> Port forwarding is very straightforward. And packets from the router can only get to the internal IP destination. So yes, my assumption is accurate.
>
> I'm not sure if the Mikrotik comment was directed at me, but if so I'm using a Ubiquiti Edge Router that I'm very happy with.
I understand that Ubiquiti is a good brand of router. With revelations from ES, I'd say any assumption re security is limited to what we know. With respect.

My MikroTik referral was in response to andrewjs18.
 

lochnas

Newbie
Joined
Jun 22, 2015
Messages
3
Hi, thanks for the guide, but I'm having some trouble getting everything set up properly. I added my keys and I can tunnel while working locally. I have set up port forwarding on port 22 and duckdns as per the instructions, but when I attempt to login from my client (OS X) on a different network:

Code:
ssh username@<domain>.duckdns.org

It gives me
Code:
Password for username@pfsense.local:
which doesn't make any sense. I have password auth disabled and I'm not using pfsense as far as I'm aware.
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,862
Looks like the forwarding isn't set up properly on your router and your pfsense is trying to authenticate the connection request.
 

lochnas

Newbie
Joined
Jun 22, 2015
Messages
3
I thought I had properly configured port forwarding on my router.

Could it be that my ISP is blocking port 22? How can I test this?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
7,288
> I thought I had properly configured port forwarding on my router.
>
> Could it be that my ISP is blocking port 22? How can I test this?
If your ISP was blocking port 22, then you would not get a login prompt for a pfsense box. Perhaps your dynamic dns isn't updating properly. Try forwarding a different public-facing port number to 22 on the FreeNAS box (for instance 443).

I assume you are testing from a network outside of your home network.
 

lochnas

Newbie
Joined
Jun 22, 2015
Messages
3
> If your ISP was blocking port 22, then you would not get a login prompt for a pfsense box. Perhaps your dynamic dns isn't updating properly. Try forwarding a different public-facing port number to 22 on the FreeNAS box (for instance 443).
>
> I assume you are testing from a network outside of your home network.
Yes, I'm testing from outside. What seems weird is that it says pfsense.local, which makes me think that it's the pfsense on my OS X machine not my router or my FreeNAS box.

I tried forwarding other ports, but http://www.yougetsignal.com/tools/open-ports/ can't see them so I'm assuming my ISP is blocking something or my router is being problematic. It's hard to figure out what exactly the problem is.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
7,288
> Yes, I'm testing from outside. What seems weird is that it says pfsense.local, which makes me think that it's the pfsense on my OS X machine not my router or my FreeNAS box.
>
> I tried forwarding other ports, but http://www.yougetsignal.com/tools/open-ports/ can't see them so I'm assuming my ISP is blocking something or my router is being problematic. It's hard to figure out what exactly the problem is.
Turn off the pfsense VM when you're testing. It's possible that you've misconfigured your router or that dynamic DNS isn't working properly. You might also have configured double NAT. Do you have a separate modem and wireless access point/router/whatever? ISPs don't typically block inbound traffic.
 

andrewjs18

Member
Joined
Oct 19, 2014
Messages
132
> Yes, I'm testing from outside. What seems weird is that it says pfsense.local, which makes me think that it's the pfsense on my OS X machine not my router or my FreeNAS box.
>
> I tried forwarding other ports, but http://www.yougetsignal.com/tools/open-ports/ can't see them so I'm assuming my ISP is blocking something or my router is being problematic. It's hard to figure out what exactly the problem is.
Do you happen to have anything else within your LAN also running on port 22? If so, that could be the problem. If you're trying to ssh in and it's sending you to a different location than what you intended on getting to, that leads me to believe that you have two services using the same port number. Try moving one to 2222. I don't know of many ISPs, if any, that block port 22. Most block http ports and mail server ports, not ssh.

Also note that the site you listed will only show open ports if there's a piece of software listening for incoming traffic on the port(s) you specified.

George51

Member
Joined
Feb 4, 2014
Messages
126
Okay - I'm stumped - I've tried googling/reading this forum to no avail.

I have successfully followed most of this guide. I've created keys (on Windows via PuTTYgen) and added them to a new user I created called "SSH". I set it up using a high-numbered port and added a port forwarding rule which forwards the same numbered port locally and externally (rather than a different one). Set up the duckdns and cron job etc.

I'm now outside the local network. I can get PuTTY to connect to, and correctly authorise the keys, and this gives me the command line as the SSH user. Happy, since that means most of it is working. I can run cmds like "zpool status" etc.

What I can't do is the tunnelling bit. I tried on Chrome adding "localhost" and the high-numbered port, then logging into the local IP address that my FreeNAS box is on, i.e. "192.168.1.81", and I get "proxy connection failed". Googled that and played around for a while. Gave up, installed Firefox and used the settings as the OP showed with my port number, and this time I get "The proxy server is refusing connections".

Tried with a few different IPs on my local network, aka router, a syncthing instance, IPMI, all the same. Any advice?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
7,288
> Okay - I'm stumped - I've tried googling/reading this forum to no avail.
>
> I have successfully followed most of this guide. I've created keys (on Windows via PuTTYgen) and added them to a new user I created called "SSH". I set it up using a high-numbered port and added a port forwarding rule which forwards the same numbered port locally and externally (rather than a different one). Set up the duckdns and cron job etc.
>
> I'm now outside the local network. I can get PuTTY to connect to, and correctly authorise the keys, and this gives me the command line as the SSH user. Happy, since that means most of it is working. I can run cmds like "zpool status" etc.
>
> What I can't do is the tunnelling bit. I tried on Chrome adding "localhost" and the high-numbered port, then logging into the local IP address that my FreeNAS box is on, i.e. "192.168.1.81", and I get "proxy connection failed". Googled that and played around for a while. Gave up, installed Firefox and used the settings as the OP showed with my port number, and this time I get "The proxy server is refusing connections".
>
> Tried with a few different IPs on my local network, aka router, a syncthing instance, IPMI, all the same. Any advice?
I mostly use the Linux/BSD ssh client. Not much PuTTY config experience. On *nix, you can type
Code:
ssh -D 8080 -p <port that SSH server is listening on> user@foo.com
Then I use foxy-proxy and add localhost:8080 as a socks5 proxy. Enable the proxy then you're good to go. IPMI may not fully work since sending UDP through socks proxy is a pain.

The "-D" option on a *nix SSH client specifies a local "dynamic" application-level port forwarding. This works by allocating a socket to listen to a port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine.
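As an added example (not code from this thread, nor from OpenSSH or FreeNAS), here is the SOCKS5 exchange that a browser or foxy-proxy performs against the localhost:8080 listener that `ssh -D 8080` opens, written in Python with the wire-format steps split out so they can be checked offline. The function names and the sample byte strings are constructed for illustration; the point worth noticing is that the listener itself performs no authentication (method 0x00), which is why it should stay bound to localhost and rely on the SSH login for access control.

```python
import socket
import struct

# SOCKS5 reply codes (RFC 1928); code 0 means success.
REPLY_CODES = {1: "general failure", 2: "not allowed by ruleset", 3: "network unreachable",
               4: "host unreachable", 5: "connection refused", 6: "TTL expired",
               7: "command not supported", 8: "address type not supported"}

def build_greeting() -> bytes:
    # Version 5, one method offered, 0x00 = no auth: ssh -D accepts only this; the SSH login is the auth.
    return b"\x05\x01\x00"

def parse_method_reply(data: bytes) -> None:
    if len(data) < 2 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 server")
    if data[1] != 0x00:
        raise ValueError("proxy rejected the no-auth method: 0x%02x" % data[1])

def build_connect(host: str, port: int) -> bytes:
    # A literal IPv4 is sent as ATYP 1; anything else goes as a domain name
    # (ATYP 3) so the remote end resolves it with its own LAN view of DNS.
    try:
        addr = b"\x01" + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack(">H", port)

def parse_connect_reply(data: bytes) -> tuple:
    # Returns (bound_host, bound_port); raises with the server's reason on failure.
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("malformed SOCKS5 reply")
    if data[1] != 0x00:
        raise ConnectionError(REPLY_CODES.get(data[1], "unknown code %d" % data[1]))
    if data[3] == 0x01:                          # IPv4 bound address
        host, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif data[3] == 0x03:                        # domain-name bound address
        host, rest = data[5:5 + data[4]].decode(), data[5 + data[4]:]
    else:
        raise ValueError("unsupported bound address type %d" % data[3])
    return host, struct.unpack(">H", rest[:2])[0]

def connect_via_socks(proxy, target) -> socket.socket:
    # Open a TCP connection to target=(host, port) through the ssh -D listener.
    s = socket.create_connection(proxy)
    s.sendall(build_greeting())
    parse_method_reply(s.recv(2))
    s.sendall(build_connect(*target))
    parse_connect_reply(s.recv(262))             # upper bound of a SOCKS5 reply
    return s
```

With the tunnel up, `connect_via_socks(("127.0.0.1", 8080), ("192.168.1.81", 80))` returns a socket that reaches the FreeNAS web UI from the remote side, and a "connection refused" error here is the same condition the browser reports as "The proxy server is refusing connections".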

George51

Member
Joined
Feb 4, 2014
Messages
126
> I mostly use the Linux/BSD ssh client. Not much PuTTY config experience. On *nix, you can type
> Code:
> ssh -D 8080 -p <port that SSH server is listening on> user@foo.com
> Then I use foxy-proxy and add localhost:8080 as a socks5 proxy. Enable the proxy then you're good to go. IPMI may not fully work since sending UDP through socks proxy is a pain.
>
> The "-D" option on a *nix SSH client specifies a local "dynamic" application-level port forwarding. This works by allocating a socket to listen to a port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine.
Thank you - solved my issues - can get the full SSH stuff working now and access everything.

A further question. So the user I have used to get SSH access to my FreeNAS box is one I called "SSH", and the home directory for that is within my only pool on the box. This pool is encrypted; therefore when I restart the box, I can no longer SSH into it, as the public key bit is all saved on the now locked encrypted disks, which I can't unlock until I SSH in to put in the password... You see how this is a small circle.
Is it possible to move the home directory of my user to the boot pool? Which isn't encrypted and therefore upon a reset I could SSH in and unlock the pool?
 

Glorious1

Neophyte Sage
Joined
Nov 23, 2014
Messages
1,065
Never mind, someone answered it already.
 

George51

Member
Joined
Feb 4, 2014
Messages
126
> Thank you - solved my issues - can get the full SSH stuff working now and access everything.
>
> A further question. So the user I have used to get SSH access to my FreeNAS box is one I called "SSH", and the home directory for that is within my only pool on the box. This pool is encrypted; therefore when I restart the box, I can no longer SSH into it, as the public key bit is all saved on the now locked encrypted disks, which I can't unlock until I SSH in to put in the password... You see how this is a small circle.
> Is it possible to move the home directory of my user to the boot pool? Which isn't encrypted and therefore upon a reset I could SSH in and unlock the pool?
Going back on topic and ignoring the dodgy guide... Any one any ideas on how to get around my encryption problem?
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,361
> Going back on topic and ignoring the dodgy guide... Any one any ideas on how to get around my encryption problem?
You can ssh with the root user, I think. Root's home dir is on the OS drive.
 

George51

Member
Joined
Feb 4, 2014
Messages
126
> As far as I know you can't reliably put anything on the boot pool. I understand the system takes everything for itself and doesn't share well. Maybe someone will correct me on that.
> However, why couldn't you make another, very small pool to hold the home directory? Even just another USB flash drive or two?
Cheers, that's the route I went: bought two USBs and created a small mirrored pool, placed the user's home directory there, and job's a good 'un. Thank you.
 

Glorious1

Neophyte Sage
Joined
Nov 23, 2014
Messages
1,065
Glad to help, although I think SweetAndLow's solution would be simpler if it works.
 