[How-To] How to Access Your FreeNAS Server Remotely (and Securely)

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
Right. Assuming the owner is you, look up chmod to see how to change permissions.
 

Glorious1

By the way, @nojohnny101, I've looked into DMZ a bit and it sounds dangerous. It basically opens up the computer to the internet, removing the protection you are working to provide. I've seen it called a "honeypot" for hackers. Here is from dslreports.com:

11. The DMZ should be totally avoided on most NAT routers.

A DMZ is not normally required, provided you know your software. Check the software vendor's website, or email their support area, or search here in BBR, to find out what ports you need to set as trigger ports for which ports, or which ports to forward.

If you really do need a DMZ, use a device that treats the computer in the DMZ as though it was an untrusted computer outside your local network. Ordinary NAT routers do not normally provide this type of DMZ; they normally just forward all unsolicited traffic to the machine in the DMZ, leaving it with no NAT protection.
 

nojohnny101

Wizard
Joined
Dec 3, 2015
Messages
1,478
@Glorious1

Oh, I didn't know it opened it up to the whole internet! Yikes! Ok that has been changed back. I went back through on the server and my mac and made sure the permissions were correct and if they weren't, I changed them to what you suggested.

But again, after changing the DMZ setting back to what it was before, attempting to SSH in through the domain service (duckdns) times out again. It seems when the DMZ setting is changed and the NAT is bypassed, it gets further along in the process. So I'm back a step now in progress :(

I have checked to see if possibly my ISP is blocking port 22 but they aren't. I have also tried from an external network and that didn't work either, still times out.

I'm out of ideas, seems I have tried everything....
 

Glorious1

Well, one problem solved I think. Now look at your complete external SSH command to see what port it is trying to use. On your router, set up port forwarding for that external port, and make sure the internal port on the forwarding is the same as what the FreeNAS SSH is set up to use.
 

nojohnny101

Hello,
@Glorious1 sorry for the delay, had some things I had to take care of. Ok so I went back through your very detailed instructions and checked everything. Here is what I have:

Router
- Forwarding the IP address of the freeNAS from the local port of 22 to external port 1277

FreeNAS
- SSH service successfully on
- have the following CRON job running on 01 minutes every 4 hours and day of the month (everyday), month (every month), day of week (everyday) with redirect stdout (true), redirect stderr (false), enabled (true)
- curl command on CRON job is: /usr/local/bin/curl https://www.duckdns.org/update/mysubdomain/mytoken
- curl command is run as "nobody"

duck DNS
- ensured my IP address is updated and synched with my subdomain.

Thoughts
- The command times out when I try connecting through duckdns while on the internal network, and even if I try with the external IP address from outside the network, specifying with -p 1277.
- The command is successful if I connect directly to the internal IP address of the FreeNAS box.

Does this narrow it down to a problem with the router? I have thought about this but have tried two different routers (an Airport Extreme and a D-Link) and the results haven't changed. Is there a way to confirm the curl command is running? Maybe that is it?

I really appreciate the help!
 

Glorious1

> Hello,
> @Glorious1 is there a way to confirm the curl command is running? maybe that is it?

Couple of possibilities.
  1. Cron task. To answer your question, yes. Copy the command out of the cron task and run it manually on the command line. See if you get back OK or KO or neither.
  2. Router
    1. Since you are using different external and internal ports at your router, make sure you don't have them backwards in your forwarding assignment.
    2. Also, the IP in the forward must be the IP of your FreeNAS.
  3. Under FreeNAS, you don't mention what port is assigned to the SSH service. If your router is forwarding external 1277 internal 22, it should be 22.
  4. External port. You may need to use a higher number port. Try something in the 50xxx range. Of course this has to be changed in the router forward and your ssh command.
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
> Router
> - Forwarding the IP address of the freeNAS from the local port of 22 to external port 1277

If this is accurate, your forwarding is backwards. You need to forward external port 1277 to internal freenas IP port 22.
 

Glorious1

> If this is accurate, your forwarding is backwards. You need to forward external port 1277 to internal freenas IP port 22.

Should look something like this (replacing the IP address with yours):
[Attachment: Screen Shot 2016-02-07 at 10.44.56 AM.png]
 

UncleFester

Explorer
Joined
Feb 8, 2016
Messages
53
I have just noticed something which I find quite strange about the private key file (.ppk) as used by the terminal program PuTTY and was hoping someone could explain.

I created a public and private key in PuTTYGen and then saved the private key for use later in PuTTY. I discovered that I can open the private key file in a text editor (e.g. Notepad) and read the contents :eek:.
Is this correct? Surely it should not be possible to read the contents of such a file so easily?

Have I missed something here or have I done something wrong :confused:.

I can't delete the file because it is needed for a saved session in PuTTY.
 

TheSunKing

Dabbler
Joined
Feb 5, 2016
Messages
23
Glorious,

First off - thank you for taking the time to write a concise tutorial on how to set all of this up. It's already helped me immensely. Unfortunately, I'm getting hung up on the last 10% or so.
An important obstacle I'm facing: I set this server up over a weekend trip home right before getting back on a plane and am now quite far away from the server.

What is working
  • SSH access by private key
  • SFTP access
  • Other services (subsonic and transmission)
What isn't working
  • SSH tunnel into the FreeNAS GUI

The parts of the tunnel that are set up
  • SSH access (as mentioned above)
  • Port forwarding on home router (external port 55555 is forwarded to FreeNAS_LocalIP:22)
  • Tunnel set up in putty (forwarding local port 44444 to domain.duckdns.org:55555)
  • Side note: dynamic DNS is confirmed as working, since I use the same url to connect to SSH
  • Firefox proxy (sending traffic through 127.0.0.1:44444 to be then sent through the tunnel)

So, it would seem I have all the parts there. However, trying to connect to FreeNAS_LocalIP just gives me a 'connection was reset' page in Firefox.
Rereading your post, it's possible I do not have "Allow TCP Port Forwarding" box checked under the SSH settings (although I can't recall for sure).
Would that break everything? If so, is there a way to check and/or update that setting from the shell, since I have access to that?

Thanks for the help!
 

depasseg

> • Tunnel set up in putty (forwarding local port 44444 to domain.duckdns.org:55555)

So your tunnel (which I presume is for the webGUI access) is forwarding traffic that lands on your freenas back out to the external port of your router, which then forwards to your internal ssh port. Sounds like you need to change the destination of the putty tunnel to be the local freenas ip and webGUI port.
 

TheSunKing

> So your tunnel (which I presume is for the webGUI access) is forwarding traffic that lands on your freenas back out to the external port of your router, which then forwards to your internal ssh port. Sounds like you need to change the destination of the putty tunnel to be the local freenas ip and webGUI port.

The tunnel is on my laptop, listening on 44444 and forwarding traffic to the external port (55555) of my home router, which is then forwarding that traffic to the FreeNAS.
Or at least that was my intent. Does that sound right?

As an update: I found the ssh config file through the terminal at /etc/ssh/ssh_config and was able to edit it. However, because ssh was running, my changes were reset once the server was rebooted (despite confirming that the config file had indeed been updated before rebooting). Is there a way to edit config files (of services that are running) and force the service to use the updated config file?
 

depasseg

Your laptop config doesn't make sense. Port 44444 (which I assume you are using for the web gui) will eventually get forwarded to the SSH port of the freenas which won't give you webgui.

Your laptop is the one you have with you outside your home network right? So once you've connected from it via ssh to freenas, your tunnel should be configured to go directly to the internal ip address and port of the freenas webgui. Then you access the gui on your laptop with http://127.0.0.1:44444.
 

TheSunKing

> Your laptop config doesn't make sense. Port 44444 (which I assume you are using for the web gui) will eventually get forwarded to the SSH port of the freenas which won't give you webgui.

Yes, my goal is to get to the webgui.

> Your laptop is the one you have with you outside your home network right?

Yes.

> So once you've connected from it via ssh to freenas, your tunnel should be configured to go directly to the internal ip address and port of the freenas webgui. Then you access the gui on your laptop with http://127.0.0.1:44444.

Okay. So I think I understand a little more now. Or, at the very least, I have a better idea of what I don't understand.
Because my router is forwarding 55555 to SSH (22) on the FreeNAS, I'm not getting the webgui when connecting through 55555. So I need to connect to the webgui through port 80 via the tunnel.
How do I configure the tunnel on my laptop (using putty currently) to connect to a local IP on my home network?

Attempting to follow along with your post, I tried the following: SSH connection information as before (domain.duckdns.org:55555) with a local tunnel from port 44444 to FreeNAS_LocalIP:80. Trying to connect to http://127.0.0.1:44444 gives me the same connection reset page. I would think that forwarding a port from my home router to port 80 on the FreeNAS would work, but that seems... unwise.
Do I need to set up a remote tunnel on the FreeNAS to provide me a port to connect to from my laptop?

Thanks for the help, @depasseg - I appreciate it.
 

depasseg

This should work:
  • Configure port forwarding on home router (external port 55555 is forwarded to FreeNAS_LocalIP:22)
  • SSH to domain.duckdns.org:55555 (the Tunnel should be set up in putty prior to connecting (forwarding local port 44444 to destination 127.0.0.1:80))
  • open web browser on remote end of tunnel and go to http://127.0.0.1:44444
 

TheSunKing

> • Configure port forwarding on home router (external port 55555 is forwarded to FreeNAS_LocalIP:22)
> • SSH to domain.duckdns.org:55555 (the Tunnel should be set up in putty prior to connecting (forwarding local port 44444 to destination 127.0.0.1:80))

Okay, just tried this. No go - same 'connection was reset page'. Pinging 127.0.0.1:44444 from my laptop gives me a 'could not find host'. Checked, double checked, and then checked again that my putty matches what you have written. Still no go.

I was able to confirm when accessing the ssh_config earlier that I am indeed missing the entry for AllowTcpForwarding. Is this kind of tunneling forbidden by missing that setting?
 

depasseg


TheSunKing

> yes. you need allowtcpforwarding enabled.

Ah, alright. There's my problem then. Is there a way other than editing the ssh_config file to enable that setting from the terminal? Otherwise, it would seem that I would have to stop the ssh service in order to update the config file. And I can't edit the config file after it's stopped if I can't access it via ssh.
 

depasseg

You should be able to edit the file while connected and then in a separate window restart the sshd process via cli without affecting your 1st connection. Google has some examples of this working and I just did a quick test on my box and it worked. (service sshd restart)
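
Added example, not code from any poster in this thread: a shell version of the two checks the last posts discuss. It reads the AllowTcpForwarding value a given sshd config file sets (OpenSSH keeps the first value it reads for a keyword and defaults to yes when none is present) and builds the OpenSSH command-line equivalent of the PuTTY tunnel described above. The function names, the `user` login and the sample config are assumptions.

```shell
#!/bin/sh
# Added example; function names, "user" and the sample config are constructed.

# Print the AllowTcpForwarding value a config file sets globally.
# sshd keeps the first value it reads for a keyword and defaults to "yes".
# Parsing stops at the first Match block, whose settings are conditional.
# Handles the whitespace-separated "Keyword value" form only; as root,
# `sshd -T | grep -i allowtcpforwarding` gives the authoritative answer.
effective_tcp_forwarding() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "allowtcpforwarding" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# Build the OpenSSH equivalent of the PuTTY tunnel.
# Arguments: ssh_host ssh_port local_port dest_host dest_port
# The -L destination is opened from the SSH server's side, so 127.0.0.1:80
# means the server's own web GUI. A destination equal to the SSH endpoint
# only loops back to sshd, so it is rejected. The listener is bound to
# 127.0.0.1 so the forwarded GUI is not reachable from the laptop's network.
tunnel_command() {
    if [ "$4" = "$1" ] && [ "$5" = "$2" ]; then
        echo "error: tunnel destination is the SSH endpoint itself" >&2
        return 1
    fi
    echo "ssh -N -p $2 -L 127.0.0.1:$3:$4:$5 user@$1"
}

# Demo on a constructed config file and the host/ports named in the thread.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# constructed sample sshd_config
Port 22
AllowTcpForwarding no
EOF
echo "AllowTcpForwarding: $(effective_tcp_forwarding "$cfg")"
tunnel_command domain.duckdns.org 55555 44444 127.0.0.1 80
rm -f "$cfg"
```

With the tunnel command running, the web GUI is reached at http://127.0.0.1:44444 on the laptop.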
 