[How-To] How to Access Your FreeNAS Server Remotely (and Securely)

anodos (Sambassador, iXsystems; joined Mar 6, 2014; 9,544 messages)
This is exactly the right way to do it. If you open the standard public facing port, you will draw the incessant fire of countless Russian and Chinese hackers; even if they can't get anywhere, it's still annoying.

Also, if you're using Windows, you might take a look at "Bitvise" rather than putty. It makes handling all of this business rather simple, graphical, and intuitive.
There are some cases where it's useful to run the actual SSH server on a non-standard port.

For instance, if you:
  • extensively use SFTP in a jail
  • don't want your SFTP server to be constantly hammered at
  • have a domain name pointing to the network where the SSH server is located
  • access the SFTP server from WAN and LAN
  • don't want to have separate SFTP client configs based on where you are located.
  • wish to avoid configuring NAT reflection by configuring split DNS on the LAN where the SFTP server is located.
Hell, that list of qualifications is pretty long. I guess I'm probably just being pedantic.
 

Ascotg (Dabbler; joined Sep 26, 2016; 19 messages)
These commands are for the client when trying to access the server remotely (i.e., they may not work on the local network). I have limited experience with Putty, but did get terminal and web access to work via Putty on a Windows machine at work. As far as I can tell, Putty does not allow you to enter Unix commands as such; you have to set settings in the panes to match the meaning of the commands. I can give the details if I get to work today.

A Google search seems to indicate that CIFS/SMB uses port 445. I have not tested file browsing via Windows, as I have no SMB shares on my server.


I found a solution to my first problem using Putty. Under SSH => Tunnels => I filled in port 15443, selected Dynamic, and then Add. Save it. Open. And it seems to work just fine now. Is this a good solution or would you change something?

As to my second problem, I'm still in the dark.
 

Glorious1 (Guru; joined Nov 23, 2014; 1,210 messages)

> I found a solution to my first problem using Putty. Under SSH => Tunnels => I filled in port 15443, selected Dynamic, and then Add. Save it. Open. And it seems to work just fine now. Is this a good solution or would you change something?
>
> As to my second problem, I'm still in the dark.

For web access, that sounds right.

For file browsing over SMB, as said, I have not done that. But study the command as explained in the original post, and see how you might replicate that in the Putty interface.

ssh -L 15548:localhost:548 -p 52739 <you>@<subdomain>.duckdns.org sleep 120

Of course, you want to change 548 to the SMB port 445, and instead of 15548, use 15443, the internal client port you set above to send things to the server. 52739 should be changed to the external SSH port on your server, presumably forwarded to the server by your router.

Maybe this?
[Screenshot: Putty_Tunnels-SMB.png]
 

stallspin (Cadet; joined Oct 5, 2016; 6 messages)

I feel like I've followed everything here to a tee but I still can't manage to get this to work completely. I CAN ssh into freenas remotely, but it seems to be the tunnel and SOCKS setup that I'm failing at so I can't access the webgui. Here's my setup. Disclaimer: I've tried various combinations of these numbers, mostly ip/port combos and what I've read in this thread, but I'm not going to try to list everything. Also note that I'm not using any of the encryption yet, I just have a currently empty freenas box at work that I'd like to be able to manage from home in the future. Thanks for the guide OP, and thanks for any assistance anyone can give.

Freenas internal ssh port: 22
Modem set to forward external port 1099 to freenas_local_ip:22
Modem has static external IP
etc/ssh/ssh_config -> AllowTcpForwarding yes
ssh -D 15000 -p 1099 root@static_ip
works as intended since I've mostly been using the new bash console for Windows

I've tried through Putty as well:
Source: 15000
Destination: freenas_local_ip:80

I've set Firefox as instructed:
SOCKS Host: localhost
Port: 15000

I ssh into freenas and when I try to access anything in the browser, I get "Unable to connect" and (in the console): channel 2: open failed: administratively prohibited: open failed

So it looks like the request is going through but the server is rejecting it, which makes me think there's some setting I haven't flipped on the server but I don't know what.
 

Glorious1 (Guru; joined Nov 23, 2014; 1,210 messages)

> I feel like I've followed everything here to a tee but I still can't manage to get this to work completely. I CAN ssh into freenas remotely, but it seems to be the tunnel and SOCKS setup that I'm failing at so I can't access the webgui. . . .
>
> Freenas internal ssh port: 22
> Modem set to forward external port 1099 to freenas_local_ip:22
> Modem has static external IP
>
> ssh -D 15000 -p 1099 root@static_ip works as intended since I've mostly been using the new bash console for Windows
>
> I've tried through Putty as well:
> Source: 15000
> Destination: freenas_local_ip:80
>
> I've set Firefox as instructed:
> SOCKS Host: localhost
> Port: 15000
>
> I ssh into freenas and when I try to access anything in the browser, I get "Unable to connect" and (in the console): channel 2: open failed: administratively prohibited: open failed
>
> So it looks like the request is going through but the server is rejecting it, which makes me think there's some setting I haven't flipped on the server but I don't know what.

I'm a little unclear on what the situation is. It sounds like you're saying that tunneling works when you do it from a bash shell, but not from Putty?

In Putty, you should not set the destination to the freenas_local_ip:80. That will mean nothing on the client. Actually, you don't set a destination in the Tunnel pane of Putty. Here's what I think will work for you (the two key putty screens; ignore my saved sessions in the first one):
[Screenshot: Putty_Tunnel_poster1_Session.PNG]
[Screenshot: Putty_Tunnel_poster1.PNG]


A couple of other things come to mind. Is Putty set to access your key file for authentication (Connection > SSH > Auth) ? On FreeNAS, is the SSH service set to use port 22?
 

stallspin (Cadet; joined Oct 5, 2016; 6 messages)

Yes the tunnel works from the shell or Putty, I can run commands and log in and all that. I can't get the http forwarding to work through firefox like you showed. I am trying to use the webgui from home.

I do not have a key file, I set up the ssh on FreeNAS before I ran across your guide and I have not gone back to the server location since. I did not think that that could be an issue since I'm already able to connect.

I have tried the settings you show (and again just now) and while it still logs in (through putty or bash) I just get a "connection was reset" error in FF when trying to visit any freenas-local ip. I get the "channel 2: open failed: administratively prohibited: open failed" error in the bash shell if that's open while trying to use the browser.

Thank you for taking the time to assist me.
 

Glorious1 (Guru; joined Nov 23, 2014; 1,210 messages)

> Yes the tunnel works from the shell or Putty, I can run commands and log in and all that. I can't get the http forwarding to work through firefox like you showed. I am trying to use the webgui from home.
>
> I do not have a key file, I set up the ssh on FreeNAS before I ran across your guide and I have not gone back to the server location since. I did not think that that could be an issue since I'm already able to connect.
>
> I have tried the settings you show (and again just now) and while it still logs in (through putty or bash) I just get a "connection was reset" error in FF when trying to visit any freenas-local ip. I get the "channel 2: open failed: administratively prohibited: open failed" error in the bash shell if that's open while trying to use the browser.
>
> Thank you for taking the time to assist me.

Are you testing this at a remote location, not on the same local network as the server?
If you are able to access the server without a key file on the client computer, you are doing something very wrong and your connection is not secure. I'm having trouble putting all this information together. I hope "Login as root with password" is disabled on the FreeNAS.

Can you do the first, basic kind of ssh tunnel, where you just access the FreeNAS directly in the Putty (or bash) console? Please post the command line or Putty settings you use to do that.
 

stallspin (Cadet; joined Oct 5, 2016; 6 messages)

From the remote location: ssh -D 15000 -p 1099 user@static_ip

It then asks for user password

Obviously I can leave out the -D 15000 to get a connection but that command is exactly what I've been using.

I want to reiterate that I intentionally did not create a key file when I set this up. I set up ssh on the testing server on my own, before I discovered your guide. I am aware that it is insecure, but I just want to get it to work. I will generate keys when I'm back on site.
 

Glorious1 (Guru; joined Nov 23, 2014; 1,210 messages)

OK, I get it. You're not using key authentication at all, which of course is what the original post is about.

That said, I honestly don't know if the tunneling web access (where you would need the -D 15000) should work without key authentication, or why it does not work. All that comes to mind is open a new tab in Firefox after you do the manual proxy settings. Or try it on a different computer. Obviously there are a lot of things to check on the server, and you may not be able to sort it out until you get in touch with it.

However - you should not need physical access to the server to set up the keys. The keys are normally built on the client, as I described. You could use scp or something similar to copy it to the server using the location/filename as in method 2 of the original post. Make sure the permissions are set right as described in the Troubleshooting section at the end.
 

stallspin (Cadet; joined Oct 5, 2016; 6 messages)

> However - you should not need physical access to the server to set up the keys. The keys are normally built on the client, as I described. You could use scp or something similar to copy it to the server using the location/filename as in method 2 of the original post.

Yeah I was just looking through the post again and realized I misread that. I'll go back and set up some keys and try again.
 

Glorious1 (Guru; joined Nov 23, 2014; 1,210 messages)

> Yeah I was just looking through the post again and realized I misread that. I'll go back and set up some keys and try again.

And don't forget to check/change permissions - I added that in an edit after you replied.
 

Glorious1 (Guru; joined Nov 23, 2014; 1,210 messages)

> And don't forget to check/change permissions - I added that in an edit after you replied.

In the meantime, I hope you have a strong password. It might help that you are using an arbitrary external port, which by the way I would advise changing once you get the keys set up.
 

stallspin (Cadet; joined Oct 5, 2016; 6 messages)

> And don't forget to check/change permissions - I added that in an edit after you replied.

I saw that you added it. I was able to run over to the server location and start setting up keys but I couldn't get anything to work. I ran into a bunch of problems setting permissions...when I tried to change my user's permissions it wouldn't save. I think my share or users were set up wrong or something so I pretty much deleted everything to start from scratch.

I do have a decent password but I'm not terribly concerned with security at the moment because there's nothing on the server or network yet and it will all be reset/disassembled/moved soon. I'm just playing around with all this to get a feel for it (and the ability to work from home) before I start doing any real work.


Anyway, after I reset everything I went to change the SSH settings and found that Allow TCP Forwarding was not checked, even though it was set to yes in the config file. I checked it and then when I got home I was able to ssh in and go right to the webgui in Firefox. Can't be certain that deleting something else didn't fix it, but that seems to have been what the problem was.
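
Added example, not part of the thread and not FreeNAS's own code: the "administratively prohibited" error above is what an OpenSSH server returns when it refuses to open a forwarded channel, and the fix shows that what counts is the setting the running server uses, not a file on disk. This sketch reads the effective server settings as printed by `sshd -T` and reports whether a -L/-D channel would be opened; the function name, the sample settings and the 192.168.1.10 address are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads effective sshd settings, in the
# "keyword value" form printed by `sshd -T`, on stdin and reports whether a
# client -L/-D channel to DEST (host:port, IPv4 or hostname) would be opened.
forwarding_verdict() {
    awk -v dest="$1" '
        { key = tolower($1) }
        key == "allowtcpforwarding" { atf = tolower($2) }
        key == "disableforwarding"  { dis = tolower($2) }
        key == "permitopen" {
            have_open = 1
            for (i = 2; i <= NF; i++) allow[tolower($i)] = 1
        }
        END {
            dest = tolower(dest)
            host = dest; sub(/:[0-9]+$/, "", host)
            port = dest; sub(/^.*:/, "", port)
            if (dis == "yes") { print "prohibited: DisableForwarding yes"; exit }
            if (atf == "") atf = "yes"            # OpenSSH default when unset
            # -L and -D both need local forwarding to be permitted
            if (atf != "yes" && atf != "all" && atf != "local") {
                print "prohibited: AllowTcpForwarding " atf; exit
            }
            if (have_open && !("any" in allow) && !(dest in allow) &&
                !((host ":*") in allow) && !(("*:" port) in allow)) {
                print "prohibited: PermitOpen does not list " dest; exit
            }
            print "allowed"
        }'
}

# Constructed samples: GUI box unchecked (as found above) vs. checked.
SAMPLE_UNCHECKED='port 22
allowtcpforwarding no
permitopen any'
SAMPLE_CHECKED='port 22
allowtcpforwarding yes
permitopen any'

# 192.168.1.10:80 is a placeholder for freenas_local_ip:80.
printf '%s\n' "$SAMPLE_UNCHECKED" | forwarding_verdict 192.168.1.10:80
printf '%s\n' "$SAMPLE_CHECKED"   | forwarding_verdict 192.168.1.10:80
# On the server itself (as root): sshd -T | forwarding_verdict 192.168.1.10:80
```
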
 

Glorious1 (Guru; joined Nov 23, 2014; 1,210 messages)

> Anyway, after I reset everything I went to change the SSH settings and found that Allow TCP Forwarding was not checked, even though it was set to yes in the config file. I checked it and then when I got home I was able to ssh in and go right to the webgui in Firefox. Can't be certain that deleting something else didn't fix it, but that seems to have been what the problem was.

Great!
 

HeloJunkie (Patron; joined Oct 15, 2014; 300 messages)

This was a fantastic write-up and hopefully, this is the place to share another approach that has worked very well for me and others.

I have a friend that decided to move his business office into his house. As a result, he had several computers that he wanted to connect to a NAS and then wanted to access that same data from the road. I currently manage about 500TB of FreeNAS space (40Tb of that being my own server) so I encouraged him to install a small FreeNAS server and use that for his shares. We spun up two small servers, one primary and one backup and copied his business data from his computers to the FreeNAS servers.

Having designed, engineered and maintained large IP networks and huge internet data centers for most of my adult life, I didn't want to mess with (what I considered) a casual approach to security for his home (now business) network. By casual, I mean the small NAT based devices that many people think are actually true firewalls. When I think of a firewall, I think of deep packet inspection, deep flow inspection, locally terminated SSL for inspection of encrypted sessions, basically every single packet gets stopped at the edge, opened up, inspected for policy and other rules, viruses, phishing, ads, etc - and then either allowed or dropped based on those network rules. This was now his business and he needed more.

In this case, he had an older Dell desktop computer he wasn't using that was a small, mini desktop. I installed the free version of Untangle on it and dropped it between his home cable modem and his little internal wireless/switch he had. I removed the wireless/switch device (which he was having trouble with anyway), installed a small Ubiquiti AP in its place and put in a new little 8 port gig switch. Not counting the FreeNAS hardware, I think he had $250.00 in new gear he purchased which included the brand new AP and a second ethernet card we needed for his Dell.

I set up the OpenVPN server on the firewall, set up his VPN credentials on his laptop and his work machine and within the hour we had everything up and running without changing a single thing on his FreeNAS box, dealing with SSH, etc. Now no matter what network he is on, he can VPN into his network, access all of his data via shares right on his laptop (albeit a little slower than being at home) and get his work done. In his case, the only caution I had for him was losing his laptop with his VPN credentials on it, so we encrypted it and I told him to make sure he shut it off after every use. (Paranoid setting).

I guess the long and short of it is (for me) pretty simple. If you have the know-how to run a FreeNAS server, installing an actual firewall device with edge VPN support is not that complicated and having simple VPN access to your entire network just makes life easier sometimes.

BTW - I don't work for Untangle or Dell :)
 

Glorious1 (Guru; joined Nov 23, 2014; 1,210 messages)

> This was a fantastic write-up and hopefully, this is the place to share another approach that has worked very well for me and others.

Thanks. I've heard about that approach in general but don't know any details. It would be great if you could write a detailed how-to. I also wonder if, instead of requiring a separate computer to host the VPN, could you put it in a FreeNAS jail?
 

HeloJunkie (Patron; joined Oct 15, 2014; 300 messages)

> Thanks. I've heard about that approach in general but don't know any details. It would be great if you could write a detailed how-to. I also wonder if, instead of requiring a separate computer to host the VPN, could you put it in a FreeNAS jail?

I would be happy to write it up, it is just one more approach to access network resources.

As far as running it on your FreeNAS box, I am sure there are ways to get OpenVPN (for example) running in a jail, but in this case the Untangle software that I use sits on a dedicated box/appliance. Within its guts is the OpenVPN server so I don't need to worry about installing it on something else.

I have not even considered if their software would run in a jail...I doubt it since it is designed to be standalone, but I have heard of people running it as a VM, so maybe it would be possible.
 