[How-To] How to Access Your FreeNAS Server Remotely (and Securely)

Drew Burritt

Cadet
Joined
Nov 4, 2016
Messages
1
Hey guys,
I think I set up everything correctly. I can open the tunnel but I am unable to mount my SMB share.
I am connecting using
Code:
 ssh -l user -L 5000:localhost:139 serveraddress  

I am on a Mac and just get "unable to connect" when trying to mount my share using smb://localhost:5000
Is there a way to test that the tunnel is actually forwarding the port to my server? Or am I doing something wrong?

EDIT: Solved it. Didn't realize "Allow TCP port forwarding" had been turned off under SSH settings.
 

Austin Denny

Cadet
Joined
Jul 12, 2017
Messages
1
This was an awesome write-up and still very helpful in 2017. Thanks so much for the effort behind it. A trouble spot I ran into was repeated `permission denied (publickey)` errors. Spent a long time fiddling with permissions, but really the solution was to create `~/.ssh/config` and pass in the necessary arguments through the file. Now everything works :)
 

Ziggy

Contributor
Joined
Oct 7, 2015
Messages
157
UPDATE:
While I can ssh within the LAN into FreeNAS, I still can't do it from outside it. Research so far strongly suggests it's a router/ISP issue that's blocking it. Even tho a port forward tab is available for adjustment within the ISP router settings, it does not work and in a call to tech support my ISP said they don't support/allow port forwarding. When I pointed out that it was therefore unhelpful to have the settings accessible - e.g. not greyed out - there was a distinct lack of comment at the other end of the line. I am currently trying to find a way to either bridge the ISP's modem for use with a second router, or replace the ISP modem altogether with the second router/modem. My ISP does not support bridging or non-ISP modem/routers, hence getting the correct setup parameters and login credentials is difficult - tho I'm on that trail.
Since attempting to set up external access, I have a security related question. Not sure if it belongs in this chain, but it follows from what I'm attempting to do, so I'm posing it here. If it's considered extraneous, I'll move it to a separate question. This morning my security log output at 03:00 - emailed - sent me this:

freenas.local changes in mounted filesystems:
13c13
< freenas-boot/ROOT/11.0-RC3 / zfs rw,noatime,nfsv4acls 0 0
---
> freenas-boot/ROOT/11.0-RC4 / zfs rw,noatime,nfsv4acls 0 0

freenas.local kernel log messages:
> FreeBSD 11.0-STABLE #0 r313908+f4b711d1be8(freenas/11.0-stable): Mon Jun 5 23:11:22 UTC 2017
> root@gauntlet:/freenas-11-releng/freenas/_BE/objs/freenas-11-releng/freenas/_BE/os/sys/FreeNAS.amd64 amd64
> SMP: AP CPU #6 Launched!
> SMP: AP CPU #7 Launched!
> SMP: AP CPU #4 Launched!
> SMP: AP CPU #5 Launched!
> Timecounter "TSC-low" frequency 1200029760 Hz quality 1000
> Trying to mount root from zfs:freenas-boot/ROOT/11.0-RC4 []...
> arp: 192.168.1.1 moved from d0:7a:b5:38:51:bd to 02:10:18:01:00:01 on igb1
> arp: 192.168.1.1 moved from 02:10:18:01:00:01 to d0:7a:b5:38:51:bd on igb1

-- End of security output --


I updated to 11.0-RC4 yesterday morning - June 7 - but the output above in the 7th line refers to June 5. Worryingly I see a "root@gauntlet" entry in the 8th line. My root login is "root@freenas", so my first question is, is this an attempt - successful or otherwise - at a security breach, or does this refer to something within the system that I'm simply not familiar with?
Second question: I've seen the 'arp' lines 16 & 17 a number of times in recent weeks. What do they mean?
Thanks, as always.
UPDATE:
Ok, think I have figured out my problem and hope that it may be of help to others in the same situation. Firstly I discovered that my ISP does not support port forwarding, even tho the port forwarding tab is available and apparently configurable - except it simply doesn't work, as per my attempts. This is since fibre broadband was introduced a couple of years ago and everything runs on VDSL2. They don't support, either, the use of customer bought modems/routers. I'm based in Ireland (Republic of) and word on various fora is that my provider does not want the hassle of supporting troublesome connections (noise?) that may be introduced by customers' own modems/routers and port forwarding. I did a bit of research and it looks like other ISPs in the Irish market do not support port forwarding or customer routers either. I'm currently paying for a static WAN IP so I may as well drop that as I can't use it.
Thus, the only solution I've found so far is that I've installed a CentOS VM, installed TeamViewer within that and use that for external access. NoMachine is another option - with configurable SSL I think - but I haven't got round to testing it outside the LAN yet.
Appreciate all the offered help, so thanks people.
 

urdel62

Explorer
Joined
Nov 27, 2016
Messages
53
Hi,

Has anyone managed to make it work on Windows? (SSH tunnelling)
'Cause I tried a few months earlier and I didn't.

Thanks,
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211

urdel62

Explorer
Joined
Nov 27, 2016
Messages
53
Hi,
I finally managed to set this up on Windows without what's explained by Ascotg.
I just followed Glorious1's tutorial. The thing which wasn't OK is that "Allow TCP port forwarding" wasn't checked on SSH settings on FreeNAS. And now it's OK. I can access my GUIs using local addresses.
And it's also working pretty well for an Android smartphone using SSHTunnel + Firefox.
Thanks,
 

nojohnny101

Wizard
Joined
Dec 3, 2015
Messages
1,478
> The thing which wasn't OK is that "Allow TCP port forwarding" wasn't checked on SSH settings on FreeNAS.

I also had to check that option in order to get it working for me as well. Thanks for the great tutorial @Glorious1!
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
> I also had to check that option in order to get it working for me as well. Thanks for the great tutorial @Glorious1!

I have that setting also, but didn't realize it was necessary for this. I edited the tutorial to include that. Thanks.
 

ManuMCoupe

Dabbler
Joined
Jun 9, 2017
Messages
17
Thanks so much for the tutorial.

I got it all working, almost everything...

I can't connect from the internet.

I have a FreeNAS 11 server, and an Asus AC66-B1 router.

Everything seems well configured (SSH, DDNS, etc...), and it works locally (FileZilla SFTP connection) but over the internet it doesn't work.

Any idea?

Thanks
 

nojohnny101

Wizard
Joined
Dec 3, 2015
Messages
1,478
> Any idea?

Some common problems that I have found when trying to set this up or that I have encountered myself:

1) Make sure you don't have your ports backwards. It is easy to do this on some routers if the fields for port forwarding aren't labeled "external" and "internal".

2) Ensure you have "enable TCP forwarding" checked in the SSH settings within FreeNAS.

3) See the type of error it is giving you. If you can SSH in locally, then you know it is something with your DNS or your router. Start from there.

Try to go through these and let us know. If you are still stuck, it would be helpful if you provide exactly what error you get when you try and SSH in from outside. Does it time out? Does it say "permission denied"?
 

ManuMCoupe

Dabbler
Joined
Jun 9, 2017
Messages
17
> Some common problems that I have found when trying to set this up or that I have encountered myself:
>
> 1) Make sure you don't have your ports backwards. It is easy to do this on some routers if the fields for port forwarding aren't labeled "external" and "internal".
>
> 2) Ensure you have "enable TCP forwarding" checked in the SSH settings within FreeNAS.
>
> 3) See the type of error it is giving you. If you can SSH in locally, then you know it is something with your DNS or your router. Start from there.
>
> Try to go through these and let us know. If you are still stuck, it would be helpful if you provide exactly what error you get when you try and SSH in from outside. Does it time out? Does it say "permission denied"?

Wow, what a quick answer. Thanks!

1) I have source target left blank, external port 52739, my FreeNAS local IP, local port 22 and TCP protocol only.

2) It's checked.

3) I've got a timeout error on the internet connection.

I've tried with DDNS on FreeNAS directly (duckdns) and DDNS on my Asus router (asuscomm.com).

Sent from my ONEPLUS A3003 using Tapatalk
 

ManuMCoupe

Dabbler
Joined
Jun 9, 2017
Messages
17
Problem solved!

It was a very stupid thing. The FreeNAS didn't have the gateway to the router configured :p

Thanks again!

Sent from my ONEPLUS A3003 using Tapatalk
 

nojohnny101

Wizard
Joined
Dec 3, 2015
Messages
1,478
> Problem solved!
>
> It was a very stupid thing. The FreeNAS didn't have the gateway to the router configured :p
>
> Thanks again!

99% of the time it is! We have all been there, glad you got it working!
 

artimess

Cadet
Joined
Nov 6, 2017
Messages
7
I would appreciate some hand-holding to get my issue resolved. All I want to be able to do is access the FreeNAS web GUI through tunneling, but I keep getting:
Code:
open failed: connect failed: Connection refused

My key generation and setup are fine; TCP forwarding and the rest of the details are done as explained in the forum.
The address I use is https://192.168.0.39
1) My router is configured to forward from external port 52739 to my FreeNAS at 192.168.0.39 port 22.
2) My ssh command works fine and establishes the connection, and my Firefox is configured as shown in the forum. The following is part of the debug messages captured with -v to show you the connection is made correctly:
Code:
channel 6: open failed: connect failed: Connection refused
debug1: channel 6: free: direct-tcpip: listening port 15443 for 192.168.0.39 port 443, connect from 127.0.0.1 port 35632 to 127.0.0.1 port 15443, nchannels 7
debug1: client_input_channel_req: channel 2 rtype keepalive@openssh.com reply 1
debug1: Connection to port 15443 forwarding to socks port 0 requested.
debug1: channel 6: new [dynamic-tcpip]
debug1: Connection to port 15443 forwarding to socks port 0 requested.
debug1: channel 7: new [dynamic-tcpip]
debug1: Connection to port 15443 forwarding to socks port 0 requested.
debug1: channel 8: new [dynamic-tcpip]
debug1: channel 7: free: direct-tcpip: listening port 15443 for 192.168.0.39 port 80, connect from 127.0.0.1 port 35636 to 127.0.0.1 port 15443, nchannels 9
debug1: Connection to port 15443 forwarding to socks port 0 requested.
debug1: channel 7: new [dynamic-tcpip]
debug1: channel 4: free: direct-tcpip: listening port 15443 for clients6.google.com port 443, connect from 127.0.0.1 port 35626 to 127.0.0.1 port 15443, nchannels 9
debug1: channel 3: free: direct-tcpip: listening port 15443 for clients6.google.com port 443, connect from 127.0.0.1 port 35624 to 127.0.0.1 port 15443, nchannels 8

The command to establish the connection is:
ssh -v -D 15443 -p 52739 id@mystaticdomain
Thanks
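
An added example, not written by any poster in this thread: a small Python parser for `ssh -v` client output that pairs each `open failed` line with the `free: direct-tcpip` line for the same channel. It separates a server that refuses forwarding (the "Allow TCP port forwarding" setting discussed earlier in the thread) from a tunnel that works but reaches a closed port, as in the log above. The function name `diagnose` and the last two sample lines are constructed for illustration.

```python
import re

# Client-side messages printed by OpenSSH when run as `ssh -v`.
OPEN_FAILED = re.compile(r"channel (\d+): open failed: ([^:]+): (.*)")
FREED = re.compile(r"channel (\d+): free: direct-tcpip: "
                   r"listening port (\d+) for (\S+) port (\d+),")

ADVICE = {
    "administratively prohibited":
        "sshd refused the forward: check 'Allow TCP port forwarding' "
        "in the FreeNAS SSH service settings",
    "connect failed":
        "tunnel works, but nothing accepted the connection at the "
        "destination as seen from the server: check host, port, service",
}

# The first three lines are taken from the post above; the last two are
# constructed for the `-L 5000:localhost:139` case with forwarding disabled.
SAMPLE = """\
channel 6: open failed: connect failed: Connection refused
debug1: channel 6: free: direct-tcpip: listening port 15443 for 192.168.0.39 port 443, connect from 127.0.0.1 port 35632 to 127.0.0.1 port 15443, nchannels 7
debug1: channel 7: free: direct-tcpip: listening port 15443 for 192.168.0.39 port 80, connect from 127.0.0.1 port 35636 to 127.0.0.1 port 15443, nchannels 9
channel 3: open failed: administratively prohibited: open failed
debug1: channel 3: free: direct-tcpip: listening port 5000 for localhost port 139, connect from 127.0.0.1 port 50112 to 127.0.0.1 port 5000, nchannels 4
"""


def diagnose(log_text):
    """Return one finding per failed forward found in `ssh -v` output."""
    pending = {}   # channel id -> (reason, detail); ssh reuses channel ids
    findings = []
    for line in log_text.splitlines():
        m = OPEN_FAILED.search(line)
        if m:
            pending[int(m.group(1))] = (m.group(2).strip(), m.group(3).strip())
            continue
        m = FREED.search(line)
        if m and int(m.group(1)) in pending:
            # The free line names the destination of the failed channel.
            reason, detail = pending.pop(int(m.group(1)))
            findings.append({
                "listen_port": int(m.group(2)),
                "dest": f"{m.group(3)}:{m.group(4)}",
                "reason": reason,
                "detail": detail,
                "advice": ADVICE.get(reason, "unrecognised failure reason"),
            })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```

Feed it the captured stderr of a session, for example the text saved from `ssh -v ... 2> ssh-debug.log`.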
 

nojohnny101

Wizard
Joined
Dec 3, 2015
Messages
1,478
@artimess are you referring to the first line in your 2nd code box? The "channel 6: open failed: connect failed: Connection refused"?

Can you provide some screenshots of your Firefox settings? Are you SSHing from a Windows box or a Mac?

It doesn't seem to be a router problem. Try running this in command:

ssh -D 15449 -p 52739 id@mystaticdomain
 

NazNageer

Cadet
Joined
Mar 23, 2018
Messages
2
Hello, the instructions were very easy to follow but I don't think my public/private keys are working. I can SSH on the local LAN and remotely via duckdns and port forwarding. Using macOS as my client. Still being prompted for my user password, not the passphrase I created when I ran 'ssh-keygen'. Please help.

Thanks,
Naz
 

Yusuf Limalia

Patron
Joined
Apr 5, 2016
Messages
234
> Hello, the instructions were very easy to follow but I don't think my public/private keys are working. I can SSH on the local LAN and remotely via duckdns and port forwarding. Using macOS as my client. Still being prompted for my user password, not the passphrase I created when I ran 'ssh-keygen'. Please help.
>
> Thanks,
> Naz

I’ve had this before; there’s a parameter you need to use when using the Terminal keygen. Can’t remember what it is.

Try on your Mac:
ssh-keygen -t rsa

Then paste your newly generated public key in FreeNAS and try connecting again
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
> Hello, the instructions were very easy to follow but I don't think my public/private keys are working. I can SSH on the local LAN and remotely via duckdns and port forwarding. Using macOS as my client. Still being prompted for my user password, not the passphrase I created when I ran 'ssh-keygen'. Please help.
>
> Thanks,
> Naz

Did you:
In the FreeNAS WebGUI, go to Services > SSH > Settings.
  • Make sure “Login as Root with password” is unchecked.
  • Also uncheck “Allow Password Authentication”. Now only public key authentication can be used to log in.
 

NazNageer

Cadet
Joined
Mar 23, 2018
Messages
2
> Did you:
> In the FreeNAS WebGUI, go to Services > SSH > Settings.
>   • Make sure “Login as Root with password” is unchecked.
>   • Also uncheck “Allow Password Authentication”. Now only public key authentication can be used to log in.

I had these items correct. Decided to start over and use ssh-keygen -t rsa. All is working now. I also noticed that I had to stop and start the SSH service to make my setting changes take effect. Thanks for your help.
 

Yusuf Limalia

Patron
Joined
Apr 5, 2016
Messages
234
> I had these items correct. Decided to start over and use ssh-keygen -t rsa. All is working now. I also noticed that I had to stop and start the SSH service to make my setting changes take effect. Thanks for your help.

Cool man!

Glad you got it sorted.

@Glorious1 consider a minor edit to your original post to caveat that command for macOS users :)
 