How to make server accessible outside home network?

mathboy3141 (Cadet, joined Jan 22, 2019, 3 messages)

Hello, FreeNAS community!

I am completely new to FreeNAS, file servers, forums, building and understanding computers, and pretty much everything that I need to understand how to use this software. (So you are going to have to explain everything to me in very simple terms, I probably know what you are talking about, but don't presume that.)
Yay!
So, anyway, I have been reading how to make a file server accessible within my home network and as of this moment I have 34 mins left to go to download the FreeNAS .iso bootable (I have very slow internet).
I was wondering if it is possible for an amateur like me to be able to make a web server that I can access from anywhere across the globe.
Is this at all possible, and is it simple to do, or am I going to have to change hidden configuration files and all that jazz?

Thanks!
mathboy3141, the kid who wanted to know

P.S. I have a static IP, don't know if that matters. I also have a No-IP account for computers that don't have dynamic. Cheers!
 

Chris Moore (Hall of Famer, joined May 2, 2015, 10,080 messages)

It is possible, but not simple and it puts the NAS at risk of being hacked by bad people on the internet.
 

melloa (Wizard, joined May 22, 2016, 1,749 messages)

I was wondering if it is possible for an amateur like me to be able to make a web server that I can access from anywhere across the globe.

Do you mean access your files/server from the internet or an actual web server? They are two different things. As @Chris Moore said, exposing your server and files directly to the internet is not recommended.

Solutions like Owncloud, Nextcloud, etc., are a good way to access some of your files;
Web server? See Apache, nginx or applications like WordPress, ISPConfig, etc.
 

rvassar (Guru, joined May 2, 2018, 972 messages)

Assuming you have the typical DSL/router combination... You could punch a hole in your router's firewall, and allow port 80 access to a jail running on FreeNAS that hosts a web server. It's not a very good idea, here's why:

1. You have a static IP. But you very likely do not have control of the reverse DNS resolution for that IP, or have the ability to publish a domain record for your web site. All access would be "http://<yourIPAddress>/", with no easy to remember name.

2. Any and all access to said web server would consume and compete for your local bandwidth. Publish one hit meme, and the whole world could arrive on your home DSL line.

3. Security... Your router blocks everything inbound for a reason. Once you start opening up access, you have to consider all the consequences. You may be putting other people in your household at risk.

If you really want to host a public facing web server, not just a site, but the whole server, take a look at some of the cloud computing resources offered near you. Here in the US I can lease a single-core 512mb virtual machine running Linux in a colocated datacenter for about $5 a month. That's about the cost of a cheap sandwich. That VM can host a real domain name, DNS server, and a web server. If something happens to it, I just cancel & delete it.
 

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)

But you very likely do not have control of the reverse DNS resolution for that IP, or have the ability to publish a domain record for your web site.
Why wouldn't he have the ability to publish a domain record? He'd need a domain, of course, but given that, getting DNS service is trivial (I like Cloudflare, but there are plenty of others).
 

rvassar

Why wouldn't he have the ability to publish a domain record? He'd need a domain, of course, but given that, getting DNS service is trivial (I like Cloudflare, but there are plenty of others).

He could certainly obtain a domain, and even publish A and CNAME records that point at his IP address, and possibly even host his own domain's zone using Bind if his ISP allows inbound port 53. But the reverse DNS assignment would remain with his ISP. This isn't the end of the world, but it has repercussions that might get his fledgling site blocked by a variety of services. See: Forward Confirmed Reverse DNS

I've heard of Cloudflare, but have no experience with it. I host my own zone using Bind.
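
The forward-confirmed reverse DNS check mentioned in the post above, as an added example that is not part of the original thread: look up the PTR name for an address, resolve that name forward, and confirm it returns the same address. The function names (`fcrdns`, `demo` and the helpers) are hypothetical, and the sample records use constructed documentation addresses and `.example` names.

```python
import ipaddress
import socket

def system_ptr(ip):
    """Reverse (PTR) lookup through the system resolver."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def system_forward(name):
    """Forward (A/AAAA) lookup through the system resolver."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def _norm(addr):
    # Drop any IPv6 zone id so textual variants compare equal.
    return ipaddress.ip_address(addr.split("%")[0])

def fcrdns(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return (status, names): 'pass' when a PTR name resolves back to ip,
    'mismatch' when PTR names exist but none do, 'no-ptr' when there is no PTR."""
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not names:
        return "no-ptr", []
    target = _norm(ip)
    confirmed = [n for n in names
                 if target in {_norm(a) for a in forward_lookup(n)}]
    return ("pass" if confirmed else "mismatch"), confirmed

# Constructed records (documentation address ranges and .example names).
SAMPLE_PTR = {
    "203.0.113.10": ["host-203-0-113-10.isp.example."],  # PTR set by the ISP
    "203.0.113.20": ["mail.home.example."],              # PTR with no matching A
}
SAMPLE_A = {
    "host-203-0-113-10.isp.example": {"203.0.113.10"},
    "mail.home.example": {"198.51.100.7"},
    "www.home.example": {"203.0.113.10"},  # owner's A record; no PTR names it
}

def demo():
    ptr = lambda ip: SAMPLE_PTR.get(ip, [])
    fwd = lambda name: SAMPLE_A.get(name, set())
    ips = ("203.0.113.10", "203.0.113.20", "203.0.113.30")
    return {ip: fcrdns(ip, ptr, fwd) for ip in ips}
```

In the constructed data the first address passes, but the confirming name is the ISP's host name rather than `www.home.example`, which is the situation the post describes. Calling `fcrdns` with only an address uses the system resolver instead of the sample tables.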
 

mathboy3141

Do you mean access your files/server from the internet or an actual web server? They are two different things. As @Chris Moore said, exposing your server and files directly to the internet is not recommended.

Solutions like Owncloud, Nextcloud, etc., are a good way to access some of your files;
Web server? See Apache, nginx or applications like WordPress, ISPConfig, etc.


Hello!
Thanks for replying.
It would be fine for me to just access my files from the internet, but the problem is that I need multiple people to access these files from a range of devices. The group of people I'm working with want to be able to access the data from any device with an internet connection at any point across the globe, which is why I thought I would have to make a web server for them to visit in a web browser.
Is there a secure way of doing this, as some information may be sensitive?

Thanks,
mathboy3141
 

mathboy3141

Assuming you have the typical DSL/router combination... You could punch a hole in your router's firewall, and allow port 80 access to a jail running on FreeNAS that hosts a web server. It's not a very good idea, here's why:

1. You have a static IP. But you very likely do not have control of the reverse DNS resolution for that IP, or have the ability to publish a domain record for your web site. All access would be "http://<yourIPAddress>/", with no easy to remember name.

2. Any and all access to said web server would consume and compete for your local bandwidth. Publish one hit meme, and the whole world could arrive on your home DSL line.

3. Security... Your router blocks everything inbound for a reason. Once you start opening up access, you have to consider all the consequences. You may be putting other people in your household at risk.

If you really want to host a public facing web server, not just a site, but the whole server, take a look at some of the cloud computing resources offered near you. Here in the US I can lease a single-core 512mb virtual machine running Linux in a colocated datacenter for about $5 a month. That's about the cost of a cheap sandwich. That VM can host a real domain name, DNS server, and a web server. If something happens to it, I just cancel & delete it.

1. I can easily set a dynamic IP because nothing is relying on my IP at the moment, and I can use noip.com to create an easy to remember domain address for that IP. However, as I said I do not understand many terms so, what is reverse DNS resolution and what is publishing a domain record?

2. The files would be accessed by a small group of max 10 people using a computer program. The files on the server would be the data for a (basic) program and the program itself (written in the not very demanding Python 2). So, no hit memes unfortunately.

3. I'm not very keen on punching a hole in my firewall, or opening it up to the internet... Thinking about it, is there a way that I could access the data on only recognized, preregistered devices? Or make a certificate that can be installed on any device, so long as the people in my group have the certificate file?

I also am unable to lease anything, and live in the UK.

Thanks!
mathboy3141
 

dknm (Dabbler, joined Aug 27, 2018, 25 messages)

For external access, you will need to open a port in your firewall regardless.
The argument here is that opening up a sandboxed jail is less dangerous (if compromised) than opening up your server's web-ui (which could lead to full control). It is good to be aware of what resources you're exposing, but you'll be fine if you prepare.

For an SSL connection this would be LAN port 443. Forward it (WAN) to something random and this way you'll be safe from rudimentary port scans.

Like melloa said...
If you've got 10 people passing files around, consider something like a self hosted cloud - nextcloud. It's accessible from anywhere, has a mobile app, end to end encryption between the sync client and server since you mentioned sensitive info (enabled manually), version control (it's great when working on projects) and a WebDAV to upload files through (for tasks like an auto-sync).

There are some further security measures if you do go this way, you can read more in this guide: https://www.samueldowling.com/2018/...n-freenas-iocage-jail-with-hardened-security/ (install v15 instead if you decide to follow it)

If you really want to do it by the book, you can then look at something like the Cloudflare web firewall (it's free for non business use, AFAIK) / Argo tunnel to sit in between your domain. I wouldn't stress on this, though.
 

Snow (Patron, joined Aug 1, 2014, 309 messages)

Why not set up the FTP server in FreeNAS, then just have them download a client like FileZilla? You can still set up Mydns or Noip; just point it to the FTP. I know Android and Mac iOS have support for FTP. You can pretty much make a user in FreeNAS and it's the same user that is tied in to the FTP; you do have to set it up so the user can access the FTP. The nice thing about FTP is you can set what directory the users can get into. Also, you're not opening up your FreeNAS to the world. I would suggest setting up TLS & a certificate for security. Just make your life easier and go out and buy a block of static IPs; they do not cost that much. There are a couple of ways you could do what you're asking.

#3 could be done by setting up users and strong passwords along with a pass key & pass phrase.

#1 Reverse DNS resolution is just like it sounds: how we get website info when we type a website in, it goes to the DNS, then the DNS says, hey, it's at this IP, then we get the info and it loads. It's just doing this in reverse, so you are sending your info (Domain Name = This IP Address) to the DNS services so when some client looks up your domain it gives them your IP info and then they can connect.
 

rvassar

3. I'm not very keen on punching a hole in my firewall, or opening it up to the internet... Thinking about it, is there a way that I could access the data on only recognized, preregistered devices? Or make a certificate that can be installed on any device, so long as the people in my group have the certificate file?

I also am unable to lease anything, and live in the UK.

Thanks!
mathboy3141

It's not a "lease", more like tool rental. Just rent by the hour, and it can be literally less than 1 penny an hour. Linode has a London NOC. Spin up, deploy workload using Ansible & scripts launched from your NAS at home, when done, spin it down and delete it. Save all data & state on your NAS. This is the way the world works these days. It's called "Cloud Computing".

Linode Pricing

The secure way is to run OpenVPN, perhaps in a jail on your NAS, and have your users connect to that. That requires pre-configured cryptographic certificates, and gives you per-client control. It's not without risk, but it's manageable. But you would be getting into trade college level networking configuration. Since you seem to have limited knowledge of DNS, I'm going to suggest you hit the books before you try. Don't take that as discouragement, just a suggestion. All of us here started at the beginning...

And yes, you can combine the two ideas, and have the Linode connect to the NAS over OpenVPN...
 

rvassar

Do. Not. Expose. FTP. To. Internet!
https://www.ssh.com/ssh/ftp/server

FTP should be considered, for all intents and purposes... to be a dead relic of a protocol. I know people still use it, and its variant TFTP. But really. It's dead. It was insecure (and great fun!) back in the 1980s when I first used it. But consider... The original (pre TCP/IP) RFC describing it was RFC 114 way back in 1971!
 

Snow

Oh, I know it is old. Just seems like OP's lack of knowledge and how easy they are to configure. Now, I know it is outdated and has some security problems; he could implement a TFTP/SFTP. Then learn how to go the cloud route later when he has more knowledge under his belt. You can also set up an SFTP, TFTP or FTP over a VPN, but that comes back to the advanced part of setting it up in a jail and some advanced networking. Or using something like pfSense to set up the VPN. The cloud route does work and is the way everything is heading.
 

Apollo (Wizard, joined Jun 13, 2013, 1,458 messages)

OpenVPN hosted on pfSense works. Why does everything need to run on FreeNAS after all?
 

rvassar

OpenVPN hosted on pfSense works. Why does everything need to run on FreeNAS after all?

Agreed. But some people have a minimal hardware footprint.

Before I got 1gig fiber, I ran it on a Raspberry Pi...
 