ownCloud - Outside Network Access

Status
Not open for further replies.

Blaccko

Dabbler
Joined
Apr 10, 2015
Messages
14
Hi everyone,

I’ve installed FreeNAS (9.3) on a machine at home and I’ve installed the ownCloud module (8.0.0) on my FreeNAS machine. I would like to be able to access ownCloud from outside my network.

I can access FreeNAS and ownCloud from inside my network via wifi at “myinternalIP/owncloud”. Also, I port forwarded ports 8099 and 4443 (my ISP blocks ports 80, 8080, and 443) to my internal IP. With that setup, I can access FreeNAS from outside my network at “myexternalIP:8099”. However, when I try to connect to ownCloud from outside my network at “myexternalIP:8099/ownCloud”, I get an error (404) from my browser.

I must say my ownCloud module is installed in a jail in FreeNAS. I tried to access ownCloud via “myexternalIP:8099/ownCloudjail’sIP” instead of “myexternalIP:8099/owncloud”, but, again, it didn’t work.

As I can access FreeNAS from outside my network, but not ownCloud, I’m guessing my network settings are ok (correct me if I’m wrong). So, I think my problem must be linked to something in FreeNAS or ownCloud and I’m asking for your help to try and access ownCloud from outside my network. Do you have any suggestions for me?

Thank you very much and have a great day,

Blaccko
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
The jail acts as a different computer on your LAN. Thus, if you want to be able to access it using port forwarding (which I wouldn't recommend; I'd suggest setting up a VPN connection to your router instead), you'll need to forward some port to owncloudjailIP:80 and/or owncloudjailIP:443. Which port you use for that is up to you.

I'd strongly discourage doing any port forwarding to the FreeNAS IP, with the possible exception of port 22 (ssh). FreeNAS is not designed or hardened to be directly exposed to the Internet, which port forwarding does. Again, the safe way to do this is to set up a VPN connection to your router. I wouldn't be surprised if @RussianMafia dropped by to explain this a bit further.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Just because you can doesn't mean you should.

Having said that, if you insist on exposing your jail to the internet you better do a LOT of research on server hardening and other security measures that need to be undertaken to keep your jail from being owned within hours of exposing it. If you're not up to that task then a VPN as danb35 has suggested is an absolute MUST if you have to have remote access.
 

Blaccko

Dabbler
Joined
Apr 10, 2015
Messages
14
Hi danb35 and Jailer, thank you for your answers.

If I port forward to my jail (ownCloud module) instead of my FreeNAS itself, is the risk limited as the only access is to my jail which is separate from my entire FreeNAS installation?
Otherwise, if you still suggest that I use a VPN connection:
1. Does that mean that I will have to be connected via VPN all the time if I want live sync of ownCloud between my phone and my FreeNAS (ownCloud client on my phone)?
2. Does that mean that I will have to be connected via VPN to remotely access my ownCloud, even via a web browser?

3. Also, I read that there are sometimes difficulties connecting a phone through a VPN connection. Is that right?

4. I’m not really familiar with VPN connections. Is there a service I can install on my FreeNAS and on my device to use a VPN connection? Do you have one to suggest?
Thank you very much!

Blaccko
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
I access my owncloud jail externally and port forward from the router to the jail IP address. Probably worth installing an SSL certificate (which you probably have if using port 443) and looking at installing Fail2Ban (which is pretty straightforward, and adds another level of security).

VPN is pretty straightforward to do in a jail too, but I use that for getting back to the network and not really to access owncloud.
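What Fail2Ban's counting amounts to for an exposed ownCloud login, as an added example that is not part of any post in this thread: it scans login-failure log lines and reports the addresses that would be banned. `maxretry` and `findtime` mirror Fail2Ban's option names; the log layout, message wording and `find_bans` itself are assumptions made for illustration.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The JSON layout and message wording are assumptions
# modelled on ownCloud's owncloud.log; check them against your own log file.
SAMPLE_LOG = """\
{"app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')","level":2,"time":"2015-04-12T10:00:01+00:00"}
{"app":"core","message":"Login failed: 'bob' (Remote IP: '198.51.100.23')","level":2,"time":"2015-04-12T10:00:05+00:00"}
{"app":"core","message":"Login failed: 'root' (Remote IP: '203.0.113.7')","level":2,"time":"2015-04-12T10:00:20+00:00"}
{"app":"files","message":"scan finished","level":1,"time":"2015-04-12T10:00:30+00:00"}
truncated line that is not JSON
{"app":"core","message":"Login failed: 'x' (Remote IP: '192.0.2.99') ' (Remote IP: '203.0.113.7')","level":2,"time":"2015-04-12T10:01:05+00:00"}
{"app":"core","message":"Login failed: 'bob' (Remote IP: '198.51.100.23')","level":2,"time":"2015-04-12T10:25:00+00:00"}
{"app":"core","message":"Login failed: 'bob' (Remote IP: '198.51.100.23')","level":2,"time":"2015-04-12T10:50:00+00:00"}
"""

# The user name is client-supplied text. The greedy '.*' plus the end anchor
# means only the final "Remote IP" field (written by the server) is captured,
# so a crafted user name cannot get some other address banned.
LOGIN_FAILED = re.compile(r"Login failed: '.*' \(Remote IP: '([0-9a-fA-F.:]+)'\)")


def find_bans(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: time of the failure that reached maxretry within findtime}."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    bans = {}
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
            when = datetime.fromisoformat(entry["time"])
            match = LOGIN_FAILED.fullmatch(entry["message"])
        except (ValueError, KeyError, TypeError):
            continue  # not JSON, or not the expected fields: skip the line
        if not match or match.group(1) in bans:
            continue
        ip = match.group(1)
        window = recent[ip]
        window.append(when)
        while when - window[0] > findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = when
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached at {when.isoformat()})")
```
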
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
If you port forward only to the jail and not to the FreeNAS IP, then you're in better shape. You still need to be concerned about the security of your owncloud installation, but it's mostly isolated from the rest of your server. A malicious process inside that jail could still bring down the server by consuming excessive resources, but it's unlikely it could read or harm data not mounted to that jail as storage. If you set up encryption in owncloud, it's also very unlikely that an attacker could read the user data from your owncloud installation unless he got an account password.

If you set up a VPN connection, you'd need to have that connection active before you could communicate with anything on your LAN. No doubt there are "sometimes" problems connecting phones to VPNs, but I've not heard of there being any kind of regular, persistent problems. I expect that would depend on a number of factors, including the VPN app/protocol, the phone OS, the stability of the VPN server, etc. FWIW, once I had the configuration set up correctly, I haven't had trouble connecting to an OpenVPN server on my iPhone or iPad.

I believe that a VPN, at least for this purpose, is best set up at the router. My router/firewall/NAT is a Linux server, and I've installed OpenVPN on it. Many folks here are FreeBSD folks and prefer pfSense for a router/firewall, and that also supports running an OpenVPN server. Many consumer-grade WiFi routers are supported by third-party firmware like Tomato or dd-wrt, which can act as an OpenVPN server. Do not use PPTP as a VPN protocol--it's insecure enough to be pretty much worthless. In any case, you'll also probably want to set up some form of dynamic DNS so that you can browse to a fixed hostname, rather than to a constantly-changing IP address.
 

Nigel

Dabbler
Joined
Oct 3, 2014
Messages
14
I access my owncloud jail externally and port forward from the router to the jail IP address. Probably worth installing an SSL certificate (which you probably have if using port 443) and looking at installing Fail2Ban (which is pretty straightforward, and adds another level of security).

VPN is pretty straightforward to do in a jail too, but I use that for getting back to the network and not really to access owncloud.

This is what I do too, but whilst this worked fine with ownCloud 7.x, it doesn't work with 8.x. I have tried creating a self-signed certificate, which works for Internet Explorer (if you ignore all of the security warnings) but does not work with Firefox, or the Windows ownCloud client. The problem for me is that I don't often get the chance to access my network externally for long enough to do any diagnostics.
 