security concerns with openvpn client running in jail

[wonho]

Hi,

I am trying to set up a freeNAS box which will act as an off-site backup for a freeNAS running at local site. Current plan is to set up a openVPN client in off-site freeNAS box in jail with static route. The off-site freeNAS box will be connecting to openVPN server at the local site and back up storage server. The off-site freeNAS box will be placed in personal home network, where other home devices will be on the network.

Are there any security concerns with this setup? Rather than openVPN's own vulnerabilities?

I have been trying to research on this topic, but I am very new to all this and hard to find something that matches my keywords. I did have read that it is generally recommended to separate freeNAS box from firewalls or VPN server/clients somewhere. I am also considering purchasing a separate mini-firewall device if the current plan is not sufficient enough in terms of security.

Please enlighten me!

 

[garm]

There are several routes to take when considering placing a FreeNAS box in a alien network. But it all boils down to the fact that just like in your own home, you want control after the first interface. You don’t want to rely on the NAT, DNS or NTP of the alien network. Treat it as WAN and you are on a good way to success. Jails are problematic as they initiate after the network stack on the host, but it can be done. Virtualizating FreeNAS and pfSense and thus creating a datacenter-in-a-box is another route, but it has its own challenges. The one I have opted for in the past is having a dedicated hardware pfSense firewall, NTP and DHCP server velcroed to the NAS.

Whatever route you take there are plenty of resources on how to accomplish the individual components on this forum and on the all mighty Google

 

[Patrick M. Hausen]

Possibly this product fits your requirements?
https://www.netgate.com/solutions/pfsense/sg-1000.html

It can be powered via USB from the FreeNAS server, it seems.

HTH,
Patrick

 

[gt2416]

Lol Patrick before I even clicked on the thread I wanted to suggest that. pfSense is 100% the true answer if you dont want to worry about all this. DNS leaks etc are a thing of the past with a powerful firewall, really worth researching it.

 

[wonho]

Thanks everyone for the tips and recommendation.

Possibly this product fits your requirements?
https://www.netgate.com/solutions/pfsense/sg-1000.html

This was actually what I have been considering. I've read some reviews that this device is quiet under-powered. I am not sure if it is enough for the operation which will be mirroring of the on-site backup through fiber connection. I guess I will perform some testing once I get the hands on the device.

I have also came across some bug reports considering static route via openVPN jail, that FreeNAS drops the connection to the static routes.

I think I will be testing both options, since pfsense microfirewall is quiet cheap.