I currently subscribe to NordVPN and presume they have a *nix app. But I don't understand how it would allow a server to be reachable with a separate IP address. My usage has always been trying to reach a URI via a domain server with communications being routed through a VPN server. If this kind of VPN service would work, can someone please explain how?
You are confusing two different services here that are named the same because the underlying technology is the same. In corporate IT this is called the "road warrior" scenario, in contrast to a permanent office-to-office connection: a mobile user connecting to resources at a fixed location, most of the time your office LAN. In most enterprise cases this also redirects your routing so all your Internet access goes through the VPN and out of your office firewall. This is the technology we are talking about.
Now NordVPN and other providers offer a service that lets you connect to their network via a "road warrior" setup, so you are visible to the rest of the Internet as if you were at their location. Mostly used for privacy reasons or to circumvent geoblocking.
What we suggested you do is set up a VPN server at your home network and then connect to that by essentially the same technology you use with NordVPN. One of the most established and robust products would be OpenVPN, which can be run in a jail on FreeNAS. Although the best location to put a VPN server would be the router at home that you use for your Internet connection. You might want to check if your model supports anything like this.
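To make the routing side of the two setups concrete, here is an added example (not from the thread or from OpenVPN) that walks a toy routing table with longest-prefix match. It shows why a "road warrior" client that receives OpenVPN's `redirect-gateway def1` sends all of its traffic through the tunnel, while a split-tunnel client only sends office-LAN traffic there. All subnets, addresses and interface names are constructed for the example; `redirect-gateway def1` and `push "route ..."` are real OpenVPN directives, the values given to them are ours.

```python
"""Longest-prefix-match walk-through for split-tunnel vs full-tunnel VPN clients.

Added example, not from the thread: the tables model a laptop on a
coffee-shop Wi-Fi (192.168.43.0/24) connected to an office VPN whose LAN
is 10.20.0.0/16; the tunnel pool 10.8.0.0/24 is OpenVPN's default.
"""
import ipaddress

# Constructed sample routes as (prefix, outgoing interface).
COFFEE_SHOP_LAN = ("192.168.43.0/24", "wlan0")
TUNNEL_NET = ("10.8.0.0/24", "tun0")
OFFICE_LAN = ("10.20.0.0/16", "tun0")
ISP_DEFAULT = ("0.0.0.0/0", "wlan0")
VPN_SERVER = ("203.0.113.10/32", "wlan0")  # TEST-NET-3 documentation address


def lookup(table, dst):
    """Return the outgoing interface for dst using longest-prefix match.

    The kernel picks the most specific (longest prefix) route that contains
    the destination; the tables below never produce a tie.
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def split_tunnel_table():
    """Only the office LAN goes through the tunnel; everything else stays local.

    This is what the server achieves with `push "route 10.20.0.0 255.255.0.0"`
    and no redirect-gateway.
    """
    return [COFFEE_SHOP_LAN, TUNNEL_NET, OFFICE_LAN, ISP_DEFAULT]


def full_tunnel_table():
    """Everything goes through the tunnel: the 'road warrior' shape in the thread.

    `redirect-gateway def1` does not delete the ISP default route. It adds two
    /1 routes (0.0.0.0/1 and 128.0.0.0/1) via tun0 which, being more specific
    than 0.0.0.0/0, win the lookup for every destination. A /32 host route to
    the VPN server itself stays on wlan0 so the tunnel's own packets can leave.
    """
    return split_tunnel_table() + [
        VPN_SERVER,
        ("0.0.0.0/1", "tun0"),
        ("128.0.0.0/1", "tun0"),
    ]


def classify(table, destinations):
    """Map each destination to the interface the table would send it out of."""
    return {dst: lookup(table, dst) for dst in destinations}


if __name__ == "__main__":
    probes = ["10.20.5.7", "198.51.100.5", "203.0.113.10", "192.168.43.2"]
    print("split tunnel:", classify(split_tunnel_table(), probes))
    print("full tunnel: ", classify(full_tunnel_table(), probes))
```

The interesting line in the output is the public address 198.51.100.5: with the split-tunnel table it leaves via the local Wi-Fi, with the full-tunnel table it leaves via tun0, which is exactly the "all your Internet access goes through the VPN and out of your office firewall" behaviour described above. The /32 route for the VPN server is what keeps the tunnel from trying to route its own encrypted packets into itself.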
Does this mean I'd have to run my own VPN server on the NAS drive? Again, unless it would know the IP addresses from which all remote requests would come, how would it distinguish illegitimate requests from legitimate ones?
Not on the NAS drive per se but on the NAS machine, yes. Or on your router.
Regarding Plex-in-a-jail, mine is in a jail, but I believe the standard installation does not use a jail. (They may have changed this. But I use Plex Pass, so I can't use the standard installation in any case, so I wouldn't know.)
I don't know what you mean by "standard installation". If you want to run additional applications on FreeNAS that do not come with FreeNAS out of the box, they always go into jails or VMs. You cannot install software on FreeNAS.
Still, if a hacker cracked into the jail, wouldn't they still have access to the media Plex uses? If so, might they not pirate the media or access personal photos, etc.?
Yes, of course. So the question is: is this Plex thing an application that is supposed to be Internet facing, i.e. reasonably hardened, audited and with regular updates? Is there a security check website by the vendor that lets you audit your installation?
I don't know. I do know an application that is supposed to be run like that and that's what I use: Nextcloud. For example here's their security audit tool:
https://scan.nextcloud.com
How bulletproof are jails? I know they're supposed to be, but aren't they at least subject to DoS attacks? And if Plex used writable media storage, wouldn't it be at risk?
Well, the jail itself I consider as bulletproof as software comes. It's technology that is 20 years old and constantly being worked on.
As for DoS attacks: there's not much you can do to protect a simple home line. I could flood your uplink and essentially cut you off the net if I knew your public IP address. I would not worry about that.
As for access: everything you put up for public access is at risk. There are different things one can do to mitigate that:
- use a trustworthy application
- encrypt the traffic - HTTPS and Letsencrypt make that easy nowadays
- use strong authentication, SSH public keys, two factor authentication, ...
- use multiple layers - no exposure at all, VPN connection first, then access to the services
- only read-only exposure for public access, read-write from your LAN
- ...
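The "read-only for public access, read-write from your LAN" and "VPN connection first" layers above can be enforced in front of any HTTP/WebDAV application rather than relying on the application alone. The following is an added example, not code from the thread, from Nextcloud or from Plex: a small WSGI middleware that refuses modifying methods unless the request's source address is in the home LAN or in the VPN client pool. The subnets, the toy backend and the request simulator are constructed for the example; the middleware is generic and wraps any WSGI app. It only means something if `REMOTE_ADDR` is the real peer address, so it belongs directly behind your TLS terminator, and it must not be fed from an `X-Forwarded-For` header that untrusted clients can set.

```python
"""Source-address based write policy: read-only from the Internet, read-write from LAN/VPN.

Added example, not from the thread. Requires only the standard library.
"""
import ipaddress

# HTTP/WebDAV methods that cannot modify data. Everything else (PUT, DELETE,
# MKCOL, MOVE, COPY, PROPPATCH, LOCK, POST, ...) is treated as a write.
READ_ONLY_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "PROPFIND"})

# Constructed trusted ranges: the home LAN and an OpenVPN client pool.
TRUSTED_NETS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.8.0.0/24"),
]


def is_trusted(remote_addr):
    """True if the address lies in one of the trusted subnets."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # unparseable REMOTE_ADDR: fail closed
    return any(addr in net for net in TRUSTED_NETS)


def decide(method, remote_addr):
    """Pure policy: 'allow' or 'deny' for a (method, source address) pair."""
    if method.upper() in READ_ONLY_METHODS:
        return "allow"
    return "allow" if is_trusted(remote_addr) else "deny"


class ReadOnlyFromInternet:
    """WSGI middleware that answers 403 to writes from untrusted source addresses."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET")
        peer = environ.get("REMOTE_ADDR", "")
        if decide(method, peer) == "deny":
            body = b"write access only from LAN or VPN\n"
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def toy_backend(environ, start_response):
    """Stand-in for the real DAV application: echoes the method it received."""
    body = f"{environ['REQUEST_METHOD']} ok\n".encode()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def simulate(app, method, remote_addr):
    """Drive a WSGI app with a constructed environ; return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"REQUEST_METHOD": method, "REMOTE_ADDR": remote_addr, "PATH_INFO": "/"}
    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    app = ReadOnlyFromInternet(toy_backend)
    for method, src in [("GET", "203.0.113.7"), ("PUT", "203.0.113.7"),
                        ("PUT", "10.8.0.6"), ("DELETE", "192.168.1.20")]:
        print(f"{method:6} from {src:15} -> {simulate(app, method, src)}")
```

Keeping the decision in `decide()` separate from the WSGI plumbing is deliberate: the policy is the part worth unit-testing, and the same function can back a firewall rule generator or a reverse-proxy ACL later. Note that the check is an extra layer on top of the application's own authentication, not a replacement for it; a read-only exposure still leaks whatever an authenticated or unauthenticated GET can fetch, which is why the list above starts with "use a trustworthy application".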
Does this mean all other kinds of remote access, e.g. WebDAV, should be in their own jails?
Remote access to WebDAV has to be writable for my applications. So if the jail were cracked, wouldn't all the data be at risk?
1. Yes.
2. And yes. If you use insecure software for DAV, your data will be at risk. That is really not rocket science. Nextcloud (I'm repeating myself) is a DAV service that is considered reasonably trustworthy. Or use a VPN ...
Summary: if you put up services on the public Internet you have the responsibility and need the skills of a professional system administrator (like I am) who does precisely this - run hundreds of customer servers on the public Internet for a living.
Kind regards,
Patrick