Assuming your FreeNAS is behind your router, there are three basic methods that I know of to access services on it from outside your LAN:
- Set up port forwarding on your router to forward to the appropriate ports for whatever services you want to use
- Set up a VPN connection
- Use SSH tunneling
The first is terribly insecure--the entire Internet can see your services and hammer away at whatever authentication mechanism you have set up. If you use this option for anything other than SSH or OpenVPN, or perhaps to a well-hardened web server in a jail, expect @RussianMafia to pay you an electronic visit.
The second is my preference. It's secure, and gives you access to anything on your LAN from the outside. I believe it's best implemented at the router (and that's how my network is set up), but a VPN server can also be installed in a FreeNAS jail. There are threads here for installing OpenVPN server in a jail, which is probably what you'd want to do if you can't do it at the router.
SSH tunneling is also secure, and doesn't require much in the way of configuration on your router or FreeNAS system--the router just needs to forward port 22 to the FreeNAS system*, and your FreeNAS box just needs to have SSH enabled (and should be set up to use public key authentication for security). You can then tell your clients, when you connect, which ports to tunnel through the SSH connection.
OpenVPN can take a bit of doing to get set up on the server end, but once that's done, you just have to tell your client where to connect and give it the authentication parameters (which should be a keypair). Clients are available for all major OSs and mobile devices. SSH tunneling requires very little setup at the server end, but you need to configure each client for every port and destination you want to use.
* Many folks advocate changing SSH to use a non-standard port. I consider that a form of security through obscurity and don't practice it (since an attacker is likely to run a portscan anyway, they'll find what services you have available on which ports). I have, however, disabled password logins to SSH, so an attacker would need one of two private keys to be able to connect. If you're especially paranoid, you could probably add two-factor authentication with Google Authenticator (so you'd need both the private key and the ever-changing auth code), but I don't think that's necessary or even particularly beneficial if you're using public key authentication.
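
The following is an added example, not part of the original post: a small shell check that reads the effective settings OpenSSH prints with `sshd -T` and reports anything that would still let a password-based login through on the forwarded port 22. The function names and the two sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: check "keyword value" lines as printed by `sshd -T`
# for settings that still allow password-based logins.

# Constructed sample inputs (not taken from any real system).
HARDENED_SAMPLE='port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'
DEFAULT_SAMPLE='port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes'

# Print the (lowercased) value of keyword $2 found in config text $1.
sshd_value() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == k { print tolower($2); exit }'
}

# Print one finding per line; succeed only if key-only login is enforced.
audit_sshd() {
    cfg=$1
    findings=""
    [ "$(sshd_value "$cfg" pubkeyauthentication)" = "yes" ] ||
        findings="${findings}pubkeyauthentication is not yes
"
    [ "$(sshd_value "$cfg" passwordauthentication)" = "no" ] ||
        findings="${findings}passwordauthentication is not no
"
    # Keyboard-interactive (via PAM) can still prompt for a password.
    # Older OpenSSH releases report it as challengeresponseauthentication.
    kbd=$(sshd_value "$cfg" kbdinteractiveauthentication)
    [ -n "$kbd" ] || kbd=$(sshd_value "$cfg" challengeresponseauthentication)
    [ "$kbd" = "no" ] ||
        findings="${findings}keyboard-interactive is not no
"
    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Demo on the constructed samples; on a live server: audit_sshd "$(sshd -T)"
for name in HARDENED_SAMPLE DEFAULT_SAMPLE; do
    eval "text=\$$name"
    if out=$(audit_sshd "$text"); then
        echo "$name: key-only login enforced"
    else
        echo "$name: password login still possible"; echo "$out"
    fi
done
```

A setup that adds an authenticator code on top of the key needs keyboard-interactive enabled, so this check would flag it and the finding has to be read with that in mind.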