TrueNAS 13 remote access from outside the network

NAVI

Dabbler
Joined
Jun 24, 2022
Messages
17
I'm new to the whole project, and this quickly went over my understanding. I'm hoping to either receive the information or links that can further my understanding without jumping from essentially "learning the alphabet to writing a thesis on rocket science."

To start, I'm running TrueNAS 13 stable, and I would like to be able to access it from anywhere outside of my network. Initially I started with trying to set up a Remote Desktop connection, which I quickly found out my version of Windows 10 doesn't allow. After a bit of looking, I found an article about potentially using port forwarding. Unfortunately, it didn't go into great detail other than mentioning it as a potential option and pointing out the need for security.

I went into my router and confirmed where the port forwarding settings were, but not knowing how to ensure the security aspect, I thought it would be best to reach out. In my router I assume I just need to click FTP and then enter the server IP address (the IP I'd use to get to the TrueNAS web page).

From here I assume I need to go into the TrueNAS web page under Services (FTP is turned on) and click Configure. Currently it's set as default, so port 21; the certificate is blank (freeNAS_default is the only option). I'm not sure if that's good/ideal or what I would do to get a different/better certificate.

Under Advanced options, the only thing selected aside from file/directory permissions is "Always Chroot" under Access.

So again, to clarify, I'm looking for a secure way to access my TrueNAS server from outside of the network it is on. Currently the only two methods I am aware of are potentially port forwarding and mapping the drive on the computers that would need access. Any and all assistance in the right direction is appreciated.
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
There are no quick & easy ways of accomplishing what you ask, because security is hard. There are multiple dimensions to security you have to worry about:
  • Protecting the data you intend to make available externally. What happens if this gets stolen? What happens if this gets subtly corrupted and you don't discover it until months later? What happens if you let in ransomware that encrypts the data? What happens if you get a copyright claim for media you think you own?
  • Protecting the server itself where the data will reside. What happens if root gets compromised on this system? What accounts exist on this system with admin or potential admin rights?
  • Protecting the client where you'll consume the data. How do you protect it from keyloggers and other malware floating around outside?
  • Protecting the transmission channel in between. Is the encryption here good enough? How do you know?
You also have to consider why you need external access, and what types of data you intend to expose. How do you make that data available internally?
 

mircsicz

Dabbler
Joined
May 11, 2013
Messages
31
And BTW: you're posting your question regarding TrueNAS 13 in the legacy FreeNAS section of the forum...

Regarding your question: I'd highly suggest you don't forward any ports from a machine you're just starting to learn to handle!!!

If you need access from outside, set up a VPN...
 

NAVI

Dabbler
Joined
Jun 24, 2022
Messages
17
And BTW: you're posting your question regarding TrueNAS 13 in the legacy FreeNAS section of the forum...

Regarding your question: I'd highly suggest you don't forward any ports from a machine you're just starting to learn to handle!!!

If you need access from outside, set up a VPN...
Oops, I do now see at the top of my post where it says I'm posting under Legacy; is there a way to move my post, or would I need to delete it and create a new one in the correct spot? Admittedly I may not need to repost, as a VPN is probably the most ideal for a while until, as you stated, I get a better handle on it.
 

NAVI

Dabbler
Joined
Jun 24, 2022
Messages
17
There are no quick & easy ways of accomplishing what you ask, because security is hard. There are multiple dimensions to security you have to worry about:
  • Protecting the data you intend to make available externally. What happens if this gets stolen? What happens if this gets subtly corrupted and you don't discover it until months later? What happens if you let in ransomware that encrypts the data? What happens if you get a copyright claim for media you think you own?
  • Protecting the server itself where the data will reside. What happens if root gets compromised on this system? What accounts exist on this system with admin or potential admin rights?
  • Protecting the client where you'll consume the data. How do you protect it from keyloggers and other malware floating around outside?
  • Protecting the transmission channel in between. Is the encryption here good enough? How do you know?
You also have to consider why you need external access, and what types of data you intend to expose. How do you make that data available internally?
In terms of physically protecting the machine from someone just walking up and attempting something malicious, it's at my house and someone works from home, so it's almost guaranteed someone is aware of any guest on the property, along with a dog. As for accounts, mine and root would be the only two admins, as I plan to currently use it for cloud storage for extended family and potentially some VMs. The rest is definitely a part of my learning curve.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
If you need access from outside setup a VPN...
Ding ding ding...

@NAVI, this is the way to do it. Ideally you'd set it up on your router--configure it as a VPN server (and likely as a dynamic DNS client), and set up suitable VPN client software on whatever device(s) you'd be using remotely. Failing that, you can set up TrueNAS as an OpenVPN server and forward that port (and only that port) to your NAS. Or set up the VPN server elsewhere on your network. But on the router is the best place to do it, if possible (or if you can make it possible, e.g., by changing the router).
 

NAVI

Dabbler
Joined
Jun 24, 2022
Messages
17
There are no quick & easy ways of accomplishing what you ask, because security is hard. There are multiple dimensions to security you have to worry about:
  • Protecting the data you intend to make available externally. What happens if this gets stolen? What happens if this gets subtly corrupted and you don't discover it until months later? What happens if you let in ransomware that encrypts the data? What happens if you get a copyright claim for media you think you own?
  • Protecting the server itself where the data will reside. What happens if root gets compromised on this system? What accounts exist on this system with admin or potential admin rights?
  • Protecting the client where you'll consume the data. How do you protect it from keyloggers and other malware floating around outside?
  • Protecting the transmission channel in between. Is the encryption here good enough? How do you know?
You also have to consider why you need external access, and what types of data you intend to expose. How do you make that data available internally?


I think you may be excited to know that since I replied last I've spent my time making lots of changes by following a fairly impressive guide, among the first guides I've followed for this: https://www.truenas.com/community/t...ure-remote-access-to-files-and-web-gui.89229/ I've made it up to security, including some neat apps:
  • Brute-force settings
  • Ransomware protection
  • Suspicious login
  • Two-Factor TOTP Provider
  • GeoBlocker
It's going on 11:15pm my time, and I gotta say I'm almost as excited now as I was when I started and began to make some real progress. In terms of understanding what I've been doing, it's still not 100%, but I have been making an effort, as I get lost, to spend a few minutes at least scratching the surface of what it is I'm doing.
 

xness

Dabbler
Joined
Jun 3, 2022
Messages
30
Do not expose RDP to the internet. Please; it's a sin.

Web interfaces should also not necessarily be exposed publicly. Even megacorps like Microsoft or security vendors like Cisco have unauthenticated remote code execution vulnerabilities in their web interfaces.

The only way to make it safe (and very easy!) to access remotely is to use SSH forwarding, aka an SSH tunnel with public key authentication. It makes remote ports available locally and kind of acts like a VPN, even though it's way easier to set up.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
kind of acts like a VPN, even though it's way easier to set up.
SSH tunneling "way easier to setup" than a VPN? How so? I mean, I guess if you have to start by installing the VPN server from scratch it might be, but...
 

xness

Dabbler
Joined
Jun 3, 2022
Messages
30
SSH tunneling "way easier to setup" than a VPN? How so? I mean, I guess if you have to start by installing the VPN server from scratch it might be, but...
All you have to do is set AllowTcpForwarding yes in sshd_config, configure NAT for the SSH port and then use ssh -L <custom-port>:<truenas-ipv4>:<truenas-port> <remote ipv4/dns name of WAN at home> from anywhere in the world. Seems pretty easy to me.

And also certainly much easier than the pitfalls you'll encounter as a beginner setting up OpenVPN and struggling with not redirecting all your traffic over your tun-interface.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Seems pretty easy to me.
Sure, if you leave out:
  • Forward whatever port you want to use for SSH to the NAS
  • Set up public-key authentication to have a hope of keeping it secure
  • Figure out which services you want to use over this tunnel
    • and which ports they need
    • and add each of those ports to the ssh command
    • and whatever other LAN services you may need access to (e.g., local DNS?)
    • and port numbers for those
    • and...
  • ...and probably other steps I'm forgetting
But my comparison assumes a moderately-featureful router (pfSense in my case) that can act as an OpenVPN server--and in that case, the setup is largely a point-and-click affair, and you download a configuration file for whatever client device(s) you're using.

Now, if you have a brain-damaged router that can't act as a VPN server, you may be stuck with trying to do that on the NAS--and while I haven't set that up, I have set up TrueNAS as an OpenVPN client. And that is a royal PITA, so I'd be surprised if the server configuration is any better.
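The following is an added example, not code from this thread or from any poster, that puts xness's two ingredients (AllowTcpForwarding yes in sshd_config and the ssh -L command) next to danb35's checklist (public-key authentication first, then one forwarded port per service). It audits two constructed sshd_config files, one with only forwarding switched on and one hardened for key-only logins, for the settings a tunnel relies on, then builds the ssh command with one -L per service. The host name home.example.net, the account nasuser, the LAN address 192.168.1.10 and every port number are placeholders, and the audit deliberately treats an absent PasswordAuthentication or PermitRootLogin line as a failure rather than relying on sshd's defaults.

```shell
#!/bin/sh
# Added example, not from the thread: audit sshd_config for a key-only SSH tunnel
# and assemble the matching "ssh -L" command. All names, addresses and ports are
# constructed placeholders.

# Constructed sshd_config as it might look after only "AllowTcpForwarding yes"
# was added: passwords still accepted, root still allowed to log in.
WEAK_SSHD_CONFIG='Port 2222
AllowTcpForwarding yes
PasswordAuthentication yes
PermitRootLogin yes'

# The same file after public-key auth is in place and passwords are switched off.
HARDENED_SSHD_CONFIG='Port 2222
AllowTcpForwarding yes
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers nasuser'

# sshd_setting "$CONFIG" KEY -> prints the effective value of KEY. Like sshd,
# the first non-comment match wins; nothing is printed if the key is absent.
sshd_setting() {
    printf '%s\n' "$1" | awk -v key="$2" \
        '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }'
}

# audit_sshd_config "$CONFIG" -> one line per finding; returns 1 if any check fails.
# PasswordAuthentication and PermitRootLogin must be set explicitly to "no";
# PubkeyAuthentication only has to not be switched off (sshd defaults it to yes).
audit_sshd_config() {
    cfg=$1; rc=0
    [ "$(sshd_setting "$cfg" AllowTcpForwarding)" = "yes" ] ||
        { echo "FAIL AllowTcpForwarding must be yes for ssh -L to work"; rc=1; }
    [ "$(sshd_setting "$cfg" PubkeyAuthentication)" != "no" ] ||
        { echo "FAIL PubkeyAuthentication is disabled"; rc=1; }
    [ "$(sshd_setting "$cfg" PasswordAuthentication)" = "no" ] ||
        { echo "FAIL PasswordAuthentication still on: a forwarded port with passwords invites brute force"; rc=1; }
    [ "$(sshd_setting "$cfg" PermitRootLogin)" = "no" ] ||
        { echo "FAIL PermitRootLogin should be no; tunnel through a normal account"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK config is suitable for a key-only tunnel"
    return "$rc"
}

# build_tunnel_cmd WAN_HOST SSH_PORT NAS_LAN_IP LOCAL:REMOTE... -> the ssh command.
# One -L per service (the per-port bookkeeping danb35 lists). Each listener is
# bound to 127.0.0.1 so the forwarded port is reachable only from the client
# itself, -N opens no remote shell, and the client refuses to fall back to a
# password so a typo in the key setup fails loudly instead of silently.
build_tunnel_cmd() {
    wan=$1; sshport=$2; nas=$3; shift 3
    cmd="ssh -N -o PasswordAuthentication=no -p $sshport"
    for pair in "$@"; do
        lport=${pair%%:*}; rport=${pair#*:}
        cmd="$cmd -L 127.0.0.1:$lport:$nas:$rport"
    done
    echo "$cmd nasuser@$wan"
}

# Demo run: audit both configs, then build the command for the web UI (443) and SMB (445).
echo "== weak";     audit_sshd_config "$WEAK_SSHD_CONFIG" || true
echo "== hardened"; audit_sshd_config "$HARDENED_SSHD_CONFIG" || true
build_tunnel_cmd home.example.net 2222 192.168.1.10 8443:443 8445:445
```

Once the hardened file passes the audit and the command above connects, the NAS web UI is reachable on the client at https://127.0.0.1:8443 and the share at 127.0.0.1:8445, and nothing else on the client's network can reach those listeners. The audit is a plain-text check of the file, not a substitute for reading sshd_config(5), and it knows nothing about Match blocks or included files.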
 

xness

Dabbler
Joined
Jun 3, 2022
Messages
30
Sure. But our guy here tried to NAT RDP to the internet. So I went ahead and assumed he has a consumer router and little knowledge of setting up and managing a firewall.

While a VPN is better in almost every single aspect feature wise – not gonna argue with that – I simply tried to offer an easy alternative to directly exposing the web interface to the internet, that doesn't need a lot of setup.
 

NAVI

Dabbler
Joined
Jun 24, 2022
Messages
17
Do not expose RDP to the internet. Please; it's a sin.

Web interfaces should also not necessarily be exposed publicly. Even megacorps like Microsoft or security vendors like Cisco have unauthenticated remote code execution vulnerabilities in their web interfaces.

The only way to make it safe (and very easy!) to access remotely is to use SSH forwarding, aka an SSH tunnel with public key authentication. It makes remote ports available locally and kind of acts like a VPN, even though it's way easier to set up.
My version of Windows can't, but I did fortunately hear lots of people advising against it the more I looked into it.
 

NAVI

Dabbler
Joined
Jun 24, 2022
Messages
17
All you have to do is set AllowTcpForwarding yes in sshd_config, configure NAT for the SSH port and then use ssh -L <custom-port>:<truenas-ipv4>:<truenas-port> <remote ipv4/dns name of WAN at home> from anywhere in the world. Seems pretty easy to me.

And also certainly much easier than the pitfalls you'll encounter as a beginner setting up OpenVPN and struggling with not redirecting all your traffic over your tun-interface.
I attempted to do SSH Connection in the TrueNAS web page, but there is currently a bug where when you click to save it spins, never moving forward. They do have a fix, but I'm currently having issues implementing the fix through midcli.
 

NAVI

Dabbler
Joined
Jun 24, 2022
Messages
17
Sure, if you leave out:
  • Forward whatever port you want to use for SSH to the NAS
  • Set up public-key authentication to have a hope of keeping it secure
  • Figure out which services you want to use over this tunnel
    • and which ports they need
    • and add each of those ports to the ssh command
    • and whatever other LAN services you may need access to (e.g., local DNS?)
    • and port numbers for those
    • and...
  • ...and probably other steps I'm forgetting
But my comparison assumes a moderately-featureful router (pfSense in my case) that can act as an OpenVPN server--and in that case, the setup is largely a point-and-click affair, and you download a configuration file for whatever client device(s) you're using.

Now, if you have a brain-damaged router that can't act as a VPN server, you may be stuck with trying to do that on the NAS--and while I haven't set that up, I have set up TrueNAS as an OpenVPN client. And that is a royal PITA, so I'd be surprised if the server configuration is any better.
I believe this is what I was doing initially: I used PuTTY to create an SSH-RSA key, but when I went to SSH Connection in the web page it has a bug not allowing you to save. I'm currently having issues with the fix and have posted on that page to get a potential resolution of why "name does not resolve". In the commands that were suggested I used the IP of my TrueNAS and I believe the port I set in the SSH settings under Services.
 

NAVI

Dabbler
Joined
Jun 24, 2022
Messages
17
Sure. But our guy here tried to NAT RDP to the internet. So I went ahead and assumed he has a consumer router and little knowledge of setting up and managing a firewall.

While a VPN is better in almost every single aspect feature wise – not gonna argue with that – I simply tried to offer an easy alternative to directly exposing the web interface to the internet, that doesn't need a lot of setup.
I'm using a Netgear Nighthawk R7000P, but to be honest networking is not my most knowledgeable subject, so I couldn't confirm just how good or bad this router is.
 

unseen

Contributor
Joined
Aug 25, 2017
Messages
103
I'm using a Netgear Nighthawk R7000P, but to be honest networking is not my most knowledgeable subject, so I couldn't confirm just how good or bad this router is.

It's a fine router once you kick out the original Netgear firmware and install DD-WRT on it instead, which is how I run mine (which is the non-P version).

However, I would counsel you to fully research and understand all of the potential issues regarding exposing your TrueNAS server and internal network to the outside world before you enable any kind of remote access. Within hours of you opening any external access, it will be discovered by various legitimate companies who index the Internet and appear on their sites. As soon as this happens, criminals will immediately start trying to break in, normally via a completely automated process.

Brute-force detection and geo-blocking are useless against these people as they use huge networks of compromised machines around the world to automatically change the IP address they are using every few attempts. If you have made any kind of error in the configuration of your remote access, you WILL be compromised within hours.

Blindly following any remote access guide as a script is a very good way to have your network compromised. There are no shortcuts to securely enabling any kind of remote access.

Samuel's reply at the start of this thread is a very wise summary and contains the first question you have to answer for yourself:

Why do you need remote access?

If you really, really need remote access and there is absolutely no way you can live without it, then you must have the knowledge to answer the other questions in his post and to fully understand the possible implications of implementing remote access.

I do have the skills and knowledge to set up secure remote access to my network but when I asked myself why I needed remote access, the answer was "I don't really need it and the security of my home network and data is far more important than the convenience of occasionally being able to access it remotely." So I don't have remote access. Most of my effort goes into securing devices within my own network so that smart-TVs and other consumer devices can't be used to break in or be able to spy on me and report back to their makers.

Lastly, security is never absolute: all software has bugs. What is secure today can be an open door tomorrow. Even if you implement a remote access system which is seemingly watertight today, are you totally confident in your ability to become aware of a newly discovered weakness in that system and be able to close the hole within hours? Even if you are, sooner or later you will get broken into. If you have not taken into consideration how you can limit the amount of damage which can be caused when this happens, the consequences can be very unpleasant.
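As an added illustration of unseen's point about distributed brute force (this is not code from the thread or from TrueNAS), the script below runs two views over a handful of constructed OpenSSH auth-log lines. A per-source-IP lockout never fires because each address in the sample tries at most twice, yet counting failures per account across distinct source addresses shows both accounts being sprayed. The log format follows OpenSSH's syslog output, the host name and user names are made up, the addresses come from the documentation ranges, and the thresholds 5 and 3 are assumptions chosen for the demo, not values from the page.

```shell
#!/bin/sh
# Added example, not from the thread: compare a per-IP lockout view with a
# per-account view of failed SSH logins. The log lines are constructed in
# OpenSSH's syslog format; the addresses are from the documentation ranges.

SAMPLE_AUTH_LOG='Jun 25 03:14:07 nas sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Jun 25 03:14:09 nas sshd[1203]: Failed password for invalid user admin from 198.51.100.22 port 40111 ssh2
Jun 25 03:14:12 nas sshd[1207]: Failed password for root from 192.0.2.77 port 60012 ssh2
Jun 25 03:14:15 nas sshd[1209]: Failed password for invalid user admin from 203.0.113.44 port 33001 ssh2
Jun 25 03:14:20 nas sshd[1212]: Failed password for root from 198.51.100.9 port 44444 ssh2
Jun 25 03:14:26 nas sshd[1214]: Failed password for root from 192.0.2.77 port 60013 ssh2
Jun 25 03:14:31 nas sshd[1216]: Failed password for root from 203.0.113.100 port 39988 ssh2
Jun 25 03:14:33 nas sshd[1218]: Accepted publickey for nasuser from 192.168.1.50 port 52100 ssh2: ED25519 SHA256:constructed-fingerprint'

# parse_failed: stdin log lines -> "user ip" for every failed password attempt.
# Handles both "for invalid user NAME from IP" and "for NAME from IP"; the
# successful publickey line is ignored.
parse_failed() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
        for (i = 1; i <= NF; i++) {
            if ($i == "for") user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
            if ($i == "from") ip = $(i+1)
        }
        print user, ip
    }'
}

# locked_out_ips "$LOG" N -> source IPs with at least N failures, i.e. what a
# per-source lockout would have banned.
locked_out_ips() {
    printf '%s\n' "$1" | parse_failed |
        awk -v n="$2" '{ c[$2]++ } END { for (ip in c) if (c[ip] >= n) print ip }' | sort
}

# spray_alerts "$LOG" N -> "user distinct_ips attempts" for every account that
# saw failures from at least N different source addresses.
spray_alerts() {
    printf '%s\n' "$1" | parse_failed |
        awk -v n="$2" '
            { attempts[$1]++; if (!seen[$1 SUBSEP $2]++) ips[$1]++ }
            END { for (u in ips) if (ips[u] >= n) print u, ips[u], attempts[u] }' | sort
}

echo "Source IPs a 5-strike lockout would ban:"
locked_out_ips "$SAMPLE_AUTH_LOG" 5       # prints nothing: no source exceeds 2 tries
echo "Accounts hit from 3 or more addresses (user ips attempts):"
spray_alerts "$SAMPLE_AUTH_LOG" 3         # admin 3 3 / root 3 4
```

The account-level count is the one worth alerting on, and it only matters because the hardened setup in this thread has already removed what those attempts are after: with password logins off, a spray against root or a non-existent admin user is noise in the log rather than a risk, which is the same conclusion the posters reach about lockouts and geo-blocking.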
 

NAVI

Dabbler
Joined
Jun 24, 2022
Messages
17
It's a fine router once you kick out the original Netgear firmware and install DD-WRT on it instead, which is how I run mine (which is the non-P version).

However, I would counsel you to fully research and understand all of the potential issues regarding exposing your Truenas server and internal network to the outside world before you enable any kind of remote access. Within hours of you opening any external access, it will be discovered by various legitimate companies who index the Internet and appear on their sites. As soon as this happens, criminals will immediately start trying to break in, normally via a completely automated process.

Brute-force detection and geo-blocking are useless against these people as they use huge networks of compromised machines around the world to automatically change the IP address they are using every few attempts. If you have made any kind of error in the configuration of your remote access, you WILL be compromised within hours.

Blindly following any remote access guide as a script is a very good way to have your network compromised. There are no shortcuts to securely enabling any kind of remote access.

Samuel's reply at the start of this thread is a very wise summary and contains the first question you have to answer for yourself:

Why do you need remote access?

If you really, really need remote access and there is absolutely no way you can live without it, then you must have the knowledge to answer the other questions in his post and fully understand the possible implications of implementing remote access.

I do have the skills and knowledge to set up secure remote access to my network but when I asked myself why I needed remote access, the answer was "I don't really need it and the security of my home network and data is far more important than the convenience of occasionally being able to access it remotely." So I don't have remote access. Most of my effort goes into securing devices within my own network so that smart TVs and other consumer devices can't be used to break in or be able to spy on me and report back to their makers.

Lastly, security is never absolute: all software has bugs. What is secure today can be an open door tomorrow. Even if you implement a remote access system that is seemingly watertight today, are you totally confident in your ability to become aware of a newly discovered weakness in that system and be able to close the hole within hours? Even if you are, sooner or later you will get broken into. If you have not taken into consideration how you can limit the amount of damage that can be caused when this happens, the consequences can be very unpleasant.

Yeah, and that's something I'm working on as well (security). In terms of finding out, I realize this is a topic that could go on for a while, but...
I may be off on the wording, as I am not able to access my router from where I'm at currently, but:

Confirming if you've been breached:
  • It shows the number of devices connected and the IP/MAC address (so the familiarity of who is on the network).
  • Actively watching something like Wireshark and watching what's coming in/out, which would require a good understanding of what you're seeing while using a packet analyzer. (I could definitely improve where I stand on this one.)
  • Possibly the most obvious reason would be malware (ransomware, new programs, losing control of mouse/keyboard).
  • Abnormally slow machine.
  • Checking haveibeenpwned.

Preventing the breach:
  • Run antivirus regularly (I've always heard antivirus is like a guard dog; having more than one can often be better in case one misses something).
  • I assume VPN, since it's concealing your IP, making it more difficult to identify the actual network (like 70% sure I explained this right).
  • Complex passwords & changing them regularly.
  • Being cautious when checking unknown emails (you don't have to be hacked; if a store is and you have your information in their database, they will check those login credentials elsewhere).

Is there anything else I should consider for the above two, or have I misinterpreted the who/what/why/etc. of what I've mentioned?
 

unseen

Contributor
Joined
Aug 25, 2017
Messages
103
Yeah, and that's something I'm working on as well (security). In terms of finding out, I realize this is a topic that could go on for a while, but...
I may be off on the wording, as I am not able to access my router from where I'm at currently, but:

Confirming if you've been breached:
It shows the number of devices connected and the IP/MAC address (so the familiarity of who is on the network).

That's showing you what devices are on your network. An attacker is not a device so there will not be any changes there.

actively watching something like Wireshark and watching what's coming in/out which would require a good understanding of what you're seeing while using a packet analyzer. (I could definitely improve where I stand on this one)

You will rapidly get bored looking at a Wireshark capture and if you do identify malicious traffic in it, then it is probably already too late. There's also no way that you could evaluate a Wireshark capture in real time - it's simply more information per second than a human could hope to process.

Possibly the most obvious reason would be malware(ransomware, new programs, losing control of mouse/keyboard).

abnormally slow machine

Seeing as a server is something you don't actively sit in front of (and most of the time does not even have a screen and keyboard), you won't see if someone has compromised your server that way. Of course, if your server or PC starts misbehaving it could be a sign of a compromise, but at that point, it is too late; you have already been compromised.

Checking haveibeenpwned.

This will tell you if your password on a compromised web site has been cracked. Of course, you would not even dream of using the same password for more than one site would you? Any web site that you use that can spend or steal your money should use two factor authorisation so that just your password on that site is not sufficient to gain access.

preventing the breach:
run antivirus regularly (I've always heard antivirus is like a guard dog having more than one can often be better in case one misses something.)

From the point of view of protecting your network from being compromised by a remote access breach, an anti-virus package will not protect you as the compromise may not involve the attacker running any software on your systems. Also, it's important to remember that anti-virus software can only protect you against *known* malware. If you are hit by something that is not yet known, all it gives you is a false sense of security.

I assume VPN since it's concealing your IP making it more difficult to identify the actual network (like 70% sure I explained this right)

The topic of the discussion is about the dangers of enabling remote access to your network. Although it is possible to connect to a VPN through your router (depending on what router it is and what firmware it is running) and put your entire network behind a VPN, doing so would make it very difficult indeed to implement any kind of remote access.

It's also important to point out that a VPN does not really hide your IP address. For a VPN to work, the VPN server has to know your IP address so that it can send packets back to you. If you are doing something incredibly illegal behind a VPN, the VPN provider is able to tell law enforcement what your IP address is as long as they are given the port number on the VPN server that was assigned to you when you connected. For trivial crimes like copyright infringement, then as long as your VPN provider does not keep logs, you are safe as the request to unmask you will come long after the crime has taken place. However, if you are doing something much more serious which prompts an 'as is it happening' response from law enforcement, they will simply call your VPN provider, tell them what they are investigating and will immediately find out what your IP address is.

complex password &, changing regularly

cautious when checking unknown emails(you don't have to be hacked if a store is and you have the information in their database they will check those login credentials elsewhere)

Although good password hygiene and sensibly avoiding phishing e-mail is standard good practice, it does not have anything to do with enabling remote access to your network.

Is there anything else I should consider for the above 2 or if I've misinterpreted the who/what/why/etc. of what I've mentioned

Let's just keep the discussion relevant to the topic of whether you should even think about enabling any form of remote access to your network. As I said already, if you can't answer all the questions that Samuel posed in his post, you should really think long and hard about whether you need to take the risk of enabling remote access in the first place. Looking at the questions you have asked here, it's obvious that you don't currently have enough knowledge about networking and IT security to answer them. My advice to you is therefore that you don't enable any kind of remote access and that you work on learning much more about how the Internet and the technology that it runs on works. That depth of knowledge is not something you can just pick up over a weekend; we are talking about degree level computer science studies.

Interestingly, the "Similar threads" section under this discussion lists several threads where people are asking about how to enable FTP access to their TrueNAS server. That's a perfect example of how not understanding networking fully can lead you into doing something which is a security disaster. The FTP protocol sends your user name and password unencrypted in plain text over the network, allowing anyone who can observe the network traffic along the way to read them.

Anyway, that's my advice, for what it's worth. I wish you the best of luck in your journey and hope that you never have to deal with having your network or machines compromised. There is some really nasty malware out there which cannot be eradicated even by formatting all your hard disks! Even worse is the kind of malware which just quietly makes your IP address available for criminals to use so that it looks like you are the one doing something bad. As they say, "Be careful out there.".
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
The topic of the discussion is about the dangers of enabling remote access to your network. Although it is possible to connect to a VPN through your router (depending on what router it is and what firmware it is running) and put your entire network behind a VPN, doing so would make it very difficult indeed to implement any kind of remote access.

It's also important to point out that a VPN does not really hide your IP address. For a VPN to work, the VPN server has to know your IP address so that it can send packets back to you. If you are doing something incredibly illegal behind a VPN, the VPN provider is able to tell law enforcement what your IP address is as long as they are given the port number on the VPN server that was assigned to you when you connected. For trivial crimes like copyright infringement, then as long as your VPN provider does not keep logs, you are safe as the request to unmask you will come long after the crime has taken place. However, if you are doing something much more serious which prompts an 'as is it happening' response from law enforcement, they will simply call your VPN provider, tell them what they are investigating and will immediately find out what your IP address is.

@unseen, you need to distinguish between public VPNs and private VPNs. You're referring to a public VPN, like NordVPN, which has the goal of disguising your network's external traffic. OP is referring to a private VPN, for remote access to his internal network. The 2 use similar technology, but are distinct in their operations and security concerns.
 