VPN and Freenas

Bruce Wilfong

Explorer
Joined
Mar 25, 2016
Messages
85
Hello all,

I have read over several VPN and FreeNAS threads and just wanted a bit of clarity before I make the move. From what I am reading it is better to set up VPN on a router than in jails on FreeNAS (I get pfSense is better but I don't want to go that route). I have an ASUS router that does support OpenVPN. I mainly want VPN to 1) access files and iocage jails remotely, 2) for my downloading programs' IP to be hidden. Running FreeNAS 11.2. My questions:

1. I run Deluge, Sonarr, Radarr and Lidarr; will running OpenVPN on the router keep my IP private and secure?
2. If I run VPN on my router, do I need to do anything special on the FreeNAS server or iocage jails?
3. Any recommended VPN services I should go with ?

Thanks
 

1kokies

Contributor
Joined
Oct 7, 2017
Messages
138
I have read over several VPN and FreeNAS threads and just wanted a bit of clarity before I make the move. From what I am reading it is better to set up VPN on a router than in jails on FreeNAS (I get pfSense is better but I don't want to go that route). I have an ASUS router that does support OpenVPN. I mainly want VPN to 1) access files and iocage jails remotely, 2) for my downloading programs' IP to be hidden. Running FreeNAS 11.2. My questions
I use OpenVPN from my router; however, it is limited to 5. As a security measure, and in the event the FreeNAS server powers down, I can still access management, BMC etc. I use a Linksys WRT1900AC.
 

NASbox

Guru
Joined
May 8, 2012
Messages
650
@Bruce Wilfong do yourself a favour and go the pfSense route!

These "consumer" routers are a security problem waiting to happen (closed source/no oversight/slow or non-existent firmware updates). Just an example: ASUS Routers Overflow with Vulnerabilities - this isn't meant to single out ASUS, it's just the way it is with the big box store consumer grade stuff.

One company which will remain nameless ignored a very serious vuln on one of their high end products for many months. The issue was responsibly disclosed, but the company kept ignoring the issue until the researcher made it public and created a degree of embarrassment.

The pfSense devs take security seriously, and stuff generally gets found/reported fairly quickly, and when that does happen it gets patched very quickly if it is serious.

Putting a security product like OpenVPN into FreeNAS is just asking for trouble.
 

thepixelgeek

Patron
Joined
Jan 21, 2016
Messages
271
@NASbox As for the pfSense route, what would be the ideal setup and config to have a home network, including FreeNAS box, safe/disguised and going through a VPN?

I'm looking to purchase SG-3100 Netgate. Thoughts?
 

NASbox

Guru
Joined
May 8, 2012
Messages
650
@NASbox As for the pfSense route, what would be the ideal setup and config to have a home network, including FreeNAS box, safe/disguised and going through a VPN?
Ideal setup? Not sure what you mean. Are you talking remote access or something else? What do you want/need to do?

A few of the things I do are:

I use the OpenVPN Server, set up for UDP with a TLS key, and a personal ID certificate and password. AFAIK, unless you have the TLS key, the port is going to ignore any pings/probes/connection attempts. (GRC.com port scan can't see it.) If you have the TLS key, then the port will respond and you have the ability to log in, which requires the use of an ID certificate. You also need a password (provides some protection if the keys or mobile device are lost/stolen). AFAIK it's pretty much best practice for remote access VPN: unless you have a sophisticated adversary conducting a targeted attack you should be pretty safe. (I also turn off the server when I don't need it, just to make things even more secure.) I can use it from my Android phone to surf privately over public WiFi, or access files remotely.

I currently run pfBlockerNG, which filters out a lot of ad networks/trackers and IP ranges of known botnets and cyber criminals. I have pfBlockerNG subscribed to a number of lists, and it keeps itself up to date by downloading updates. Like a Pi-hole on steroids! Not foolproof, but way better than the majority of the masses are using, which I hope is good enough (for now). DNS over HTTPS, and the increase in the number of HTTPS connections everywhere, is making security much more difficult. With all the #$@ CDNs/cloud storage like Cloudflare, 1E100, Amazon etc., it is making filtering very, very hard. Is djfkdfjlsdjf.cloudflare.com a legitimate use of a CDN used to serve content provided by the website developer, or was it "added by a hacker"? Either way Cloudflare can log/track you if that is part of their business model.

I also have a managed network with multiple VLANs that allows me to split my WiFi traffic into Media (no Internet), Secure (access to the core network with internet access), and Guest network (which uses a commercial VPN service for a bit of anonymity and light firewall/ad blocking). Since I don't really trust phones/tablets (some don't even have root access), I use them on the guest network or the media network. The guest network also has less restrictive security that doesn't break NFL.com etc., which lately has so many ad/spyware networks that my core security breaks it and makes my wife very unhappy. If your network is small enough you could likely do that without a switch, but it would put much more load on pfSense.

I'm looking to purchase SG-3100 Netgate. Thoughts?
If you just want a remote gateway, I would think it should be fine. If you want to run IDS like snort/suricata, pfBlockerNG and a ton of other packages then it might be a bit light. Since I have no experience with this device I am just guessing.

I am running a small 4 NIC J1900 box with a 120GB mSATA so I can do lots of packet capture/logging and run a bunch of packages. I'm not sure I did the best job, but it works and I've been happy with my choice. I've been running it for about 4-5 years since I happily waved bye-bye to DD-WRT.

I would go to the pfSense forum and see what people are saying based on how you plan to use your device.
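The three layers NASbox describes for the OpenVPN server (a TLS key that makes the port ignore probes, a client certificate, and a password on top) map onto specific server directives. The following is an added example, not code from the post, from pfSense or from the OpenVPN project: a small linter that reads an OpenVPN server config and reports which of those layers is missing, run against a constructed weak config and its hardened counterpart. The certificate, key and auth-pam plugin paths are assumptions.

```python
"""Lint an OpenVPN server config for the three layers described in the
post above: a pre-shared TLS key in front of the handshake (tls-crypt or
tls-auth), a mandatory client certificate, and a password on top.
Added example; not code from the forum post, pfSense or OpenVPN.  Both
configs are constructed, and the certificate, key and auth-pam plugin
paths are assumptions."""

# Constructed: a "just make it work" server config.
WEAK_SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
verify-client-cert none
auth-user-pass-verify /usr/local/bin/checkpass.sh via-env
script-security 3
cipher BF-CBC
"""

# Constructed: the hardened counterpart.
HARDENED_SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
tls-crypt ta.key
tls-version-min 1.2
remote-cert-tls client
verify-client-cert require
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
data-ciphers AES-256-GCM:AES-128-GCM
cipher AES-256-GCM
auth SHA256
"""

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}


def parse_conf(text):
    """Return {directive: [args, ...]}.  '#' and ';' start comments and a
    directive may repeat (push, plugin, ...), hence the list of arg lists."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        conf.setdefault(name, []).append(args)
    return conf


def lint_server(text):
    """Return a list of findings; empty means all three layers are present
    and the TLS/cipher settings are sane."""
    c = parse_conf(text)
    findings = []

    # Layer 1: without a pre-shared TLS key the server completes a TLS
    # handshake with anyone, so a scanner sees an open OpenVPN port.
    tls_keys = [k for k in ("tls-crypt", "tls-crypt-v2", "tls-auth") if k in c]
    if not tls_keys:
        findings.append("no tls-crypt/tls-auth: port answers any probe with a TLS handshake")
    elif tls_keys == ["tls-auth"]:
        findings.append("tls-auth only: control channel authenticated but not encrypted; prefer tls-crypt")

    # Layer 2: a client certificate from our own CA, with the client-auth
    # key usage enforced so a leaked server cert cannot be used as a client.
    args = c.get("verify-client-cert", [["require"]])[0]
    mode = args[0] if args else "require"
    if "client-cert-not-required" in c:  # deprecated alias for 'none'
        mode = "none"
    if mode != "require":
        findings.append("verify-client-cert %s: client certificate not required" % mode)
    if "remote-cert-tls" not in c:
        findings.append("no remote-cert-tls client: client-auth key usage not enforced")

    # Layer 3: a password, so a lost phone with the profile on it is not enough.
    pam = any("auth-pam" in " ".join(a) for a in c.get("plugin", []))
    if "auth-user-pass-verify" not in c and not pam:
        findings.append("no auth-user-pass-verify or auth-pam plugin: certificate alone logs in")

    # Crypto hygiene: legacy 64-bit block ciphers and 'none' are out.
    for key in ("cipher", "data-ciphers"):
        for args in c.get(key, []):
            for name in ":".join(args).split(":"):
                if name.upper() in WEAK_CIPHERS:
                    findings.append("weak cipher %s in %s" % (name, key))
    if "tls-version-min" not in c:
        findings.append("no tls-version-min: older OpenVPN builds accept TLS 1.0 by default")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SERVER_CONF), ("hardened", HARDENED_SERVER_CONF)):
        print(label + ":", lint_server(conf) or "OK")
```

The weak config relies on a password alone (verify-client-cert none), so anyone who can reach the port gets to attempt logins; the hardened one makes the port silent to anything not carrying the tls-crypt key, then still demands a certificate and a password. One caveat on checking this from outside: an empty UDP probe gets no reply either way, because OpenVPN discards malformed packets. It is a well-formed OpenVPN client hello that a server without tls-crypt/tls-auth answers and a server with the key drops, which is why GRC-style scans see nothing once the key is in place.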
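The pfBlockerNG part of the post comes down to two list types applied to two kinds of traffic: domain feeds checked against DNS queries, and CIDR feeds checked against outbound connections. The following is an added example that models that matching, not pfBlockerNG's or pfSense's code; the feeds, the whitelist, the log lines and their format are constructed for the example. The query for www.tracker-example.net slipping through illustrates the CDN problem raised above: a list either contains that host or a parent of it or it does not, and nothing about the name itself tells you whether it is legitimate.

```python
"""A small model of the list-based blocking pfBlockerNG does: domain
feeds applied to DNS queries (a listed domain covers its subdomains,
like a zone) and CIDR feeds applied to outbound connections.  Added
example; not pfBlockerNG's or pfSense's code.  Feeds, whitelist and log
lines are constructed, and the log format is invented for the example."""
import ipaddress

# Constructed feeds, one entry per line as most lists ship them.
DOMAIN_FEED = """\
# ad/tracker feed
ads.tracker-example.net
metrics.tracker-example.net
# botnet C2 feed
c2.botnet-example.org
"""
IP_FEED = """\
# botnet IP feed
198.51.100.0/24
203.0.113.7
"""
# Constructed: a host a site needs that a feed over-blocks.
WHITELIST = {"metrics.tracker-example.net"}


def _entries(feed):
    return [l.strip() for l in feed.splitlines() if l.strip() and not l.startswith("#")]


def load_domains(feed):
    return {e.lower().rstrip(".") for e in _entries(feed)}


def load_networks(feed):
    # strict=False lets a bare host address parse as a /32.
    return [ipaddress.ip_network(e, strict=False) for e in _entries(feed)]


def domain_match(name, blocked, whitelist=frozenset()):
    """Return the feed entry that blocks `name`, or None.  Walks up the
    labels so 'cdn.ads.tracker-example.net' hits 'ads.tracker-example.net';
    an exact whitelist entry wins over the feed."""
    name = name.lower().rstrip(".")
    if name in whitelist:
        return None
    labels = name.split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in blocked:
            return parent
    return None


def ip_match(ip, networks):
    addr = ipaddress.ip_address(ip)
    return next((net for net in networks if addr in net), None)


# Constructed log lines: "<time> <client> query <name>" for the resolver
# and "<time> <client> -> <dst>:<port>" for the firewall.
DNS_LOG = [
    "10:00:01 192.168.10.23 query cdn.ads.tracker-example.net",
    "10:00:02 192.168.10.23 query metrics.tracker-example.net",
    "10:00:03 192.168.10.40 query www.tracker-example.net",
    "10:00:04 192.168.10.40 query C2.botnet-example.org.",
]
FW_LOG = [
    "10:00:05 192.168.10.23 -> 198.51.100.44:443",
    "10:00:06 192.168.10.23 -> 203.0.113.7:80",
    "10:00:07 192.168.10.23 -> 203.0.113.8:80",
]


def scan(dns_lines, fw_lines, domains, networks, whitelist=frozenset()):
    """Return (time, client, kind, target, matched_entry) for each hit."""
    hits = []
    for line in dns_lines:
        ts, client, _, name = line.split()
        entry = domain_match(name, domains, whitelist)
        if entry:
            hits.append((ts, client, "dns", name, entry))
    for line in fw_lines:
        ts, client, _, dst = line.split()
        net = ip_match(dst.rsplit(":", 1)[0], networks)
        if net:
            hits.append((ts, client, "ip", dst, str(net)))
    return hits


if __name__ == "__main__":
    for hit in scan(DNS_LOG, FW_LOG, load_domains(DOMAIN_FEED), load_networks(IP_FEED), WHITELIST):
        print(hit)
```

Two details matter in practice and are handled here: names are normalised (lower-case, trailing dot stripped) before lookup, since a query for C2.botnet-example.org. must still hit, and the whitelist is checked first, which is the knob you reach for when a feed breaks a site the household needs. The IP side is the reason the feeds keep pulling updates every few hours: botnet ranges change, and a stale /24 list is worth little.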
 

thepixelgeek

Patron
Joined
Jan 21, 2016
Messages
271
@NASbox Haha, just a "few" things. Thanks for that write-up. It sounds like a direction I'd like to head towards. I'm just now starting to learn about pfSense, and about FreeNAS for that matter. I finally just finished building my 48TB FreeNAS box. I've been busy setting up jails, etc. Started to do cert stuff via Cloudflare, but ran into issues with my current router not being able to do DNS host override actions. Which led me to pfSense.

Your small 4 NIC, is something like this? https://www.amazon.com/dp/B07G9NHRGQ/ref=psdc_13896591011_t1_B07FKMJGD6

If I go that route, how's the setup/installation of pfsense software. Looks to be the better avenue given the cost difference. Especially comparing to the SG-5100 ($699)!

Also looking at USG, but not sure how it compares.
 

NASbox

Guru
Joined
May 8, 2012
Messages
650
@NASbox Haha, just a "few" things. Thanks for that write-up. It sounds like a direction I'd like to head towards. I'm just now starting to learn about pfSense, and about FreeNAS for that matter. I finally just finished building my 48TB FreeNAS box. I've been busy setting up jails, etc. Started to do cert stuff via Cloudflare, but ran into issues with my current router not being able to do DNS host override actions. Which led me to pfSense.
@thepixelgeek very nice build! Please tell me more... I'd love to know a bit more about what you are doing with that beautiful box.

What are you doing with cloudflare?
https://www.amazon.com/dp/B07G9NHRGQ/ref=psdc_13896591011_t1_B07FKMJGD6
Mine is about 4-5 years old, so that one is better than mine since it has the AES-NI. At a glance that looks like it should be a great choice. Specs are very similar to mine otherwise and it is well sized for the task.

You may want to ask around in the pfSense hardware forum to see if anyone is using it just to double check on build quality or other unforeseen problems.
If I go that route, how's the setup/installation of pfsense software. Looks to be the better avenue given the cost difference. Especially comparing to the SG-5100 ($699)!

Also looking at USG, but not sure how it compares.
Don't know much about the USG, but personally I prefer a well supported open source project. Hardware vendors eventually abandon support for products and then you are SOL. I could likely buy a new mini PC, install pfSense, import my config and be right back where I started, but with new hardware. Like to try that with proprietary software? As an aside, I decided to upgrade my 5 year old phone to LineageOS because I don't like the sealed batteries and disappearing headphone jacks, and my security patch level is more recent than the $1400 S10s in the store... and I don't have to put up with all the bloatware, I can back up my phone properly, and cut down on a lot of the privacy invasion... and save $1400! God bless the open source communities.

As a home user I couldn't afford to pay the premium for pfSense hardware (in a business it makes sense because you have to pay someone to assemble hardware), but a home user is likely doing it because they like to do it (and/or get the advantages of customization/control by doing it).

If you can build that FreeNAS box, trust me you can install pfSense. A monkey can install it. It takes moderate ability to use it in place of a consumer firewall, and depending on what you want to accomplish you might need to be a guru... but then you use pfSense to replace very high end cisco products in large installations with appropriately sized hardware - it does high availability/failover, multiple WANS, and a whole host of things a small installation doesn't need.

If you want a firewall, a remote access VPN, and some filtering/blocking, then you have a few hours of reading to do, but it's very doable as long as you have some basic networking background. If you are asking "What's a subnet? What's a broadcast address? DNwhat?", then you are going to have some major problems.

Most of my issues were that I had zero experience with a managed switch and VLANs... which was a difficult learning curve. Very hard to find good educational material... most of the training stuff I looked at got into a lot of very elaborate concepts for multi-floor/location office buildings with hundreds of users... or was way too simple. Finding something for an advanced home/very small business user is almost impossible.

TLDR; Watch Tom Lawrence's videos on pfSense on Youtube, and download the manual and have a look... You will have a tool you will likely never outgrow.

AFAIK, you don't get a lot in the way of support with the hardware, you have to buy a separate support package--double check, I may be wrong. So either way you are going to have to understand how to set things up. Plugging in the hardware and installing pfSense is a no brainer, and it's good to get some experience setting it up, breaking things and fixing them before you put the thing into service. That way if something does go wrong you know how to fix it.

If you get into filtering, depending on how far you want to go, a lot of work may have to go into deciding what lists to subscribe to and tuning those lists. I went looking for as much malware blocking as I could find, and I likely need to repeat that exercise since I haven't updated my choice of lists for about 2 years (the lists pull fresh updates every few hours depending on the list). Again, unless you get a turnkey choice made by a vendor, you are going to have to do that yourself.

I haven't upgraded my pfSense box yet (I still have a UFS root file system), but pfSense has moved to a ZFS root file system, which means you have snapshots/boot environments/rollback just like FreeNAS, which will be a big relief if you run into an incompatible package or a bad update (in over 4 years it hasn't happened).

I'm sure you won't regret going the pfSense route. I wouldn't want to run a home network without it (even without the VLANs) because you can monitor and control what is going in and out, and you get quick security patches by people who are passionate and know what they are doing!

Hope that is helpful... best of luck.
 

thepixelgeek

Patron
Joined
Jan 21, 2016
Messages
271
Thank you! Definitely helps.

@thepixelgeek very nice build! Please tell me more... I'd love to know a bit more about what you are doing with that beautiful box.

It's mainly a Plex server, with sonarr, nzbget, radarr, transmission, etc, and It'll be used as my file server for all my digital crap. All in one place, finally. Would be nice to allow family to tap into it for movies, etc..

In the future, maybe use it for camera surveillance, not sure though since the drives may not be up to snuff for that task. And I'm sure as I learn more, I'll do more.

If you want a firewall, a remote access VPN, and some filtering/blocking, then you have a few hours of reading to do, but it's very doable as long as you have some basic networking background.
Sounds about right.

Watch Tom Lawrence's videos on pfSense on Youtube
Just stumbled on his videos. Wishing I was Neo downloading simulations/knowledge into my brain. So much out there.

Most of my issues were that I had zero experience with a managed switch and VLANs... which was a difficult learning curve.
Same...slow learning process for me.

I'm sure you won't regret going the pfSense route. I wouldn't want to run a home network without it (even without the VLANs) because you can monitor and control what is going in and out, and you get quick security patches by people who are passionate and know what they are doing!
Agreed. I like a challenge and all this stuff is new and fun.
 