[How-To] How to Access Your FreeNAS Server Remotely (and Securely)

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
After I set up FreeNAS and got comfortable with it, I began to explore accessing it remotely over the internet. Not being a computer professional, I was surprised to find out how often people were sniffing around trying to get in. If you want to see for yourself, just give yourself a super-secure password and forward port 22 on your router to the server, and keep an eye on /var/log/auth.log. You’ll get lots of visitors, and if you don’t shut down that port pretty soon, eventually the contents of your server will probably be in strangers’ hands and you’ll be mining bitcoins for someone and acting as a proxy server for child pornography or something. And of course a visit from @RussianMafia is a distinct possibility :eek: HTTP access is less secure, and even HTTPS access relies entirely on your password, which can eventually be cracked if someone is determined.

For common mortals, the best approach is to put all remote access to your server over SSH with public key authentication. This gives you encrypted communication AND a secure authentication scheme. This means a private key on your client computer must correspond to a public key on the FreeNAS server. The keys are not even sent between the machines. The client provides a single-use, randomized derivation that proves it has the private key, but which can’t lead to the key by an inverse operation, except with the public key. It’s all very cool and mysterious. The private key is (at least should be) encrypted with a passphrase. If your client computer is stolen or hacked, thieves will have to crack the passphrase, hopefully giving you time to remove the public key from the server.

These instructions are from the point of view of a Mac or other unix-like client computer. Windows operations should be readily translatable. It is recommended that you do not attempt this until your FreeNAS setup is otherwise fully configured and working well, and you are familiar with managing it and can comfortably use SSH over the local network.

Setting Up Keys
A key pair is normally generated on the client computer. First see if there is a ~/.ssh folder on your client. Some implementations of ssh-keygen (such as Mac OS X) will create the folder for you while generating the keys. If unsure, make one with “mkdir -m 700 ~/.ssh”. Generate the keys with ssh-keygen. This will generate an RSA key pair by default (although some have reported they only had success after specifying the type with ssh-keygen -t rsa; guess it can't hurt). Press Enter to accept the default location and filename (~/.ssh/id_rsa). Then you will be prompted to create a passphrase for unlocking the private key. The corresponding public key will be stored in the same place and same name with “.pub” appended. Here's what the key generation looks like:
Code:
tmpuser$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/tmpuser/.ssh/id_rsa):
Created directory '/Users/tmpuser/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/tmpuser/.ssh/id_rsa.
Your public key has been saved in /Users/tmpuser/.ssh/id_rsa.pub.
The key fingerprint is:
f5:81:22:91:20:c2:af:2d:b7:47:16:a9:14:37:6a:2b tmpuser@Jims-MacBookPro.local
The key's randomart image is:
+--[ RSA 2048]----+
|o . ....         |
| o o o..   .     |
|  . + + . o .    |
|   = o . o . .   |
|  = o . S   .    |
| E = o           |
|  + +            |
|   . .           |
|    .            |
+-----------------+
tmpuser$ 

Now copy the public key into the file ~/.ssh/authorized_keys on the server:
  1. Easiest is to:
    1. Open id_rsa.pub on the client computer, and copy the ENTIRE contents of the file.
    2. In the FreeNAS WebGUI, open 'Account > Users', and double-click on your username (the one you will SSH with) to open the dialog.
    3. Then paste the text into the field 'SSH Public Key' and save; OR
  2. You can just copy over id_rsa.pub and rename it authorized_keys; OR
  3. If the file already exists and has a key in it, just make a new line and paste the contents there.
No matter which approach you use, there's a good chance it won't work at first. Go to the Troubleshooting section at the end and check ownership/permissions on all the directories and files.

SSH Settings
In the FreeNAS WebGUI, go to Services > SSH > Settings.
  • Set the FreeNAS SSH port. If you use an outward-facing port number that is arbitrary and high (1024–65535), you will log few to no break-in attempts, but it is questionable whether it actually adds security. The “key” thing is that you are using key authentication and an encrypted channel rather than plain-text communication and/or a password that can be picked up en route or cracked. In some modems, you can forward the high port number to port 22, and that's fine; in others the outward and inner port numbers have to be the same.
  • Make sure “Login as Root with password” is unchecked. You can still log in via SSH as root (if you add the public key to /root/.ssh/authorized_keys), but it is generally not necessary as you can sudo or su from your user.
  • Also uncheck “Allow Password Authentication”. Now only public key authentication can be used to log in.
  • Check "Allow TCP Port Forwarding". This is apparently necessary for tunneling (below).
  • You may need to stop and start the SSH service for settings to take effect.
SSH settings.png

Now you can SSH into the server locally with “ssh <you>@<IPaddress>:<port number>” (If you haven't changed the SSH port on FreeNAS, leave out the colon and port number; it will default to 22). You will be prompted for the passphrase to unlock your private key. Depending on your system, the key will subsequently be provided by ssh-agent without entering the passphrase until you log out of the client.

Dynamic DNS
To SSH remotely over the internet, you need either a permanent IP address or a domain name that is updated to point to the IP address when it changes. The latter requires a dynamic domain name service. A good free one is DuckDNS (duckdns.org). First, use one of the sign-in options such as Google. In the domain line enter your preferred subdomain name. If it is available, that’s it; you will see a token (long sequence of random characters). Copy it.

Then you need to tell FreeNAS how to update the dynamic DNS server at DuckDNS. FreeNAS has a Dynamic DNS service that can take care of this if your service is listed (DuckDNS isn’t), but doing it yourself is easy. As outlined nicely by RoboKaren:
  1. Login to your Freenas server GUI
  2. Go to Task > Cron Jobs > Add Cron Job
  3. Set up the new cron job:
    1. Set it to run as 'nobody'
    2. You can have it at 1 minute past the hour, every 12 hours (or less), every day of the week.
    3. The command to run is:
      /usr/local/bin/curl https://www.duckdns.org/update/<subdomain>/<token>
      where <subdomain> is your subdomain in subdomain.duckdns.org
      and <token> is the long sequence of random characters from DuckDNS.
    4. Note, if you set this up before and then it broke, you must now specify their domain as www.duckdns.org, not duckdns.org.
CronJob.png

And that's it. You may want to run:
/usr/local/bin/curl https://www.duckdns.org/update/<subdomain>/<token>
from your user account first to make sure that the command actually works. If it does, it should return “OK”. If there is some sort of a problem, it'll return “KO”.

Port Forwarding
Now you need to forward the SSH port from your router to the server. Find instructions for your router. As an example, for a Motorola SurfBoard SBG6580, go to Advanced > Forwarding, click “Create IPv4”, and enter as in the left figure (using something different for the external port, and your server’s local IP). In this modem, you can forward the external port number to a different-numbered local port. The second figure shows settings for a Zyxel C3000Z (accessed via Advanced Setup > Security: Port Forwarding). In that modem, local and external ports must be the same (as the port set above in FreeNAS SSH settings).
portforward.png
modem_settings.png

If you choose to use the same port number externally and locally, you will need to put that port number in the FreeNAS GUI in the SSH Settings. Then, accessing your server via SSH remotely would be “ssh -p 52739 <you>@<subdomain>.duckdns.org”.

SSH Tunneling – web access
It seems you can tunnel just about anything through SSH, though I haven’t tried sending a pizza through yet. I haven’t figured out a single SSH command that will set up tunneling for everything, so I’ve divided it into two parts. The following services can be accessed remotely by tunneling web access through SSH
  • WebGUI
  • IPMI
  • Transmission web interface
  • WebDAV
IF YOUR CLIENT HAS A UNIX-LIKE INTERFACE:
First open the SSH tunnel: ssh -D 15443 -p 52739 <subdomain>.duckdns.org

-D 15443” specifies an arbitrary, high-numbered local port that listens for any local traffic. “-p 52739” specifies where that traffic will be forwarded: the external port on your server’s router that you have set to forward to the designated SSH port on your FreeNAS box.

IF NOT, AND YOU ONLY HAVE PUTTY:
A lot of people are having trouble setting up the equivalent command in Putty. I won't go through the whole Putty setup (you have to point it to your key file), but here are the two key screens to get the same effect as the ssh command above:
Putty_tunnel_session.PNG
Putty_tunnel_tunnel.PNG


The first time, Firefox must be configured:
  • Go to Preferences (or Options) > Advanced > Network > Settings
  • Check “Manual proxy configuration (or settings)”
  • For “SOCKS Host” enter “localhost” and port “15443”
  • Hit OK
firefox.png

When you’re finished accessing your server, change Firefox’s proxy settings back to System. It will remember the manual proxy settings, so next time all you have to do is switch it back to the manual settings.

While operating through the tunnel, Firefox will behave as if you are on the local network with the server. So you can access the WebGUI, IPMI, WebDAV, and jails with the exact same URLs as you would on the local network. You can even control your router remotely the same way. For example, on my system the following URLs are used:
WebGUI https://192.168.0.2
IPMI https://192.168.0.3
Transmission http://192.168.0.4:9091/transmission/web
WebDAV https://192.168.0.2:51415/<share_name>

Although you can set up most of those services in FreeNAS as HTTPS, as I have, it probably isn’t necessary because it’s all going through an encrypted channel anyway.

Secure FTP (SSH File Transfer Protocol)
If you want to use an FTP client and access your files that way, you can set up an SFTP connection in one step. WinSCP, Cyberduck, and other programs can do the public key authentication and set up the SSH tunnel themselves. However you must be sure to choose the proper options. In Cyberduck for example, you must make sure you choose the connection type SFTP (SSH File Transfer Protocol). You should also choose “Use Public Key Authentication” in the connection dialog and enter the location for your private key, although Cyberduck is smart enough to use public key authentication if necessary, as it should be, and to get the private key from ssh-agent, if available.

To enable SFTP for various users that allows access specific to each user, generate a new key pair for each user and put the public key in the user’s ~/.ssh/authorized_keys file on the server. Each user should then have access corresponding to their established permissions.

Regular File Browsing and Manipulation
But who needs SFTP when you can connect to your shares on the server as if they were local volumes? This works with AFP and I’m sure it can be done with CIFS/SMB as well. To set up the tunnel:
Code:
ssh -L 15548:localhost:548 -p 52739 <you>@<subdomain>.duckdns.org sleep 120

This connects to your account on your server through your router’s external SSH port 52739. Any local traffic sent to port 15548 will be sent through the tunnel and then, in the server, will be sent to the AFP port 548. The “sleep 120” ensures that the tunnel will be automatically closed if at least 2 minutes have elapsed since it was opened and it is not in use (meaning server volumes are not mounted).

Now in the Finder choose Go > Connect to Server, and enter “afp://localhost:15548", simply saying to open an AFP connection to port 15548 on your local computer. Tell it to remember the URL for future use.

I know: it’s so nice to browse and edit your FreeNAS files over the internet this way, you feel a little uneasy, like there must be something wrong with it. Just enjoy!

Aliases
To make it easier to open SSH connections, you can set up aliases in your shell profile. For example, the command “sss” opens a straight-up SSH session, “ssw” opens a tunnel for web access, and “ssa” opens a tunnel for AFP (or CIFS, if you adjust the port numbers) access:
Code:
alias sss='ssh -p 52739 <you>@<subdomain>.duckdns.org'
alias ssw='ssh -D 15443 -p 52739 <subdomain>.duckdns.org'
alias ssa='ssh -L 15548:localhost:548 -p 52739 <you>@<subdomain>.duckdns.org sleep 120'

Troubleshooting
SSH is somewhat picky about permissions when it comes to key authentication, surely for good reason. If you have trouble, check these things.
  1. At least on the server, the user's home directory should not have write permission for group or other.
  2. On both server and client, the .ssh directory and files in it must be owned by the user
  3. On both server and client, the .ssh directory should have permissions 700
  4. The authorized_keys file should have permissions 644
  5. The private key (id_rsa) should have permissions 600
 

Attachments

  • SSH settings.png
    SSH settings.png
    36.5 KB · Views: 28,887
Last edited:

BigDave

FreeNAS Enthusiast
Joined
Oct 6, 2013
Messages
2,479
I'm curious, so if you don't mind my asking, how many hours of study has it taken
you to get to this point? For someone who does not make their living with computers
you seem to have come a very long way, in a very short amount of time. :cool:
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
Ha! Thanks. I've spent way too much time on it for sure. The secret to success was, I had almost a month off work over the holidays, which was largely devoted to playing with the new server and learning. (I think my wife would have preferred a trip though - I owe her ;) )

Oh, and I should add, a lot of people on this forum have helped tremendously.
 
Last edited:

BigDave

FreeNAS Enthusiast
Joined
Oct 6, 2013
Messages
2,479
The secret to success was, I had almost a month off work over the holidays, which was largely devoted to playing with the new server and learning.
:eek: :eek: :eek:
Based on that time line, with the number of free hours I have each week, I should be well on my way to learning this in approx three to four years. Bahahahaha
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
So I've been doing all this for quite some time, but I can't get the remote desktop via IPMI to display back to me via ssh tunnel. Note sure why---I have verified the Java is set to use the port forward, etc., and everything works great until I try to see the remote desktop. That fails, for no obvious reason. Anyone have any insight on that?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
So I've been doing all this for quite some time, but I can't get the remote desktop via IPMI to display back to me via ssh tunnel. Note sure why---I have verified the Java is set to use the port forward, etc., and everything works great until I try to see the remote desktop. That fails, for no obvious reason. Anyone have any insight on that?
It's using UDP?
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
It's using UDP?
Now, that's what *I* thought the problem was, but Cyberjock told me he gets this to work "all the time". So I assumed I was wrong. Are the video frames, in fact, transmitted UDP? (I don't know if your question mark was a legitimate question, or if it was more mocking, lol).
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
So I've been doing all this for quite some time, but I can't get the remote desktop via IPMI to display back to me via ssh tunnel. Note sure why---I have verified the Java is set to use the port forward, etc., and everything works great until I try to see the remote desktop.
Do you mean the web IPMI client, the Java IPMI client, or the Java iKVM thing that lets you monitor and interact with the boot process? I guess now that you mention it, I've only tried the first one.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Now, that's what *I* thought the problem was, but Cyberjock told me he gets this to work "all the time". So I assumed I was wrong.
That may not be a safe assumption. Cyberjock is prone to hyperbole. Pics or it didn't happen!

The question mark was because it seemed like a fairly obvious explanation, which you probably already considered. But that being said, feel free to take it as mocking you. :D
 
Last edited:

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
I never said I got IPMI remote console access to work "all the time". I said I do ssh tunneling all the time. I've never tried to do the remote console remotely because I've never had a reason to try either. I VPN to my home as necessary and I use Teamviewer otherwise.
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
Do you mean the web IPMI client, the Java IPMI client, or the Java iKVM thing that lets you monitor and interact with the boot process? I guess now that you mention it, I've only tried the first one.
The Java iKVM thing.
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
Hmm, no luck here either with the Javi IPMI app at all. I tried changing my system proxy settings to use the tunnel. It worked for web access with a browser using default settings, but not for the Java app. I also changed the Java proxy settings, but it seemed to have no effect. I also tried a variety of ssh commands to set up the tunnel, but nothing I did seemed to work.

I did find these pages which seem to shed light on it, though I don't fully understand. I don't have socat. The second solution may work. Let us know if you get anywhere DrKK.
http://yannramin.com/2012/12/21/supermicro-ipmi-remote-kvm-annoyances/
http://serverfault.com/questions/327255/using-supermicro-ipmi-behind-a-proxy
 
Last edited:

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
Hmm, no luck here either with the Javi IPMI app at all. I tried changing my system proxy settings to use the tunnel. It worked for web access with a browser using default settings, but not for the Java app. I also changed the Java proxy settings, but it seemed to have no effect. I also tried a variety of ssh commands to set up the tunnel, but nothing I did seemed to work.

I did find these pages which seem to shed light on it, though I don't fully understand. I don't have socat. The second solution may work. Let us know if you get anywhere DrKK.
http://yannramin.com/2012/12/21/supermicro-ipmi-remote-kvm-annoyances/
http://serverfault.com/questions/327255/using-supermicro-ipmi-behind-a-proxy
Well, if I'm reading it right, the second link is pretty much worthless, as it does not address the UDP issue.

The first link---using socat to do it---it's a clever hack. socat does exist on the FreeBSD ports tree (of course), so it can be easily installed in a jail.

It dawns on me though---why would I need the IPMI console? If I were having serious trouble with booting the system. If I were having serious trouble booting the system? Then the ssh tunnel would not be operating anyway, rendering the whole question moot as the snake eats its own tail.

Since I can no longer think of a scenario in which I would turn out to obviously require this, my interest in making it work using a displeasing hack job has decreased proportionally ;)
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
Well I do believe you are correct. I hadn't thought it through that far. :rolleyes:
 

Hisma

Explorer
Joined
Mar 23, 2013
Messages
87
Why is this favorable over just setting u openvpn access?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
It dawns on me though---why would I need the IPMI console? If I were having serious trouble with booting the system. If I were having serious trouble booting the system? Then the ssh tunnel would not be operating anyway, rendering the whole question moot as the snake eats its own tail.

Since I can no longer think of a scenario in which I would turn out to obviously require this, my interest in making it work using a displeasing hack job has decreased proportionally ;)[/QUOTE]

You know, I woke up last night and thought EXACTLY this. I was going to talk to you about this today and give you some lead-up discussion and see if you figured it out, but you already did. Haha.

Why is this favorable over just setting u openvpn access?

Not everyone has a machine that can act as a VPN server. The SSH tunnel is a "good alternative" if you don't actually need total access to the whole network. In the scenario DrKK is working in, a VPN really isn't an option, and as running a VPN server in a jail involves not only more moving parts that can go bad but also isn't recommended for security reasons, he's doing what really is the best option... ssh tunnel.
 

derekzchu

Dabbler
Joined
Dec 5, 2014
Messages
23
Hi Glorious,

nice post. i'm trying to setup my private/public key but i ran into a permissions issue I was wondering if you could help me with. My user has a homedir of /mnt/vault and that directory has the group "admin" which is my user's primary group. I get "Permission denied (publickey)." on my client when I try to ssh and when I look at /var/log/auth.log, I see "Authentication refused: bad ownership or modes for directory /mnt/vault"

Am i doing this correctly? I verified my authorized_keys matches my id_rsa.pub. Thanks in advance.
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
The permissions denied error when looking /var/log/auth.log is expected. You would have to be root or sudo to see that. So that's unrelated to the key problem.

Do you have the user as the owner of the keys and /mnt/vault, and have all permissions as described in the troubleshooting section at the end of the post? Please check each condition carefully.

If so, and actually even if not, I suggest you try putting the user's home directory UNDER the root directory, /mnt/vault. So it would be /mnt/vault/<user>. Once you get in you can still cd to the root directory if you want. I'm not sure that is the problem, just a suspicion. As far as I understand, you should not change ownership or otherwise mess around with the root directory, it can mess things up. Just work with directories under it. So if you have changed the root directory, make sure you change it back to the default owner and group (root:wheel) and permissions.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Hi Glorious,

nice post. i'm trying to setup my private/public key but i ran into a permissions issue I was wondering if you could help me with. My user has a homedir of /mnt/vault and that directory has the group "admin" which is my user's primary group. I get "Permission denied (publickey)." on my client when I try to ssh and when I look at /var/log/auth.log, I see "Authentication refused: bad ownership or modes for directory /mnt/vault"

Am i doing this correctly? I verified my authorized_keys matches my id_rsa.pub. Thanks in advance.
Your permissions are probably too lax. Your home directory should be writable only by your user.
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
Thank you, op.
 
Top