This was a fantastic write-up and hopefully this is the place to share another approach that has worked very well for me and others.
I have a friend who decided to move his business office into his house. As a result, he had several computers that he wanted to connect to a NAS and then wanted to access that same data from the road. I currently manage about 500TB of FreeNAS space (40TB of that being my own server), so I encouraged him to install a small FreeNAS server and use that for his shares. We spun up two small servers, one primary and one backup, and copied his business data from his computers to the FreeNAS servers.
Having designed, engineered and maintained large IP networks and huge internet data centers for most of my adult life, I didn't want to mess with (what I considered) a casual approach to security for his home (now business) network. By casual, I mean the small NAT-based devices that many people think are actually true firewalls. When I think of a firewall, I think of deep packet inspection, deep flow inspection, locally terminated SSL for inspection of encrypted sessions, basically every single packet gets stopped at the edge, opened up, inspected for policy and other rules, viruses, phishing, ads, etc. - and then either allowed or dropped based on those network rules. This was now his business and he needed more.
In this case, he had an older Dell desktop computer he wasn't using that was a small, mini desktop. I installed the free version of Untangle on it and dropped it between his home cable modem and his little internal wireless/switch he had. I removed the wireless/switch device (which he was having trouble with anyway), installed a small Ubiquiti AP in its place and put in a new little 8-port gigabit switch. Not counting the FreeNAS hardware, I think he had $250.00 in new gear he purchased, which included the brand new AP and a second ethernet card we needed for his Dell.
I set up the OpenVPN server on the firewall, set up his VPN credentials on his laptop and his work machine, and within the hour we had everything up and running without changing a single thing on his FreeNAS box, dealing with SSH, etc. Now no matter what network he is on, he can VPN into his network, access all of his data via shares right on his laptop (albeit a little slower than being at home) and get his work done. In his case, the only caution I had for him was losing his laptop with his VPN credentials on it, so we encrypted it and I told him to make sure he shut it off after every use. (Paranoid setting.)
I guess the long and short of it is (for me) pretty simple. If you have the know-how to run a FreeNAS server, installing an actual firewall device with edge VPN support is not that complicated, and having simple VPN access to your entire network just makes life easier sometimes.
BTW - I don't work for Untangle or Dell :)