FreeNAS jail vs Synology NAS as VPN server?

[EvanVanVan]

I know FreeNAS is not intended to be accessible from the internet. But I'm not sure if it's any better (although it's marketed and supported as though it is) if a Synology NAS is accessible?

As far as running a VPN server goes, it is preferable to use a FreeNAS jail (https://forums.freenas.org/index.ph...-6-with-access-to-remote-hosts-via-nat.22873/) or the Synology VPN Server package?

Thank you

 

[FreeNASftw]

It makes no quantifiable difference if it's run on an off the shelf NAS or FreeNAS.
'I know FreeNAS is not intended to be accessible from the internet', this isn't really correct in any sense.

 

[EvanVanVan]

this isn't really correct in any sense.

I think you're incorrect, but I'm too drunk to find any links to dispute you. lol

Is the fact that my FreeNAS server is exponentially more powerful than my off the shelf Synology going to make much of a difference?

 

[melloa]

I think you're incorrect, but I'm too drunk to find any links to dispute you. lol

It is a matter of philosophy and security. You can expose whatever you want to the internet, just a bad decision.

Best practice is to keep to a minimum the ports you have exposed and, in cases you can, use non-standard ports for your services.

Set your FreeNAS GUI to port 80 and NAT your public IP to it? Possible. Recommended? Not on my end.

 

[Ericloewe]

'I know FreeNAS is not intended to be accessible from the internet', this isn't really correct in any sense.

You're absolutely wrong.

FreeNAS is not hardened for internet exposure. The only appropriate way of accessing it remotely is either via a VPN or properly-secured SSH session.

It makes no quantifiable difference if it's run on an off the shelf NAS or FreeNAS

Are you kidding me? VPN is not exactly a trivial workload. Even with hardware acceleration, its performance is well below line speed.

 

[EvanVanVan]

You're absolutely wrong.

FreeNAS is not hardened for internet exposure. The only appropriate way of accessing it remotely is either via a VPN or properly-secured SSH session.

Are you kidding me? VPN is not exactly a trivial workload. Even with hardware acceleration, its performance is well below line speed.

Hahah thank you for confirming.

I'm still curious about my question even in the more general sense. Synology devices are marketed so heavily for their cloud features, is DSM really that much better developed for internet exposure then FreeNAS? Or is it just smoke and mirrors that they're more secure?

 

[Ericloewe]

I suspect the truth is somewhere in the middle. A VPN is always safest.

 

[pirateghost]

Hahah thank you for confirming.

I'm still curious about my question even in the more general sense. Synology devices are marketed so heavily for their cloud features, is DSM really that much better developed for internet exposure then FreeNAS? Or is it just smoke and mirrors that they're more secure?

They probably proxy everything through their servers, and proxy your connection to your server. All through their "cloud"

 

[FreeNASftw]

Whether or not the statement is correct or not depends on exactly what the statement means. If FreeNAS is intended to mean the services running on the appliance then how is it not designed to be accessed via the internet, assuming the correct procedures are in place.
If the statement assumes that FreeNAS is the GUI, then it is fairly obvious that out of the box, it is not designed to be exposed directly to the internet.

DSM, WD my cloud etc do exactly what pirateghost said.

 

[FreeNASftw]

You're absolutely wrong.

...

Are you kidding me? VPN is not exactly a trivial workload. Even with hardware acceleration, its performance is well below line speed.

Who said anything about line speed? Any off the shelf NAS you would compare to FreeNAS (I don't know how you compare anything that is off the shelf to something that has infinite build configurations anyway) in terms of VPN ability, they have hardware acceleration just like a decent FreeNAS build... I don't really know what your comment is even supposed to mean given that no scenario was given in the original post. I would expect more from moderators than completely unquantified and argumentative answers really.

If you want massive VPN concentration then a storage appliance isn't the place for it.

 

[EvanVanVan]

Whether or not the statement is correct or not depends on exactly what the statement means. If FreeNAS is intended to mean the services running on the appliance then how is it not designed to be accessed via the internet, assuming the correct procedures are in place.
If the statement assumes that FreeNAS is the GUI, then it is fairly obvious that out of the box, it is not designed to be exposed directly to the internet.

DSM, WD my cloud etc do exactly what pirateghost said.

Less drunk now so I took 5 minutes to find some of CyberJock's posts on the subject. Maybe his more pointed condescension (jk CyberJock :D) will convince you lol.

Remote access best practices
Suspected Hack - Need advice on security

And that's what I meant by "FreeNAS is not intended to be accessible from the internet"...

Who said anything about line speed? Any off the shelf NAS you would compare to FreeNAS (I don't know how you compare anything that is off the shelf to something that has infinite build configurations anyway) in terms of VPN ability, they have hardware acceleration just like a decent FreeNAS build... I don't really know what your comment is even supposed to mean given that no scenario was given in the original post.

If you want massive VPN concentration then a storage appliance isn't the place for it.

You're right I didn't give as much information as I should have. I was wondering about a server for 2-3 VPN users, not two to three hundred.

Anyway I think my question was answered fully enough.

Thank you

 

[Ericloewe]

Who said anything about line speed? Any off the shelf NAS you would compare to FreeNAS (I don't know how you compare anything that is off the shelf to something that has infinite build configurations anyway) in terms of VPN ability, they have hardware acceleration just like a decent FreeNAS build... I don't really know what your comment is even supposed to mean given that no scenario was given in the original post. I would expect more from moderators than completely unquantified and argumentative answers really.

If you want massive VPN concentration then a storage appliance isn't the place for it.

High-end NAS boxes use i3s. Many use mid-range atoms. A Xeon E3 is not unusual in a FreeNAS server, which would destroy the lower-end chips in VPN performance.

My gripe with your comment is that it suggests that VPN is a trivial thing, which it isn't.

 

[FreeNASftw]

High-end NAS boxes use i3s. Many use mid-range atoms. A Xeon E3 is not unusual in a FreeNAS server, which would destroy the lower-end chips in VPN performance.

My gripe with your comment is that it suggests that VPN is a trivial thing, which it isn't.

This is ridiculous, maybe you should check out modern NAS units. If you think a NAS under $1000 AU is "high end" then... that's the end of the conversation isn't it. Synology and QNAP (I assume others too) offer quad core x86 processors that support AES-NI in their sub $1000AU NAS's. That is a fair comparison to the majority of FreeNAS builds in homes and SMB... Like, oh... you know... YOURS.

 

[EvanVanVan]

For the record, the Synology NAS I was asking about is a DS213air that has a single core Marvell Kirkwood lol. So yeah, I guess my FreeNAS server is significantly more powerful. Of course, if I had gone with the DSM VPN Server it may have been up and running in two clicks instead of me sitting here for a day and a half struggling to get it set up in a jail!

But yeah, this thread needs to be closed lol.