Remote accessible share - and user friendly - how to?

Status: Not open for further replies.

Jack Naisbett (Explorer, joined Jan 8, 2016, 69 messages):
Hi there,

I'm trying to find a way to share a dataset remotely, but keeping it secure and user-friendly. The intended audience is family members who aren't tech savvy at all! Ideally I want, in essence, a remote network drive, rather than a third-party client like FileZilla.

Owncloud works, but the issue is that the dataset I want to share contains all manner of files, and I only want the users to see the files ending in .mp4, for example.

While I can export a CIFS share and veto the files I don't want, I don't want to expose a CIFS share over the WAN. However, I have recently subscribed to PIA; could I run an OpenVPN client in a jail and allow access to a CIFS share that way?
 

DrKK (FreeNAS Generalissimo, joined Oct 15, 2013, 3,630 messages):
If you are mostly sharing out movies (you said .mp4), then probably the safest thing for a novice to do is set up "plex", and then invite your friends to your plex account.

Sharing out a NAS share, itself, over the internet, is very pungently dis-recommended, sir. You would have a 50% chance of mining bitcoins for Russian hackers within 24 hours.
 

Jack Naisbett (Explorer, joined Jan 8, 2016, 69 messages):
That's why I was considering securing it with a VPN and appropriate firewall settings, so that it is only accessible if the VPN is running; that would add to security somewhat, wouldn't it?
 

DrKK (FreeNAS Generalissimo, joined Oct 15, 2013, 3,630 messages):
> That's why I was considering securing it with a VPN and appropriate firewall settings, so that it is only accessible if the VPN is running; that would add to security somewhat, wouldn't it?
Yes of course, if you have done it properly with a VPN, you are in pretty good shape. There are some posts in the forum vis-a-vis setting up OpenVPN to accomplish this, including some step-by-step guides.
 

Jack Naisbett (Explorer, joined Jan 8, 2016, 69 messages):
Am I right in thinking I can't use a third-party VPN to make it so only VPN users can access a NAS? i.e. I'd need to run my own VPN server in a jail so that only people with the certificate can access?

If I use a provider such as AirVPN, I guess I'd have to do port forwarding so that the service is accessible, but that would mean anyone on the WAN could get to the share, and only my NAS -> WAN would be on the VPN. Clients wouldn't need to use a VPN to gain access, which isn't what I'm after. Am I understanding that correctly?
 

Nick2253 (Wizard, joined Apr 21, 2014, 1,633 messages):
> Owncloud works, but the issue is that the dataset I want to share contains all manner of files, and I only want the users to see the files ending in .mp4, for example.
>
> While I can export a CIFS share and veto the files I don't want, I don't want to expose a CIFS share over the WAN. However, I have recently subscribed to PIA; could I run an OpenVPN client in a jail and allow access to a CIFS share that way?

If you are sharing only some of your files, it might be prudent to put those files in a separate dataset. That would make it much easier to secure and control.

I think you're almost there on the VPN concept. Basically, at a high level, a VPN connection is an encrypted tunnel with a little bit of routing magic thrown in. The routing magic is what allows you to network between clients on either side of a VPN tunnel.

When you use a service like PIA, what happens is that network traffic on your network (or seedbox, etc.) is forwarded over the VPN tunnel to the service's remote end, where it is subsequently dumped out to the internet. Basically, all these service providers are providing is an encrypted tunnel to the Internet that doesn't let ISPs or casual observers know what you are up to. Since they connect you directly to the WAN, anyone on the WAN can get in.

However, what you are trying to do with your family is very different. You are trying to connect trusted client(s) to a trusted network. It's the same technology, but a different application. You'll want to set up a VPN server (like OpenVPN) on your network. I'd also recommend configuring it so that it only connects to your share. If you're paranoid (and rightfully so), you'll also want to set up multifactor authentication of some sort (for example, certs for each user in addition to their password).

Now, configure the OpenVPN client on your family members' computers to connect to your network. If you have a dynamic IP, you'll probably want to look into a Dynamic DNS solution to make things more user-friendly. You might also look into setting up TeamViewer or some other remote support program on their computers to make this process easier.

Like @DrKK said, there are lots of guides here and elsewhere on setting up OpenVPN. And if you don't want to set up a separate machine/jail, you probably have OpenVPN (or similar) available on your router.
 

Jack Naisbett (Explorer, joined Jan 8, 2016, 69 messages):
Router is an ISP one - Virgin Superhub - aka pile of shit that doesn't even do DHCP/static IP properly. Don't have the money to replace it, nor do I want all traffic going through the VPN, so I would probably run the VPN server in a jail on the FreeNAS box. The jail would have a read-only mount of the dataset. I'd create a couple of users in the jail and give them SSH access (I'm thinking SFTP is going to be the best bet, with FileZilla; I'll show them how it works, it's easy enough!). I'd generate keypairs for each user for SSH and then disable password login, so the passphrase-encrypted cert would be the only way in for each user. The main FreeNAS box is set to update a dynamic DNS service, and I'd set up a port forward on the router for the OpenVPN server in the jail.

I'll still use PIA VPN but keep that to my downloader jails (transmission and sab) - or would you recommend I also run Sonarr and CouchPotato through them too? I've been looking at AirVPN as it seems much better than PIA, but limited to 3 connections simultaneously rather than 5, and I'd rather not need 2 accounts!
 

Nick2253 (Wizard, joined Apr 21, 2014, 1,633 messages):
> ...nor do I want all traffic going through VPN so would probably run VPN server in a jail on the FreeNAS box

When you say "all traffic", are you talking about all traffic for your family share? Or do you mean all of your traffic? If the latter, having OpenVPN on your router does not mean that you must have all your traffic move across your VPN. You could do that if you set up all the routing rules to do it, but just because the service is on your router does not mean it's taking all traffic. Most likely, the default configuration would just allow VPN clients, and would only pass traffic back and forth from the clients to whatever allowed devices are on your network.

> I'm thinking SFTP is going to be the best bet, with Filezilla, I'll show them how it works its easy enough!

Since you're connecting over a VPN, which is already an encrypted channel, you could simply use CIFS shares, which would make everything easy to use (which I thought was one of your original goals). If you're willing to show everyone how to use FileZilla, then you could skip the VPN, change the SSH port to some random high port, and only allow login with certs. I'd recommend the VPN+CIFS route over the latter, especially since OpenVPN expects to be internet-facing, whereas you usually don't want SSH to be internet-facing if you can avoid it.

> I'll still use PIA VPN...

I would recommend divorcing PIA from the conversation here. Just because they use the same underlying technology does not mean they relate to one another at all in this use case. As far as you are concerned, your use of PIA (or any other VPN service) is completely independent of you using VPN to allow remote users to securely connect to your network.
 

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages):
> whereas you usually don't want SSH to be internet facing if you can avoid it.
Um... why not? OpenSSH is as secure and hardened for Internet exposure as OpenVPN is, possibly more so. Disable root logins and require public key authentication, and you should be fine. You can change to a nonstandard port if desired, but I don't tend to see a lot of value in that.
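One way to check that an sshd_config on the FreeNAS box actually matches what danb35 lists (root logins off, public-key authentication required, with password and keyboard-interactive logins also off). This is an added example, not from the thread or from FreeNAS; the two config snippets are constructed, and the defaults it assumes are current OpenSSH's (PermitRootLogin prohibit-password, PasswordAuthentication yes, ChallengeResponseAuthentication yes).

```shell
# Added example: audit an sshd_config for the hardening described above.
# Mirrors sshd's parsing: first occurrence of a keyword wins, keywords are
# case-insensitive, '#' lines are comments. Match blocks are not handled.

# Constructed sample configs (not FreeNAS's shipped file).
WEAK_CFG='# constructed: stock-looking config with password login still on
Port 22
PermitRootLogin yes
#PasswordAuthentication no
Subsystem sftp /usr/libexec/sftp-server'

HARD_CFG='# constructed: key-only logins, no root
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Subsystem sftp internal-sftp'

# ssh_setting CONFIG KEYWORD DEFAULT -> effective value (DEFAULT if unset)
ssh_setting() {
  printf '%s\n' "$1" | awk -v k="$2" -v d="$3" '
    /^[[:space:]]*(#|$)/ { next }
    tolower($1) == tolower(k) { print $2; found = 1; exit }
    END { if (!found) print d }'
}

# audit_sshd CONFIG -> prints PASS/FAIL per check, returns the failure count.
# Assumed defaults are current OpenSSH's (root allowed with keys; password and
# keyboard-interactive, i.e. PAM password prompts, both on).
audit_sshd() {
  cfg=$1; fails=0
  for spec in 'PermitRootLogin:prohibit-password:no' \
              'PasswordAuthentication:yes:no' \
              'ChallengeResponseAuthentication:yes:no' \
              'PubkeyAuthentication:yes:yes'
  do
    key=${spec%%:*}; rest=${spec#*:}; dflt=${rest%%:*}; want=${rest#*:}
    got=$(ssh_setting "$cfg" "$key" "$dflt")
    if [ "$got" = "$want" ]; then
      echo "PASS $key=$got"
    else
      echo "FAIL $key=$got (want $want)"; fails=$((fails + 1))
    fi
  done
  return $fails
}

if audit_sshd "$WEAK_CFG"; then echo "weak: hardened"; else echo "weak: NOT hardened"; fi
if audit_sshd "$HARD_CFG"; then echo "hard: hardened"; else echo "hard: NOT hardened"; fi
```

Note that the weak config fails even though it never mentions PasswordAuthentication: a commented-out line leaves the permissive default in force, which is the mistake this check is meant to catch.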
 

Nick2253 (Wizard, joined Apr 21, 2014, 1,633 messages):
> Um... why not? OpenSSH is as secure and hardened for Internet exposure as OpenVPN is, possibly more so. Disable root logins and require public key authentication, and you should be fine. You can change to a nonstandard port if desired, but I don't tend to see a lot of value in that.

To be honest, I've never really thought through it, more than: if I have VPN available, why would I want to allow SSH to be internet facing?

The big thing, in my view, is that VPN adds another layer of security. Assume you have your VPN configured to allow you access to SSH after you log in, and your VPN is breached: you're no worse off than if you had SSH internet-facing in the first place.

So I was wrong to imply that OpenSSH is less hardened than OpenVPN.

Also, the benefit of a nonstandard port isn't so much about security, as it is logging and connection noise. So many script kiddies are scanning and attempting brute-force login on port 22 that you'll get hits all the time in your logs. By moving it to a nonstandard port, you'll still get hits, but you won't get nearly as many, which makes it feasible to review the logs and check if the login attempts are by real users trying to do something they're not supposed to, or just more advanced brute-force attackers.
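The log review Nick2253 describes, as an added example that is not from the thread: count failed sshd logins per source address and separate a brute-forcer from a legitimate user who fumbled a login, whichever port sshd listens on. The log lines are constructed, using documentation-range addresses, and the threshold of 3 failures is an assumption.

```shell
# Added example: triage sshd log noise so the review described above is quick.
# Constructed FreeBSD-style sshd lines using documentation-range addresses.
AUTH_LOG='Jan 10 03:12:07 freenas sshd[4021]: Failed password for root from 203.0.113.5 port 41022 ssh2
Jan 10 03:12:09 freenas sshd[4023]: Failed password for invalid user admin from 203.0.113.5 port 41030 ssh2
Jan 10 03:12:11 freenas sshd[4025]: Failed password for invalid user pi from 203.0.113.5 port 41041 ssh2
Jan 10 03:12:12 freenas sshd[4027]: Failed password for invalid user test from 203.0.113.5 port 41044 ssh2
Jan 10 07:45:30 freenas sshd[4102]: Failed password for jack from 192.0.2.10 port 50220 ssh2
Jan 10 07:45:41 freenas sshd[4102]: Accepted publickey for jack from 192.0.2.10 port 50220 ssh2
Jan 10 09:02:13 freenas sshd[4188]: Failed password for invalid user oracle from 198.51.100.7 port 33890 ssh2'

# failed_by_source LOG -> "count ip" for every source with failed logins,
# most failures first (the word after "from" is the client address).
failed_by_source() {
  printf '%s\n' "$1" | awk '/sshd\[[0-9]+\]: Failed / {
      for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++
    } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# classify LOG THRESHOLD -> one line per source: "bruteforce" at or above the
# threshold, "accepted" if the same address also logged in successfully
# (a real user who fumbled), otherwise "single".
classify() {
  failed_by_source "$1" | while read -r n ip; do
    if [ "$n" -ge "$2" ]; then
      echo "bruteforce $ip $n"
    elif printf '%s\n' "$1" | grep -q "Accepted .* from $ip "; then
      echo "accepted $ip $n"
    else
      echo "single $ip $n"
    fi
  done
}

classify "$AUTH_LOG" 3
```

On a real system feed it `grep sshd /var/log/auth.log` (or the FreeNAS equivalent) instead of the constructed string; the "single" bucket is the one worth a human look.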
 

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages):
> if I have VPN available, why would I want to allow SSH to be internet facing?
It's a fair question. A counter-question would be that if SSH will do what you need, why would you bother setting up a VPN? Or maybe you just need to ssh in and run a few commands, and starting up the VPN connection would be an unnecessary extra step. Not to mention that SSH tunneling can in many cases eliminate the need for a VPN entirely.

I'm not saying you have to leave SSH open, but I thought you overstated "you don't want SSH to be internet-facing", as it's specifically designed for that.
 