SOLVED Samba/CIFS over SSH (& OpenVPN)

Status
Not open for further replies.

Wisdom

Explorer
Joined
Oct 15, 2016
Messages
71
EDIT: Final Solution in my last post in the thread.

TL;DR: OpenVPN worked instead, quick guide included.

Original:

Hey y'all,

I've been looking into how to remotely mount my CIFS shares over SSH, and have been running into some issues. From what I've been able to see, from both the similarly named post from 2011 (https://forums.freenas.org/index.php?threads/samba-cifs-shares-remotely.2906/), our very own post about external access for the web-based GUIs (https://forums.freenas.org/index.ph...r-freenas-server-remotely-and-securely.27376/) and some other guides from the broader internet (https://www.nikhef.nl/~janjust/CifsOverSSH/Win8Loopback.html) it seems possible, but it's been slow going.

Following the Nikhef guide, I've gotten as far as successfully opening a tunnel and attempting to mount the share, but I've run into a rather frustrating issue right at the very end: FreeNAS doesn't seem to play nice with my duckdns static external web address, leading to CIFS and FreeNAS missing each other.

Here is what my PuTTY log has to say:

Code:
2017-06-28 11:52:08   Opening connection to wfreenas.duckdns.org:445 for forwarding from 10.255.255.1:51798
2017-06-28 11:52:17   Forwarded connection refused by server: Connect failed [Operation timed out]


And FreeNAS, a la the web GUI:

Code:
Jun 28 11:53:06 W_FreeNAS sshd[25763]: error: connect_to wfreenas.duckdns.org port 445: failed.
Jun 28 11:53:26 W_FreeNAS sshd[25763]: error: connect_to wfreenas.duckdns.org port 445: failed.


Thoughts? I've made sure to direct 44445 to 445 for FreeNAS on my router, and am able to successfully navigate the webGUI and all the other browser-accessible parts of FreeNAS without much trouble while on the go, but haven't been able to mount a share for file access. If there's anything else I can provide to clear this up, just let me know!
 
Last edited:

Spearfoot

He of the long foot
Moderator
Joined
May 13, 2015
Messages
2,478
Interesting...

Have you considered using a VPN solution instead of tunneling over SSH? I use OpenVPN with good results.
 

Wisdom

Explorer
Joined
Oct 15, 2016
Messages
71
Interesting...

Have you considered using a VPN solution instead of tunneling over SSH? I use OpenVPN with good results.

No, that isn't something I've looked into much. The only application I have experience running OpenVPN with is Transmission, so I haven't run it as a dedicated application (I'm assuming it lives on its own in another jail...?)

As an aside, and perhaps this is too broad, but given the choice between running OpenVPN in a jail on FreeNAS or on a router (probably through pfSense?), which would be more sensible? Or are those two things accomplishing fundamentally different tasks (allowing file sharing vs pushing all your network traffic through a VPN)?
 

melloa

Wizard
Joined
May 22, 2016
Messages
1,749
through pfSense?)

YES to that. Will be safer also. That's how I got my OpenVPN setup and access my LAN from everywhere, from any device.
 

Wisdom

Explorer
Joined
Oct 15, 2016
Messages
71
YES to that. Will be safer also. That's how I got my OpenVPN setup and access my LAN from everywhere, from any device.

Mmm, well thanks for chiming in. I've been putting off throwing together a box for pfSense for a while, but maybe it's time I put some effort into that project. I got some stuff up and running on my laptop for a while, but I had issues getting the VLANs working through the single port, so I set it aside.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I also vote for the VPN solution, ideally run on your edge device rather than a jail. I found it easy to set up on my pfSense box once I stopped trying to use my Let's Encrypt certificate in the OpenVPN configuration. It also looks like the Ubiquiti EdgeRouter series supports acting as a VPN server, so you may not even need to set up your own router OS.
 

nojohnny101

Wizard
Joined
Dec 3, 2015
Messages
1,478
Can you share the relevant port forwarding rules you have set up to make this happen? I followed the "access server remotely" thread you linked to in order to access my shares over SSH. Works as expected.

To me, the error messages seem to indicate the correct port forwarding rules are not set up.
 

Wisdom

Explorer
Joined
Oct 15, 2016
Messages
71
Can you share the relevant port forwarding rules you have set up to make this happen? I followed the "access server remotely" thread you linked to in order to access my shares over SSH. Works as expected.

To me, the error messages seem to indicate the correct port forwarding rules are not set up.

I'm using port 60000 rather than 52739, but it's the remote port I'm forwarding to 22 internally via TCP. That's all.

Can I ask how you're accessing your shares? I have been able to browse through the GUI, but it hasn't actually given me access to any of the files (and I suppose I might be able to use some kind of FTP program to pull them off instead, but that seems a little clunky?).
 

nojohnny101

Wizard
Joined
Dec 3, 2015
Messages
1,478
Can I ask how you're accessing your shares?
Sure. I have a port forward set up on my router that routes from external port 1432 to internal port 22 for the internal IP address 10.0.1.33 (the static IP of my FreeNAS box).

On the FreeNAS side, you have to make sure you have your DNS service set up properly. I set up a cron job and use the free service duckdns.org (see screenshots below). NOTE: I changed out the "token ID", but you can easily get it when you log in to your duckdns account. It is obviously unique to your account.

[Screenshots: cron job 1, cron job 2, cron job 3]

NOTE: the full "curl" command is:
Code:
/usr/local/bin/curl "https://www.duckdns.org/update?domains=mysubdomain&token=my_unique_token="


I am on a Mac so it might be a little different for you, but then I just follow the commands in the thread you linked and run this command in the Mac OS X terminal:
Code:
ssh -L 15448:localhost:548 -p 1432 user@mysubdomain.duckdns.org

Port 548 is what is used for the AFP protocol, and if I want to connect to SMB shares, I similarly use:
Code:
ssh -L 15448:localhost:139 -p 1432 user@mysubdomain.duckdns.org


NOTE: -p 1432 specifies the port and matches up with the external port you set in your port forwarding rules in your router. The "user" is a local user you set up within FreeNAS.

Then I connect to the shares by mounting the shares like this:
afp://localhost:15448 OR smb://localhost:15448

Ask if you have any more questions. It is a bit to set up, but once you have it set up, it has never failed me and has been maintenance free.

LASTLY: Make sure you have this checked:
[Screenshot: SSH settings]

in your SSH settings under "services" in FreeNAS. I was stuck for a while and couldn't get it to connect until I checked that box.

Hope this helps.
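The cron job above passes the DuckDNS token on the curl command line, where it shows up in the crontab and in process listings. As an added example (not nojohnny101's setup, and not a DuckDNS-provided tool), the same update done from a root-only token file with the OK/KO reply checked; the token file path and the argument order are assumptions:

```python
"""DuckDNS updater meant to replace a one-line curl cron job (added example).
The token is read from a file that must be owner-only, so it never appears in
the crontab or in `ps` output."""
import os
import stat
import sys
import urllib.parse
import urllib.request

DUCKDNS_UPDATE = "https://www.duckdns.org/update"


def load_token(path):
    """Read the token, refusing a file that is group- or world-accessible."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} must be owner-only (mode is {mode:o})")
    with open(path) as fh:
        return fh.read().strip()


def build_update_url(domains, token, ip=""):
    """DuckDNS fills in the caller's public address when ip is left empty."""
    query = urllib.parse.urlencode({"domains": domains, "token": token, "ip": ip})
    return f"{DUCKDNS_UPDATE}?{query}"


def interpret_reply(body):
    """DuckDNS answers with the bare string OK on success, KO on failure."""
    return body.strip() == "OK"


def update(domains, token_path):
    """Perform one update; returns True when DuckDNS accepted it."""
    url = build_update_url(domains, load_token(token_path))
    with urllib.request.urlopen(url, timeout=15) as resp:
        return interpret_reply(resp.read().decode())


if __name__ == "__main__":
    # usage (assumed): duckdns_update.py mysubdomain /root/.duckdns_token
    ok = update(sys.argv[1], sys.argv[2])
    print("updated" if ok else "DuckDNS rejected the update (KO)")
    sys.exit(0 if ok else 1)
```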
 

Wisdom

Explorer
Joined
Oct 15, 2016
Messages
71
I am on a Mac so it might be a little different for you, but then I just follow the commands in the thread you linked and run this command in the Mac OS X terminal:

Thank you, first of all, this really is helpful. However, it looks like the differences between mounting remote file shares like they're local are actually kind of substantial when looking at Mac and Windows. Because it doesn't work nearly as smoothly, I ended up following the Nikhef tutorial (link in OP), which guides me right back to where I am right now. I'm going to keep on poking around to see if I can't figure out why this isn't working, and I certainly appreciate your detailed explanation of what worked for you; it helps to see a success using this process.
 

nojohnny101

Wizard
Joined
Dec 3, 2015
Messages
1,478
Hmmm, bummer. Well, hopefully someone from the Windows side who mounts their shares as if they were local after opening an SSH tunnel will chime in. VPN does seem to be quite popular around here, but I have just stuck with what has worked for me.

Maybe someone outlined steps for windows users in @Glorious1 thread?
 

Wisdom

Explorer
Joined
Oct 15, 2016
Messages
71
That's actually where I started - I've contributed a bit towards the more recent posts, but besides some people claiming to have had success with the Nikhef tutorial, it's been very quiet. Hence, the post here.

Edit:

So while an SSH tunnel was my first approach to this issue, when I started running into issues I wasn't sure how to diagnose, I started working on OpenVPN access as well.

I've just managed to successfully get my shares mounted remotely via OpenVPN following @robles guide, along with a fair few hours of banging my head into my keyboard and trying just about everything under the sun suggested in the remainder of the thread. My cliffnotes solution is as follows, for anyone else that stumbles over this thread in the future with a similar issue:

Internal Network: 192.168.0.0
Internal Router: 192.168.0.1
OpenVPN Internal IP: 192.168.0.147
OpenVPN Network: 172.16.8.0
OpenVPN Network IP: 172.16.8.1

Follow the guide here to the letter: https://forums.freenas.org/index.ph...-6-with-access-to-remote-hosts-via-nat.22873/

On the router: forward 10011 to 443 over UDP to avoid getting hammered.

Serverside:
openvpn.conf
Code:
# Listen on 443/udp inside the LAN; the router forwards external 10011 here
port 443
topology subnet
proto udp
dev tun
# PKI material generated per the linked guide
ca ca.crt
cert openvpn-server.crt
key openvpn-server.key
dh dh.pem
# Clients are addressed from 172.16.8.0/24; the server takes 172.16.8.1
server 172.16.8.0 255.255.255.0
# Keep the same tunnel address per client across reconnects
ifconfig-pool-persist ipp.txt
# Hand clients a route to the LAN so SMB traffic to 192.168.0.x enters the tunnel
push "route 192.168.0.0 255.255.255.0"
route 192.168.0.147 255.255.255.0 172.16.8.1
# HMAC firewall on the control channel: key direction 0 here, 1 in the client profile
tls-auth ta.key 0
keepalive 10 120
cipher AES-256-CBC
auth SHA256
client-to-client
# Drop root privileges once the tunnel is up
group nobody
user nobody


Clientside:

Make sure you have all your keys (ca.crt, ta.key, NAME.crt, NAME.key) and know the paths to them. For Windows, you'll need to write your path "C://like//this//in//order//for//it//to//work.crt"

FreeNAS.ovpn
Code:
client
dev tun
proto udp
# The router's external port 10011 is forwarded to the server's 443/udp
remote YOUR.PERSISTENT.DNS.SERVER.HERE 10011
resolv-retry infinite
nobind
persist-key
persist-tun
# Must match the server's cipher and auth settings
cipher AES-256-CBC
ca "C://PATH//TO//ca.crt"
cert "C://AGAIN//NAME.crt"
key "C://AGAIN//NAME.key"
# Refuse to connect to a peer whose certificate lacks the server role
remote-cert-tls server
# Key direction 1 on the client (0 on the server)
tls-auth "C://AGAIN//ta.key" 1
auth SHA256
# Use the LAN router for DNS and send all traffic through the tunnel
dhcp-option DNS 192.168.0.1
redirect-gateway def1
comp-lzo
verb 5


Once this is up and running in the OpenVPN remote client of your choice, you'll find that your regularly mapped network drive is still dark. That's okay, it's part and parcel of how this is going to run. Rather than using a mapped network drive, add a new network location. Drop in the IP of your storage (\\POINT.TO.YOUR.STORAGE\FreeNAS) and you're off to the races.

Enjoy!
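Most of the "hours of banging my head into my keyboard" with a setup like this come from the two config files disagreeing. As an added example (not part of the post, and not an OpenVPN tool), a small checker that parses a server config and a client profile and reports the mismatches that commonly break the handshake: cipher/auth/proto/dev, compression on only one side, tls-auth key direction, and a misspelled directive. The embedded configs are constructed to mirror the ones above; the DNS name and key paths are placeholders.

```python
"""Cross-check an OpenVPN server config against a client profile (added example)."""
import shlex

def parse_ovpn(text):
    """Map each directive to its argument list; '#' and ';' comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = shlex.split(line)  # handles quoted args such as push "route ..."
            conf[parts[0]] = parts[1:]
    return conf

def check_pair(server_text, client_text):
    """Return a list of problems; an empty list means the pair looks consistent."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    issues = []
    for d in ("cipher", "auth", "proto", "dev"):  # both ends must agree on these
        if s.get(d) != c.get(d):
            issues.append(f"{d} mismatch: server={s.get(d)} client={c.get(d)}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        issues.append("comp-lzo on only one side: compression framing must match")
    if "tls-auth" in s and "tls-auth" in c:
        if s["tls-auth"][1:] != ["0"] or c["tls-auth"][1:] != ["1"]:
            issues.append("tls-auth key direction must be 0 on the server and 1 on the client")
    if "ipconfig-pool-persist" in s:  # common misspelling of ifconfig-pool-persist
        issues.append("unknown directive ipconfig-pool-persist (want ifconfig-pool-persist)")
    return issues

# Constructed samples mirroring the posted configs; they intentionally contain two faults
SERVER_CONF = """\
proto udp
dev tun
server 172.16.8.0 255.255.255.0
ipconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
"""
CLIENT_CONF = """\
dev tun
proto udp
remote YOUR.PERSISTENT.DNS.SERVER.HERE 10011
cipher AES-256-CBC
tls-auth "C://AGAIN//ta.key" 1
auth SHA256
comp-lzo
"""
```

Running `check_pair(SERVER_CONF, CLIENT_CONF)` reports the one-sided comp-lzo and the misspelled pool-persist directive; the server port and the client's remote port are not compared because the router forward legitimately maps 10011 to 443.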
 
Last edited:

Wisdom

Explorer
Joined
Oct 15, 2016
Messages
71
If you check my original post, you can see that I was giving that a shot for a while.
 

nojohnny101

Wizard
Joined
Dec 3, 2015
Messages
1,478
Glad you got it working!
 