Setting up a DDNS client

djdwosk97

Patron
Joined
Jun 12, 2015
Messages
382
So I'd like to set up a DDNS client in order to virtualize a static IP to enable remote access to the server, but I'm not exactly sure how to go about doing that. I know I have to register a domain (does anyone know if a domain from namecheap.com will work with FreeNAS's built-in DDNS client?) and then add a host that directs to the internal IP of the server, and after that I'm not really sure what to do.

I'll be accessing the files (mostly video/pictures) from OSX and Windows, but would like to make it accessible from Android, iOS, and whatever AppleTV uses.


And a second issue/question (so I don't have to make another thread), what would be the best way to test some new HDDs?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
If you want to access your media remotely, the easiest way has nothing to do with DDNS. Install the Plex plugin, possibly (if your router doesn't support UPnP) forward port 32400 to the Plex plugin, and install Plex clients on your mobile devices (that isn't necessary on the computers, as you can access everything through your web browser). Problem solved.
 

djdwosk97

Wouldn't I need to know the IP of the server in order to connect through plex too? But I would also like read/write access, so plex wouldn't work for me.

I took that to mean he wants read/write access not only play stuff :)
The FAQ says nothing about setting up a resource record however. But yes I would also like to have read/write access.
 

ovizii

Patron
Joined
Jun 30, 2014
Messages
435
Do you really want/need your own domain? If you're happy with free public services of this kind just use what the GUI offers, i.e. noip.me?
If you confirm that you want/need your own domain I can give you further pointers too.
 

djdwosk97

If I can remotely access the server's settings/contents without registering for a domain then that's fine too.
 

danb35

But really, dynamic DNS is only a small part of the issue. Yes, you need to have a known address (either numeric or a FQDN) to connect to the outside, and DDNS will take care of mapping the FQDN to your frequently-changing external IP address, but there are a number of other issues. To name a few:
  • FreeNAS is not designed or hardened to be directly exposed to the Internet, so it needs to be behind a router/firewall.
  • Once you've put it behind the router/firewall, you need a way to let you through the firewall to the NAS, but keep others out.
  • Once you've solved those problems, you'll find that the common file-sharing protocols (particularly SMB/CIFS) don't work very well over a slow network.
FreeNAS can handle the dynamic DNS piece, but that's better handled by your router, since that's the device that will actually have the external IP address. The best solution to the first and second bullet points is a VPN connection, which once again is better handled by your router. Many consumer-grade routers can be upgraded with third-party, open-source firmware that will provide both features. Or you can set up pfSense (www.pfsense.org) on a spare computer and use that as your router.

As to the third bullet point, I'm not sure what the best answer would be. Something like Owncloud would be my guess.
 

djdwosk97

In that case this is all you need:
So what would I need to do on no-ip.com? Add a host with the internal IP of the server or the external IP? or do I do something else?

I have an old WNDR4500 lying around somewhere, which supports ddwrt, but I'm still not exactly sure how to go about setting up a VPN. I don't really have much experience when it comes to networking.
 

djdwosk97

Well, in the process of getting DD-WRT on the router it looks like I bricked it, since after 30+ minutes of waiting after updating the firmware it hadn't turned green, so I reset it and tried again... with no luck.

So right now I have the router I have from Optimum (AC1750 iirc), and I'd rather not screw around with replacing the firmware on it, and I don't have an extra computer lying around that I could install pfSense onto. So short of buying a new computer/router to run pfSense/DD-WRT, what would you recommend doing in terms of allowing remote read/write access to my FreeNAS files?
 

danb35

Assuming your FreeNAS is behind your router, there are three basic methods that I know of to access services on it from outside your LAN:
  • Set up port forwarding on your router to forward to the appropriate ports for whatever services you want to use
  • Set up a VPN connection
  • Use SSH tunneling
The first is terribly insecure--the entire Internet can see your services and hammer away at whatever authentication mechanism you have set up. If you use this option for anything other than SSH or OpenVPN, or perhaps to a well-hardened web server in a jail, expect @RussianMafia to pay you an electronic visit.

The second is my preference. It's secure, and gives you access to anything on your LAN from the outside. I believe it's best implemented at the router (and that's how my network is set up), but a VPN server can also be installed in a FreeNAS jail. There are threads here for installing OpenVPN server in a jail, which is probably what you'd want to do if you can't do it at the router.

SSH tunneling is also secure, and doesn't require much in the way of configuration on your router or FreeNAS system--the router just needs to forward port 22 to the FreeNAS system*, and your FreeNAS box just needs to have SSH enabled (and should be set up to use public key authentication for security). You can then tell your clients, when you connect, which ports to tunnel through the SSH connection.

OpenVPN can take a bit of doing to get set up on the server end, but once that's done, you just have to tell your client where to connect and give it the authentication parameters (which should be a keypair). Clients are available for all major OSs and mobile devices. SSH tunneling requires very little setup at the server end, but you need to configure each client for every port and destination you want to use.

* Many folks advocate changing SSH to use a non-standard port. I consider that a form of security through obscurity and don't practice it (since an attacker is likely to run a portscan anyway, they'll find what services you have available on which ports). I have, however, disabled password logins to SSH, so an attacker would need one of two private keys to be able to connect. If you're especially paranoid, you could probably add two-factor authentication with Google Authenticator (so you'd need both the private key and the ever-changing auth code), but I don't think that's necessary or even particularly beneficial if you're using public key authentication.
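
A check for the "password logins disabled" setup described in the post above, added here as an example and not part of any post in the thread: it reads sshd_config text and reports whether password-style logins are still possible. The function names and sample configs are constructed for illustration, and Match blocks and Include files are not evaluated.

```python
import re

# OpenSSH defaults for the keywords checked here (all enabled unless set).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Older spelling, treated here as the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
LINE = re.compile(r"^\s*([A-Za-z]+)[\s=]+(\S+)")

def effective_settings(config_text):
    """Global values sshd would use: the first value seen for a keyword wins."""
    seen = {}
    for line in config_text.splitlines():
        m = LINE.match(line)          # comment and blank lines do not match
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip('"').lower()
        if key == "match":            # conditional blocks are not evaluated here
            break
        key = ALIASES.get(key, key)
        if key in DEFAULTS:
            seen.setdefault(key, value)
    return {**DEFAULTS, **seen}

def audit(config_text):
    """Return findings that contradict key-only logins; an empty list means OK."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("password logins enabled")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive logins enabled")
    if s["pubkeyauthentication"] != "yes":
        findings.append("public key authentication disabled")
    return findings

# Constructed sample configs, not taken from the thread.
HARDENED = "PubkeyAuthentication yes\nPasswordAuthentication no\nChallengeResponseAuthentication no\n"
HALF_DONE = "# only one of the two password paths closed\nPasswordAuthentication no\n"
SHADOWED = "PasswordAuthentication yes\nPasswordAuthentication no\nKbdInteractiveAuthentication no\n"

if __name__ == "__main__":
    for name, text in [("hardened", HARDENED), ("half done", HALF_DONE), ("shadowed", SHADOWED)]:
        print(name, "->", audit(text) or "key-only")
```

On a live system, `sshd -T` prints the effective configuration and is the authoritative check; keyboard-interactive matters because it can still prompt for a password through PAM.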
 

djdwosk97

So I guess OpenVPN would be my best option. Could you link me to any necessary guides to help me set it up, or what I should actually be looking for and I can find them myself. Like I said, networking isn't my strong suit.
 

danb35

This thread seems to be active and up-to-date. I can't personally vouch for it since (as I mentioned) I run it on my router/server rather than on my FreeNAS box.
 

djdwosk97

So in the first step, the configuration window has changed a bit. Where would I want to put the Jail Root? Under /mnt/one of the volumes (mnt is the main FreeNAS server/directory, and inside of that I have the different volumes/arrays/shares I've created)?

I attached an image of what the config menu looks like for me.

Edit: Oh, wait, I think I've got something.
 


danb35

The jails should be in a dataset on your pool. Some folks set up a separate pool for their jails on an SSD (or a mirrored pair of SSDs), otherwise it would be on your main pool. The path would be something like /mnt/tank/jails/. The manual makes it sound like you'd need to create that dataset first.
 

djdwosk97

So like this? (see two screenshots)
And then, do I need to add any storage to the jail? or?
 


danb35

No, jail root is where all the jails live, and each jail has a directory under that. In your case, the jail root would be /mnt/RAID1/jails, and when you create the openvpn jail, that directory will be created for you.

As to whether to add storage, it's not something that's required for the jail to work, but I believe the guide I linked to tells you to do so. Check back with it to be sure, though. Again, I have no experience with that guide, so I can't help much with that procedure.
 

djdwosk97

Gotcha

When I try to SSH in I get an error: "Sorry, user root is not allowed to execute '/usr/sbin/jexec 2 tcsh' as root on freenas.local."
Who should I be trying to connect as if not root?
 


pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
You're already root. You don't sudo
 