Access to LAN from WAN


Solved by BudMan

Question

rancid-lemon

Guys,

      I would appreciate some advice on how to access my NAS (my network in general I suppose) from outside my LAN, more specifically how to securely access it from outside my LAN. What do you guys recommend?

 

Background info:

What?

I would like to enable access to my NAS web interface, files and a few of the programs that run on it.

 

Who?

Access from phone (blackberry/android/iphone), as well as mac and windows computers (personal/relatives). I would also like it to be possible for me to give friends/whoever some login details/instructions on how to connect as well.

 

Currently running pfSense on a VM for my router/firewall. NAS is an old QNAP.

 

I have followed tutorials and read around to get to where I am today and by no means would I say I am particularly knowledgeable in this area, hence the question I suppose!

I am just nervous about opening up ports on the firewall and want to make sure I am not exposing my home network to abuse!

 

Hope this is a clear enough explanation.

 

Cheers,

 

rancid

 

 


11 answers to this question

+BudMan

I access my home network from work with a pfSense OpenVPN connection pretty much every day. On it now ;)


Pretty much just run through the wizard on pfSense, export the config and/or client and config, and you're ready to rock.


You can see from the status that the client is connected, and yes, you access your pfSense GUI through the connection, etc. I can access any of my segments on my home network remotely.


C:\>ping unifiac.local.lan

Pinging unifiac.local.lan [192.168.2.2] with 32 bytes of data:

Reply from 192.168.2.2: bytes=32 time=121ms TTL=63

Reply from 192.168.2.2: bytes=32 time=114ms TTL=63

Notice the 192.168.2 segment; the ping times are a bit high since the internet connection goes out in jax, fl through a proxy. Yes, OpenVPN can even go over an HTTP proxy: set up a TCP sort of connection, listening on say 443, since that is pretty much always open vs. the default 1194 port that OpenVPN uses.

edit: To your concern with installing: if you can instruct the user how to click the button, they can install the OpenVPN client; like I said, the export feature will have it all in a neat package they just run. Also there is support for PC, Mac and Android or iOS. I use it on my iPhone and my iPad, and my son's Nexus can access it as well.

If you want them to just access the NAS web GUI, then just forward the port and give them the URL and username and password and away you go - not very secure, mind you!!

Since you're running pfSense, one thing you could do if you just want to port forward to your NAS is lock down the rule so that only your friends' and family's IPs are allowed. This would work for, say, their home connection. Just have them go to something like whatsmyip and tell you what the IP is, then you could lock it down so only those IPs can be forwarded to the web GUI of your NAS.

But really a VPN is not that difficult to set up, and is way more secure. In your VPN rules you can lock them down so they can only go to your NAS on whatever ports you want to lock it to, while you, for example on the road, could go anywhere you want.

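The setup BudMan describes (OpenVPN on TCP 443 so it gets out of networks that only allow HTTPS, optionally through an HTTP proxy) comes down to a handful of OpenVPN directives. The pfSense wizard and the Client Export package write these for you; the two files below are an added illustration of what the resulting server and client configuration amount to, not an export from pfSense or anything posted in this thread. The hostname home.dyndns.example, the proxy proxy.corp.example, the 10.8.0.0/24 tunnel network, the 192.168.1.0/24 home LAN, the user name alice and the certificate file names are assumed placeholders, and OpenVPN 2.4 or newer is assumed for tls-crypt and AES-GCM.

```conf
# ---- server side: the directives behind the pfSense OpenVPN wizard settings ----
port 443                       # "HTTPS out" is allowed almost everywhere; 1194/udp often is not
proto tcp                      # TCP is what lets the session ride through an HTTP proxy
dev tun
topology subnet
server 10.8.0.0 255.255.255.0  # client address pool ("Tunnel Network" in pfSense); assumed
ca ca.crt                      # CA, server cert/key, DH and TLS key as created by the wizard
cert server.crt
key server.key
dh dh2048.pem
tls-crypt ta.key               # pre-shared key: packets without it are dropped before any TLS work
remote-cert-tls client         # only accept certificates issued for client use
tls-version-min 1.2
data-ciphers AES-256-GCM       # OpenVPN 2.5+; on 2.4 use "cipher AES-256-GCM"
auth SHA256
push "route 192.168.1.0 255.255.255.0"   # "Local Network": send the home LAN through the tunnel
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
verb 3

# ---- client side: the .ovpn the Client Export package hands to a user ----
client
dev tun
proto tcp-client
remote home.dyndns.example 443   # the dynamic DNS name, so a changing WAN IP does not matter
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server           # refuse a server that only presents a client certificate
tls-version-min 1.2
data-ciphers AES-256-GCM
auth SHA256
verb 3
# Only where the local network forces a web proxy (BudMan's office case):
# http-proxy proxy.corp.example 8080
# The export package embeds these four inline as <ca>, <cert>, <key> and <tls-crypt>
# blocks so the user gets a single file; shown here as file references for brevity:
ca ca.crt
cert alice.crt
key alice.key
tls-crypt ta.key
```

Two checks before handing the client file out: the WAN rule the wizard offers to create must allow TCP 443 to the WAN address (and nothing else on the firewall, such as the web GUI, should already be listening on 443 there), and each person should get their own certificate. The exported package contains the private key, so one package per user, never one package shared around, otherwise you cannot revoke a single person later.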
rancid-lemon

Cheers for the reply sc302. I had looked at that as an option, and I wouldn't mind doing that myself. I think the problem would come when I would like others to connect as not everyone that would want to connect would even know what a VPN is!

Another barrier is that OpenVPN also requires installing third party software to use (correct me if I am wrong here!). I would like if possible to use only native methods to access.

 

Ultimately if using a VPN is the only secure way then I will go that route, but if there are any simpler ways they would be preferable. I suppose the simpler you go the less secure you get...

rancid-lemon

Right, I've had a bit more of a look and it seems BlackBerry does not support OpenVPN! Bah. Not 100% a deal breaker but that is my primary and it would be useful to be able to access using it.

 

Blackberry supports the following but all look alien to me (or proprietary)

  • Check Point Software Technology
  • Cisco VPN Gateway Type 3000
  • Cisco Secure PIX Firewall VPN
  • Cisco IOS with Easy VPN Server
  • Cisco ASA
  • Juniper IPSec VPN (SRX Series)
  • Juniper IPSec VPN (NetScreen Series)
  • Microsoft IKEv2 VPN Server
  • Generic IKEv2 VPN Server

I'm assuming from my limited research this evening that generic IKEv2 might be the only option with pfSense. But I don't understand that; it seems to be something to do with IPsec, and even then that support isn't coming until v2.2.

 

Since I would prefer security and from the sounds of it openvpn shouldnt be too hard for me to share I think I will give that a go.

I doubt any of my friends/family are on a static IP, and that I presume will make rules a pain in the @rse!

 

 

This completely lost me: "Notice the 192.168.2 segment; the ping times are a bit high since the internet connection goes out in jax, fl through a proxy. Yes, OpenVPN can even go over an HTTP proxy: set up a TCP sort of connection, listening on say 443, since that is pretty much always open vs. the default 1194 port that OpenVPN uses." I have no idea what jax or fl is!

I think I will take the time to do a little more research before I ask too many questions!

 

Cheers for the replies

 

rancid

sc302

The rules will be simple: use a dynamic DNS provider and you will be set. Just point everything to that friendly name that will be constantly updated with your IP. You don't need to know the IP on their end; you are going to make a client-based VPN, not a site-to-site.

rancid-lemon

I already use a dynamic DNS address for my IP. I think BudMan was suggesting to restrict to a specific (hope I get the terminology right) source address, i.e. my friends'/relatives' IP, with an allow rule. If their IP then changes I would have to update the rule. I would need a dynamic DNS for their address as well if my understanding is right. Note I don't believe BudMan was talking about VPNs at this point. I do understand what you are saying though re client-based VPN.

Cheers,

rancid

sc302

Once the VPN is established between the client and your site, it is as if they are internal on your network. You can specify a certain IP pool (think DHCP for VPN-connected users) range, and anyone in that range only has access to your NAS. That has absolutely nothing to do with the outside IPs of the remote clients.

+BudMan

Correct, I was talking about restricting access to your friends'/family's public IP if you want the port forwarding option of access to your web GUI, just so you don't have to worry about some exploit to the GUI that some bot or script kiddy may leverage to access your stuff.

With pfSense you could set up an alias on this, so if they set up dynamic DNS you would be good to go even if their IPs change.

As to OpenVPN BlackBerry support - pretty much nothing is supported on those ;) Best place for that device would be the trash can ;) Does BB even support IPsec or PPTP? If so you could set up that sort of VPN as well. Again, supported out of the box on pfSense and not very difficult to set up. But now you're talking more protocols and ports that have to be open from the client side, not just the single port you run OpenVPN on.

Other option for a poor man's VPN is a simple SSH tunnel. There are SSH clients for iOS and Android, and something as simple as PuTTY works on a desktop running Windows.

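The two approaches discussed in this thread, a port forward locked to known public addresses (BudMan's alias that follows friends' dynamic DNS names) and a VPN where, as sc302 puts it, the address pool only gets to the NAS while you keep full access, are both firewall policy. pfSense builds that policy from GUI rules; what follows is an added example, not configuration anyone posted here, of the pf rules those GUI rules amount to, plus the OpenVPN client-specific override (pfSense calls it a Client Specific Override) that pins your own laptop to a fixed tunnel address. Assumed placeholders: em0 as the WAN interface, ovpns1 as the OpenVPN server interface, 192.168.1.10 as the NAS, 10.8.0.0/24 as the tunnel network, the friends' hostnames, ports 443/445/8080 on the NAS, and a server config that already contains `client-config-dir ccd` and `topology subnet`.

```conf
# ---- Option 1: port forward, reachable only from friends' current addresses ----
# pfSense alias of type "Host" holding hostnames; filterdns re-resolves them
# periodically, so the table follows their dynamic DNS updates.
table <friends> { friend1.dyndns.example, friend2.dyndns.example }
# NAT: WAN port 8443 -> NAS HTTPS, but only for sources that are in the table.
rdr pass on em0 proto tcp from <friends> to (em0) port 8443 -> 192.168.1.10 port 443
# Anything else hitting 8443 on the WAN is dropped by the default deny.

# ---- Option 2: VPN, with friends confined to the NAS and you unrestricted ----
# ccd/admin  (file name = CN of your own client certificate; assumed):
#   ifconfig-push 10.8.0.2 255.255.255.0        # fixed tunnel IP for you
#   push "route 192.168.1.0 255.255.255.0"      # full LAN route only for you
# Friends draw addresses from the rest of the pool and get only a host route,
# via this line in the main server config:
#   push "route 192.168.1.10 255.255.255.255"
# Pushed routes are only hints to the client; the rules below are what enforces it.

# Rules on the OpenVPN interface (pfSense: Firewall > Rules > OpenVPN), first match wins:
pass in quick on ovpns1 from 10.8.0.2 to any keep state                 # you: anywhere
pass in quick on ovpns1 proto tcp from 10.8.0.0/24 to 192.168.1.10 \
     port { 443, 445, 8080 } keep state                                 # friends: NAS web/SMB/app ports
block in quick log on ovpns1 from 10.8.0.0/24 to any                    # friends: nothing else, logged
```

Two caveats. Option 1 still exposes the NAS web interface itself to every allowed source, so a friend's compromised PC or a stale dynamic DNS entry (the alias only updates at the hostname-resolve interval set under System > Advanced > Firewall & NAT) is your problem; it keeps random scanners out, nothing more. Option 2's fixed address for you is tied to the certificate CN, so the whole scheme depends on one certificate per person and on nobody passing their exported package to someone else.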
rancid-lemon

I'm going to give OpenVPN a go this weekend.

 

Yeah, I am getting frustrated with the BB. As a phone and OS I can't fault it really, it's superb. I just frequently come up against barriers when trying to do other things on it, like VPN, apps etc. Tried Android, ended up wasting too much time messing about with it. Might try iPhone next but I think I might find that frustrating too. Anyway, I digress.

 

I will have a play and probably report back here when I get stuck! :P

 

Cheers all.

rancid-lemon

So, I am writing this to you from my Mac which is connected to my network from my mobile hotspot via OpenVPN! Success!

 

For anyone trying this themselves, I used the following links as well as the info in this thread to set everything up, these helped a lot.

https://doc.pfsense.org/index.php/VPN_Capability_OpenVPN

https://www.highlnk.com/2013/12/configuring-openvpn-on-pfsense/

 

I have a couple of questions to improve things if anyone has any ideas on them do shout.

 

1. My external IP appears to be a virtual one, why is my external IP not the same as the WAN address?

2. DNS doesn't seem to be working. I put down the internal IP of my DNS server during the setup but I'm not sure how else to go about troubleshooting this one. nslookup fails to resolve IPs that I can connect to directly. Any ideas?

 

cheers,

 

rancid

sc302

Your external IP should be the same as what www.ipchicken.com produces.

Possibly a rule not allowing you to access your dns servers.

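Name resolution failing over the tunnel while direct connections to IPs work is usually one of three things: the server never pushed a DNS server to the client, the client did not apply what was pushed, or, as sc302 suggests, a firewall rule stops tunnel clients from reaching port 53 on the DNS server. The fragment below is an added example, not configuration from this thread, of the server-side pieces that cover all three; 192.168.1.1 as the home DNS server, local.lan as the domain, 10.8.0.0/24 as the tunnel network and ovpns1 as the OpenVPN interface are assumed placeholders.

```conf
# OpenVPN server config (pfSense: "DNS Server 1" and "DNS Default Domain" under Advanced Client Settings)
push "dhcp-option DNS 192.168.1.1"      # resolver the client should use while connected
push "dhcp-option DOMAIN local.lan"     # so a bare "nas" is looked up as nas.local.lan
# Optional full tunnel: route all client traffic out through the home WAN, so the
# address that sites like ipchicken report becomes the home WAN address. Without it
# only the pushed routes go through the VPN and internet traffic stays on the hotspot.
# push "redirect-gateway def1"

# pf rule on the OpenVPN interface that the DNS traffic needs (place it above any NAS-only rule):
pass in quick on ovpns1 proto { tcp, udp } from 10.8.0.0/24 to 192.168.1.1 port 53 keep state
```

To tell the three cases apart from the client while connected: `nslookup nas.local.lan 192.168.1.1` asks the home resolver directly. If that answers but a plain `nslookup nas.local.lan` does not, the client is not applying the pushed server (the GUI clients such as Tunnelblick and OpenVPN Connect do; a command-line OpenVPN on Linux needs an up script). If the direct query times out, look at the rule above and at whether the resolver accepts queries from the tunnel subnet at all (for the pfSense DNS Resolver that is Services > DNS Resolver > Access Lists). The 10.8.0.x address the client shows is its tunnel address, not a public one; which public address the outside world sees depends on whether redirect-gateway is pushed.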