External unRAID access and VPN questions



Hey guys and gals, I've been wanting to set up external unRAID access for a while now, but I wanted to do it in a secure fashion (no risky port forwarding).  I have some spare parts laying around so I'm going to build a pfSense box and run OpenVPN.  I'm completely new to VPNs so I need some "VPN 101" schooling, and I know many of you have a similar setup, so I'm hoping you can help me out.

 

This is how dumb I am with this stuff.  The way I understand it, my work machine, using the OpenVPN client software, would securely tunnel through to my home network's OpenVPN server.  Yet, when I research the other direction (using a VPN at home for anonymizing traffic out), I see that you need to pay for a VPN service that all your traffic routes through.  Seems like I'm getting mixed up with different uses of VPNs.  Also, my ISP (Centurylink) doesn't give me a static IP.  How do I go about setting up DDNS with pfSense/OpenVPN?  I currently have an ASUS Router that has built-in DDNS using the asuscom.com domain.  I don't trust ASUS, and it's slow as well.  Will I need to pay for a DDNS service?

 

Bottom line is, this is what I'd like to be able to do:

 

1. I'd like to access my home network from my work machine, my android phone, and possibly other devices as well, but let's start with the work machine, which is actually just a zero client connected to Amazon workspaces running Windows.  As I understand it, I'll need to install OpenVPN on the work machine.  After I do that, will all my traffic then flow through the VPN?  I simply want the VPN to ONLY be used when accessing my home network.  I'd like all other traffic to be direct connect mode.

 

2. I'd like to have the ability to anonymize my home network's outbound traffic.  I promise I'm not doing anything illegal or shady, but I want to at least have the ability, and play around with it a bit.

 

 


VPNs are designed to do a couple of basic things. One is to provide a secure tunnel to route traffic to; this tunnel is usually between two networks, such as your home network and a VPN provider. As for you connecting from work, you may want to talk to your IT department as they may not permit such connections, or you can simply try; it may work, it may not. In your case, without a static IP at home, it becomes a little harder to do. For anonymizing your outgoing traffic at home, I would think you would need to pay a VPN provider for that service, but because it's not something I do, perhaps someone else can chime in with advice.


VPNs are designed to do a couple of basic things. One is to provide a secure tunnel to route traffic to; this tunnel is usually between two networks, such as your home network and a VPN provider. As for you connecting from work, you may want to talk to your IT department as they may not permit such connections, or you can simply try; it may work, it may not. In your case, without a static IP at home, it becomes a little harder to do. For anonymizing your outgoing traffic at home, I would think you would need to pay a VPN provider for that service, but because it's not something I do, perhaps someone else can chime in with advice.

 

Ok cool, so I wasn't completely on the wrong track, thank you.  I'm actively researching the topic, and have found that pfSense supports DDNS similar to my ASUS router, and has pre-configured providers like easyDNS and freeDNS.  I wonder if Centurylink has a static IP option for a reasonable price.  Probably not since they'd want me to sign up as a business, but I'll research that as well.  Otherwise, I'll look into the DNS providers a bit more.

 

I could also look into running some sort of cron'd command that saves my current external IP address to a google drive-accessible file.  Seems a little like duct tape, but I don't have to access my home network externally too often.


It's probably not worth spending the money on a static IP if you don't need 100% reliability.

 

A free dynamic DNS provider generally uses a program on a computer inside the network to update the external DNS every hour or so, then you connect to your external ip with like myname.freedns.com or whatever, which will return your current IP. 

 

Your home IP address generally doesn't change all that often so this works fine for personal use.

 

As Ashman70 mentioned, it's a good idea to verify with your work whether or not outgoing VPN connections are permitted as unmonitored outgoing connections are often considered a security risk in a corporate environment and may be a security violation. This, of course, is dependent on your specific workplace rules.


A free dynamic DNS provider generally uses a program on a computer inside the network to update the external DNS every hour or so, then you connect to your external ip with like myname.freedns.com or whatever, which will return your current IP. 

 

The more I read about it, the more this route seems like the way to go.  Now I'll just have to research which DNS provider I want to go with.


Coincidentally, I see that my ASUS router supports a few DDNS providers, as well as having their own.  I'll start there just to play around.  I'll still probably go with a more fully-featured provider, where I can do things like use my own domain, have subdomains, etc.

 

Technically this means that I wouldn't need pfSense either (my ASUS router has some DNS provider and VPN functionality), but I'm going to do that anyways, because I have the spare hardware, and hey, why not?  :)

 

WRT VPN from work, I've mentioned it to IT and I don't think it'll be a problem.

 


Technically this means that I wouldn't need pfSense either (my ASUS router has some DNS provider and VPN functionality), but I'm going to do that anyways, because I have the spare hardware, and hey, why not?  :)

Typically the CPU and RAM in a router are going to be WAY underpowered compared to even a basic pfSense build.

 

That may not mean much until you actually start transferring decent amounts of data over the VPN, and a pfSense box will give you MUCH better throughput.

 

Plus, with pf you can run other services as well, such as an outward facing nginx proxy for any services you really do want to expose to the outside without vpn protection.

 

Really depends on what exactly you want to do, and how much you enjoy learning and tinkering vs just using the end product.


Technically this means that I wouldn't need pfSense either (my ASUS router has some DNS provider and VPN functionality), but I'm going to do that anyways, because I have the spare hardware, and hey, why not?  :)

Really depends on what exactly you want to do, and how much you enjoy learning and tinkering vs just using the end product.

 

I enjoy tinkering much more than using the end product, often to a fault.  :D


Technically this means that I wouldn't need pfSense either (my ASUS router has some DNS provider and VPN functionality), but I'm going to do that anyways, because I have the spare hardware, and hey, why not?  :)

Really depends on what exactly you want to do, and how much you enjoy learning and tinkering vs just using the end product.

 

I enjoy tinkering much more than using the end product, often to a fault.  :D

Then build a pfSense box, learn a bunch, and have fun doing it.  ;D

Coincidentally, I see that my ASUS router supports a few DDNS providers, as well as having their own.  I'll start there just to play around. 

For what it's worth, I have the Asus RT-AC68U and I use no-ip.com which is one of the providers supported by the Asus firmware.  It works well enough for my needs, which are mainly remote access to home when travelling or sometimes from work.


Coincidentally, I see that my ASUS router supports a few DDNS providers, as well as having their own.  I'll start there just to play around. 

For what it's worth, I have the Asus RT-AC68U and I use no-ip.com which is one of the providers supported by the Asus firmware.  It works well enough for my needs, which are mainly remote access to home when travelling or sometimes from work.

 

I have the RT-AC66R, so we're using the same firmware I'm sure.  That doesn't make you nervous from a security standpoint?  I thought opening up external access to unraid wasn't considered a good idea, which is why I was looking into VPNs.


Coincidentally, I see that my ASUS router supports a few DDNS providers, as well as having their own.  I'll start there just to play around. 

For what it's worth, I have the Asus RT-AC68U and I use no-ip.com which is one of the providers supported by the Asus firmware.  It works well enough for my needs, which are mainly remote access to home when travelling or sometimes from work.

 

I have the RT-AC66R, so we're using the same firmware I'm sure.  That doesn't make you nervous from a security standpoint?  I thought opening up external access to unraid wasn't considered a good idea, which is why I was looking into VPNs.

I think you have perhaps not quite grasped what the VPN does in this case.  Opening up access without a secure VPN is a very bad idea.  Opening up access via a third party VPN provider to access the internet with an untraceable IP address (as some might use for accessing content which is otherwise inaccessible due to location, for example) is also a very bad idea since at the far end of the third party connection you are completely exposed to the internet.  On the other hand, providing restricted access only to known clients when the VPN is in the home router is arguably even safer than a VPN running on another device installed behind the router. 

 

The fact that the firmware between multiple routers is similar is irrelevant.  Many Asus router firmwares are derived from the open dd-wrt software.  Asus also do a good job in providing frequent firmware updates for their routers to take advantage of security updates (in packages such as openssl for example).  The use of OpenVPN requires that any remote OpenVPN client be given a token (a small file) which is generated by my router for my VPN.  So unless someone has that token, and the VPN username and 16 character password which I have specified, and the (very different) 16 character password to access my unRAID server, then it is safe.  In the years I have been using unRAID I have never seen any unexpected log-in attempts. 

 

I hope this helps...


Are you sure your ISP is updating and changing your external IP often? In most cases that shouldn't be the case.

 

I have a dynamic IP from my ISP but I have had the same IP for the last 2 years. I only lost my old one when I had a major power outage in my area that lasted longer than 24 hours which meant my lease time for my IP expired and when I got my power back again I was assigned a new IP.

 

So if you have a stable environment and don't turn off your router for more than a few hours when doing some tinkering, you shouldn't lose your external IP and shouldn't have a need for sites like no-ip.com. You just need to install OpenVPN server either in your router or in your unRAID machine, configure it properly, and generate the certificates for the user/users you want to be able to connect.

 

 

 

But in the case you want to mask all your own traffic, then you must use an anonymous VPN service; you cannot run your own VPN for that purpose.

 


I think you have perhaps not quite grasped what the VPN does in this case.  Opening up access without a secure VPN is a very bad idea.  Opening up access via a third party VPN provider to access the internet with an untraceable IP address (as some might use for accessing content which is otherwise inaccessible due to location, for example) is also a very bad idea since at the far end of the third party connection you are completely exposed to the internet.  On the other hand, providing restricted access only to known clients when the VPN is in the home router is arguably even safer than a VPN running on another device installed behind the router. 

No no, I'm grasping, but it's good to get confirmation.  I always knew opening up access to unRAID without a secure VPN was a bad idea, which was what I was alluding to in my previous comment.  Seems like that's what S80_UK is doing, unless I missed something, which is why I asked about it.  He very well may be running a VPN server and just didn't mention it.  Regarding third party VPN use for an untraceable IP, that was just a thought, nothing I'll be getting very far into for now.  I figured it wasn't the most secure concept, but good looking out, I'll be careful if I end up finding a use for it.

 

The fact that the firmware between multiple routers is similar is irrelevant.  Many Asus router firmwares are derived from the open dd-wrt software.

I was simply saying that I bet I have the same firmware in my ASUS router that S80_UK is using, so I could set mine up similar to his.  I plan to use ASUS's firmware to run OpenVPN and a DNS provider, just to get me started.  I'll also be diving into pfSense in the meantime.

 

The use of OpenVPN requires that any remote OpenVPN client be given a token (a small file) which is generated by my router for my VPN.  So unless someone has that token, and the VPN username and 16 character password which I have specified, and the (very different) 16 character password to access my unRAID server, then it is safe.  In the years I have been using unRAID I have never seen any unexpected log-in attempts. 

This is what I'll be playing with.  I got the router set up to use OpenVPN, and have my config token ready.  Tying back to my original question(s), where I'm ignorant is how (and when) the VPN is doing what it's doing.  Getting it set up and working is easy enough, but I was curious, at the client end, what's going on when you set up the secure connection to the VPN server, ie, is the VPN connection ONLY used for routing traffic to/from my VPN server, or is all traffic being routed through that connection.

 

I hope this helps...

It absolutely does.  :)


Jeez, I'm an idiot.  I spent all that time putting that post together, only to realize that S80_UK, you're the ONE THAT REPLIED!  Here I am, quoting you, then mentioning you in my reply, like you're two different people.  Ugh, I need some coffee.  Hope you can navigate through my idiocy, and thanks again for the info.


I run an OpenVPN server within my pfSense VM using a FreeDNS dynamic IP service. Works perfectly. I can't recommend pfSense enough, it's a steep learning curve but you'll learn a lot about networking and there's a good community for support.

Yes!  I know my way around computers and electronics pretty well for the most part, but I'm pretty ignorant with networking protocols, traffic monitoring, security, etc.  I'm looking forward to changing that, at least a little bit.


Are you sure your ISP is updating and changing your external IP often? In most cases that shouldn't be the case.

 

I have a dynamic IP from my ISP but I have had the same IP for the last 2 years. I only lost my old one when I had a major power outage in my area that lasted longer than 24 hours which meant my lease time for my IP expired and when I got my power back again I was assigned a new IP.

 

So if you have a stable environment and don't turn off your router for more than a few hours when doing some tinkering, you shouldn't lose your external IP and shouldn't have a need for sites like no-ip.com. You just need to install OpenVPN server either in your router or in your unRAID machine, configure it properly, and generate the certificates for the user/users you want to be able to connect.

 

Right!  I always thought that if my stuff ran 24/7, that my dynamic IP wouldn't change, but I've seen in the past that it does.  Admittedly, I haven't paid close attention to it, and maybe it hasn't changed in a while.  I do still like the appeal of having my own domain though!


I also have my own domain and yes it is nice. :)  But even with your own domain you will still have the issue IF your ISP is changing your IP often as you need either a program that updates your domain provider with the new IP or if you do update it manually. (Which I will have to do the next time I have a major power outage and lose my IP)


Getting it set up and working is easy enough, but I was curious, at the client end, what's going on when you set up the secure connection to the VPN server, ie, is the VPN connection ONLY used for routing traffic to/from my VPN server, or is all traffic being routed through that connection.

.

.

.

It absolutely does.  :)

Thanks.

 

I use OpenVPN on a mixture of iPhone, Android tablet, and Windows 10 laptop clients.  To answer your question: when the VPN is connected through, then all of the network traffic to or from the remote client will go through the VPN connection to your home router.  Traffic to and from the outside world then goes straight from your router via its own NAT (network address translation) and firewall to the internet as provided by your ISP.  The remote client will be given an IP address based on how you've set up the VPN in the OpenVPN advanced settings in the router.  So that address may be something like 10.8.0.2.  To access your server, you could access it by its local IP address on your home network (192.168.0.xx, for example), and that connection is then not exposed to the internet.

 

Another way to look at it is that the remote VPN connection is almost just like any other device plugged into one of the Ethernet ports on your router, and it can see everything else on your home network.


Getting it set up and working is easy enough, but I was curious, at the client end, what's going on when you set up the secure connection to the VPN server, ie, is the VPN connection ONLY used for routing traffic to/from my VPN server, or is all traffic being routed through that connection.

.

.

.

It absolutely does.  :)

Thanks.

 

I use OpenVPN on a mixture of iPhone, Android tablet, and Windows 10 laptop clients.  To answer your question: when the VPN is connected through, then all of the network traffic to or from the remote client will go through the VPN connection to your home router.  Traffic to and from the outside world then goes straight from your router via its own NAT (network address translation) and firewall to the internet as provided by your ISP.  The remote client will be given an IP address based on how you've set up the VPN in the OpenVPN advanced settings in the router.  So that address may be something like 10.8.0.2.  To access your server, you could access it by its local IP address on your home network (192.168.0.xx, for example), and that connection is then not exposed to the internet.

 

Another way to look at it is that the remote VPN connection is almost just like any other device plugged into one of the Ethernet ports on your router, and it can see everything else on your home network.

 

AWESOME, thank you.  This is exactly what I was unsure about.  Thanks for the clear explanation.  It sure would be nice if you could somehow configure the VPN to only route certain requests through the VPN, like how you can specify a proxy connection with whitelists/blacklists, but I get how this concept wouldn't really work with a VPN.


AWESOME, thank you.  This is exactly what I was unsure about.  Thanks for the clear explanation.  It sure would be nice if you could somehow configure the VPN to only route certain requests through the VPN, like how you can specify a proxy connection with whitelists/blacklists, but I get how this concept wouldn't really work with a VPN.

 

While I can't tell you how to do this anymore (it's been too long since I've used a setup like this), it is possible to set it up to only route traffic intended for your internal network into the VPN. Main benefit is you don't pass all your internet traffic over the VPN (which isn't necessary if all you're doing is trying to access your home network) so you get the performance benefit of normal internet traffic going out directly from your client and only traffic intended to hit your home network over your VPN. (this also lets you do things like access your home network and your work network at the same time, otherwise all traffic gets routed over your home network and you lose access to your internal corporate network)

 

Google "vpn split tunneling" to look up information on this topic.

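The two behaviours discussed above (S80_UK's "everything goes through the home router" mode and the split-tunnel mode where only home-LAN traffic enters the VPN) come down to a few OpenVPN directives. This is an added example, not configuration from anyone in the thread; it assumes the server uses 10.8.0.0/24 for VPN clients, the home LAN is 192.168.0.0/24, and the unRAID box sits at 192.168.0.10 (all three are made-up values).

```conf
# ---- server.conf (pfSense / router side) ----
dev tun
server 10.8.0.0 255.255.255.0        # clients get 10.8.0.2, 10.8.0.3, ...
tls-crypt ta.key                     # drop packets that lack the pre-shared HMAC key
remote-cert-tls client               # only accept certs issued for client use

# Full tunnel: the client's default route is replaced, so ALL of its traffic
# (web browsing included) goes through the home router and is NATed out by it.
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.0.1"

# Split tunnel: comment out the two push lines above and push only the LAN
# route. The client then reaches 192.168.0.0/24 over the tunnel while every
# other destination leaves the client directly (no extra hop, work network
# still reachable).
push "route 192.168.0.0 255.255.255.0"

# Defensive defaults: VPN clients do not need to see each other, and a
# firewall rule on the tun interface should restrict 10.8.0.0/24 to the
# ports the remote user actually needs on the unRAID host (192.168.0.10),
# rather than the whole LAN the tunnel would otherwise expose.
# client-to-client   <- intentionally left disabled

# ---- client.ovpn (work machine / phone side) ----
client
dev tun
proto udp
remote home.example.net 1194          # placeholder DDNS name, not a real host
remote-cert-tls server                # refuse a server that presents a client cert
tls-crypt ta.key
<ca>   ... </ca>                      # CA cert, client cert and key as issued by
<cert> ... </cert>                    # the server's own PKI (the "token" file)
<key>  ... </key>

# If the server still pushes redirect-gateway but you want split tunnelling
# enforced on this client, ignore pushed routes and add the LAN route locally:
# route-nopull
# route 192.168.0.0 255.255.255.0
```

After connecting, `route print` (Windows) or `ip route` (Linux/Android) shows whether 0.0.0.0/0 now points at the tun interface (full tunnel) or only 192.168.0.0/24 does (split tunnel); in split-tunnel mode the remote machine is reachable from both networks at once, which is exactly the exposure the firewall rule above is meant to narrow.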

AWESOME, thank you.  This is exactly what I was unsure about.  Thanks for the clear explanation.  It sure would be nice if you could somehow configure the VPN to only route certain requests through the VPN, like how you can specify a proxy connection with whitelists/blacklists, but I get how this concept wouldn't really work with a VPN.

 

While I can't tell you how to do this anymore (it's been too long since I've used a setup like this), it is possible to set it up to only route traffic intended for your internal network into the VPN. Main benefit is you don't pass all your internet traffic over the VPN (which isn't necessary if all you're doing is trying to access your home network) so you get the performance benefit of normal internet traffic going out directly from your client and only traffic intended to hit your home network over your VPN. (this also lets you do things like access your home network and your work network at the same time, otherwise all traffic gets routed over your home network and you lose access to your internal corporate network)

 

Google "vpn split tunneling" to look up information on this topic.

 

YES, this would be great, I'll research it for sure, thanks!

