External unRAID access and VPN questions



I have another related question and maybe it justifies its own thread, but I'll ask here first since we're on the subject.  At work we use certificate authentication for most of our access, with some systems only requiring basic auth (username/password), and others requiring both.  Is there a way to set up my home network to be exposed to the outer world (scary, I know), but be protected behind both certificate and basic authentication (two-factor authentication)?

 

Seems like there could be an easier, yet still secure, way to gain access to my home network, other than VPN.  Admittedly, there isn't much info on this thought, so I'm guessing many people much smarter than I would have done this already, if it were "remotely possible" (haha nerd puns).

 

Thoughts?

 

Thanks again.


VPN is the way to do this.  The reasoning being that in theory you could expose single services and add authentication to them, but this requires that each exposed service be properly secured (and many do not support strong security; there's no safe way to expose many services that we take for granted as being "safe" inside our internal networks). VPN does the same thing but allows you to control authentication of all services via a single exposed port without needing to secure every port individually.

 

If the server needs to have something generally accessible to the public (web service or something) then you expose it and secure it. If it's something you never want the public accessing, VPN is far safer than trying to corral multiple potential security holes.


Fair enough, thanks.  If VPN is the obvious, easiest, borderline only right choice, then I'm all for it.  I'm not opposed to VPN, it's just that there's an appeal to being able to use any internet-connected device, and route to https://www.mydomain.com/myProperlyRoutedService without having to deal with a VPN client first.  Just wishful thinking.

 

I also ran across this reddit thread that has a lot of useful information intertwined with the bickering between a couple posters:  https://www.reddit.com/r/usenet/comments/2fevzc/nzb_360_users_how_have_you_configured_your_setup/#bottom-comments

 

I guess it's just my pathetically simple-minded attitude that keeps getting in my way.  At a high level, it just seems like you could have something between your router and the outside world (or be built into the router), that would provide robust authentication before allowing access to anything within your internal network, without having to rely on client software.

 

Internet-connected device -> hit external ip or ddns url -> authenticate with home network firewall/authentication service with user and/or certificate authentication -> access to the goodies.  I wouldn't think the goodies would need to be individually secured, because we've already determined authentication.

 

Again, this thought process MUST be naive because if it were that easy, everyone would be doing it!

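The gateway described above (device -> public hostname -> certificate plus username/password check -> internal web UIs) is what a reverse proxy with mutual TLS and basic auth does. This is an added example, not configuration from anyone in the thread; the hostname, certificate paths, internal address and port are assumptions.

```nginx
# Added example: nginx as the single entry point in front of the home network.
# Every request must pass BOTH checks before any internal UI is reachable.
# Hostname, file paths and the upstream address are placeholders.
server {
    listen 443 ssl;
    server_name www.mydomain.com;          # hostname from the thread; placeholder

    ssl_certificate     /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Factor 1: the client must present a certificate issued by a private CA
    # that only you control. Without one the TLS handshake is rejected.
    ssl_client_certificate /etc/nginx/certs/home-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       1;

    # Factor 2: HTTP basic auth on top of the certificate. Credentials only
    # ever travel inside the TLS session, never on port 80.
    auth_basic           "Home network";
    auth_basic_user_file /etc/nginx/htpasswd;

    # Only after both checks pass is the request forwarded inward.
    # One location per internal UI; unRAID's web front shown, others follow
    # the same pattern with their own proxy_pass target (assumed address).
    location / {
        proxy_pass         http://192.168.1.10/;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $remote_addr;
        proxy_set_header   X-Forwarded-Proto https;
    }
}

# Plain HTTP gets no redirect and no banner: close the connection.
server {
    listen 80 default_server;
    return 444;
}
```

The htpasswd file is created with `htpasswd -c /etc/nginx/htpasswd <user>` and the client certificate is signed by the same private CA referenced in `ssl_client_certificate`; the applications' own logins stay in place behind the proxy, so a proxy misconfiguration does not expose them unauthenticated.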

Also within the reddit post I linked to, there was mention of using the Microsoft RDP protocol.  I have a W10 Pro VM running 24/7 at home, so if there's a way to use RDP for remote access, that is secure, that could be an option as well.  Of course, that would also require client software as well, so I don't know what I'm really buying myself at that point.  Just another thing to research I guess.


What is your goal when it comes to remote access? Do you just want to access your Windows 10 VM or are you after network access? VPN stands for Virtual Private Network, see the Network part? So a VPN and accessing a computer remotely are not the same thing; one gives you a whole lot more than the other. If your goal is to simply access your Windows 10 VM, then look into something like TeamViewer or GoToMyPC; there are plenty of variants, some free, some not. If your goal however is to access your network or your unRAID server remotely, then VPN is what you want.


Great point, I probably should have been more clear.  I want access to all the web ui content, from the unRAID webfront, to sickbeard, sab, deluge, etc.  I don't necessarily need "direct", or "command line" access to unRAID, but correct me if I'm wrong, if I have access to my Windows VM, what would keep me from opening up a putty session from there and logging into my unRAID machine?  Seems like giving myself access to my Windows VM would be giving me access (in one form or another) to EVERYTHING.


Precisely, with access to your Windows 10 VM you would have access to everything you need from the sounds of it.

 

This is where I just want to bang my head against a wall.  I never even thought to use a service like Go To PC, Citrix, etc to connect to my Win10 VM, vs direct access to the network.  The most pathetic thing is we use services like these at work every friggin day, so yeah, I feel a bit dumb right now.  Seems like these services might not be quite as secure, but maybe that isn't a deal-breaker as long as I have a reasonable amount of confidence that my home network won't get compromised.


Let me point out a distinction between something like Go to My PC, Teamviewer and RDP or citrix access.

 

GoToMyPC or TeamViewer are commercially available secure services; you don't have to open ports on your firewall and they are secured by password.

 

RDP or Citrix usually require you to poke a hole in your firewall and are then secured by password. Now you can choose whatever port you want, you don't have to use the default port, but these methods and services are inherently less secure (my opinion) than something like GoToMyPC or TeamViewer.


Yeah I was realizing that as I was googling just now, but thanks for the clarification.  I think I'm going to play around with both OpenVPN, and with a free PC remote access program (even if it's a Go To PC free trial), and decide between the 2.  The one thing I don't want to do, for all the reasons I already knew, along with the ones provided by you guys, is having to expose ports at the router level, and trust my applications to handle security.


It really comes down to what you're trying to do.

 

One of my friends has unraid set up with a subsonic docker that's exposed to the public (password protected) so he can stream his music to his phone/car/whatever.

 

Having a VPN set up is good for accessing your network, accessing files as if they were on the local net, etc but of course requires you to have the VPN set up on every device that needs access.  A split tunnel VPN should let you access your shares more or less exactly as if you were at home.

 

I use TeamViewer personal for assisting friends/family with computer issues and I've found it to be a nice, secure way of accessing PCs but you wouldn't want to, for example, watch video over it. But for doing general maintenance, transferring small files around, etc, it's easy enough.


That's a good way to describe the two scenarios/methods.  Right now I have no desire to do things like watch video, stream audio, transfer large files, etc, so the TeamViewer option is appealing, and I'll play with that a bit.  I'm still going to get the VPN set up and play with it as well, just because, well, I can.  I'll be using pfSense as soon as the NIC I bought comes in, and it'll be fun to play with and learn about.

 

Again thanks to everyone for all the info.  My picture is much clearer now.
