Access your FreeNAS server remotely via SSH

After finally getting my FreeNAS and ZFS-based file server up and running, Ive been looking at ways to access its services from remote locations outside of my home network. There are numerous ways to achieve such a feat, such a creating a VPN between your remote computer and the server. However, VPNs typically require either special software installed on the server (which FreeNAS lacks, like Hamachi) or dedicated hardware running on the network (such as a machine running OpenVPN (http://openvpn.net/)), which I lack. FreeNAS, however, does contain SSH, allowing you to create a sudo-VPN called an SSH tunnel. An SSH tunnel is a secure, encrypted connection between the remote computer and the file server for a specific port. Each service running on the server uses different ports, thus it is necessary to create numerous tunnels once for each service you which to access remotely. After reading a number of online tutorials, most of which were geared towards Windows or the CLI, I discovered a very easy way to set up tunnels between a Mac OS X remote machine and the FreeNAS server, which Ill describe here in detail. On the server/local network: 1. First, enable SSH on FreeNAS through the FreeNAS Web interface. Also, make sure allow tunneling is checked and that SSH is using port 22 (you can use another port, but Ill be using the default port 22 in this tutorial). Finally, I enabled enable root login, but for security purposes, this can remain unchecked and you can login as a local user account (assuming one has been created on the FreeNAS server). http://www.jwaddell.dreamhosters.com/blog/?p=31 2. If you have a dynamic IP address, its a tremendous help to use a dynamic IP service (such as dyndns or no-ip) to provide a static host name to your ever-changing IP address. This is built-into FreeNAS, and can be enabled under Services on the FreeNAS web interface. 3. Prepare your router: Youll need to open up the SSH port 22 to outside access on your router. On the Remote Mac OS X-based Computer: 1. Download two applications, SSH Tunnel Manager (http://sourceforge.net/projects/gstm/) and Network Beacon (http://www.macupdate.com/info.php/id/11315/network-beacon), which will be used to graphically configure the SSH tunnels. 2. In SSH Tunnel Manager, we need to configure the different tunnels required for the services we want to access. For example, suppose you want to access Samba file shares on your FreeNAS server:

o o

Fill in your username and password, your static host name, and SSH port (22) Than, you need to forward a local port on your Mac to the Samba-port (usually 445) on your FreeNAS server. Under Local redirections, you can pick any port number on your Mac (I used 5445), the LAN Host of localhost and remote port of 445. You can leave remote redirections blank. Then, make sure your newly created tunnel is enabled and open.

Network Beacon allows reporting of the local port redirections to the system via bonjour, so for example, the SSH tunnel we created above for Samba shares will appear auto-magically in the Finder. In Network Beacon, create a New Beacon containing the following information:

For Samba, use Service Type _smb._tcp. and enter the local port redirection you created above (ex. 5445). Next, enable the host proxy with the host name of localhost and IP address of 127.0.0.1. Finally, click OK and enable the new beacon. If everything was performed correctly, your FreeNAS share should now show up under Shared machines in the Finder, and you can connect and browse files as if you were on your local network. Other Services: You can also enable other service besides Samba, such as iTunes sharing. As I add more tunnels for remote services to my remote connection, Ill update this tutorial with the required ports and information.

iTunes Shares: First, you need to have the daap service running on your FreeNAS machine. For this, you need to redirect the remote port of 3689 to a local port of your choice (I just reused 3689), and then set up a Beacon with the service type _daap._tcp. with your local port redirect (3689) and the same local host proxy as above. Then, open up iTunes and your remote iTunes server should appear under Shared. Optional: Finally, with SSH, you can enable the use of secure certificates between your Mac and FreeNAS server to allow logging in via SSH without having to enter a password for the FreeNAS user account. I may add the instruction on how to do this to the tutorial, but for now, there are numerous tutorials on the internet about how to do this. Note, youll need to use the command line to accomplish this completely optional feature.