A while back, I wrote a post about building an OpenVPN server inside a FreeNAS jail for a friend who has a small FreeNAS device, but doesn't have a firewall that will let him run an OpenVPN server directly. Much to my surprise, this article seems to have gotten some traction, so I'm posting an update to it (leaving the old one in place for posterity's sake).
Since I wrote the previous article, a few things have changed. The most important change that the diligent reader will need to be aware of is that I've upgraded my FreeNAS from the 9.3 train to the 9.10 train. The UI looks the same, but there is the added benefit of being able to use FreeBSD 10 as the jail template.
You know how when you use your debit card at an ATM or at a point of sale, you have to provide your PIN before your transaction can be completed? It makes perfect sense, right? Without the PIN, anyone who finds your debit card would be able to use it as if they were you. No good. Who wants that?
Ten years ago, I was very much into IPv6. I had two different tunnels, and all of my home network had v6 IP addresses -- all statically assigned, with working reverse DNS. Even the Windows XP machines. Then I got lazy. I swapped out my hand-crafted OpenBSD router for an off-the-shelf wireless router. That old homemade router was old enough that I couldn't put a Wifi card in it, and I just wanted some wifi.
For a couple of years now, I've noticed that Comcast has been giving me an IPv6 address, but I haven't really been able to figure anything out with it. When I was using an Apple AirPort Extreme, turning on IPv6 would break everything. So I just left it off. Even when I was running pfSense, I saw it, but I spent so much time accidentally breaking pfSense that I never got to look into it any further.
Since I'm a few months into OPNSense now, and things seem to be rock solid, I decided to have another go at IPv6. What follows are the steps that I took to get IPv6 up and running as expected on my home network.
I've been running OPNSense as my firewall for a few months now. I really dig it. I switched from pfSense, which I had been running for a couple of weeks at the time. Prior to that I was using my Apple AirPort Extreme as my firewall / router.
With the switch away from the consumer grade firewall / router, I really reveled in the expanded control that I got. In particular, I really enjoyed the easy setup of an OpenVPN back into my home network. I could not do any of that stuff with the AirPort Extreme as easily as I did with OPNSense.
However, there was always one thing that had been very easy to get working with the AirPort Extreme that I could never seem to get quite right: OpenDNS. Today, with the help of PiBa-NL in the #OPNSense IRC room on Freenode, I finally got it all sorted out.
I recently converted my home firewall from pfSense to OPNSense. The reasons for the change are pretty much all outlined in the reasons why OPNSense forked. Those are some pretty solid reasons, in my opinion.
A VPN allows us to connect to our private home network from anywhere on the Internet. This means that if we are in a remote location, and need to retrieve a file from our FreeNAS, or want to play some music from our internal music server, we can use the VPN to make that happen. In essence, a VPN extends our private network by creating a tunnel between our private network and our client(s) out there on the internet.
Update 6/18/2016: New version of this tutorial added. If you are using EasyRSA version 3, then you should use the new tutorial. If you are still on version 2, then this tutorial is probably the one you want.
Edit 11/1/2015: Updated the Diffie-Hellman bit length to 2048 so that newer installs will not break with more recent installations of easy-rsa.
If you have an up-to-date FreeNAS server (9.3 stable at the time of this writing), then this guide should walk you through building a jail and installing an OpenVPN server inside of it. The beauty of this system is that it is all being done inside a jail, so the odds of making a mistake that could take down your entire NAS are slim. If something goes awry, you can just delete the jail and start over again.
After you finish, you will end up with a certificate-based OpenVPN server. Each user will need to have their own certificate to go along with their username and password. In essence, we'll be implementing a two-factor authenticated VPN.
One of the great things about FreeBSD is its long-standing support for jails. A jail is a way to run a process or set of processes in an environment that is isolated from the host system. Processes created inside a jail cannot access files outside of that jail.
There are a host of reasons why you might want to run your services in jails, but the primary reason is that it allows you to run disparate services without having to worry about a flaw in one service allowing access to another service. For example, jails will allow you to run a mail server and a web server on the same Droplet without having to be overly concerned that a vulnerability in your web site could expose the data in your mail server.
Over the course of this article, you will take a newly minted FreeBSD Droplet, do some initial configuration, set up a jail, and install a simple web server inside the jail.
In the end, you will be setting up a firewall to protect the host system. This tutorial will be using the PF firewall that is included in FreeBSD. Aside from configuring a firewall, you will also be making some tweaks to the default shell as well as making some changes to the configuration of some of the default services.
At work we develop an enterprise iOS application -- which is to say one that is not listed on the Apple App Store. As such, we have a sales team which periodically has a need to demo the software. I used to go through quite the rigmarole to get the sales team set up to be able to demo the app remotely -- say via WebEx or GoToMeeting.
With the release of Yosemite & iOS 8, Apple introduced a new way to do it.
Step 1: Build the server
The other day, for giggles, I decided to see if I could convert a virtual private server (VPS) into a desktop and access it remotely. Seems to have worked, so I've decided to do it again, in case anyone else ever wanted to. At the end of this, you'll have a server at Digital Ocean running Ubuntu MATE that you can access from almost any platform with X2Go.
Start out by going to Digital Ocean and spinning up a new droplet. I chose Ubuntu 14.04 x64, but it shouldn't be too much work to get this working with Ubuntu 14.10. Wait your requisite 57 seconds (mine only took 44 seconds!!), and connect to the machine. While completely optional, Digital Ocean has some great recommendations on what to do after you build your droplet. At the very least, configure yourself a firewall, leaving port 22 (or whatever port you choose) open. Our remote desktop will only need SSH to connect. It's probably also a good idea to run some updates:
A while back, I dropped Wordpress as my blogging platform in favor of Ghost. At the time I was looking for something simpler to manage than Wordpress, and something new to play with. Ghost seemed like a pretty good candidate -- it is still kind of the new hotness. Node.js seemed like a potentially interesting new thing to learn. So I went for it.