Over the course of the last 18 months, a number of people have asked me to document my weight loss journey. What you are about to read is probably the first of at least 2 articles that I'm going to write on this topic. The first of these will kind of outline the history -- what I did, and when (more or less). The second (and perhaps more) will kind of cover the things that I learned along the way; things about diet and dieting, as well as things about myself.
FreeNAS 11 was recently released, so I'm going to continue my series on running OpenVPN servers from FreeNAS jails. In theory these instructions could be followed on any old FreeBSD 11 jail, but FreeNAS provides a friendly UI, so why not use it?
For giggles, I'm taking screenshots for this with the new FreeNAS UI. So far it's nice. You should definitely try it.
Update the Jail config
The first thing I had to do was to fix the jails config. I did this by going to Jails -> Configuration (in the left hand nav menu). Under advanced mode, there is an option for "Collection URL". The value that was in there by default (http://download.freenas.org/latest/RELEASE/x64/jails) didn't work for me, but I managed to figure out that it should probably be something more like this one http://download.freenas.org/jails/11/x64/.
A while back, I wrote a post about building an OpenVPN server inside a FreeNAS jail for a friend who has a small FreeNAS device, but doesn't have a firewall that will let him run an OpenVPN server directly. Much to my surprise, this article seems to have gotten some traction, so I'm posting an update to it (leaving the old one in place for posterity's sake).
Since I wrote the previous article, a few things have changed. The most important change that the diligent reader will need to be aware of is that I've upgraded my FreeNAS from the 9.3 train to the 9.10 train. The UI looks the same, but there is the added benefit of being able to use FreeBSD 10 as the jail template.
You know how when you use your debit card at an ATM or at a point of sale, you have to provide your PIN before your transaction can be completed? It makes perfect sense, right? Without the PIN, anyone who finds your debit card would be able to use it as if they were you. No good. Who wants that?
Ten years ago, I was very much into IPv6. I had two different tunnels, and all of my home network had v6 IP addresses -- all statically assigned, with working reverse DNS. Even the Windows XP machines. Then I got lazy. I swapped out my hand-crafted OpenBSD router for an off-the-shelf wireless router. That old homemade router was old enough that I couldn't put a Wifi card in it, and I just wanted some wifi.
For a couple of years now, I've noticed that Comcast has been giving me an IPv6 address, but I haven't really been able to figure anything out with it. When I was using an Apple AirPort Extreme, turning on IPv6 would break everything. So I just left it off. Even when I was running pfSense, I saw it, but I spent so much time accidentally breaking pfSense that I never got to look into it any further.
Since I'm a few months into OPNSense now, and things seem to be rock solid, I decided to have another go at IPv6. What follows are the steps that I took to get IPv6 up and running as expected on my home network.
I've been running OPNSense as my firewall for a few months now. I really dig it. I switched from pfSense, which I had been running for a couple of weeks at the time. Prior to that I was using my Apple AirPort Extreme as my firewall / router.
With the switch away from the consumer grade firewall / router, I really reveled in the expanded control that I got. In particular, I really enjoyed the easy set up of an OpenVPN back into my home network. I could not do any of that stuff with the AirPort Extreme as easily as I did with OPNSense.
However, there was always one thing that had been very easy to get working with the AirPort Extreme that I could never seem to get quite right: OpenDNS. Today, with the help of PiBa-NL in the #OPNSense IRC room on Freenode, I finally got it all sorted out.
I recently converted my home firewall from pfSense to OPNSense. The reasons for the change are pretty much all outlined in the reasons why OPNSense forked. Those are some pretty solid reasons, in my opinion.
A VPN allows us to connect to our private home network from anywhere on the Internet. This means that if we are in a remote location, and need to retrieve a file from our FreeNAS, or want to play some music from our internal music server, we can use the VPN to make that happen. In essence, a VPN extends our private network by creating a tunnel between our private network and our client(s) out there on the internet.
Update 6/18/2016: New version of this tutorial added. If you are using EasyRSA version 3, then you should use the new tutorial. If you are still on version 2, then this tutorial is probably the one you want.
Edit 11/1/2015: Updated the Diffie-Hellman bit length to 2048 so that newer installs will not break with more recent installations of easy-rsa.
If you have an up to date FreeNAS server (9.3 stable at the time of this writing), then this guide should walk you through building a jail and installing an OpenVPN server inside of it. The beauty of this system is that it is all being done inside a jail, so the odds of making a mistake that could take down your entire NAS are slim. If something goes awry, you can just delete the jail, and start over again.
After you finish, you will end up with a certificate-based OpenVPN server. Each user will need to have their own certificate to go along with their username and password. In essence, we'll be implementing a two-factor authenticated VPN.
One of the great things about FreeBSD is its long standing support for jails. A jail is a way to run a process or set of processes in an environment that is isolated from the host system. Processes created inside a jail cannot access files outside of that jail.
There are a host of reasons why you might want to run your services in jails, but the primary reason is that it allows you to run disparate services without having to worry about a flaw in one service allowing access to another service. For example, jails will allow you to run a mail server and a web server on the same Droplet without having to be overly concerned that a vulnerability in your web site could expose the data in your mail server.
Over the course of this article, you will take a newly minted FreeBSD Droplet, do some initial configuration, set up a jail, and install a simple web server inside the jail.
In the end, you will be setting up a firewall to protect the host system. This tutorial will be using the PF firewall that is included in FreeBSD. Aside from configuring a firewall, you will also be making some tweaks to the default shell as well as making some changes to the configuration of some of the default services.
At work we develop an enterprise iOS application -- which is to say one that is listed on the Apple App Store. As such, we have a sales team which periodically has a need to demo the software. I used to go through quite the rigmarole to get the sales team set up to be able to demo the app remotely -- say via WebEx or GoToMeeting.
With the release of Yosemite & iOS 8, Apple introduced a new way to do it.