Has anyone ever attempted to use OPNsense as an SSH proxy / jumphost?
Currently I forward port 22 from my GEO Location to a Linux server on the network and then jump the SSH session from there to other hosts in the network. But if I have active SSH connections via this server and I bounce that server, all other connections are lost.
Would be great if OPNsense itself could be the Jumphost.
Isn't this what the Tailscale or ZeroTier plugin, or a VPN config, enables OPNsense to do, i.e. act as a jump host?
Can be done via VPN yes.
However, I want to allow SSH access to Linux hosts behind the firewall without VPN, and restrict them in the firewall rules using the source directive in the rule.
I managed to get this going by simply allowing SSH to "This Firewall" in the WAN rule. Using an SSH key, I connect to the firewall and then connect to the Linux host on the LAN.
I would be hesitant to have SSH to the firewall from WAN without a lot of restrictions. Instead, I would set up a tightly controlled management device behind OPNsense, allow SSH to this device, and use it as a jumphost only via SSH keys.
But, since the setup which you have implemented already works for you, you can keep track of it and try it out for a few weeks.
I did not take the decision lightly. But the connection on TCP/22 is controlled via GeoIP, with the source restricted to my country, which is quite small and does not have a lot of people that know what SSH is.
Access to the firewall is done via a 4096-bit RSA key, and all machines behind it use their own 4096-bit RSA key, with password auth disabled.
Confident that this setup is secure enough for my setup ;)
What's the problem with open SSH access? I could not manage my data centre without.
- Disable password authentication.
- Disable root login (default).
- Enable public key authentication only.
- If you are paranoid about your key being stolen, use e.g. a Yubikey.
As secure as any VPN technology. Only "no access at all" would I consider more secure. See:
http://www.ranum.com/security/computer_security/papers/a1-firewall/index.html
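Two things in this thread lend themselves to a worked example: the "SSH to the firewall, then SSH to the LAN host" workflow from the earlier post, which OpenSSH's ProxyJump collapses into one hop, and the hardening checklist just above, which can be turned into a quick audit of an sshd_config. The script below is an added example written for this page, not code from OPNsense or from anyone in the thread. The host alias `fw`, the name `fw.example.net`, the user names and the key file names are assumptions; the two sshd_config samples are constructed so the audit runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). Part 1: client-side ProxyJump stanza
# so "ssh lan-db" goes through the OPNsense box in one hop. Part 2: audit an
# sshd_config against the checklist (no passwords, no root login, keys only).

# Write an OpenSSH client config to $1. "fw" is the assumed alias for the
# firewall's WAN name; any host matching lan-* is reached through it.
# "ssh lan-db" then behaves like "ssh -J admin@fw.example.net ops@lan-db".
write_jump_config() {
    cat > "$1" <<'EOF'
Host fw
    HostName fw.example.net
    User admin
    IdentityFile ~/.ssh/id_fw
    IdentitiesOnly yes
    PasswordAuthentication no

Host lan-*
    ProxyJump fw
    User ops
    IdentityFile ~/.ssh/id_lan
    IdentitiesOnly yes
EOF
}

# Effective value of an sshd_config keyword: sshd uses the first uncommented
# occurrence, so take that; fall back to the supplied OpenSSH default.
# Usage: sshd_value FILE KEYWORD DEFAULT
sshd_value() {
    v=$(grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n1 | awk '{print tolower($2)}')
    if [ -n "$v" ]; then echo "$v"; else echo "$3"; fi
}

# Audit $1 against the checklist. Prints one FAIL line per finding and
# returns 0 only when everything matches. Note the OpenSSH default
# PermitRootLogin=prohibit-password still allows key-based root login, so
# "disable root login" here means an explicit "no". Older sshd versions spell
# KbdInteractiveAuthentication as ChallengeResponseAuthentication.
audit_sshd() {
    cfg=$1
    rc=0
    # each spec: keyword, OpenSSH default, required value
    for spec in \
        "PasswordAuthentication yes no" \
        "KbdInteractiveAuthentication yes no" \
        "PermitRootLogin prohibit-password no" \
        "PubkeyAuthentication yes yes"
    do
        key=${spec%% *}; rest=${spec#* }
        def=${rest%% *}; want=${rest#* }
        got=$(sshd_value "$cfg" "$key" "$def")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key is '$got', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples: one close to stock OpenSSH, one hardened per the list.
weak_cfg=$(mktemp)
hardened_cfg=$(mktemp)
printf '%s\n' "Port 22" "#PasswordAuthentication no" \
    "PermitRootLogin prohibit-password" > "$weak_cfg"
printf '%s\n' "Port 22" "PasswordAuthentication no" \
    "KbdInteractiveAuthentication no" "PermitRootLogin no" \
    "PubkeyAuthentication yes" "AuthenticationMethods publickey" > "$hardened_cfg"

# Stand-alone run: audit both samples and write the client config to a temp file.
audit_sshd "$weak_cfg" || echo "weak sample: findings above"
audit_sshd "$hardened_cfg" && echo "hardened sample: clean"
jump_cfg=$(mktemp)
write_jump_config "$jump_cfg"
```

The audit reads the first uncommented occurrence of each keyword because that is how sshd resolves duplicates, and it substitutes the OpenSSH default when a keyword is absent, so a config that merely comments out `PasswordAuthentication no` is reported as still accepting passwords. The client stanza pins separate identities for the firewall and the LAN hosts with `IdentitiesOnly`, so the key that opens the firewall is never offered to inside hosts and vice versa.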