OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: SkeelKat on January 23, 2023, 01:22:40 pm

Title: SSH Proxy / Jump Host
Post by: SkeelKat on January 23, 2023, 01:22:40 pm
Has anyone ever attempted to use OPNsense as a SSH Proxy / Jumphost?

Currently I forward port 22 from my GEO Location to a Linux server on the network and then jump the SSH session from there to other hosts in the network. But if I have active SSH connections via this server and I bounce that server, all other connections are lost.

Would be great if OPNsense itself could be the Jumphost.
Title: Re: SSH Proxy / Jump Host
Post by: user_with_name on February 05, 2023, 08:29:07 pm
Isn't this what the tailscale or zerotier plugin or a VPN config enables OPNsense to do, act as a jump host?
Title: Re: SSH Proxy / Jump Host
Post by: SkeelKat on February 06, 2023, 12:42:05 pm
Can be done via VPN yes.

However, I want to allow SSH access to Linux hosts behind the firewall without VPN, and restrict them in the firewall rules using the source directive in the rule.

I managed to get this going by simply allowing SSH to "This Firewall" on the WAN Rule, using SSH Key, I connect to the Firewall and then connect to the Linux host on the LAN.
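As an added illustration of the two-hop setup just described (not code from the thread or from the OPNsense project), the stanza below lets the client reach the LAN host through the firewall in one `ssh` command via ProxyJump, and the second function emits the authorized_keys line a jump-only key would carry on the jump host so that it can only open the forwarding ProxyJump needs, towards one destination, from one source prefix. Host names, addresses, user names and key paths are constructed placeholders.

```shell
#!/bin/sh
# Added example for the WAN -> firewall -> LAN host setup (not from the forum
# post). All hostnames, addresses, users and key paths are placeholders.

# Emit an ssh_config stanza so "ssh <lan_name>" hops through the firewall in
# one step instead of a manual ssh-then-ssh. Each hop authenticates with its
# own key; the jump host never sees the LAN host's private key because
# ProxyJump only relays a TCP channel (ssh -W), it does not run a shell there.
jump_client_config() {
    fw_name=$1; fw_addr=$2; lan_name=$3; lan_addr=$4
    cat <<EOF
Host $fw_name
    HostName $fw_addr
    User jumpadmin
    IdentityFile ~/.ssh/id_fw
    IdentitiesOnly yes
    PasswordAuthentication no

Host $lan_name
    HostName $lan_addr
    User admin
    IdentityFile ~/.ssh/id_lan
    IdentitiesOnly yes
    ProxyJump $fw_name
EOF
}

# Emit the authorized_keys line for the jump host. "restrict" disables shell
# features (PTY, agent/X11 forwarding, ~/.ssh/rc), "port-forwarding" re-enables
# only the direct-tcpip channel ProxyJump uses, "permitopen" pins that channel
# to the LAN host's SSH port, and "from" limits the key to a source prefix,
# complementing the firewall's own source rule on TCP/22.
jump_only_authorized_key() {
    src=$1; lan_addr=$2; pubkey=$3
    printf '%s\n' "restrict,port-forwarding,permitopen=\"$lan_addr:22\",from=\"$src\" $pubkey"
}

# Usage: write the client stanza into ~/.ssh/config, then "ssh lanhost".
jump_client_config fw 203.0.113.10 lanhost 192.168.1.20
jump_only_authorized_key 203.0.113.0/24 192.168.1.20 "ssh-ed25519 AAAA...placeholder"
```

With `ssh -W` the client never requests a shell on the jump host, so the restricted key still works for the hop while a stolen copy of it gains no interactive access on the firewall.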
Title: Re: SSH Proxy / Jump Host
Post by: user_with_name on February 07, 2023, 10:56:16 am
I would be hesitant to have SSH to the firewall from WAN without a lot of restrictions. Instead, I would set up a tightly controlled management device behind OPNsense, allow SSH to this device, and use it as a jump host only via SSH keys.
But, since the setup which you have implemented already works for you, you can keep track of it and try it out for a few weeks.
Title: Re: SSH Proxy / Jump Host
Post by: SkeelKat on February 07, 2023, 12:42:40 pm
I did not take the decision lightly. But the connection on TCP/22 is controlled via GeoIP source only from my country, which is quite small and does not have a lot of people that know what SSH is.

Access to the firewall is done via a 4096-bit RSA key, and all machines behind it use their own 4096-bit RSA keys, with password auth disabled.

Confident that this setup is secure enough for my setup ;)
Title: Re: SSH Proxy / Jump Host
Post by: Patrick M. Hausen on February 07, 2023, 12:50:49 pm
What's the problem with open SSH access? I could not manage my data centre without it.

As secure as any VPN technology. Only no access at all I would consider "more secure". See:
http://www.ranum.com/security/computer_security/papers/a1-firewall/index.html