OPNsense Forum
Archive => 22.7 Legacy Series => Topic started by: SkeelKat on January 23, 2023, 01:22:40 pm
-
Has anyone ever attempted to use OPNsense as a SSH Proxy / Jumphost?
Currently I forward port 22 from my GEO Location to a Linux server on the network and then jump the SSH session from there to other hosts in the network. But if I have active SSH connections via this server and I bounce that server, all other connections are lost.
Would be great if OPNsense itself could be the Jumphost.
-
Isn't this what the tailscale or zerotier plugin, or a VPN config, enables OPNsense to do, i.e. act as a jump host?
-
Can be done via VPN yes.
However, I want to allow SSH access to Linux hosts behind the firewall without VPN, and restrict them in the firewall rules using the source directive in the rule.
I managed to get this going by simply allowing SSH to "This Firewall" on the WAN Rule, using SSH Key, I connect to the Firewall and then connect to the Linux host on the LAN.
-
I would be hesitant to have ssh to the firewall from wan without a lot of restrictions. Instead, I would set up a tightly controlled management device behind opnsense and allow ssh to this device and use it as a jumphost only via ssh keys.
But, since the setup which you have implemented already works for you, you can keep track of it and try it out for a few weeks.
-
I did not take the decision lightly. But the connection on TCP/22 is controlled via GeoIP source only from my country, which is quite small and does not have a lot of people that know what SSH is.
Access to the Firewall is done via a 4096bit RSA Key & all machines behind it use their own 4096bit RSA key, with password auth disabled.
Confident that this setup is secure enough for my setup ;)
-
What's the problem with open SSH access? I could not manage my data centre without it.
- Disable password authentication.
- Disable root login (default).
- Enable public key authentication only.
- If you are paranoid about your key being stolen, use e.g. a Yubikey.
As secure as any VPN technology. Only no access at all I would consider "more secure". See:
http://www.ranum.com/security/computer_security/papers/a1-firewall/index.html
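As an added example (not code from the thread, nor from OPNsense or OpenSSH), a small POSIX shell audit that checks an sshd_config for the settings in the list above; the sample config it writes is constructed, and the KbdInteractiveAuthentication check is an addition beyond the list.

```shell
# Audit an sshd_config for the hardening settings discussed above.
# Assumes OpenSSH semantics: keywords are case-insensitive and the
# first active (non-comment) occurrence of a keyword wins, so a later
# duplicate is ignored. Only the "Keyword value" form is parsed.
check_sshd_config() {
    cfg="$1"
    rc=0
    # KbdInteractiveAuthentication is a caveat added here: with PAM,
    # "PasswordAuthentication no" alone still allows keyboard-interactive
    # password prompts unless this is also "no".
    for want in "PasswordAuthentication no" "PermitRootLogin no" \
                "PubkeyAuthentication yes" "KbdInteractiveAuthentication no"; do
        key=${want% *}
        val=${want#* }
        got=$(grep -iE "^[[:space:]]*${key}[[:space:]]+" "$cfg" \
              | head -n 1 | awk '{print tolower($2)}')
        if [ -z "$got" ]; then
            echo "MISSING $key (daemon default applies)"
            rc=1
        elif [ "$got" != "$val" ]; then
            echo "BAD     $key = $got (want $val)"
            rc=1
        else
            echo "OK      $key = $got"
        fi
    done
    return "$rc"
}

# Constructed sample config (not taken from any real host) for a dry run.
write_sample_config() {
    cat > "$1" <<'EOF'
# sample sshd_config
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication no
PasswordAuthentication yes   # later duplicate, ignored by sshd
EOF
}

# With no argument, audit the constructed sample; otherwise audit the given file.
if [ "$#" -eq 0 ]; then
    sample=$(mktemp); write_sample_config "$sample"
    check_sshd_config "$sample"; rm -f "$sample"
else
    check_sshd_config "$1"
fi
```

Exit status is non-zero when any setting is missing or wrong, so the function can gate a deployment script; `sshd -T` output can be fed in the same way to check the effective configuration rather than the file.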