OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: seamus on February 13, 2018, 02:32:11 am

Title: webGUI access & VPNs
Post by: seamus on February 13, 2018, 02:32:11 am
I've just upgraded my firewalls from pfSense to OPNsense. I'm struggling with two items, one of which I struggled with using pfSense also. Without further ado:

Requirement 1. I need to do remote administration of my firewalls. I understand there is some risk associated with this, but I simply have no (practical) choice.

Requirement 2. I need to be able to use the VPN feature to actually connect to hosts behind my firewall... this is the only real value of the VPN for me in this context.

Question #1: Can I use the VPN to connect to the webGUI via the LAN port (instead of a direct connect to the WAN port)?

Question #2: Alternatively, could/should I use SSH to access the webGUI through an "SSH tunnel"?

Question #3: Once I have the VPN (OpenVPN) working, what other steps must I take to gain access to my internal hosts?

Title: Re: webGUI access & VPNs
Post by: elektroinside on February 13, 2018, 06:14:12 am
I also remotely manage my firewalls, also directly or via VPN.
Question #1: yes, via VPN
Question #2: why?
Question #3: Nothing, that's the point in using VPNs. Just follow this: https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

If you are setting up VPN, you can secure authentication with 2FA and also security certificates. If you want to further enhance security, make yourself a DDNS for the VPN client, with https://www.duckdns.org/ for example. Create an alias in the firewall for it and allow access to the webgui and/or the VPN port only for that alias (don't forget to verify the alias update/resolving interval in OPNsense). Whenever you need access, fire up the duckdns updater on the client, wait a bit for the firewall to resolve the new ip (the frequency you configured in OPNsense), then connect. I am assuming that wherever you need access from (the client), there are no static public IPs and that's why you need DDNS and aliases :)
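
An added example, not part of the post above and not OPNsense code: a client-side check for the DDNS step described there. It polls until the DDNS name resolves to the client's new address, then gives a worst-case extra wait before the firewall alias can be assumed current. The hostname, TTL, alias interval and addresses are constructed values.

```python
import ipaddress
import socket
import time

# Constructed sample values (assumptions, not taken from the thread):
HOSTNAME = "example.duckdns.org"   # placeholder DDNS name
DNS_TTL_S = 60                     # assumed TTL of the DDNS record
ALIAS_INTERVAL_S = 300             # assumed alias re-resolve interval on the firewall

def resolve_ipv4(hostname):
    """Return the set of IPv4 addresses the name resolves to right now."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def wait_for_ddns(hostname, expected_ip, resolver=resolve_ipv4, timeout_s=300,
                  poll_s=10, sleep=time.sleep, clock=time.monotonic):
    """Poll until hostname resolves to exactly expected_ip.
    Returns seconds waited, or None if the record never changed in time."""
    expected = str(ipaddress.ip_address(expected_ip))  # rejects malformed input
    start = clock()
    while True:
        try:
            addrs = resolver(hostname)
        except OSError:          # NXDOMAIN / resolver down: treat as "not yet"
            addrs = set()
        if addrs == {expected}:
            return clock() - start
        if clock() - start >= timeout_s:
            return None
        sleep(poll_s)

def firewall_margin_s(dns_ttl_s=DNS_TTL_S, alias_interval_s=ALIAS_INTERVAL_S):
    """Worst-case extra wait after the client sees the new record: the firewall's
    resolver may still cache the old answer (one TTL), and the alias may have
    been refreshed just before that cache expired (one alias interval)."""
    return dns_ttl_s + alias_interval_s

if __name__ == "__main__":
    # Offline demo: a stub resolver that returns the old address twice, then the new one.
    answers = iter([{"198.51.100.7"}, {"198.51.100.7"}, {"203.0.113.9"}])
    waited = wait_for_ddns(HOSTNAME, "203.0.113.9", resolver=lambda h: next(answers),
                           poll_s=0, sleep=lambda s: None)
    print(f"record updated after {waited:.0f}s; allow up to {firewall_margin_s()}s more")
```

Seeing the new address from the client only shows that the DDNS record changed; the firewall rule still matches the old address until the alias is re-resolved, which is what the margin accounts for.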

Title: Re: webGUI access & VPNs
Post by: franco on February 13, 2018, 09:01:33 am
To clarify upon #2: you only ever want SSH port forwarding through WAN if your VPN fails in order to bring it back.


Cheers,
Franco

Title: Re: webGUI access & VPNs
Post by: elektroinside on February 13, 2018, 09:17:19 am
Indeed, but he is talking about SSH tunneling (if I'm not mistaken, he refers to making a SOCKS proxy out of the SSH connection) and that's definitely not the same as a VPN :)

Title: Re: webGUI access & VPNs
Post by: franco on February 13, 2018, 09:27:01 am
Sure, it can mean different things. SSLH is also interesting. :D


Cheers,
Franco

Title: Re: webGUI access & VPNs
Post by: Julien on February 13, 2018, 11:35:30 pm
> Sure, it can mean different things. SSLH is also interesting. :D
>
> Cheers,
> Franco

SSLH is an SSL, Franco?
I have been thinking of using this in order to get the firewall up in case the VPN tunnel fails.

Title: Re: webGUI access & VPNs
Post by: seamus on February 14, 2018, 08:59:30 am
Following the "HOW-TO" for "Setup SSL VPN Road Warrior"... Everything was progressing as expected, until the step called "Adding a User"; specifically these instructions:

Click Save and you will be redirected to the User page. Now we will activate your newly created seed with Google Authenticator. To do so click in the (i) symbol on the left of OTP seed now you will see a link to the google authenticator image.

Unfortunately, clicking the 'i' symbol specified does nothing! No link is presented. I've attached a partial screen shot of the relevant area.

Any ideas??