Messages - s.simma

#1
18.7 Legacy Series / IPSEC change remote gateway
April 23, 2019, 07:55:01 PM
Hallo,

I had a running IPSEC connection.
After moving one location to another place I changed the "Remote gateway (green arrow)" in the "tunnel settings" to the new external IP.

What happens:
No IPSEC connection. The entry form where I entered the "Remote gateway" suddenly has new fields (marked with red arrow)???
(see attachment)

Reboot, load backup, delete/re-enter IPSEC connection -> fields still there (NO IPSEC connection)

Does anybody have an idea how to get rid of these fields?
#2
Yes, that solves the problem.
#3
I'll try the following:
1. create a usergroup "service"
2. assign my remote "service-user" to this usergroup with (/bin/sh)
3. assign "wheel, <new usergroup>" to the ssh login group

I think this could solve my problem,
but I have to wait for the weekend.
#4
Hallo franco,

Thanks for your answer.

What we have done for many years is to build ssh tunnels on our firewall to local workstations. (A certain authentication key gives access to a certain computer in the local network.)
Inside this tunnel remote users (all with the same user name, e.g. "servicessh") access their local computers from home by use of RDP. This is supported by all Linux distributions.
In other words, an ssh tunnel is not created based on the user name but on the authentication key.

In the authorized keys file you have to enter one line per key and IP,
e.g.
permitopen="<my workstation-ip>:3389",no-pty,command="/bin/false" ssh-rsa <Authentication key>
....
....
....

for more details:
https://www.freebsd.org/cgi/man.cgi?sshd(8)
AUTHENTICATION

The difference between 18.1 and 18.7 must be in the configuration of ssh users or the ssh server.

After additional searching I have seen there is another additional field in 18.7/19.1 (Settings -> Administration -> "Login Group").
Maybe the problem is: if there is a user (in my case user: servicessh) which is not assigned to a group here, no ssh tunneling is possible at all.

I think the big difference between 18.1 and 18.7/19.1 is:
18.1: If a user was not assigned to an OPNsense group, things were handled by the operating system.
18.7: If a user is not assigned to the new "Login group", SSH login for this user is disabled by OPNsense entirely.

There is a login group: WHEEL?
But it is not possible to assign a user to this group. I think it would work if I could assign a user to this WHEEL group -- but how?

regards
siegi
#5
Hallo together,
We have changed our firewall from IPCop to OPNsense 18.1. Everything went smoothly. Congratulations to the developers, really good product.

But after updating to 18.7 the following is no longer possible.
In version 18.1.x
it was possible to "permitopen" ssh traffic to LAN IPs by use of the following settings:

1. create a user in OPNsense, e.g. servicessh
2. do not assign this user to "Member Of"
3. under "Authorized keys" enter a list with users who have direct ssh access from outside to their workstations in the company:
permitopen="10.0.5.24:3389",no-pty,command="/bin/false" ssh-rsa .......t5eTCBiypz56eyQ............== rsa-key-20180708
......
......
......
4. create a corresponding rule WANaddress (8022) -> LAN

------------------------------------------------------------
Now in 18.7.x
there is a new field "shell login",
and whatever you select there (/sbin/nologin, /bin/csh, ...) the above mentioned functionality is no longer possible.

And as we need this, I had to go back to 18.1.13.

Does anybody have an idea how this can be done in 18.7?
I would really appreciate any help.
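The authorized_keys lines shown in posts #4 and #5 only stay safe if every key really carries the permitopen, no-pty and command restrictions. The following audit script is an added example (not from the thread or from OPNsense): it parses such lines, including option values with quoted commas or spaces, and reports keys that would allow more than one RDP tunnel. The sample lines and key blobs are constructed.

```python
"""Audit sshd authorized_keys entries meant for tunnel-only service accounts.
Added example; sample lines below are constructed, not real keys."""

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")


def split_fields(line):
    """Split on whitespace, keeping double-quoted option values intact."""
    fields, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch.isspace() and not quoted:
            if cur:
                fields.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        fields.append("".join(cur))
    return fields


def split_options(opts):
    """Split the option field on commas that are not inside double quotes."""
    parts, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur))
    return parts


def parse_line(line):
    """Return {'options', 'type', 'key', 'comment'} or None for blank/comment lines."""
    fields = split_fields(line.strip())
    if not fields or fields[0].startswith("#"):
        return None
    if fields[0].startswith(KEY_TYPES):          # no option field present
        options, rest = [], fields
    else:
        options, rest = split_options(fields[0]), fields[1:]
    if len(rest) < 2:
        return None
    return {"options": options, "type": rest[0], "key": rest[1],
            "comment": " ".join(rest[2:])}


def audit(line):
    """List what is missing for a key that should open exactly one tunnel."""
    entry = parse_line(line)
    if entry is None:
        return ["unparseable line"]
    opts = {}
    for opt in entry["options"]:
        name, _, value = opt.partition("=")
        opts.setdefault(name, []).append(value.strip('"'))
    findings = []
    if "no-pty" not in opts:
        findings.append("missing no-pty")
    if not opts.get("command"):
        findings.append("missing command= restriction")
    targets = opts.get("permitopen", [])
    if not targets:
        findings.append("no permitopen: key may forward to any host:port")
    for target in targets:                        # host:port, IPv6 in brackets ok
        host, _, port = target.rpartition(":")
        if host in ("*", "") or port in ("*", ""):
            findings.append(f"wildcard permitopen {target}")
    return findings


SAMPLE = [  # constructed lines in the format used in the thread
    'permitopen="10.0.5.24:3389",no-pty,command="/bin/false" ssh-rsa AAAAB3NzaC1yc2EXAMPLE== rsa-key-20180708',
    'permitopen="*:3389",no-pty,command="/bin/false" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLE svc2',
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLE unrestricted key',
]

if __name__ == "__main__":
    for sample in SAMPLE:
        print(parse_line(sample)["comment"], "->", audit(sample) or "ok")
```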