Custom SSH Reverse Tunnel Configuration ??

Started by dazz, March 28, 2022, 02:23:02 AM

Hi
I am aiming to migrate to opnsense from an obsolete Linux based firewall software.  I had a custom ssh setup to allow headless clients to initiate reverse ssh tunnels that ended in the firewall.  The comms links are slow, unreliable and with low traffic budgets.    VPNs and stunnel do not meet my requirements.

I have looked through the opnsense documentation, and done a search on the forum.  I think I should be able to do what I need to do, but I am not sure. I do not want to spend time/effort trying things out if there is reason (that I don't yet know about) why it won't work on opnsense.

The steps I need to complete are summarized below:

  • Add a new user with a specific configuration.
  • Configure the SSH server on the opnsense firewall.
  • Configure a dynamic DNS service for the firewall.
  • Add a new rule that forwards traffic from a port (ideally only ssh traffic) to the user "tunnel".
As far as I can tell, I can do all of this on opnsense, but I don't want to go down the rabbit hole without being reasonably confident I can make the changes I need to make.

Some details (not all) of the basic setup required on the firewall are included below. My full record of instructions exceeds 10 pages.

Add Crippled User
Add a user in the firewall that can't do anything. This user exists to define a Tunnel end point.
# useradd tunnel -m -d /home/tunnel -s /bin/true
with options:
-m      create the user's home directory
-d      home directory of the user account
-s      login shell of the account; -s /bin/true gives no shell access
https://unix.stackexchange.com/questions/193066/how-to-unlock-account-for-public-key-ssh-authorization-but-not-for-password-aut
Disable password-based access to the tunnel account while allowing SSH access with (as root):
# usermod -p '*' tunnel

Create SSH Keys for the user "tunnel"
Remote clients set up an ssh Tunnel that connects with and ends at user "tunnel"
# ssh-keygen, and then root copies the keys into /home/tunnel/.ssh/

Add Dynamic DNS
Configure a dynamic DNS service to allow remote devices to find the correct IP address.

Configure Firewall SSH

Configure SSH
In the  file /etc/ssh/sshd_config:
Add the port numbers, different for each remote device:
# port number for ssh access.
Port 8022
# port for remote box
Port 12345
# The server disconnects after this time if the user has not
# successfully logged in.  Default is 120s
LoginGraceTime 30s
# RSAAuthentication is a protocol 1 option; OpenSSH 7.4 and later ignore it
# with a "Deprecated option" warning.  PubkeyAuthentication is what applies.
RSAAuthentication yes
PubkeyAuthentication yes
AllowTcpForwarding yes

# to allow remote hosts to connect to local forwarded ports.
GatewayPorts yes

# ExitOnForwardFailure is a client-side ssh_config option, not an sshd option:
# sshd rejects it as "Bad configuration option" and refuses to start.
# Set it in the ssh/autossh client config on the remote device instead.
#ExitOnForwardFailure yes

# Specifies whether tun network device forwarding is allowed. Not used for MyBox.
PermitTunnel no

# Disable password logon once key-pair authentication is confirmed to be working
PasswordAuthentication no

# Set the time for a dead connection to terminate for 4 x 45s = 180s = 3min
ClientAliveCountMax 4
ClientAliveInterval 45

Firewall Rule for Pinhole
Create a pinhole in the firewall to accept and forward all traffic from (say) port 12345 to user "tunnel". Note that this single pinhole allows for multiple ssh Tunnels from the local/remote client.
I set up a reverse Tunnel from the remote client to the firewall.

Local Client Connects to tunnel
Terminating the Tunnel inside the firewall allows me to create an ssh Tunnel from any local machine behind the firewall to the Tunnel connection point. I create a Tunnel from the local machine to the Tunnel entrance in the firewall. That gives me a continuous Tunnel from the local machine to the remote machine.

I use PuTTY to SSH connect with user "tunnel" and the data Tunnel end point in the firewall.
I use PuTTY to then SSH from the local user right through to the CLI of the remote device.

With autossh running on the remote devices, reverse tunnels are automatically initiated and maintained over unreliable, low grade comms links.    This setup specifically allows me to communicate with remote devices connected via a mobile wireless network.  These mobile networks have firewalls to keep unsolicited internet traffic out of the wireless networks.
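An added hardening example, not part of dazz's post: a per-user Match block in standard OpenSSH sshd_config syntax that confines user "tunnel" to exactly the two forwards this design uses (the remote device's -R reverse tunnel and the LAN client's -L hop to it), instead of relying only on the /bin/true shell. The reverse-tunnel port 2222 and the remote device's sshd on port 22 are assumptions (the post does not name them); PermitListen needs OpenSSH 7.8 or later, and the global settings from the post stay as they are.

```text
# Overrides for the tunnel endpoint user only; everything above this block
# keeps the post's global values (Port, ClientAlive*, etc.).
Match User tunnel
    # Key-only: no password or keyboard-interactive prompts for this account.
    PubkeyAuthentication yes
    PasswordAuthentication no
    KbdInteractiveAuthentication no

    # Remote devices run something like:
    #   autossh -N -p 12345 -R 2222:localhost:22 tunnel@<firewall-dyndns-name>
    # 2222 (firewall side) and 22 (remote device's sshd) are assumed ports.
    # Only that one reverse listener may be created, and only on loopback.
    PermitListen localhost:2222
    # The global "GatewayPorts yes" would bind the reverse port on every
    # interface; keep it on loopback for this user so nothing outside the
    # firewall can reach the remote device's SSH directly.
    GatewayPorts no

    # LAN clients (ssh -L or PuTTY) may only hop to that reverse-forwarded
    # port; the destination must be given as localhost:2222, nothing else.
    PermitOpen localhost:2222

    # Local (-L) and remote (-R) TCP forwarding only.
    AllowTcpForwarding yes
    AllowStreamLocalForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no

    # No interactive session even if a client asks for one
    # (/usr/sbin/nologin is the FreeBSD path, as on OPNsense).
    PermitTTY no
    ForceCommand /usr/sbin/nologin
```

Check the merged file with `sshd -t -f <file>` before reloading: it reports unknown or client-only keywords (such as ExitOnForwardFailure) that would otherwise stop sshd from starting.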