Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
18.1 Legacy Series
»
webGUI access & VPNs
« previous
next »
Print
Pages: [
1
]
Author
Topic: webGUI access & VPNs (Read 6519 times)
seamus
Jr. Member
Posts: 80
Karma: 1
webGUI access & VPNs
«
on:
February 13, 2018, 02:32:11 am »
I've just upgraded my firewalls from pfSense to OPNsense. I'm struggling with two items, one of which I struggled with using pfSense also. Without further ado:
Requirement 1. I need to do remote administration of my firewalls. I understand there is some risk associated with this, but I simply have no (practical) choice.
Requirement 2. I need to be able to use the VPN feature to actually connect to hosts behind my firewall... this is the only real value of the VPN for me in this context.
Question #1: Can I use the VPN to connect to the webGUI via the LAN port (instead of a direct connect ot the WAN port)?
Question #2: Alternatively, could/should I use SSH to access the webGUI through an "SSH tunnel"?
Question #3: Once I have the VPN (OpenVPN) working, what other steps must I take to gain access to my internal hosts?
Logged
elektroinside
Hero Member
Posts: 574
Karma: 51
Re: webGUI access & VPNs
«
Reply #1 on:
February 13, 2018, 06:14:12 am »
I also remotely manage my firewalls, also directly or via VPN.
Question #1: yes, via VPN
Question #2: why?
Question #3: Nothing, that's the point in using VPNs. Just follow this:
https://docs.opnsense.org/manual/how-tos/sslvpn_client.html
If you are setting up VPN, you can secure authentication with 2FA and also security certificates. If you want to further enhance security, make yourself a
DDNS for the VPN client
, with
https://www.duckdns.org/
for example. Create an alias in the firewall for it and allow access to the webgui and/or the VPN port only for that alias (don't forget to verify the alias update/resolving interval in OPNsense). Whenever you need access, fire up the duckdns updater on the client, wait a bit for the firewall to resolve the new ip (the frequency you configured in OPNsense), then connect. I am assuming that wherever you need access from (the client), there are no static public IPs and that's why you need DDNS and aliases
«
Last Edit: February 13, 2018, 06:48:40 am by elektroinside
»
Logged
OPNsense v18
| HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s
Team Rebellion Member
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: webGUI access & VPNs
«
Reply #2 on:
February 13, 2018, 09:01:33 am »
To clarify upon #2: you only ever want SSH port forwarding through WAN if your VPN fails in order to bring it back.
Cheers,
Franco
Logged
elektroinside
Hero Member
Posts: 574
Karma: 51
Re: webGUI access & VPNs
«
Reply #3 on:
February 13, 2018, 09:17:19 am »
Indeed, but he is talking about SSH tunneling (if I'm not mistaken, he refers to making a SOCKS proxy out of the SSH connection) and that's definitely not the same as a VPN
Logged
OPNsense v18
| HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s
Team Rebellion Member
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: webGUI access & VPNs
«
Reply #4 on:
February 13, 2018, 09:27:01 am »
Sure, it can mean different things. SSLH is also interesting.
Cheers,
Franco
Logged
Julien
Hero Member
Posts: 666
Karma: 33
Re: webGUI access & VPNs
«
Reply #5 on:
February 13, 2018, 11:35:30 pm »
Quote from: franco on February 13, 2018, 09:27:01 am
Sure, it can mean different things. SSLH is also interesting.
Cheers,
Franco
SSLH is a SSL Franco ?
I have been thinking to use this in order to get the firewall up in case the VPN tunnel failed.
Logged
OPNsense 23.1.7_3-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1t 7 Feb 2023
seamus
Jr. Member
Posts: 80
Karma: 1
Re: webGUI access & VPNs
«
Reply #6 on:
February 14, 2018, 08:59:30 am »
Following the "HOW-TO" for "Setup SSL VPN Road Warrior"... Everything was progressing as expected, until the step called "Adding a User"; specifically these instructions:
Click Save and you will be redirected to the User page. Now we will activate your newly created seed with Google Authenticator. To do so click in the (i) symbol on the left of OTP seed now you will see a link to the google authenticator image.
Unfortunately, clicking the 'i' symbol specified does nothing! No link is presented. I've attached a partial screen shot of the relevant area.
Any ideas??
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
18.1 Legacy Series
»
webGUI access & VPNs