Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
22.7 Legacy Series
»
SSH Proxy / Jump Host
« previous
next »
Print
Pages: [
1
]
Author
Topic: SSH Proxy / Jump Host (Read 3533 times)
SkeelKat
Newbie
Posts: 30
Karma: 0
SSH Proxy / Jump Host
«
on:
January 23, 2023, 01:22:40 pm »
Has anyone ever attempted to use OPNsense as a SSH Proxy / Jumphost?
Currently I forward port 22 from my GEO Location to a Linux server on the network and then jump the SSH session from there to other hosts in the network. But if I have active SSH connections via this server and I bounce that server, all other connections are lost.
Would be great if OPNsense itself could be the Jumphost.
Logged
user_with_name
Newbie
Posts: 12
Karma: 0
Re: SSH Proxy / Jump Host
«
Reply #1 on:
February 05, 2023, 08:29:07 pm »
isn't this what tailscale or zerotier plugin or vpn config enanles opnsense to act as jump host ?
Logged
SkeelKat
Newbie
Posts: 30
Karma: 0
Re: SSH Proxy / Jump Host
«
Reply #2 on:
February 06, 2023, 12:42:05 pm »
Can be done via VPN yes.
However, I want to allow SSH access to Linux hosts behind the firewall without VPN, and restrict them in the firewall rules using the source directive in the rule.
I managed to get this going by simply allowing SSH to "This Firewall" on the WAN Rule, using SSH Key, I connect to the Firewall and then connect to the Linux host on the LAN.
Logged
user_with_name
Newbie
Posts: 12
Karma: 0
Re: SSH Proxy / Jump Host
«
Reply #3 on:
February 07, 2023, 10:56:16 am »
I would be hesitant to have ssh to the firewall from wan without a lot restrictions. Instead, i would setup a tightly controlled management device behind opnsense and allow ssh to this device and use it as a jumphost only via ssh keys.
But, since the setup which you have implemented already works for you, you can keep track of it and try out for few weeks.
Logged
SkeelKat
Newbie
Posts: 30
Karma: 0
Re: SSH Proxy / Jump Host
«
Reply #4 on:
February 07, 2023, 12:42:40 pm »
I did not take the decision lightly. But the connection on TCP/22 is controlled via GeoIP source only from my country, which is quite small and does not have a lot of people that know what SSH is.
Access to Firewall is done via 4096bit RSA Key & all machines behind it uses its own 4096bit RSA key, with password auth disabled.
Confident that this setup is secure enough for my setup
Logged
Patrick M. Hausen
Hero Member
Posts: 6854
Karma: 575
Re: SSH Proxy / Jump Host
«
Reply #5 on:
February 07, 2023, 12:50:49 pm »
What's the problem with open SSH access? I could not manage my data centre without.
Disable password authentication.
Disable root login (default).
Enable public key authentication only.
If you are paranoid about your key being stolen, use e.g. a Yubikey.
As secure as any VPN technology. Only no access at all I would consider "more secure". See:
http://www.ranum.com/security/computer_security/papers/a1-firewall/index.html
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
22.7 Legacy Series
»
SSH Proxy / Jump Host