PfSense default install to phone home for remote access - anything built-in?
-
Hi,
I would like my pfSense boxes to phone home (over SSL) so I can have access to them even if they are behind a firewall - something similar to TeamViewer, or even WebUI and SSH access would do. I may have a box in default config on a customer site, so I need this to be part of the default configuration (not VPN etc., as that comes secondary).
Anything like that - or close to that - built into pfsense?
If not, what is the most basic way to approach this? I am thinking of having a server that would listen for TCP SSL requests and simply keep a connection on all the time for me to connect to the box. This would only be a shell script, so it can be easily added to the default image. What do you think?
Thanks,
-
I usually put a LogMeIn agent on a customer machine to provide that kind of remote support. Much easier to set and forget.
-
I usually put a LogMeIn agent on a customer machine to provide that kind of remote support. Much easier to set and forget.
Yes, that works for me as well. However, I have a few of these in the field now and it would be nice to get some sort of control over them for various functions including graphs, uptime, and controls like this. But mostly, I am looking for WebUI access.
Sometimes the customer doesn't know anything about cables and where to plug things in, and it becomes very time consuming when pfSense is downstream of an ISP modem.
-
No good answer for fixing users.
I've shot myself in the foot by reconfiguring or updating a router while not onsite. Makes what I thought would be a quick remote task turn into a 3-hour unplanned onsite visit because the router decided to hate me that day.
-
I've shot myself in the foot by reconfiguring or updating a router while not onsite. Makes what I thought would be a quick remote task turn into a 3-hour unplanned onsite visit because the router decided to hate me that day.
Correct, hence I am looking to put in a very simple centralized control system which would allow me SSH access or WebUI access so I can pump config files etc. This will be secure because it will connect to my servers… anyway, if I make a script for this, I will post it here.
-
Perhaps something with openvpn? Can one configure a pfSense instance to be a road warrior client?
-
Just a thought, but what's wrong with setting up the remote site's pfSense with an OpenVPN client back to "home".
Hah, look at that, I'm too slow again; almabes beat me to it.
There's no need to use a RoadWarrior setup (although you could) the site to site works well.
You just need to setup the OpenVPN "server" at the home base and establish the "client" at the remote site.
I've made that work more than once when stuck behind a corporate firewall.
At idle the link is not particularly bandwidth hungry, and it can be configured to use TCP and/or some standardized port(s) if the powers that be think it shouldn't be allowed. It wouldn't help if your pfSense box went down, but then a phone home script running under pfSense wouldn't either.
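The site-to-site layout divsys describes, written out as OpenVPN directives. This is an added example for the thread, not configuration from the original posts or from pfSense itself; the hostname home.example.net, the site name remote-site-1, TCP port 443 and the subnets 10.8.0.0/24 (tunnel) and 192.168.50.0/24 (remote LAN) are assumptions. On pfSense these same settings are entered in the OpenVPN server and client pages (the GUI generates the directives); they are shown here so the mapping between the two sides is explicit.

```conf
# ---- home base: OpenVPN server ----
# TCP 443 (assumed) so the tunnel passes through filters that only allow HTTPS.
port 443
proto tcp-server
dev tun
topology subnet
# tunnel network (assumed)
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# packets not signed with the shared HMAC key are dropped before the TLS handshake
tls-auth ta.key 0
# only accept certificates issued for client use
remote-cert-tls client
# ping every 10 s; restart the link if silent for 60 s (covers a dead peer)
keepalive 10 60
persist-key
persist-tun
# per-site settings, keyed on the client certificate CN
client-config-dir ccd
# kernel route for remote-site-1's LAN (assumed), so the home side can reach it
route 192.168.50.0 255.255.255.0

# ---- home base: file ccd/remote-site-1 (named after the client cert CN) ----
# iroute 192.168.50.0 255.255.255.0
# (tells OpenVPN which connected client owns that LAN)

# ---- remote pfSense: OpenVPN client ----
client
dev tun
proto tcp-client
# assumed hostname of the home base
remote home.example.net 443
# keep retrying DNS if the WAN comes up after OpenVPN starts
resolv-retry infinite
# back off between 5 s and 60 s between connection attempts
connect-retry 5 60
nobind
persist-key
persist-tun
# refuse a peer that presents a client certificate (MITM check)
remote-cert-tls server
ca ca.crt
cert remote-site-1.crt
key remote-site-1.key
tls-auth ta.key 1
verb 3
```

Two points worth noting for the concern raised later in the thread about factory defaults: everything that describes the remote LAN (the route and the iroute) lives on the home server, so the only state the remote box has to carry is its certificate, key, ta.key and this client file; and keepalive together with connect-retry is what makes the client re-establish the tunnel by itself after a WAN drop rather than waiting for someone to restart the service.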
-
I have openvpn site-to-site set up to several customer networks, it works great.
-
…
If not, what is the most basic way to approach this?
...Reverse approach: distribute, don't centralize. Customer safety first.
Install an SSH server and VNC server on a LAN box at the customer site (server mode/always on). Remote in, through pfSense (beware of lock-out), with an SSH client port-forwarding VNC to you. Once in, use a browser on that LAN box to go to pfSense, or ssh to pfSense.
-
Just a thought, but what's wrong with setting up the remote site's pfSense with an OpenVPN client back to "home".
Thanks for the input, both Almabes and divsys.
OpenVPN is great, but it's the last option I will consider, for a few reasons:
- The service can go down and not re-spawn (I have seen this happen in different versions of pfSense)
- I am assuming the setup would be very complicated, given you have to script for different types of hardware due to naming conventions in WAN interface names, and simply keys etc…
- OpenVPN needs directives like local LAN IPs etc. that cannot be dynamic and must be pushed through the tunnel to the other side to allow the other side to reach it, so when a factory default is done it can be rendered useless.
So, for the many reasons above, I can see this getting very complicated. I was hoping for something really, really simple that would open a tunnel to SSH or the WebUI for quick access, even if it's something I have to script or get my programmers to program.
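A minimal version of the phone-home script the thread keeps coming back to (the "keep a connection on all the time" idea in the first post and the request for a simple SSH/WebUI tunnel in the last one): a reverse SSH tunnel from the pfSense box to a management host, kept up by a retry loop with backoff. This is an added example, not code from the thread or from pfSense; the host mgmt.example.net, the unprivileged tunnel account, the key path, the SITE_ID port scheme and the choice of port 443 for sshd are all assumptions. It is written for /bin/sh on pfSense (FreeBSD), with a Linux fallback in the key-permission check.

```shell
#!/bin/sh
# phone-home.sh: keep a reverse SSH tunnel from this pfSense box to a management
# host so the box's SSH (22) and WebGUI (443) are reachable from that host even
# when the box sits behind NAT or an ISP modem.
# Added example for the forum thread, not pfSense code. All hosts, ports and
# paths below are assumptions; adjust to your environment.

HOME_HOST="${HOME_HOST:-mgmt.example.net}"    # assumed management host
HOME_PORT="${HOME_PORT:-443}"                  # sshd there listens on 443 to look like HTTPS
HOME_USER="${HOME_USER:-tunnel}"               # unprivileged, tunnel-only account
KEY="${KEY:-/root/.ssh/phone_home_ed25519}"    # one key per site, never shared
KNOWN_HOSTS="${KNOWN_HOSTS:-/root/.ssh/phone_home_known_hosts}"  # pinned host key
SITE_ID="${SITE_ID:-3}"                        # unique per site; selects remote ports

# Each site gets its own loopback-only ports on the management host:
# 22000+id -> this box's SSH, 44000+id -> this box's WebGUI.
remote_ssh_port() { echo $((22000 + $1)); }
remote_gui_port() { echo $((44000 + $1)); }

# Build the ssh command line. Kept as a function so it can be inspected
# (and tested) without opening a connection.
#  -N -T              no command, no tty: forwarding only
#  BatchMode          never prompt; fail instead (no human is at this end)
#  StrictHostKeyChecking + pinned known_hosts: a changed key aborts, no MITM
#  ExitOnForwardFailure: if the remote port is already taken (stale session),
#                     exit so the loop retries instead of sitting there idle
#  ServerAlive*       detect a silently dead link within ~90 s
build_tunnel_cmd() {
    site="$1"
    printf 'ssh -N -T -p %s -i %s -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 127.0.0.1:%s:127.0.0.1:22 -R 127.0.0.1:%s:127.0.0.1:443 %s@%s' \
        "$HOME_PORT" "$KEY" "$KNOWN_HOSTS" \
        "$(remote_ssh_port "$site")" "$(remote_gui_port "$site")" \
        "$HOME_USER" "$HOME_HOST"
}

# Exponential backoff capped at 5 minutes: a dead home server is not hammered
# and a flapping WAN does not turn into a tight loop.
next_delay() {
    d=$(( $1 * 2 ))
    if [ "$d" -gt 300 ]; then d=300; fi
    echo "$d"
}

# Refuse a key that is readable by others: ssh refuses it too, and the loop
# would otherwise spin forever. FreeBSD/macOS stat vs GNU stat.
key_is_private() {
    case "$(uname -s)" in
        FreeBSD|Darwin) mode=$(stat -f '%Lp' "$1" 2>/dev/null) ;;
        *)              mode=$(stat -c '%a' "$1" 2>/dev/null) ;;
    esac
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

run_loop() {
    delay=5
    while :; do
        if key_is_private "$KEY"; then
            eval "$(build_tunnel_cmd "$SITE_ID")"
            rc=$?
            # ssh returned: forward failed, host key mismatch, auth failure or link dropped
            logger -t phone-home "tunnel exited (rc=$rc), retry in ${delay}s"
        else
            logger -t phone-home "refusing to use $KEY: mode must be 600 or 400"
        fi
        sleep "$delay"
        delay=$(next_delay "$delay")
    done
}

# Start the loop only when executed as phone-home.sh, not when sourced.
case "$0" in
    *phone-home.sh) run_loop ;;
esac
```

On the management host, lock the tunnel account's authorized_keys entry down so a stolen site key can only open its own reverse ports and nothing else, e.g. `restrict,port-forwarding,permitlisten="22003",permitlisten="44003" ssh-ed25519 AAAA...` (permitlisten needs OpenSSH 7.8 or later; with the default GatewayPorts no, the forwarded ports bind to loopback only). To reach site 3 you then run `ssh -p 22003 root@127.0.0.1` on the management host, or from your workstation `ssh -L 8443:127.0.0.1:44003 mgmt.example.net` and browse to https://localhost:8443. The trade-off the "distribute, don't centralize" reply points at still applies: whoever controls the management host can reach every site, so it deserves at least the same hardening as the firewalls behind it.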