Netgate Discussion Forum
    Best practice ssh server on Lan or DMZ?

    Scheduled Pinned Locked Moved Firewalling
    15 Posts 6 Posters 3.3k Views
    • D
      doktornotor Banned
      last edited by

      The question doesn't make sense. You run an SSH server wherever you need SSH access.

      1 Reply Last reply Reply Quote 0
      • T
        trumee
        last edited by

        @johnpoz:

        While yes a ssh tunnel is a poor mans vpn.. Not sure why you don't just setup openvpn?

        I could use a VPN, but I will need to SSH into the machine anyway. So won't there be a decrease in performance doing SSH over OpenVPN?

        1 Reply Last reply Reply Quote 0
        • N
          NOYB
          last edited by

          @trumee:

          I could use a VPN, but I will need to SSH into the machine anyway. So won't there be a decrease in performance doing SSH over OpenVPN?

          What you initially said was…
          @trumee:

          I want to be able to access my Lan from outside.

          In the initial post you indicated desire to access your LAN from outside.  Now you seem to be indicating accessing a specific machine from outside.  Which is it?  A specific machine or the LAN?

          1 Reply Last reply Reply Quote 0
          • T
            trumee
            last edited by

            A specific machine from outside. My internal LAN is composed of Linux/BSD machines and I need SSH access to these.

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by

              So, multiple of them… So VPN is the solution. I SSH to a machine after a VPN all the time. What do you think you would be doing over an SSH connection, which I use to admin, that would need 100% of your pipe?

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              1 Reply Last reply Reply Quote 0
              • N
                NOYB
                last edited by

                @trumee:

                A specific machine from outside. My internal LAN is composed of Linux/BSD machines and I need SSH access to these.

                Access to all of them is not a specific machine.

                OpenVPN is the route I'd go.  Extends the LAN (at IP layer) to wherever you go.  And more manageable than machine specific NAT/Firewall rules.

                1 Reply Last reply Reply Quote 0
                • KOMK
                  KOM
                  last edited by

                  So won't there be a decrease in performance doing SSH over OpenVPN?

                  SSH spends 99.99999% of its time waiting for you.

                  1 Reply Last reply Reply Quote 0
                  • M
                    Marvho
                    last edited by

                    From a security aspect, is it better to run an OpenVPN server in a DMZ (additional interface on pfSense, not the LAN one) or on the pfSense itself?

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      So now you have just changed your word of SSH to OpenVPN and asked the same stupid question.

                      If you only allow VPN clients into your DMZ segment, how are you going to get to whatever it is you need to do in the LAN?? Dude, think for 2 freaking seconds..


                      1 Reply Last reply Reply Quote 0
                      • M
                        Marvho
                        last edited by

                        @johnpoz:

                        So now you have just changed your word of SSH to OpenVPN and asked the same stupid question.

                        If you only allow VPN clients into your DMZ segment, how are you going to get to whatever it is you need to do in the LAN?? Dude, think for 2 freaking seconds..

                        Was this addressed to me?

                        1 Reply Last reply Reply Quote 0
                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by

                          Did you ask the question? Then YES!!!


                          1 Reply Last reply Reply Quote 0
                          • KOMK
                            KOM
                            last edited by

                            From a security aspect, is it better to run an OpenVPN server in a DMZ

                            As john said, if you use your DMZ interface for OpenVPN then how will your VPN clients do anything? The point of a DMZ is to allow isolation between your external servers and the LAN. Bind OpenVPN to your WAN interface.

                            1 Reply Last reply Reply Quote 0
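                            The layout the thread converges on (OpenVPN bound to WAN, VPN clients passed into the LAN, DMZ kept away from the LAN, no per-host SSH port forwards) written out as a raw pf ruleset. This is an added illustration, not anything posted in the thread and not pfSense's generated rules; interface names, subnets and the tunnel port are assumed.

```pf
# Assumed interface names and subnets (pfSense fills these in for you)
wan  = "em0"
lan  = "em1"
dmz  = "em2"
ovpn = "ovpns1"          # OpenVPN server tun interface on the firewall

lan_net = "192.168.1.0/24"
dmz_net = "192.168.50.0/24"
vpn_net = "10.8.0.0/24"  # tunnel network handed out to VPN clients

# Default deny inbound on every interface; the pass rules below are the whole policy.
block in all

# 1. OpenVPN listens on the WAN address, so the only inbound port exposed to the
#    Internet is the tunnel listener. SSH on LAN hosts is never directly reachable.
pass in on $wan proto udp from any to ($wan) port 1194

# 2. Authenticated VPN clients arrive on the tun interface and are let into the LAN.
#    Restricted to SSH here; widen it if the VPN should extend the whole LAN.
pass in on $ovpn proto tcp from $vpn_net to $lan_net port 22

# 3. DMZ isolation: Internet-facing hosts may reach the Internet but not the LAN.
#    This is exactly why a VPN server homed on the DMZ could not reach LAN machines.
block in on $dmz from $dmz_net to $lan_net
pass  in on $dmz from $dmz_net to ! $lan_net

# 4. LAN hosts may go anywhere (outbound NAT would be a separate nat-on rule).
pass in on $lan from $lan_net to any

# What the VPN replaces: one rdr per LAN host to expose SSH individually, e.g.
#   rdr on $wan proto tcp from any to ($wan) port 2201 -> 192.168.1.11 port 22
#   rdr on $wan proto tcp from any to ($wan) port 2202 -> 192.168.1.12 port 22
# Each such line is one more listener on the WAN and one more rule to keep in sync.
```

pf evaluates last-matching rule wins, so the later `pass` lines override the initial `block in all` only for the traffic they name.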
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.