Netgate Discussion Forum

    Best practice ssh server on Lan or DMZ?

      NOYB

      @trumee:

      I could use a VPN, but I will need to ssh into the machine anyway. So won't there be a decrease in performance doing ssh over OpenVPN?

      What you initially said was…
      @trumee:

      I want to be able to access my Lan from outside.

      In the initial post you indicated a desire to access your LAN from outside. Now you seem to be indicating accessing a specific machine from outside. Which is it? A specific machine or the LAN?

        trumee

        A specific machine from outside. My internal LAN is composed of Linux/BSD machines and I need ssh access to these.

          johnpoz LAYER 8 Global Moderator

          So multiple of them… So VPN is the solution.. I ssh to a machine after a VPN all the time.. What do you think you would be doing over an ssh connection, which I use to admin, that would need 100% of your pipe?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            NOYB

            @trumee:

            A specific machine from outside. My internal LAN is composed of Linux/BSD machines and I need ssh access to these.

            Access to all of them is not a specific machine.

            OpenVPN is the route I'd go. Extends the LAN (at IP layer) to wherever you go. And more manageable than machine-specific NAT/Firewall rules.

              KOM

              So won't there be a decrease in performance doing ssh over OpenVPN?

              SSH spends 99.99999% of its time waiting for you.

                Marvho

                In a security aspect, is it better to run an OpenVPN server in a DMZ (additional interface on pfSense, not the LAN one) or on the pfSense itself?

                  johnpoz LAYER 8 Global Moderator

                  So now you have just changed your word from ssh to openvpn and asked the same stupid question.

                  If you only allow VPN clients into your DMZ segment.. How are you going to get to whatever it is you need to do in the LAN?? Dude, think for 2 freaking seconds..

                    Marvho

                    @johnpoz:

                    So now you have just changed your word from ssh to openvpn and asked the same stupid question.

                    If you only allow VPN clients into your DMZ segment.. How are you going to get to whatever it is you need to do in the LAN?? Dude, think for 2 freaking seconds..

                    Was this addressed to me?

                      johnpoz LAYER 8 Global Moderator

                      Did you ask the question? Then YES!!!

                        KOM

                        In a security aspect, is it better to run an OpenVPN server in a DMZ

                        As John said, if you use your DMZ interface for OpenVPN then how will your VPN clients do anything? The point of a DMZ is to allow isolation between your external servers and LAN. Bind OpenVPN to your WAN interface.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.