Netgate Discussion Forum
    Reverse SSH Tunnel

    General pfSense Questions
    4 Posts 2 Posters 3.1k Views
    kapara

      Is it possible to do a reverse SSH tunnel to allow management of the firewall when it is behind a NATted device?  I can do OpenVPN and IPsec but this requires a lot of IP management and set up and all I want to be able to do is manage the firewall remotely.  Again, behind NAT.

      https://openport.io/

      I was looking at this as an option to access all the firewalls but I would need a way to enable reverse SSH tunnel on the pfSense.

      Skype ID:  Marinhd

    kapara

        Found this:  http://www.bsdnow.tv/tutorials/reverse-ssh

        The site generates a public and private key but when I do this I get denied.

        https://sshreach.me

        Do I need to import something into pfSense or FreeBSD?

        ssh -v -fN -R 9000:localhost:10290 root@fw1.sshreach.me
        OpenSSH_7.2p2, OpenSSL 1.0.1s-freebsd  1 Mar 2016
        debug1: Reading configuration data /etc/ssh/ssh_config
        debug1: Connecting to fw1.sshreach.me [139.162.161.211] port 22.
        debug1: Connection established.
        debug1: permanently_set_uid: 0/0
        debug1: Fssh_key_load_public: No such file or directory
        debug1: identity file /root/.ssh/id_rsa type -1
        debug1: Fssh_key_load_public: No such file or directory
        debug1: identity file /root/.ssh/id_rsa-cert type -1
        debug1: Fssh_key_load_public: No such file or directory
        debug1: identity file /root/.ssh/id_dsa type -1
        debug1: Fssh_key_load_public: No such file or directory
        debug1: identity file /root/.ssh/id_dsa-cert type -1
        debug1: Fssh_key_load_public: No such file or directory
        debug1: identity file /root/.ssh/id_ecdsa type -1
        debug1: Fssh_key_load_public: No such file or directory
        debug1: identity file /root/.ssh/id_ecdsa-cert type -1
        debug1: Fssh_key_load_public: No such file or directory
        debug1: identity file /root/.ssh/id_ed25519 type -1
        debug1: Fssh_key_load_public: No such file or directory
        debug1: identity file /root/.ssh/id_ed25519-cert type -1
        debug1: Enabling compatibility mode for protocol 2.0
        debug1: Local version string SSH-2.0-OpenSSH_7.2 FreeBSD-20160310
        debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6
        debug1: match: OpenSSH_6.6 pat OpenSSH_6.5*,OpenSSH_6.6* compat 0x14000000
        debug1: Authenticating to fw1.sshreach.me:22 as 'root'
        debug1: SSH2_MSG_KEXINIT sent
        debug1: SSH2_MSG_KEXINIT received
        debug1: kex: algorithm: ecdh-sha2-nistp256
        debug1: kex: host key algorithm: ecdsa-sha2-nistp256
        debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
        debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
        debug1: sending SSH2_MSG_KEX_ECDH_INIT
        debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
        debug1: Server host key: ecdsa-sha2-nistp256 SHA256:nCeg0Bt8GiwhKOuEf4Q72pWxxjasEIbxm4yRhAqgkos
        DNS lookup error: general failure
        debug1: Host 'fw1.sshreach.me' is known and matches the ECDSA host key.
        debug1: Found key in /root/.ssh/known_hosts:1
        debug1: rekey after 134217728 blocks
        debug1: SSH2_MSG_NEWKEYS sent
        debug1: expecting SSH2_MSG_NEWKEYS
        debug1: rekey after 134217728 blocks
        debug1: SSH2_MSG_NEWKEYS received
        debug1: SSH2_MSG_SERVICE_ACCEPT received
        debug1: Authentications that can continue: publickey
        debug1: Next authentication method: publickey
        debug1: Trying private key: /root/.ssh/id_rsa
        debug1: Trying private key: /root/.ssh/id_dsa
        debug1: Trying private key: /root/.ssh/id_ecdsa
        debug1: Trying private key: /root/.ssh/id_ed25519
        debug1: No more authentication methods to try.
        Permission denied (publickey).


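The verbose log above already contains the answer: every `identity file ... type -1` line means the client found no key at all, so there was nothing to offer when the relay only accepted `publickey`. As an added example (not from this thread, pfSense or OpenSSH), the shell function below classifies such a failure from `ssh -v` output; the key path `/root/.ssh/id_reverse` and the trimmed log excerpts are constructed assumptions.

```shell
#!/bin/sh
# Added example: classify a "Permission denied (publickey)" from `ssh -v` output.
# Prints "<class>: <what to do>", class being no-client-key, key-rejected or other.
diagnose_ssh_log() {
    log="$1"
    if ! printf '%s\n' "$log" | grep -q 'Permission denied (publickey)'; then
        echo "other: not a publickey denial"
        return 0
    fi
    # OpenSSH reports "identity file X type -1" when that file does not exist on
    # the client, and prints "Offering ... public key" only for keys it could load.
    missing=$(printf '%s\n' "$log" | grep -c 'identity file .* type -1' || true)
    offered=$(printf '%s\n' "$log" | grep -c 'Offering .* public key' || true)
    if [ "$offered" -gt 0 ]; then
        echo "key-rejected: a key was sent but is not in the relay account's authorized_keys"
    elif [ "$missing" -gt 0 ]; then
        # Assumed key name; generate with: ssh-keygen -t ed25519 -f /root/.ssh/id_reverse
        echo "no-client-key: no identity file exists; generate one, install its .pub on the relay, pass it with -i /root/.ssh/id_reverse"
    else
        echo "other: publickey denied for a reason not visible in this log"
    fi
}

# Constructed, trimmed excerpt of the log quoted in the post above.
LOG_NO_KEY='debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: Authentications that can continue: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: No more authentication methods to try.
Permission denied (publickey).'

# Constructed log for the other common case: a key exists but is not authorized.
LOG_REJECTED='debug1: identity file /root/.ssh/id_reverse type 3
debug1: Authentications that can continue: publickey
debug1: Offering ED25519 public key: /root/.ssh/id_reverse
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).'

diagnose_ssh_log "$LOG_NO_KEY"
diagnose_ssh_log "$LOG_REJECTED"
```

Since the tunnel in the post logs in to a third-party relay as root, a dedicated unprivileged relay account and a key used only for this tunnel limit what a compromised relay can reach.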
    jimp (Rebel Alliance Developer, Netgate)

          For that sort of thing there isn't any IP management to do in OpenVPN… You just want to hit the GUI/SSH, then just connect to the OpenVPN tunnel network IP address; no need to set up full site-to-site tunnels.

          Only thing you'd have to manage is setting the tunnel network for the VPN, then check the openvpn status to see who lands where.

    kapara

            But is it possible to do a reverse SSH tunnel to be able to manage the firewall rather than using OpenVPN?

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.