Reverse SSH Tunnel

kapara

Is it possible to do a reverse SSH tunnel to allow management of the firewall when it is behing a natted device?  I can do openvpn and ipsec but this requires alot of IP managment and set up and all I want to be able to do is manage the firewall remotely.  Again behind NAT.

https://openport.io/

I was looking at this as an option to access all the firewalls but I would need a way to enable reverse SSH tunnel on the pfSense.

kapara

Found this:  http://www.bsdnow.tv/tutorials/reverse-ssh

The site generates a public and private key but when I do this I get denied.

https://sshreach.me

Do I need to import something into pfsense or freebsd?

ssh -v -fN -R 9000:localhost:10290 root@fw1.sshreach.me
OpenSSH_7.2p2, OpenSSL 1.0.1s-freebsd  1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to fw1.sshreach.me [139.162.161.211] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2 FreeBSD-20160310
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6
debug1: match: OpenSSH_6.6 pat OpenSSH_6.5*,OpenSSH_6.6* compat 0x14000000
debug1: Authenticating to fw1.sshreach.me:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit   ="">compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit   ="">compression: none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:nCeg0Bt8GiwhKOuEf4Q72pWxxjas                                                                                                                    EIbxm4yRhAqgkos
DNS lookup error: general failure
debug1: Host 'fw1.sshreach.me' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).</implicit ></implicit >

jimp

For that sort of thing there isn't any IP management to do in OpenVPN… You just want to hit the GUI/ssh then just connect to the OpenVPN tunnel network IP address, no need to setup full site-to-site tunnels.

Only thing you'd have to manage is setting the tunnel network for the VPN, then check the openvpn status to see who lands where.

kapara

But is it possible to do a reverse ssh tunnel to be able to manage the firewall rather than using openvpn?