Netgate Discussion Forum

ssh noob question

General pfSense Questions
13 Posts, 3 Posters, 1.3k Views
S762:

First post... I’m completely NEW to pfSense, tomorrow will be one week. The install and setup went nicely and I was able to use the OpenVPN wizard to create and export certs for my phone and laptop, and I've been testing for a few days and it seems to be working without issue.

I know this is not advisable, but my dilemma is I’m also trying to set up SSH via PuTTY over the WAN. I enabled it on the System / Advanced / Admin Access page and created keys with PuTTYgen, and it works over the LAN, but it’s a no go for the WAN. I know this has probably been answered a million times and I looked, but I'm not making any headway, so could I get some guidance on this one? Is there something else required?

I tested the OpenVPN and SSH from an outside network, so I know OpenVPN is working and SSH is not. I tried various ports such as the default 22, then 2222, 443 and 8443, and can’t establish a connection from two different outside networks. Thanks for any assistance.

JKnott:

        Have you set up the firewall rules to pass TCP port 22 to pfSense? You can do a port scan at www.grc.com to see if port 22 is open.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

johnpoz (LAYER 8 Global Moderator):

Are you wanting to ssh to pfSense or something behind pfSense? Why would you not just ssh through your VPN connection to whatever it is, be it pfSense or something behind pfSense?

If you're trying to port forward to something behind pfSense, just follow the port forwarding troubleshooting guide:
https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html

You do understand that while the OpenVPN wizard will create the WAN rules for you, and normally port forwarding does as well. We need to understand exactly what you're trying to do. At first you just wanted to access the pfSense WAN IP via ssh, but then you bring up that you tried to port forward, so not sure what you're trying to do. You state you turned on ssh in pfSense, so that points to pfSense.

Allowing access to the pfSense WAN IP for ssh is as simple as a firewall rule on your WAN allowing dest port 22 (or whatever port you're listening on for ssh) to WAN address.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

JKnott @johnpoz:

@johnpoz said in ssh noob question:

> Why would you not just ssh through your vpn connection to whatever it is be pfsense or something behind pfsense?

            You might want to reach pfSense from a device that doesn't have a VPN available.


S762:

First off, thank you both for taking the time to answer. My reason to enable ssh is that occasionally when we go out of town I remote into my home desktop system. Some locations block OpenVPN, so I would use ssh, PuTTY and an authorized key file on port 443 for access. I've been doing it this way for years with dd-wrt and it's always worked, but then I started disabling ssh and using OpenVPN. On dd-wrt I could see all the attempts in the log file to access 443, so I started using OpenVPN and prefer it, but I still would like to see ssh work even if OpenVPN is the main vehicle for RDP. I guess pfSense is not as forgiving as dd-wrt. Thanks for the feedback, I’ll explore it further based on your replies.

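S762 mentions watching the dd-wrt log fill with attempts against the exposed port; the same review is worth doing on pfSense once sshd is reachable from the WAN, because the WAN pass rule admits the whole internet to the listener, and only the key requirement stands between it and a login. The script below is an added example for this thread, not code from the thread or from the pfSense project. It parses constructed OpenSSH auth-log lines of the kind sshd writes to syslog, counts failed connections per source address (deduplicated by client port, since one rejected connection can produce several log lines), flags addresses that cross a threshold inside a time window, and lists successful logins for review. The log lines, addresses, threshold and window are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH syslog format; addresses are documentation ranges, not real data.
SAMPLE_LOG = """\
Jan 10 03:12:40 pfSense sshd[4021]: Invalid user admin from 203.0.113.5 port 51230
Jan 10 03:12:41 pfSense sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 51230 ssh2
Jan 10 03:12:44 pfSense sshd[4023]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 03:12:47 pfSense sshd[4025]: Connection closed by authenticating user root 203.0.113.5 port 51236 [preauth]
Jan 10 03:13:02 pfSense sshd[4027]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 03:13:09 pfSense sshd[4029]: Failed password for admin from 203.0.113.5 port 51244 ssh2
Jan 10 03:20:15 pfSense sshd[4101]: Accepted publickey for admin from 198.51.100.7 port 40001 ssh2: ED25519 SHA256:constructedfingerprint
Jan 10 03:25:00 pfSense sshd[4150]: Failed password for root from 192.0.2.9 port 33000 ssh2
"""

# Patterns for the failure and success lines sshd emits; each captures user, client IP and client port.
FAILURE_PATTERNS = [
    re.compile(r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"),
    re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"),
    re.compile(r"Connection closed by authenticating user (?P<user>\S+) (?P<ip>[\d.]+) port (?P<port>\d+)"),
]
ACCEPT_PATTERN = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)")
TIMESTAMP = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")


def parse_line(line):
    """Return (timestamp, kind, user, ip, port) for an auth event, or None for other lines.
    Syslog timestamps carry no year, so the datetime is only used for time differences."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    a = ACCEPT_PATTERN.search(line)
    if a:
        return (ts, "accept", a["user"], a["ip"], int(a["port"]))
    for pat in FAILURE_PATTERNS:
        f = pat.search(line)
        if f:
            return (ts, "fail", f["user"], f["ip"], int(f["port"]))
    return None


def summarize(log_text, threshold=4, window=timedelta(minutes=10)):
    """Count failed connections per source IP (one per client port, so a connection that
    logs both 'Invalid user' and 'Failed password' counts once) and flag IPs with at least
    `threshold` failures inside any `window`. Also return the successful logins."""
    failures = defaultdict(dict)  # ip -> {client_port: timestamp of first failure line}
    accepted = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, kind, user, ip, port = ev
        if kind == "accept":
            accepted.append((user, ip))
        else:
            failures[ip].setdefault(port, ts)
    flagged = {}
    for ip, conns in failures.items():
        times = sorted(conns.values())
        # Sliding window: does any run of `threshold` consecutive failures fit inside `window`?
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = len(times)
                break
    return flagged, accepted


if __name__ == "__main__":
    flagged, accepted = summarize(SAMPLE_LOG)
    for ip, count in flagged.items():
        print(f"{ip}: {count} failed connections inside the window, review and consider blocking")
    for user, ip in accepted:
        print(f"accepted login: {user} from {ip}")
```

On the sample, 203.0.113.5 is flagged with five distinct failed connections in under a minute, while 192.0.2.9 with a single failure is not; the one accepted login is listed so it can be compared against the addresses you actually expect to log in from.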
johnpoz (LAYER 8 Global Moderator):

@s762 said in ssh noob question:

> Some locations block ovpn

That is why you listen on 443 tcp ;) Never found a spot where that has been blocked. And OpenVPN, when running TCP on a common port, even works over a proxy. I use it pretty much every single day from work that way ;)

If you want ssh to listen on 443, ok, then again just set up your WAN firewall rules to allow traffic to your WAN IP on the port you're listening on. If you want to ssh on 443, you're not going to be listening on 443 for your webgui, so make sure you change that to use, say, port 8443.

                But to be honest openvpn on tcp 443 is better than just ssh on 443.


S762:

I’m just a pfSense noob and never will understand all of the under-the-hood stuff, so I'm grateful for you guys. Thank you both, success! I ran over to Starbucks for the outside network access and was able to connect via ssh. But now johnpoz has me thinking, do I try and redo OpenVPN with port 443? I guess that would kind of be the best of both worlds. Would that be just a matter of re-running the wizard? If so, I guess I could back up the config just in case it goes wrong so I don't lose my gains so far...

JKnott:

                    The only place I've come across where OpenVPN is blocked is the local library/community centres. They seem to allow only browsers. Also, it's not a good idea to use TCP for a VPN if you can avoid it. This is because TCP has flow control and when you have flow control on top of flow control, the 2 levels might conflict.


S762:

Thanks JKnott, I’ll just leave it as is since it's working and that's how I had dd-wrt set up. Mission accomplished; next adventure is to find a replacement for Pi-hole so I could remove my Raspberry Pi…

johnpoz (LAYER 8 Global Moderator):

Why do you need to redo anything? You can run as many instances of OpenVPN as you want... I have one that listens on 443, and another on standard udp 1194. You could really have as many as you wanted as long as the ports do not conflict with other services you want to listen on, etc.

Pretty much every single workplace you go to will have 1194 udp blocked, that is pretty much a given. Most enterprise networks would block all outbound traffic like that; good luck getting a udp session over the proxy they hand out ;) As to flow control conflicting: no, sorry, not going to be an issue. Is tcp going to be as fast as your udp connection? No, probably not, but it works just fine. Just set it up as a fallback is what I say. I normally try udp 1194, but if it fails it's two clicks to connect to the 443 tcp session.


S762:

If I could get that to work that would be perfect. I have to be honest here, it took me 4+ hours to get the first one working. IIRC my phone had to use a different or older version of the cert because of the older OpenVPN app. Then I couldn’t get the laptop to work until I upgraded the OpenVPN client, so it wasn’t easy for me. Even with ssh, I had PuTTY ver 6 and needless to say couldn't get ssh to work (on the LAN) until I went to ver 7.0. Then you guys solved the ssh issue with the FW rule. Anyway, back to the second instance of OpenVPN, could I use the wizard to create it? Anything special to watch out for vs the first setup? Thanks again!

johnpoz (LAYER 8 Global Moderator):

Yeah, you can use the wizard. To be honest I have a hard time understanding why people have issues with this stuff. It really is clickity clickity. Then again I have been doing this sort of thing for 30 years and it's all basic stuff for me. There is a "thing" they call it when people that know stuff have a hard time understanding why everyone doesn't "know" it ;)

                            I prob fall into that - and trying to be better about grasping "why" users would have issues. 4 hours?? Having a hard time with comprehending that to be honest.. A port forward for example should take you like 2 minutes to troubleshoot to where the problem is..

                            Then again you prob wouldn't be here asking questions if you were a network engineer ;) heheh

Here are some givens: you should "ALWAYS" be using current products... First thing any company/user/anyone will ask is what version you're on. If you are not current, they will tell you to upgrade. Your ssh issues were, yeah, most likely related to using a client that didn't support current ciphers and algorithms for whatever version of pfSense you were/are running. PuTTY is normally ahead of the game in support. But like SecureCRT, I was fighting with them for like a year to support chacha. Finally got pre-beta access. I was bitching to their support that how could they be a major player in ssh clients and not support chacha ;) I even used the example that PuTTY supported it, and that is 1 guy....

When you run the 2nd instance you will want to use a different tunnel network. I use 10.0.8/24 on 1 and 10.0.200/24 on the other, for example. Other than that, exactly how you set up the 1st instance, just this time listen on a tcp port vs a udp port.


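johnpoz makes three points across his replies that are worth checking before changing anything: each exposed service needs a WAN pass rule to "WAN address" on its own protocol and port, sshd and the web GUI cannot both listen on tcp/443, and a second OpenVPN instance needs its own port and its own tunnel network. The Python below is an added example for this thread, not code from the thread or from pfSense; it validates a constructed listener plan for those conflicts with only the standard library and renders the WAN rules each exposed service needs as plain descriptions (not pf.conf syntax). The service names, ports, tunnel networks and LAN subnet are assumptions for illustration; the "bad" plan deliberately contains the two mistakes the thread warns about.

```python
import ipaddress
from collections import defaultdict

# Constructed plan: wizard instance on udp/1194, a second OpenVPN server on tcp/443 as a
# fallback for networks that block the first, the web GUI moved off 443, and sshd kept
# LAN-only. "wan" marks which services get a WAN pass rule.
GOOD_PLAN = [
    {"name": "openvpn-udp", "proto": "udp", "port": 1194, "tunnel": "10.0.8.0/24",   "wan": True},
    {"name": "openvpn-tcp", "proto": "tcp", "port": 443,  "tunnel": "10.0.200.0/24", "wan": True},
    {"name": "webgui",      "proto": "tcp", "port": 8443, "wan": False},
    {"name": "sshd",        "proto": "tcp", "port": 22,   "wan": False},
]

# Same plan with two mistakes: sshd moved to 443 while the web GUI still listens there,
# and the second tunnel network carved out of the first. (tcp/1194 beside udp/1194 is fine.)
BAD_PLAN = [
    {"name": "openvpn-udp", "proto": "udp", "port": 1194, "tunnel": "10.0.8.0/24",   "wan": True},
    {"name": "openvpn-tcp", "proto": "tcp", "port": 1194, "tunnel": "10.0.8.128/25", "wan": True},
    {"name": "webgui",      "proto": "tcp", "port": 443,  "wan": False},
    {"name": "sshd",        "proto": "tcp", "port": 443,  "wan": True},
]


def port_conflicts(plan):
    """Services that would bind the same protocol and port on the firewall; a listener
    is identified by (proto, port), so udp/1194 and tcp/1194 do not collide."""
    by_key = defaultdict(list)
    for svc in plan:
        by_key[(svc["proto"], svc["port"])].append(svc["name"])
    return {key: names for key, names in by_key.items() if len(names) > 1}


def tunnel_overlaps(plan, lan_networks=()):
    """Pairs of OpenVPN tunnel networks that overlap each other or a local subnet;
    every instance needs a distinct tunnel network so its routes do not collide."""
    nets = [(svc["name"], ipaddress.ip_network(svc["tunnel"])) for svc in plan if "tunnel" in svc]
    nets += [(f"lan {cidr}", ipaddress.ip_network(cidr)) for cidr in lan_networks]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


def wan_rules(plan):
    """One WAN pass rule per exposed service: source any, destination the WAN address,
    limited to that service's protocol and port. Services with wan=False get no rule."""
    return [{"interface": "WAN", "proto": svc["proto"], "destination": "WAN address",
             "port": svc["port"], "comment": svc["name"]}
            for svc in plan if svc.get("wan")]


def check_plan(plan, lan_networks=()):
    """Human-readable list of problems; empty means the plan is consistent."""
    problems = []
    for (proto, port), names in port_conflicts(plan).items():
        problems.append(f"{proto}/{port} claimed by {', '.join(names)}")
    for a, b in tunnel_overlaps(plan, lan_networks):
        problems.append(f"tunnel overlap: {a} and {b}")
    return problems


if __name__ == "__main__":
    lan = ["192.168.1.0/24"]  # constructed LAN subnet
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(f"{label} plan:", check_plan(plan, lan) or "no problems")
    for rule in wan_rules(GOOD_PLAN):
        print("WAN rule:", rule)
```

Run as a script it reports nothing for the first plan and two problems for the second (tcp/443 claimed by both webgui and sshd, and the two tunnel networks overlapping), and prints the two WAN rules the good plan needs, one for udp/1194 and one for tcp/443, with nothing for the web GUI or sshd since they are not exposed.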
S762:

Thank you, it's done. As you know, it pretty much imported everything, so I had to make the port change and that was it. I’m able to remote in going over a VPN service here locally, but I'm pretty sure it should work from an outside network. Thank you again, your help was greatly appreciated!!!!!

                              update: tested from outside network and working perfectly

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.