ssh noob question



  • first post... I’m completely NEW to pfsense, tomorrow will be one week. The install and setup went nicely and I was able to use the ovpn wizard to create and export certs for my phone and laptop and have been testing for a few days and it seems to be working without issue.

    I know this is not advisable but my dilemma is I’m also trying to set up ssh via putty over the WAN. I enabled it on the System Advanced /Admin/Access page and created keys with puttygen and it works over the LAN but it’s a no go for the WAN. I know this has probably been answered a million times and I looked but I’m not making any headway so could I get some guidance on this one? Is there something else required?

    I tested the ovpn and ssh from an outside network so I know ovpn is working and ssh is not. I tried various ports such as the default 22, then 2222, 443 and 8443 and can’t establish a connection from two different outside networks. Thanks for any assistance.



  • Have you set up the firewall rules to pass TCP port 22 to pfSense? You can do a port scan at www.grc.com to see if port 22 is open.


  • Rebel Alliance Global Moderator

    Are you wanting to ssh to pfsense or something behind pfsense? Why would you not just ssh through your vpn connection to whatever it is, be it pfsense or something behind pfsense?

    If you're trying to port forward to something behind pfsense.. Just follow the port forwarding troubleshooting guide..
    https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html

    You do understand that while the openvpn wizard will create the wan rules for you - normally port forwarding does as well. We need to understand exactly what you're trying to do - at first you just wanted to access the pfsense wan IP via ssh - but then you bring up that you tried to port forward.. So not sure what you're trying to do. You state you turned on ssh in pfsense - so that points to pfsense.

    Allowing access to the pfsense wan IP for ssh is as simple as a firewall rule on your wan allowing dest 22 (or whatever port you're listening on for ssh) to wan address.



  • @johnpoz said in ssh noob question:

    Why would you not just ssh through your vpn connection to whatever it is be pfsense or something behind pfsense?

    You might want to reach pfSense from a device that doesn't have a VPN available.



  • First off thank you both for taking the time to answer. My reason to enable ssh is occasionally when we go out of town I remote into my home desktop system. Some locations block ovpn so I would use ssh, putty and an authorized key file on port 443 for access. I’ve been doing it this way for years with dd-wrt and it’s always worked but then I started disabling ssh and using ovpn. On dd-wrt I could see all the attempts in the log file to access 443 so I started using ovpn and prefer it but still would like to see ssh work even if ovpn is the main vehicle for RDP. I guess pfsense is not as forgiving as dd-wrt, thanks for the feedback, I’ll explore it further based on your replies.


  • Rebel Alliance Global Moderator

    @s762 said in ssh noob question:

    Some locations block ovpn

    That is why you listen on 443 tcp ;) Never found a spot where that has been blocked.. And openvpn when running tcp on a common port even works over a proxy.. Use it pretty much every single day from work that way ;)

    If you want ssh to listen on 443, ok - then again just set up your wan firewall rules to allow traffic to your wan IP on the port you're listening on. If you want to ssh on 443.. You're not going to be listening on 443 for your webgui, make sure you change that to use say port 8443.

    But to be honest openvpn on tcp 443 is better than just ssh on 443.



  • I’m just a pfsense noob and never will understand all of the under the hood stuff so I'm grateful for you guys. Thank you both, Success! I ran over to Starbucks for the outside network access and was able to connect via ssh. But now johnpoz has me thinking, do I try and redo ovpn with port 443? I guess that would kind of be the best of both worlds. Would that be just a matter of re-running the wizard?? If so I guess I could back up the config just in case it goes wrong so I don't lose my gains so far...



  • The only place I've come across where OpenVPN is blocked is the local library/community centres. They seem to allow only browsers. Also, it's not a good idea to use TCP for a VPN if you can avoid it. This is because TCP has flow control and when you have flow control on top of flow control, the 2 levels might conflict.



  • Thanks JKnott, I’ll just leave it as is since it's working and that's how I had dd-wrt set up. Mission accomplished, next adventure is to find a replacement for Pihole so I could remove my Ras Pi…


  • Rebel Alliance Global Moderator

    Why do you need to redo anything? You can run as many instances of openvpn as you want... I have one that listens on 443, and another on standard udp 1194. You could really have as many as you wanted as long as the ports do not conflict with other services you want to listen on, etc.

    Pretty much every single work place you go to will have 1194 udp blocked, that is pretty much a given. Most enterprise networks would block all outbound traffic like that - good luck getting a udp session over the proxy they hand out ;) As to flow control conflicting - no sorry, not going to be an issue. Is tcp going to be as fast as your udp connection? No, prob not - but it works just fine. Just set it up as a fallback is what I say. I normally try udp 1194, but if it fails it's two clicks to connect to the 443 tcp session.



  • If I could get that to work that would be perfect. I have to be honest here, it took me 4+ hours to get the first one working. IIRC my phone had to use a different or older version of the cert because of the older ovpn app. Then I couldn’t get the laptop to work until I upgraded the ovpn client so it wasn’t easy for me. Even with ssh, I had putty ver 6 and needless to say couldn't get ssh to work (on the LAN) until I went to ver 7.0. Then you guys solved the ssh issue with the FW rule. Anyway back to the second instance of ovpn, could I use the wizard to create it? Anything special to watch out for vs the first setup? Thanks again!


  • Rebel Alliance Global Moderator

    Yeah you can use the wizard.. To be honest I have a hard time understanding why people have issues with this stuff. It really is clickity clickity.. Then again I have been doing this sort of thing for 30 years and it's all basic stuff for me.. There is a "thing" they call it when people that know stuff have a hard time understanding why everyone doesn't "know" it ;)

    I prob fall into that - and trying to be better about grasping "why" users would have issues. 4 hours?? Having a hard time with comprehending that to be honest.. A port forward for example should take you like 2 minutes to troubleshoot to where the problem is..

    Then again you prob wouldn't be here asking questions if you were a network engineer ;) heheh

    Here are some givens - you should "ALWAYS" be using current products... First thing any company/user/anyone will ask is what version you're on.. If you are not current - they will tell you to upgrade.. Your ssh issues were yeah most likely related to using a client that didn't support current ciphers and algos for whatever version of pfsense you were/are running. Putty is normally ahead of the game in support. But like securecrt, I was fighting with them for like a year to support chacha.. Finally got pre-beta access.. I was bitching to their support that how could they be a major player in ssh clients and not support chacha ;) I even used the example that putty supported it - and that is 1 guy....

    When you run the 2nd instance you will want to use a different tunnel network. I use 10.0.8/24 on 1 and 10.0.200/24 on the other for example. Other than that, exactly how you set up the 1st instance - just this time listen on a tcp port vs a udp port.
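    The two constraints johnpoz gives for a second OpenVPN instance (no port conflict with other listeners such as the webGUI or sshd, and a distinct tunnel network) are easy to get wrong by hand, and the earlier point about not putting both ssh and the webGUI on TCP 443 is the same kind of mistake. The following added example (my own code, not from pfSense or this thread) checks a constructed list of listeners for both problems before anything is enabled. The `Listener` class, the service names and the two sample configurations are assumptions for illustration; pfSense itself stores this in its own config, which this script does not read.

```python
"""Constructed sanity check for pfSense-style listeners.

Catches two misconfigurations discussed in the thread:
  1. two services bound to the same protocol + port
     (for example sshd and the webGUI both on TCP 443)
  2. two OpenVPN server instances whose tunnel networks overlap
Everything below is constructed sample data, not read from a real box.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Listener:
    name: str
    proto: str                    # "tcp" or "udp"
    port: int
    tunnel: Optional[str] = None  # only OpenVPN servers carry a tunnel network


def port_conflicts(listeners: List[Listener]) -> List[Tuple[str, str]]:
    """Pairs of listeners that share the same (proto, port).

    TCP 443 and UDP 443 are different sockets, so they do not conflict;
    the key therefore includes the protocol.
    """
    first_seen = {}
    conflicts = []
    for lst in listeners:
        key = (lst.proto.lower(), lst.port)
        if key in first_seen:
            conflicts.append((first_seen[key].name, lst.name))
        else:
            first_seen[key] = lst
    return conflicts


def tunnel_overlaps(listeners: List[Listener]) -> List[Tuple[str, str]]:
    """Pairs of OpenVPN instances whose tunnel networks overlap."""
    vpns = [lst for lst in listeners if lst.tunnel]
    overlaps = []
    for a, b in combinations(vpns, 2):
        # strict=False accepts a host address inside the prefix, as a GUI would
        if ip_network(a.tunnel, strict=False).overlaps(ip_network(b.tunnel, strict=False)):
            overlaps.append((a.name, b.name))
    return overlaps


def check(listeners: List[Listener]) -> dict:
    """Run both checks; an empty list for each key means the set is consistent."""
    return {
        "port_conflicts": port_conflicts(listeners),
        "tunnel_overlaps": tunnel_overlaps(listeners),
    }


# Constructed "before" configuration: ssh moved to 443 without moving the
# webGUI, and a second OpenVPN instance cloned with the same tunnel network.
BAD = [
    Listener("webgui", "tcp", 443),
    Listener("sshd", "tcp", 443),
    Listener("openvpn-udp", "udp", 1194, "10.0.8.0/24"),
    Listener("openvpn-tcp", "tcp", 443, "10.0.8.0/24"),
]

# Constructed "after" configuration following the advice in the thread:
# webGUI on 8443, ssh back on 22, OpenVPN on UDP 1194 and TCP 443 with
# distinct tunnel networks.
GOOD = [
    Listener("webgui", "tcp", 8443),
    Listener("sshd", "tcp", 22),
    Listener("openvpn-udp", "udp", 1194, "10.0.8.0/24"),
    Listener("openvpn-tcp", "tcp", 443, "10.0.200.0/24"),
]

if __name__ == "__main__":
    for label, cfg in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, check(cfg))
```

    Running it reports three problems for the first set (sshd and the TCP OpenVPN instance both collide with the webGUI on TCP 443, and the two VPN tunnel networks overlap) and none for the second, which mirrors the layout johnpoz describes.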



  • Thank you, it's done. As you know it pretty much imported everything so I had to make the port change and that was it. I’m able to remote in going over a VPN service here locally but pretty sure it should work from an outside network. Thank you again, your help was greatly appreciated!!!!!

    update: tested from outside network and working perfectly