autossh on pfsense

_sKo_

Hi all,

I'm tryng to estabilish a reverse ssh tunnel from a pfsense firewall to a MySql server in the WAN.
This is needed becasue the MySql server accept only local connections.

I found this guide about FreeBSD (https://project.altservice.com/issues/834) but in the pkg pfsense's repository the autossh package is not available.

Any advice?

johnpoz

@ltrivellizzi said in autossh on pfsense:

a MySql server in the WAN.

You mean on the wan net on pfsense, or you mean the internet or some remote network that is not actually your "wan net" that you access through your wan net.

_sKo_

@johnpoz the server is on the WAN net of the firewall and still in a LAN. No internet, no remote network.

stephenw10

That link fails for me so I'm not sure exactly what you're trying to achieve here. Is this a one time thing? What are you connecting to the server with?
There are many ways you could do this. A VPN would work.

Steve

johnpoz

@ltrivellizzi well if it was actually on your pfsense "wan net" then to it the connection would be coming from pfsense wan IP (unless you turned off nat on pfsense).. So to it the connection would be from its local network.

stephenw10

Ah, I assumed he was trying to use pfSense as a proxy so he could connect to the server from some external location.

johnpoz

@stephenw10 that is not how I took it.

But if he has this

mysql -- wan net -- pfsense -- lan net -- client

And client wants to talk to mysql, unless he turned off nat on pfsense to mysql the connection would be coming from pfsense wan net IP. So to mysql that would be its local network.

You sure its a "wan" to pfsense - out of the box pfsense would nat lan side network to wan net IP. But if that is not really a wan to pfsense, ie no internet or other networks access through that network. Then it would not be natting.

If that is the case to make it look like local network to mysql you would need to do a outbound nat from your lan net to the wan net IP. This is done by default when pfsense actually has a wan, ie a connection it uses to get to other networks - a gateway set on the interface.

stephenw10

Mmm, hence my assumption it was for external access. Also that's what that guide describes.

However in that setup autossh needs to be installed on the mysql server not pfSense.

Use a VPN!

Steve

_sKo_

Hi all,

the schema is like mysql -- wan net -- pfsense -- lan net -- client, like @johnpoz stated, and the client need to talk to mysql but mysql does not accept connection from the local network but only from localhost.

I've routers build up with ubuntu and iptables that have an ssh tunnel to the MySql server configured like 3306:localhost:3306.
This tunnels are established via autossh to make them permanent.

stephenw10

You can just install it from the FreeBSD repo and since it appears to have no depencies it's relatively low risk:

[22.01-RELEASE][admin@cedev-4.stevew.lan]/root: pkg add http://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/autossh-1.4g.pkg
Fetching autossh-1.4g.pkg: 100%   23 KiB  23.5kB/s    00:01    
Installing autossh-1.4g...
Extracting autossh-1.4g: 100%
[22.01-RELEASE][admin@cedev-4.stevew.lan]/root: rehash
[22.01-RELEASE][admin@cedev-4.stevew.lan]/root: autossh
usage: autossh [-V] [-M monitor_port[:echo_port]] [-f] [SSH_OPTIONS]

    -M specifies monitor port. May be overridden by environment
       variable AUTOSSH_PORT. 0 turns monitoring loop off.
       Alternatively, a port for an echo service on the remote
       machine may be specified. (Normally port 7.)
    -f run in background (autossh handles this, and does not
       pass it to ssh.)
    -V print autossh version and exit.

Environment variables are:
    AUTOSSH_GATETIME    - how long must an ssh session be established
                          before we decide it really was established
                          (in seconds). Default is 30 seconds; use of -f
                          flag sets this to 0.
    AUTOSSH_LOGFILE     - file to log to (default is to use the syslog
                          facility)
    AUTOSSH_LOGLEVEL    - level of log verbosity
    AUTOSSH_MAXLIFETIME - set the maximum time to live (seconds)
    AUTOSSH_MAXSTART    - max times to restart (default is no limit)
    AUTOSSH_MESSAGE     - message to append to echo string (max 64 bytes)
    AUTOSSH_PATH        - path to ssh if not default
    AUTOSSH_PIDFILE     - write pid to this file
    AUTOSSH_POLL        - how often to check the connection (seconds)
    AUTOSSH_FIRST_POLL  - time before first connection check (seconds)
    AUTOSSH_PORT        - port to use for monitor connection
    AUTOSSH_DEBUG       - turn logging to maximum verbosity and log to
                          stderr

But be aware of the risks:
https://docs.netgate.com/pfsense/en/latest/recipes/freebsd-pkg-repo.html

Steve

johnpoz

@ltrivellizzi said in autossh on pfsense:

but only from localhost.

Why don't you just allow network connections? That would be way easier solution. Not like your opening up to the public internet allow access from your own local IPs

edit:
Doesn't mysql just default to binding to 127.0.0.1? in the mysqld.cnf, changing that to actually bind to the boxes IP, or all zeros should allow you access from your clients.

_sKo_

@johnpoz I'm just trying to stick as much as possible to the "as is" situation.

johnpoz

@_sko_ said in autossh on pfsense:

"as is" situation.

But its a horrible solution..

You want/need to access something from your network, but that thing defaults to only listening on loopback.. So you setup a ssh connection and trick into thinking your local.. So you have created complexity for no reason, and its going to be a performance hit, running traffic through any sort of tunnel adds overhead, requires resources to perform the encryption and decryption of the traffic..

Vs just changing 127.0.0.1 in the conf file to 0.0.0.0 ?

Occam’s Razor vs Rube Goldberg

_sKo_

@johnpoz I see your point but the tunnel let the MySql server to be configured in a more secure way. But @stephenw10 just let me stop thinking about this solution because of the warnings in the linked page.

Thanks for the support and the help!

johnpoz

@_sko_ said in autossh on pfsense:

tunnel let the MySql server to be configured in a more secure way

So you have hackers or botware running on your local network?

You stated that this "wan" is not connected to the internet. So who has access to this "network" where this mysql box sits? Your devices, your users? Are you own devices and users considered hostile?

And these device need to go through pfsense to get to the mysql box do they not. So simple non rube goldberg setup to secure access to this device is rule on pfsense to limit who can talk to it and on what port.

If your routing traffic through pfsense via this ssh tunnel.. How is it any different than allowing access just via a firewall rule?

The only way this becomes more secure is stuff on the same network as the mysql box wouldn't be able to access it. So again going with the occams razor approach which is simpler.. isolate this box from others on its own network via firewall on the host, or private vlan, or just putting it in its own limited network where the bad guys don't sit, etc.

You do you - but your approach as you have described your setup seems over complicated and is more likely to cause performance issues and connectivity issues than any added security.

_sKo_

@johnpoz said in autossh on pfsense:

@_sko_ said in autossh on pfsense:

tunnel let the MySql server to be configured in a more secure way

So you have hackers or botware running on your local network?

You stated that this "wan" is not connected to the internet. So who has access to this "network" where this mysql box sits? Your devices, your users? Are you own devices and users considered hostile?

I stated wrong. Sorry but my english is a little bit rusty. The local network has a gateway and is connected to the internet but you are right just a too much complicated solution for the problem.

I just enabled a rinetd rule for the pfsense firewall in the MySql server et voilà.

Thanks!