Netgate Discussion Forum
    Best practice ssh server on Lan or DMZ?

      trumee

      I want to be able to access my LAN from outside. To do that I need to run an SSH server on my network. I could
      1. Run the SSH server on the LAN and do a port forward on the router to the SSH server.
      2. Set up the SSH server in the DMZ. Additionally create a rule for the DMZ host to connect to my LAN. So from WAN I will have to first SSH to the DMZ host, and then SSH from the DMZ to the LAN.

      Which from the above two is a better setup for security? Is there any other better setup?

      Thanks

        NOYB
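      An added example (not posted in this thread) of what option 2 looks like on the client and on the DMZ host: an ssh_config that reaches the LAN machine through the DMZ host with ProxyJump, and the sshd_config fragment the jump host would carry. The host names, addresses and the user name are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: DMZ jump host "dmz-jump"
# at 203.0.113.10 (the port-forward target), LAN host "lanbox" at 192.168.1.20,
# admin account "admin". ProxyJump (OpenSSH 7.3+) opens the inner session
# end-to-end through the jump host, so the DMZ box never holds the LAN
# session's keys or plaintext.
client_ssh_config() {
cat <<'EOF'
Host dmz-jump
    HostName 203.0.113.10
    User admin
    IdentityFile ~/.ssh/id_ed25519_jump
    IdentitiesOnly yes

Host lanbox
    HostName 192.168.1.20
    User admin
    ProxyJump dmz-jump
    IdentityFile ~/.ssh/id_ed25519_lan
    IdentitiesOnly yes
EOF
}

# sshd_config fragment for the DMZ jump host: key-only login, and TCP
# forwarding (which ProxyJump relies on) restricted to the single LAN host,
# so a compromised jump account cannot pivot elsewhere through sshd.
jump_host_sshd_config() {
cat <<'EOF'
PasswordAuthentication no
PermitRootLogin no
AllowUsers admin
AllowTcpForwarding yes
PermitOpen 192.168.1.20:22
AllowAgentForwarding no
GatewayPorts no
X11Forwarding no
EOF
}

# Write the client config with the permissions ssh expects on ~/.ssh.
install_client_config() {
  dir="${1:-$HOME/.ssh}"
  mkdir -p "$dir" && chmod 700 "$dir"
  client_ssh_config > "$dir/config"
  chmod 600 "$dir/config"
}
```

      After `install_client_config`, `ssh lanbox` performs both hops in one command; the DMZ host only relays the TCP connection and, with `PermitOpen`, only to that one LAN machine. The pfSense side is unchanged from trumee's description: a WAN port forward to 203.0.113.10:22 and a DMZ-to-LAN rule that allows only the jump host to reach 192.168.1.20 on port 22.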

        @trumee:

        Is there any other better setup?
        Thanks

        What about VPN? I use OpenVPN.

          johnpoz LAYER 8 Global Moderator

          While yes, an SSH tunnel is a poor man's VPN.. Not sure why you don't just set up OpenVPN?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            doktornotor Banned

            The question doesn't make sense. You run an SSH server wherever you need SSH access.

              trumee

              @johnpoz:

              While yes, an SSH tunnel is a poor man's VPN.. Not sure why you don't just set up OpenVPN?

              I could use VPN, but I will need to SSH into the machine anyway. So won't there be a decrease in performance doing SSH over OpenVPN?

                NOYB

                @trumee:

                I could use VPN, but I will need to SSH into the machine anyway. So won't there be a decrease in performance doing SSH over OpenVPN?

                What you initially said was…
                @trumee:

                I want to be able to access my Lan from outside.

                In the initial post you indicated a desire to access your LAN from outside. Now you seem to be indicating accessing a specific machine from outside. Which is it? A specific machine or the LAN?

                  trumee

                  A specific machine from outside. My internal LAN is composed of Linux/BSD machines and I need SSH access to these.

                    johnpoz LAYER 8 Global Moderator

                    So multiple of them… So VPN is the solution.. I SSH to machines after a VPN all the time.. What do you think you would be doing over an SSH connection, which I use to admin, that would need 100% of your pipe?

                      NOYB

                      @trumee:

                      A specific machine from outside. My internal LAN is composed of Linux/BSD machines and I need SSH access to these.

                      Access to all of them is not a specific machine.

                      OpenVPN is the route I'd go. Extends the LAN (at IP layer) to wherever you go. And more manageable than machine-specific NAT/firewall rules.

                        KOM

                        So won't there be a decrease in performance doing SSH over OpenVPN?

                        SSH spends 99.99999% of its time waiting for you.

                          Marvho

                          From a security aspect, is it better to run an OpenVPN server in a DMZ (additional interface on pfSense, not the LAN one) or on pfSense itself?

                            johnpoz LAYER 8 Global Moderator

                            So now you have just changed your word from SSH to OpenVPN and asked the same stupid question.

                            If you only allow VPN clients into your DMZ segment.. How are you going to get to whatever it is you need to do in the LAN?? Dude think for 2 freaking seconds..

                              Marvho

                              @johnpoz:

                              So now you have just changed your word from SSH to OpenVPN and asked the same stupid question.

                              If you only allow VPN clients into your DMZ segment.. How are you going to get to whatever it is you need to do in the LAN?? Dude think for 2 freaking seconds..

                              Was this addressed to me?

                                johnpoz LAYER 8 Global Moderator

                                Did you ask the question? Then YES!!!

                                  KOM

                                  From a security aspect, is it better to run an OpenVPN server in a DMZ

                                  As john said, if you use your DMZ interface for OpenVPN then how will your VPN clients do anything? The point of a DMZ is to allow isolation between your external servers and LAN. Bind OpenVPN to your WAN interface.
