OpenSSH is a tool that was created to provide secure remote sign-in to remote devices using the SSH protocol. SSH uses strong encryption for data transferred between the client and server machines, for both remote login and file transfer. This level of security eliminates eavesdroppers, session hijackers, and other types of attackers in your network.

Prerequisites

Before you get started with this article, you must meet the following requirements:

  • An installed OPNsense server
  • A local device that can reach the OPNsense web dashboard
  • An OPNsense login account that is a member of the built-in admins group

Enable OpenSSH Service on OPNsense

OPNsense is known to be one of the best open-source firewalls and routing solutions that can be adopted for home use, or in a small to medium size company.

We have a separate article on how to install OPNsense: How To Install OPNSense Firewall on Proxmox VE. With the firewall up and running, log in to the web dashboard.


Once you’re in the dashboard, navigate to System –> Administration –> Secure Shell.

Tick the box to Enable OpenSSH Server, and permit root user login. You can optionally enable the password authentication method, but this will be disabled for me since I prefer the key-based authentication mechanism.


We recommend you allow the SSH service to listen only on LAN, or on any other VLAN that is not exposed to the outside world.


Using SSH Public key to login

The SSH protocol supports many authentication methods. The most widely used method that is also secure for both interactive and automated connections is public key authentication. You can read this documentation to learn more about the public key authentication method.

SSH keys are stored in the ~/.ssh directory by default. You can confirm whether you already have keys by listing the contents of that directory.

$ ls -1 ~/.ssh
config
id_rsa
id_rsa.pub
known_hosts
known_hosts.old

Your public key is named id_rsa.pub. If there is none on your machine, generate one on Linux / Unix based systems using the following command.

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jmutai/.ssh/id_rsa):
Created directory '/home/jmutai/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/jmutai/.ssh/id_rsa
Your public key has been saved in /home/jmutai/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:bgcrnow9O7wKbgeOdJ6kO2CnwPvpW5kGY84rMDv+DPY jmutai@josphat-devops2
The key's randomart image is:
+---[RSA 3072]----+
|                 |
|                 |
|                 |
|                 |
|.  +    S        |
|=+=+o o. o       |
|*BX+.*. + .      |
|=B*+*=++ .       |
|.=OE+.B=         |
+----[SHA256]-----+

You will need to copy the contents of the file for use in OPNsense.

$ cat ~/.ssh/id_rsa.pub

On macOS you can copy the contents to clipboard using pbcopy.

$ pbcopy < ~/.ssh/id_rsa.pub

Linux users can use xclip.

$ xclip -sel clip < ~/.ssh/id_rsa.pub
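A check worth running before pasting the key into the OPNsense user form, as an added Python example that is not from the original article: it parses an OpenSSH public key line the same way the server will, rejects a mangled copy (truncated base64 or a type prefix that does not match the blob), and computes the SHA256 fingerprint in the form that ssh-keygen -l and the OPNsense console banner print, so the host key recorded in known_hosts on first login can be compared against the fingerprint shown on the console. The key bytes and hostname used in the sample builder are constructed placeholders, not a real key pair.

```python
import base64
import hashlib
import struct

def parse_openssh_pubkey(line):
    """Parse "<type> <base64 blob> [comment]" as found in id_*.pub / authorized_keys.
    Raises ValueError when the line is malformed or the type prefix disagrees with
    the type encoded inside the blob (what a mangled copy-paste usually looks like)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, comment = parts[0], (parts[2] if len(parts) == 3 else "")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64: %s" % exc)
    # Every OpenSSH key blob starts with a length-prefixed key type string.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if name_len > len(blob) - 4 or blob[4:4 + name_len] != key_type.encode():
        raise ValueError("type prefix %r does not match the blob" % key_type)
    return key_type, blob, comment

def sha256_fingerprint(blob):
    """Fingerprint in the form printed by ssh-keygen -l and the OPNsense banner."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_pubkey_line(line):
    """Fingerprint of a usable public key line, or None if it should not be pasted."""
    try:
        return sha256_fingerprint(parse_openssh_pubkey(line)[1])
    except ValueError:
        return None

def known_hosts_fingerprint(line):
    """known_hosts entries carry a leading host field: "<host> <type> <base64>"."""
    host, rest = line.strip().split(None, 1)
    return host, check_pubkey_line(rest)

def make_sample_key(key_type, raw, comment=""):
    """Build a well-formed key line from constructed raw bytes (not a real key pair)."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode()
    blob += struct.pack(">I", len(raw)) + raw
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode(), comment)
```

Run check_pubkey_line on the line you copied with cat, pbcopy or xclip; a None result means the copy is not usable and should not be pasted.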

Next, go to the OPNsense web console and open the System –> Users section. Select the user to edit using the pencil icon.


Paste the copied key into the settings of the selected user. In our example the user is root.


When done, save the changes.

Testing SSH into OPNsense

The final step is testing the SSH connection to OPNsense from our local machine.

The command syntax for SSH is:

$ ssh username@OPNsenseIP

Windows users can try one of the tools in the Best SSH, Telnet and Serial Client Applications for Windows Systems article.

$ ssh root@192.168.1.1
Warning: Permanently added '192.168.1.1' (ED25519) to the list of known hosts.
Last login: Thu Jan 25 01:05:07 2024 from 192.168.1.151
----------------------------------------------
|      Hello, this is OPNsense 23.7          |         @@@@@@@@@@@@@@@
|                                            |        @@@@         @@@@
| Website:	https://opnsense.org/        |         @@@\\\   ///@@@
| Handbook:	https://docs.opnsense.org/   |       ))))))))   ((((((((
| Forums:	https://forum.opnsense.org/  |         @@@///   \\\@@@
| Code:		https://github.com/opnsense  |        @@@@         @@@@
| Twitter:	https://twitter.com/opnsense |         @@@@@@@@@@@@@@@
----------------------------------------------

*** fw01.example.io: OPNsense 23.7.12 ***

 GuestWifi (vlan020) -> v4: 172.20.40.1/24
 IoTDevices (vlan021) -> v4: 172.20.41.1/24
 LAN (igb1)      -> v4: 192.168.1.1/24
 PrivateServers (vlan030) -> v4: 172.20.30.1/24
 WAN (igb0)      -> v4: a.b.c.d/24

 HTTPS: SHA256 66 1B 87 B8 43 2C 15 45 05 57 05 1E 5E FF BB BD
               AC A6 DF 50 C9 73 FC A6 D5 88 29 10 A4 16 7B 29
 SSH:   SHA256 lmQRFUxZjpwargrS5JII5m57XW04q8gE4ZHIrO3Ub0I (ECDSA)
 SSH:   SHA256 H3emXepr/oufi2zVoVRBWCt5iJM+JTVjtReBpBOlPUc (ED25519)
 SSH:   SHA256 +vgBRjGF6QyimDHDr9Dcq7aZqxuZGUlEdi//XEVLy8E (RSA)

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option:

We can try performing an action to confirm this works. For example, “12) Update from console”.

Enter an option: 12

Fetching change log information, please wait... done

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: y

Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
.....

This validates that we enabled the OpenSSH server on OPNsense and are able to access it. The OpenSSH client program is called ssh, and it is available on most Linux and Unix based systems. Windows users may need to install tools such as PuTTY or MobaXterm that provide ssh client functionality.
