External Access
Introduction
I will want access to various hosts for file shares and configuration of the Home Lab. This is where I will describe it.
SSH Access
I will want access to the hosts inside the network, not least the production hosts, so that I can continue the configuration while I am somewhere else. The problem is that pfSense can only forward based on port, so if I want to SSH to Lime from outside the WAN port of pfSense there is no way for the firewall to know that I mean Lime and not Lemon. I could set up a bastion host to forward SSH on to the various hosts, and I may well set one up at a later date just so that I know how, but it is overkill for such a small number of hosts. I have instead chosen to have each host listen for SSH on a different port, so all I need is a table showing which port maps to which host; it is still as secure as before because the traffic is still SSH, just on a non-default port. I will still need a firewall port forward rule for each host, but internally I will only need one pass rule per interface, because when I am "inside" there is no NAT and I can address the hosts by hostname.
Port Assignments
As previously stated, each host will listen for SSH on a different port. The assignments are:
- Mandarin ***01
- Raisin ***02
- Lime ****03
- Fig ****04
- Logan ****05
- NS1 ****06
- Lemon ****07
- Alpine ****08
- Plum ****09
- Strawberry **10
- Satsuma ****11
It would make sense to have them as aliases in pfSense; each alias will take the form SSH_int_hostname. When testing, try the user nigel@
Update: we will have to forward the port on the new edge router, and these will not work from outside until that is done; it should work from within the LAN though.
SFTP Access
SFTP also uses port 22 by default, and for the same reason as SSH it cannot be easily port forwarded, since every SFTP server will be listening on 22. So the same port forwards that allow SSH to work will also work here. As most of the DNS names from Cloudflare are proxied, they will only forward HTTP/S traffic; we have two DNS entries that are not proxied, and those should not be used for HTTP/S as they may not get the full SSL treatment in web browsers. They will still be secure in that SFTP is in itself secure.
Additional Note
The server that will receive all or most of the SFTP uploads needs to have /mnt/shared chowned to root:root, or the connection may be refused even before the password is entered. So if the SFTP client keeps refusing the connection, the first thing to do is to SSH to the box and run ls -l on /mnt/shared; if it is not owned by root, run sudo chown root:root /mnt/shared. The SFTP client should work after that.
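The ownership rule above is what OpenSSH enforces for a ChrootDirectory: the directory, and every parent up to /, must be owned by root and must not be writable by group or others, otherwise sshd drops the session before authentication finishes, which is why the client appears to be refused. The following check script is an added example, not from the original page, that tests exactly those conditions so you can see which directory is at fault instead of guessing. It assumes a Linux-style ls -ld output; /mnt/shared is the page's own path and is only the default argument.

```shell
#!/bin/sh
# Added example (not from the original page): check whether a directory satisfies
# the rule that the note above describes (owned by root) plus the related sshd
# ChrootDirectory requirement that it is not group- or world-writable.
# Assumes 'ls -ld' prints: mode links owner group size date name

# Return 0 if one directory is owned by root and not writable by group/others;
# otherwise print the reason (and the fix) and return 1.
check_chroot_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    # Split the single 'ls -ld' line into positional fields.
    set -- $(ls -ld "$dir")
    mode=$1 owner=$3
    rc=0
    if [ "$owner" != root ]; then
        echo "$dir: owned by $owner, expected root (fix: sudo chown root:root $dir)" >&2
        rc=1
    fi
    # Mode string positions: 1 type, 2-4 user, 5-7 group, 8-10 other.
    case $mode in
        ?????w*)  echo "$dir: group-writable (fix: sudo chmod g-w $dir)" >&2; rc=1 ;;
    esac
    case $mode in
        ????????w*) echo "$dir: world-writable (fix: sudo chmod o-w $dir)" >&2; rc=1 ;;
    esac
    [ $rc -eq 0 ] && echo "$dir: ok (owner $owner, mode $mode)"
    return $rc
}

# Walk from the given directory up to / because sshd checks every parent too.
check_chroot_path() {
    d=$(cd "$1" 2>/dev/null && pwd -P) || { echo "$1: not a directory" >&2; return 1; }
    rc=0
    while :; do
        check_chroot_dir "$d" || rc=1
        [ "$d" = / ] && break
        d=$(dirname "$d")
    done
    return $rc
}

# Run as: sh check_sftp_dir.sh /mnt/shared   (no argument: only define the functions)
if [ $# -gt 0 ]; then check_chroot_path "$1"; fi
```

Run it on the upload server as sh check_sftp_dir.sh /mnt/shared; every line reported with a fix is a reason sshd would refuse the chrooted SFTP session, and the exit status is non-zero if anything is wrong, so it can also sit in a cron job or a configuration check.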
Passwordless SSH
To set up passwordless SSH between two hosts, first generate a key and put it in the /home/username/.ssh/ directory, named after the destination host:
ssh-keygen -t rsa -b 4096 -f ~/.ssh/hostname
You will be asked to enter a passphrase twice; either add one or not. Once it is done there will be a new key pair stored in .ssh/, and we can copy the .pub file to the destination. The easiest way is ssh-copy-id:
ssh-copy-id -i ~/.ssh/hostname.pub username@FQDN
The response will be "Are you sure you want to continue connecting (yes/no/[fingerprint])?"; type yes. The last thing is to add a friendly name in the SSH client config:
nano ~/.ssh/config
- Host is the hostname, or anything that is more friendly
- HostName is hostname.seaoffate.local (or an IP address)
- User is nigel, or whatever you want
- IdentityFile is the path to the key pair, so probably ~/.ssh/hostname
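The per-host external ports from the table above and the ~/.ssh/config fields just listed fit together in one client-side stanza: Port carries the host's external SSH port and IdentityFile pins the key. The script below is an added example, not from the page, that generates the key, runs ssh-copy-id against the right port, and appends the stanza only once. It uses the seaoffate.local domain and the user nigel from the page; the ports 20003 and 20007 used in the usage are constructed placeholders because the real ones are masked above, and the key type is ed25519 (my choice; the page uses rsa 4096). IdentitiesOnly is added so the client offers only this key rather than every key it holds.

```shell
#!/bin/sh
# Added example (not from the original page): key-based SSH setup for one lab host.
# Placeholders: the alias, hostname, port and user are all passed as arguments.

# Print a ~/.ssh/config stanza. Args: alias hostname port user keyfile
make_ssh_config_stanza() {
    printf 'Host %s\n    HostName %s\n    Port %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Append the stanza to the config file unless the alias is already present.
# Args: alias hostname port user keyfile [config_path, default ~/.ssh/config]
add_ssh_config_stanza() {
    cfg=${6:-$HOME/.ssh/config}
    mkdir -p "$(dirname "$cfg")"
    touch "$cfg"
    chmod 600 "$cfg"          # ssh refuses configs that others can write
    if grep -q "^Host $1\$" "$cfg"; then
        echo "alias $1 already present in $cfg" >&2
        return 1
    fi
    { [ -s "$cfg" ] && echo; make_ssh_config_stanza "$1" "$2" "$3" "$4" "$5"; } >> "$cfg"
}

# Whole procedure for one host: generate key, install it, record the alias.
# Args: alias hostname port user
setup_host() {
    key=$HOME/.ssh/$1
    # Key named after the host, as the note above does; ed25519 is my choice here.
    [ -f "$key" ] || ssh-keygen -t ed25519 -f "$key" -C "$4@$(hostname) for $1"
    # ssh-copy-id accepts -p for the non-default external port.
    ssh-copy-id -i "$key.pub" -p "$3" "$4@$2"
    add_ssh_config_stanza "$1" "$2" "$3" "$4" "$key"
}

# Usage: sh ssh_setup.sh lime lime.seaoffate.local 20003 nigel
if [ $# -eq 4 ]; then setup_host "$@"; fi
```

After running it once per host (for example sh ssh_setup.sh lime lime.seaoffate.local 20003 nigel, then the same for lemon on 20007), a plain ssh lime picks up the host, port, user and key from the stanza, and re-running the script for the same alias leaves the config untouched rather than adding a duplicate Host block.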