1080*80 ad
Home » Blog » Enabling SSH on OPNsense

Enabling SSH on OPNsense

Benhcmark Administrator Benhcmark Administrator
14/10/2025
0 Views 0
Enabling SSH on OPNsense

How to Securely Enable SSH on OPNsense: A Step-by-Step Guide

Managing your OPNsense firewall efficiently often requires more than just the web interface. For power users, network administrators, and anyone who needs direct command-line access, enabling the Secure Shell (SSH) protocol is essential. SSH provides a secure, encrypted channel for remote management, automation, and advanced troubleshooting.

However, enabling SSH on a security appliance like a firewall must be done with caution. This guide will walk you through the steps to enable SSH on OPNsense and, more importantly, how to configure it securely to protect your network.

Why Use SSH for OPNsense Management?

While the OPNsense web GUI is excellent for most daily tasks, SSH access unlocks a new level of control. It allows you to:

  • Perform advanced troubleshooting by viewing logs in real-time or running diagnostic commands.
  • Automate tasks with scripts for backups, updates, or configuration changes.
  • Access the firewall if the web interface becomes unresponsive.
  • Manage files directly on the firewall’s filesystem.

Enabling SSH in OPNsense: The Core Steps

Activating the SSH service is straightforward and is done directly from the administrative web interface.

  1. Navigate to the Administration Panel: Log in to your OPNsense web GUI. From the main menu on the left, go to System -> Settings -> Administration.

  2. Locate the Secure Shell Section: Scroll down the page until you find the “Secure Shell” section. This is where all SSH-related configurations are managed.

  3. Enable the Service: To turn on the SSH server, simply check the box next to “Enable Secure Shell”.

While checking this box is all you need to start the service, you should not stop there. The default settings are not ideal for a secure environment.

Configuring Key SSH Options for Enhanced Security

Before you save your changes, take a moment to review and adjust the options below the enable checkbox.

  • SSH Port: The default SSH port is 22. While functional, this port is constantly scanned by malicious bots on the internet. Changing this to a high, non-standard port (e.g., 2222, 49152, etc.) is a simple first step to reduce your exposure to automated attacks.

  • Login Group: For better access control, you can restrict SSH access to users belonging to a specific group. You can create a dedicated “ssh-admins” group under System: Access: Groups and add only trusted user accounts to it.

  • Authentication Method: This is the most critical security setting. You have two main options: password-based or public key-based authentication.

    • Permit password login: Allowing passwords makes your firewall vulnerable to brute-force attacks, where an attacker tries thousands of common passwords.
    • Permit public key login: This method is far more secure. It uses a cryptographic key pair for authentication. You keep a private key on your computer, and the corresponding public key is stored on OPNsense. It is nearly impossible to brute-force a properly generated key.

For maximum security, you should disable password login and exclusively use public key authentication.

Once you have configured these settings, click the Save button at the bottom of the page. The SSH service will now be active with your specified configuration.

Crucial Security Best Practices for OPNsense SSH

Enabling a service is easy; securing it is what matters. Follow these non-negotiable rules to maintain a hardened firewall.

1. Never Expose SSH to the WAN Interface

This is the golden rule of firewall management. Under no circumstances should you create a firewall rule that allows SSH access from the internet (WAN). Exposing your firewall’s management port to the public is an open invitation for attackers. The correct way to manage your firewall remotely is to first connect to your network using a secure VPN (like WireGuard or OpenVPN, which are integrated into OPNsense) and then SSH into the firewall’s private LAN address.

2. Mandate Public Key Authentication

We mentioned it before, but it bears repeating: disable password authentication entirely. To set this up, you must first add your public key to your user account in OPNsense under System: Access: Users. Edit your user, paste your public key into the “Authorized SSH Keys” field, and save. Once confirmed that key-based login works, you can safely uncheck “Permit password login” in the SSH settings.

3. Use Firewall Rules for Access Control

Even on your internal LAN, you can restrict which devices are allowed to connect to the SSH port. Create a firewall rule on your LAN interface that specifies the source IP address of your trusted management workstation and allows it to connect to the firewall’s SSH port. This prevents any other device on your network from attempting to access the firewall via SSH.

Final Thoughts

Enabling SSH on OPNsense is a powerful way to enhance your administrative capabilities. By following this guide, you can activate the service quickly and, more importantly, implement the essential security measures required for any network security appliance. Always prioritize security by using a non-standard port, mandating public key authentication, and never exposing management services directly to the internet.

Source: https://kifarunix.com/how-to-enable-secure-shell-ssh-server-on-opnsense/

900*80 ad

Related Articles
      1080*80 ad
      About Hosterdojo

      Hosterdojo reviews server performance, network capabilities, and other related benchmarks. If you are a provider interested in submitting your VPS products, feel free to reach out to me.

      Email: [email protected]
      Telegram Channel: https://t.me/hosterdojo

      Follow

      Useful Link

      Girl in a jacket