Creating Reverse SSH tunnel from insecure remote device?

I have been using IPCop for years but the hardware has just failed. I am looking at IPFire as a replacement.

I have a specific requirement for my remote, headless, Raspberry Pi based devices to be able to create a reverse tunnel to ssh to my home PC. The remote devices are in the wild and must be regarded as insecure. The connections are intermittent and unreliable, so I use autossh. I do not want to use a VPN.

This is not a question about how to setup what is a relatively complex ssh tunnel configuration. I am seeking advice on whether IPFire will allow me to make the changes I need to do.

The remote devices may be behind a firewall, specifically they may be connected via a wireless phone network. Mobile operators have firewalls to prevent internet traffic flooding their network. This makes it necessary for the remote device to initiate a reverse ssh connection back to (what was) my IPCop firewall.

I wanted to be able to connect to the reverse tunnel from anywhere within my home network, from any pc. This required the reverse tunnel to terminate within the firewall. To do this, I created a special IPCop user called ‘tunnel’ that provided a dead end to any intruder. This was achieved doing the following:

Create a user “tunnel” with no password and no access to a shell. Even if a hacker is able to modify the remote reverse ssh tunnel command to reach the tunnel user in the IPCop firewall, they will be unable to login or execute any commands.
root@ipcop:~ # useradd tunnel -m -d /home/tunnel -s /bin/true
with options:
-m create the user’s home directory
-d home directory of the user account
-s login shell of the account. -s /bin/true gives no shell access

Disable password-based access to the tunnel account while allowing SSH access with:
$ usermod -p '*' tunnel

Q1. Can I create a tunnel user on IPFire?

The next step is to be able to set up a forward ssh tunnel that connects to the reverse tunnel via the user ‘tunnel’. That creates a single tunnel from my PC, through the firewall and out to the remote device. I can then access the remote CLI with a forward ssh connection through the single tunnel. A tunnel in a tunnel.

There are other things I need to do as well, like creating services and firewall rules, but the main one is to be able to create a special non-standard user ‘tunnel’. I use PuTTY to build a forward tunnel from my PC to connect end to end to the reverse tunnel. I then use PuTTY to connect to the tunnel that now ends on my PC.

Q2. Can I manually setup ssh keys etc on IPFire? I need to be able to manually setup ssh keys from the command line.

Q3. Is there a better way? Does IPFire offer features that will allow me to achieve the same result? VPN is not the answer.

I haven’t read the manual. Any feedback would be great.
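The ‘tunnel’ dead-end account described in the post above relies on the login shell and the locked password field alone. As an added example (not from the poster or from IPFire), the script below shows the sshd_config Match block and authorized_keys options that also confine what the key can do on the firewall, plus a check that the account really is locked; the port 2222 is an assumed reverse-tunnel port and the passwd/shadow lines are constructed samples. PermitListen requires OpenSSH 7.8 or newer.

```shell
#!/bin/sh
# Added example (not from the original post): confine the "tunnel" account to
# reverse port forwarding only, and verify the account is a dead end.

# sshd_config Match block for the tunnel user: remote (reverse) forwarding
# only, no PTY, no X11/agent forwarding, and a no-op forced command.
# Assumption: the remote device binds its reverse tunnel to localhost:2222.
tunnel_match_block() {
  cat <<'EOF'
Match User tunnel
    AllowTcpForwarding remote
    PermitListen localhost:2222
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/true
EOF
}

# authorized_keys line for the device key ($1): "restrict" drops every
# capability, then only port forwarding is re-enabled.
tunnel_authorized_key() {
  printf 'restrict,port-forwarding,command="/bin/true" %s\n' "$1"
}

# Check a passwd line ($1) and shadow line ($2): the shell must be a
# non-login shell and the password field must be locked. Returns 0 if so.
check_tunnel_account() {
  passwd_line=$1; shadow_line=$2
  shell=$(printf '%s' "$passwd_line" | cut -d: -f7)
  hash=$(printf '%s' "$shadow_line" | cut -d: -f2)
  case $shell in
    /bin/true|/bin/false|/usr/sbin/nologin|/sbin/nologin) ;;
    *) return 1 ;;
  esac
  case $hash in
    '*'|'!'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample entries, as getent would show them after the
# useradd/usermod commands in the post.
SAMPLE_PASSWD='tunnel:x:1001:1001::/home/tunnel:/bin/true'
SAMPLE_SHADOW='tunnel:*:19000:0:99999:7:::'

check_tunnel_account "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" && echo "tunnel account is locked"
```

Append the output of tunnel_match_block to sshd_config and the output of tunnel_authorized_key to /home/tunnel/.ssh/authorized_keys, then reload sshd.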

I think I can answer my own questions.
I found this link where a new user is added at the CLI

If I can create a user from the CLI, then I will be able to manually configure ssh files.

I also found sTunnel as an addon. It may do more than I want but it doesn’t do anything more than I can already do. It also uses closed code, so not thrilled about that.

Since IPFire is based on IPCop, it is comforting to see largely familiar features and GUI. It won’t be a large learning curve to climb.

Hi @dazz

Welcome to the IPFire community.

Q1 You found the wiki section on creating additional users

Q2 Yes you can create ssh keys for your additional user on the command line.

Could you explain what you found that was closed.

My mistake. I mis-read the stunnel home page.