Closed mimugmail closed 6 years ago
@mimugmail it looks like a nice product, but personally I'm not too enthusiastic about putting things like this on a firewall; it adds a lot of attack surface to one of the most sensitive systems in your infrastructure.
Normally I would place a solution like this in its own virtual environment, but integrating a virtual solution with its own connectivity challenges into OPNsense is quite some work (and usually not really worth the effort).
Had never heard of this, it's a remote-desktop gateway that provides a client interface via an HTML5 browser - for others that want to read up on it:
Apparently it builds on FreeBSD
As of 0.9.2, Guacamole builds properly on FreeBSD and against the latest FreeRDP from git.
The documentation talks about a lot of dependencies, as @mimugmail mentioned:
Their previous 0.9.1.x revision is available in the FreeBSD ports tree
As a network edge device, does the Guacamole functionality belong on OPNsense? It does seem to fit into the definition of things some administrators might be willing to run at a network edge, but wow, it is a heavyweight set of components to be adding on the firewall itself.
Personally I'd feel uncomfortable running this directly on a firewall via publicly exposed port(s). I might consider it over an SSH tunnel or VPN connection, but if an SSH tunnel or VPN connection is an option, then why not just run the RDP session directly from my client machine?
Perhaps you could describe scenarios where Guacamole provides access that is otherwise not possible? I appreciate this question might sound silly or that the answer is "obvious", but there is something about your words "tested guacamole as a central mgmt tool for SSH access" that makes me believe there is another (much easier, and more secure) approach to addressing your remote SSH access requirements.
You could fix your internal routers in an emergency via your Android phone, since it's only browser-based. Juniper, Sophos and Cisco also offer this in their UTM products. And since it would be an optional plugin, I don't see a huge risk for the mass of normal users.
@mimugmail aren't they offering an HTML terminal only to their own box? We declined HTML5 consoles earlier; if I'm not mistaken, there are other, more lightweight options that do this for access to the firewall itself only.
It's a Tomcat app working as an RDP/VNC/SSH client with predefined profiles. It's not intended for managing OPN itself.
I feel like you might be wanting to create a setup where you can access an RDP enabled host using just username/password authentication from an external location and then keep your ssh keys on that RDP host so you can access whatever you have internally - is that right?
I know it's not for managing OPNsense, I'm just a bit surprised if Sophos and Cisco add this into their firewall products, that's all.
Sophos https://community.sophos.com/kb/en-us/117470
SonicWall http://help.sonicwall.com/help/sw/eng/9600/26/2/3/content/SSL_VPN_Virtual_Office.095.6.htm
FortiGate https://cookbook.fortinet.com/ssl-vpn-using-web-and-tunnel-mode-54/
... I can count more if you like.
I know it's overblown .. and I don't need it for myself, but it would make the project more attractive to prospects.
Well, that's my main concern. I have no objections to offering web tunnels when properly integrated and secured (which is what other vendors indeed also offer), but Guacamole just feels like too much, in my humble opinion.
That's why I opened this issue :) Let's wait what @fichtner thinks about it, there's no hurry on my side.
sure, no rush
@fichtner your objective opinion in this? :)
I need more time to eval the new build server speed and how to optimise the build process
To be frank, adding more software, especially larger dependency chains will bring the build time up to half a day at least which slows down response time for tests and releases, introduces more chances for breakage and also bloats major update set downloads, but that's just the cautious side talking....
OK, I think this pkg is not that important to risk all these downsides it brings into the build process. But perhaps it brought the awareness that modern (but also only commercial) NGFWs offer an HTML5 VPN :)
Let's revisit when we have a large deployment use case at hand?
Sure, there are many different VPNs available to reach the network behind .. but clientless is clientless :)
Hi all, I just found this discussion. My personal problem is that I'm stuck with a Sophos UTM Home License due to the fact that it is the ONLY solution that brings the HTML5 capabilities to a private home customer basis. But this is limited at some point. So from my private experience, this feature would boost the distribution of OPNsense in the community and also enable users that are using pfSense to switch to the OPNsense solution. :)
best regards Klaus
It's not our effort to make users switch from pf :) I have worked with Guacamole for some time now. The upgrade process on Linux itself is a mess; no idea how to support this in a stable manner.
It would be better to use the docker container somewhere behind your Firewall.
Some months ago I tested Guacamole as a central mgmt tool for SSH access. It could be used as a clientless HTML5 VPN, but the dependencies are huge: Java, Tomcat, MySQL.
Nonetheless .. can we use this as a start for a discussion to integrate it as a plugin?
Any opinions to this?