Enable SSH from WAN (with Security Best Practices)
⚠️ Security Warning: Opening SSH to the internet is risky. Consider using a VPN instead. If you must enable WAN SSH, follow these security measures. The firewall rules below use VyOS 1.4 syntax (`firewall ipv4 input filter`) and assume that chain already has a default-action of drop; on a router without an input filter an accept rule changes nothing, because the SSH port is reachable already.
Method 1: Basic SSH from WAN (Not Recommended)
configure
# Listen on every address (DANGEROUS: sshd answers on the WAN interface).
# Leaving listen-address unset has the same effect.
set service ssh listen-address 0.0.0.0
set service ssh port 22
# Accept SSH on the input chain. This matches on every interface, not just WAN;
# add 'inbound-interface name eth2' (your WAN interface) if you want it scoped.
set firewall ipv4 input filter rule 100 action accept
set firewall ipv4 input filter rule 100 destination port 22
set firewall ipv4 input filter rule 100 protocol tcp
set firewall ipv4 input filter rule 100 description 'Allow SSH from WAN'
commit
save
Method 2: Secure SSH from WAN (Recommended)
configure
# Move SSH to a non-standard port. This only cuts log noise from mass scanners;
# it is not a security control, so the settings that follow are what matter.
set service ssh port 2222
set service ssh listen-address 0.0.0.0
# Keys only. Set this AFTER your public key is in the configuration and a key
# login has been tested, otherwise you lock yourself out (see "Setup SSH Key
# Authentication" below).
set service ssh disable-password-authentication
# Accept SSH only from a specific source (YOUR home/office public IP). If that
# address is dynamic it will change and lock you out; use the VPN approach instead.
set firewall ipv4 input filter rule 100 action accept
set firewall ipv4 input filter rule 100 destination port 2222
set firewall ipv4 input filter rule 100 protocol tcp
set firewall ipv4 input filter rule 100 source address YOUR.PUBLIC.IP.ADDRESS
set firewall ipv4 input filter rule 100 description 'Allow SSH from trusted IP'
commit
save
Method 3: SSH with Rate Limiting (Best When You Have No Fixed Source IP)
configure
# Non-standard port (log noise reduction only, see Method 2)
set service ssh port 2222
set service ssh listen-address 0.0.0.0
# Keys only (after a key login has been verified)
set service ssh disable-password-authentication
# Rate limit new SSH connections per source address. The VyOS 'recent count N time T'
# match fires once a source has EXCEEDED N new connections within T, so the drop rule
# must come first and the plain accept rule after it. (With the order reversed, normal
# logins fall through to the default drop and only a brute forcer gets accepted.)
set firewall ipv4 input filter rule 100 action drop
set firewall ipv4 input filter rule 100 destination port 2222
set firewall ipv4 input filter rule 100 protocol tcp
set firewall ipv4 input filter rule 100 state new
set firewall ipv4 input filter rule 100 recent count 4
set firewall ipv4 input filter rule 100 recent time minute
set firewall ipv4 input filter rule 100 description 'Drop SSH brute force - more than 4 new connections per minute'
# Accept SSH connections that are under the limit. This also throttles you: opening
# more than four sessions in a minute (ssh plus scp, for example) trips the rule.
set firewall ipv4 input filter rule 101 action accept
set firewall ipv4 input filter rule 101 destination port 2222
set firewall ipv4 input filter rule 101 protocol tcp
set firewall ipv4 input filter rule 101 description 'Allow SSH from WAN - rate limited'
commit
save
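The rule order in Method 3 matters enough to be worth seeing rather than reading. The following is an added example, not VyOS code or anything from this article: it models the documented `recent count 4 time minute` behaviour (the match fires once a source has exceeded four new connections within a minute) as a per-rule sliding window keyed by source address, and evaluates two rule orders with first-match semantics. The real implementation is an nftables rate limit, so the timing at the margins is an approximation; the source addresses and attempt times are constructed.

```python
"""Simulate first-match evaluation of VyOS 'recent count 4 / time minute' rules.

Added example, not VyOS code. Models the documented 'recent' behaviour as a
per-rule sliding window; the nftables rate limit underneath differs slightly
in timing, but the ordering lesson is identical. Attempts are constructed.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # 'recent time minute'
COUNT = 4             # 'recent count 4'


class RecentMatch:
    """One rule's 'recent' state: sliding window of attempt times per source."""

    def __init__(self, count=COUNT, seconds=WINDOW_SECONDS):
        self.count = count
        self.seconds = seconds
        self.seen = defaultdict(deque)

    def exceeds(self, src, now):
        """Record this attempt; True once the source is over the limit."""
        q = self.seen[src]
        while q and now - q[0] >= self.seconds:
            q.popleft()
        q.append(now)
        return len(q) > self.count


def evaluate(rules, attempts, default_action="drop"):
    """First matching rule wins; later rules (and their counters) are skipped."""
    verdicts = []
    for now, src in attempts:
        verdict = default_action
        for action, matches in rules:
            if matches(src, now):
                verdict = action
                break
        verdicts.append(verdict)
    return verdicts


def page_order():
    """Original Method 3 order: accept-if-over-limit, then drop-if-over-limit."""
    return [("accept", RecentMatch().exceeds), ("drop", RecentMatch().exceeds)]


def corrected_order():
    """Drop-if-over-limit first, then an unconditional accept for the SSH port."""
    return [("drop", RecentMatch().exceeds), ("accept", lambda src, now: True)]


ATTACKER, ADMIN = "198.51.100.7", "203.0.113.9"
# Constructed: new TCP connections to port 2222 as (seconds, source address)
ATTEMPTS = [(0, ATTACKER), (5, ATTACKER), (10, ATTACKER), (12, ADMIN),
            (15, ATTACKER), (20, ATTACKER), (25, ATTACKER), (90, ATTACKER)]

if __name__ == "__main__":
    for name, rules in (("page order", page_order()), ("corrected", corrected_order())):
        print(f"{name:10s}", evaluate(rules, ATTEMPTS))
```

With the original order every ordinary login, including the admin's single attempt, falls through to the default drop, and the attacker is accepted from the fifth attempt onward; with the drop rule first, the first four attempts per source are accepted, the burst is dropped, and the source is accepted again once the window has passed.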
Method 4: Port Knocking (Concept Only; Not Valid VyOS Syntax)
Port knocking hides the SSH port until a client has first connected, in order, to a secret sequence of closed ports. It is obscurity rather than authentication: it adds nothing beyond key-only login, and anyone who can observe your traffic learns the sequence. More importantly, the listing below cannot be committed on VyOS: the `recent set`, `recent check` and `recent name` keys do not exist (the VyOS `recent` match takes only `count` and `time`), and nothing in it implements the "opens for 30 seconds" window. It is kept here only to show the intended logic. Note also that with sshd bound to the LAN address and left on port 22, the final accept rule for port 2222 would let nothing through even if the knock worked.
configure
# NOT VALID VyOS SYNTAX from here to 'commit': illustration of the intended knock logic only
# SSH listens only on the LAN address
set service ssh listen-address 192.168.99.1
# Intended knock sequence: ports 7000, 8000, 9000 in order,
# after which port 2222 is meant to open for 30 seconds (no line below enforces the timeout)
set firewall ipv4 input filter rule 90 action accept
set firewall ipv4 input filter rule 90 destination port 7000
set firewall ipv4 input filter rule 90 protocol tcp
set firewall ipv4 input filter rule 90 recent set
set firewall ipv4 input filter rule 90 recent name knock1
set firewall ipv4 input filter rule 91 action accept
set firewall ipv4 input filter rule 91 destination port 8000
set firewall ipv4 input filter rule 91 protocol tcp
set firewall ipv4 input filter rule 91 recent check
set firewall ipv4 input filter rule 91 recent name knock1
set firewall ipv4 input filter rule 91 recent set
set firewall ipv4 input filter rule 91 recent name knock2
set firewall ipv4 input filter rule 92 action accept
set firewall ipv4 input filter rule 92 destination port 9000
set firewall ipv4 input filter rule 92 protocol tcp
set firewall ipv4 input filter rule 92 recent check
set firewall ipv4 input filter rule 92 recent name knock2
set firewall ipv4 input filter rule 92 recent set
set firewall ipv4 input filter rule 92 recent name knock3
# Allow SSH only after knock sequence
set firewall ipv4 input filter rule 100 action accept
set firewall ipv4 input filter rule 100 destination port 2222
set firewall ipv4 input filter rule 100 protocol tcp
set firewall ipv4 input filter rule 100 recent check
set firewall ipv4 input filter rule 100 recent name knock3
set firewall ipv4 input filter rule 100 description 'SSH after port knock'
commit
save
To use port knocking (client side):
# From the remote client, knock the sequence; -w 1 stops nc waiting on the closed ports
nc -z -w 1 your.wan.ip 7000
nc -z -w 1 your.wan.ip 8000
nc -z -w 1 your.wan.ip 9000
# Then SSH within the window
ssh -p 2222 vyos@your.wan.ip
Setup SSH Key Authentication (Required for Security)
Do this before you set disable-password-authentication, and test a key login first: once passwords are off, a missing or mistyped key means a lockout.
On your client machine (Linux/Mac):
# Generate an ed25519 SSH key if you don't have one
ssh-keygen -t ed25519 -C "your-name@example.com"
# Copy the public key to VyOS (password login must still be enabled at this point)
ssh-copy-id -p 2222 vyos@your.wan.ip
ssh-copy-id only appends to ~/.ssh/authorized_keys, which VyOS regenerates from the configuration whenever the user's login configuration is applied (at boot and on commit), so the key does not persist. Put it in the configuration instead; the key body is the middle field of ~/.ssh/id_ed25519.pub and the type must match the key you generated:
configure
# Add your public key (ed25519 keys start with AAAAC3NzaC1lZDI1NTE5; an RSA key would use type ssh-rsa)
set system login user vyos authentication public-keys mykey key 'AAAAC3NzaC1lZDI1NTE5AAAA...your-public-key-here'
set system login user vyos authentication public-keys mykey type ssh-ed25519
commit
save
Better Alternative: Use WireGuard VPN Instead
Instead of exposing SSH, expose a VPN and SSH through it. WireGuard does not answer packets that do not come from a configured peer key, so the UDP port looks closed to scanners, and sshd is never reachable from the internet at all:
configure
# Set up WireGuard on the router. VyOS 1.4 keeps the private key in the configuration;
# generate a pair on the router with 'generate pki wireguard key-pair' and paste it here.
set interfaces wireguard wg0 address 10.99.99.1/24
set interfaces wireguard wg0 private-key 'YOUR_PRIVATE_KEY'
set interfaces wireguard wg0 port 51820
# Add the client peer: its public key and the single VPN address it may use
set interfaces wireguard wg0 peer client1 allowed-ips 10.99.99.2/32
set interfaces wireguard wg0 peer client1 public-key 'CLIENT_PUBLIC_KEY'
# Allow WireGuard from WAN
set firewall ipv4 input filter rule 50 action accept
set firewall ipv4 input filter rule 50 destination port 51820
set firewall ipv4 input filter rule 50 protocol udp
set firewall ipv4 input filter rule 50 description 'WireGuard VPN'
# SSH only listens on LAN and VPN
set service ssh listen-address 192.168.99.1
set service ssh listen-address 10.99.99.1
commit
save
Then connect via VPN first, then SSH.
Security Checklist
Before enabling WAN SSH:
- [ ] Add your SSH public key to the configuration and verify a key login works
- [ ] Disable password authentication (keys only)
- [ ] Restrict the accept rule to your source IP if that IP is static
- [ ] Rate limit new connections with the firewall `recent` match (drop rule before accept rule)
- [ ] Keep the input filter default-action at drop and scope the accept rule to the WAN interface
- [ ] Change the default SSH port (e.g., 2222, 2244, 8822); this only reduces scanner noise and is not a security control
- [ ] Monitor auth logs regularly (fail2ban is unsupported on VyOS, see below)
- [ ] Consider VPN instead
Monitor SSH Access
# View SSH login attempts (Accepted / Failed lines from sshd)
show log | match sshd
# Local accounts with TTY, source address and last login (VyOS 1.4)
show system login users
# Real-time auth log monitoring
monitor log | match sshd
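Reading `show log | match sshd` by eye works for one router on a quiet day; the added example below (not from this article or from VyOS) applies the same rule the fail2ban jail further down uses, three failures within a window, to syslog-style sshd lines as VyOS prints them, and also lists any successful password login, which must never appear once `disable-password-authentication` is set. The log lines are constructed sample data, not a real capture.

```python
"""Flag brute-force sources and password logins in sshd log lines.

Added example, not from the page or VyOS. Uses OpenSSH's standard log wording
as shown by 'show log | match sshd'. SAMPLE_LOG is constructed, not captured.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

TIMESTAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) ")
FAILED = re.compile(r"sshd\[\d+\]: Failed (?:password|publickey|none) for (?:invalid user )?"
                    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (?P<method>publickey|password) for "
                      r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

SAMPLE_LOG = """\
Mar 10 12:00:01 vyos sshd[2101]: Invalid user admin from 198.51.100.7 port 51000
Mar 10 12:00:01 vyos sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Mar 10 12:00:04 vyos sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2
Mar 10 12:00:09 vyos sshd[2105]: Failed password for root from 198.51.100.7 port 51004 ssh2
Mar 10 12:00:10 vyos sshd[2105]: Disconnected from authenticating user root 198.51.100.7 port 51004 [preauth]
Mar 10 12:01:30 vyos sshd[2110]: Accepted publickey for vyos from 203.0.113.9 port 52000 ssh2: ED25519 SHA256:Qm9ndXM
Mar 10 12:02:15 vyos sshd[2112]: Failed publickey for vyos from 203.0.113.9 port 52004 ssh2: ED25519 SHA256:T3RoZXI
Mar 10 13:30:00 vyos sshd[2200]: Failed password for vyos from 192.0.2.44 port 40000 ssh2
Mar 10 13:30:20 vyos sshd[2201]: Accepted password for vyos from 192.0.2.44 port 40002 ssh2
"""


def parse_line(line):
    """Return {'ts', 'ip', 'user', 'event', 'method'} for an auth event, else None.

    'Invalid user' lines are ignored on purpose: a probe for an unknown account
    also logs a 'Failed password' line, so counting both double counts it.
    """
    m = TIMESTAMP.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog lines carry no year
    a = ACCEPTED.search(line)
    if a:
        return {"ts": ts, "ip": a.group("ip"), "user": a.group("user"),
                "event": "accepted", "method": a.group("method")}
    f = FAILED.search(line)
    if f:
        return {"ts": ts, "ip": f.group("ip"), "user": f.group("user"),
                "event": "failed", "method": None}
    return None


def events(lines):
    return [e for e in map(parse_line, lines) if e]


def failures_by_ip(lines):
    counts = defaultdict(int)
    for e in events(lines):
        if e["event"] == "failed":
            counts[e["ip"]] += 1
    return dict(counts)


def offenders(lines, maxretry=3, findtime=600):
    """fail2ban-style: {ip: time of the failure that would trigger the ban}."""
    window = defaultdict(deque)
    banned = {}
    for e in events(lines):
        if e["event"] != "failed" or e["ip"] in banned:
            continue
        q = window[e["ip"]]
        q.append(e["ts"])
        while (q[-1] - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[e["ip"]] = e["ts"]
    return banned


def password_logins(lines):
    """Successful password logins: empty once disable-password-authentication is set."""
    return [(e["user"], e["ip"]) for e in events(lines)
            if e["event"] == "accepted" and e["method"] == "password"]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("failures per source:", failures_by_ip(lines))
    print("would be banned:", {ip: t.strftime("%H:%M:%S") for ip, t in offenders(lines).items()})
    print("password logins (should be none):", password_logins(lines))
```

On the sample, 198.51.100.7 reaches three failures in eight seconds and would be banned at 12:00:09; the admin's single failed publickey attempt from 203.0.113.9 is noise, and the password login from 192.0.2.44 is the line that should make you check whether `disable-password-authentication` is actually committed.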
Fail2Ban (Block Brute Force Attempts)
VyOS is Debian-based, but installing packages with apt is not supported and anything installed this way is lost on the next image upgrade; the firewall `recent` rule from Method 3 is the supported way to throttle brute force on the router itself. If you still want fail2ban on a lab box:
# Install fail2ban (unsupported on VyOS; does not survive an image upgrade)
sudo apt update
sudo apt install fail2ban
# Configure the sshd jail (nano may not be installed; vi is)
sudo vi /etc/fail2ban/jail.local
Add:
[sshd]
enabled = true
port = 2222
filter = sshd
# Verify this path exists on your VyOS version; if it does not, remove logpath
# and set 'backend = systemd' so fail2ban reads sshd messages from the journal
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
# Check banned IPs
sudo fail2ban-client status sshd
Find Your WAN IP
# From the VyOS router (eth2 assumed to be the WAN interface)
show interfaces ethernet eth2
# From a client on your LAN: the address the internet sees. If it differs from the
# eth2 address (e.g. eth2 has a 100.64.0.0/10 carrier-NAT address), inbound SSH
# will not reach the router at all and the VPN approach is the only option.
curl ifconfig.me
Test Connection
# From an external network (not from your own LAN, where the WAN rule is not what gets exercised)
ssh -p 2222 vyos@your.wan.ip
# Verbose for troubleshooting (shows which authentication methods are offered and tried)
ssh -vvv -p 2222 vyos@your.wan.ip
Disable WAN SSH (Revert to LAN Only)
configure
# Remove the WAN firewall rules (rule 101 only exists if you used Method 3)
delete firewall ipv4 input filter rule 100
delete firewall ipv4 input filter rule 101
# SSH only on LAN
delete service ssh listen-address 0.0.0.0
set service ssh listen-address 192.168.99.1
commit
save
My Recommendation
Best approach:
- Set up WireGuard VPN on port 51820
- Keep SSH on LAN only (192.168.99.1)
- Connect to VPN first, then SSH
This is much more secure than exposing SSH directly to the internet!