Connection Agent

Connection Agent

This page is dedicated to the DynFi Manager Connection Agent. 

What is the DynFi Connexion Agent ?

The DynFi Connection Agent (DFConAg) is a plugin available both for pfSense®-CE and OPNsense® firewall devices. 

It works in conjunction with the Connection Agent back-end found on the DynFi manager. 

The goals of this package are the following:

  • Ease the addition of new devices into the DynFi Manager
  • Allow connections to be initiated from the Firewall to the Manager 
  • Limit the number of manipulation requested by end-users to deploy their devices

 

Screencast of DynFi Connection Agent

 

 

What are the steps needed to install and use this Agent ?

1. Install the agent 

For pfSense-CE: 

You can simply copy and paste the link below as root on your pfSense® devices. This will download and deploy the connexion agent on your devices.  

root@pfsense:~# pkg add -f https://dynfi.com/connection-agent/download/pfsense/pfSense-pkg-dfconag-1.2.txz

or  

root@pfsense:~# curl https://dynfi.com/connection-agent/download/pfsense/dfconag-1.2-installer.sh --output /tmp/dfconag-installer.sh && sh /tmp/dfconag-installer.sh
Once the Agent is installed you will have a new menu located in: Services >> DynFi Connection Agent
You will be prompted to allow the install of the autossh service "Click here to install the autossh" service. Please proceed.
You are now able to use the connexion agent, please refer to the section "adding your first device". 
 
Please note that the DFConAg is not compatible with pfSsense-Plus which is no longer Open Source
 

For OPNsense: 

root@opnsense:~# pkg add -f https://dynfi.com/connection-agent/download/opnsense/os-dfconag-1.2.txz
or
  
root@opnsense:~# wget -O - https://dynfi.com/connection-agent/download/opnsense/dfconag-1.2-installer.sh | sh

 

2. Deploy your first device 

Enable the Connexion Agent on the Dynfi Manager 

You should make sure that your DynFi Manager configuraiton file (located in /etc/dynfi.conf) contains the following lines:  

connectionAgentPort=2222​

This will enable your the connexion Agent SSH service on the Manager. 

Please make sure that the port you are using is unique and not used by any other service. 

Also make sure that you are allowing incoming SSH connexion from your remote devices (if DynFi is protected by a firewall).

 

Restart the DynFi Manager using: 

# systemctl restart dynfi

The DynFi Manager status of Connection Agent shall now be  Green  and ready to operate. 

 

Generate your first token on DynFi Manager

Just go to the DynFi Manager >> Connection Agent.

Go to Connection Agent >> Tokens. 

Specify the validity period of the token and other parameters and generate your token. 

Your token will appear in an overlay window, you can copy or download the token. 

 

Deploy your first device 

Paste the copied token into your device's Connection Agent and validate the action.

Either let the Connexion Agent generate a key pair between your Manager and your firewall device (prefered method) or use some other SSH credentials. 

Validate and the Agent shall connect automtically to the DynFi Manager. 

 

3. Troubleshooting  

Most of the time the problem will come from port access problems. So make sure that you have the proper firewall rules enabled mostly on the Manager side. 

This is a common mistake which will prevent the Firewalls from self registering.