5

I am trying to set up a remote connection (from anywhere in the world, not just locally) to my Raspberry Pi 3. I want to do so without port forwarding, and without a third-party service (such as Weaved or Digitalocean). Only using open-source software. I am even willing to pay for a dedicated domain and server if the solution requires it.

To describe what I have, take a look at the attached image - my network configuration. I have an RPi3 at home with a static IP address. It is connected to a router (wlan0). And I want to connect to the RPi3 from "My laptop" - via SSH.

My network setup

Possible solutions that I read on different forums: There is a possibility to establish a reverse ssh connection to my laptop. The problem is that my Home router's firewall won't let any incoming connection go through - I don't want to open ports such as 3389.

My questions are:

  1. If I establish this reverse tunnel, is it possible for my laptop to connect to the RPi3 at any moment I want? Or do I need to implement it on the RPi3 as scheduled service and then I'd be able to connect only every hour or so?
  2. How can I implement this, theoretically?
Greenonline
mtbno

4 Answers

4

First of all:

You MUST have an open port to connect to something. Anything else is like talking to someone's locked front-door instead of that person.

Reverse tunnelling:

This means that the Pi3 connects to something. Then orders that something to return traffic through that same connection.

This way you can talk to your Pi3 through that tunnel. Which in reality is a forwarded open port. Except for two things.

  1. The exposed socket is located at another external IP than your home.
  2. Traffic in the tunnel goes over ssh, which should be encrypted. That means your ISP can't see what the packages contain.

Laptop vs 3rd party:

If your laptop has:

  1. The same IP all the time (or a very fast ddns).
  2. An ssh-socket exposed to the web.

Then you won't need a third party. The Pi3 can ssh (connect) to you, and then you use that connection to connect to whatever you want at home. If you don't have both those points sorted, you'll need a third party.

The third party:

Has to be somewhere that both your laptop and your Pi3 can connect to at any time. It has to be something that accepts ssh connections, and that can forward traffic both to, and from both the Pi and Laptop back through those connections.

Security:

If that third party has shitty security, you're better off forwarding an external port at home, to port 22 on the Pi3.

And securing the Pi3. Like allowing ONLY pubkey authentication, No external root logins. NO password logins. And setting options to ignore traffic (for an hour or two) from any IP with more than 5 or 6 failed login-attempts in 15 minutes (just an example).

Tunnel Persistence:

For the Pi3 to stay accessible, if you go with reverse-tunnelling, you can use something like autossh combined with cron-jobs. Perfect to keep the tunnel(s) up when possible. Even after reboots, the Pi3 will connect to its target.

svin83
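
The hardening settings listed under "Security" in the answer above can be checked mechanically. The following is an added example, not part of the original answer: a POSIX shell audit of the global section of an sshd_config (it stops at the first Match block and does not follow Include lines), run here on two constructed sample files.

```shell
#!/bin/sh
# Added example. sshd keeps the FIRST value it reads for each keyword.
# effective_value FILE KEYWORD DEFAULT -> value sshd would use, lowercased
effective_value() {
    awk -v key="$2" -v val="$3" '
        BEGIN { key = tolower(key) }
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # trim the line
        /^#/ || /^$/ { next }                        # comments, blank lines
        { split($0, f, /[ \t=]+/); k = tolower(f[1]) }
        k == "match" { exit }                        # global section ends
        k == key { val = tolower(f[2]); exit }       # first occurrence wins
        END { print val }
    ' "$1"
}

# check FILE KEYWORD OPENSSH_DEFAULT WANTED -> prints a finding, returns 1 if weak
check() {
    got=$(effective_value "$1" "$2" "$3")
    [ "$got" = "$4" ] || { echo "WEAK: $2 is '$got', want '$4'"; return 1; }
}

# audit_sshd_config FILE -> exit status is the number of weak settings
audit_sshd_config() {
    n=0
    check "$1" PasswordAuthentication yes no || n=$((n + 1))
    check "$1" PermitRootLogin prohibit-password no || n=$((n + 1))
    check "$1" PubkeyAuthentication yes yes || n=$((n + 1))
    return "$n"
}

# Constructed sample configs, not taken from a real host
write_samples() {
    cat > "$1/weak" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
# hardening appended later: ignored, the earlier values already won
PasswordAuthentication no
PermitRootLogin no
EOF
    cat > "$1/hardened" <<'EOF'
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
EOF
}

demo=$(mktemp -d); write_samples "$demo"
audit_sshd_config "$demo/weak" || echo "weak: $? finding(s)"
audit_sshd_config "$demo/hardened" && echo "hardened: no findings"
```

On a live host, `sshd -T` prints the effective configuration, including anything pulled in through Include, and is the authoritative check.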
0

I know the original poster didn't want to use a third party service, but some are free and work really well.

Take PiTunnel.com for example. I needed to access a bunch of Pi's remotely. I set this up in a few minutes and had remote terminal, status monitoring, and tunnels to web server and vnc working in no time.

(Full disclosure, I'm the creator of PiTunnel and we created it specifically to solve this problem for ourselves and others looking to do the same thing)

goldilocks
user1592096
0

The reverse tunnel should work. If you ssh with a reverse tunnel from your rpi to your laptop (the ssh connection) then a port will be open on the laptop so that when you connect to said port of the laptop (either from the laptop itself or another computer that has access to the laptop, it really depends on how you try to set up the reverse tunnel and the ssh service restrictions on the laptop) then you will connect to some host/port on the rpi side (which very well could be some service of the rpi itself). This all depends on the laptop being reachable from the rpi. If your laptop has a public IP address then you should not have any problem at all... however, if you are talking about connection to your laptop (or from your laptop with the ssh tunnel already set up, anyway) anywhere, even behind proxies and stuff (as in when you are at a private LAN), then you need both computers (rpi and laptop) on a different setup.

It might sound like overkill, but have you considered setting up a server on a VM provider so that you can access it with your rpi and your laptop so that they can see each other on a VPN? That should be enough.

eftshift0
0

Accessing your RaspberryPi (or even laptops/servers) from outside your home network (meaning, from the internet) is not an easy task, because your home laptop or RaspberryPi has only a local IP address (in the 10.x.x.x range or 192.168.x.x range). It doesn't have a Public IP address that is visible from the Internet.

The simple answer to your question is to use free online services like SocketXP, which provides a secure public tunnel endpoint to SSH into your RaspberryPi from outside the home network.

Full disclosure: I am the founder of SocketXP.

The reason I recommend SocketXP (a third party service and not a self-hosted service) is that when you use SSH over the internet, it is highly secure. No one could decrypt your data without knowing your private key. Why go through the pain of hosting your own VM in the cloud just for the sake of getting a Public IP (to act like a fulcrum to log in to your RPi)?

SocketXP provides a simple, secure and easy way to access your home RaspberryPi from the outside network. It gives you a free public IP. With SSH your data is encrypted end-to-end. Even SocketXP cannot decrypt your data connection.

SocketXP doesn't require you to hack any settings in your WiFi router. It works out of the box. To know how to set up your RaspberryPi to SSH from outside, read this blog on how to remote SSH into your RaspberryPi using SocketXP.

How to set up SocketXP:

Step 1: Install SocketXP client on your RaspberryPi using the following command.

$ curl -O https://portal.socketxp.com/download/linux/socketxp && chmod +wx socketxp && sudo mv socketxp /usr/local/bin

Step 2: Connect SocketXP client with SocketXP Cloud Service using the following command. You need to register at https://portal.socketxp.com to get your unique auth-token.

$ socketxp -register "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1NDk1MTg0MDAsImlkIjoiZ2FuZXNodmVscmFqYW5AZ21ha6K208n0.cB2uYevpH4lWIQGQUJdQ0eiEDqS8OiP_YOiqernnui3rjjadfadsfsfas34"

Step 3: Get a public tunnel endpoint to access your RaspberryPi from the internet.

$ socketxp -connect tcp://localhost:22

Tunnel Access -> tunnel.socketxp.com:35277

Step 4: SSH into your RaspberryPi from the internet using the following command.

$ ssh raspberry-username@tunnel.socketxp.com -p 35277

where "raspberry-username" is the username/password you use to SSH login to your RaspberryPi.

goldilocks