Remote Access

Having your own tiny in-home server is great, but what about when you want to access your files or services from outside of your home network? There are many ways to tackle this problem. Many of them require that you open up ports in your firewall or use some sort of dynamic DNS service to keep track of your ever-changing home IP address. I use a reverse SSH tunnel, which I find to be reliable and functional.

Reverse SSH Tunnel

SSH stands for Secure Shell, which is a fancy way of saying "connect to a remote machine securely." When you establish a secure connection to a remote machine, you have the option to set up a tunnel using a feature called "port forwarding", which is a fancy way of saying "When someone tries to connect to a certain port on the remote machine, forward that connection back to me." Using port forwarding, you can SSH out from your NASpberry Pi to a remote server in the cloud with a static IP address, and connect back into your NASpberry Pi from anywhere on the internet through that cloud server. The catch is that you need to have access to a server. I use Digital Ocean for $5/month.

You can find more info on setting up a Linux server, and what port forwarding is and how it works, but I'm going to just dive in and talk about how I have it set up.

AutoSSH

I use a program called AutoSSH to keep an SSH session open from my NASpberry Pi to my cloud server all the time, with the appropriate ports forwarded so I can access my NASpberry Pi from anywhere on the net. So the first thing we need to do is install AutoSSH:

sudo apt-get install autossh
Next, we need to set up a systemd service so that AutoSSH starts as soon as our NASpberry Pi boots up, and so we can stop and restart it easily. Create a new file for your service:
sudo vi /etc/systemd/system/autossh.service
and enter the following information, making sure to update the values as marked by <placeholders>:
[Unit]
Description=Keeps a tunnel to '<your.server.address>' open
After=network-online.target

[Service]
User=pi
# -p [PORT]
# -l [user]
# -M [port] --> autossh monitoring port (-M 0 --> no monitoring)
# -N Just open the connection and do nothing (not interactive)
# -R [port on the cloud server]:[host as seen from the Pi]:[port on that host]
ExecStart=/usr/bin/autossh -M 2222 -N -q -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -p 22 -l pi <your.server.address> -R 1234:127.0.0.1:22 -i /home/pi/.ssh/id_rsa

[Install]
WantedBy=multi-user.target
This script makes some assumptions: Once you update this script to meet your specific use cases, you need to register this service:
sudo systemctl enable /etc/systemd/system/autossh.service
sudo systemctl start autossh.service
Now you can start/stop/restart your AutoSSH tunnel on your NASpberry Pi anytime you want with the following commands:
sudo service autossh stop
sudo service autossh start
sudo service autossh restart

Security

With the above setup, you can SSH into your NASpberry Pi from anywhere on the internet by SSH'ing to your cloud server on port 1234, which will be forwarded to your NASpberry Pi. This also means that anyone else on the internet can (try to) SSH into your NASpberry Pi from anywhere on the internet. Now, if you disable password auth, that helps, but I take it a step further by blocking the forwarded port (in this example, port 1234) from being accessed on my cloud server, which means that in order to access my NASpberry Pi, I have to first SSH to my cloud server and then SSH into my NASpberry Pi from there. This adds an extra step to the process, but it keeps things slightly more secure.
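
Two sshd settings decide how exposed this setup is: PasswordAuthentication, and on the cloud server GatewayPorts, which controls whether a remote-forwarded port such as 1234 is bound to loopback only (the sshd default) or can listen on public interfaces. The script below is an added example, not part of the original post; the function names and the two sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check the two sshd settings
# that decide who can reach a forwarded port such as 1234.

# effective_value FILE KEYWORD DEFAULT
# sshd keeps the first value it reads for a keyword; keywords are
# case-insensitive. Simplification: Include files and Match blocks are ignored.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { FS = "[ \t=]+"; key = tolower(key) }
        { sub(/^[ \t]+/, "") }
        /^#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_tunnel_server FILE: prints findings, returns 0 only if both checks pass.
audit_tunnel_server() {
    rc=0
    pw=$(effective_value "$1" PasswordAuthentication yes)   # sshd default: yes
    gw=$(effective_value "$1" GatewayPorts no)              # sshd default: no
    if [ "$pw" != "no" ]; then
        echo "FAIL PasswordAuthentication=$pw: password logins are still accepted"
        rc=1
    fi
    if [ "$gw" != "no" ]; then
        echo "FAIL GatewayPorts=$gw: forwarded ports may listen on public interfaces"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK password logins disabled, forwarded ports bound to loopback"
    fi
    return "$rc"
}

# Constructed sample configs (not taken from any real server).
demo_dir=$(mktemp -d)
printf '%s\n' '# hardened' 'PasswordAuthentication no' 'GatewayPorts no' \
    > "$demo_dir/hardened.conf"
printf '%s\n' 'gatewayports yes' 'GatewayPorts no' 'Match User pi' \
    '    PasswordAuthentication no' > "$demo_dir/exposed.conf"
for f in "$demo_dir"/*.conf; do
    echo "== ${f##*/}"
    audit_tunnel_server "$f" || true
done
```

On a live system, `sudo sshd -T` prints the effective configuration in the same keyword-value form, so its output can be saved to a file and passed to `audit_tunnel_server`.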

