Raspberry Pi SSH tunnel
6/11/2023

For a project I'm working on, I'll have a Raspberry Pi sitting behind a 4G LTE modem. This modem is on AT&T's network, but regardless of the provider, unless you're willing to pay hundreds or thousands of dollars a month for a SIM with a public IP address, the Internet connection will be running behind CG-NAT.

What this means is there's no publicly routable address for the Pi: you can't access it from the public Internet, since it's only visible inside the cell network's private network.

There are a few different ways people have traditionally dealt with accessing devices running through CG-NAT connections:

And after weighing the pros and cons, I decided to go with option 3, since, for my needs, I want to have two ports open back to the Raspberry Pi:

Security Warning: Punching a hole through to any network, especially to expose something like a Raspberry Pi to the public Internet, increases your network's attack surface. You're responsible for your own security, and if you don't have a good grasp on fundamental Linux and SSH security, you might not want to do this.

Paid services like VPNs and ngrok run their own servers, but can cost upwards of $10-20/month if you want to run a lot of traffic through them. Sometimes they are easier for specific needs, but as I mentioned, I just wanted two open ports.

So I chose to use one of my existing DigitalOcean VPSes for the task. I pay $5/month for it, use it to host some websites, and it also gets assigned a static public IP address, so I can point a domain at it. On that VPS, I needed to configure SSH so it could work as a tunnel server.

SSH's AllowTCPForwarding option must be set to yes for this to work, and that's the default. You will need to configure the GatewayPorts option, so edit the SSH config file:

$ sudo nano /etc/ssh/sshd_config

And add the following line at the bottom:

GatewayPorts yes

Save your changes, and restart SSH:

$ sudo systemctl restart ssh

Confirm both settings are yes with:

$ sshd -T | grep -E 'gatewayports|allowtcpforwarding'

Security Warning: For better security, you can set GatewayPorts clientspecified, and then specify certain IP addresses allowed to connect. Or, you could restrict access to localhost by setting GatewayPorts no; that way only users who are logged into the tunnel server could access the Raspberry Pi via SSH.

The Raspberry Pi will need to be able to connect to the VPS via SSH, so you should create an SSH key pair for this purpose. On the Raspberry Pi, run:

$ ssh-keygen -t ed25519 -C "my-raspberry-pi-name"

This should create a public SSH key located at /home/pi/.ssh/id_ed25519.pub. Get the contents of that file by copying the output of:

$ cat /home/pi/.ssh/id_ed25519.pub

Now, log into your tunnel VPS, edit the ~/.ssh/authorized_keys file, paste the public key you just copied into a new line, and save that file.

At this point, you should be able to SSH into the VPS from your Raspberry Pi. You'll be prompted to accept the host key, so type yes when prompted, and you should be logged in.

Now, it's time to test if tunneling works. First, on the Raspberry Pi, run this command to configure a tunnel over the IPv4 interface between port 22 on the Pi and port 2222 on the VPS:

$ ssh -nNTv -R 0.0.0.0:2222:localhost:22

This will output a bunch of debug information, and eventually show:

debug1: client_input_global_request: rtype want_reply 0
debug1: remote forward success for: listen 0.0.0.0:2222, connect localhost:22
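As an added example (not code from the original post), here is a small POSIX shell script that checks the two sshd settings the post has you confirm with sshd -T, and builds a least-privilege authorized_keys entry for the Pi's key so that key can open only the port 2222 reverse forward and nothing else. It assumes OpenSSH 7.8 or newer on the VPS (for the permitlisten option); the sshd -T output and the public key in it are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks the effective sshd
# settings the post has you confirm, and builds a least-privilege
# authorized_keys entry for the Pi's tunnel key.
# Assumption: OpenSSH 7.8+ on the VPS (permitlisten), tunnel port 2222.

# sshd_forwarding_ok "<output of sshd -T>"
# Returns 0 when AllowTcpForwarding permits remote forwards and GatewayPorts
# is yes or clientspecified (the post's hardened variant); else prints why
# the reverse tunnel would not be reachable and returns 1.
sshd_forwarding_ok() {
    atf=$(printf '%s\n' "$1" | awk '$1 == "allowtcpforwarding" { print $2 }')
    gwp=$(printf '%s\n' "$1" | awk '$1 == "gatewayports" { print $2 }')
    case "$atf" in
        yes|all|remote) ;;
        *) echo "allowtcpforwarding is '$atf': sshd will refuse the -R forward"
           return 1 ;;
    esac
    case "$gwp" in
        yes|clientspecified) return 0 ;;
        *) echo "gatewayports is '$gwp': sshd ignores the 0.0.0.0 bind and listens on loopback only"
           return 1 ;;
    esac
}

# tunnel_key_line "<public key line>" [port]
# Prints an authorized_keys entry for the Pi's key: restrict removes shell,
# pty, agent and X11 forwarding; port-forwarding re-enables forwarding; and
# permitlisten limits remote (-R) forwards to the given port.
tunnel_key_line() {
    port=${2:-2222}
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$port" "$1"
}

# Constructed samples (not real sshd output or a real key).
SSHD_T_DEFAULT='allowtcpforwarding yes
gatewayports no'
SSHD_T_HARDENED='allowtcpforwarding yes
gatewayports clientspecified'
PI_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATAEXAMPLEKEYDATAEXAMPLEKEY my-raspberry-pi-name'

# Stand-alone run: report on both samples and print the hardened key line.
sshd_forwarding_ok "$SSHD_T_DEFAULT" || echo "default config: tunnel port not public"
sshd_forwarding_ok "$SSHD_T_HARDENED" && echo "hardened config: ok"
tunnel_key_line "$PI_PUBKEY"
```

On a real VPS, feed the script the output of `sshd -T` and paste the printed line into ~/.ssh/authorized_keys in place of the bare public key.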