Bosse_B
Posts: 1074
Joined: Thu Jan 30, 2014 9:53 am

Any way to reach an RPi sitting behind an ISP NAT router?

Sun Oct 18, 2020 7:41 pm

I have an RPi unit located in my vacation home with a mobile broadband router as Internet connection.
This RPi is managing a small monitoring system for temperatures etc in the house as well as intrusion detection.
I have set up the router with port forward of the SSH port to the RPi and it has worked fine for several years.

Now my ISP has decided to "improve" the connection so they have upped the monthly data allowance to 32 GB and doubled the subscription fee.

So I have tried another provider with coverage at the location at a lower cost, but it turns out the IP address given to the router by DHCP is not the same as what is reported by for example http://checkip.dyndns.com/
It looks like they have introduced another NAT layer inside their own network...

If this makes it totally impossible to reach the RPi on location then it will be unusable for me.

So my question is then:
Is there some trick I can use in order to get through to the RPi even in this NAT case?

Can my RPi be set up (via cron or something else) to connect out to another RPi sitting in my home and then talk to and from the internet via this?
It would be something akin to a VPN tunnel initiated on the client side but opening up for access initiated from the other side.

I can't even think up a good search on google for this kind of question....
Bo Berglund
Sweden

DougieLawson
Posts: 40123
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: Any way to reach an RPi sitting behind an ISP NAT router?

Sun Oct 18, 2020 7:45 pm

RealVNC's cloud stuff will let you reach any RPi from anywhere as long as it can connect out to the public internet.
Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All fake doctors are on my foes list.

Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

PiGraham
Posts: 4174
Joined: Fri Jun 07, 2013 12:37 pm
Location: Waterlooville

Re: Any way to reach an RPi sitting behind an ISP NAT router?

Sun Oct 18, 2020 8:04 pm

You could also try TeamViewer server for remote admin. That seems to have no problems with firewalls and it's free for personal use.

Bosse_B
Posts: 1074
Joined: Thu Jan 30, 2014 9:53 am

Re: Any way to reach an RPi sitting behind an ISP NAT router?

Sun Oct 18, 2020 8:08 pm

That might be possible for the desktop, but I have services on the RPi, which I want to be reachable from outside the internal network.
For example I have written a system that manages external equipment attached to the RPi and it uses a client interface over TCP/IP sockets that I have also written. It works fine as long as the RPi is reachable...

Do you mean that they have some kind of service on their computers that channel the traffic I want to initiate from the outside to go to the RPi on the inside? And this is not the GUI interface...

DougieLawson
Posts: 40123
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: Any way to reach an RPi sitting behind an ISP NAT router?

Sun Oct 18, 2020 8:15 pm

If you're behind a NAT you're always going to need an external server to connect through. That could be your local system with a "reverse tunnel".

jools72
Posts: 26
Joined: Sun Sep 29, 2019 12:40 pm

Re: Any way to reach an RPi sitting behind an ISP NAT router?

Sun Oct 18, 2020 8:27 pm

You could try a reverse VPN tunnel. I managed to do this in a case where my ISP didn't have a public IP for my RPi. Can't remember the guide I used but it is possible. Basically the Raspberry initiates a VPN connection to your computer instead of the other way around.

NimbUx
Posts: 268
Joined: Fri Jan 03, 2020 10:33 am

Re: Any way to reach an RPi sitting behind an ISP NAT router?

Sun Oct 18, 2020 8:52 pm

There are workarounds for your uneasy situation (which is "double NAT", carrier-grade NAT if I understand clearly). Various forms of "reverse" tunneling, as others have suggested.
One which has not been mentioned yet would be running a Tor hidden service, aka onion service, on your Pi.

jools72
Posts: 26
Joined: Sun Sep 29, 2019 12:40 pm

Re: Any way to reach an RPi sitting behind an ISP NAT router?

Sun Oct 18, 2020 9:29 pm

Also, your ISP may be able to provide you with a public IP for a small extra charge.

rpdom
Posts: 17695
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Any way to reach an RPi sitting behind an ISP NAT router?

Mon Oct 19, 2020 1:35 am

I use the VPN with external server method. All I need is one system accessible via a public IP address (with port forwarding if needed) and I can get to my home systems from almost anywhere (some WiFi networks block too much to be of any use).

Although I have a Pi at home that can be accessed via port forwarding, I have set up a couple of external VPS servers (which I use for other things) with VPN software on both of them, a Pi at home with the same software, and my laptop also with the same software for when I'm away from home. The Pi at home connects to either or both of the servers, and so does my laptop when I'm out and about. That way I can access my home systems from anywhere and my laptop has the same internal IP address as it would at home.

I normally only route internal network traffic across my VPN, but with a quick routing change I was able to route traffic to one particular UK web site through my VPN so I could access it while I was on holiday in Sweden.
Unreadable squiggle

bls
Posts: 844
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA

Re: Any way to reach an RPi sitting behind an ISP NAT router?

Mon Oct 19, 2020 1:44 pm

jools72 wrote:
Sun Oct 18, 2020 8:27 pm
You could try a reverse VPN tunnel. I managed to do this in a case where my ISP didn't have a public IP for my RPi. Can't remember the guide I used but it is possible. Basically the Raspberry initiates a VPN connection to your computer instead of the other way around.

I helped a friend of mine set one of these up from his mountain location (via Hughes Gen 5) to his house. He controls it remotely by setting a "flag file" on the internet somewhere that his mountain Pi checks regularly. When the flag file is set, the mountain Pi starts the VPN. Works great!
Pi tools:
Quickly and easily build customized-just-for-you SD Cards: https://github.com/gitbls/sdm
Easily run your network's DHCP/DNS on a Pi: https://github.com/gitbls/ndm
Easy strongSwan VPN installer/manager: https://github.com/gitbls/pistrong
Lightweight Virtual VNC Config: https://github.com/gitbls/RPiVNCHowTo
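
The flag-file polling described in the post above, as an added example that is not part of the thread and is not code from pistrong: the remote Pi runs this from cron, accepts only the exact token `up`, and treats every other response (error page, empty body, unreachable host) as "tunnel down". `FLAG_URL`, `TUNNEL_UP`, `TUNNEL_DOWN`, `STATE_FILE`, the script path in the cron line and the `up` token format are all assumptions.

```shell
#!/bin/sh
# Added example: cron-driven flag-file check for an on-demand tunnel.
# All four settings below are placeholders (assumptions), not pistrong's.
FLAG_URL="${FLAG_URL:-https://flag.example.invalid/pi-tunnel.flag}"
TUNNEL_UP="${TUNNEL_UP:-echo start-tunnel-placeholder}"    # your VPN start command
TUNNEL_DOWN="${TUNNEL_DOWN:-echo stop-tunnel-placeholder}" # your VPN stop command
STATE_FILE="${STATE_FILE:-/tmp/pi-tunnel.state}"

# Only the exact token "up" requests the tunnel. An empty body, an HTML
# error page or "up" with anything appended all fail closed to "down";
# flag content is never passed to a command.
wanted_state() {
    case "$1" in
        up) echo up ;;
        *)  echo down ;;
    esac
}

# Wanted vs. current state -> start | stop | none
decide_action() {
    if [ "$1" = "$2" ]; then echo none
    elif [ "$1" = up ]; then echo start
    else echo stop
    fi
}

# HTTPS only, short timeout, at most 16 bytes kept; errors yield "".
fetch_flag() {
    curl --silent --fail --proto '=https' --max-time 10 "$FLAG_URL" \
        2>/dev/null | head -c 16 | tr -d '\r\n'
}

# One polling pass: fetch, decide, act, record; prints the action taken.
poll_once() {
    flag=$(fetch_flag) || flag=""
    current=$(cat "$STATE_FILE" 2>/dev/null || echo down)
    action=$(decide_action "$(wanted_state "$flag")" "$current")
    case "$action" in
        start) $TUNNEL_UP >&2 && echo up > "$STATE_FILE" ;;
        stop)  $TUNNEL_DOWN >&2 && echo down > "$STATE_FILE" ;;
    esac
    echo "$action"
}

# From cron: */5 * * * * /usr/local/bin/pi-tunnel-poll.sh run
if [ "${1:-}" = run ]; then poll_once; fi
```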

Bosse_B
Posts: 1074
Joined: Thu Jan 30, 2014 9:53 am

Re: Any way to reach an RPi sitting behind an ISP NAT router?

Mon Oct 19, 2020 4:51 pm

bls wrote:
Mon Oct 19, 2020 1:44 pm
jools72 wrote:
Sun Oct 18, 2020 8:27 pm
You could try a reverse VPN tunnel. I managed to do this in a case where my ISP didn't have a public IP for my RPi. Can't remember the guide I used but it is possible. Basically the Raspberry initiates a VPN connection to your computer instead of the other way around.

I helped a friend of mine set one of these up from his mountain location (via Hughes Gen 5) to his house. He controls it remotely by setting a "flag file" on the internet somewhere that his mountain Pi checks regularly. When the flag file is set, the mountain Pi starts the VPN. Works great!

So the "Mountain Pi" calls home via VPN (OpenVPN?) on demand via a flag file on his webserver or similar?
What I would like to know then is how VPN is configured such that once the remote pi has connected it will be "visible" for connection from my own computer on the LAN? Can I SSH that way for instance?
Depending on VPN solution this must be about routing and IP address ranges, right?

When I normally set up OpenVPN server on a Pi then the tunnel is using a completely different IP address range than either endpoint, like 10.8.19.xxx.
And the OpenVPN server has IPTABLES set up to route calls coming in from the remote client to either the internal LAN or the Internet gateway depending on the destination address.
So the client can see the LAN and also go to the Internet via the tunnel. (I also have connections that stay on their own Internet connection and only route LAN addresses via the tunnel.)
But I have so far never used the other direction, i.e. connecting to the VPN client from a computer on the LAN.

bls
Posts: 844
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA

Re: Any way to reach an RPi sitting behind an ISP NAT router?

Mon Oct 19, 2020 7:09 pm

Bosse_B wrote:
Mon Oct 19, 2020 4:51 pm

So the "Mountain Pi" calls home via VPN (OpenVPN?) on demand via a flag file on his webserver or similar?
What I would like to know then is how VPN is configured such that once the remote pi has connected it will be "visible" for connection from my own computer on the LAN? Can I SSH that way for instance?
Depending on VPN solution this must be about routing and IP address ranges, right?

When I normally set up OpenVPN server on a Pi then the tunnel is using a completely different IP address range than either endpoint, like 10.8.19.xxx.
And the OpenVPN server has IPTABLES set up to route calls coming in from the remote client to either the internal LAN or the Internet gateway depending on the destination address.
So the client can see the LAN and also go to the Internet via the tunnel. (I also have connections that stay on their own Internet connection and only route LAN addresses via the tunnel.)
But I have so far never used the other direction, i.e. connecting to the VPN client from a computer on the LAN.

Yep, you've got it. This VPN is using strongSwan, which is an IPsec/IKEv2 VPN. My friend can SSH either way (mountain to home, or home to mountain) when the VPN is up. And, yes, indeed, there are some restrictions on IP address ranges, and the tunnel configuration script gathers all that info and "does the right thing", assuming that the IP ranges are set up correctly.

The VPN was installed on both ends using https://github.com/gitbls/pistrong, and the tunnel was built using the makeTunnel script that you'll find there.

HTH. If you have any more questions on it, happy to answer them here or on the above GitHub.