clifer4
Posts: 3
Joined: Mon Jul 09, 2018 10:06 pm

Access Raspberry Pi outside of local network, without port forwarding or third party software

Mon Jul 09, 2018 10:39 pm

Intro
Hello everyone,

I am a beginner to networking and I have seen numerous topics on the internet on how to remotely communicate with Raspberry Pi (3) outside of local network, e.g.: Unfortunately, it is still hard for me to understand how this works, plus not all of the tips match my desired outcome. I know that I can access my device using the port 3389. However, I don't want to open that on my router, as it may cause a security risk. And I don't want to use any commercial software such as Weaved (basically I need something like Weaved, just self-made).

My setup

I have connected the Raspberry Pi to my local network using WiFi, the Pi has a static IP address at 192.168.0.7 (I was able to accomplish this in my router settings by matching the Pi's MAC address; for others, whose routers don't have that option, this might be useful). The router gateway is at 192.168.0.1.

What I need

I need to be able to access the Pi (not remote desktop, just shell) from anywhere in the world, using a secured connection. The problem I am facing is the router and its firewall. I heard it can be "bypassed" with reverse tunneling, but I am not sure how to.

Any help is appreciated.

topguy
Posts: 4750
Joined: Tue Oct 09, 2012 11:46 am
Location: Trondheim, Norway

Re: Access Raspberry Pi outside of local network, without port forwarding or third party software

Tue Jul 10, 2018 9:50 am

However, I don't want to open that on my router, as it may cause a security risk.
That risk is 100% controllable by you. You control the forwarding to a specific IP and port on your LAN. You decide what service will be listening on that port on that machine... you decide the security of that service.

This method does not pose any extra risk compared to the one thing you are already wanting to do (letting the internet access one port on your Pi).


Reverse tunnelling is what those cloud services are based on, only possible if you know exactly which internet machine/ip-address you will connect from in the future.

clifer4
Posts: 3
Joined: Mon Jul 09, 2018 10:06 pm

Re: Access Raspberry Pi outside of local network, without port forwarding or third party software

Tue Jul 10, 2018 12:19 pm

Thank you for the info, what if I just want to do that anyway? On top of that, I was going through my router settings and I was not able to find anything about port forwarding :cry:

Z80 Refugee
Posts: 358
Joined: Sun Feb 09, 2014 1:53 pm

Re: Access Raspberry Pi outside of local network, without port forwarding or third party software

Tue Jul 10, 2018 12:32 pm

clifer4 wrote:
Tue Jul 10, 2018 12:19 pm
I was going through my router settings and I was not able to find anything about port forwarding
That may be because you are using the free router supplied by the likes of BT with your broadband package. Typically, settings like that are locked down and not made available via the web admin interface. Contrary to common misconception, you can connect your own router instead (regaining control, and ditching the freeloader facilities BT throws open so other BT subscribers can get hot spot access at the expense of your bandwidth).
Military and Automotive Electronics Design Engineer (retired)

For the best service: make your thread title properly descriptive, and put all relevant details in the first post (including links - don't make us search)!

drgeoff
Posts: 8442
Joined: Wed Jan 25, 2012 6:39 pm

Re: Access Raspberry Pi outside of local network, without port forwarding or third party software

Tue Jul 10, 2018 1:23 pm

All BTHomeHubs to date have made port forwarding available to the end user.

clifer4
Posts: 3
Joined: Mon Jul 09, 2018 10:06 pm

Re: Access Raspberry Pi outside of local network, without port forwarding or third party software

Tue Jul 10, 2018 1:38 pm

Thank you for the tips with port forwarding, but when I don't want to use it, is reverse tunneling the answer? Will I be able to bypass my router firewall and not cause my local network to be at security risk?

As topguy says:
...only possible if you know exactly which internet machine/ip-address you will connect from in the future

Does this mean I need a dedicated IP address outside of my network which I can use? I own a domain which basically is an IP address, that's what I could use.

I just don't know how to establish such a connection. Somewhere I read that I can set up a service (script, cronjob, not sure) on my Raspberry Pi that will establish such a connection at a regular interval, let's say every hour, but I need to connect to the Pi anywhere and anytime I want.

mutrised
Posts: 44
Joined: Thu Nov 08, 2012 12:41 am
Location: France

Re: Access Raspberry Pi outside of local network, without port forwarding or third party software

Tue Jul 10, 2018 3:12 pm

It may be too much for what you want but I give it anyway.

If you don't want to open a remote display port on your public interface, which I understand, you may set up a VPN on your Pi.

You then will need to open a port anyway, 1194 by default for OpenVPN.

This will give you secure remote access to your local network, which means to your pi:3389 port.

It's not THAT hard to set up... I always follow this: https://www.digitalocean.com/community/ ... n-debian-8

The difference is it gives you full access to your pi with quite strong security (VPN encryption).

I don't know if it will fit your needs, but that's what I would do
RPI2B 7/24 - web, NAS/media, Owncloud and more
RPI0 7/24 - VPN, DHCP, DNS (including filtering), wakeonlan proxy
RPI0W - VPN gateway providing secure WIFI AP and network router, some kind of internet BOX when on the move ;)

topguy
Posts: 4750
Joined: Tue Oct 09, 2012 11:46 am
Location: Trondheim, Norway

Re: Access Raspberry Pi outside of local network, without port forwarding or third party software

Tue Jul 10, 2018 3:24 pm

Does this mean I need a dedicated IP address outside of my network which I can use?
Yes, sort of, and this is exactly the service that Weaved and those others provide for you. They are the fixed point that the Pi can connect to, and then you can access that connection from their server again.
I own a domain which basically is an IP address
No it's not.. but if the domain is linked to a server you control (and not just another web-hotel) then you could in theory set it up as a reverse tunnelling server.

The option that isn't mentioned so far is to set up OpenVPN on the Pi, but then you have to log into the OpenVPN first before you connect to the real service on the Pi.
You still have to open a port in the router for OpenVPN, but now you are exposing a VPN service that you can assume is pretty secure and you can care less about the security of the other service.

My suggestion is to use port-forwarding but remember to follow a few rules of thumb.
- Always change password of "pi" user to something secure.
- Your service shall not run as root.
- Your service shall not run as a user that can do sudo.
- ... and someone will probably add a few more...

mfa298
Posts: 1274
Joined: Tue Apr 22, 2014 11:18 am

Re: Access Raspberry Pi outside of local network, without port forwarding or third party software

Thu Jul 12, 2018 12:24 pm

clifer4 wrote:
Tue Jul 10, 2018 1:38 pm
Thank you for the tips with port forwarding, but when I don't want to use it, is reverse tunneling the answer? Will I be able to bypass my router firewall and not cause my local network to be at security risk?
It's a potential option, but may not be any more secure than port forwarding on your router. To set up a reverse tunnel you generally need to ssh into something that's got a (reasonably) fixed public address (i.e. a vps server). To connect to your pi you either need the reverse tunnel listening for connections (at which point it's arguably less secure than port forwarding as it's more complex to set up and understand). You may also be able to tunnel from your client to the vps server which may make things a bit more secure but adds to the complexity.
topguy wrote:
Tue Jul 10, 2018 3:24 pm
My suggestion is to use port-forwarding but remember to follow a few rules of thumb.
- Always change password of "pi" user to something secure.
- Your service shall not run as root.
- Your service shall not run as a user that can do sudo.
- ... and someone will probably add a few more...

- Set a strong password for any user with password authentication (or disable ability to login remotely from any open service).
- For any service that sends credentials ensure it's suitably protected (i.e. use ssh or https) and for anything else tunnel it (ssh tunnel or vpn for rdp/vnc over that if you need a desktop).
- For non-public services restrict the addresses that can connect to it and/or move it to a non-standard port (non-standard port isn't so much security but it stops log spam and defeats a lot of bots).
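
One way to check an SSH server (the Pi behind a port forward, or the relay a reverse tunnel lands on) against the rules of thumb collected above; this is an added example, not code from any poster in the thread. It assumes OpenSSH's sshd_config format; the function names, the sample configs and the 203.0.113.* address are constructed, and GatewayPorts is included because it decides whether a reverse-forwarded port on the relay is reachable from outside.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the thread's rules of thumb.

# Print the effective value of keyword $2 in file $1, or default $3 if unset.
# sshd uses the first occurrence of a keyword; keywords are case-insensitive.
# Assumption: "Keyword value" syntax only; parsing stops at the first Match block.
sshd_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); val = tolower($0); found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

# Print one finding per line; exit status is non-zero if anything was flagged.
audit_sshd_config() {
    f=$1; n=0
    flag() { n=$((n + 1)); echo "$1"; }
    [ "$(sshd_value "$f" PasswordAuthentication yes)" = no ] ||
        flag "PasswordAuthentication: passwords accepted, so every account needs a strong one"
    [ "$(sshd_value "$f" PermitRootLogin prohibit-password)" = no ] ||
        flag "PermitRootLogin: root login is not fully disabled"
    [ "$(sshd_value "$f" GatewayPorts no)" = no ] ||
        flag "GatewayPorts: reverse-tunnel listeners can bind to public interfaces"
    [ -n "$(sshd_value "$f" AllowUsers "")" ] ||
        flag "AllowUsers: no restriction on which users or source addresses may log in"
    [ "$(sshd_value "$f" Port 22)" != 22 ] ||
        flag "Port: standard port 22, expect log spam from bots"
    [ "$n" -eq 0 ]
}

# Constructed sample configs (not taken from the thread).
weak_config() { printf '%s\n' '# relay defaults' 'PermitRootLogin yes' 'GatewayPorts yes'; }
hard_config() {
    printf '%s\n' 'Port 2222' 'PasswordAuthentication no' 'PermitRootLogin no' \
        'GatewayPorts no' 'AllowUsers tunnel@203.0.113.*'
}

tmp=$(mktemp); weak_config > "$tmp"
audit_sshd_config "$tmp" || echo "weak sample: review the findings above"
hard_config > "$tmp"
audit_sshd_config "$tmp" && echo "hardened sample: no findings"
rm -f "$tmp"
```

Settings inside a Match block are not evaluated, so a config that uses them still needs a manual read.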
