hanayama404
Posts: 1
Joined: Mon Oct 07, 2019 3:00 pm

How can i access my raspberry pi at home from anywhere in the most secure way?

Mon Oct 07, 2019 3:19 pm

Hi, I've just purchased a Raspberry Pi 3B+ and I want it to serve mainly as a web server.
I also want to be able to remotely access it outside of my LAN, so from anywhere. I don't know too much about networking and I'm wondering how I can do this without putting my home network at risk.

As I'm currently studying web development I want to be able to access it from school and upload/host websites on it basically.

I've been reading some topics about this and my understanding is that I need to do some port forwarding and then access the Raspberry Pi through my router, but I want to do this the most secure way possible. Any help/tips are highly appreciated, thanks!


epoch1970
Posts: 3867
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: How can i access my raspberry pi at home from anywhere in the most secure way?

Mon Oct 07, 2019 4:24 pm

hanayama404 wrote:
Mon Oct 07, 2019 3:19 pm
how I can do this without putting my home network at risk.
Set up a so-called "DMZ" supplementary network at home, and allow access from the outside to this network alone. In the other direction, make sure machines in the "DMZ" network cannot access the main LAN, only the Internet.
E.g. your LAN 192.168.1.0/24, add a new DMZ network 192.168.88.0/24 and configure your router to filter accesses.
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel

tpyo kingg
Posts: 639
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: How can i access my raspberry pi at home from anywhere in the most secure way?

Mon Oct 07, 2019 5:06 pm

If you're planning on accessing it via SFTP using Nautilus, Filezilla, WinSCP, or Cyberduck, then you'll need to make sure you change the default password prior to turning on port forwarding. You'd then need to forward a chosen external port on the router to port 22 on your Raspberry Pi. Bonus if you set up key-based authentication and turn off passwords for SSH/SFTP.

geektechstuff.com
Posts: 17
Joined: Sat Mar 02, 2019 8:08 pm
Contact: Website

Re: How can i access my raspberry pi at home from anywhere in the most secure way?

Tue Oct 08, 2019 7:55 pm

Make sure you change the default Pi password and set up a firewall on the Pi ( https://geektechstuff.com/2019/06/22/in ... pberry-pi/ ) if you are allowing direct web traffic to it.
www.geektechstuff.com

fruitoftheloom
Posts: 21067
Joined: Tue Mar 25, 2014 12:40 pm
Location: Delightful Dorset

Re: How can i access my raspberry pi at home from anywhere in the most secure way?

Wed Oct 09, 2019 5:10 am

hanayama404 wrote:
Mon Oct 07, 2019 3:19 pm
Hi, I've just purchased a Raspberry Pi 3B+ and I want it to serve mainly as a web server.
I also want to be able to remotely access it outside of my LAN, so from anywhere. I don't know too much about networking and I'm wondering how I can do this without putting my home network at risk.

As I'm currently studying web development I want to be able to access it from school and upload/host websites on it basically.

I've been reading some topics about this and my understanding is that I need to do some port forwarding and then access the Raspberry Pi through my router, but I want to do this the most secure way possible. Any help/tips are highly appreciated, thanks!

https://www.raspberrypi.org/blog/get-ba ... c-connect/
Retired disgracefully.....
This at present is my daily "computer" https://www.asus.com/us/Chrome-Devices/Chromebit-CS10/

calleblyh
Posts: 71
Joined: Thu Feb 12, 2015 6:14 pm
Location: Southwest Finland

Re: How can i access my raspberry pi at home from anywhere in the most secure way?

Wed Oct 09, 2019 4:31 pm

goodburner wrote:
Mon Oct 07, 2019 4:21 pm
I use ngrok, very easy to run and free for most use cases.

https://www.dexterindustries.com/howto/ ... l-network/
I tried to install using sudo wget https://dl.ngrok.com/ngrok_2.0.19_linux_arm.zip , but unfortunately I get an error message

[email protected]:~ $ sudo wget https://dl.ngrok.com/ngrok_2.0.19_linux_arm.zip
--2019-10-09 19:28:48-- https://dl.ngrok.com/ngrok_2.0.19_linux_arm.zip
Resolving dl.ngrok.com (dl.ngrok.com)... failed: Name or service not known.
wget: unable to resolve host address ‘dl.ngrok.com’

I have no idea what could be wrong? Any help appreciated

Carl Blyh / Helsinki

deepo
Posts: 251
Joined: Sun Dec 30, 2018 8:36 pm

Re: How can i access my raspberry pi at home from anywhere in the most secure way?

Wed Oct 09, 2019 6:03 pm

calleblyh wrote:
Wed Oct 09, 2019 4:31 pm
goodburner wrote:
Mon Oct 07, 2019 4:21 pm
I use ngrok, very easy to run and free for most use cases.

https://www.dexterindustries.com/howto/ ... l-network/
I tried to install using sudo wget https://dl.ngrok.com/ngrok_2.0.19_linux_arm.zip , but unfortunately I get an error message

[email protected]:~ $ sudo wget https://dl.ngrok.com/ngrok_2.0.19_linux_arm.zip
--2019-10-09 19:28:48-- https://dl.ngrok.com/ngrok_2.0.19_linux_arm.zip
Resolving dl.ngrok.com (dl.ngrok.com)... failed: Name or service not known.
wget: unable to resolve host address ‘dl.ngrok.com’

I have no idea what could be wrong? Any help appreciated

Carl Blyh / Helsinki
It's telling you that the server dl.ngrok.com no longer exists.
Have a look here instead:
https://ngrok.com/download

/Mogens

SyncBerry
Posts: 51
Joined: Sat Sep 21, 2019 11:13 am
Location: France (S-W)

Re: How can i access my raspberry pi at home from anywhere in the most secure way?

Wed Oct 09, 2019 6:29 pm

You would have to set only 2 rules in firewalls for this (the fewer the rules, the fewer resources for this job).
The path in official documentation:
Your Pi is at home (protected from world nasties by your router, which defaults to blocking anyone asking anything from the outside... unless it has UPnP enabled)
So, first, on the Pi, change the password for user pi and its name (search the recent thread here in my posts ->)
If you have already started your web server, use the native firewall in Linux (netfilter/iptables). If lost there, install gufw (gnome uncomplicated firewall) from the official Raspbian repo. You have 3 profiles there: one is firewall disabled, two are firewall enabled (not sure if the single difference between these 2 is supported by the current Raspbian kernel: the difference is, when a visitor knocks at the door and the firewall is instructed by the defaults and you to refuse to let him come in, either the firewall will reply why or will reply nothing).
Remote access
As long as you're in front of the Pi keyboard, you can select one of the 2 active profiles in gufw (the firewall won't prevent you from local logins)
Then learn some bits of SSH, already embedded in most Linux distributions.
Choose key authentication for your SSH server, so create your keys, put the public part in the file ~/.ssh/authorized_keys, set your SSH server to refuse password authentication (all this is in the official doc).
Test your SSH login
Then you can create the firewall rule to accept SSH from anywhere (anyone being you ATM, with regard to your private key (don't leave it unprotected)).
Retest
Go out of home (with your IP in mind), retest: if you can log in and never put your hands in the firewall of your router, that means it had UPnP enabled (imagine rotten server software in Windows or even Linux or any box with IoT inside asking your router to open their door!). Now decide to leave UPnP enabled and you're done with SSH, or decide to disable it and then you will have to take a last step: set your Pi for a static IP (the way you want, real static set in the Pi, or my preferred (centralization), a DHCP lease in your router) so that you can then instruct the router to allow SSH (port 22>22 or random>22, or random>same-random (for this last, set the SSH server port in the conf where you disabled password auth etc...)) in to the Pi.
Once your HTTP server is secured with its own methods, go back into your router to instruct it to allow http[s] to the Pi (which already has its own static IP).
Then you can use VNC over SSH to gain remote GUI access to your Pi. I prefer this to relying on an additional service for security (VNC). You only need to choose the VNC client you'll give your trust. I stuck to my old VNC 5 for accesses from Windows because I hate to install new software, and for my nuxes I selected Remmina long ago, so I stick with it.

You'll love this peace of mind: help with your /etc/hosts file:
/etc/hosts :
<public IP>   pi     # for remote access (or name it "pir" on this line)
<LAN IP>      pil    # the one you set (in the router DHCP lease or static); or name it "pi" on this line


In a terminal, ssh pi when you just want a command line on the Pi (or ssh pir, or pil, see above)
In the Remmina GUI, simply double-click a pir VNC-type entry to have Remmina trigger the SSH tunnel and place the VNC over it when I want the Pi GUI. You may here also want another entry (pil, calling hosts' pil entry) for when you're at home (in bed away from keyboard).
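
A check to run before the router forward goes in, for the step tpyo kingg and SyncBerry both describe (keys on, passwords off). This is an added example, not code from anyone in the thread; the function names and the three sample files are constructed for illustration, and it assumes a single sshd_config with no Include lines.

```shell
#!/bin/sh
# Added example: is password login really off in this sshd_config?

# Print the value sshd would use for KEYWORD in the global section of FILE.
# sshd keeps the FIRST value it reads for a keyword, matches keywords
# case-insensitively, and accepts "Keyword value" or "Keyword=value".
effective_value() {
    awk -v want="$2" '
        BEGIN { FS = "[ \t=]+"; want = tolower(want) }
        { sub(/^[ \t]+/, "") }              # drop indentation, re-split fields
        /^(#|$)/ { next }                   # comment or blank line
        tolower($1) == "match" { exit }     # conditional blocks start here
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

# Succeeds only when keys are accepted and passwords are refused.
# A missing keyword falls back to the OpenSSH default ("yes" for both).
keys_only() {
    pw=$(effective_value "$1" PasswordAuthentication)
    pk=$(effective_value "$1" PubkeyAuthentication)
    [ "${pw:-yes}" = "no" ] && [ "${pk:-yes}" = "yes" ]
}

# Constructed sample files (not taken from the thread).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/hardened" <<'EOF'
#PasswordAuthentication yes
PubkeyAuthentication yes
passwordauthentication no
EOF
cat > "$SAMPLES/appended_too_late" <<'EOF'
PasswordAuthentication yes
# hardening added at the end of the file: ignored, the first value wins
PasswordAuthentication no
EOF
cat > "$SAMPLES/only_in_match" <<'EOF'
PubkeyAuthentication yes
Match Address 192.168.1.0/24
    PasswordAuthentication no
EOF

for f in hardened appended_too_late only_in_match; do
    if keys_only "$SAMPLES/$f"; then verdict="keys only"
    else verdict="passwords still accepted"; fi
    printf '%-18s %s\n' "$f" "$verdict"
done
```

On the Pi itself, `sudo sshd -T` prints the effective configuration as the running OpenSSH version resolves it, which is the authoritative answer when Include files or Match blocks are involved.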
