SSH on External IP -- how to

ridgerunnersjw · Wed Jul 31, 2019 2:48 pm

Hello...
I have a Raspberry Pi 3 B. I have started the SSH server on it and successfully changed the port number to something other than 22. I know this because on my local windows machine I can putty into it. I am however having issues getting the unit to work external to my LAN. I have gone into my local router and setup port forwarding to the correct port and the correct IP (yes I have done an IP reservation on the Pi). I have gone into my windows firewall and created an inbound rule for the new port. However when I type netstat -a at the cmd in windows my port does NOT show up....Is there something else I need to do to make sure that I can remotely ssh into my raspberry pi? I am assuming that if I type:

http://{my router IPv4 address}:{my new port number}

at a web browser page that my login credentials should show up for my Pi, yet they don't??

Thanks
Steve

jerrm · Wed Jul 31, 2019 3:09 pm

Browsers generally don't speak ssh. Use putty or other ssh client from outside just as you would from inside.

ridgerunnersjw · Wed Jul 31, 2019 3:24 pm

Is there a way to test it inside before going out to give me a sense of knowing it is going to work?

rpdom · Wed Jul 31, 2019 3:27 pm

ridgerunnersjw wrote: ↑
Wed Jul 31, 2019 3:24 pm
Is there a way to test it inside before going out to give me a sense of knowing it is going to work?

Not usually. Many routers will not support what is known as "hairpin routing" where they have to route back their external address into the internal network. They only allow outbound, inbound, or direct local traffic.

DarrenHill · Wed Jul 31, 2019 3:46 pm

Use a phone or tablet with mobile data and test it from there. It's basically a remote connection from the comfort of your own home.

Just also make sure that you have a good strong password (and ideally remove the Pi username and use a newly created different one) or better still set up key access as if you're forwarding the port to your Pi then it's exposed to anyone on the internet and can be port-scanned and found.

As noted SSH doesn't work through the browser, but there are several SSH clients for both PCs (Putty being the most common) and tablets/phones.

Also make sure that your router has a fixed public IP address (the external one that your ISP provides and that is visible from the internet, not the 192.168.x.x one it has on your internal network), or make use of a DDNS service to route a fixed url address to your router's external IP address.

ridgerunnersjw · Wed Jul 31, 2019 3:59 pm

So how to do I know if the external (ISP IP address) is fixed?....Yes I see it... Secondly when I putty from location a to server at location b, do I type my external ISP IP, my internal router IP or my fixed LAN address on my Pi to connect?

rpdom · Wed Jul 31, 2019 4:47 pm

ridgerunnersjw wrote: ↑
Wed Jul 31, 2019 3:59 pm
So how to do I know if the external (ISP IP address) is fixed?

You will be paying extra to your ISP for a fixed IP address. Sometimes you will be lucky, my Virgin Media IP address stays the same most of the time. Occasionally I have to reset things.

Secondly when I putty from location a to server at location b, do I type my external ISP IP, my internal router IP or my fixed LAN address on my Pi to connect?

You put in the external IP address. Your router will forward that to your internal address.

ridgerunnersjw · Wed Jul 31, 2019 4:54 pm

Thanks all for the help....I was able to use my cell as a hotspot for my laptop and get onto my local internal network via SSH.....

default_user8 · Wed Jul 31, 2019 4:55 pm

ridgerunnersjw wrote: ↑
Wed Jul 31, 2019 3:59 pm
So how to do I know if the external (ISP IP address) is fixed?....Yes I see it... Secondly when I putty from location a to server at location b, do I type my external ISP IP, my internal router IP or my fixed LAN address on my Pi to connect?

Typically residential ISP's do not issue static IP addresses(at least not that i've seen in the US, since I don't know where you are). You didn't need to change your port for your ssh server, however you will need to set up a port forward in your router to access your Pi from the internet. To make things easier on yourself since 22 is the default port you should change it back to 22 for use on your internal LAN. Then you can pick whatever port you want and forward that external port to 22 internally. You will then need to use a DNS (such as https://freedns.afraid.org/ a free DNS service that i use)service to forward request to your external ip address unless you plan on keeping up with what your ip address manually. The problem with that is your ISP can change your external ip address at any time so you take the chance of them changing it while you are out and about.

Andyroo · Wed Jul 31, 2019 6:46 pm

I use DYNU for management and just run this script at a regular basis to keep the DNS record updated:

Code: Select all

#!/usr/bin/python3

import logging
import sys
from subprocess import PIPE, run

if len(sys.argv) > 1:
    if sys.argv[1].upper() == 'DEBUG':
        log_level = logging.DEBUG
    elif sys.argv[1].upper() == 'INFO':
        log_level = logging.INFO
    else:
        log_level = logging.INFO
else:
    log_level = logging.INFO

logging.basicConfig(filename='/home/pi/IP-change.log',level=log_level, datefmt='%Y/%m/%d %H:%M:%S', format='%(asctime)s %(message)s')

pwd = "https://api.dynu.com/nic/update?hostname=DOMAINNAMEHERE&password=PASSWORDHERE"

update = run(['curl', pwd], stdout=PIPE, stderr=PIPE)

logging.debug('Program executed under debug logging')
logging.debug('Return code = ' + str(update.returncode))
logging.debug('Return Data = ' + update.stdout.decode())

if update.returncode > 0:
    logging.warning('Curl failed with code ' + str(update.returncode))

if update.stdout.decode() != 'nochg':
    logging.info('IP address change - ' + update.stdout.decode())

Running it with debug as the first parameter let’s me see what it’s doing but normally I just run it in info mode to show updates.

You may want to look at fail2ban to lock out Pi addresses that find the port change.

jerrm · Wed Jul 31, 2019 8:11 pm

Make sure the password is good and strong, or better yet, use key files.

thagrol · Wed Jul 31, 2019 9:00 pm

If you're feeling paranoid do what I do:

Don't expose ssh/port 22 to the internet. Instead set up an openvpn server and route all inbound connections through that.

Sure it's more complicated but you can do more than just access a single Pi over ssh with it.

DarrenHill · Wed Jul 31, 2019 9:03 pm

Personally I would favour Wireguard over OpenVPN, but either works.

For the external address changing question, simplest way is to note what the current one is (your router dashboard will usually display it, or you can get it from websites like https://www.myexternalip.com/ (there are loads of such sites, that was just the first one Google threw up) then reboot your router and check again.

The most common time for them to change is when your router reconnects to your ISP, so if you do the above and it changes then you'll need a suitable DDNS service like NoIP or similar.

SSH on External IP -- how to

SSH on External IP -- how to

Re: SSH on External IP -- how to

Re: SSH on External IP -- how to

Re: SSH on External IP -- how to

Re: SSH on External IP -- how to

Re: SSH on External IP -- how to

Re: SSH on External IP -- how to

Re: SSH on External IP -- how to

Re: SSH on External IP -- how to

Re: SSH on External IP -- how to

Re: SSH on External IP -- how to

Re: SSH on External IP -- how to

Re: SSH on External IP -- how to