dpslusser
Posts: 5
Joined: Sat Feb 21, 2015 7:04 pm

Remote Access to PI behind any network

Sun Jun 10, 2018 8:58 pm

All,

I am trying to think through a project I have coming up where I will be deploying 3 RPis in a network where I cannot configure the facility's firewall/network. But I need remote access to the PIs.

The PIs will have guest WIFI/Internet access though.

One thought I had was to enable an OpenVPN server here at my house, and then get the PIs to connect as OVPN clients.

Even though I have never done this with a PI, I have done it with my own PC to my home.

Is there any reason this wouldn't allow me access to the PIs remotely?

I'll have to set up the PIs' OVPN to connect to my home through DDNS since my IP changes every few months.

Any other thoughts or concerns?

PiGraham
Posts: 3212
Joined: Fri Jun 07, 2013 12:37 pm
Location: Waterlooville

Re: Remote Access to PI behind any network

Sun Jun 10, 2018 9:08 pm

I think you can run TeamViewer on Pi and that works well to allow access into a network without configuration. AFAIK both ends must have internet access to TeamViewer's servers to make contact though.

See also "reverse VNC" and "reverse SSH tunnel"

dpslusser
Posts: 5
Joined: Sat Feb 21, 2015 7:04 pm

Re: Remote Access to PI behind any network

Mon Jun 11, 2018 12:56 am

I use TeamViewer pretty heavily, and I will probably install it on the PI regardless.

The main problem is this:

Even though the PI will be connected to WIFI at this facility, the network port of the PI will have a device connected to it which I need to program remotely. The programming software can't run on the PI. So, essentially, the PI will be used as a WIFI Bridge for this particular device connected via LAN to the PI.

B.Goode
Posts: 5808
Joined: Mon Sep 01, 2014 4:03 pm
Location: UK

Re: Remote Access to PI behind any network

Mon Jun 11, 2018 5:18 am

Some possible options include the 'cloud' access feature of RealVNC https://www.raspberrypi.org/documentati ... /README.md and various 'reverse ssh tunnel' utilities from third parties such as Dataplicity. https://www.dataplicity.com

DougieLawson
Posts: 32679
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: Remote Access to PI behind any network

Mon Jun 11, 2018 9:30 am

Microprocessor, Raspberry Pi & Arduino Hacker
Mainframe database troubleshooter
MQTT Evangelist
Twitter: @DougieLawson

2012-18: 1B*5, 2B*2, B+, A+, Z, ZW, 3Bs*3, 3B+

Any DMs sent on Twitter will be answered next month.

PiGraham
Posts: 3212
Joined: Fri Jun 07, 2013 12:37 pm
Location: Waterlooville

Re: Remote Access to PI behind any network

Mon Jun 11, 2018 10:13 am

dpslusser wrote:
Mon Jun 11, 2018 12:56 am

The main problem is this:

Even though the PI will be connected to WIFI at this facility, the network port of the PI will have a device connected to it which I need to program remotely. The programming software can't run on the PI. So, essentially, the PI will be used as a WIFI Bridge for this particular device connected via LAN to the PI.

So you want to make the Ethernet port on the remote Pi appear as a local network port on your local PC so that some software for device programming can run locally but program a remote device. Is that it?

Or do you just need to bridge the remote Pi network to your local PC network so that TCP/IP traffic is routed to the programmable device?
In either case it seems a rather different question than you seemed to be asking.

This discussion mentions OpenVPN.
https://serverfault.com/questions/62635 ... vpn-tunnel

epoch1970
Posts: 1640
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: Remote Access to PI behind any network

Mon Jun 11, 2018 11:39 am

Simple solution to avoid the "multi-homed" effect on the Pi, use an anonymous+bridged VPN setup:
- Pi uses wlan0 to get to the LAN and the Internet.
- Add a bridge with no IP address (anonymous) on the Pi.
- Set tap0 and eth0 as bridge members.
- Set up OpenVPN to connect to your DDNS address.

This works because a) the Pi only knows one IP route (the LAN's router via wlan0), and b) the device behind the Pi connects directly to the machines "connected" to the bridge by their MAC address: Pi's tap0, your remote workstation...
In other words, if your devices and workstation are on 192.168.1.0/24 and a remote site's LAN is on 192.168.1.0/24, this setup works.

Because the Pi has no IP address on the VPN, you can't log into it from the workstation. You can only access the devices behind it. To access the Pi itself, the teamviewer thing or VNC or a reverse SSH connection that uses wlan0 will work.

Bridging uses more bandwidth than a routed network, but unless you're bridging to a LAN with a ton of Windows/SMB workstations that shouldn't be a problem.
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel

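The anonymous bridge described in the post above, sketched as shell helpers with a check that the Pi really holds no address on the VPN side. This is an added example, not epoch1970's own configuration; the names br0 and tap0, the DDNS host vpn.example.net and the /etc/openvpn/pki/ paths are assumptions.

```sh
# Added example (not from the thread). Assumed names: br0, tap0, eth0,
# vpn.example.net as the DDNS host, and the /etc/openvpn/pki/ paths.
BRIDGE=br0
TAP=tap0
LAN_IF=eth0

# Print an OpenVPN client config for a layer-2 (tap) tunnel to the DDNS host.
gen_client_conf() {
    cat <<EOF
client
dev $TAP
proto udp
remote $1 ${2:-1194}
resolv-retry infinite
nobind
persist-key
persist-tun
# Stay anonymous: do not apply any address or route the server pushes.
ifconfig-noexec
route-noexec
# Refuse peers that do not present a server certificate.
remote-cert-tls server
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/pi.crt
key /etc/openvpn/pki/pi.key
EOF
}

# Print the commands that build the address-less bridge (run them as root).
# On Raspbian also keep dhcpcd off these interfaces (denyinterfaces).
bridge_cmds() {
    cat <<EOF
openvpn --mktun --dev $TAP
ip link add name $BRIDGE type bridge
ip addr flush dev $LAN_IF
ip link set dev $LAN_IF master $BRIDGE
ip link set dev $TAP master $BRIDGE
ip link set dev $LAN_IF up
ip link set dev $TAP up
ip link set dev $BRIDGE up
EOF
}

# Read "ip -o -4 addr show" output on stdin; succeed only if neither the
# bridge nor its members hold an IPv4 address (wlan0 stays the only route).
bridge_is_anonymous() {
    awk -v b="$BRIDGE" -v t="$TAP" -v l="$LAN_IF" \
        '$2 == b || $2 == t || $2 == l { bad = 1 } END { exit bad + 0 }'
}
```

After sourcing the file, `gen_client_conf vpn.example.net` prints the client config and `ip -o -4 addr show | bridge_is_anonymous` verifies the result once the bridge is up.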
mxracer
Posts: 3
Joined: Tue Jun 12, 2018 9:33 pm

Re: Remote Access to PI behind any network

Wed Jun 13, 2018 8:18 am

I have done this but for accessing a PLC connected to the Pi behind other networks. I have OpenVPN clients running on the Pi connected back to my DigitalOcean droplet ($5 a month, can't go wrong). All the clients have their own cert for the VPN with static IPs on the tunnel and use reverse proxy and a DNS A record pointed to the tunnels. All the Pis can be on the same subnet and not be an issue, as I create a remote route to the client I need access to. I don't have to worry about changing IPs etc. Look into running your own server, and if your PC goes down you don't have to worry.

dpslusser
Posts: 5
Joined: Sat Feb 21, 2015 7:04 pm

Re: Remote Access to PI behind any network

Wed Jun 13, 2018 11:41 am

mxracer wrote:
Wed Jun 13, 2018 8:18 am
I have done this but for accessing a PLC connected to the Pi behind other networks. I have OpenVPN clients running on the Pi connected back to my DigitalOcean droplet ($5 a month, can't go wrong). All the clients have their own cert for the VPN with static IPs on the tunnel and use reverse proxy and a DNS A record pointed to the tunnels. All the Pis can be on the same subnet and not be an issue, as I create a remote route to the client I need access to. I don't have to worry about changing IPs etc. Look into running your own server, and if your PC goes down you don't have to worry.

This is exactly what I am trying to do. lol.

My customer's network has WIFI (internet) for the PI to connect to. On the Raspberry PI, there will be a webserver (HMI) running for the customer to view/control the PLC (which will be connected directly to the PI). I need access to the PI and the PLC when I am not onsite, for remote support.

Is it possible for you to send me your OpenVPN client config (minus your keys of course :D), as well as your network setup for the PI? I would love to see how you set this up!

epoch1970
Posts: 1640
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: Remote Access to PI behind any network

Wed Jun 13, 2018 12:15 pm

Nitpicking, no doubt. But there is any network (anywhere) and any network (anywhere, any IP):

- If I understood it right, mxracer's proposition is simple and flexible, with a central config server and everybody connecting to it. Let's say the VPN uses network 10.8.0.0/24, if a new customer's LAN is on 10.8.0.0 you'd need to change the VPN network to, say, 10.9.0.0. No big deal as this can be handled from the central server.
- If you do without an IP address on the Pi for the VPN site (my previous post), you can set your PLC supervision network to 10.10.10.10 and drop a Pi in a LAN that uses the same network. Routing doesn't break because there is no routing done in the Pi.
If you use "advanced routing", or something like a container, you can make a routed setup that will work in any network; these options are more complex. Routing doesn't break because interfaces are treated separately or there is a software layer that is smart enough to adapt network settings.

dpslusser
Posts: 5
Joined: Sat Feb 21, 2015 7:04 pm

Re: Remote Access to PI behind any network

Wed Jun 13, 2018 12:31 pm

epoch1970 wrote:
Wed Jun 13, 2018 12:15 pm
Nitpicking, no doubt. But there is any network (anywhere) and any network (anywhere, any IP):

epoch, I think it was my lack of understanding. Your solution will also work.
My networking knowledge (especially with Linux) is definitely not advanced. I know enough to be dangerous; jack of all trades, master of none type of guy. :lol: About the only thing I have done (related to my OP) was setting up simple OpenVPN Server/Clients. Nothing fancy, and followed a lot of white papers.

Would you (or anyone) know where I could find some documentation/forum to get this rocking?

epoch1970
Posts: 1640
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: Remote Access to PI behind any network

Wed Jun 13, 2018 1:55 pm

The digitalocean (or any VPN provider you trust) is still no doubt a good solution.

This being said,
- What they provide is probably based around the client.conf and server.conf files you can see over there: All the VPN IP config is in the server; if needed change its config and define a new VPN network, restart the server and after a little while the clients should be back on the new VPN network.
- If you're intrigued by bridging, you could see this. It describes bridging with OpenVPN acting as a sort of DHCP server for its clients (server-bridge mode). Don't miss the How-to and FAQ.
- If you're intrigued by bridging in peer-to-peer mode (external DHCP server etc, OpenVPN doing only the bridging) combined with anonymous bridging, you could have a look at this post. It is a different application, but the Pi in this case has the same dilemma: it lives on LAN 192.168.1.0/24 and needs to let machines behind it access a VPN network numbered 192.168.1.0/24 as well.

HTH

mxracer
Posts: 3
Joined: Tue Jun 12, 2018 9:33 pm

Re: Remote Access to PI behind any network

Wed Jun 13, 2018 9:42 pm

So what I have done is installed pfSense into a DigitalOcean droplet (quite complex to do and took a long time to get running right). pfSense has a lot of great packages and has OpenVPN installed by default. I use HAProxy to do the reverse proxy, which points my subdomain to the tunnel IP address and the port to access at the end of the tunnel (SCADA/HMI webserver in my case). Customers can just type in my subdomain and will go straight to that webserver with the HMI and control PLC etc. wherever in the world they may be. If I need to access a network behind the Pi, I add a remote route on the OpenVPN server under advanced client options, for example remote route the IP address. Also keep in mind that on the server you need inter-client communication enabled. My config files won't help you as they are set up for pfSense. This works very well and I have a few devices running like this issue-free. I am also doing this over a 4G LTE cell network and had to add a script to ping Google and DNS and, if unsuccessful, restart the OpenVPN service, as for some reason the IP change on the PPP connection does not automatically reconnect to the server; it shows it's connected but won't send any data. This only happens on 4G; on WiFi and Ethernet it's fine.

I am currently a bit limited at the moment as my Pis have a static IP and act as the router, so I have to change the static IP to the customer's network, which is no biggie, and take notes of the IP address. I also have the issue that if the Ethernet is unplugged the whole lot goes down, as the static IP is bound to eth0, so I need a way to overcome this, as sometimes there won't be anything connected to the Ethernet: I'm also using XBees to receive data from a PLC that is a few km away that has no cell coverage or internet access, and sometimes just sensors on the XBees. I have not found out how to keep the eth0 interface up even when unplugged yet. I'm still a beginner with Linux/Raspberry Pi, so it's been a big learning curve these past 6 months.
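A watchdog of the kind described in the post above, as an added example rather than mxracer's actual script: it probes through the tunnel and restarts OpenVPN only after several consecutive failed passes, so one dropped ping on a cellular link does not bounce the service. The probe targets, the state file path and the systemd unit name openvpn@client are assumptions.

```sh
# Added example (not mxracer's script). Assumptions: targets such as 10.8.0.1
# (the VPN server's tunnel address), unit "openvpn@client", state file path.
PROBE_CMD=${PROBE_CMD:-"ping -c 1 -W 3"}
RESTART_CMD=${RESTART_CMD:-"systemctl restart openvpn@client"}
STATE_FILE=${STATE_FILE:-/run/vpn-watchdog.fails}
MAX_FAILS=${MAX_FAILS:-3}

# Succeed if at least one target answers a probe.
any_reachable() {
    for target in "$@"; do
        $PROBE_CMD "$target" >/dev/null 2>&1 && return 0
    done
    return 1
}

# One watchdog pass, meant to be run from cron or a systemd timer.
# Returns 0 if healthy, 1 if failing but under the threshold, 2 if restarted.
watchdog_pass() {
    if any_reachable "$@"; then
        echo 0 > "$STATE_FILE"
        return 0
    fi
    # Count consecutive failed passes across invocations.
    fails=$(cat "$STATE_FILE" 2>/dev/null || echo 0)
    fails=$(( ${fails:-0} + 1 ))
    if [ "$fails" -ge "$MAX_FAILS" ]; then
        echo 0 > "$STATE_FILE"
        $RESTART_CMD
        return 2
    fi
    echo "$fails" > "$STATE_FILE"
    return 1
}
```

Probing an address that is only reachable through the tunnel catches the "connected but no data" state directly; OpenVPN's own `ping` and `ping-restart` options address the same failure from inside the daemon.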
