ZPMMaker
Posts: 111
Joined: Sun Aug 23, 2015 11:04 am
Location: Australia

SSH tunnel to Pi via my own server

Fri Nov 02, 2018 9:44 am

So I've tried about half a dozen different commercial SSH tunnelling services (e.g. Weaved/Remote-IoT/AWS Systems Manager, OpenPort, and so on) over the last year for remote controlling my RPis. They all have issues that make them unreliable.

So I want to replace/augment them with my own SSH tunnels (better having multiple redundancy options for extremely remote - other side of the planet - IoT devices...).

I was hoping to do this with my pre-existing AWS EC2 instance (running Amazon Linux, equivalent to Red Hat).

Whenever I SSH into the EC2 instance, I have to use a .pem file.

I tried rayjoh's suggestion in an earlier discussion viewtopic.php?p=993843#p993843, with minor modification to include the .pem file. So I actually did the following:

On the Pi:

    ssh -i pemfile.pem -R 7575:localhost:7575 ec2-user@1.1.1.1

On my Mac:

    ssh -L 7575:localhost:7575 ec2-user@1.1.1.1

(where 1.1.1.1 is the EC2 instance's public static IP address)

However, when I ran the first command (on the Pi), all it did was open a new SSH connection from the Pi to the EC2 instance (i.e. I could control the EC2 instance through the SSH connection I had made to control the Pi).

And when I ran the second command on the Mac, it simply connected to the EC2 instance.

My goal is to be able to remotely control the RPi from my Mac.
Could someone please explain what I'm doing wrong?

Thanks in advance.

topguy
Posts: 7145
Joined: Tue Oct 09, 2012 11:46 am
Location: Trondheim, Norway

Re: SSH tunnel to Pi via my own server

Fri Nov 02, 2018 2:15 pm

ZPMMaker wrote:
However, when I ran the first command (on the Pi), all it did was open a new SSH connection from the Pi to the EC2 instance (i.e. I could control the EC2 instance through the SSH connection I had made to control the Pi).

This is correct; you will have the tunnel created anyway. There is an option for ssh to not open a login session/shell, don't remember exactly what it was.

ZPMMaker wrote:
And when I ran the second command on the Mac, it simply connected to the EC2 instance.

That is because it's what you asked it to do.. ;)
You don't need a second tunnel, you just need ssh to connect to port 7575 on the EC2 instance..

    ssh -p 7575 ec2-user@1.1.1.1

EDIT:
I just saw it now, but one of the port numbers on the ssh from the Pi needs to be 22 and not 7575. Unless you have changed which port the SSHD will listen on..

EDIT2:
And you should use "-R" and not "-L"

     -R remote_socket:host:hostport
     -R [bind_address:]port
             Specifies that connections to the given TCP port or Unix socket on the remote (server) host
             are to be forwarded to the local side.

so "-R 22:localhost:7575" sounds better to me.

ZPMMaker
Posts: 111
Joined: Sun Aug 23, 2015 11:04 am
Location: Australia

Re: SSH tunnel to Pi via my own server

Sat Nov 03, 2018 5:14 am

topguy wrote:
Fri Nov 02, 2018 2:15 pm

ZPMMaker wrote:
However, when I ran the first command (on the Pi), all it did was open a new SSH connection from the Pi to the EC2 instance (i.e. I could control the EC2 instance through the SSH connection I had made to control the Pi).

This is correct; you will have the tunnel created anyway. There is an option for ssh to not open a login session/shell, don't remember exactly what it was.

ZPMMaker wrote:
And when I ran the second command on the Mac, it simply connected to the EC2 instance.

That is because it's what you asked it to do.. ;)
You don't need a second tunnel, you just need ssh to connect to port 7575 on the EC2 instance..

    ssh -p 7575 ec2-user@1.1.1.1

EDIT:
I just saw it now, but one of the port numbers on the ssh from the Pi needs to be 22 and not 7575. Unless you have changed which port the SSHD will listen on..

EDIT2:
And you should use "-R" and not "-L"

     -R remote_socket:host:hostport
     -R [bind_address:]port
             Specifies that connections to the given TCP port or Unix socket on the remote (server) host
             are to be forwarded to the local side.

so "-R 22:localhost:7575" sounds better to me.
Hi topguy; thanks for your advice.

I tried the following...

1. On the Pi:

    ssh -i pemfile.pem -R 22:localhost:7575 ec2-user@1.1.1.1

This then prompted me for the password for the EC2 instance and let me log in fine (i.e. I had SSH control of the EC2 instance from the RPi), as expected.

2. On my Mac:

    ssh -i "pemfile.pem" ec2-user@1.1.1.1 -p 7575

and also:

    ssh -i "pemfile.pem" ec2-user@ec2-1.1.1.1.ap-southeast-2.compute.amazonaws.com -p 7575

(this is what I would usually type in to connect to the EC2 instance, without the -p 7575, so I figured it may be worth trying... ).
And then finally, I also tried:

    ssh -p 7575 ec2-user@1.1.1.1

(which was your suggestion).

Unfortunately, all three of these commands timed out.

Do you have any further suggestions please?

Thanks again for your help.

ZPMMaker
Posts: 111
Joined: Sun Aug 23, 2015 11:04 am
Location: Australia

Re: SSH tunnel to Pi via my own server

Sat Nov 03, 2018 10:50 am

Never mind; got it working by following the steps at https://www.howtoforge.com/reverse-ssh-tunneling

Let's assume that Destination's IP is 192.168.20.55 (Linux box that you want to access).

You want to access from Linux client with IP 138.47.99.99.

Destination (192.168.20.55) <- |NAT| <- Source (138.47.99.99)

1. SSH from the destination to the source (with public IP) using the command below:

    ssh -R 19999:localhost:22 sourceuser@138.47.99.99

* port 19999 can be any unused port.

2. Now you can SSH from source to destination through SSH tunneling:

    ssh localhost -p 19999

3. 3rd party servers can also access 192.168.20.55 through Destination (138.47.99.99).

Destination (192.168.20.55) <- |NAT| <- Source (138.47.99.99) <- Bob's server

3.1 From Bob's server:

    ssh sourceuser@138.47.99.99

3.2 After the successful login to Source:

    ssh localhost -p 19999

* the connection between destination and source must be alive at all times.

Tip: you may run a command (e.g. watch, top) on Destination to keep the connection active.

Thanks again for your help. :)
Last edited by ZPMMaker on Wed Jan 22, 2020 8:13 am, edited 1 time in total.

ZPMMaker
Posts: 111
Joined: Sun Aug 23, 2015 11:04 am
Location: Australia

Re: SSH tunnel to Pi via my own server

Wed Jan 22, 2020 8:05 am

Just wanted to give an update on this discussion.

The tunnels I had set up to EC2 proved unreliable. I can't remember why; it was over a year ago.

However, someone recommended I use MeshCentral, which is freeware that you install on a server (such as an AWS EC2 instance) and on the remote devices (RPis) themselves. I've been using MeshCentral for about three months now, and it has been far more reliable than anything else I've tried previously. And the only cost is - of course - the cost of the EC2 server (works out at about $5 per month as I'm using the lowest-spec EC2 instance type).

MeshCentral is very well-documented and they also have a sub-Reddit where the developer answers questions, so I can recommend it.
https://www.meshcommander.com/meshcentral2

Hope this is of help to someone in future.

tpyo kingg
Posts: 982
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: SSH tunnel to Pi via my own server

Wed Jan 22, 2020 9:02 am

You can likely find an even cheaper server if all you need is for it to act as a jump host. There are some around for half that.

As for the tunnel, you had the first part almost working. Just make sure the right port is forwarded:

    ssh -f -N -i yoursshkey -R 7575:localhost:22 zpmmaker@server.example.com

Then on your OS X machine hop through your bastion host into your reverse tunnel:

    ssh -J zpmmaker@server.example.com -p 7575 localhost

And that will put you through to a shell on your Raspberry Pi from the outside.
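The script below is an added example and not something any poster in this thread wrote; it wraps the two halves of the reverse tunnel from tpyo kingg's post (and the equivalent howtoforge steps quoted earlier) in a form that is easier to get right than retyping the flags. Every concrete value is an assumption: 7575 as the bounce port, ~/.ssh/pi.pem as the key, zpmmaker@server.example.com as the jump host, "pi" as the login on the Raspberry Pi, and the ssh_config aliases "bounce" and "pi-remote". The port check exists because the earlier attempts in the thread swapped the two ports ("-R 22:localhost:7575" asks the EC2 sshd to bind its own port 22), and ExitOnForwardFailure makes that kind of mistake a visible failure instead of a silent login with no tunnel.

```shell
#!/bin/sh
# Added example (not from the thread). Reverse SSH tunnel helper:
#   sh tunnel.sh pi      -> run on the Pi: open the reverse tunnel to the server
#   sh tunnel.sh config  -> print a ~/.ssh/config stanza for the Mac side
#   sh tunnel.sh check   -> run on the server: is the bounce port listening?
# Assumed values: bounce port 7575, key ~/.ssh/pi.pem,
# jump host zpmmaker@server.example.com, Pi login "pi".
set -eu

# Accept only unprivileged TCP ports. "-R 22:localhost:7575" (the reversed
# form tried earlier in the thread) would ask the server's sshd to bind its
# own port 22 and fail.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Pi side. "-R <server-port>:localhost:22" opens a port on the SERVER that is
# relayed back to the Pi's own sshd. Binding it to 127.0.0.1 keeps it off the
# internet (sshd's GatewayPorts default does this already; be explicit).
# -N: no remote shell, -f: background, ExitOnForwardFailure: exit instead of
# logging in with no tunnel, ServerAlive*: drop a dead link within ~90 s so a
# supervisor (systemd unit, cron job) can restart it.
tunnel_args() {    # usage: tunnel_args <bounce_port> <key> <user@server>
    valid_port "$1" || { echo "tunnel_args: bad bounce port '$1'" >&2; return 1; }
    echo "-f -N -i $2 -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 127.0.0.1:$1:localhost:22 $3"
}

# Mac side. ProxyJump (-J) starts a separate ssh process for the jump host,
# which does not inherit -i from the command line, so the key for the jump
# host goes into a config stanza. After this: "ssh pi-remote".
client_config() {  # usage: client_config <bounce_port> <key> <user@server>
    valid_port "$1" || { echo "client_config: bad bounce port '$1'" >&2; return 1; }
    user=${3%@*}; host=${3#*@}
    printf 'Host bounce\n    HostName %s\n    User %s\n    IdentityFile %s\n\n' "$host" "$user" "$2"
    printf 'Host pi-remote\n    HostName localhost\n    Port %s\n    User pi\n    ProxyJump bounce\n' "$1"
}

# Server side (Linux, uses iproute2 ss): confirms the tunnel is actually up
# and bound to loopback only, which is the thing to check when the client
# times out as it did in the thread.
tunnel_listening() {  # usage: tunnel_listening <bounce_port>
    ss -ltn 2>/dev/null | grep -q "127.0.0.1:$1 "
}

case "${1:-}" in
    pi)     exec ssh $(tunnel_args 7575 ~/.ssh/pi.pem zpmmaker@server.example.com) ;;
    config) client_config 7575 ~/.ssh/pi.pem zpmmaker@server.example.com ;;
    check)  tunnel_listening 7575 && echo "tunnel up" || echo "tunnel down" ;;
esac
```

With the printed stanza appended to ~/.ssh/config on the Mac, the whole client side collapses to `ssh pi-remote`; the Pi side is best run from a systemd service with Restart=always so the tunnel comes back after the EC2 side drops it.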
