VPN/SSH to remote Pi


#1

Hi all, I’ve relocated a Pi to my brother’s house about 30 miles away. I’d like to be able to VPN/SSH tunnel into it to check logs etc. I have no idea how to do this nor does my brother.

I’ve done a bit of reading about VPN but it went over my head :confused:
Can one of you point me in the right direction?


#2

It is going to depend on your brother’s router and network config. Are you using DHCP or a static IP address on the PI? The easiest way to do it would be to enable port forwarding for port 22 on his router to your PI with a static IP address on his network. You could then SSH to his router’s IP address on port 22 to get to your PI.

I use dyndns to automatically register my router’s ip address in DNS when it boots. That way I can go to a hostname of my choice rather than having to look up the IP for my router manually. I also forward SSH on an alternate external port (say 45722) to my PI so if someone port-scans my router, they don’t get SSH on port 22. (potentially more secure)

Cheers!
LitterBug


#3

You have to enable SSH in the firewall settings/application support of your BROTHER’s ROUTER. Exact procedure to do this varies with make & model of the router.
After SSH is enabled, install on YOUR computer an SSH client software like PuTTY, and connect through it. You will need the IP address of your brother’s router, RPi’s user name (or its local IP address on LAN), and RPi’s password to login remotely from PuTTY.


#4


And some routers will also do port mapping too

  • so from your router you would ssh to brothers-ip-addr:32022 then the router would redirect that to the internal address of the pi on port 22

If your brother has a dynamic IP address (the address the ISP gives him may change), then you might need to use a dynamic naming service to find his present IP address (see en.wikipedia.org/wiki/Dynamic_DNS ).

If you have a fixed IP address, then the rule on the brother’s router could say only redirect inbound traffic on port 32022 to the Pi if it comes from your fixed IP address.

Though it would be better still if the brother’s router could put the Pi onto its own network … one that isn’t used for the brother’s PC, iPad, TV, etc

(I have a Draytek router, my ADSB stuff is in a private network on its own IP range serviced through Lan port 3 (only) on the back of the router and with its own SSID for that network … this provides the same sort of isolation from the other stuff in the house as the next door neighbor has with his own private rig)


#5

One workaround for the dynamic IP address is that at the time you want to SSH, go to Flightaware stats page of RPi at your brother’s home, login, and in site settings area, you will see the current internet IP address as well as local IP address on LAN. Use that Internet IP address in PuTTY to connect.


#6

I use weaved.com. Install their raspberry module on your pi and good to go. Free (30 minute periods) and works great. No messing with modems or routers.


#7

Messing with the router firewall is still there; the only difference is that instead of the router owner doing it manually, he lets the weaved.com software do it, so the owner doesn’t have to bother to do it himself.


#8

Thanks guys, I knew you would come up with some suggestions :smiley:

Hi ab cd, tried that as I’m familiar with using PuTTY to manage my local RPis. I got a connection refusal so thought it was likely to be more complicated than that.

My brother does have a static IP address for his router and has also assigned a static one to the RPi.

PeterHR, are you suggesting Port Forwarding port 22 to 32022 on my brother’s router then connecting, SSH, to that port instead of port 22? I’ve read that opening port 22 is not a good idea due to nefarious scroats. Ahhh, just realised that whilst writing that sentence, my brother probably doesn’t have port 22 open. :unamused: :unamused:

I need to look up router rules and also how to create a separate network for the ADSB stuff. I like that idea.

[Edit] How does the “Send Command” work in FA Control Panel because I can see the logs and send commands to the RPi at my brother’s?


#9

The “send command” thing sends a command down the already-established outgoing connection that piaware makes to the FA servers.


#10

The screenshot below shows how to configure “applications support” in my router’s Firewall Settings.
This is an example. You can try mapping port 22 to some other port number.
Those “nefarious scroats” :smiley:, who intend to access my RPi using details in screenshot below, may please note that:
(1) I have setup SSH only to take this screenshot, after which I removed SSH from my router.
(2) I rebooted my router, which has a dynamic address, so the IP address in screenshot is no longer valid.
(3) I have changed my RPi’s device name shown in screenshot to something else.
:smiley: :smiley: :smiley:


#11

My brother has used Team Viewer in the past so I loaded it onto my PC. It works fine and I was able to login to the RPi.
His PC is a Mac :open_mouth:

My router, a BT Home Hub 3, doesn’t seem to have the ability to create a sub net or have firewall rules.

Thanks for all your help.


#12

As you have seen, there are several ways to do this. If you are reading about VPN, that is one way. A VPN is an encrypted link from your remote location into your brother’s local LAN. From there you can access the Pi as if you were local to his house. Unless you do some work to shut it off, you can also access anything else on his LAN, but being as it’s family that’s probably not a concern. Some routers will run a VPN service for you. In that case, you don’t do anything to the Pi, just set up the VPN service on the router. You can also run a VPN service on the Pi. There are various open source and commercial solutions for that too.

Another way is to expose the SSH service on the Pi to the internet. That is the discussion on this thread about using the router to port forward some random external port to port 22 on the Pi. I second the suggestion to pick a random big number port. If you open port 22 (i.e. forward external port 22 to Pi port 22) you will quickly get lots of traffic trying to break in. It’s the unfortunate nature of the internet these days. You need a very strong password in place either way. I suggest a long one with random numbers and special characters. PuTTY can save the password for you so you don’t need to type it every time. You are depending upon “security through obscurity” though.

If you are going to expose the SSH service on the Pi to the internet, a better solution is to use public/private key pairs (PKI- public key infrastructure) and prohibit password log-ins completely. While keys might look like really long passwords, they are not used that way, and thus can not be intercepted. Explaining how they work is beyond a short post, nor is it really necessary to know the details to implement it. SSH on the Pi supports the use of keys. All you have to do is turn this on in the config file and generate your keys.
Here are some instructions: https://www.raspberrypi.org/documentation/remote-access/ssh/passwordless.md Once you get this working, edit /etc/ssh/ssh_config and set PasswordAuthentication to “no”.

Hope this helps,
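
The server-side check for that last step, as an added example that is not part of the original post: sshd reads its settings from /etc/ssh/sshd_config (ssh_config in the same directory configures the client). The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check that an sshd configuration
# really turns password logins off once key-based login works.
# Limits: Include files and Match blocks are not evaluated; on the Pi itself
# `sudo sshd -T` prints the fully resolved configuration.

# Print the global value of KEYWORD ($1) in FILE ($2). sshd keeps the FIRST
# occurrence, keywords are case-insensitive, "Keyword=value" is accepted.
sshd_effective() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            match(line, /^[A-Za-z0-9]+/)
            key = tolower(substr(line, 1, RLENGTH))
            val = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit             # global section ends here
            if (key == want) { print tolower(val); exit }
        }' "$2"
}

# Return 0 only if keys are allowed and both password-style methods are off.
# An unset keyword falls back to the OpenSSH default, "yes" for all three.
audit_sshd() {
    rc=0
    for kw in PasswordAuthentication KbdInteractiveAuthentication PubkeyAuthentication; do
        v=$(sshd_effective "$kw" "$1")
        [ -n "$v" ] || v="yes"
        echo "$kw = $v"
        case "$kw:$v" in
            PubkeyAuthentication:yes) ;;
            PubkeyAuthentication:*)   rc=1 ;;
            *:no) ;;
            *)    rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: the later "no" is ignored because the first value wins.
sample=$(mktemp)
printf '%s\n' '#PasswordAuthentication no' 'passwordauthentication yes' \
    'PasswordAuthentication no' 'KbdInteractiveAuthentication no' > "$sample"
audit_sshd "$sample" || echo "password logins are still possible"
rm -f "$sample"
```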


#13

Perhaps the biggest problem people have with remote stuff like this is how to reboot the pi when it’s gone off the network - I guess your brother would do this for you.


#14

@Jranderson777 - many thanks for the link, I’ll take a look
@PeterHR - Yes, I’m sure he would reboot it. He’s getting interested in this now and is already talking about getting the antenna on his roof and upgrading to a Pi2 :astonished:


#15

[quote=“triggers”]
@Jranderson777 - many thanks for the link, I’ll take a look
@PeterHR - Yes, I’m sure he would reboot it. He’s getting interested in this now and is already talking about getting the antenna on his roof and upgrading to a Pi2 :astonished:
[/quote]

There goes your remote station :frowning:


#16

There goes your remote station :frowning:

How prophetic :exclamation: He bought a Pi2 and replaced my Pi B+ :open_mouth:


#17

Hi all, I have now bought a Pi2 and installed PiAware (SD Card) 2.1-5.

I want to connect by SSH.

What is the login and password? Thanks :slight_smile:


#18

Look here for default login and password. flightaware.com/adsb/piaware/bui … l#password


#19

For me, I use VPN if I want to SSH. If I want to view my gmap.html GUI I assign that RPi IP with DNS host. You can make your own VPN and remote access your RPi… But you need a dedicated FreeBSD PC or VPN-capable router and do some NAT or port forwarding… A bit of a head-scratching idea but it works.