Hey all,
I have my raspberry pi all set up to connect via SSH to other devices (desktop, laptop) on my local network. I was wondering if there was any way to connect to the pi via SSH outside my local network? I'm rather new to linux and networking.
Thanks!
Re: Accessing SSH outside local network
You need to "open" the ports in your modem/router.
For example:
Use your Raspberry Pi's IP to forward port 22.
Re: Accessing SSH outside local network
Ok, so how exactly do you do this?
Re: Accessing SSH outside local network
Depends on what kind of router you have, if you have one. Different routers do it differently but basically you need to look for the NAT rules or port forwarding.
You set up a port forward using one port (would not suggest 22, maybe 2022) and then forward it to the IP of your RPi on port 22. Then when you connect to port 2022 from the outside to your outside IP, you will be passed on to the IP of your Raspberry on port 22.
You would have to test this normally from outside of your network.
Dweeber A.K.A. Kevin...
My RPI Info Pages including Current Setup - http://rpi.tnet.com
Re: Accessing SSH outside local network
Port forwarding is a tricky subject.
Google How to set up port forwarding and see what I mean.
If you intend to do a lot of remote access from outside your Home network you might want to consider subscribing to a Dynamic DNS service like NOIP or DYNDNS.
These services allow you to choose a URL that always points to the correct public ip address.
The Grass may be greener on the other side of the fence, but it still has to be mowed.
Re: Accessing SSH outside local network
Alright guys I got it working, thanks!
Re: Accessing SSH outside local network
Care to tell us exactly what you did?
Re: Accessing SSH outside local network
Hate to break it to ya BUT it doesn't matter what he did!
It would only be useful to YOU if you had EXACTLY the same router/ wherever you get your internet from!
Try the link above!
The Raspberry Pi Guy

Matt, The Raspberry Pi Guy YouTube channel, author of Learn Robotics with Raspberry Pi, available now: http://mybook.to/raspirobots, Computer Science & Electronics Undergraduate at The University of Edinburgh
Re: Accessing SSH outside local network
raspberrypiguy1 wrote: Hate to break it to ya BUT it doesn't matter what he did! It would only be useful to YOU if you had EXACTLY the same router/ wherever you get your internet from!

Most routers are similar in how they express setting up NATs. It is not that hard most of the time. Unless you have a brain dead router with a very poor interface, as long as you have a general idea what you need to do, you should be able to figure it out. If you need help there are better resources to find that info like http://www.dslreports.com

Unless your home IP changes a lot and often, you normally don't need to bother with a dynamic DNS service. If you manage your own DNS for other hosting, you can just set up a static IP using that and your current domain and point a host name like home.your_domain to your home IP and be happy without setting up another account and more software. I just use the IP.

raspberrypiguy1 wrote: Try the link above!

What link?
Dweeber A.K.A. Kevin...
My RPI Info Pages including Current Setup - http://rpi.tnet.com
Re: Accessing SSH outside local network
inder wrote: Care to tell us exactly what you did?

Having my pi connected to the router (which is netgear for the record), I:
1) Connected to the router's settings page. I did that by putting the router's local IP address into the web browser on my PC. The local IP is usually either 192.168.0.1, or 192.168.0.0, depending on the brand of the router. It will ask you for a username and password, and unless you changed it, it's usually admin (username) and password (password), or admin and admin.
2) Clicked on the LAN setup tab (might be called something else on yours), went to address reservation and reserved an IP address for the Pi so that every time it connects to my router, it will never change the IP (you'll see why it's important later)
3) I went to the "Port Forwarding" tab (usually under advanced settings), and set it up so whenever an outside device tried to connect to the router at port 22, it would send it to the IP of my Pi (this is why I reserved the IP for the Pi in the previous step, so it would always send to the right IP).
Then it's all done.
If you want to connect to the Pi via Putty from outside the LAN, instead of connecting to the Pi's IP, you have to connect to your router's outside IP. You can find this by going to that router settings page we went to before, and looking under "Router Status" (Make sure you're still connecting to port 22 in putty, by the way)
Also note, every time you turn on and off the router, it will change its outside IP address, so you'll have to go and find it every time you plug it in again.
Hope it helps!
Re: Accessing SSH outside local network
snoborox wrote: Also note, every time you turn on and off the router, it will change its outside IP address, so you'll have to go and find it every time you plug it in again.

That greatly depends on who your provider is. When I had residential DHCP service I had the same IP for long stretches of time, sometimes as long as a year... rebooting the router had no effect. Unless you are changing the MAC number of your router you should be picking up the same lease most of the time.
Dweeber A.K.A. Kevin...
My RPI Info Pages including Current Setup - http://rpi.tnet.com
Re: Accessing SSH outside local network
Make sure to have a good password if you're letting access to SSH from the internet. I wouldn't be surprised if the ssh hacking attempts haven't started by now.
Re: Accessing SSH outside local network
snoborox wrote: Also note, every time you turn on and off the router, it will change its outside IP address, so you'll have to go and find it every time you plug it in again.
Dweeber wrote: That greatly depends on who your provider is. When I had residential DHCP service I had the same IP for long stretches of time, sometimes as long as a year... rebooting the router had no effect. Unless you are changing the MAC number of your router you should be picking up the same lease most of the time.

I see, yeah mine changes every time I reboot (AT&T is my provider)
Re: Accessing SSH outside local network
If you open up SSH on the internet you will get a lot of brute force attacks. I had around 4500 connections in 24 hours, from 3 IPs.
I changed my SSHD settings to
AllowUsers username
LoginGraceTime 30
MaxAuthTries 1
MaxStartups 2
Installed denyhosts to temporarily ban the IPs and also set two factor authentication for my user via Google Authenticator's PAM module. (Or you could turn off passwords and use keys instead).
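The kind of per-source count that ban tools such as denyhosts act on, as an added example (not code from this thread or from denyhosts itself): it tallies failed password attempts per address from sshd log lines. The log lines are constructed samples and `failed_ssh_sources` is a name chosen for this example.

```shell
#!/bin/sh
# Constructed sample of sshd lines as they appear in /var/log/auth.log.
# Addresses come from documentation ranges, not from real hosts.
SAMPLE_LOG='Oct  3 10:01:02 raspberrypi sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct  3 10:01:04 raspberrypi sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Oct  3 10:01:09 raspberrypi sshd[1207]: Failed password for pi from 198.51.100.7 port 40022 ssh2
Oct  3 10:02:11 raspberrypi sshd[1210]: Accepted publickey for pi from 192.168.0.20 port 50111 ssh2
Oct  3 10:02:30 raspberrypi sshd[1215]: Failed password for invalid user test from 203.0.113.5 port 51301 ssh2
Oct  3 10:03:00 raspberrypi sshd[1220]: Invalid user oracle from 203.0.113.5 port 51400'

# Read sshd log lines on stdin and print "count address" for every source
# with at least $1 failed password attempts, busiest source first.
failed_ssh_sources() {
    awk -v min="$1" '
        / sshd\[[0-9]+\]: Failed password for / {
            # Take the address after the LAST "from": the user name is chosen
            # by the client and may itself contain "from <some address>".
            for (i = NF - 1; i > 1; i--)
                if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Sources with two or more failures in the sample.
printf '%s\n' "$SAMPLE_LOG" | failed_ssh_sources 2
```

On a Pi the same function can read the live log, for example `failed_ssh_sources 5 < /var/log/auth.log`.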
Re: Accessing SSH outside local network
AshP wrote: If you open up SSH on the internet you will get a lot of brute force attacks. I had around 4500 connections in 24 hours, from 3 IPs.
I changed my SSHD settings to
AllowUsers username
LoginGraceTime 30
MaxAuthTries 1
MaxStartups 2
Installed denyhosts to temporarily ban the IPs and also set two factor authentication for my user via Google Authenticator's PAM module. (Or you could turn off passwords and use keys instead).

Or you could do what banks and other businesses do and simply not use port 22, pick another port. The other actions are wise as well but why would you expose your system unnecessarily when there is an easy fix?
Dweeber A.K.A. Kevin...
My RPI Info Pages including Current Setup - http://rpi.tnet.com
Re: Accessing SSH outside local network
Dweeber wrote: Or you could do what banks and other businesses do and simply not use port 22, pick another port. The other actions are wise as well but why you would expose your system unnecessarily when there is an easy fix.

Changing the port will reduce the script kiddies/worms attacks, so keeps the logs cleaner, but port scans can still find it, so it offers no real security. Nothing against doing it, but I personally prefer running on standard ports, and denyhosts stops most of the carp in the logs.
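An added example (not from any poster in this thread) of checking the settings discussed in the last few posts: it reports missing protections in an sshd_config text and leaves the port out of the verdict. The sample config, the helper names `sshd_value` and `audit_sshd`, and the MaxAuthTries limit of 3 are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample: the four settings from the post on a non-standard port,
# with password logins still switched on.
SAMPLE_CONFIG='Port 2022
AllowUsers username
LoginGraceTime 30
MaxAuthTries 1
MaxStartups 2
PasswordAuthentication yes'

# Print the lower-cased first value of keyword $2 in config text $1. sshd
# keeps the first value it reads for a keyword and treats keywords as
# case-insensitive. Parsing stops at the first Match block, so only the
# global section is read.
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print tolower($0); exit }'
}

# Print one finding per line for config text $1; print nothing if it passes.
# Port is deliberately not checked: moving it cuts log noise but a port scan
# still finds the service.
audit_sshd() {
    [ "$(sshd_value "$1" PasswordAuthentication)" = "no" ] ||
        echo "PasswordAuthentication: not 'no', passwords can still be guessed"
    [ -n "$(sshd_value "$1" AllowUsers)" ] ||
        echo "AllowUsers: not set, every account may attempt to log in"
    tries=$(sshd_value "$1" MaxAuthTries)
    case $tries in
        '' | *[!0-9]*) echo "MaxAuthTries: not set explicitly" ;;
        *) [ "$tries" -le 3 ] ||
            echo "MaxAuthTries: $tries, above this example's limit of 3" ;;
    esac
    return 0
}

audit_sshd "$SAMPLE_CONFIG"
```

On a live system, pass it the effective configuration printed by `sshd -T` (run as root) instead of the file text, so that defaults and included files are covered.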
Re: Accessing SSH outside local network
@snoborox, Thanks for the details. I'm always interested in how people approach a particular problem and solve it. My setup has avahi running on the rpi and thus I can access it from Macs on my lan using ssh into raspberrypi.local. I can also connect from windows boxes using rdp to raspberrypi.local. I would like to be able to do this from outside my lan as well. I'm a bit leery of port forwarding but might use something other than 22 and use the other measures suggested. Perhaps someone knowledgeable like Raspberryguy1 has solution(s) and might even do a video tutorial.
Re: Accessing SSH outside local network
Using SSH into Raspi from remote locations is relatively easy.
The problem comes when the router's IP changes due to external reasons, e.g. power cut, reset, ISP IP renewal etc.
What would be nice would be a script running on the PI, detecting the router's changed IP and then automagically sending the new IP information to you via your web based email server.
I know there is a way to run automatic scripts at certain times, but as a newbie to Linux have no idea of how to write the 'read router IP and send it' script.
Any offers?
Re: Accessing SSH outside local network
There are services that can be used to do that. They run a small client on your inside network and ping back to their servers thus providing them with the current IP of your connection. They then update their DNS zone info so the host name you use with them always points to the correct IP.
If you really don't care about an actual host name, and just want to know the email address... and you have web hosting elsewhere, you can set up your own process to ping your own web host using a special URL that you can then look up the result from your website to see what IP was last used.
Simply using wget like
    wget -T 15 -q "http://yourwebsite/special.html" -O /dev/null
and putting it into cron will make the connection to your external website. If you are using PHP or something like that you can capture the IP and store it somewhere.
Lots of clever things you can try.
Dweeber A.K.A. Kevin...
My RPI Info Pages including Current Setup - http://rpi.tnet.com
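One way to do the "detect the changed IP" step on the Pi itself, as an added example (not Dweeber's phonehome script): it stores the last known public address and prints a new one only after validating the reply. `IP_ECHO_URL`, the state file path, the file name `ipwatch.sh` and the function names are hypothetical; the URL must point at a page on your own host that returns the caller's address as plain text.

```shell
#!/bin/sh
# Hypothetical endpoint on your own web host that answers with the caller's
# address as plain text. Replace it with a URL you control.
IP_ECHO_URL="https://yourwebsite.example/ip"
STATE_FILE="${STATE_FILE:-$HOME/.last_public_ip}"

# Ask the endpoint which address the request came from.
fetch_public_ip() {
    wget -T 15 -q -O - "$IP_ECHO_URL"
}

# Succeed only for a single dotted-quad IPv4 address, so an error page or
# any other unexpected reply is never stored or mailed.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { bad = 1 }
        { for (i = 1; i <= NF; i++)
              if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i > 255) bad = 1 }
        END { exit (bad || NR != 1) }'
}

# Print the new address and return 0 when it differs from the stored one.
# Return 1 when nothing changed and 2 when the reply was not an address.
check_ip_change() {
    new=$(fetch_public_ip) || return 2
    is_ipv4 "$new" || return 2
    old=$(cat "$STATE_FILE" 2>/dev/null || true)
    [ "$new" != "$old" ] || return 1
    printf '%s\n' "$new" > "$STATE_FILE"
    printf '%s\n' "$new"
}

# Run from cron as "ipwatch.sh run" (hypothetical file name). It prints only
# when the address changed, and cron mails a job's output to its owner when
# local mail delivery is set up.
[ "${1:-}" != "run" ] || check_ip_change
```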
Re: Accessing SSH outside local network
I created an article with a real script example of a phonehome script. You could use this if you decided not to use a service to keep track of your current outside router's IP and wanted to just roll your own..
http://rpi.tnet.com/project/scripts/phonehome
Dweeber A.K.A. Kevin...
My RPI Info Pages including Current Setup - http://rpi.tnet.com
Re: Accessing SSH outside local network
If we're talking about uber security, I recently read an article about an old concept...
http://en.wikipedia.org/wiki/Port_knocking
Seems like a nice, lightweight way to secure personal servers like the RPi.
Regards,
Andy
Re: Accessing SSH outside local network
Hello,
I try to access my pi from outside my LAN network.
I configured the sshd daemon on port 2223 modifying the file /etc/ssh/sshd_config
I forwarded the port 2223 TCP to the ip of my PI.
I can reach the PI inside my LAN on port 2223 but can't reach it if I'm using the external ip address when I'm connected to my office VPN (simulating a situation outside the LAN).
So is there a parameter somewhere blocking incoming traffic?
Do I have to configure another service?
Thanks
Re: Accessing SSH outside local network
b_welding wrote: I can reach the PI inside my LAN on port 2223 but can't reach it if I'm using the external ip address when I'm connected to my office VPN (simulating a situation outside the LAN).
So is there a parameter somewhere blocking incoming traffic?
Do I have to configure another service?

Sounds like you only have access from within your local network and that your router is not properly forwarding the port OR your work is blocking the use of port 2223 which is a possibility depending on how your work controls network access.
Dweeber A.K.A. Kevin...
My RPI Info Pages including Current Setup - http://rpi.tnet.com
Re: Accessing SSH outside local network
OK, I've found the solution...
The problem was not my port forwarding.
In fact when my PI boots, it is in dhcp mode and I changed the ipv4 address using ifconfig eth0 192.xxx.xxx.xxx.
After that, there was no default gateway set in route settings and the pi was unable to communicate with the internet. So perhaps my incoming messages came to the sshd server but the responses were not sent over the internet and I was not able to connect from the outside.
I hope this solution will be useful for someone else
Re: Accessing SSH outside local network
Several solutions exist which don't need you to muck with your router:
PageKite: The one I am most familiar with. Coded in Python. Since the Linux on your Raspberry Pi already has Python installed, it's simple to get it working. See: http://pagekite.net/
Localtunnel: I used it once. Doesn’t involve sign up from what I remember. Ruby, so you will have to install it. See: http://progrium.com/localtunnel/
showoff.io: Haven’t used this. Ruby again. See: https://showoff.io/