Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to implement NAT traversal using STUN/ICE on my Raspberry Pi

I am trying to setup an implementation on my raspberry pi that is able to break through behind NAT routers so that I can connect to it remotely regardless of which network it is residing behind.

I've tried out pagekite.me which is great as a relay/reverse tunnel solution but I feel it is still a little bit clunky (with latency issues as there's an additional server which needs to be connected in between).

I've read up about STUN and ICE but I do not know of any solutions that I can implement on my raspberry pi.

The goal is that I can SSH into my PI regardless of its network configuration (router/network) and network firewall.

Can someone point me in the right direction as to where or what I should be looking for?

like image 958
David C Avatar asked Nov 01 '22 19:11

David C


1 Answers

I'm not answering your STUN/ICE question directly, but am answering your goal, which is how to break through NAT and ssh to your pi remotely.

The easiest way to solve this problem is to use a reverse ssh tunnel, especially one using autossh and key based authentication.

This requires you to have your own server with an ssh port somewhere for the pi to call in to (I use one just sitting on my home network, find out your public IP address, and register a free ddns account if you want to use a memorable URL).

Prepare your raspberry pi, ideally when on your own home network with the server you'll keep on and use (just connect an old desktop running linux or another pi to your router and leave it on. I'm going to assume you have forwarded external port 30022 to port 22 on your server, from your home router for this example). You're going to use key based authentication too.

On your pi:

sudo apt-get install autossh
# Generate key
sudo -u pi ssh-keygen
# Copy key to your server (while you're on your home network with the server is easiest, but not necessary)
sudo -u pi ssh-copy-id -i /home/pi/.ssh/id_rsa.pub [serverUser]@[serverIP]

You then want another 'configuration file', on your pi in the home directory if you like. Call it myConf.sh if you like

#!/bin/bash
rSSHPort=31001 # you'll use a different port for each pi you connect to your server.  Make sure all these ports are forwarded on your home router to the server (port forward the range e.g. 31000-31100 would let you do 100 pi's)
# Phone Home
USER=pi # or whatever your pi user is named
KEY=/home/pi/.ssh/id_rsa
HOST=myServer.ddns.net # or whatever your server URL or public IP address is 
REMOTE_USER=serverUser # or the user you want your pi to connect to the server as
REMOTE_PORT=30022 # or whatever port you have forwarded to your server for ssh (don't use 22 as its even more of a security vulnerability). 

You then have one final script that's going to implement the actual ssh call back to your server. Call it connectServer.sh if you like, and put it in /home/pi/

#!/bin/bash
# Reverse Tunnel SSH in to server
# -f detach script from terminal
# -N no commands can be executed on server side
# -R reverse tunnel
# -p using server ssh port
# -i path to key file
# Source the Config File
source '/home/pi/myConf.sh'

connect()
{
        # TODO need to check that autoSSH isn't already in process list
        autoSSHProc=$( ps ax | grep autossh | wc -l )
        if [ "$autoSSHProc" -le "1" ]
        then
                log
                su -c "autossh -f -N -q -i ${KEY} -p ${REMOTE_PORT} -R ${rSSHPort}:localhost:22 ${REMOTE_USER}@${HOST} -oControlMaster=no -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no" $USER
        fi
}

# Log connection details
log()
{
        datStr=$(date)
        echo "Connected system using autossh at " "$datStr" >> connection.log
}

connect

now run that on your pi

sudo ./connectServer

Now you want to ssh in to your server from your laptop or whatever device you connect in from.

ssh [serverUser]@[serverIP] -p 30022

Once in to your server, you can link up with the reverse tunnel

ssh pi@localhost -p 31001

Voila!

Here's the references I used to get this far:

Reverse ssh forwarding: https://www.howtoforge.com/reverse-ssh-tunneling

Set up Server with ssh key, pass to pi units: http://www.thegeekstuff.com/2008/11/3-steps-to-perform-ssh-login-without-password-using-ssh-keygen-ssh-copy-id/ and http://jmatthews.us/blog/2013/02/18/rpi-dorm/

Set up autodial home: https://www.raspberrypi.org/forums/viewtopic.php?f=36&t=32077

like image 194
Kelton Temby Avatar answered Nov 21 '22 10:11

Kelton Temby