Ssh access to your Raspberry Pi from anywhere

Editor’s 2017 note: Lots of great alternatives are discussed in the Comments section.

Intro
I’ve done a couple things with my Raspberry Pi. There’s this post on setting it up without a monitor, keyboard or mouse, and this post on using it to monitor power and Internet connection at my home.

I eventually realized that the Pi could be accessed from anywhere, with one big assumption: that you have your own hosted server somewhere on the Internet that you can ssh to from anywhere. This is the same assumption I used in describing the power monitor application.

The details
I can’t really take any credit for originality here. I just copied what I saw in another post. My only contribution is in realizing that the Pi makes a good platform to do this sort of thing with if you are running it as a server like I am.

What you can do is to create a reverse ssh tunnel. I find this easier and probably more secure than opening up ssh (inbound) on your home router and mapping that to the Pi. So I’m not going to talk about that method.

First ssh log in to your Pi.

From that session ssh to your hosted server using syntax like this:

> ssh −f −N −R 10000:localhost:22 username@ip_address_of_your_hosted_sever

You can even log out of your Pi now – this reverse tunnel will stay*.

Now to access your Pi from “anywhere,” log into your server like usual, then from that session, login to your Pi thusly:

> ssh −p 10000 pi@localhost

That’s it! You should be logged on after supplying the password to the pi account.

*Except that in my experience the reverse tunnel does not stay! It’s staying up less than two hours.

But I think the approach is sound.

Feb 15th Update
This is a case of RTFM. That same web page I cited above has the necessary settings. I needed to have them on the Pi. It didn’t help when I put them on my Amazon server. Here they are repeated:

TCPKeepAlive yes
ClientAliveInterval 30
#ClientAliveCountMax 30
ClientAliveCountMax 99999
GatewayPorts yes
AllowTcpForwarding yes

This goes into the /etc/ssh/sshd_config file. Make sure you don’t have these mentioned a second time in that file.

With these settings my reverse tunnel has been up all day. It’s a real permanent tunnel now!

Security note
Make sure you modify the default passwords to your Pi before attempting this. You’re potentially exposing your whole home network in creating a reverse tunnel like this so you really have to be careful.

Conclusion
You can use your Raspberry Pi to create a reverse tunnel tht allows you to access it from anywhere, assuming you have a cooperating hosted server on the Internet as a mutual meeting point for the ssh sessions. Exercise caution, though, as you are opening up your Home network as well.

Currently the tunnel doesn’t stay up for very long – perhaps an hour or so. If I find a way to extend that I’ll revise this post.

References
Having trouble ssh’ing to your Ras Pi under any conditions? This article explains how to get past one common cause of this problem.

This entry was posted in Admin, Linux, Raspberry Pi and tagged . Bookmark the permalink.

9 Responses to Ssh access to your Raspberry Pi from anywhere

  1. tamberg says:

    Hi John, great post. An alternative, simple method to make your Raspi accessible from the Web or SSH is via Yaler, our relay infrastructure. See https://yaler.net/raspi for details.

    Kind regards,
    Thomas

    • Arde says:

      You might have mentioned right away that Yaler is a paid option. It’s probably worth it for those who have loads of devices or want enterprise quality connectivity, but most of those won’t end up in blogs like this anyway.

  2. Vic says:

    I have my Raspi setup to tunnel VNC and view my security cam.
    I cannot understand why I should use reverse tunnel.
    I have honestly tried to read as much as I could on the matter, but I still don’t understand
    the difference, or benefits.

  3. Grazer says:

    OMG thanks so much – this worked perfectly.
    Great for accessing my Raspberry PI on the side of a mountain!

  4. Arde says:

    Thanks for the nice post. I found this among a few others while trying to find the best solution for the reverse tunneling of my several Pi’s. A few notes if you care to update a post this old at this point. It’s still valid and people still find it so it’d probably be worth it. If not, at least you can consider these for your future posts. 😉

    1) In the Conclusions you still mention the tunnel only stays up for a while. You posted the fixes but forgot to take that out. I think it’d be better if you just modified the post to contain only the right information – at this point it doesn’t matter that you first say it doesn’t work and then tell us how to fix that.

    2) I would’ve liked some more information about the actual ssh command line parameters you used. It doesn’t take too much effort to figure out what -f and -N do but since you already know, why not share it right away?

    Just my 2c, thank you for sharing!

  5. Dara Adib says:

    You can avoid changing sshd_config by relying on ServerAliveInterval and ServerAliveCountMax options on the client side (ssh -o ServerAliveInterval=... or in ~/.ssh/config). TCPKeepAlive is not needed alongside SSH keep alives, GatewayPorts is not needed for forwarding to localhost on the hosted server, and AllowTcpForwarding should be the default.

    Also, if you don’t want to fully trust the provider of the hosted server, you can use ProxyCommand for end-to-end encryption, see ssh_client_config_example.

    I wrapped this up in a small package for Debian/Raspbian/Ubuntu, let me know if it’s helpful:
    https://github.com/daradib/sidedoor

  6. marco says:

    Hello,

    i found this link:

    http://www.raspberryanywhere.com/

    Perhaps it can be of some help. I’v been using the service from several weeks and it works great!

    The link provide a simple software teamviewer like to access your raspberry board anywhere you are.
    Furthermore, you can use your usual SSH client; they just provide a virtual address to connect to your board
    via SSH or HTTP . It worths a try for sure!

Leave a Reply

Your email address will not be published. Required fields are marked *