I got my Raspberry Pi 3. I hooked it up to my university's Wi-Fi... and then realized - I have no way to SSH into it. Or connect to it at all. The university does not maintain a client-to-client network, and of course, you cannot port-forward. I tried some third-party solutions (ngrik, remot3.it), and while they worked, I wanted something free, unlimited, with my own static domain, which was also very fast. Given I already have a VPS, I turned it into a reverse tunnel to my RPi3.
[‾‾‾‾‾‾‾‾] SSH request [‾‾‾‾‾‾‾‾] SSH request [‾‾‾‾‾‾‾‾]
| | ---------------> | | ---------------> | |
| Anyone | port 6000 | VPS | port 22 | RPi3 |
| | | | | |
| | SSH response | | SSH response | |
[________] <--------------- [________] <--------------- [________]
port 6000 port 22
Due to the above limitations, I created a virtual network using OpenVPN
. This way, the VPS can pass all traffic through this internal network.
I used the following fantastic script to set up the server. You may want to modify it so it doesn't touch your iptables
, since internet forwarding won't be required. I then connected the two computers and made sure they see each other by pinging each other's internal IPs. It is also very important to set a static IP for the RPi3 in this virtual network. In my case, that is: 10.8.0.100
This tells the computer that it should pass along any traffic that is meant for a different computer on its network.
We modify /etc/sysctl.conf
:
net.ipv4.ip_forward = 1
and force a configuration reload:
sysctl -p
or simply:
echo 1 > /proc/sys/net/ipv4/ip_forward
I opted for ufw
, but you can do the same with bare iptables
, since the commands are the same.
We add the rules under /etc/ufw/before.rules
:
# PART 1/2
*nat
-A PREROUTING -p tcp --dport 6000 -j DNAT --to-destination 10.8.0.100:22
-A POSTROUTING -d 10.8.0.0/24 -j MASQUERADE
COMMIT
The first rule takes any traffic on port 6000
and re-writes it so its destination becomes 10.8.0.100
(the RPi3) on port 22
.
The second rule MASQUERADE
s all traffic in the subnet of the virtual network (10.8.0.XXX
). This does 2 things:
- Re-write outbound traffic to originate from the VPS
- Re-write inbound traffic to reach the original client
We also have to allow the now redirected traffic to be forwarded, since, by default, UFW blocks all forwarding. You can insert the following rule to the already existing filter
section, or make one yourself (remember to COMMIT
!):
*filter
.
.
# PART 2/2
-A FORWARD -p tcp --dport 22 -j ACCEPT
.
.
COMMIT
Trigger a ufw reload
and use port 6000
on the VPS to access SSH on the RPi3. You can use this same method for any other port and service as well.