Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Home Server setup: Raspberry PI on Internet via reverse SSH tunnel

Raspberry Pi on Internet via reverse SSH tunnel

HackerNews discussed this with many alternative solutions:

I already have my own domain name: I wanted to be able to run some webapps on my Raspberry Pi 4B running perpetually at home in headless mode (just needs 5W power and wireless internet). I wanted to be able to access these apps from public Internet. Dynamic DNS wasn't an option because my ISP blocks all incoming traffic. ngrok would work but the free plan is too restrictive.

I bought a cheap 2GB RAM, 20GB disk VM + a 25GB volume on Hetzner for about 4 EUR/month. Hetzner gave me a static IP for it. I haven't purchased a floating IP yet.

I created a subdomain with its A record pointing to the above static IP address.

Then I created two CNAME records, pointing to the above subdomain: and

I disabled nginx on the server and installed Caddy instead. These are the contents of my /etc/caddy/Caddyfile:

} {
  # These are reverse-proxied to port 10000+n which are SSH
  # tunneled into the raspberrypi at my home
  reverse_proxy localhost:10080
} {
  # These are served locally but with automatic HTTPS
  root * /usr/share/caddy

I set GatewayPorts clientspecified in my /etc/ssh/sshd_config on the server. This is needed so that the client (RaspberryPi) can specify which ports to enabled reverse tunneling on.

I enabled the Ubuntu firewall on this server and allowed incoming traffic on port 80, and 443. For eg: sudo ufw allow 80

Now, on my Raspberry Pi at home, I created a reverse SSH tunnel to this Hetzner VM with: ssh -N -T -R 10080:localhost:80

And just like that, my site running on port 80 on the Pi is now accessible at

Once we're done testing, we can add the -f option so that this tunnel runs in the background. To be able to recreate the tunnel (perhaps via crontab), I put this in a bash script:

createTunnel() {
  /usr/bin/ssh -f -N -T -R 10080:localhost:80
  if [[ $? -eq 0 ]]; then
    echo Tunnel to Hetzner created successfully
    echo An error occurred creating a tunnel to hetzner. RC was $?
/bin/pidof ssh
if [[ $? -ne 0 ]]; then
  echo Creating new tunnel connection

If I run any additional apps on the Pi, I'll need to:

  • Create a tunnel (or modify the port range for the current one).
  • Modify the Caddyfile on server and restart caddy with sudo systemctl restart caddy

Future explorations:

  • Get Caddy or perhaps TCPProxy to access other services on Pi, not just webapps
  • Map an entire port range so that the above two steps are not needed everytime I add a new Webapp on the Pi
  • Test for IPv6 handling throughtout the stack

Talk to me on Twitter for issues/suggestions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment