Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Home Server setup: Raspberry PI on Internet via reverse SSH tunnel

Raspberry Pi on Internet via reverse SSH tunnel

HackerNews discussed this with many alternative solutions: https://news.ycombinator.com/item?id=24893615

I already have my own domain name: mydomain.com. I wanted to be able to run some webapps on my Raspberry Pi 4B running perpetually at home in headless mode (just needs 5W power and wireless internet). I wanted to be able to access these apps from public Internet. Dynamic DNS wasn't an option because my ISP blocks all incoming traffic. ngrok would work but the free plan is too restrictive.

I bought a cheap 2GB RAM, 20GB disk VM + a 25GB volume on Hetzner for about 4 EUR/month. Hetzner gave me a static IP for it. I haven't purchased a floating IP yet.

I created a subdomain u1.mydomain.com with its A record pointing to the above static IP address.

Then I created two CNAME records, pointing to the above subdomain: home.mydomain.com and cloud.mydomain.com.

I disabled nginx on the server and installed Caddy instead. These are the contents of my /etc/caddy/Caddyfile:

{
  email myemail@gmail.com
}

home.mydomain.com {
  # These are reverse-proxied to port 10000+n which are SSH
  # tunneled into the raspberrypi at my home
  reverse_proxy localhost:10080
}

cloud.mydomain.com {
  # These are served locally but with automatic HTTPS
  root * /usr/share/caddy
  file_server
}

I set GatewayPorts clientspecified in my /etc/ssh/sshd_config on the server. This is needed so that the client (RaspberryPi) can specify which ports to enabled reverse tunneling on.

I enabled the Ubuntu firewall on this server and allowed incoming traffic on port 80, and 443. For eg: sudo ufw allow 80

Now, on my Raspberry Pi at home, I created a reverse SSH tunnel to this Hetzner VM with: ssh -N -T -R 10080:localhost:80 myuser@u1.mydomain.com

And just like that, my site running on port 80 on the Pi is now accessible at https://home.mydomain.com.

Once we're done testing, we can add the -f option so that this tunnel runs in the background. To be able to recreate the tunnel (perhaps via crontab), I put this in a bash script:

#!/bin/bash
createTunnel() {
  /usr/bin/ssh -f -N -T -R 10080:localhost:80 myuser@u1.mydomain.com
  if [[ $? -eq 0 ]]; then
    echo Tunnel to Hetzner created successfully
  else
    echo An error occurred creating a tunnel to hetzner. RC was $?
  fi
}
/bin/pidof ssh
if [[ $? -ne 0 ]]; then
  echo Creating new tunnel connection
  createTunnel
fi

If I run any additional apps on the Pi, I'll need to:

  • Create a tunnel (or modify the port range for the current one).
  • Modify the Caddyfile on server and restart caddy with sudo systemctl restart caddy

Future explorations:

  • Get Caddy or perhaps TCPProxy to access other services on Pi, not just webapps
  • Map an entire port range so that the above two steps are not needed everytime I add a new Webapp on the Pi
  • Test for IPv6 handling throughtout the stack

Talk to me on Twitter for issues/suggestions.

@fasmide
Copy link

fasmide commented Oct 26, 2020

I created https://github.com/fasmide/remotemoe for this exact use-case :)

@CzBiX
Copy link

CzBiX commented Oct 26, 2020

Nebula/WireGuard VPN + nginx works well.

@enno-au
Copy link

enno-au commented Oct 26, 2020

Nice stuff... but once you had the Hetzner VPC, you could have dropped ZeroTier on it, dropped another ZeroTier instance on your Pi, plumbed them both onto a common private network and then just used Caddy to reverse proxy the web server (or any other service) directly from your home over the private ZeroTier mediated network. All you need at home is port 9993 open (I think) for ZeroTier to work. It provides an encrypted & authenticated SDN-like connection between your systems. And frankly, it's a lot easier than IPsec or the other VPN style solutions and at least as strong if not stronger.

If you just want private access to the Pi based resources you can put ZeroTier on your phone, tablet or laptop and just access things directly that way, no need for the VPC.

As I say, nice work though. Hadn't seen caddy before. Must have a closer look.

@crappyrules
Copy link

crappyrules commented Oct 26, 2020

btw, WireGuard would also be a excellent ssh replacement for this case

I use wireguard with nginx reverse-proxy to accomplish the same thing. Now I'm curious as to which is faster.

@tommyvn
Copy link

tommyvn commented Oct 27, 2020

It's awesome to see SSH being used for more than just logging in to servers.
A few years back i wrote a custom ssh server to do this exact thing, altho my use case was webhook development rather than connecting a pi. other peeps have found it useful and it's turned into a bit of a side project so if anyone wants to try a reverse ssh tunnel on it before putting in the work to setup their own server, run ssh -R 80:localhost:8080 ssh.localhost.run and you'll have a reverse tunnel wired up to localhost:8080 with an internet accessible domain name returned in your terminal.

@nielswart
Copy link

nielswart commented Oct 27, 2020

@seekr
Copy link

seekr commented Nov 14, 2020

@nileshtrivedi I wonder is this technique can be used to actually enable me to ssh into my rpi using a subdomain, similar to how you are serving html via port 80.

I try to ssh user@home.domain.com but it didn't work...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment