Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Home Server setup: Raspberry PI on Internet via reverse SSH tunnel

Raspberry Pi on Internet via reverse SSH tunnel

HackerNews discussed this with many alternative solutions: https://news.ycombinator.com/item?id=24893615

I already have my own domain name: mydomain.com. I wanted to be able to run some webapps on my Raspberry Pi 4B running perpetually at home in headless mode (just needs 5W power and wireless internet). I wanted to be able to access these apps from public Internet. Dynamic DNS wasn't an option because my ISP blocks all incoming traffic. ngrok would work but the free plan is too restrictive.

I bought a cheap 2GB RAM, 20GB disk VM + a 25GB volume on Hetzner for about 4 EUR/month. Hetzner gave me a static IP for it. I haven't purchased a floating IP yet.

I created a subdomain u1.mydomain.com with its A record pointing to the above static IP address.

Then I created two CNAME records, pointing to the above subdomain: home.mydomain.com and cloud.mydomain.com.

I disabled nginx on the server and installed Caddy instead. These are the contents of my /etc/caddy/Caddyfile:

{
  email myemail@gmail.com
}

home.mydomain.com {
  # These are reverse-proxied to port 10000+n which are SSH
  # tunneled into the raspberrypi at my home
  reverse_proxy localhost:10080
}

cloud.mydomain.com {
  # These are served locally but with automatic HTTPS
  root * /usr/share/caddy
  file_server
}

I set GatewayPorts clientspecified in my /etc/ssh/sshd_config on the server. This is needed so that the client (RaspberryPi) can specify which ports to enabled reverse tunneling on.

I enabled the Ubuntu firewall on this server and allowed incoming traffic on port 80, and 443. For eg: sudo ufw allow 80

Now, on my Raspberry Pi at home, I created a reverse SSH tunnel to this Hetzner VM with: ssh -N -T -R 10080:localhost:80 myuser@u1.mydomain.com

And just like that, my site running on port 80 on the Pi is now accessible at https://home.mydomain.com.

Once we're done testing, we can add the -f option so that this tunnel runs in the background. To be able to recreate the tunnel (perhaps via crontab), I put this in a bash script:

#!/bin/bash
createTunnel() {
  /usr/bin/ssh -f -N -T -R 10080:localhost:80 myuser@u1.mydomain.com
  if [[ $? -eq 0 ]]; then
    echo Tunnel to Hetzner created successfully
  else
    echo An error occurred creating a tunnel to hetzner. RC was $?
  fi
}
/bin/pidof ssh
if [[ $? -ne 0 ]]; then
  echo Creating new tunnel connection
  createTunnel
fi

If I run any additional apps on the Pi, I'll need to:

  • Create a tunnel (or modify the port range for the current one).
  • Modify the Caddyfile on server and restart caddy with sudo systemctl restart caddy

Future explorations:

  • Get Caddy or perhaps TCPProxy to access other services on Pi, not just webapps
  • Map an entire port range so that the above two steps are not needed everytime I add a new Webapp on the Pi
  • Test for IPv6 handling throughtout the stack

Talk to me on Twitter for issues/suggestions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment