Raspberry Pi devices are extremely useful for Internet of Things (IoT) projects due to their small size, affordability, and customizability. However, accessing them remotely can be challenging when they are behind a firewall or router blocking incoming connections.
This comprehensive guide will demonstrate proven methods for securely accessing your Raspberry Pi over the internet, even if it has no public IP address. We will cover SSH tunneling, virtual private networking, dynamic DNS, port forwarding, and more using various tools.
Challenges of Remotely Accessing Devices Behind Firewalls
Firewalls and network gateways are vital for securing devices from unwanted remote access. However, they can also unintentionally block legitimate administrative access to devices like Raspberry Pis from outside local networks.
Some key challenges include:
-
No Public IP Address: Most home and business routers assign private IP addresses (like 192.168.1.5) to connected devices instead of public internet routable addresses. This prevents direct worldwide access.
-
Port Blocking: Firewalls often block remote login services like SSH which use port 22 by default to prevent intrusions.
-
Dynamic IP Addresses: Consumer internet connections rarely have static IP addresses. The public IP can change anytime, breaking remote access.
-
IPv4 Shortages: There are not enough public IPv4 addresses for every internet device to have a direct connection. IPv6 adoption is increasing but has a long way to go.
Fortunately, with the right tools and techniques, we can work around these limitations to connect securely over the internet to our headless Raspberry Pi servers.
Prerequisite Access to Configure Raspberry Pi
Before setting up remote access, you will need:
- A monitor, keyboard and mouse to configure the Pi‘s Raspbian OS
- The Raspberry Pi connected by Ethernet or WiFi to your local network
- SSH enabled – using
sudo raspi-config
tool - Python 3 and pip installed – run
sudo apt install python3 python3-pip
- A static local IP address assigned to your Pi like 192.168.1.195
These allow local command line access to install and test remote access software before disconnecting peripherals.
Access Method 1 – SSH Reverse Tunnel
SSH reverse tunneling is a reliable way to remotely access a Raspberry Pi through one or more firewalls and NAT gateways using an intermediate server.
Here is a diagram showing how it works:
The key steps are:
-
Set up a publicly accessible Linux server with SSH access and no firewall. Example options are a $5/month DigitalOcean Droplet or free tier AWS EC2 instance.
-
On the public server, run
ssh -R 22222:localhost:22 user@raspberrypiclient
, replacing raspberrypiclient with your Pi‘s local IP address. This opens port 22222 on the server and tunnels traffic to port 22 (SSH) on your Pi. -
You can now connect from your home/office workstation to the public server using
ssh -p 22222 user@publicserverIP
. This gets forwarded through the tunnel to your Raspberry Pi.
SSH reverse tunnels are encrypted end-to-end and prevent remote access to your Pi from anyone except through the intermediate server. Admin access to the server should be tightly controlled and additional authentication for the Pi can be added using ssh key pairs.
If your workstation has a dynamic IP address, consider leveraging Dynamic DNS instead of remembering constantly changing public IP addresses. Major routers support automatic updates with services like DuckDNS.
Access Method 2 – OpenVPN Tap Interface
OpenVPN is a robust open source virtual private networking (VPN) package providing transport layer encryption.
With tap interfaces, it can bridge your Pi and remote machine networks seamlessly as if they are on the same LAN. This allows all access protocols between devices, not just SSH.
Key steps are:
-
Set up any publicly accessible server to run as your OpenVPN host. A $10/month VPS works well.
-
Install OpenVPN server packages. On Ubuntu/Debian run
sudo apt install openvpn
. -
Generate server certificates and keys using
openvpn --genkey --secret /etc/openvpn/static.key
. -
Make a /etc/openvpn/server.conf file with content like this example. Set protocol UDP on port 1194, the tap interface, DHCP pool and salaries.
-
Generate a client certificate using
openvpn --genkey --secret /etc/openvpn/static.key
. -
Download /etc/openvpn/static.key plus ca.crt, client.crt and client.key to your local machine.
-
Install OpenVPN client and run:
openvpn \ --config sample-config.ovpn \ --auth-user-pass /etc/openvpn/credentials.txt
-
You can now transparently access your Pi over the secure VPN tunnel on its local IP address!
OpenVPN uses extremely secure 256-bit AES encryption that takes full advantage of CPU acceleration if available. Performance is often better than basic SSH tunnels for bulk file transfer, video streaming etc.
If your OpenVPN server has a dynamic public IP address, combine this technique with Dynamic DNS services.
Access Method 3 – Port Forwarding with Dynamic DNS
If neither VPNs nor SSH tunnels work for your use case, port forwarding may be an alternative if your firewall/router supports it.
The key steps are:
-
Enable port forwarding on your router admin interface, accessible via a URL like http://192.168.1.1. Map TCP port 22222 externally to port 22 (SSH) on your Pi‘s local network IP.
-
Set up Dynamic DNS to assign a domain name to your public IP address. Many free services are available like No-IP.
-
You can now SSH remotely to yourPiDNSname:22222 from anywhere and get forwarded by the router to your Pi.
The biggest downside of port forwarding is exposing your Pi SSH port globally. Auto changing the forwarded port periodically is recommended. Also consider adding fail2ban to block brute force attacks.
Access Method 4 – Ngrok Secure Tunnels
Ngrok is a modern tunneling tool for handling dynamic IP addresses and tricky NAT traversal while avoiding firewall configuration.
Setup steps:
-
Sign up for a free Ngrok account to get an authtoken for identifying your sessions.
-
Download the
ngrok
binary for your OS from the setup instructions. -
Run
./ngrok authtoken YOUR_AUTH_TOKEN
one time to save it. -
Whenever you want to access your Pi, run
./ngrok tcp 22
. -
Ngrok will print a unique public URL to access the mapped
tcp 22
port, updating whenever your IP changes!
Unlike port forwarding, Ngrok better secures open ports by placing them behind per-session random URLs. Additional authentication can be added via HTTP auth or IP-based allowlists.
Free Ngrok tunnels disconnect after 8 hours but can be scripted to auto-reprovision. For constant connections, a paid Business plan offers custom subdomains starting at $8/month.
Integrating Remote Access with Systemd Services
Whichever remote access method you implement, considerconfiguring it to auto-start on Raspberry Pi boot and restart on failures using Linux service managers like systemd.
For example, this /etc/systemd/system/ngrokservice.service unit will run Ngrok on each reboot:
[Unit]
Description=Ngrok Tunnel Service
After=network.target
[Service]
Type=simple
ExecStart=/home/pi/ngrok tcp 22
Restart=always
[Install]
WantedBy=multi-user.target
After creating the unit file, run:
sudo systemctl enable ngrokservice
sudo systemctl start ngrokservice
This offers hands-off management of remote access instead of needing intermittent manual intervention.
Security Best Practices for Remote Raspberry Pi Access
Consider adopting these security practices:
- Always use SSH key authentication instead of passwords to prevent brute force login attempts.
- Disable SSH password authentication via
PasswordAuthentication no
in sshd_config. - Change the default SSH listening port to be non-standard using Port 22222.
- Only permit your current public IP address to tunnel/access if possible, updating it periodically in firewall rules.
- Use private VPN or SSH tunnel links rather than open port forwarding where feasible.
- Install automatic intruder detection software like fail2ban or SSHGuard.
- Keep the Raspberry Pi OS and applications updated regularly for security patches.
- Mount external network filesystems read-only wherever possible to limit damage if compromised.
- Backup critical Pi data and configuration frequently to a secure remote location.
Closing Thoughts on Securing Remote Server Access
Accessing Raspberry Pis securely over the internet through complex home and business networks can be challenging but extremely useful for administration, file transfer and control applications.
Methods like SSH tunneling, VPNs, Dynamic DNS combined with port forwarding and Ngrok provide flexible trade-offs between security, latency, complexity and cost depending on individual needs.
Implementing proactive authentication, encryption and intruder prevention best practices improves security further for remote device access.
With some diligent planning and configuration, you can manage your special projects like off-site 3D printers or crypto mining rigs from anywhere!