Outside looking in (accessing the Pi from the internet)

Introduction

If you are using the Raspberry Pi to monitor or control something in your house while you are not home, it may be important for you to login to your Pi from the internet (e.g. on the road). To do this you need a port on your Pi that is exposed to the outside world and some way to find your Pi on the world wide internet.

To do the latter, you need a dynamic DNS service. Here I assume that your Pi sits behind a router (maybe wireless) and gets a local IP address. Your router is connected to your ISP and has the internet IP address that is reachable from the outside. You could memorize your router’s IP address, but your ISP may change it from time to time, so that address will go out of date. Dynamic DNS services solve this problem. You run a little program (called ddclient) on your Pi that every few minutes figures out the internet IP address of your router (it does this by fetching http://checkip.dyndns.org; try it yourself). It then contacts your dynamic DNS service and reports this IP address. The dynamic DNS service provides you with an internet name that resolves to this IP address (e.g. blah.dnsdynamic.com).

Next, you need your router to forward a port to your Pi for access. I will forward port 9622 on the router to port 22 on the Pi. Port 22 is the ssh port. So from the outside world I can run ssh pi@blah.dnsdynamic.com -p 9622 and I am logged into my Pi!

Realize that exposing a Pi port to the outside world is somewhat dangerous, because other people can find it and try to hack into your little Pi. That could be really bad. So to try to prevent this, I’m only going to expose the ssh port, and I’m going to forward it to an obscure port number on my router. This will be the only port I expose (so I’m going to do ssh port-forwarding if I want to look at a web server on my Pi). A malicious user would need to do a full port-scan to find my obscure port (this does happen – where I work new machines are port scanned by someone on the outside within minutes of being attached to the network). And then I’m going to have my ssh server locked down very tightly. More on this below.

Setting up a Dynamic DNS service

There are several free dynamic DNS services. The one that seemed to work the best and was easy to set up was http://www.dnsdynamic.org/. After making an account there and creating a name for your address (e.g. blah.dnsdynamic.com), you then need to install the ddclient program. I followed the instructions at http://wellsb.com/post/29412820494/raspberry-pi-vpn-server#router which worked pretty well. Just follow the instructions for dynamic DNS, not the other stuff (e.g. skip the VPN server and client sections). The configuration screen only comes up while ddclient is being installed, and if you get it wrong it is hard to get it back. The way to make it reappear is to completely remove ddclient with sudo apt-get purge ddclient; the config program runs again when you reinstall ddclient. Be sure to follow the directions about editing the config file. That’s important. When you are done, you should be able to reach your router using the address that you set up with dnsdynamic.

Opening and forwarding a port on your router

You now need to open a port on your router and tell it to forward to port 22 on your Pi. Hopefully, you know how to do this on your router. Be sure to pick a large router port number (like 9000 <= your number <= 9999). You'll have to remember it though. Once this is set up, if you ssh to the machine name (e.g. blah.dnsdynamic.org) and that port, your Pi’s ssh daemon should ask you for a password.

Locking down ssh

Having ssh ask for a password could give attackers a way into your machine, if they can guess that password. A better approach is to not use a password and to give your ssh public key to the Pi. The advantage is that only you, or others who give their key to the Pi, can log into the machine. You don’t need a password. This is secure because you keep your private key on your “client machine” (the laptop or desktop you are using to log into the Pi) and that key is needed to ssh to the Pi. No one else can guess that private key (it’s big). The disadvantage is that you always have to use that client machine to log into the Pi. You can’t use a public machine (e.g. at the library) or a friend’s machine. If your laptop or desktop breaks, you won’t be able to use another one and you’ll have to log into your Pi physically from the console to regain access.

If you don’t already have a private/public key pair on your client machine, you can easily make one with the ssh-keygen command. Follow the instructions. You can assign a passphrase to the key, so that you have to enter that phrase whenever you use it to ssh. I don’t bother with this, but you might if others can use your client machine. This leaves you with two files: id_rsa is the private key. Don’t move it or share it with anyone. id_rsa.pub is your public key. Copy this file to your Pi (use the scp command) and add its contents to ~/.ssh/authorized_keys on the Pi. If you don’t have that file, make it. If you already have it, make sure the keys in there are still valid (remove ones that you don’t use anymore). Then simply add the text of your public key at the bottom.

Now, on the Pi, lock down sshd so that it no longer accepts password attempts. To do this, sudo vi /etc/ssh/sshd_config and change the line with PasswordAuthentication to say no. Then restart sshd with sudo /etc/init.d/ssh restart. Now you are all set.
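The authorized_keys and sshd_config steps above, as an added POSIX sh example (not the post’s own code): one function installs a public key without duplicating it and sets the permissions sshd insists on, the other checks whether a given sshd_config still allows password logins. File paths are parameters so the functions can be tried on scratch copies before touching the real files; the key lines in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example (not the post's code): the authorized_keys and sshd_config
# steps as functions, with the checks a practitioner adds in practice.
# File paths are parameters, so you can try them on scratch copies first.

# add_key AUTHORIZED_KEYS_FILE "PUBKEY LINE": append the public key unless its
# key material is already there (the trailing comment is ignored when
# comparing), then set the permissions sshd requires before it will use the file.
add_key() {
    authorized="$1"; pubkey="$2"
    keydata=$(printf '%s\n' "$pubkey" | awk '{ print $1, $2 }')
    mkdir -p "$(dirname "$authorized")"
    touch "$authorized"
    if awk -v want="$keydata" '($1 " " $2) == want { found = 1 } END { exit !found }' "$authorized"; then
        echo "key already present"
    else
        printf '%s\n' "$pubkey" >> "$authorized"
        echo "key added"
    fi
    # sshd ignores authorized_keys if the file or ~/.ssh is writable by others.
    chmod 700 "$(dirname "$authorized")"
    chmod 600 "$authorized"
}

# password_logins_enabled SSHD_CONFIG: exit 0 if the config still lets someone
# log in by typing a password. sshd honours the first uncommented occurrence of
# a keyword, and both keywords default to "yes" when absent. Caveat the post does
# not mention: with ChallengeResponseAuthentication yes, PAM can still prompt
# for the account password even when PasswordAuthentication is no.
password_logins_enabled() {
    cfg="$1"
    pw=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$cfg")
    cr=$(awk 'tolower($1) == "challengeresponseauthentication" { print tolower($2); exit }' "$cfg")
    [ "${pw:-yes}" = "yes" ] || [ "${cr:-yes}" = "yes" ]
}

# Usage on the Pi (after copying id_rsa.pub over with scp):
#   add_key ~/.ssh/authorized_keys "$(cat id_rsa.pub)"
#   password_logins_enabled /etc/ssh/sshd_config && echo "sshd still accepts passwords"
```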

One comment

  1. vassilios

    Thank you. Very nice explanation of things I could not find (in a short description) on any recent posts. Will try some of them.