@jc-torresp
Created September 21, 2019 05:12
Configuration to access Raspberry Pi from anywhere with UPnP port forwarding

Access Raspberry Pi from anywhere

Dynamic DNS

We need to use so-called Dynamic DNS (DDNS) to create and dynamically update a mapping between a chosen domain name and the “external” IP address of our Raspberry Pi (i.e. the router's IP address).

  • Look for a DDNS provider.
  • Register a new user account.
  • Choose a desired domain name.
  • Configure it on the router.

UPnP port forwarding

The router's NAT hides all devices in the “internal” router network (LAN) from inbound Internet connections. To route “external” (WAN) connections to the Raspberry Pi, we will employ port forwarding on the router. We will rely on the Universal Plug and Play (UPnP) protocol to dynamically configure the proper port forwarding rules.

Installation:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install miniupnpc

Check that the router supports UPnP:

upnpc -l

This command should:

  • Enumerate all supported UPnP devices on the local network.
  • Display their internal and external IP addresses.
  • List their current port forwarding rules.

Add port forwarding rules (for the SSH and RDP protocols):

upnpc -e 'SSH on Raspberry Pi' -r 22 TCP
upnpc -e 'RDP on Raspberry Pi' -r 3389 TCP

Repeat the process for any other services on the Raspberry Pi that we would like to forward.

Establish an SSH connection to the Raspberry Pi from the Internet:

NOTE: most routers are not able to establish “external” connections from the internal network itself, so a separate Internet connection is needed to fully test the setup.

Unattended configuration

Create a shell script in an editor:

sudo nano /usr/local/bin/redirect.sh

Insert content:

#!/bin/bash
upnpc -e 'SSH on Raspberry Pi' -r 22 TCP > /dev/null
upnpc -e 'RDP on Raspberry Pi' -r 3389 TCP > /dev/null

Configure Cron to periodically run the script (every 20 minutes):

sudo crontab -e

Add the following line:

*/20 * * * * /usr/local/bin/redirect.sh
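
Because the cron job re-opens SSH to the Internet every 20 minutes, a variant of redirect.sh can first confirm that sshd's effective configuration refuses password logins and remove the mapping otherwise. This is an added example, not part of the gist; the function names and the `--apply` switch are its own, it handles only the SSH rule, and it assumes OpenSSH's `sshd -T` output format and a router that honours `upnpc -d`.

```shell
#!/bin/bash
# Added example, not the gist's script: keep the SSH mapping only while sshd
# rejects password logins; otherwise remove it (fail closed).

# Reads `sshd -T` output (effective config, lowercase keywords) on stdin.
# Succeeds only if every password-style method that is reported is "no".
ssh_is_key_only() {
    awk '
        $1 ~ /^(passwordauthentication|kbdinteractiveauthentication|challengeresponseauthentication)$/ {
            seen = 1
            if ($2 != "no") bad = 1
        }
        END { exit !(seen && !bad) }
    '
}

# Prints "map" or "unmap" for the sshd -T text on stdin.
# Empty input (sshd -T failed) counts as unsafe.
decide_ssh_mapping() {
    if ssh_is_key_only; then echo map; else echo unmap; fi
}

apply_decision() {
    case "$1" in
        map)   upnpc -e 'SSH on Raspberry Pi' -r 22 TCP > /dev/null ;;
        unmap) upnpc -d 22 TCP > /dev/null   # -d external_port protocol
               logger -t redirect.sh 'sshd allows password logins; SSH mapping removed' ;;
    esac
}

# sshd -T needs root (the root crontab provides that); the full path is used
# because cron's default PATH does not include /usr/sbin.
decision=$(/usr/sbin/sshd -T 2>/dev/null | decide_ssh_mapping)
if [ "${1:-}" = "--apply" ]; then
    apply_decision "$decision"
else
    echo "dry run: would $decision port 22 (pass --apply to change the router)"
fi
```

Run without arguments it only reports the decision; the crontab entry would call it with `--apply`.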

hyst3ric41 commented Feb 6, 2021

Not working properly in my environment:

  • ISP Router arcadyan model VRV9529AWAC24
  • Linux RaspiOS Buster Lite armhf
  • upnpc last version

upnpc is mapping the ports, but the Internet Gateway Device (IGD) shows "Found a (not connected?)" state.

By the way, the port forwarding is working fine. I mapped the HTTP (80) and HTTPS (443) ports and then accessed them through a 4G connection (attention here, do not use the same network that the UPnP device uses, NAT Loopback issue) and it connects successfully.

@devenreilly

Worked great for me! This guide was a lifesaver, thank you.


maaw commented Mar 16, 2023

It's not a good idea to forward the ssh port directly, it's better if you can remap it to a lesser known port to avoid attacks


rasmus-kirk commented Dec 28, 2023

@maaw While good practice, it should not matter much. Many SSH attacks just scan all ports to get around this. What really matters is that you disable password authentication and only do access using ssh public/private, which is much more secure from brute-force attacks.

Also beware of any firewalls, my nixos firewall blocks upnpc by default!
