I Don't Need Port Forwarding and Don't Care About CGNAT
This article is for users that want all these features:
- To connect to home network from anywhere
- Can connect without any port forwarding; either by choice or internet provider can't or won't provide access
- No setup or configuration or installation on client machine
- No enrollment / registration required
- To connect to these services in your home network:
- Web services, like website or monitoring web browser-based services
- Terminal (SSH) access to a machine at home
- Graphic User Interface (GUI) access to a machine at home **
- Access control optional on any service
- No cost for home user
This is not a project for the beginner but allows for the implementation of simple, straightforward public facing access with adequate security to protect your home.
I have two networks, one is in a city, and it has a publicly accessible Ipv4 address, the other is in the country and has internet service with CGNAT so it has no addressable Ipv4 ports. On each of these I wanted to enable the following
- Access various web services
- Access Raspberry Pi GUI using Virtual Network Computing (VNC) technology.
- Access terminal (SSH) support for maintenance
- Enable with no setup on client machine so I, or anyone, could access the sites
- No enrollment or registration for use of the client
- No open inbound ports on my networks, deliberate or imposed
I can do all this using free Cloudflare tunnelling services with no need for VPN or other setup on client machines.
You will need a Linux based machine that can be left running all the time. I chose to use a single Raspberry Pi 4 dedicated to being my gateway.
I am not a gamer, I do not need to support Minecraft servers or other single purpose services, just web services, VNC GUI and SSH. Cloudflare supports web-based access to GUI interface (VNC) and RDP (Windows Remote Desktop Protocol) I have not tested RDP. I have not pursued IPv6 internet protocol yet as my city ISP is not supplying it at this time.
This is not the solution for everyone, but it works for me.
Disclosure. I have no affiliation with any company mentioned herein other than being a user/customer. No money or favours change hands.
NOTE : If you do not need public access to your network using client machines with no special setup or configuration, there is no point using this technique. I recommend you just use TailScale or ZeroTier.
This needs to be imlemented on a machine that runs all the time. Typically, these are Linux machines. It does not need to be a special purpose machine, this software does not need a lot of resources. My configuration runs on a raspberry Pi.
You will need these skills and services:
- A Cloudfare Teams account (free)
- Cloudflare DNS service
- Your own, owned, domain name
- Understanding of DNS records and setting them up
- Command line (terminal) use on a linux machine
I will use mydomain.com as my example domain name. Although this post is using Raspberry Pi devices, nothing is special to the Pi, and the software could be implemented on any Linux machine. Cloudflare says it also supports Windows and Mac OS, but I have not tested them.
I now have the following working with no port forwarding or 3rd party VPN:
- Each access point is separate subdomain except my main website.
- All URLs use https certificate protocol management for encrypted access to websaervices. This is handled completely by Cloudflare, none on my network
- A public website running in my network
- Two Grafana dashboards running on separate machines.
- These are accessed with grafana1.mydomain.com and grafana2.mydomain.com.
- There is no need for public use of special port number that is handled in the Cloudflare interface
- Access to these is controlled by Cloudflare Access control so only sanctioned users can access the sites.
- A container management dashboard called portainer to view all container (docker) activity in my network.
- This has the same features as the Grafana sites, but access control is distinct for this URL.
- URL is portainer.mydomain.com
- A Network Accessed Strorage (NAS) device by QNAP
- GUI (VNC) access to a Raspberry Pi running headless GUI.
- A web browser based SSH session to one of my Pi devices.
The upside of all this?
- I have one small service running on a Pi device and configuration is one text configuration file
- No port forwarding setup on router. All "routing" is in one configuration file which I can store in a git repository.
- My router has NO open ports
- No need for a static IP address or dynamic Domain Name Service(DDNS) service providers No one needs to know where I am.
- No risk of cyber attacks (DDOS) or vandalism attacks as my public access is managed by Cloudflare.
- SSL certificates are managed by Cloudflare not on my site. I have no need for LetsEncrypt or other certificate service.
- No need for a NGINX or other reverse proxy server to sort out requests
- Anyone who is allowed to access my servers has zero setup on their systems. They do need an email address as that's what I use for Access control. The list of valid email addresses is my control list.
- There is no need for users to register, they get a time sensitive access code sent to their pre-authorized email address when they access the URL
- I have access to many of my inside services, including SSH, from any browser, I don't need my specially configured laptop to access my network
- At my usage level all these services are provided free by Cloudflare
Possible downside?
- You need to own a domain name. These are not expensive.
- You need to set up Cloudflare as your DNS service. This is free and has various options. I will not elaborate, just check it out.
- You do need a constantly running device in your network as the interface
- This is not for a beginner, but neither is port forwarding or VPN setup
This is not a step-by-step tutorial. I assume that you will use instructions provided on the various links I include.
I got my inspiration from this blog and many of the steps are described in that blog.
I did the following.
I established my Cloudflare account months ago, but it was straight forward. I recall at the time thinking "that's it?"
Migrating was fast. There are tutorials here to guide you through. If need to you can use a script to implements dynamic DNS on Cloudflare using their REST API. I no longer need this service although I used it for many months before this project.
This seems redundant but, yes, there are two Cloudflare accounts. Or it seems that way to me. Teams is here. Once you're enrolled Cloudflare seems to keep track.
I used this as my guide for installing. It's only one file.
Here's part of my YAML file, anonymized.
tunnel: 7f948b69-4272-489b-b76c-XXXXXXXXXXX credentials-file: /home/pi/.cloudflared/7f948b69-4272-489b-b76c-XXXXXXXXXXX.json ingress: - hostname: "db1.mydomain.com" service: http://192.168.2.2:3000 - hostname: "ssh.mydomain.com" service: ssh://localhost:22 - hostname: "vnc.mydomain.com" service: http:// localhost:5900 originRequest: noTLSVerify: true - hostname: "mydomain.com" service: http://localhost:80 - service: http\_status:404
I had some problems setting up SSH and VNC
I had a problem with SSH as Cloudflare prefers to use password authentication to login. My Pi was set up by Pi Image Builder to use authentication keys. This also disables the ability to login using a password. The solution is to modify the sshd server config file to allow password authentication.
To find out if you have this problem, run this command:
grep ^PasswordAuthentication /etc/ssh/sshd_config
you will see something like this
PasswordAuthentication no
If you have a line that says PasswordAuthentication no, then you need to edit the /etc/ssh/sshd_config file to change it to yes and restart sshd. If you get no result from the grep command, all is good.
You need to change VNC authentication to use a VNC Password.
Step 1, configure VNC to work headless.
- This YouTube video will show you how to set it up for headless operation. This must be done even if you are, at this point, working with an attached monitor, mouse, and keyboard.
Step 2, change the default authorization for VNC from SystemAuth to VNCAuth
-
Open a terminal or ssh to the Pi
-
Generate a hashed password for VNC with this command
- vncpasswd -print
- It will prompt for a password and respond with something like this Password=ac622484dc2939XX
- Copy this to your clipboard
-
Edit/create a VNC config file
- sudo nano /etc/vnc/config.d/common.custom
- Add these two lines to the file, save it and exit (the password line is from your clipboard) Authentication=VncAuth Password=ac622484dc2939XX
- Restart the Pi
When finished you will be able to use the GUI interface in a browser. I use the Pi GUI just for testing applications or anonymous web browsing.
All of this is to enable simple access to selected services on my network with zero configuration on the client machine. This does not resolve my need to access as much of my network as possible from anywhere. I do that by using software defined network software TailScale. I have also used ZeroTier but, subjectively, prefer TailScale. However, I use my laptop for this which is configured to work with TailScale. Implementing this is simple but is beyond the scope of this post.