I needed a way to remotely and securely access the internal network of a few different installations in places where I couldn't control port forwarding, thus preventing me from directly establishing a VPN connection to the two Raspberry Pis. I can connect via RealVNC, which works, but is a clunky solution for accessing internal network resources, especially on mobile.
I used the following guide as a starting point:
https://www.it-react.com/index.php/2020 ... -on-linux/
and then added a bit from Bostrot's answer in this StackExchange thread:
https://superuser.com/questions/1356330 ... ssh-tunnel
Installed OpenVPN via PiVPN script
Code: Select all
curl -L https://install.pivpn.io | bash
Edit /etc/openvpn/server.conf on RASPI HOST
Change "proto udp" to "proto tcp" and restart service
Add a user profile via "pivpn add" then adjust .ovpn profile to "proto tcp-client" instead of "proto udp", and replace "remote 192.168.x.x 1194" with ddns address and a different port so the RASPI SERVER can forward the VPN TCP traffic to the SSH tunnel (like "remote domain.myvnc.com 11194") then install that ovpn profile onto a phone or laptop or whatever
Edit /etc/ssh/sshd_config to the following on RASPI SERVER and RASPI HOST. Uncomment and enable:
Code: Select all
AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
TCPKeepAlive yes
ClientAliveInterval 300
ClientAliveCountMax 2
PermitTunnel yes
Install autossh on RASPI HOST and adjust the init.d script to the following:
Code: Select all
#! /bin/sh
# author: Clément Désiles
# date: 01/08/2016
# source: https://gist.github.com/suma/8134207
# source: http://stackoverflow.com/questions/34094792/autossh-pid-is-not-equal-to-the-one-in-pidfile-when-using-start-stop-daemon
### BEGIN INIT INFO
# Provides: autossh
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: autossh initscript
# Description: establish a tunnelled connexion for remote access
### END INIT INFO
. /etc/environment
. /lib/init/vars.sh
. /lib/lsb/init-functions
TUNNEL_HOST=yourddns.domain.com
TUNNEL_USER=pi
TUNNEL_PORT_SSH=10022
TUNNEL_PORT_NODERED=11880
TUNNEL_PORT_GRAFANA=13000
TUNNEL_PORT_TASMOADMIN=15555
TUNNEL_PORT_VPN=11194
MONITOR_PORT=10000
# All the services you want to tunnel, in this guide, vpn is the important one
KEY_PATH=/home/pi/.ssh/id_rsa
# If you saved the RSA key in a different spot, you need to adjust
NAME=autossh
DAEMON=/usr/lib/autossh/autossh
AUTOSSH_ARGS="-M $MONITOR_PORT -f"
SSH_ARGS="-nNTv -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o
IdentitiesOnly=yes -o StrictHostKeyChecking=no \
-i $KEY_PATH -R $TUNNEL_PORT_SSH:localhost:22 -R
$TUNNEL_PORT_VPN:localhost:1194 -R
# Forward traffic from VPN 11194 port to RASPI HOST tunnel which is listening on 1194 like normal
$TUNNEL_PORT_TASMOADMIN:localhost:5555 -R
# Add or remove these other port forwards as necessary for other services, note that these are not secure https unless you set that up separately
$TUNNEL_PORT_NODERED:localhost:1880 -R
$TUNNEL_PORT_GRAFANA:localhost:3000 $TUNNEL_USER@$TUNNEL_HOST"
DESC="autossh for reverse ssh"
SCRIPTNAME=/etc/init.d/$NAME
DAEMON_ARGS=" $AUTOSSH_ARGS $SSH_ARGS"
# Export PID for autossh
AUTOSSH_PIDFILE=/var/run/$NAME.pid
export AUTOSSH_PIDFILE
do_start() {
start-stop-daemon --start --background --name $NAME --exec $DAEMON
--test > /dev/null || return 1
start-stop-daemon --start --background --name $NAME --exec $DAEMON --
$DAEMON_ARGS || return 2
}
do_stop() {
start-stop-daemon --stop --name $NAME --retry=TERM/5/KILL/9 --pidfile
$AUTOSSH_PIDFILE --remove-pidfile
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
start-stop-daemon --stop --oknodo --retry=0/5/KILL/9 --exec $DAEMON
[ "$?" = 2 ] && return 2
return "$RETVAL"
}
case "$1" in
start)
log_daemon_msg "Starting $DESC" "$NAME"
do_start
case "$?" in
0|1) log_end_msg 0 ;;
2) log_end_msg 1 ;;
esac
;;
stop)
log_daemon_msg "Stopping $DESC" "$NAME"
do_stop
case "$?" in
0|1) log_end_msg 0 ;;
2) log_end_msg 1 ;;
esac
;;
status)
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
;;
*)
echo "Usage: $SCRIPTNAME {start|stop|status|restart}" >&2
exit 3
;;
esac