I’m looking to create a small box, probably a Raspberry Pi, that I will give to my clients that will allow me to connect to their local network and have access to their devices on the network. All that they need to do is plug in power and ethernet. It should not require any ports to be open or any changes to their local network. It should work behind CGNAT.
Now, has anybody done this kind of setup?
I’m thinking I need to create a tunnel between my machine and the Raspberry Pi using a VPS as a bridge.
Edit: I would like to add that I need direct access to their network, not to SSH into the RPI and then from the RPI to other devices. My PC - (VPN tunnel) - client PC/PLC. I cannot connect to the RPI first because I have tools that are Windows only.
Edit 2: After reading your comments and after a bit of googling I was successful at achieving what I needed by following this tutorial
NOTE: this allows one way communication from my pc to client network devices. Client devices cannot initiate communication without changing their routing table.
Sometimes I need to help relatives with computer issues. I have set up a Raspberry Pi at each of their houses that logs in to my house and sets up a reverse SSH tunnel.
This command sets up a tunnel where it listens on my home machine on port 2112 and forwards all traffic to the remote Raspberry Pi’s port 22 (where SSH listens).
From my home computer I type:
ssh -p 2112 name@localhost
And now I am logged into the Raspberry Pi at my relative’s house.
This requires NO firewall / router changes at my relative’s house. My firewall at home has to allow incoming SSH (port 22) traffic from their IP address but their IP has not changed in 2 years.
Through that SSH tunnel I can run X2Go to get a graphical X11 desktop session and run VNC within that to connect to their Windows laptop if I need to.
Perhaps I’m missing something but I would imagine tailscale would be perfect for this.
VPN tunnel based on WireGuard between nodes. You should only have to install tailscale and add it to your account. No other configuration should be necessary.
So, here’s how I do this thing - first and foremost, I run Linux, I have DNS pointing to a server box running SSH, and I’ve had bad luck trying to run my own OpenVPN box.
On the server end (example.com), I forward TCP/23456 through the router to the server, I have a user ‘secretuser’ that has a shell of /bin/false (Can’t log in), and has ed25519 keys set up for passwordless login. secretuser’s public key is also in authorized_keys.
On the Pi, I have the same keys in /home/pi/.ssh/ and I run this:
cat << 'EndOfText' > adminaccess.service
[Unit]
Description=Permit admin access from secretuser@example.com
After=network-online.target
Before=multi-user.target
DefaultDependencies=no
Wants=network-online.target

[Service]
# SSH connection runs as this user, and uses the private key stored in this user's home dir (~/.ssh/)
User=pi
# SSH connection with port forwarding: forwards port 22 on the client through port 23456 on the server
# and creates the reverse (-R2288) port, which must be unique on the server.
ExecStart=/usr/bin/ssh -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=3 \
    -o ExitOnForwardFailure=yes -N -T -R2288:localhost:22 -i ~/.ssh/ed25519 -p 23456 \
    secretuser@example.com
# Wait one minute before trying to restart the connection if it disconnects, and keep retrying.
RestartSec=60
Restart=always

[Install]
WantedBy=multi-user.target
EndOfText
chmod a+x adminaccess.service
sudo cp adminaccess.service /etc/systemd/system/adminaccess.service
sudo systemctl enable adminaccess.service
sudo systemctl start adminaccess.service
Once this is running, re-connections just happen if something drops. Back on the server, in a normal user’s home folder, I have the same set of ed25519 keys (as remote-ed25519) and this in .ssh/config:
Host Remote-Pi
    Hostname localhost
    Port 2288
    User pi
    ForwardX11 yes
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
    IdentityFile ~/.ssh/remote-ed25519
So, on the server, as a normal user:
ssh Remote-Pi
logs me in, I can run X utilities, get a desktop (using VNC), and scp/rsync files around.
Should be doable with any VPN, but I can recommend WireGuard. Install it on the server and the client and then SSH into the client once it is on location.
Now you should be able to access the local network at the client.
You need a world-accessible server. Install a VPN server on it. I use WireGuard, it’s very simple. WG on the RPI would need persistent keepalive enabled to keep that NAT hole open.
The way it works is that the RPI will connect to your server and establish a tunnel. Take care with the subnet - there are only 3 private ranges; if the RPI DHCP IP/mask overlaps with your pre-set VPN one, routing won’t work. After the VPN is on you can connect to your server, then to the RPI and then to the internal resource.
Whilst I would also probably go WireGuard (or equivalent) you could get hairy routing if the remote subnets are duplicated on some sites etc. Not insurmountable but worth bearing in mind. If you know what you’re doing you’ll be ok.
A slightly more leftfield option would be something like MeshCentral. An agent installed on a single device (or more) on each client subnet (could be a pi, could be an always-on desktop if one exists) connecting back to your server would let you hop on to any device on their subnet via the MeshCentralRouter. Effectively it’s just a port forwarding tool like an SSH tunnel etc. but more robust.
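The WireGuard hub-and-spoke layout the replies above describe (VPS as the only publicly reachable node, Pi dialling out with a keepalive so the NAT mapping stays open, the Pi routing its LAN, and the subnet-overlap caveat), as an added Python example that generates the three wg0.conf files and refuses overlapping subnets. It is not code from any poster or tutorial; the addresses, the endpoint and the <..._KEY> placeholders are constructed.

```python
import ipaddress

# Constructed sample addressing; an assumption, not taken from any post above.
VPN_NET = "10.8.0.0/24"
HUB = {"vpn_ip": "10.8.0.1", "endpoint": "vps.example.invalid:51820"}
HOME_PC = {"vpn_ip": "10.8.0.2", "lan": "192.168.1.0/24"}
CLIENT_PI = {"vpn_ip": "10.8.0.3", "lan": "192.168.10.0/24"}

def overlapping(*nets):
    """Pairs of subnets that overlap; any hit makes the route to the client LAN
    ambiguous, which is the failure mode the replies above warn about."""
    nets = [ipaddress.ip_network(n) for n in nets]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]

def render(interface, peers):
    """Serialise one wg0.conf from [Interface] and [Peer] key/value dicts."""
    out = ["[Interface]"] + [f"{k} = {v}" for k, v in interface.items()]
    for peer in peers:
        out += ["", "[Peer]"] + [f"{k} = {v}" for k, v in peer.items()]
    return "\n".join(out) + "\n"

def wg_configs(hub=HUB, pc=HOME_PC, pi=CLIENT_PI, keepalive=25):
    """Return {'hub', 'pi', 'pc'} -> wg0.conf text (key values are placeholders)."""
    clash = overlapping(VPN_NET, pc["lan"], pi["lan"])
    if clash:
        raise ValueError(f"overlapping subnets, routing would break: {clash}")
    # Both spokes dial out to the hub; the keepalive holds the NAT/CGNAT mapping open.
    to_hub = {"PublicKey": "<HUB_PUBLIC_KEY>", "Endpoint": hub["endpoint"],
              "PersistentKeepalive": keepalive}
    return {
        # VPS: only open port; routes the client LAN to the Pi via the Pi's AllowedIPs.
        "hub": render({"Address": f"{hub['vpn_ip']}/24",
                       "ListenPort": hub["endpoint"].rsplit(":", 1)[1],
                       "PrivateKey": "<HUB_PRIVATE_KEY>",
                       "PostUp": "sysctl -w net.ipv4.ip_forward=1"},
                      [{"PublicKey": "<PC_PUBLIC_KEY>", "AllowedIPs": f"{pc['vpn_ip']}/32"},
                       {"PublicKey": "<PI_PUBLIC_KEY>",
                        "AllowedIPs": f"{pi['vpn_ip']}/32, {pi['lan']}"}]),
        # Pi: forwards tunnel traffic onto eth0 and masquerades it, so client devices
        # see the Pi as the source and cannot initiate connections back (one-way).
        "pi": render({"Address": f"{pi['vpn_ip']}/32", "PrivateKey": "<PI_PRIVATE_KEY>",
                      "PostUp": "sysctl -w net.ipv4.ip_forward=1; "
                                "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE",
                      "PostDown": "iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE"},
                     [dict(to_hub, AllowedIPs=VPN_NET)]),
        # Windows PC: routes the VPN range and the client LAN through the hub.
        "pc": render({"Address": f"{pc['vpn_ip']}/32", "PrivateKey": "<PC_PRIVATE_KEY>"},
                     [dict(to_hub, AllowedIPs=f"{VPN_NET}, {pi['lan']}")]),
    }
```

The hub's AllowedIPs for the Pi peer is what makes the VPS route 192.168.10.0/24 into the Pi's tunnel; if a second client site reuses the same LAN range, overlapping() catches it before the configs are written.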
I didn’t see this mentioned, but why not set up a Win10 PC with remote access software installed on it? You connect unattended through the software, and then run any of your Windows-specific tools directly on that machine instead of from your PC across a VPN.
I already listed my SSH solution but you added more specific requirements in your edit.
I helped a friend that is a small business owner with 2 store locations set up OpenVPN about 8 years ago.
The main store ran the OpenVPN server and the other store connected to that.
After the initial OpenVPN setup this is the section of the manual on “Expanding the scope of the VPN to include additional machines on either the client or server subnet”
It basically turns the machine running the client or server VPN software into a router and lets any machine in the LAN of the client or server access any machine on the other side and not just the primary client / server machines.
In the last few years WireGuard has become popular and it looks like you can also do the same there but I haven’t done as much with it.
I did this recently installing PiVPN on a Pi in my house, that also runs PiHole. Now when I’m mobile all my DNS requests go through my PiHole, and my phone is now ‘always on’ my home network when I’m not home.
Doing it this way I can’t use my PC at home to directly connect (across the VPN) to devices on the client local network. Only the Raspberry Pi would be able to connect. I have tools for programming PLCs that are Windows-only so I can’t use the RPI to connect to them.