jimjamz
Posts: 38
Joined: Sun Feb 09, 2014 12:37 am

Remote Connections, VPNs and Proxies

Wed Feb 12, 2014 1:25 pm

Hello all,

In a couple of weeks I'm off to work in China and having been over there before, I know it's hard work trying to access certain websites which I regularly use.
I would like to leave one of my Raspberry Pis here, always on and connected by Ethernet to my router. I would somehow like to connect to it from China, and divert all my Internet traffic through it so my laptop in China thinks I am connected using my UK Internet connection, therefore bypassing the infamous Chinese firewall. How can I do it?

Would I be better connecting to it through a remote terminal or remote desktop, or setting up a VPN to connect to the router's network at home, or set it up as some kind of proxy server?

I'm a software engineer and not a network guy. I have some experience of remote desktopping and VPNing on Windows and such, but never on the Raspberry Pi, so I'm considering myself still a noob in this department.

I found this topic on the forum but it was only somewhat helpful:
http://www.raspberrypi.org/phpBB3/viewt ... 36&t=68682

Any recommendation of tools and guides would be most useful.

Cheers,

James

P.S: I didn't know if to post this topic here or in the Beginners section, but felt it might be more appropriate here for others to find it.

john564
Posts: 87
Joined: Tue Oct 30, 2012 7:05 am

Re: Remote Connections, VPNs and Proxies

Wed Feb 12, 2014 2:20 pm

Raspberry PI is perfect.

From China, where I'm now! SSH is the easiest.
There is nothing to setup on the PI, other than improving security.
As soon as you connect to it from China, the Chinese will start attacking it,
trying to break in... seriously.

The main work for you depends on your home broadband setup.
Static IP or dynamic IP?
If static, nothing to do.
If dynamic, need to set up no-ip or dyndns to keep track of changing IP.

Is there a router? Do you have admin password to do port forwarding?
If no router, nothing to do, except install firewall.
If router, need to set up port forwarding. Follow guide at http://portforward.com
If no admin password, then you need to use a service like hamachi or neorouter.

For some security tips and SSH
see
http://tryapi.wordpress.com/2013/07/09/ ... ssh-proxy/

jimjamz
Posts: 38
Joined: Sun Feb 09, 2014 12:37 am

Re: Remote Connections, VPNs and Proxies

Wed Feb 12, 2014 9:09 pm

Hi John,

Thanks for your reply.

- What is the best way to use SSH on the Raspberry Pi?
- How can I improve on the Pi's security in order to prevent the Chinese from attacking it?
- My ISP provides me with a dynamic IP so it will change every few days or so. I use a wireless router (but the Pi will be wired to it), I have the admin password and the router can do port forwarding.
- What kind of firewall are you referring to? A software-based one or a hardware firewall?

HiroProtagonist
Posts: 212
Joined: Sat Jun 29, 2013 9:45 am

Re: Remote Connections, VPNs and Proxies

Wed Feb 12, 2014 9:54 pm

jimjamz wrote: - What is the best way to use SSH on the Raspberry Pi?
Set up your router to forward a port of your choice [say 8822] to port 22 on the pi.
If your primary use will be web traffic, install a proxy on your pi. You could go all out & install squid, but something simple like tinyproxy will be simpler to set up. Configure the proxy to listen on a suitable port [say 8080].

ssh to your pi thus:

ssh -p 8822 -L 8080:127.0.0.1:8080 username@addr.of.your.pi

This will port forward port 8080, as well as logging you onto the pi. If you don't want to log on, but just want to port forward, use:

ssh -p 8822 -L 8080:127.0.0.1:8080 -N username@addr.of.your.pi

You should now be able to set your browser's proxy settings to use port 8080 at 127.0.0.1, which will tunnel to the proxy on your pi.

N.B. you should set up ssh so you can log in with a key rather than a password & disable password authentication - details here:
http://www.thegeekstuff.com/2008/11/3-s ... h-copy-id/

Obviously you need to get this working before you go to China...
jimjamz wrote:- My ISP provides me with a dynamic IP so it will change every few days or so. I use a wireless router (but the Pi will be wired to it), I have the admin password and the router can do port forwarding.
Does your router support dynamic dns? Quite a few do. If so go to http://dyn.com/dns/ & set up an account. This will let you have a domain address which tracks the IP address assigned by your ISP.

If your router doesn't provide dyndns support, you'll need a client which can run on your pi to keep the DNS address updated - have a look here: http://dyn.com/support/clients/
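
An added example, not part of the post above or of any linked guide: a shell check that an sshd_config really enforces the key-only login recommended here. The sample configs are constructed, and the function names `sshd_effective` and `audit_sshd` are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): check that sshd_config enforces
# key-only login. sshd keeps the FIRST value it reads for a keyword and
# matches keywords case-insensitively, so a later "no" cannot undo an
# earlier "yes". Match blocks are not evaluated here (global section only).

# Print the effective global value of keyword $1 in file $2 (empty if unset).
sshd_effective() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/        { next }           # comment line
                                { sub(/=/, " ") }  # "Keyword=value" form
        tolower($1) == "match"  { exit }           # stop before Match blocks
        tolower($1) == want     { print tolower($2); exit }
    ' "$2"
}

# Return 0 if the file enforces key-only login, 1 otherwise; findings on stdout.
audit_sshd() {
    rc=0
    pw=$(sshd_effective PasswordAuthentication "$1")
    pk=$(sshd_effective PubkeyAuthentication "$1")
    root=$(sshd_effective PermitRootLogin "$1")
    # An unset PasswordAuthentication falls back to the OpenSSH default: yes.
    if [ "$pw" != "no" ]; then
        echo "FAIL PasswordAuthentication=${pw:-unset (default yes)}"; rc=1
    fi
    if [ "$pk" = "no" ]; then
        echo "FAIL PubkeyAuthentication=no"; rc=1
    fi
    if [ "$root" = "yes" ]; then
        echo "FAIL PermitRootLogin=yes"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK key-only login enforced"
    return "$rc"
}

# Constructed sample configs (not taken from the thread).
weak=$(mktemp); hard=$(mktemp)
trap 'rm -f "$weak" "$hard"' EXIT
cat > "$weak" <<'EOF'
# Looks hardened at a glance, but the first value wins.
PasswordAuthentication yes
PermitRootLogin yes
passwordauthentication no
EOF
cat > "$hard" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication=no
PermitRootLogin no
EOF

for f in "$weak" "$hard"; do
    audit_sshd "$f" || true
done
```

Point it at a copy of the Pi's /etc/ssh/sshd_config before opening the router port; any Match blocks in that file still need reading by hand.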

jimjamz
Posts: 38
Joined: Sun Feb 09, 2014 12:37 am

Re: Remote Connections, VPNs and Proxies

Mon Feb 24, 2014 6:24 pm

Thank you very much guys!

I will try and attempt to set this up in my free time and I will post here to let you know how I went on.

All the best,

jimjamz
Posts: 38
Joined: Sun Feb 09, 2014 12:37 am

Re: Remote Connections, VPNs and Proxies

Sun Mar 16, 2014 11:25 am

HiroProtagonist wrote:Set up your router to forward a port of your choice [say 8822] to port 22 on the pi.
The one bit I struggle to follow is using a port (e.g. 8822) to access another port (22). Again, my knowledge of port forwarding is not amazing.

My router (Netgear DG834G) is only capable of basic port forwarding, if any at all.
For example, I can enable a service (e.g. SSH) on the router to use port 22 (already defaulting to SSH according to the router).
This service can then be allowed inbound through the router's firewall to ONLY one specific internal address on the router (e.g. the Raspberry Pi @ 192.168.0.3) so that when I remotely access the external IP (e.g. 86.100.1.2) with port 22, it redirects specifically to the specified router's internal address (e.g. 192.168.0.3) and not any other device on the router (e.g. my Windows Server @ 192.168.0.5).

Couldn't I just set up port forwarding to access port 22 directly, like this:
ssh -p 22 -L 8080:127.0.0.1:8080 username@addr.of.your.pi

However, does this also mean that I can't enable SSH and forwarding to port 22 for any other device on the router (e.g. my Windows Server @ 192.168.0.5) if I'm already using it to connect to Raspberry Pi @ 192.168.0.3? Because how will the Netgear router know which device to send the traffic to if I connect using the external IP and port 22?

HiroProtagonist
Posts: 212
Joined: Sat Jun 29, 2013 9:45 am

Re: Remote Connections, VPNs and Proxies

Mon Mar 17, 2014 12:17 am

jimjamz wrote: The one bit I struggle to follow is using a port (e.g. 8822) to access another port (22). Again, my knowledge of port forwarding is not amazing.

My router (Netgear DG834G) is only capable of basic port forwarding, if any at all.
For example, I can enable a service (e.g. SSH) on the router to use port 22 (already defaulting to SSH according to the router).
If your router will allow it, you should configure it to forward some other port to port 22. Leaving port 22 open will result in loads of 'bots trying to log in as 'root', which if nothing else will fill your logs with crap. Using a different port will reduce this noise dramatically.
jimjamz wrote: This service can then be allowed inbound through the router's firewall to ONLY one specific internal address on the router (e.g. the Raspberry Pi @ 192.168.0.3) so that when I remotely access the external IP (e.g. 86.100.1.2) with port 22, it redirects specifically to the specified router's internal address (e.g. 192.168.0.3) and not any other device on the router (e.g. my Windows Server @ 192.168.0.5).

Couldn't I just set up port forwarding to access port 22 directly, like this:
ssh -p 22 -L 8080:127.0.0.1:8080 username@addr.of.your.pi

However, does this also mean that I can't enable SSH and forwarding to port 22 for any other device on the router (e.g. my Windows Server @ 192.168.0.5) if I'm already using it to connect to Raspberry Pi @ 192.168.0.3? Because how will the Netgear router know which device to send the traffic to if I connect using the external IP and port 22?
Yes you could use port 22 directly [in which case you don't need to specify it], but avoid that if you can.

Your router can only forward a port to a single IP address, but ssh tunneling can direct you to whichever device you need inside your network.

The ssh -L flag args are 'local_port:remote_addr:remote_port' so 'ssh -L 8080:127.0.0.1:8080 username@addr.of.your.pi forwards traffic from your local port 8080 via the ssh tunnel, then at the other end sends it to '127.0.0.1:8080' which is port 8080 on your pi, but it could just as easily be '192.168.0.5:1234' as long as that is a valid address on your lan that is listening on port 1234.

HTH

HiroProtagonist
Posts: 212
Joined: Sat Jun 29, 2013 9:45 am

Re: Remote Connections, VPNs and Proxies

Mon Mar 17, 2014 12:23 am

I should also add that you can put multiple -L args on the ssh commandline if you want to forward to multiple addr/port combinations at once.

jimjamz
Posts: 38
Joined: Sun Feb 09, 2014 12:37 am

Re: Remote Connections, VPNs and Proxies

Sun Mar 23, 2014 11:52 pm

@HiroProtagonist - Thanks very much as that really clears a lot of things up!
HiroProtagonist wrote:If your router will allow it, you should configure it to forward some other port to port 22. Leaving port 22 open will result in loads of 'bots trying to log in as 'root', which if nothing else will fill your logs with crap. Using a different port will reduce this noise dramatically.
What is the term for this "forwarding of ports to other ports"? "Super port forwarding"? :D
If I know the term, maybe I can find out if my router is capable of it, although I doubt it will be able to as it's quite an old wireless router.

HiroProtagonist
Posts: 212
Joined: Sat Jun 29, 2013 9:45 am

Re: Remote Connections, VPNs and Proxies

Mon Mar 24, 2014 4:47 am

jimjamz wrote:What is the term for this "forwarding of ports to other ports"? "Super port forwarding"? :D
If I know the term, maybe I can find out if my router is capable of it, although I doubt it will be able to as it's quite an old wireless router.
I'm not aware of a term for this, but it should be quite easy to see if your router allows you to specify an external and internal port when configuring port forwarding. If you only get to specify a single port, then you don't have the option.


johndough
Posts: 254
Joined: Sun Jan 13, 2013 2:00 pm

Re: Remote Connections, VPNs and Proxies

Mon Mar 24, 2014 10:21 am

Hi

Perhaps you mean

NAT & PAT

Network Address Translation
Port Address Translation

for assigning internet packets.

HiroProtagonist
Posts: 212
Joined: Sat Jun 29, 2013 9:45 am

Re: Remote Connections, VPNs and Proxies

Tue Mar 25, 2014 12:33 am

In those instructions you can see that the Linksys and DD-WRT support "from" and "to" port numbering, but the others don't.

HiroProtagonist
Posts: 212
Joined: Sat Jun 29, 2013 9:45 am

Re: Remote Connections, VPNs and Proxies

Tue Mar 25, 2014 12:35 am

johndough wrote:Perhaps you mean

NAT & PAT

Network Address Translation
Port Address Translation

for assigning internet packets.
No, we are simply talking about port forwarding here.

jimjamz
Posts: 38
Joined: Sun Feb 09, 2014 12:37 am

Re: Remote Connections, VPNs and Proxies

Tue Jun 03, 2014 10:55 am

Hello all,

I've set up my Pi by remote. I am successfully SSHing to it via PuTTY.
Now I want to re-direct all my local web traffic through the remote Pi. I've just installed tinyproxy. What do I do next and how can I use tinyproxy through PuTTY?

john564
Posts: 87
Joined: Tue Oct 30, 2012 7:05 am

Re: Remote Connections, VPNs and Proxies

Tue Jun 03, 2014 4:41 pm

jimjamz wrote:Hello all,

I've set up my Pi by remote. I am successfully SSHing to it via PuTTY.
Now I want to re-direct all my local web traffic through the remote Pi. I've just installed tinyproxy. What do I do next and how can I use tinyproxy through PuTTY?
setting up firefox on PC, this guy shows how to do it with nice pictures
http://diddy.boot-land.net/ssh/files/browser.htm

using firefox on android phone,
http://www.devineloper.com/wp-content/u ... tions1.png
http://www.devineloper.com/wp-content/u ... tions2.png

p.s. also worth a try, myentunnel, imho better for this job than putty,
# https://billing.julyrush.com/downloads/myentunnel.zip
# http://nemesis2.qx.net/pages/MyEnTunnel
# http://nemesis2.qx.net/rdownload.php?fi ... tunnel.exe

jimjamz
Posts: 38
Joined: Sun Feb 09, 2014 12:37 am

Re: Remote Connections, VPNs and Proxies

Thu Jun 05, 2014 5:46 am

john564 wrote: setting up firefox on PC, this guy shows how to do it with nice pictures
http://diddy.boot-land.net/ssh/files/browser.htm

using firefox on android phone,
http://www.devineloper.com/wp-content/u ... tions1.png
http://www.devineloper.com/wp-content/u ... tions2.png
@john564,
Yes, I already know about the proxy settings required for the browser or any other app and have already set this up, but it's good that you posted it here just in case someone else would like to follow this thread for the whole process. Thanks for that.

Q: I just want to say that, because my router cannot internally forward ports to another port, I was rather sceptical about using such a well-known port like 22 as it would just get bombarded. Instead, I closed port 22 and opened up Port 8822 on my router. So PuTTY now connects to my remote Pi using 8822. I am assuming that this will be safer???

I installed tinyproxy by doing the following:

apt-get update
apt-get install tinyproxy

I then made just two simple changes to tinyproxy by editing /etc/tinyproxy.conf:

Port 8888
Listen 127.0.0.1

And restarted tinyproxy:

/etc/init.d/tinyproxy restart

I got the proxy settings working just by loading my saved PuTTY session then going to Connection -> SSH -> Tunnels. In the Tunnels settings, I set my local outbound port (under Source Port) to 8888 and my remote Raspberry Pi's local loopback IP and incoming port (Destination) to 127.0.0.1:8888. The options below I left selected as Local and Auto.
I then opened the SSH connection (with certificate key) and logged onto the Pi. I tried Facebook and YouTube (from China) as a test and it works!

To keep things simple and straight-forward, I used the same port number (8888) as the local outgoing and remote incoming. Now, my next question is, is it in any way less safe to use the same local outgoing port number as the remote incoming? In the earlier examples, there were some suggestions to have a local outgoing port of 8080 such as this example:

ssh -p 8822 -L 8080:127.0.0.1:8080 -N username@addr.of.your.pi

If I used a different outgoing port to that of the remote incoming, for example:

ssh -p 8822 -L 8080:127.0.0.1:8888 -N username@addr.of.your.pi

Q: Would this have any impact on making the connection more secure to unauthorised users???

@john564 - Thanks. I might give that a whirl if I have any problems with tinyproxy. I'll be sure to look into it to see if it's more efficient.

For more info on how to set up tinyproxy, visit http://www.the-hawkes.de/a-web-proxy-wi ... unnel.html. It helped me to set it up.
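
An added example, not part of the post above: a shell check that a tinyproxy.conf binds only to loopback, so the proxy is reachable solely through the SSH tunnel and its port never needs opening on the router, followed by the matching `ssh -L` command with a local port that differs from the remote one. The sample configs are constructed, and `proxy_binding`, `proxy_port` and `tunnel_cmd` are this example's own names.

```shell
#!/bin/sh
# Added example (not from the thread): confirm tinyproxy is loopback-only,
# then derive the ssh -L tunnel for it.

# Echo "loopback" if every Listen address is a loopback address, else
# "exposed". With no Listen directive tinyproxy binds every interface.
proxy_binding() {
    addrs=$(awk 'tolower($1) == "listen" { print $2 }' "$1")
    [ -n "$addrs" ] || { echo exposed; return; }
    for a in $addrs; do
        case "$a" in
            127.*|::1) ;;                # loopback, keep checking
            *) echo exposed; return ;;   # LAN or wildcard address
        esac
    done
    echo loopback
}

# Echo the last Port value set in the config file $1.
proxy_port() {
    awk 'tolower($1) == "port" { p = $2 } END { print p }' "$1"
}

# Build the tunnel command: $1=conf  $2=local port  $3=ssh port  $4=user@host
# The local port is arbitrary; only the remote side must match tinyproxy.
tunnel_cmd() {
    if [ "$(proxy_binding "$1")" != loopback ]; then
        echo "refusing: proxy is reachable without the tunnel" >&2
        return 1
    fi
    echo "ssh -p $3 -L $2:127.0.0.1:$(proxy_port "$1") -N $4"
}

# Constructed sample configs (the first mirrors the two changes in the post).
good=$(mktemp); open=$(mktemp)
trap 'rm -f "$good" "$open"' EXIT
cat > "$good" <<'EOF'
Port 8888
Listen 127.0.0.1
EOF
cat > "$open" <<'EOF'
Port 8888
#Listen 192.168.0.1
EOF

tunnel_cmd "$good" 8080 8822 username@addr.of.your.pi
tunnel_cmd "$open" 8080 8822 username@addr.of.your.pi || true
```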

HiroProtagonist
Posts: 212
Joined: Sat Jun 29, 2013 9:45 am

Re: Remote Connections, VPNs and Proxies

Thu Jun 05, 2014 11:28 pm

jimjamz wrote: I got the proxy settings working just by loading my saved PuTTY session then going to Connection -> SSH -> Tunnels. In the Tunnels settings, I set my local outbound port (under Source Port) to 8888 and my remote Raspberry Pi's local loopback IP and incoming port (Destination) to 127.0.0.1:8888. The options below I left selected as Local and Auto.
I then opened the SSH connection (with certificate key) and logged onto the Pi. I tried Facebook and YouTube (from China) as a test and it works!

To keep things simple and straight-forward, I used the same port number (8888) as the local outgoing and remote incoming. Now, my next question is, is it in any way less safe to use the same local outgoing port number as the remote incoming? In the earlier examples, there were some suggestions to have a local outgoing port of 8080 such as this example:

ssh -p 8822 -L 8080:127.0.0.1:8080 -N username@addr.of.your.pi

If I used a different outgoing port to that of the remote incoming, for example:

ssh -p 8822 -L 8080:127.0.0.1:8888 -N username@addr.of.your.pi

Q: Would this have any impact on making the connection more secure to unauthorised users???
Great to hear that you got it working.

Changing the mapping of local/remote ports shouldn't make any difference to security. The only issue I can think of would be if you were forwarding a port on your PC that was open to outside users - e.g. if your PC was set up to allow users on your network to access port 8080, using that port to access your proxy might not be what you want. As long as you don't have anything like that set up, the choice of port to forward is up to you [as long as you don't clash with anything else].

jimjamz
Posts: 38
Joined: Sun Feb 09, 2014 12:37 am

Re: Remote Connections, VPNs and Proxies

Sat Jun 07, 2014 7:44 am

HiroProtagonist wrote:The only issue I can think of would be if you were forwarding a port on your PC that was open to outside users - e.g. if your PC was set up to allow users on your network to access port 8080, using that port to access your proxy might not be what you want. As long as you don't have anything like that set up, the choice of port to forward is up to you [as long as you don't clash with anything else].

I'm not sure I quite understand you. I have to forward a port that is open to outside users (e.g. me) because I'm accessing my Pi by remote from an external network (and for that matter, another country).
Are you referring to the function of forwarding to one port on the router and the router re-directing to another? I have no choice but to use an open port like 8888 because my router is not capable of forwarding from one port and re-directing to another (e.g. Linksys) as I discussed above.
In my case, my traffic goes to port 8888 because that is the port I've chosen on my Raspberry Pi that is listening for any of my incoming web traffic to forward on. I cannot set up my router to re-direct everything from 8888 to, for example, 8000. I know this is a nice feature to have on some of the Linksys routers but I don't have it.

Steven Boelens
Posts: 55
Joined: Sat Sep 08, 2012 12:16 pm

Re: Remote Connections, VPNs and Proxies

Sat Jun 07, 2014 1:03 pm

Maybe I am misreading this as I am not a network guru but I would also like to have encryption for my http traffic on the link between China and the RPi. I haven't seen that in the postings so far?

The SSH link does encrypt the communication but the standard proxy doesn't. So the Chinese can still observe your http traffic and block it if you visit "illegal" sites.

Shouldn't you also have a VPN tunnel for encryption?
Or do you not need encryption of the traffic between China and the UK?

jimjamz
Posts: 38
Joined: Sun Feb 09, 2014 12:37 am

Re: Remote Connections, VPNs and Proxies

Thu Jun 26, 2014 7:12 am

Steven Boelens wrote: The SSH link does encrypt the communication but the standard proxy doesn't. So the Chinese can still observe your http traffic and block it if you visit "illegal" sites.
Not being a network guru myself either, I wouldn't know if the HTTP traffic being carried by the SSH connection AND tinyproxy is being encrypted or not. Admittedly, it's not my primary concern (which is to just make sure I can access the content I need to in the first place). However, it would be nice to know in case further steps are requested to ensure encryption.
My assumption is that it is encrypted because the HTTP traffic is still being carried across an SSH connection (whether it's 1, 2 or 3-factor authenticated).
Maybe @HiroProtagonist or someone else in the know can shed light on what's really encrypted for this type of configuration.
Shouldn't you also have a VPN tunnel for encryption?
Or do you not need encryption of the traffic between China and the UK?
A VPN wrapped around an SSH connection? Not sure if it's possible, and secondly, why? If you can set up an SSTP VPN then you really don't need an SSH connection as its purpose would be defeated.

DougieLawson
Posts: 36312
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: Remote Connections, VPNs and Proxies

Thu Jun 26, 2014 7:39 am

OpenVPN runs the traffic in an encrypted tunnel.
SSH uses encryption no matter what the secure shell is being used for.

You would not want to tunnel SSH traffic in an OpenVPN tunnel if you can avoid it. In the same way you would not want to run OpenVPN traffic in a SSH tunnel. Because with both of those there's double encryption. Encryption costs CPU on both ends. Double encryption costs double.

Pick one or the other.

The way I'd do it is with an OpenVPN server running at home and an OpenVPN client on the system in China.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

jimjamz
Posts: 38
Joined: Sun Feb 09, 2014 12:37 am

Re: Remote Connections, VPNs and Proxies

Wed Aug 20, 2014 9:45 am

I do have one question about the SSH proxy I have set up on my RPi using PuTTY and tinyproxy.

Q: Is the connection only set up for traffic over the HTTP protocol? Or is it possible to use SOCKS v5?

I ask this because I tried to use the SOCKS protocol instead of the HTTP protocol when using my Firefox browser and it doesn't work.

I have some programs that can use a proxy connection but only over SOCKS and not HTTP. Will it work for this setup?

Does tinyproxy support SOCKS?

jimjamz
Posts: 38
Joined: Sun Feb 09, 2014 12:37 am

Re: Remote Connections, VPNs and Proxies

Wed Oct 29, 2014 11:49 am

How can I SSH to my Pi using MacOSX? My SSH is using a public/private key configuration so running in MacOSX's terminal:
ssh -p 8822 -L 8888:127.0.0.1:8000 user@address.com
results in:
Permission denied (publickey).
What's the easiest way to generate a key on MacOSX to add to the authorized_keys list on the Pi? Once I have it, how do I point MacOSX's terminal to my newly generated public/private keys?

Lawrence10
Posts: 1
Joined: Fri Jan 02, 2015 4:18 am

Re: Remote Connections, VPNs and Proxies

Fri Jan 02, 2015 5:40 am

:D :D
