Remotely accessing your Pi - Roll your own!

Unsurprisingly there are many solutions to this particular cat; is the client Windows or Linux, do you have an internet connection with a public-facing IP address, do you want to roll your own or use / purchase a third party solution, what on the Pi do you want to access; all these questions and scenarios have different solutions. This “guide” is mostly geared towards packet operators with limited network / Linux / Pi experience running LinBPQ on a headless Pi, so let's get into it!

IP addresses, ports, and the internet

To set up remote access without using a third party provider, save of course whichever ISPs you have chosen, you will need what is known as a globally routable IP, or Public IP. This is a unique address on the internet which your ISP provides to you, and from this address you connect out, or indeed people connect in. There are two address spaces, IPv4 (which look like 173.194.203.102) and IPv6 (which look like 2607:f8b0:400e:c05::8a); this guide is going to stick to IPv4 addresses for the sake of familiarity and ubiquity. To find out your public IP address (maybe, caveat below!) you can visit a website such as https://whatismyipaddress.com/.

The IP address of your computer on your home network will almost certainly not be a public IPv4 address because you are using a Router. One of the jobs of this Router is to translate your internal addresses (most often in the range 192.168.x.x) to the single external address (e.g. 173.194.203.102) such that many computers can share a single internet connection. This is referred to as NAT, Network Address Translation. In order for you to access a service inside your home network from the outside world your router must be configured to pass that traffic from the outside to the inside; this is referred to as Port Forwarding, or NAPT, Network Address Port Translation.

All network-able software running on a Host also uses a Port in conjunction with this IP address, ranging from 0 to 65535. There are also a number of protocols (for example TCP and UDP) which a service may use; this unique combination of IP address, protocol and port is referred to as a Socket. Any application running on a Host will have a unique Socket, and for a Client to connect to that Host it needs to know what Socket to connect to.

Thus, in order to access your Pi from the outside world you have to tell your Router to pass traffic from an external Socket to an internal Socket, i.e. set up Port Forwarding. The exact process for doing this on your home router will change from model to model, but is usually pretty easy after a little googling.

CGNAT (a necessary evil)

Increasingly, 4G providers and many domestic ISPs are using NAT internally within their infrastructure to share the limited number of IPv4 addresses available on the internet with their customers, much like what your home router is doing to share your single IP with all the computers in your home network. This is referred to as Carrier Grade NAT, CGNAT. To determine if your ISP is using CGNAT use a service such as https://whatismyipaddress.com/ and compare this address to the address your internet router is reporting as your Public IP, or WAN address, depending on the terminology.

If your ISP is using CGNAT your Public IP will not be a Globally Routable IP, and if both your home connection and remote connection are using CGNAT you will be unable to roll your own access, and must use a third party provider.
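The comparison described above can be scripted. This is an added example, not part of the original guide: the function names are made up here, and it also checks the router's WAN address against the RFC 6598 shared range (100.64.0.0/10) that carriers commonly use for CGNAT, which an ordinary "is it 192.168.x.x?" check misses.

```python
import ipaddress

CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
PRIVATE_SPACE = [ipaddress.ip_network(n)             # RFC 1918 home/office ranges
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr):
    """Return 'cgnat', 'private', 'public' or 'special' for an IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT_SPACE:
        return "cgnat"
    if any(ip in net for net in PRIVATE_SPACE):
        return "private"
    return "public" if ip.is_global else "special"

def diagnose(router_wan, seen_by_website):
    """router_wan: WAN address shown on the router's status page.
    seen_by_website: address reported by a what-is-my-IP website."""
    kind = classify(router_wan)
    if kind == "cgnat":
        return "CGNAT: router WAN address is inside 100.64.0.0/10"
    if kind == "private":
        return "double NAT: router sits behind another NAT device"
    if kind == "special":
        return "unusable: WAN address is in a reserved range"
    if ipaddress.ip_address(router_wan) != ipaddress.ip_address(seen_by_website):
        return "CGNAT likely: the website sees a different address than the router"
    return "globally routable: port forwarding can work"

if __name__ == "__main__":
    # Constructed inputs: 173.194.203.102 is the sample address used in this guide.
    print(diagnose("100.72.3.9", "173.194.203.102"))
    print(diagnose("173.194.203.102", "173.194.203.102"))
```
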

ISPs known to use CGNAT:

  • All 4G / 6G providers
  • Toob

ISPs known to distribute globally routable IPs:

  • Most UK ADSL / VDSL providers
  • Toob, if you pay 'em
  • Virgin
  • Three 4G / 5G connections using the 3internet APN

Dynamic IPs and dynamic DNS

If you're provided with a globally routable IP address most ISPs will hand out a dynamic address. This is subject to change periodically, or when you disconnect / reconnect. If you've got a service running on your home network and a port forward set up to access it then this constantly moving IP address will require some sort of translation; and in any case remembering IP addresses is hard and remembering words is easy, so it's a good idea regardless to set up some sort of dynamic DNS.

When you set up dynamic DNS a program will run on your Pi, usually every few minutes or so, which grabs your Public IP and sends it to the Dynamic DNS provider. Thus when your Public IP changes there will be, at most, a few minutes of outage before the Dynamic DNS provider is made aware of the new address.

Probably the best service is DuckDNS, here's how you set it up on a Pi

Remote access tools

By far and away the most secure, flexible and modern way of doing this is using wireguard. Wireguard creates a tunnel between two points, perhaps your Pi and your favourite home PC, and from there you can just use the IP address of the Pi's end of the tunnel to access anything you'd normally do over the network, just as if it was plugged in at home. Wireguard can do much more, but that's outside the scope of these ramblings.

SSH

< To do > Public / Private keys SOCKS proxying; browser / telnet

Wireguard

(Further expansion needed! Is this the easiest? It's not the “cleanest” but it does work… are full manual setup instructions a good idea?)

Setting up Wireguard is a little complex, but most of the work has been taken out of it by the superb PiVPN Project, https://pimylifeup.com/raspberry-pi-wireguard/.

Assuming your Pi is on an internet connection with a globally routable IP and you've set up dynamic DNS and port forwarding, this will work.

Take a look at the file you created in, for example, /home/pi/configs/myvpn.conf:

[Interface]
ListenPort = 51820
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Address = 172.16.23.58/32
 
[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
AllowedIPs = 0.0.0.0/0
Endpoint = x.x.x.x:58120
PresharedKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=

Make a note of the “Address” line under [Interface] - this will be the IP address you use to connect to your Pi.
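Before importing the file on another machine it is worth checking three things in it: that the file holding the PrivateKey is not readable by other users, whether AllowedIPs sends all of the client's traffic through the Pi, and that the Endpoint port is the one you actually forwarded on the router. The following is an added example, not PiVPN's or the guide's own code; parse_wg, audit, forwarded_port and file_mode are names assumed for illustration, and the sample text is a constructed copy of the config above with placeholder keys.

```python
import ipaddress

# Constructed sample mirroring the config shown above; keys are placeholders.
SAMPLE = """\
[Interface]
ListenPort = 51820
PrivateKey = <placeholder>
Address = 172.16.23.58/32

[Peer]
PublicKey = <placeholder>
AllowedIPs = 0.0.0.0/0
Endpoint = x.x.x.x:58120
PresharedKey = <placeholder>
"""

def parse_wg(text):
    """Return [(section, {key: value})]; repeated [Peer] sections are kept."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)        # split once: base64 keys end in '='
            sections[-1][1][key.strip()] = value.strip()
    return sections

def audit(text, forwarded_port, file_mode=0o600):
    """forwarded_port: UDP port forwarded on the router (assumed input).
    file_mode: permission bits of the config file, e.g. os.stat(path).st_mode."""
    findings = []
    if file_mode & 0o077:
        findings.append("config holds PrivateKey but is readable by group/others")
    for name, kv in parse_wg(text):
        if name != "Peer":
            continue
        for cidr in kv.get("AllowedIPs", "").split(","):
            cidr = cidr.strip()
            if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append("full tunnel: all traffic is routed via this peer")
        port = kv.get("Endpoint", "").rpartition(":")[2]
        if port.isdigit() and int(port) != forwarded_port:
            findings.append(f"Endpoint port {port} != forwarded port {forwarded_port}")
    return findings
```

If you only need to reach the Pi, narrowing AllowedIPs to the tunnel's own subnet keeps the rest of the client's traffic off your home connection.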

To set up the other end of the wireguard tunnel on Windows, install the client and import the file which PiVPN created in the previous step.

To set up the other end of the wireguard tunnel on (most) Linux Distributions (which use NetworkManager) follow this guide to import the file which PiVPN created in the previous step.

Now you can, for example, telnet into your linbpq node:

 telnet 172.16.23.58 8010 

or view the LinBPQ web server

 http://172.16.23.58:8008 

or SSH into your Pi

 ssh [email protected] 

Remotely accessing your Pi - Third party solutions

To do!

  • Tailscale - wireguard made super easy
  • Anydesk - remote desktop made easy
  • Rustdesk - remote desktop made easy and open source
pi/remote_access.txt · Last modified: 2025/04/14 22:08 by m0mzf