Differences

This shows you the differences between two versions of the page.

--- pi:remote_access [2025/04/14 20:50] – m0mzf
+++ pi:remote_access [2025/04/14 22:08] (current) – [Remotely accessing your Pi - Roll your own!] m0mzf
@@ Line 1: / Line 1: @@
-======= Remote accessing your Pi =======
+======= Remotely accessing your Pi - Roll your own!=======
-Unsurprisingly there are many solutions to this particular cat; is the client Windows or Linux, do you have an internet connection with a public-facing IP address, do you want to roll your own or use / purchase a commercial solution, what on the Pi do you want to access; all these questions and scenarios have different solutions. This guide is mostly geared towards packet operators running LinBPQ on a headless Pi, so let's get into it!
+Unsurprisingly there are many solutions to this particular cat; is the client Windows or Linux, do you have an internet connection with a public-facing IP address, do you want to roll your own or use / purchase a third party solution, what on the Pi do you want to access; all these questions and scenarios have different solutions. This "guide" is mostly geared towards packet operators with limited network / Linux / Pi experience running LinBPQ on a headless Pi, so let's get into it!
-=====Roll your own=====
+=====IP addresses, ports, and the internet=====
-====IP addresses, ports, CGNAT and the internet====
-To set up remote access without using a third party provider, save of course whichever ISPs you have chosen, you will need what is known as a globally routable IP. This is a unique address on the internet which your ISP provides to you, and from this address you connect out, or indeed people connect in. There are two address spaces, IPv4 (which look like 173.194.203.102) and IPv6 (which look like 2607:f8b0:400e:c05::8a); this guide is going to stick to IPv4 addresses for the sake of familiarity and ubiquity. To find out your public IP address (maybe, caveat below!) you can visit a website such as [[https://whatismyipaddress.com/]].
+To set up remote access without using a third party provider, save of course whichever ISPs you have chosen, you will need what is known as a //globally routable IP//, or //Public IP// This is a unique address on the internet which your ISP provides to you, and from this address you connect out, or indeed people connect in. There are two address spaces, IPv4 (which look like 173.194.203.102) and IPv6 (which look like 2607:f8b0:400e:c05::8a); this guide is going to stick to IPv4 addresses for the sake of familiarity and ubiquity. To find out your public IP address (maybe, caveat below!) you can visit a website such as [[https://whatismyipaddress.com/]].
-The IP address of your computer on your home network will almost certainly not be the a public IPv4 address because you are using a router. One of the jobs of this router is to translate your internal addresses (most often in the range 192.168.x.x) to the single external address (e.g. 173.194.203.102) such that many computers can share a single internet connection. This is referred to as //NAT, Network Address Translation//. In order for you access a service inside your home network from the outside world your router must be configured to pass that traffic from the outside to the inside; this is referred to as //Port Forwarding, or NAPT, Network Address Port Translation//.
+The IP address of your computer on your home network will almost certainly not be the a public IPv4 address because you are using a //Router//. One of the jobs of this //Router// is to translate your internal addresses (most often in the range 192.168.x.x) to the single external address (e.g. 173.194.203.102) such that many computers can share a single internet connection. This is referred to as //NAT, Network Address Translation//. In order for you access a service inside your home network from the outside world your router must be configured to pass that traffic from the outside to the inside; this is referred to as //Port Forwarding, or NAPT, Network Address Port Translation//.
-All software running on a //Host// using IP also uses a //Port// in conjunction with this IP address, ranging from 0 to 65535. There are also a number of protocols (for example TCP and UDP) which a service may use; this unique combination of IP address, protocol and port is referred to as a //Socket//. Any application running on a //Host// will have a unique //Socket//, and for a //Client// to connect to that //Host// it needs to know what //Socket// to connect to.
+All network-able software running on a //Host// also uses a //Port// in conjunction with this IP address, ranging from 0 to 65535. There are also a number of protocols (for example TCP and UDP) which a service may use; this unique combination of IP address, protocol and port is referred to as a //Socket//. Any application running on a //Host// will have a unique //Socket//, and for a //Client// to connect to that //Host// it needs to know what //Socket// to connect to.
-Increasingly, 4G providers and many domestic ISPs are using NAT internally
+Thus, in order to access your Pi from the outside world you have to tell your //Router// to pass traffic from an external //Socket// to an internal //Socket//, i.e. set up //Port Forwarding//. The exact process for doing this on your home router will change from model to model, but is usually pretty easy after a little googling.
-====Dynamic DNS====
+====CGNAT (a neccessary evil)====
-DuckDNS
+Increasingly, 4G providers and many domestic ISPs are using NAT internally within their infrastructure to share the limited number of IPv4 addresses available on the internet with their customers, much like what your home router is doing to share your single IP with all the computers in your home network. This is referred to as //Carrier Grade NAT, CGNAT//. To determine if your ISP is using GCNAT use a service such as [[https://whatismyipaddress.com/]] and compare this address to the address your internet router is reporting as your //Public IP//, or //WAN address//, depending on the terminology.
-No-IP
+**If your ISP is usig CGNAT your Public IP will not be a //Globally Routable IP//, and  if both your home connection and remote connection are using CGNAT you will be unable to roll your own access, and must use a third party provider.**
+ISPs known to use CGNAT:
+  * All 4G / 6G providers
+  * Toob
+  * ...
+ISPs known to distribute globally routable IPs:\\
+  * Most UK ADSL / VDSL providers
+  * Toob, if you pay 'em
+  * Virgin
+  * Three 4G / 5G connections using the 3internet APN
+  * ...
+====Dynamic IPs and dynamic DNS====
+If you're provided with a globally routable IP address most ISPs will hand out a dynamic address. This is subject to change periodically, or when you disconnect / reconnect. If you've got a service running on your home network and a port forward set up to access it then this constantly moving IP address will require some sort of translation; and in any case remembering IP addresses is hard and remembering words is easy, so it's a good idea regardless to set up some sort of dynamic DNS.
+When you set up dynamic DNS a program will run on your Pi, usually every few minutes or so, which grabs your Public IP and sends it to the Dynamic DNS provider. Thus when your Public IP changes there will be, at most, a few minutes of outage before the Dynamic DNS provider is made aware of the new address.
+Probably the best service is [[https://www.duckdns.org/|DuckDNS]], here's how you [[https://pimylifeup.com/raspberry-pi-duck-dns/|set it up on a Pi]]
+=====Remote access tools=====
+By far and away the most secure, flexible and modern way of doing this is using wireguard. Wireguard creates a tunnel between two points, perhaps your Pi and your favourite home PC, and from there you can just use the IP address of the Pi's end of the tunnel to access anything you'd normally do over the network, just as if it was plugged in at home. Wireguard can do much more, but that's outside the scope of these ramblings.
 ====SSH====
+< To do >
 Public / Private keys
 SOCKS proxying; browser / telnet
 ====Wireguard====
-Setup
+(Further expansion needed! Is this the easiest? It's not the "cleanest" but it does work... are full manual setup instructions a good idea?)
-Usage examples
+Setting up Wireguard is a little complex, but most of the work has been taken out of it by the superb [[https://www.pivpn.io/|PiVPN Project]], [[here's how you set it up|https://pimylifeup.com/raspberry-pi-wireguard/]].
+Assuming your Pi is on an internet connection with a globally routable IP and you've set up dynamic DNS and port forwarding, this will work.
+Take a look at the file you created in, for example, /home/pi/configs/myvpn.conf:
+<code>
+[Interface]
+ListenPort = 51820
+PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
+Address = 172.16.23.58/32
+[Peer]
+PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
+AllowedIPs = 0.0.0.0/0
+Endpoint = x.x.x.x:58120
+PresharedKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
+</code>
+Make a note of the "Address" line under [Interface] - this will be the IP address you use to connect to your Pi.
+To set up the other end of the wireguard tunnel on Windows [[https://www.wireguard.com/install/|Install the client]] and import the file which PiVPN created in the previous step.
+To set up the other end of the wireguard tunnel on (most) Linux Distributions (which use NetworkManager) [[https://forum.manjaro.org/t/howto-configure-wireguard-via-the-networkmanager-gui-advanced-network-manager/138040|follow this guide]] to import the file which PiVPN created in the previous step.
+Now you can, for example telnet into your linbpq node:
+<code> telnet 172.16.23.58 8010 </code>
+or view the LinBPQ web server
+<code> http://172.16.23.58:8008 </code>
+or SSH into your Pi
+<code> ssh [email protected] </code>
-=====Commercial solutions=====
+=======Remotely accessing your Pi - Third party solutions=======
 To do!
-  * Tailscale
+  * Tailscale - wireguard made super easy
-  * Anydesk
+  * Anydesk - remote desktop made easy
-  * Rustdesk
+  * Rustdesk - remote desktop made easy and open source