TransWikia.com

Is it possible to configure a reverse VPN tunnel?

Server Fault Asked by Nikita240 on February 3, 2021

Basically, my goal is to have a 100% portable and independent server. I’m building it using a Raspberry Pi powered by solar panels and batteries, and it is to be connected to the internet using a 4g hotspot. It only needs to have 2 functions, an SSH service, and a VPN service.

Here is my problem.

I initially started this project thinking that my biggest issue will be IP roaming. I set myself up a Dynamic DNS domain and wrote a cron that updated it every 60 seconds. I then port forwarded my hotspot to the Pi (the hotspot is basically a router, and the pi has a wifi dongle).

However, I was unable to connect to the hotspot router using it’s public IP. It is then that I realized that all 4G LTE devices receive IP’s on a subnet to a much larger NAT. This is apparently a new practice with 4G. 3G devices used to receive a reachable public IP.

Basically I need a way to reach a VPN server that doesn’t have a unique IP.

Is it possible for a VPN server to establish connections with clients, kinda like a reverse SSH tunnel?

Like it could either continuously poll a set of IP addresses (or a dynamic DNS domain) until one of them accepts a connection, or maybe poll another server that would contain a list of IP’s currently “wanting” a connection (and those IP’s would essentially poll that server to ask for a VPN connection).

I know it’s retarded and breaks the client server model, but I’m kind of desperate here. Is it possible?

4 Answers

Here are a couple of techniques, which I used a lot for similar tasks.

  1. you can use jump server for forwarding traffic between your raspberry PI and you (your ssh client), however, you should somehow manage to connect (using reverse ssh) your raspberry to the jump server. This can be achieved via cron jobs or using PubSub messaging (Amazon IoT, PubNub, etc.) to send the message to raspberry for connecting to the intermediate server. However, you should manage a connection properly to not left holes for attacking.

  2. You can use one of the free tunneling providers such as https://tunnelin.com or https://www.dataplicity.com/ or another one.

From my experience Tunnel In provides true tunneling and can wrap all kinds of TCP traffic (SSH, VNC, HTTP, etc.) in their tunnels. It even provides a cloud-based firewall to control who and when can use the tunnel. While Dataplicity uses sockets to transfer data which limits it to support key-based authentication for ssh or support other protocols.

Answered by Albert on February 3, 2021

I also experienced some issues connecting to my Raspberry Pi while connected to open hot spot (in my case it was Optimum WiFi) (SSH into my Raspberry Pi 2@Optimum WiFi - Raspberry Pi Stack Exchange).

So, I'd like to share my way of getting into my Raspberry Pi 2 using this ssh reverse tunnel:

pi@raspberrypi ~ $ crontab -l | tail -1
@hourly     ssh -S alexus -O check XXX > /dev/null 2>&1 ; if [ $? != 0 ] ; then ssh -M -S alexus -fN -R2222:localhost:22 -p 443 XXX ; fi
pi@raspberrypi ~ $ 

this solution requires yet another host up and running, through which you can ssh in to your raspberry. even if this solution won't work for you it might work for others)

in near future, i'm plan to explore openvpn option as well.

Answered by alexus on February 3, 2021

Nikita, you actually have a couple of options. I have setup RPs this way on dedicated power but with only a mifi card on a board.

The simplest solution is to contact your ISP and request a public or static NAT IP address. Most wireless providers will do this but they may charge you for it. Verizon has a $500 charge per account but then you can setup as many public IPs on devices on your account as you want. I don't know if or how much other providers would charge.

Another option is to setup a poor man's VPN with reverse SSH. This allows the Pi to create the connection to a server where you can traverse the SSH connection back to the device. See this article for instructions http://www.thegeekstuff.com/2013/11/reverse-ssh-tunnel/

There are many remote administration clients as well that would work just keep in mind that without a public IP not a private NAT'd IP you will have to make the Pi establish the connection. Luckily this is how most clients operate on home networks so there are many solutions.

Answered by Sam Coffland on February 3, 2021

As you can see, connecting back to your system isn't so simple. The essence of your problem is that even you can do the DNS registration (which makes eligible for the servers to find eachother), the actual ip connection between your machines is further impossible.

There are multiple solutions for your problem.

The simplest were if you have some type of central server (with a public, fixed IP), and the VPN server run on that. On your rasperry pi, just as on your other clients, only a VPN client runned. This server worked as an intermediate gateway between your rasperrys and other devices.

Raspberry -> Central GW machine <- Your any other system

It solved both of the problem of the DNS registering and the problem the IP contact.

From the viewpoint of the network, nobody connected to your rasperry. Only your raspberry connected out to your central GW.

OpenVPN is a very beatiful solution for that.


There are more tricky solutions as well. For example, you could somehow say to your rasperry to connect out to your clients and do the vpn over that. But it didn't work if your clients were also behind a NAT, which is quite common currently, especially in mobile networks.

Or you could use tor as well to find intermediate servers behind you. Yes, tor isn't really a cracker tool, it can be used for regular tasks as well. But it isn't really reliable and quite slow.

Answered by peterh - Reinstate Monica on February 3, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP