How to access your home server, if it's sitting behind NAT / Firewall / two NATs

Recently I stumbled upon this article: https://raspberrydiy.com/access-raspberry-pi-over-internet/


I don't know if the author will ever publish my comment, but here is what I wrote to him:


==== cut ====


Oh mate, how can you trust some random companies more than yourself on such a sensitive topic as security? It's such a naive approach.

I'll tell you this: configure an SSH daemon on your Raspberry Pi (here and hereafter, the same applies to anything running Linux). Make sure to disable password-based authentication in the sshd config, so your weak passwords won't be brute-forced, leaving only SSH-key-based authentication. Restart sshd. Check that you're only able to connect to your Pi using the SSH key and not a plain-text password.

Now you can safely configure port forwarding on your router to expose just and only port 22 from your Pi to the external world. Nothing bad will ever happen to you. No Chinese or Russian hacker will be able to get through that door. It's such a basic idea.

You should trust SSH more than some random list of companies on the internet who only promise you that you'll be safe. Even if those companies have some big names, like Google. Didn't you know you can use Chrome for remotely accessing your Pi? "You can" doesn't mean "you should".

All these companies are doing pretty much the same thing: they ask you to install their own software on your machine in order to create a "secured" network tunnel from your machine to their servers. So then you can grab your phone/tablet/laptop and access their servers from anywhere; they will authenticate you and allow you to use that tunnel of yours. But you see, this whole idea is just bleeding with issues:

- the software they suggest you install on your Pi (usually they call it an agent) could have a backdoor, malware, a virus, bugs, or just be silently mining some cryptocoins on your Pi; you'll never know until it's too late. On the contrary, SSHD doesn't do that.

- you need to trust that the "protected" tunnel that software creates is really protected. Not just because they say so. At least you would want to look at the network traffic with tools like tcpdump/wireshark while copying some text file remotely. The thing is, if some 3rd-party proprietary software is used for tunneling, developers can easily miss some bug there or just not use a proper level of encryption (remember HTTP days?), so anyone in between your Pi and their servers would be able to see what you're doing on your machine. Again, SSHD is far more secure than any random implementation of any "protected" tunnel from these companies.

- you need to trust that these companies won't let anyone else, apart from you, log in to their web servers and use your "secured tunnel" to get onto your Pi. In contrast to this, if you're using SSHD + key-based authentication, no one apart from you will ever be able to authenticate.

SSHD is everywhere; it's used on every single server. I do believe all these companies you listed manage their own servers by logging on to them using SSH and not their own shitty software.

Trust me, you don't need all those companies and their software. They only exist because most people are foolish / scared / lazy / believe in fairy tales or are just uneducated (yet).

Learn how to use SSH properly. You can tunnel everything through it. You don't need all that extra software from some random companies, just like you don't allow yourself to swallow any random medicine on the market.

==== end of cut ====
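The check the comment asks for ("make sure you're only able to connect using the key"), written out as an added example that is not from the original post or the linked article: a small POSIX shell audit of an sshd_config file. The function names sshd_effective and audit_sshd and the two sample config files are my own constructions; the directives inspected are standard sshd_config keywords.

```shell
#!/bin/sh
# Audit an sshd_config for the key-only setup described above: sshd keeps the
# FIRST value it reads per keyword, commented lines only show defaults, and lines
# after "Match" are conditional, so only the global section is inspected.
# Include lines are not followed; "sshd -T" on the host gives the merged view.

# usage: sshd_effective <config> <keyword> <default> [alias-keyword]  (lower-cased value)
sshd_effective() {
    val=$(awk -v k1="$2" -v k2="${4:-$2}" '
        BEGIN { k1 = tolower(k1); k2 = tolower(k2) }
        NF == 0 || $0 ~ /^[[:space:]]*#/ { next }                # blank or comment
        tolower($1) == "match" { exit }                           # end of global section
        tolower($1) == k1 || tolower($1) == k2 { print tolower($2); exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# Return 0 if only public-key logins are possible, 1 otherwise (reasons on stdout).
audit_sshd() {
    cfg=$1; ok=0
    [ "$(sshd_effective "$cfg" PasswordAuthentication yes)" = no ] \
        || { echo "PasswordAuthentication is not 'no'"; ok=1; }
    # With UsePAM yes, keyboard-interactive auth still prompts for the account password
    # even when PasswordAuthentication is off; older configs call it ChallengeResponseAuthentication.
    [ "$(sshd_effective "$cfg" KbdInteractiveAuthentication yes ChallengeResponseAuthentication)" = no ] \
        || { echo "KbdInteractiveAuthentication is not 'no'"; ok=1; }
    [ "$(sshd_effective "$cfg" PubkeyAuthentication yes)" = yes ] \
        || { echo "PubkeyAuthentication is not 'yes'"; ok=1; }
    [ "$(sshd_effective "$cfg" PermitRootLogin prohibit-password)" != yes ] \
        || { echo "PermitRootLogin is 'yes'"; ok=1; }
    grep -qi '^[[:space:]]*match' "$cfg" && echo "note: Match blocks present, review them too"
    return $ok
}

# Constructed sample configs (not from a real host); the first looks hardened but PAM can still ask for a password.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
#PasswordAuthentication yes
UsePAM yes
KbdInteractiveAuthentication yes
PasswordAuthentication no
EOF
cat > "$HARD_CFG" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
EOF
audit_sshd "$WEAK_CFG" || echo "weak sample: NOT key-only (expected)"
audit_sshd "$HARD_CFG" && echo "hardened sample: key-only"
```

Point it at /etc/ssh/sshd_config on the Pi after editing, then confirm with an actual login attempt from a client that has no key loaded.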


Here I just want to add something on top of that. If your ISP (internet service provider) has assigned a private IP address to your router, port forwarding of course makes no sense, because you'd only be exposing your ports to the ISP's internal network, where your router sits, probably together with the similar routers of other people.

There are lots of ads for services on the internet which let you build pretty much the same thing as that guy listed, but none of them can be trusted, for the same reasons I listed above. I strongly suggest you avoid all of them:

https://www.pitunnel.com/
https://www.socketxp.com
https://www.dwservice.net/
https://remotedesktop.google.com/?pli=1
https://www.realvnc.com/en/connect/
https://www.remote.it/
and many, many others.

What you should be using instead are services that are either open source, based on existing well-known technologies, or disclose clearly how they traverse NAT.


Tor and its hidden services feature

Here is my post on how to get it configured in just a few simple steps

I2P - Invisible Internet Project

https://geti2p.net/en/

Freenet

https://freenetproject.org/

Cloudflare tunnel

First of all, if you don't have a domain name, you can get one, even for free. See https://www.getfreedomain.name/ for various options (it is just an information site; they don't provide any services).

Once you have a domain name, you can configure it to be served by Cloudflare's name servers. Then you configure a tunnel, which requires you to install and run special software in your LAN to keep that tunnel up and running. For personal and hobby projects they offer a free plan.

There are lots of tutorials on the internet on how to do so; here is one: https://youtu.be/uTwjJaoknBA

Some more advanced stuff, like protecting your services with additional Cloudflare authentication: https://youtu.be/eojWaJQvqiw

WireGuard

https://en.wikipedia.org/wiki/WireGuard

WireGuard is akin to OpenVPN: software which, simply speaking, creates secured tunnels between endpoints.

Typical use case: you have a machine within your LAN which runs a service you want to access from outside your LAN. You install and configure WireGuard somewhere within your LAN and on the remote machine you want access from. Then, assuming your router gets a real (public) IP from your ISP, you configure your router to port-forward to where WireGuard is installed, so now your remote machine can establish a safe connection into your home LAN.

Another use case is when your router doesn't get a real IP from the ISP. Then you rent a VPS (which by its nature is publicly reachable from the internet) and configure WireGuard there and somewhere within your LAN. These two endpoints will be connected by a secured tunnel. Then you have two options: either install WireGuard on the device from which you want to remotely access your service@home, so it is "included" in this virtual LAN, or expose the service on the VPS.
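The VPS case described above, as an added example that is not from the original post: a shell script that emits the two WireGuard peer configs, plus the nftables ruleset for the second option (exposing the home service on the VPS). Assumed values, all mine: tunnel subnet 10.8.0.0/24 with the VPS at 10.8.0.1 and the home box at 10.8.0.2, WireGuard on UDP 51820, a home service on port 8080 published on the VPS's port 443; keys and the VPS address are passed in as placeholders (wg genkey / wg pubkey produce the real ones), and the function names are invented for this example.

```shell
#!/bin/sh
# WireGuard configs for the "rent a VPS" case: assumed tunnel subnet 10.8.0.0/24,
# VPS = 10.8.0.1, home box = 10.8.0.2, UDP port 51820 open on the VPS only.
# VPS side.  usage: vps_conf <vps_private_key> <home_public_key>
vps_conf() {
cat <<EOF
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = $1

[Peer]
PublicKey = $2
# only packets sourced from the home box's own tunnel address are accepted from it
AllowedIPs = 10.8.0.2/32
EOF
}
# Home side.  usage: home_conf <home_private_key> <vps_public_key> <vps_public_ip>
home_conf() {
cat <<EOF
[Interface]
Address = 10.8.0.2/24
PrivateKey = $1

[Peer]
PublicKey = $2
Endpoint = $3:51820
AllowedIPs = 10.8.0.0/24
# the home box sits behind NAT with no forwarded port, so it must open the
# connection and keep the NAT mapping alive, or the VPS cannot reach it
PersistentKeepalive = 25
EOF
}
# Option 2 from the text: publish the home service (port 8080) on the VPS's port 443.
# Load with "nft -f" on the VPS; net.ipv4.ip_forward=1 is needed there as well.
vps_nat_rules() {
cat <<'EOF'
table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100;
    tcp dport 443 dnat to 10.8.0.2:8080
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    ip daddr 10.8.0.2 masquerade
  }
}
EOF
}
```

The masquerade rule rewrites the source of forwarded packets to the VPS's tunnel address, so the home box answers back through the tunnel instead of trying to route to the original client.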

Tailscale (or Headscale)

It is akin to a VPN: you install special software on all your devices, and while it's up, they appear in the same network, even if those devices are behind a firewall. If you want to self-host something at home just for yourself, so you can access your own service from anywhere in the world, it's fine.

But it doesn't work if you want to host a service which you want to make available to yourself or other people without installing an additional piece of software.

The good thing about Tailscale is that they open-sourced both the client and the server. They didn't go open source with the management / configuration server, so the open-source server is quite stripped down, but still very useful if you don't mind hosting it on some VPS which has a public IP address.

https://tailscale.com/opensource/

If you do trust the server provided by Tailscale themselves, you can opt for the Free plan, which allows you to connect up to 20 different devices together in the same virtual network.

Zerotier

Similar to Tailscale. Even the plans are similar.
https://en.wikipedia.org/wiki/ZeroTier

Nebula

httptunnel

xxx

Tinc

http://tinc-vpn.org/

route48.org

xxx

Typical NAT traversal techniques

https://blog.apnic.net/2022/05/03/how-nat-traversal-works-concerning-cgnats/

UDP hole punching
STUN / TURN / ICE

