SSH Server Project
August 11, 2024, 23:16
okay guys i’m pretty new to the pi and to linux so bear with me as i have an idea. i’d like to leave my pi on at university 24/7 connected to an external hard drive and to the campus wifi. the idea being that when im working on my laptop i can ssh to my pi to send, receive and backup files to its external hard drive rather than storing everything i ever do on my laptop’s linux partition. obviously i cannot modify the router settings at all so how can i set it up so that i can ssh into my pi on any network? i guess i need to forward a port? i have only managed to ssh through ethernet so far and i should be able to figure it out on a LAN but this is a little different.
You've invented a NAS
yeah but
not on the same network
Accessing outside the network is a little harder
as you said you can't forward the port
okay in theory it is but i have no idea how they set up their wifi across a whole campus
so either run a VPN somewhere you can and then bridge them
or use a service like ngrok to do that for you
then you can do normal ftp/sftp file transfers all day long
i want to do it in the most complicated and manual and involved way possible
so that i can learn more about it
ah
whats bridging
and wouldnt i have to choose an ip
here it's just connecting the pi to a vpn
is that a vpn on the server or laptop side
but you must run it yourself
you need a second server
that's the trick
somewhere where you can port forward
i have four raspberry pis
more than I have
but i only have access to the one network
for internet
not even your home?
okay would that work
you could run the nas there
if i left one running at home 24/7 and the actual hardware server at uni
okay
other way round
then you only need one
just forward it at home and then connect as normal
is that like no1 way to get attacked
you have to do a lot of privacy stuff i think
be careful
only forward the ports you need
update the software regularly
and use software that gets updated obviously
if you do that you should be safe
do not expose port 22
expose port 21 for ftp
so im guessing theres a port for ftp
yep
and if i forward that via my router at home
port 22 would probably be safe to forward
i can access my pi at home from my laptop on any network
that would give you ssh and sftp too
yeah
okay so forwarding and exposing two different things
and the trick with sftp and ssh is that first s
secure
if you forward 21 and 22 and keep software up to date it should be fine
and i can update my pi via ssh anyway?
yeah
or schedule it to do it automatically
so im guessing theres a bunch of commands in the cli i can use to transfer all the files on my laptop like music and photos etc
any sftp or ftp client will do
without a gui drag and drop
no
you can have a gui
easy
for windows there's WinSCP or filezilla
linux also supports filezilla
and winscp
just pick one you like
most file managers can do it too
ohhh i see
so i just tell it where to go (my raspberry pi port)
and drag and drop
not even port
it's smart enough to now
just needs the forwarded IP
which is your home IP address btw
I don't want to see that
some people do
do i NEED a ftp client like in theory could i do this all through ssh and port forwarding and cli and stuff
It would be hard to move files otherwise but technically no
sftp is pretty good
doesn't even require any extra software
does it all over ssh
i see okay
since i have four pis
what else can i do
ive got one built up, one needs a case and two spares
one of em ill use as my NAS which is like a free icloud or whatever
and then i need to figure out what to use the rest for
idk
mine sit around doing nothing
until I write something for them to do
ill just package the other three up and bring them with me then until someone gives me an idea or a project
i want one that runs windows 95
maybe hang them on a keychain or something to show off
that's going to be a major challenge
its been done
Different architectures
that'll be a pain to get working
if you don't follow a guide
hopefully theres a decent one
more learning
Doing it yourself is pretty cool
but emulating x86 is a pain in the ass
emulating the intel 8080 is a pain in the ass
x86 is infinitely worse
QEMU will do it though
can you run the 1990s macOS on a pi?
because the specs were so low back then obviously
that's not what makes it hard
they're completely incompatible
ik QEMU does x86 32
but I don't know about power pc
qemu does power pc
I have now learnt
you could do it
emulation man
crazy
yeah
qemu is the tool
want to write an OS? QEMU
want to run an OS? QEMU
i had a problem with wine where it wouldnt recognise my usb device is that normal
what kind of USB device
speaking of emulators and also not emulators
uhh a usb recording device
wine is not an emulator of course
interesting
I couldn't get my midi controller working
all fine on lsusb it actually worked through audacity
but the app i was running through wine wouldnt recognise there was anything there
hmm
not the best person to ask
I like to roll my own crazy stuff
not use other peoples
why does my pi only have dhcp
and not dhcpcd
which i just installed
observer
I didn't build the network stack
I also don't have a reference so I was guessing
so if i wanna set up a static ip now what is the absolute best way
it depends
do you have network manager
or wpa_supplicant
on my laptop
is your network configured using ifconfig or network manager
ifconfig on the pi i guess
do you have them all but only a certain set of services running
Pi OS lite comes with dhcpcd
that was my reference
the dhcp folder is from network manager
it's its internal one
there you go
ah i have this
don't go installing stuff
it was rhetorical
I was complaining about how many variables there are for this simple question
anyway
it was network manager
dhcpcd is a little better anyway
so it couldn't hurt
yeah i got network manager up to date
okay set a static ip
what am i doin
with network manager?
not following various internet gudies for a start
uhhh
whichever way is best
if you don't want to read a guide
then consult the man page
it'll tell you
man nmcli
i say this bc the one i showed you might not be the best way
writing a dhcpcd file
I like dhcpcd
but
it's about convinience
There is an alternative to using port forwarding and that is a proxy.
An example is https://www.zerotier.com/
But remember this is also a security threat as the function is a "Man in the middle" (https://en.wikipedia.org/wiki/Man-in-the-middle_attack).
So you need to make a risk assessment and also make a risk assessment for your neighbouring devices on the same network as they can be exposed.
my home ip is dynamic what’s the best way to deal with that for a vpn? wireguard seems like a good one btw unless you know of any other
There are a lot of free Dynamic DNS (DynDNS) providers.
So instead of using a IP that will change you use a DNS name, example: myfunkyip.dyndns.org.
Then you have a DynDNS client running on your Pi that tells the DynDNS provider what IP you have and they link that ip to your name, ex. myfunkyip.dyndns.org
there are several bash scripts on github that let you set your domain and then they check for ip changes every x minutes and update the dns record on cloudflare, no ddns domain needed
i have done this now
im moving forwards
so
i now have a working wireguard vpn server on the pi
my laptop is a client
with appropriate keys
and i can get the connection up and down
i can ping the pi and get a response but there’s one problem
well a lot of problems
it won’t let me do anything
when i try to ssh it says connection refused
and when i try to ftp it tells me refused
<@685869137939267603> any ideas sensei?
err
gotta be the firewall
iptables
sudo iptables-save
i don’t think i set one up
is there one that’s preinstalled on the pi?
idk
I don't know what the stock software is
I also can't check
i’ll do iptables tomorrow and see what it says
it makes sense
hey look at this weird device from a weird network trying to gain remote access
yeah
is there a way to get wireguard working twice
hang on let me explain
this is my webserver which i need access to so i can swap out my html files and maybe edit my server stack
i also want to build my nas as a cloud backup
obviously they will both be running separate wireguard servers but routing to the same ip (my home router) with the same client (my laptop)
will that work? do i just need to do what i did again and name everything wgs1 instead of wgs0?
you don't need two wireguard servers
that's the whole point of the VPN
oh yeah cause they’re on the same network
facepalm
but hang on
once im connected in this scenario to wgs0
how do i connect to the other pi not running the server
will it be there as if im on the home network
yeah
just use it's ip
like for the other pi
when im connected to wg0 i cant ping my router or any other device on the network
but isnt it supposed to act as if im in the network
or do i have to be ssh'd into the pi to do anything
like i have to ssh to another pi via being ssh'd into my wireguard pi
Does wireguard run as a Docker container?
i don’t think so
but i used pi-vpn to set it up
so it may well do
i should’ve done docker ps but i have to go to work
either way shouldn’t i still be able to ping other devices on the home network?
You don't know how you installed it?
If it runs in a Docker container it is isolated from the host! Docker uses its own firewall!
And it ignores the host firewall.
i installed it using pi-vpn
Yes, but did you install the pi-vpn yourself or was it already installed?
yes i installed it myself
and went through the options etc to set up wireguard
Then you should know whether you have installed it as a Docker container or not...
no it isnt
i didnt think it was but since you said it and some of the process was automated i thought i should make sue
Ok, I don't understand this text. Anyway...
Does an SSH connection work without VPN?
only when im actually on my home network legitimately
If you are connected to the VPN, what does the command for SSH look like?
ssh pi@10.x.x.x
which is the ip address for the vpn
This is the public IP?
This is the public IP? Or does your internal network also have 10.159.42.x?
this is the internal ip for the wireguard connection
Forget it, you will connect to your PC from which you connected to the VPN...
I think the only thing that helps is this https://superuser.com/questions/347534/ssh-server-cant-be-connected-to-when-vpn-is-turned-on/347543#347543
Or you have to search the internet yourself. I think the VPN connection is blocking the SSH...
Create a "Virtual network interface" and use that for either VPN or SSH.
Example nmcli connection add con-name <connection-name> ifname <device-name> type ethernet
Then you need to add an IP to that virtual interface.
Example for DHCP nmcli connection modify <connection-name> ipv4.method auto
And check the FAQ https://discord.com/channels/818384379197784084/1193810781473607732
FINISHED
aside from any problems that might arise with DDNS here's how i did it without port forwarding
1. Set up your Pi with a static IP using nmtui
2. Make sure SSH is enabled
3. Register for no-ip to create a dynamic DNS for your home router (example.ddns.net)
4. Use PiVPN to install Wireguard on your server and follow the default setup making sure to include your new DDNS entry and of course your static IP
5. Configure your client through the PiVPN setup while the client and server are both connected on your home network - copy the client .conf file to your client and change the allowed ip value to the internal Wireguard IP of your server
6. In your server .conf change the allowed ip to the internal Wireguard IP of your client
7. In the same file, set MTU to 1200. This is just a precaution, you can leave it at default
8. Use wg-quick up wg(number) to set up your connection on both devices
9. Connect to any other network on your client and connect to your new VPN
10. You can now test by pinging the Wireguard IP of the server. Using SSH to connect will allow you to ping your home network devices and the internet. In your FTP client of choice choose the Wireguard IP as the hostname, rather than the static device IP. And do whatever else you want!
What exactly is used to establish the VPN connection, the domain or the IP address?