Question about SSH: how to connect from the outside?

Hi, I have a small Q, maybe not related to OH but for OH needs…

I have SSH enabled on my OH system. From local I can ssh root@193.158.14.1
and put in the password.
How can I do it from a remote PC? Let's say my remote address is 172.158.14.1.

Can I tunnel into another PC with this address? Is there any other way to do it?

Dear Gad

It is possible to do so, but firstly: NEVER EVER use root to log in to SSH, not even locally.

Secondly, it might be risky, in reference to my recent post here.

Cheers
Stefan

Do NOT do that.

Configure a VPN on your router, connect to it from outside, and then use your network as if you were home.

I will look this up, thank you.

Thanks for the heads up.

From a risk perspective, there really isn’t a whole lot of difference between exposing OpenVPN to the internet on port 1194 and exposing a well configured SSH server on port 22 (or preferably some other non-standard port).

There can be many reasons why OpenVPN would not be an option (e.g. most corporate firewalls or machine policies will prevent joining a machine to a non-corporate VPN).

I’m not saying that a VPN isn’t a good option, but I don’t see how it’s any better of an option than SSH.

@Gad_Ofir, this is one of those cases where if you have to ask it might not be the best idea. It takes a lot of knowledge and skills to open up a port on your LAN’s firewall safely. My first choice would be to set it up in a way that doesn’t require opening any ports at all (not even for a VPN). For example:

Then your LAN won’t be under direct attack because it has no ports exposed.

If you insist on exposing a port for ssh, you need to do a lot to make sure it’s secured. Some best practices include:

  • only allow certificate authentication, never allow passwords
  • put a password on the certificate itself
  • set up the NAT so a non-standard port is exposed
  • set up Fail2Ban
  • monitor the authentication logs and Fail2Ban logs
  • if possible, isolate this ssh machine into a DMZ with a firewall on both sides. The outside firewall doesn’t allow outgoing connections at all. The inside firewall only allows connection to the one destination machine. Configure this machine with a different set of certs to log into your actual machine, also password protected but with a different password.

I like the two approaches above because they put that DMZ machine outside your LAN, further limiting any attack’s ability to move into your LAN.
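The server-side items of that checklist (key-only authentication, no root login, non-standard port) can be checked against an `sshd_config` before the port is ever opened. This is an added example, not code from the thread; it mirrors sshd's own parsing rules, and the two sample configs in it are constructed:

```python
"""Audit an sshd_config against the SSH checklist above (added example, not
from the thread): key-only auth, no root login, non-standard port. Mirrors sshd
parsing: keywords are case-insensitive and the FIRST occurrence wins, so a
hardening line appended below an earlier setting changes nothing; Match blocks
are conditional and excluded. Sample configs below are constructed."""
import re

POLICY = {  # keyword: (required value, sshd default when absent, finding text)
    "passwordauthentication": ("no", "yes", "password logins still allowed"),
    "kbdinteractiveauthentication": ("no", "yes", "keyboard-interactive (PAM) logins still allowed"),
    "pubkeyauthentication": ("yes", "yes", "public-key authentication disabled"),
    "permitrootlogin": ("no", "prohibit-password", "root login permitted over SSH"),
}

def effective_settings(config_text):
    """Global settings as {keyword: value}; 'port' collects every Port line."""
    settings, ports = {}, []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "").lower()
        if key == "match":                         # everything after is conditional
            break
        if key == "port":                          # several Port lines all take effect
            ports.append(value)
        else:
            settings.setdefault(key, value)        # first occurrence wins
    settings["port"] = ports or ["22"]
    return settings

def audit(config_text):
    """Return finding strings; an empty list means the checklist is satisfied."""
    seen = effective_settings(config_text)
    findings = [f"{msg} ({key} is '{seen.get(key, default)}')"
                for key, (wanted, default, msg) in POLICY.items()
                if seen.get(key, default) != wanted]
    if "22" in seen["port"]:
        findings.append("sshd listens on the default port 22")
    return findings

# Constructed samples: the 'no' at the end of WEAK_CONFIG is silently ignored by sshd
WEAK_CONFIG = ("Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
               "PasswordAuthentication no   # too late: first occurrence wins\n")
HARDENED_CONFIG = ("Port 2222\nPermitRootLogin no\nPasswordAuthentication no\n"
                   "KbdInteractiveAuthentication no\nMatch User deploy\n  PasswordAuthentication yes\n")

if __name__ == "__main__":
    print(audit(WEAK_CONFIG), audit(HARDENED_CONFIG))
```

The passphrase on the private key cannot be verified from the server side; check that on the client with `ssh-keygen -y -f <keyfile>`, which prompts for the passphrase if one is set.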

Configuring a Linux machine properly for an exposed SSH port is not an easy task for a regular Joe, and a lot of things could go wrong, not to mention you are still kind of exposing a full Linux machine, usually with user pi in sudoers… :stuck_out_tongue:

Otherwise, OpenVPN on the router itself exposes only a relatively secure part, and the rest is handled by the router anyway.
I mean… yes, everything is potentially dangerous, but some stuff is less hot than other stuff.

Setting up OpenVPN is no easier to do well than SSH in my experience. And a lot of things can go wrong with it as well. And for some vulnerabilities with OpenVPN, if they break out of the server they have access to your firewall/gateway, which is a far juicier target than some RPi.

As someone who runs both, I just don’t see that there is a big difference in complexity, difficulty in setting them up securely, and exposure to attack.

Hi Rich and all, thanks for the input. I will avoid it and will use TeamViewer :slight_smile:
as I did till now. I just wanted a slick terminal from my phone or work desktop,
but it sounds like… and I will not bother.

I have WireGuard running as a service on my “home server” (a Cubietruck running OpenHAB, XMPP server, and some other things).

It was pretty easy to set up and has worked flawlessly for over a year now.

There is even a white paper, and some serious security analysis there on their site, if you are interested in such things. Even Linus Torvalds had favorable things to say about it(!) :smiley:


Just noticed you mentioned your phone also. Not sure if you are on Android or not, but an implementation of WireGuard has been released to F-Droid (Free Software repository) somewhat recently. I’ve been using it to ssh in from my phone (using Termux) and it all works great.