
Hi all, I'm about to deploy a small server (raspberry pi) in a remote location (outback WA). The site has satellite internet, which I believe is reliable but laggy. I'd like to set up my server so I have remote shell access, but the problem I'm struggling with is the two layers of dynamic IP. The site as a whole has some satellite modem that gets a dynamic IP, but then my server will get a NATted dynamic IP from the router. I don't have control over the router, so I can't implement port forwarding with a static IP. Does anyone know what the "correct" solution might be? I've only gotten as far as very hacky solutions such as a reverse tunnel via an ssh cron job (hourly?) to my local IP. The server is in hourly communication with an Amazon S3 service to upload its collected data, so another possibility is that it periodically checks the S3 drive for a file to execute. If I place a script there it could run it and pipe the results back to me. Nasty and not very interactive. Anyone? Cory
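A less hacky version of the reverse-tunnel idea from the post above, added here as an example (it is not part of the original thread and not the poster's own setup): instead of an hourly cron job, the Pi keeps one persistent `ssh -R` session to a host you control that has a static IP (the "hub"), supervised by systemd so it is restarted whenever the satellite link drops. The key the Pi uses is restricted on the hub so it can do nothing except open that one reverse listener. The host name, account, port and paths (`hub.example.net`, `tunnel`, 2222, `/home/pi/.ssh/tunnel_ed25519`, `pi-tunnel.service`) are placeholders.

```shell
#!/bin/sh
# Added example: persistent, restricted reverse SSH tunnel from a NATted host
# (the Pi) to a hub with a static IP. All names, ports and paths are assumptions.
HUB_HOST="hub.example.net"                # placeholder: your static-IP host
HUB_USER="tunnel"                         # placeholder: unprivileged account on the hub
HUB_PORT=2222                             # loopback port on the hub that maps to the Pi's sshd
KEY_FILE="/home/pi/.ssh/tunnel_ed25519"   # placeholder: key used only for this tunnel

# The ssh command the Pi runs. Key points:
#  -N                      no remote shell, forwarding only
#  -R 2222:localhost:22    hub:2222 (loopback only, sshd's GatewayPorts defaults to no) -> Pi:22
#  ExitOnForwardFailure    exit if a stale session still holds the port, so systemd restarts us
#  ServerAlive*            notice a dead satellite link after ~90 s instead of waiting for TCP
#  BatchMode               never prompt; fail fast if the key is rejected
tunnel_cmd() {
    printf 'ssh -N -R %s:localhost:22 -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o BatchMode=yes -i %s %s@%s' \
        "$HUB_PORT" "$KEY_FILE" "$HUB_USER" "$HUB_HOST"
}

# Line for the hub's ~tunnel/.ssh/authorized_keys. "restrict" turns off pty,
# agent/X11 forwarding and command execution; "port-forwarding" re-enables
# forwarding and "permitlisten" limits -R to this one port (OpenSSH 7.8+).
# $1 = the public key text from $KEY_FILE.pub
authorized_keys_line() {
    printf 'restrict,port-forwarding,permitlisten="%s" %s' "$HUB_PORT" "$1"
}

# systemd unit so the tunnel survives reboots and link drops.
unit_file() {
    cat <<EOF
[Unit]
Description=Reverse SSH tunnel to $HUB_HOST
After=network-online.target
Wants=network-online.target

[Service]
User=pi
ExecStart=$(tunnel_cmd)
Restart=always
RestartSec=30

[Install]
WantedBy=multi-user.target
EOF
}

# Usage: ./tunnel.sh show     print the unit and the authorized_keys line
#        ./tunnel.sh install  write the unit and start it (run as root on the Pi)
case "${1:-}" in
    show)
        unit_file
        echo
        authorized_keys_line "$(cat "$KEY_FILE.pub")"
        ;;
    install)
        unit_file > /etc/systemd/system/pi-tunnel.service
        systemctl daemon-reload && systemctl enable --now pi-tunnel.service
        ;;
esac
```

From your workstation you then reach the Pi through the hub with your own (unrestricted) hub account, e.g. `ssh -J you@hub.example.net -p 2222 pi@localhost`; the `tunnel` account never needs a shell, and nothing on the hub is exposed beyond its own sshd.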

I would use an IPSEC or OpenVPN (or whatever) connection back to a central location and access from that way.

IPSEC is nice because it's standard and should be supported in some form or another by just about anything. I don't know if the raspberry pi will support it, but your local router might. OpenVPN is nice because you can tunnel at L2 or L3 and you get an interface and routing is a bit more intuitive.

I've used OpenVPN before on a satellite connection for more or less the same reasons as you, and it worked really well.

You might also consider DynDNS and port forwarding, if your satellite connection is actually a world routable IP. It could actually be CGN like most 4G connections though, in which case you won't be able to get back through it even if you know the dynamic IP via DynDNS.

James

On Sat, Oct 7, 2017 at 11:56 AM, James Harper <james@meadowcourt.org> wrote:
I would use an IPSEC or OpenVPN (or whatever) connection back to a central location and access from that way.
Thanks for the pointers, I'll look into them. Correct me if I'm wrong, but they both depend heavily on me having a server with a static IP elsewhere. Do both methods also require that some process periodically check whether the connection is still up and re-try? cheers, Cory

tl;dr version:
1. yes it does require a host with a static IP
2. VPN clients generally auto-reconnect by themselves.
On Sat, Oct 7, 2017 at 11:56 AM, James Harper <james@meadowcourt.org> wrote:
I would use an IPSEC or OpenVPN (or whatever) connection back to a central location and access from that way.
I was going to reply "use a VPN" but you beat me to it. That's the right solution.

On Sat, Oct 07, 2017 at 01:38:05PM +1100, cory seligman wrote:
Correct me if I'm wrong, but they both depend heavily on me having a server with a static IP elsewhere.
Yes. If you have two hosts with dynamic IPs that need to communicate, there is no way for either of them to know with any certainty what the other host's IP address is at any given time, so the only reliable way to communicate is via a host with a static IP address known (or discoverable, e.g. via DNS) to both of the dynamic IP hosts.

If both dynamic hosts establish a VPN connection to the static IP host, packets between the two are just routed back and forth as normal with no fuss. If either or both of them have to restart their upstream connection and get a new dynamic IP, then they just re-establish the VPN and any communication between the two is unaffected (aside from timeout issues - e.g. an ssh connection won't drop immediately, but will eventually time out if one of the hosts doesn't re-establish its connection within a reasonable time).

This also works if you have more than two hosts with dynamic IP addresses. A single static IP host can act as a central VPN communications hub for an arbitrarily large number of dynamic IP "clients".

If you have just one host with a dynamic IP and another with a static IP, the dynamic host should establish a VPN connection directly to the static host.

If you don't currently have any hosts with a static IP, look around for the cheapest & closest (network-wise) & lowest-latency co-hosting or VPS provider you can find and run the VPN service on that. google for "cheap VPS australia":

https://www.google.com.au/search?q=cheap+VPS+australia&oq=cheap+VPS+australi...

The key things you want are:

1. a static IP
2. a real VPS with root access so you can run openvpn or whatever, **NOT** just a virtual web server or a restricted container.
3. if it's mostly ssh traffic, you don't really need to care about upload/download limits on the VPS. You can transfer bulk files via your S3 service anyway.
You probably can't find anything for under $10/month inside Australia but if that's too expensive AND you can tolerate the latency introduced by a trip back and forth across the Pacific (about 200ms each way) or the Pacific & the Atlantic (about 350ms each way) you can find a VPS in the US or Europe for under $5/month.

For ssh, ~400ms would be annoying but (just) usable, but that's still 0.4 seconds between each keystroke, which makes editing command lines a major PITA. IMO interactive ssh at 700+ms would be far too annoying to use. One simple solution to that is to keep another shell or a text editor open in another window, edit your commands there and copy-paste into the ssh session.

There's also a useful program on github that can make interactive ssh sessions far more tolerable over high-latency links: https://github.com/mnalis/ssh-line-mode
From the README:
This is wrapper around ssh(1) which allows it to do local line editing before sending it to remote host (also known by names such as telnet line mode, line-by-line, line mode, line buffered mode, canonical mode, cooked mode, RFC 1184)

It is inspired by line-by-line editing mode in telnet(1) of old. While most of the time you're much better served by char-by-char mode (which is only mode openssh provides), line-by-line mode is much preferred when you use SSH over high latency ("terrible ping") links (and/or high TCP packet loss links) such as low wireless signal, overloaded (or flaky) GPRS EDGE mobile networks and such - because you can do all the line editing locally without involving network. Only when you press enter is whole line sent at once in just one TCP packet (as opposed to dozens of them in char-by-char mode!)

[....]

sshlm allows you to interactively choose whether to use line-by-line (with local line editing) or common char-by-char mode. See USAGE.txt for instructions.

Apparently putty (which is available for Linux) has a line-editing mode. Dunno if putty's plink command has that too...probably not - putty itself is a terminal emulator as well as an ssh client. plink is just another command line tool like ssh.
Do both method also require that some process periodically check whether the connection is still up and re-try?
Most VPN software will automatically reconnect, or can easily be configured to do so. You shouldn't need any hacky cron jobs or similar.

craig

-- 
craig sanders <cas@taz.net.au>
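A minimal OpenVPN hub-and-spoke configuration for the topology Craig describes (one static-IP hub, any number of dynamic-IP spokes that dial in and reconnect on their own), added here as an example that is not from the thread or any of its authors. The hub name `hub.example.net`, the tunnel subnet 10.8.0.0/24 and the certificate file names are assumptions; the certificates themselves come from your own CA (e.g. easy-rsa) and are not generated here. The functions only print the two config files so you can inspect them before dropping them into `/etc/openvpn/`.

```shell
#!/bin/sh
# Added example: OpenVPN hub (static IP) and spoke (dynamic IP) configs.
# Hostname, subnet and file names are assumptions.
HUB_HOST="hub.example.net"   # placeholder: the VPS with the static IP
VPN_NET="10.8.0.0"
VPN_MASK="255.255.255.0"

# Hub side, /etc/openvpn/server.conf.
#  keepalive 10 60   the hub pings every 10 s; a spoke that hears nothing for 60 s
#                    restarts its connection (the hub gives up on it after 120 s),
#                    so a spoke whose satellite IP changed re-registers by itself.
#  client-to-client  lets the Pi and your workstation reach each other through the hub
#  tls-auth          drops packets without the shared HMAC key before the TLS handshake,
#                    so the UDP port does not answer scanners
server_conf() {
    cat <<EOF
port 1194
proto udp
dev tun
ca ca.crt
cert hub.crt
key hub.key
dh dh.pem
tls-auth ta.key 0
server $VPN_NET $VPN_MASK
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
}

# Spoke side (the Pi and your workstation), /etc/openvpn/client.conf.
#  resolv-retry infinite  keep retrying DNS for the hub while the link is down
#  remote-cert-tls server stops a spoke accepting another spoke's cert as the hub
# The ping/ping-restart settings are pushed by the hub's keepalive directive,
# which is the "auto-reconnect" the thread mentions; no cron job needed.
# $1 = the name of this spoke's certificate/key pair (e.g. "pi")
client_conf() {
    cat <<EOF
client
dev tun
proto udp
remote $HUB_HOST 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert $1.crt
key $1.key
tls-auth ta.key 1
remote-cert-tls server
verb 3
EOF
}

# Usage: ./vpn-confs.sh hub      > server.conf
#        ./vpn-confs.sh spoke pi > client.conf
case "${1:-}" in
    hub)   server_conf ;;
    spoke) client_conf "${2:-spoke}" ;;
esac
```

Once both spokes are up, `ssh pi@10.8.0.x` from the workstation goes through the hub regardless of what the satellite modem's public address is that hour; the hub only needs UDP 1194 open, and its own sshd stays firewalled to your address.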

On 07/10/17 15:57, Craig Sanders via luv-main wrote:
tl;dr version:
1. yes it does require a host with a static IP
2. VPN clients generally auto-reconnect by themselves.
1a. Since you're already using AWS, you might want to use their AWS Managed VPN service. There are guides on how to do this with a Pi[1].

Cheers,
Darren

[1]: https://www.cososo.co.uk/2016/07/vpn-bridge-from-home-network-to-aws-vpc-wit...

On Sat, 2017-10-07 at 16:13 +1100, Darren Wurf via luv-main wrote:
1. yes it does require a host with a static IP
2. VPN clients generally auto-reconnect by themselves.
1a. Since you're already using AWS, you might want to use their AWS Managed VPN service. There are guide on how to do this with a Pi [...]
Maybe double check, but I understand a VPN connection at AWS Virtual Private Cloud (VPC) costs USD $0.05 per hour [1], which is approx. USD $37.- per month. Running a (very) small Linux EC2 instance with a static IP at AWS in Australia costs USD $0.0146 per hour (t2.micro) [2], which is approx. USD $11.- per month. With a 1-year commitment ("reserved instance"), you can save up to 37% on top of that [3].

Don't get me wrong, the VPN at AWS is a nice service, but it depends on the use case if it's worth the money :-)

[1] https://aws.amazon.com/vpc/pricing/
[2] https://aws.amazon.com/ec2/pricing/on-demand/
[3] https://aws.amazon.com/ec2/pricing/reserved-instances/pricing/

Cheers
Michael

On Saturday, 7 October 2017 10:34:21 AM AEDT cory seligman via luv-main wrote:
I'd like to set up my server so I have remote shell access, but the problem I'm struggling with is the two layers of dynamic IP.
The site as a whole has some satellite modem that gets a dynamic IP, but then my server will get a NATted dynamic IP from the router.
I don't have control over the router, so I can't implement port forwarding with a static IP.
https://etbe.coker.com.au/2015/01/28/play-machine-tor/

For such situations I use a tor hidden service. Tor is very good at working with such network situations, both because it's only making outbound connections (which usually work) and because Tor is often used in places like China where the government tries to make it break.

There is noticeable lag when using ssh over a Tor hidden service, but it doesn't stop me doing what I need to do. It seems likely that Tor won't make things noticeably slower than they already are with a satellite link.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
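The onion-service approach above needs no static IP at all, because the Pi only ever opens outbound connections to the Tor network. Added here as an example (not Russell's configuration and not from the linked post): the `torrc` lines for the Pi, the `~/.ssh/config` stanza that routes the workstation's ssh through its local Tor SOCKS proxy, and a sanity check on the onion name before it is written into a config file. The directory `/var/lib/tor/ssh_onion`, the host alias `pi-onion` and the use of OpenBSD netcat for `ProxyCommand` are assumptions; a current Tor release (v3 onion services) is assumed.

```shell
#!/bin/sh
# Added example: expose the Pi's sshd as a Tor onion service and reach it from a
# workstation through the local Tor SOCKS proxy. Paths and names are assumptions.
ONION_DIR="/var/lib/tor/ssh_onion"   # placeholder; must be owned by the tor user, mode 0700

# torrc fragment for the Pi. Only outbound connections are made, so double NAT
# and dynamic IPs are irrelevant. Keep sshd on 127.0.0.1 only (ListenAddress
# 127.0.0.1 in sshd_config) so nothing is exposed on the site LAN; the onion
# name is a rendezvous point, not authentication, so sshd stays key-only.
torrc_fragment() {
    cat <<EOF
HiddenServiceDir $ONION_DIR
HiddenServiceVersion 3
HiddenServicePort 22 127.0.0.1:22
EOF
}

# ~/.ssh/config stanza for the workstation: route the alias "pi-onion" through
# the local Tor SOCKS proxy (default 127.0.0.1:9050) using OpenBSD netcat.
# $1 = the onion hostname, read from $ONION_DIR/hostname on the Pi once tor is up.
ssh_config_stanza() {
    cat <<EOF
Host pi-onion
    HostName $1
    User pi
    ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
    ServerAliveInterval 30
EOF
}

# Accept only a well-formed v3 onion name (56 base32 characters + ".onion")
# before writing it into a config file. Returns 0 when valid.
is_v3_onion() {
    printf '%s' "$1" | grep -Eq '^[a-z2-7]{56}\.onion$'
}

# Usage: ./onion-ssh.sh torrc              print the Pi's torrc lines
#        ./onion-ssh.sh client <name.onion> print the workstation's ssh config stanza
case "${1:-}" in
    torrc)
        torrc_fragment
        ;;
    client)
        if is_v3_onion "${2:-}"; then
            ssh_config_stanza "$2"
        else
            echo "not a v3 onion name: ${2:-}" >&2
            exit 1
        fi
        ;;
esac
```

After `tor` has been restarted on the Pi, the name in `$ONION_DIR/hostname` is the only thing that needs to leave the site; with the stanza in place, `ssh pi-onion` on the workstation works the same whatever address the satellite modem holds.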
participants (6)
- cory seligman
- Craig Sanders
- Darren Wurf
- James Harper
- Michael Schams
- Russell Coker