Raspberry Pi Remote SSH Access over the Internet using Secure Tunnel
Raspberry Pi remote SSH access over the internet is key to monitoring, controlling and debugging industrial machinery, automobile fleets and home automation devices from far away remote locations when human access to such devices is not possible at a particular moment.
What is SocketXP
SocketXP is a cloud based IoT remote access and device management solution that provides remote SSH access to your IoT devices in the field using secure SSL/TLS VPN tunnels. SocketXP IoT Solution does not require any changes to your firewall or gateway router configuration. SocketXP creates a secure tunnel through your firewall and NAT and over the internet for secure remote SSH access.
SocketXP IoT Features
SocketXP IoT Solution provides the following features:
- Remote SSH Access
- Remote File Transfer - SFTP/SCP
- Remote Desktop Access - RDP/VNC
- Remote web server access - Public URL for your IoT localhost web server
- Remote API server access
- Relay webhooks from IFTTT or Zapier or any online service to your IoT device.
How SocketXP IoT Remote SSH solution works
Install a simple, secure and lightweight SocketXP IoT agent on your IoT device (or Raspberry Pi). The SocketXP agent will securely connect (using an SSL/TLS tunnel) to the SocketXP IoT Cloud Gateway using an authentication token.
SocketXP is a highly scalable solution. It can connect more than 10K RPi or IoT devices for a single user account.
Step 1: Download and Install
Download and install the SocketXP IoT agent on your IoT device or Raspberry Pi device from here
Step 2: Get your Authentication Token
Sign up at https://portal.socketxp.com and get your authentication token.
Use the following command to login to the SocketXP IoT Cloud Gateway using the auth token.
$ socketxp login <your-auth-token-goes-here>
Note: By default, all users are subscribed to the "Tunnel Free Plan". Switch to the "IoT Free Plan" in the SocketXP Portal page so that you can connect up to 4 IoT or Raspberry Pi devices to our online service as a free user.
Step 3: Create SocketXP SSL Tunnel Endpoint for Remote SSH
Use the following command to create a secure and private SSL tunnel endpoint at the SocketXP IoT Cloud Gateway.
$ socketxp connect tcp://localhost:22 --iot-device-id "tempsensor-00001"
TCP tunnel [test-user-gmail-com-34445] created.
Access the tunnel using SocketXP agent in IoT Slave Mode
SocketXP IoT Solution doesn't create any public TCP tunnel endpoints that can be connected by any SSH client on the internet. SocketXP private tunnel endpoints are not exposed to the internet and can be accessed only using the SocketXP agent (using the auth token of the user) or through the XTERM terminal in the SocketXP Portal page.
The screen capture above shows the "htop" command output from an SSH session created using the XTERM window from the SocketXP Portal page in a web browser.
Single-Touch Installation on large number of IoT devices
The 3-step instructions explained above to set up SocketXP on your IoT device become a tedious process if you have thousands of RPis to install, configure and manage.
With this in mind, SocketXP IoT Solution also provides a single-touch installation for installing and configuring the SocketXP IoT Agent on large numbers of IoT or RPi devices. Copy and paste the single command below into the terminal of your IoT devices and it will install, configure and set up the agent and bring the devices online in our SocketXP portal.
Configuring SocketXP agent to run in slave mode
This is an alternate method for connecting to your RPi from a remote location using the SocketXP solution.
If you don't want to access your IoT device or RPi from the browser and you want to access it using your SSH client then follow the instructions below.
First download and install the regular SocketXP agent software on your accessing device (such as a laptop running Windows or Mac OS). Next, configure the agent to run in slave mode using the command option "--iot-slave" as shown in the example below. Also, specify the name of the private TCP tunnel you want to connect to, using the "--tunnel-name" option.
$ socketxp connect tcp://localhost:3000 --iot-slave --tunnel-name test-user-gmail-com-34445
Listening for TCP connections at:
Local URL -> tcp://localhost:3000
Accessing the IoT device from your laptop
Now you can access your IoT device’s SSH server using the above SocketXP local endpoint, instead of a public endpoint, as shown below.
$ ssh -i ~/.ssh/john-private.key john@localhost -p 3000
We recommend using SocketXP Private TCP Tunnels for all your remote IoT device access needs.
If you are stuck and need assistance with our SocketXP IoT Remote Access Solution or you have a query that needs to be answered, please feel free to reach out to us. We'll get back to you as soon as possible. Email us: firstname.lastname@example.org
SocketXP Scaling and Performance
SocketXP IoT Gateway easily supports up to 10K devices per customer account. SocketXP IoT Gateway also has the built-in capability to grow on demand, as it is deployed as a Kubernetes service in the Google Cloud Platform.
All Raspberry Pi devices come with an SSH server installed. If your device is not Raspberry Pi based and you want to know how to install and configure an SSH server, SSH clients and SSH public/private keys for remote access, continue reading the following sections.
How to install OpenSSH server on your IoT device
OpenSSH is free, open source software that uses the SSH protocol to create secure and encrypted communication channels over computer networks. OpenSSH is developed by the OpenBSD community and is released under a Simplified BSD License.
OpenSSH comes with additional features such as SFTP and SCP to perform secure file transfer and secure copy over a computer network.
To install and run SSH server on your IoT device, execute the following commands:
Debian/Ubuntu Linux: First update your Linux packages and then install the OpenSSH server.
$ sudo apt-get update
$ sudo apt-get install openssh-server
The following commands will enable and run the SSH server as a daemon in the background.
$ sudo systemctl enable ssh
$ sudo systemctl start ssh
CentOS/Fedora Linux: First update your packages and then install the OpenSSH server.
$ sudo yum update
$ sudo yum -y install openssh-server
Then enable the SSH server and start it.
$ sudo chkconfig sshd on
$ sudo service sshd start
SSH uses port 22 for communication. If it is not open already, execute the following commands to open the SSH port in the iptables firewall of your Linux system and save the rule.
$ sudo /sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
$ sudo service iptables save
How to install SSH client on your client machines
Use the following command to install SSH client on your laptops or any device from where you would remote SSH into your IoT device.
Debian/Ubuntu Linux:
$ sudo apt-get update
$ sudo apt-get install openssh-client
CentOS/Fedora Linux (the client package is named openssh-clients on these distributions):
$ sudo yum update
$ sudo yum -y install openssh-clients
How to create and setup SSH Keys
SSH uses public/private key pairs to authenticate clients and secure the communication channel. Use the ssh-keygen command to generate SSH keys for those clients that need to SSH into your IoT devices.
Go to your client machine (Laptop, for eg.) and open up a terminal and execute the following command. Follow the instructions on the screen to create a public/private key pair.
$ ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/your_home/.ssh/id_rsa):
The keys will usually be saved in your home directory under the ".ssh" folder. Leave the private key on your client machine. Copy just the contents of the /home/your_home/.ssh/id_rsa.pub file and paste it (actually, append it) to the "~/.ssh/authorized_keys" file on the IoT device where the SSH server runs.
From now on, you can log in to your IoT device remotely using the SSH private key on your client machine with the following command (ssh-keygen saves the private key as id_rsa, without a .key suffix).
$ ssh -i ~/.ssh/id_rsa email@example.com -p 23224
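Two helpers for the steps just described and for the slave-mode access earlier on this page, added here as an example; they are not the article's or SocketXP's own code. The first appends a public key to authorized_keys without creating duplicates and sets the permissions sshd expects. The second writes a client ssh config entry for the SocketXP local endpoint (localhost:3000, user "john", device name "tempsensor-00001" from the page) with HostKeyAlias, so the device's host key is pinned under its own name rather than under [localhost]:3000.

```shell
#!/usr/bin/env bash
# Constructed helpers; not the article's or SocketXP's own code.
set -euo pipefail

# Append an OpenSSH public key to authorized_keys only if its type+blob is
# not already there (a changed comment must not create a duplicate), and set
# the modes sshd's StrictModes insists on: 700 for .ssh, 600 for the file.
install_authorized_key() {   # usage: install_authorized_key id_rsa.pub ~/.ssh
  local pubkey_file="$1" ssh_dir="$2" auth key_line blob
  auth="$ssh_dir/authorized_keys"
  key_line=$(awk '/^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) /{print; exit}' "$pubkey_file")
  [ -n "$key_line" ] || { echo "no OpenSSH public key in $pubkey_file" >&2; return 1; }
  blob=$(printf '%s\n' "$key_line" | awk '{print $1 " " $2}')
  mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
  touch "$auth" && chmod 600 "$auth"
  if awk -v want="$blob" '($1 " " $2) == want {found = 1} END {exit !found}' "$auth"; then
    echo "already present"; return 0
  fi
  printf '%s\n' "$key_line" >> "$auth"
  echo "added"
}

# Client side: a Host entry for the SocketXP slave-mode endpoint on the page
# (localhost:3000). HostKeyAlias records the device's host key under its own
# name instead of [localhost]:3000, so two devices reached through the same
# local port are not confused and a changed host key is still flagged.
write_client_host_entry() {   # usage: write_client_host_entry ~/.ssh/config tempsensor-00001 3000 john ~/.ssh/john-private.key
  local config="$1" alias="$2" port="$3" user="$4" identity="$5"
  mkdir -p "$(dirname "$config")"
  cat >> "$config" <<EOF
Host $alias
    HostName localhost
    Port $port
    User $user
    IdentityFile $identity
    IdentitiesOnly yes
    HostKeyAlias $alias
EOF
  chmod 600 "$config"
}
# After "socketxp connect tcp://localhost:3000 --iot-slave --tunnel-name ...":
#   ssh tempsensor-00001
```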
Disable Password Authentication on your SSH Server
After configuring your SSH server and client to use private/public key for authentication, it is wise and safe to turn off password based authentication, because passwords are relatively easy to crack.
Before you perform this step, make sure you have setup your public/private key pairs correctly and you are able to login using them. Otherwise, once you disable password authentication, you’ll be locked out of your IoT device.
To disable password authentication, open the SSH server’s configuration file as a sudo user.
sudo nano /etc/ssh/sshd_config
Inside the file, search for a directive called PasswordAuthentication. It may be commented out. Uncomment the line and set the value to "no", so that it reads PasswordAuthentication no. This disables the ability to log in to the SSH server using account passwords.
Save and close the file when you are finished.
To actually implement the changes we just made, you must restart the service.
On Ubuntu or Debian machines, you can issue this command:
sudo service ssh restart
On CentOS/Fedora machines, issue the following command:
sudo service sshd restart
After completing this step, you’ve successfully transitioned your SSH daemon to only respond to SSH keys.
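An idempotent way to make the sshd_config change above, added as an example (not part of the article). It handles the commented-out line, a stray earlier occurrence (sshd uses the first match for a keyword), and drop-in files under /etc/ssh/sshd_config.d/ that newer distributions Include ahead of the main file, and it runs sshd's syntax check before restarting so a typo cannot lock you out.

```shell
#!/usr/bin/env bash
# Constructed hardening helper; not part of the article or the SocketXP project.
set -euo pipefail

# Set KEY to VALUE in an sshd_config-style file. sshd uses the FIRST
# occurrence of a keyword, so an earlier "PasswordAuthentication yes"
# would silently win: the first matching line (commented or not) becomes
# "KEY VALUE", later duplicates are dropped, and the line is appended if
# the keyword never appeared at all.
set_sshd_option() {   # usage: set_sshd_option /etc/ssh/sshd_config PasswordAuthentication no
  local file="$1" key="$2" value="$3" tmp
  tmp=$(mktemp)
  awk -v key="$key" -v value="$value" '
    { t = $0; sub(/^[ \t]*#?[ \t]*/, "", t); split(t, f, /[ \t=]+/) }
    tolower(f[1]) == tolower(key) { if (!done) { print key " " value; done = 1 }; next }
    { print }
    END { if (!done) print key " " value }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"      # cat, not mv: keeps the file's owner and mode
  rm -f "$tmp"
}

# Resolve KEY the way sshd does: first uncommented occurrence wins.
# Prints the value, or "unset" if the keyword does not appear.
first_value() {   # usage: first_value /etc/ssh/sshd_config PasswordAuthentication
  local file="$1" key="$2"
  awk -v key="$key" '
    /^[ \t]*#/ || NF == 0 { next }
    tolower($1) == tolower(key) { print $2; found = 1; exit }
    END { if (!found) print "unset" }
  ' "$file"
}

# Full flow on a real host (run as root, after key login has been verified).
# "sshd -t" validates the file before the restart so a typo cannot take the daemon down.
harden_sshd() {
  local file="${1:-/etc/ssh/sshd_config}"
  set_sshd_option "$file" PasswordAuthentication no
  set_sshd_option "$file" ChallengeResponseAuthentication no   # also blocks keyboard-interactive password prompts
  set_sshd_option "$file" PermitRootLogin prohibit-password
  # Newer distributions Include /etc/ssh/sshd_config.d/*.conf at the top of
  # the main file; an override there is consulted first, so flag it.
  grep -lEi '^[ \t]*PasswordAuthentication[ \t=]+yes' /etc/ssh/sshd_config.d/*.conf 2>/dev/null \
    && echo "warning: a drop-in file above still enables passwords" >&2
  sshd -t -f "$file" && (systemctl restart ssh 2>/dev/null || systemctl restart sshd)
}
```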
The solution discussed in this article is a secure method to remote SSH into your home or office computer because the data is encrypted using SSL.
SSH uses the same cryptography technology used by banks and governments to exchange highly confidential data over the internet.
The data transferred gets encrypted end-to-end between the SSH client and the SSH server.
SocketXP has no way to decrypt or eavesdrop on your encrypted data without knowing your SSH private keys. SocketXP merely acts as an online TCP reverse proxy server for the encrypted data traffic transmitted through the SSH connection.
IoT Remote SSH Security - Do's and Don'ts
What is IoT
IoT means Internet of Things. The term IoT refers to the devices that are connected to the internet. Today, almost all electrical and electronic gadgets at home such as your air conditioner, refrigerator, washing machine, light bulbs, fans, and security video cameras can be connected to the internet using home automation devices or IoT devices.
Vehicles such as cars, trucks, trains, airplanes and ships are connected to the internet through IoT devices to track their movement and operation.
Even heavy industrial machinery is connected to the internet via IoT devices. Sensors are added to the machinery or placed at various locations in a plant to monitor its performance and operation.
A simple Raspberry Pi based IoT device can be used to monitor, control and operate smart electronic gadgets and electrical appliances in your home or factory.
Remote SSH access to IoT devices
The primary reason why you deployed these IoT devices and connected them to the internet was to monitor, track and operate the devices while you are away from the location at which they are installed.
Sometimes you need a way to gain access to those IoT devices for troubleshooting, configuration updates, and other operational tasks. For example, a sensor device deployed at a factory that is hundreds of miles away is having trouble measuring the factory temperature. You can use secure remote access tunnels to open and quickly start a session to that sensor device. After you have identified the problem (for example, a misconfiguration or disk full error), you can reset the configuration, delete unwanted files or logs history and restart the sensor device through the same session.
In the traditional methods of troubleshooting you would typically wait until the next day to send a technician to the factory to investigate the sensor device. But remote access using secure tunneling (using SocketXP) decreases incident response and recovery time and operational costs.
But gaining remote access to IoT devices is no simple task. So often people take shortcuts and perform quick hacks on router/firewall settings to permit internet traffic into the corporate network. In the next section, we'll discuss some of these unsafe practices and the security risks associated with such configuration options.
Unsafe methods of SSH into Remote IoT devices
IoT devices in industries, factories, offices and homes are placed behind a firewall and NAT (Wi-Fi router or gateway router). IoT devices are always assigned a local IP address using mechanisms such as DHCP. The local IP addresses are usually assigned in the 10.X.X.X or 192.X.X.X range. IoT devices do not have publicly reachable IP addresses assigned to them.
The IoT devices behind the firewall can talk to servers on the internet (via the gateway router) but not the other way around. This is because you want to prevent your IoT devices from being accessed from the internet by unwanted people or hackers.
So to gain remote access from the internet to IoT devices in your home or factory is not easy and straightforward.
Many people practice the unsafe method of opening up ports (SSH port 22 or HTTP/HTTPS ports 80/443) in their firewall settings (ACL rules) or gateway router NAT configuration to allow particular traffic into the local network. They then use Dynamic DNS (DDNS) solutions to track the non-static public IP address of the gateway router. This method is prone to errors and creates a security risk for your IoT installation. Online attackers can scan for such open ports and try to sneak into your local network and servers.
The common myth or misunderstanding here is that people falsely believe that as long as they use a secure shell connection (SSH), everything going to port 22 is safe. But they fail to understand that they have left a door to their industrial, corporate or home network wide open for any stranger to sneak in without being noticed. The same door is shared by attackers and your secure SSH session alike. The problem is not in the SSH session but in the door you left wide open for anyone to sneak in.
What is the solution for IoT device Remote SSH Access
Secure reverse proxy tunneling to your remote IoT devices is the best solution for IoT remote access. Secure tunneling helps establish bidirectional communication channels to remote IoT devices over the internet. Secure tunneling does not require updates to your existing inbound firewall rule or gateway router, so you can keep the same security level provided by firewall rules at a remote site.