
Remotely Access IoT behind NAT Router and Firewall

Author: Ganesh Velrajan

Last Updated: Jul 8, 2025

In this article, we’ll discuss how to securely access, control and manage remote IoT devices, such as a Raspberry Pi or Nvidia Jetson, located behind a NAT router or firewall, from an outside network over the internet, so that you can manage your IoT device from anywhere.

IoT is quickly becoming popular worldwide because of the unlimited workflow automation opportunities that come with it. However, if not managed properly, these IoT devices can become a liability and lead to customer churn, resulting in lost revenue.

The biggest challenge for any IoT vendor is:
How to securely connect, control and manage remote IoT devices, located behind NAT router and firewall, to login, debug, monitor, reboot, configure and update them remotely?

There are several ways to securely access a remote IoT device behind a NAT router and firewall over the Internet, but the most common ones are:

  1. Secure Shell (SSH)
  2. Remote Desktop Protocol (RDP)
  3. Virtual Network Connection (VNC)
  4. Web Application
  5. Remote Command Execution

In this article, we’ll discuss how to configure and setup IoT device for:

We will be using SocketXP IoT Management and Remote Access Platform to remotely connect to IoT device behind NAT router and firewall.

You can use SocketXP to remotely connect to any IoT device behind NAT router and firewall from outside network such as the internet.

What is a NAT router

A NAT (Network Address Translation) router is a crucial device in modern networking, especially for home and small business networks. Its primary function is to allow multiple devices on a private network (like your home Wi-Fi) to share a single public IP address when communicating with the internet.

How a NAT router generally works:

A NAT router generally works by routing traffic from devices in the private network to the devices or systems in the public internet. This is typically done by mapping or translating the internal private IP address and port number to an external public IP address and port.

Private IP Addresses:

Devices within your home network (your laptop, smartphone, smart TV, IoT devices) are assigned private IP addresses (e.g., 192.168.1.x, 10.0.0.x). These addresses are not routable on the public internet, meaning they are only unique within your local network.

Public IP Address:

Your router has a single public IP address assigned by your Internet Service Provider (ISP). This is your network’s “identity” on the internet.

Translation Process:

When a device in your private network wants to access the internet (e.g., fetch a webpage), it sends a request to the NAT router. The router intercepts this request, changes the source IP address from the device’s private IP to its own public IP address, and also assigns a unique port number to that specific connection. It then sends the request to the internet.

Tracking Connections:

The NAT router maintains a “NAT table” that maps the outgoing public IP address and port number back to the original private IP address and port number of the internal device.

Returning Traffic:

When the response from the internet arrives at the router’s public IP address and the associated port, the router consults its NAT table. It then translates the destination IP address back to the correct private IP address of the original requesting device and forwards the data to that device.

Why NAT is used:

IP Address Conservation: The most significant reason for NAT is to combat the exhaustion of IPv4 addresses. With a limited number of public IPv4 addresses, NAT allows countless devices to connect to the internet using a much smaller pool of public IPs.

Security (by obscurity): By hiding the private IP addresses of internal devices, NAT adds a layer of security. External entities on the internet cannot directly “see” or initiate connections to individual devices within your private network.

Why it is difficult to remote access an IoT device behind a NAT router:

The very mechanism that makes NAT useful for IP conservation and basic security is what makes remote access to devices behind it challenging.

Here’s why:

No Direct Inbound Connection:

When an external device (e.g., your smartphone trying to connect to your IoT device from outside your home network) sends a request to your router’s public IP address, the router doesn’t automatically know which internal device (like your smart thermostat or camera) that request is intended for.

The NAT table only records connections that originated from the internal network. If the internal IoT device hasn’t initiated an outbound connection to the external remote access service, there’s no entry in the NAT table for the router to use to forward the incoming request.

This is like trying to call someone in an apartment building when you only know the building’s address and not the specific apartment number.

Firewall Functionality:

Most NAT routers also include basic firewall functionality. This firewall, by default, is configured to block unsolicited incoming connections from the internet to your private network. This is a security measure to prevent unauthorized access.

For a remote access attempt to succeed, this firewall needs to be explicitly configured to allow the connection.

Dynamic Public IP Addresses:

Many ISPs assign dynamic public IP addresses to residential and small business routers. This means your router’s public IP address can change periodically.

If you’re trying to connect to your IoT device using its public IP, and that IP changes, your connection will fail. You’d need a Dynamic DNS (DDNS) service to constantly update a hostname with your router’s current public IP.

Common (but problematic or complex) workarounds for NAT challenges:

These are workarounds and not solutions for overcoming NAT challenges.

Port Forwarding:

This involves manually configuring your router to direct incoming traffic on a specific public port to a specific private IP address and port of your IoT device.

Challenge: Requires manual configuration for each device, can be complex for non-technical users, and significantly reduces security by exposing a specific port of your internal device directly to the internet, making it vulnerable to scanning and attacks. Also problematic with dynamic IPs without DDNS.

Demilitarized Zone (DMZ):

You can assign a device to the DMZ, outside the scope of the firewall, which essentially exposes all of its ports directly to the internet.

Challenge: This is a major security risk as it bypasses the firewall entirely for that device. Rarely recommended for IoT devices.

VPN (Virtual Private Network):

You can set up a VPN server within your private network or on a device inside the network. This creates a secure tunnel, making your external device appear as if it’s on the local network.

Challenge: Requires technical expertise to set up and manage, and the VPN server itself still needs to be accessible from outside (often requiring port forwarding).

UPnP (Universal Plug and Play):

Some devices use UPnP to automatically request port forwarding from the router.

Challenge: While convenient, UPnP is often considered a security risk as it can allow devices to open ports without explicit user approval.

Modern Solutions (like SocketXP):

Solutions like SocketXP overcome these NAT and firewall limitations by establishing outbound-initiated connections (a.k.a reverse proxy connections) from the IoT device to a cloud-based service.

Since the IoT device initiates the connection, it appears as legitimate outbound traffic to the NAT router and firewall.

The cloud service then acts as a secure intermediary, creating a secure SSL/VPN tunnel that allows remote access to the IoT device without requiring any complex port forwarding or exposing the device directly to the internet.

This is often referred to as a reverse tunnel or secure tunnel.
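The NAT behaviour described earlier (outbound mappings, dropped unsolicited inbound traffic, port forwarding) and the reason an outbound-initiated tunnel gets through, as a small model added here; it is not SocketXP code. The `NatRouter` class and all addresses are constructed for the example, and the model assumes the router accepts replies only from the endpoint the device contacted.

```python
from itertools import count


class NatRouter:
    """Port-translating NAT with a connection table and static forwards."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.table = {}     # public port -> (private endpoint, remote endpoint)
        self.forwards = {}  # public port -> private endpoint (port forwarding)

    def outbound(self, private, remote):
        """Device -> internet: rewrite the source and record the mapping."""
        port = next(self._ports)
        self.table[port] = (private, remote)
        return (self.public_ip, port)

    def inbound(self, remote, public_port):
        """Internet -> device: return the private endpoint, or None if dropped."""
        if public_port in self.forwards:
            return self.forwards[public_port]   # static rule: any sender passes
        entry = self.table.get(public_port)
        if entry is None or entry[1] != remote:
            return None                         # unsolicited traffic
        return entry[0]


def demo():
    # Constructed addresses: RFC 5737 documentation ranges plus one RFC 1918 host.
    router = NatRouter("198.51.100.7")
    relay = ("203.0.113.10", 443)    # stands in for the cloud service
    user = ("192.0.2.99", 55000)     # remote operator, or equally a port scanner
    agent = ("192.168.1.50", 51000)  # device-side agent, ephemeral source port

    results = {"direct": router.inbound(user, 22)}   # no table entry yet
    mapped = router.outbound(agent, relay)           # device dials out
    results["mapped"] = mapped
    results["relay_reply"] = router.inbound(relay, mapped[1])
    results["user_on_mapping"] = router.inbound(user, mapped[1])
    # Port forwarding for comparison: public 2222 -> the device's SSH port.
    router.forwards[2222] = ("192.168.1.50", 22)
    results["forwarded"] = router.inbound(user, 2222)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} {value}")
```

Only the relay's reply on the device-initiated connection and the port-forwarded request reach the device; the forwarded port accepts any sender, which is the exposure the port forwarding workaround carries.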

What is SocketXP

SocketXP is a cloud based secure remote access solution to access, manage and debug embedded Linux devices such as Nvidia Jetson or any other IoT device over the internet.

Usually these devices are located behind a NAT router or firewall, making it challenging to access them safely and securely. SocketXP creates a secure SSL/TLS connection over the internet through your NAT router and firewall to your IoT device for secure remote access.

No configuration changes are required in your home or office router to make the SocketXP solution work. Also, no public IP is required.

It simply works out of the box.

SocketXP creates SSL/TLS reverse proxy tunnels to securely connect to remote devices.

SocketXP does not use insecure methods such as port forwarding and Dynamic DNS (DDNS), which expose your IoT device directly to the internet, permitting hackers and port scanners to access your devices.

SocketXP is an enterprise-grade IoT remote access and management platform trusted by thousands of customers around the world today for secure remote access to their IoT device behind NAT router and Firewall over the internet from outside network.

Let’s dive in and get started.

1. Remotely connect to IoT behind NAT router or firewall over the Internet using SSH

Secure Shell (SSH) is a network protocol that provides a secure means to connect to a device terminal over an unsecured network such as the internet.

SSH follows a client server model – the SSH server runs on the IoT and the SSH client runs on the user laptop or PC. SSH server listens on TCP port 22 by default.

OpenSSH provides an open source implementation of the SSH server and client software.

Note: Your IoT device comes with SSH server software installed.

SSH client needs to know the IP address of the device in which the SSH server runs so that it can connect to it.

Because IoT devices installed behind a NAT router and firewall cannot be accessed from the internet, we’ll use SocketXP’s IoT Remote Access solution to remotely connect to the IoT terminal using SSH over the internet.

To learn more refer to: how to setup and configure your IoT for remote SSH access over the internet

2. Connect to IoT behind NAT router and Firewall over the Internet using VNC

Virtual Network Connection (VNC) is a protocol for safely accessing the IoT Graphical User Interface (GUI) or desktop. VNC is typically used for remotely accessing the GUI of Linux-based platforms such as IoT devices.

VNC follows a client server model – the VNC server runs on the IoT and the VNC client runs on the user laptop or PC. VNC server listens on TCP port 5901 by default.

TightVNC is open source VNC software that can be installed on IoT for remote desktop access.

Because IoT devices installed behind a NAT router and firewall cannot be accessed from the internet, we’ll use SocketXP’s IoT Remote Access solution to remotely connect to the IoT GUI Desktop using VNC over the internet.

To learn more refer to: how to setup and configure your IoT behind NAT router and firewall for remote VNC access over the internet

3. Connect to IoT Remote Desktop (RDP) behind NAT router and Firewall over the Internet using xrdp

Remote Desktop Protocol (RDP) is a proprietary protocol invented by Microsoft for accessing the Windows desktop of one Windows machine from another Windows machine in a local network.

RDP follows a client server model – the RDP server runs on the IoT and the RDP client runs on the user laptop or PC. RDP server listens on TCP port 3389 by default.

Microsoft has opened up RDP for third parties to implement. xrdp is an open source implementation of Microsoft RDP. xrdp is typically used for remotely accessing the GUI desktop of Linux-based platforms such as IoT devices.

Because IoT devices installed behind a NAT router and firewall cannot be accessed from the internet, we’ll use SocketXP’s IoT Remote Access solution to remotely connect to the IoT GUI desktop using xrdp over the internet.

To learn more refer to: how to setup and configure your IoT behind NAT router and firewall for remote desktop access over the internet using xrdp

4. Remote Control IoT Behind NAT router or Firewall using a Web App

Installing and running a web application on your IoT is one way to remotely connect and control your IoT using a web client.

For example, you could write a simple Python Flask web server application to remotely access files such as images, videos from a web camera, configuration files and log files.

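$ cat get_files.py
from flask import Flask, send_from_directory

app = Flask(__name__)

# <path:path> captures the rest of the URL, slashes included, as the file path.
@app.route('/<path:path>')
def send_report(path):
    # Serves files relative to '/', i.e. anything this process can read.
    # Point it at a dedicated directory to limit what is exposed.
    return send_from_directory('/', path)

if __name__ == '__main__':
    # Listen on loopback only. debug stays off so the Werkzeug debugger
    # is never reachable once the app is published through a tunnel.
    app.run(host='127.0.0.1', port=3000, debug=False)

You can use a web browser to access this web server application running on your IoT device from the local network. Just point your browser to http://localhost:3000 followed by the path of the file you want to fetch.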

But IoT devices installed behind a NAT router and firewall cannot be accessed from the internet.

We’ll use SocketXP’s IoT Remote Access solution to remotely connect to the Python Flask web server application over the internet.

SocketXP creates a secure public web URL (HTTPS) for the local web app running in your Pi.
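A hardened variant of the file server for use behind a public URL, added here as an example (not the author's or SocketXP's code): it requires a bearer token and confines reads to one directory. It is written as a plain WSGI callable with the Python standard library instead of Flask so it runs without extra packages; `make_app`, `fetch`, `SHARE_DIR` and `FILE_TOKEN` are names chosen for this example.

```python
import hmac
import os
from wsgiref.simple_server import make_server


def make_app(share_dir, token):
    """WSGI file server: bearer token required, reads confined to share_dir."""
    base = os.path.realpath(share_dir)
    expected = f"Bearer {token}".encode()

    def app(environ, start_response):
        def reply(status, body=b""):
            start_response(status, [("Content-Type", "application/octet-stream"),
                                    ("Content-Length", str(len(body)))])
            return [body]

        supplied = environ.get("HTTP_AUTHORIZATION", "").encode()
        # An empty configured token denies everyone; compare in constant time.
        if not token or not hmac.compare_digest(supplied, expected):
            return reply("401 Unauthorized")
        # realpath() collapses ../ and follows symlinks before the containment test.
        rel = environ.get("PATH_INFO", "").lstrip("/")
        full = os.path.realpath(os.path.join(base, rel))
        if os.path.commonpath([full, base]) != base or not os.path.isfile(full):
            return reply("404 Not Found")
        with open(full, "rb") as fh:
            return reply("200 OK", fh.read())

    return app


def fetch(app, path, auth=None):
    """Call the WSGI app directly (no socket) and return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if auth:
        environ["HTTP_AUTHORIZATION"] = auth
    seen = []
    body = b"".join(app(environ, lambda status, headers: seen.append(status)))
    return seen[0], body


if __name__ == "__main__":
    # SHARE_DIR and FILE_TOKEN are hypothetical environment variable names.
    app = make_app(os.environ["SHARE_DIR"], os.environ["FILE_TOKEN"])
    # Loopback only, same port as the Flask example; the tunnel agent connects locally.
    make_server("127.0.0.1", 3000, app).serve_forever()
```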

To learn more refer to: how to remote access IoT web app over the internet

5. Send Remote Commands to IoT over the Internet from Outside Network

Remote Command Execution - the ability to send one-off shell commands to your IoT to quickly fetch crucial information or take some corrective action on your remote IoT is immensely important.

It is cumbersome to always have to log in to your IoT over SSH with your login and password just to execute a simple command or a program.

This becomes even more tedious if you have to execute the same script or command on a fleet of IoT devices.

SocketXP’s IoT Remote Access solution provides you the ability to remotely execute a shell script, a command or any Python program on a single IoT device or on a fleet of IoT devices over the internet.

To learn more refer to: how to setup and configure your IoT behind NAT router and firewall for remote command execution over the internet

Conclusion:

In this article, we discussed the five different options available to remotely access IoT behind NAT router and firewall: SSH, VNC, RDP, Web App and Remote Command Execution.

We also discussed how SocketXP’s IoT Remote Access solution offers a secure, powerful and convenient way to remotely manage and control your IoT devices.

With its user-friendly interface, advanced features, and unparalleled flexibility, this innovative solution is a must-have tool for IoT enthusiasts.

Take advantage of this cutting-edge solution and unlock the full potential of your IoT devices. Try SocketXP’s IoT Remote Access solution today and discover the convenience and versatility it can bring to your IoT projects.
