• 0 Posts
  • 18 Comments
Joined 1 year ago
cake
Cake day: October 18th, 2023

help-circle








  • IIRC Getting the LetsEncrypt certificate for NGINX Reverse Proxy requires direct access to the web site on port 80 - you are behind CGNAT and stuffed…

    Possibly have a look at Cloudflare tunnel (Cloudflared in Docker) - this gives you http / https access with certificates. I used these instructions and it took less than an hour to get up and running https://www.crosstalksolutions.com/cloudflare-tunnel-easy-setup/ Note my TTL on the domain was set low to speed up transfer of name servers.

    This also lets me access the sites directly using the full DNS entry even though my router does not handle hair pinning - no need for a local DNS server anymore.

    Note the above are slightly out of date to the screen layout but in principal they work fine.

    There is a small security concern - Cloudflare can intercept all traffic (even to/from https sites) internally - that does not worry me but your use case (or principals) may differ :-)




  • Not a router I know so I can only give general advice.

    You need to find out if your ISP allows incoming connections on port 22

    You will need to find out if you are on CGNAT or equivalent for your internet connection - look at the external IP address of your kit.

    You will need to set your Pi up to have a fixed IP address internally (based done on the router / DHCP server rather than on the PI)

    Get fail2ban and ssh keys working first (I would also look to add UFW - do it with a keyboard and screen set up just incase you lock down port 22 in error).

    Then you will need to find your router manual and look at that for port forwarding, It can be called a few things:

    1. Application / web services
    2. Port Forwarding
    3. NAT forwarding
    4. Incoming Port Triggering

    Avoid anything that is setting up DMZ - you only want to to open one port to the Pi and keep it on your network.

    Normally port forwarding will need to know the source and destination port (port 22 in both cases for SSH by default) and the internal IP address or destination (the PI) - some routers will need the MAC address of the PI instead of the IP address. You can normally find this from the router / DHCP server or from the Pi using ip a and looking for the MAC details. Some folk will recommend moving ssh from port 22 - two minds over this as a port scan will show the new port up BUT you do stop the stupid attacks that try to brute force 22 using pi / raspberry

    Testing is best done with a different network - use your mobile or a different house as lots of routers do not allow a loop back (hair pinning) into the same network as your originate the connection.

    If you find yourself on CGNAT or not able to open port 22 then there are a few things you can look at:

    • Zeroteir or Tailscale have a free offering for a VPN that originates inside your network so no ports need to be open
    • Cloudflare tunnels allow web (HTTP / HTTPS) and ssh tunnels to be set up

    All of these require a small client program to be running on the Pi or other machine.