In this scenario, the setup consists of one cloud Linux server, several Raspberry Pi 3 devices running Raspbian, and a Unix-based laptop or computer from which you want to access the devices. The devices sit behind NAT, so each one opens an outbound SSH connection to the server and publishes its own SSH port there (a reverse tunnel); you then reach a device by going through the server.
We will configure a remote forward of the device's SSH port (22) to port 10000 on the server. Feel free to change this port to anything you want, but each device needs its own port number on the server.
IMPORTANT: if you use autossh as described below, you also need two monitoring ports per connection. We will pass 10001 to autossh, and autossh also uses the next port (10002), so device #1 needs 10000, 10001 and 10002. Keep that in mind when you configure more devices.
First we create a separate user for the incoming ssh forwards:
Then we log in as that user and create its .ssh directory:
The ~/.ssh/authorized_keys file of this user will hold the public keys of all IoT devices.
Next we change the login shell of the tunnel user to one that refuses logins, so a device that connects with this account cannot execute any commands on the server:
Then we need to configure /etc/ssh/sshd_config; add the following to the end of the file:
In the above snippet, we define new rules that apply only to the user tunnel:
Additionally, you SHOULD disable password authentication on your server, so users can only log in with their keys. IMPORTANT: only do this once your own public key is already in place on the server and you have verified in a second session that key login works, otherwise you will lock yourself out! Run sshd -t after every change to sshd_config and only restart the service when it reports no errors.
With this set, the server is ready to accept remote forwarding connections.
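The server-side steps above, as an added example (this is not the page's own snippet). It assumes the account is called tunnel, that device #1 uses ports 10000 to 10002, and that the server is Debian/Ubuntu (the nologin shell lives at /usr/sbin/nologin and the service is called ssh). Without APPLY=1 it only prints the sshd_config fragment; as root with APPLY=1 it creates the user and applies the fragment after validating it with sshd -t.

```shell
#!/bin/sh
# Added example for the server side of the reverse-tunnel setup (not the
# original page's code). Assumptions: user "tunnel", ports 10000-10002,
# Debian/Ubuntu paths and service name. APPLY=1 as root applies the changes.
set -eu

TUNNEL_USER="${TUNNEL_USER:-tunnel}"
PORTS="${PORTS:-10000 10001 10002}"   # tunnel port + two autossh monitor ports

# sshd_config fragment for the tunnel account (appended as a Match block):
#  AllowTcpForwarding remote : the account may open -R forwards, but no -L
#  GatewayPorts no           : forwarded ports bind to 127.0.0.1 on the server
#  PermitListen              : only these ports may be requested with -R
#                              (OpenSSH >= 7.8; on older servers remove the
#                              line, sshd refuses to start on unknown options)
#  PermitTTY/ForceCommand    : defence in depth if a device omits -N
sshd_match_block() {   # $1 user, $2 space-separated port list
    cat <<EOF

Match User $1
    AllowTcpForwarding remote
    GatewayPorts no
    PermitListen $2
    X11Forwarding no
    AllowAgentForwarding no
    PermitTTY no
    ForceCommand /usr/sbin/nologin
    PasswordAuthentication no
EOF
}

apply_server_setup() {
    home="/home/$TUNNEL_USER"
    # shell that refuses logins: the account can only be used for forwarding
    useradd -m -s /usr/sbin/nologin "$TUNNEL_USER"
    install -d -m 700 -o "$TUNNEL_USER" -g "$TUNNEL_USER" "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chown "$TUNNEL_USER:$TUNNEL_USER" "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    sshd_match_block "$TUNNEL_USER" "$PORTS" >> /etc/ssh/sshd_config
    sshd -t                      # a typo here would lock you out after restart
    systemctl restart ssh || systemctl restart sshd
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_server_setup
else
    sshd_match_block "$TUNNEL_USER" "$PORTS"
fi
```

Because GatewayPorts stays off, port 10000 is only reachable on the server's loopback interface; anyone who wants to reach a device still has to authenticate to the server first, which is what the last part of this guide relies on.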
On each device, first install autossh, which restarts the ssh connection whenever it drops (the setup also works with the plain ssh command, but then nothing reconnects for you):
Then we need to install supervisord, so that the tunnel starts on boot and is restarted if it crashes:
The next step is to set up a supervisor program (create /etc/supervisor/conf.d/ssh-forward.conf):
This config starts autossh with monitoring port 10001; autossh also uses 10002 for the connection check. The tunnel itself is opened on port 10000 on the cloud server.
Then we create a private and public key pair for the root user on the device and add the config for the ssh connection. This guide runs the tunnel as root, but note that root is not actually required: -R only connects to the device's local port 22, which any user may do, and the port that gets bound is 10000 on the server. Only binding a port below 1024 would need root. A dedicated unprivileged user on the device (with the key and ssh config in that user's home and user= set accordingly in the supervisor config) is the safer choice; the paths below assume root.
Then we need to add a host entry to the ssh config file (/root/.ssh/config):
Add the following to the config file (replace 123.123.123.123 with your cloud server’s IP address):
After this, we need to add the device's public key to the tunnel user on the server:
Copy this key, log in to your cloud server and add it to the authorized_keys file of the tunnel user:
This has to be done from another account with a shell (your admin user plus sudo), since the tunnel user no longer has one. Be sure to check the file permissions afterwards: authorized_keys should be mode 600 and owned by the tunnel user, and its ~/.ssh directory mode 700, or sshd will ignore the key.
Then test the connection by hand, which also records the server's host key. If you skip this step, the ssh started by supervisor will hang waiting for the fingerprint prompt! Do not accept the fingerprint blindly: compare it with the output of ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub (or the file for the key type shown) run on the server itself.
The ssh command should keep the connection open without giving you a shell and without exiting right away. Then you know it works as expected!
Then we need to reload the supervisor configuration:
Check if everything worked as expected:
You should see Active: active (running), and in the process list you should see the /usr/bin/autossh process.
You also need to check on your server that the forward has been opened, i.e. that port 10000 is listening on the server's loopback interface:
There you should see something like this:
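The device-side key, host entry, server registration and manual test from the steps above, as an added example that is not the page's own code. It assumes the server placeholder address 123.123.123.123 from this guide, a host alias cloud, a dedicated key at ~/.ssh/id_ed25519_tunnel and the tunnel port 10000 for this device. Without APPLY=1 it only prints the ssh config entry; with APPLY=1 it generates the key, appends the entry, prints the line to paste into the tunnel user's authorized_keys and runs the manual test.

```shell
#!/bin/sh
# Added example, device side (not from the original page). Assumed names:
# server 123.123.123.123, alias "cloud", key ~/.ssh/id_ed25519_tunnel,
# tunnel port 10000 for this device. APPLY=1 performs the steps.
set -eu

SERVER_IP="${SERVER_IP:-123.123.123.123}"
TUNNEL_PORT="${TUNNEL_PORT:-10000}"
KEY="${KEY:-$HOME/.ssh/id_ed25519_tunnel}"

# ~/.ssh/config entry. BatchMode makes ssh fail instead of prompting (an
# unattended tunnel must never hang on a password or fingerprint prompt),
# StrictHostKeyChecking refuses unknown server keys, and
# ExitOnForwardFailure makes ssh exit when port $TUNNEL_PORT is already taken
# on the server, so autossh retries instead of sitting on a dead forward.
ssh_host_entry() {   # $1 server address, $2 key path
    cat <<EOF
Host cloud
    HostName $1
    User tunnel
    IdentityFile $2
    IdentitiesOnly yes
    BatchMode yes
    StrictHostKeyChecking yes
    ServerAliveInterval 30
    ServerAliveCountMax 3
    ExitOnForwardFailure yes
EOF
}

# authorized_keys line for the server: "restrict" disables pty, agent, X11
# and rc; "port-forwarding" re-enables forwarding; permitlisten (OpenSSH 7.8+)
# limits -R to this device's three ports even if sshd_config is more lenient.
authorized_keys_line() {   # $1 public key line, $2 $3 $4 allowed ports
    printf 'restrict,port-forwarding,permitlisten="%s",permitlisten="%s",permitlisten="%s" %s\n' \
        "$2" "$3" "$4" "$1"
}

manual_test() {
    mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
    # unencrypted key: it has to be usable without anyone typing a passphrase
    [ -f "$KEY" ] || ssh-keygen -t ed25519 -N '' -C "tunnel@$(hostname)" -f "$KEY"
    ssh_host_entry "$SERVER_IP" "$KEY" >> "$HOME/.ssh/config"
    chmod 600 "$HOME/.ssh/config"
    echo "Add this line to /home/tunnel/.ssh/authorized_keys on the server:"
    authorized_keys_line "$(cat "$KEY.pub")" \
        "$TUNNEL_PORT" $((TUNNEL_PORT + 1)) $((TUNNEL_PORT + 2))
    # Record the server key once and print its fingerprint; compare it with
    # `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` run ON the server
    # before continuing. StrictHostKeyChecking refuses anything not listed.
    ssh-keyscan -t ed25519 "$SERVER_IP" 2>/dev/null \
        | tee -a "$HOME/.ssh/known_hosts" | ssh-keygen -lf -
    # Manual test: -N opens no shell; the command must stay connected.
    # Check on the server with: ss -tln | grep ":$TUNNEL_PORT "
    ssh -N -R "$TUNNEL_PORT:127.0.0.1:22" cloud
}

if [ "${APPLY:-0}" = 1 ]; then
    manual_test
else
    ssh_host_entry "$SERVER_IP" "$KEY"
fi
```

The same alias cloud is what the supervisor program later hands to autossh, so every option that matters for unattended operation lives in the config entry rather than on the command line.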
After setting up your cloud server and configuring your IoT device, let’s make some use of the tunnel.
First, we need to open a tunnel from your computer (local port 9090, feel free to change it) to port 10000 on the cloud server. This must be done with an account that has a shell on the server, not with the tunnel user:
And last but not least, we open an ssh connection to the IoT device through that tunnel. Replace user with your Unix user on the IoT device:
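The laptop side, as an added example that is not part of the original page. It assumes the server placeholder 123.123.123.123, a server account admin that has a shell and the default AllowTcpForwarding, and the device user pi. Rather than opening the -L tunnel by hand each time, it writes one ~/.ssh/config entry per device that uses ProxyJump (OpenSSH 7.3 or newer), which performs the same two hops in a single command; the two-step variant is shown in the comments.

```shell
#!/bin/sh
# Added example, laptop side (not from the original page). Assumed names:
# server 123.123.123.123, server account "admin" (has a shell; not the tunnel
# user), device user "pi", device #1 on tunnel port 10000.
set -eu

SERVER="${SERVER:-123.123.123.123}"
ADMIN="${ADMIN:-admin}"
IOT_USER="${IOT_USER:-pi}"

# ProxyJump opens a session to the server and from there a channel to
# 127.0.0.1:<port>, which is exactly what "-L 9090:localhost:10000" does by
# hand. HostKeyAlias stores each device's host key under its own name: without
# it every device is "[127.0.0.1]:<port>" in known_hosts, and renumbering a
# port would pair a device with another device's stored key without warning.
device_host_entry() {   # $1 device number, $2 tunnel port on the server
    cat <<EOF
Host iot$1
    HostName 127.0.0.1
    Port $2
    User $IOT_USER
    ProxyJump $ADMIN@$SERVER
    HostKeyAlias iot$1
EOF
}

# Usage: append the entry to ~/.ssh/config, then simply: ssh iot1
# The equivalent two-step version without ProxyJump is:
#   ssh -N -L 9090:127.0.0.1:10000 admin@123.123.123.123      (terminal 1)
#   ssh -p 9090 -o HostKeyAlias=iot1 pi@127.0.0.1             (terminal 2)
device_host_entry "${DEVICE:-1}" "${PORT:-10000}"
```

On first use ssh shows the device's host key fingerprint; verify it against ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub run on the Raspberry Pi, the same way the server key was checked on the device.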
This was the setup for your first IoT device.
To add further devices, repeat the device setup on each new device and use different port numbers in its /etc/supervisor/conf.d/ssh-forward.conf. On the server, add the new device's public key to the tunnel user's authorized_keys (and extend the allowed ports in sshd_config if you restricted them).
IMPORTANT: be aware that when you specify a monitoring port (10001 in this case), autossh will also use the port above it (10002), so every device needs three consecutive free ports on the server.
So if we add another IoT device, we would use the following port numbers:
Port  -> Use
10000 -> Tunnel for IoT #1
10001 -> Monitoring port #1 for IoT #1
10002 -> Monitoring port #2 for IoT #1
10003 -> Tunnel for IoT #2
10004 -> Monitoring port #1 for IoT #2
10005 -> Monitoring port #2 for IoT #2
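The port scheme above and the supervisor program from the device setup, as one added example that is not the page's own configuration. It derives the three ports of device n from a base of 10000 (tunnel port 10000 + 3(n-1), monitoring port one above it) and emits the ssh-forward.conf stanza for that device; the host alias cloud is assumed to exist in the ssh config of the account the tunnel runs as (root here, following the guide), and the supervisor option names are standard ones.

```shell
#!/bin/sh
# Added example (not from the original page): port allocation per device and
# the matching supervisor program. Assumptions: base port 10000, ssh host
# alias "cloud" in the running account's ~/.ssh/config, tunnel run as root
# (a dedicated unprivileged user is preferable; set RUN_AS and keep the key
# and config in that user's home). APPLY=1 writes the file and reloads.
set -eu

BASE="${BASE:-10000}"
RUN_AS="${RUN_AS:-root}"

# Device n gets three consecutive ports: tunnel, monitor, monitor+1.
tunnel_port()  { echo $(( BASE + 3 * ($1 - 1) )); }
monitor_port() { echo $(( $(tunnel_port "$1") + 1 )); }   # autossh also uses +1

# Supervisor stanza. AUTOSSH_GATETIME=0 stops autossh from giving up when the
# very first attempt fails (e.g. network not up yet at boot); a large
# startretries keeps supervisor retrying instead of marking the job FATAL.
supervisor_conf() {   # $1 device number
    t=$(tunnel_port "$1"); m=$(monitor_port "$1")
    cat <<EOF
[program:ssh-forward]
command=/usr/bin/autossh -M $m -N -R $t:127.0.0.1:22 cloud
user=$RUN_AS
autostart=true
autorestart=true
startsecs=10
startretries=1000000
environment=AUTOSSH_GATETIME="0",AUTOSSH_POLL="30"
stdout_logfile=/var/log/supervisor/ssh-forward.log
stderr_logfile=/var/log/supervisor/ssh-forward.err
EOF
}

apply_device() {   # $1 device number
    supervisor_conf "$1" > /etc/supervisor/conf.d/ssh-forward.conf
    supervisorctl reread
    supervisorctl update
    supervisorctl status ssh-forward
    # On the server, confirm the listener: ss -tln | grep ":$(tunnel_port "$1") "
}

DEVICE="${DEVICE:-1}"
if [ "${APPLY:-0}" = 1 ]; then
    apply_device "$DEVICE"
else
    echo "# device $DEVICE: tunnel $(tunnel_port "$DEVICE"), monitor $(monitor_port "$DEVICE") and $(( $(monitor_port "$DEVICE") + 1 ))"
    supervisor_conf "$DEVICE"
fi
```

Running it with DEVICE=2 prints the stanza with -M 10004 and -R 10003:127.0.0.1:22, matching the table above; the server side must then list 10003 to 10005 as permitted ports for device #2's key.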