remote maintenance from outside of network?

TOMillr
Posts: 13
Joined: Wed Apr 04, 2018 8:29 pm

remote maintenance from outside of network?

Post by TOMillr »

I'd like to run a DietPi-setup as an offsite backup location at my parent's place.

Is it possible to setup DietPi to allow me to access the system remotely and do some basic maintenance?

I'm already using a DynDNS setup on my router. Do I need to install additional software to get this done?
MichaIng
Site Admin
Posts: 2295
Joined: Sat Nov 18, 2017 6:21 pm

Re: remote maintenance from outside of network?

Post by MichaIng »

You can use SSH, but when opening it to the www, you should harden SSH security. Read our wiki about it: https://github.com/MichaIng/DietPi/wiki ... dation#ssh
- Do not open port 22 directly, but forward some random 4-digit port via the router to port 22 of the DietPi machine. This is because there are many bots out there trying to log in on random IPs at port 22.
- Install fail2ban via dietpi-software to also prevent possible brute-force attacks on your random port. There will most likely be none, but better to be on the secure side.
- And to finally break any non-bot hackers' login attempts, use public key authentication instead of user/password, at least for the root user. You can also add a passphrase to the key, so that for login the client needs the key plus a password. I can add some details to the wiki about how to do this with e.g. PuTTY on Windows or openssh+dropbear on Linux clients.
- You can even disable root login via SSH completely and log in via another user + use password-protected sudo then. However IMO, as long as there is no very private data or things like company secrets reachable from within your network (that would attract hackers), with key-authenticated login on a non-default port + fail2ban you should be fine.
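The settings from the list above, as an added example that is not part of the original post or the DietPi wiki: a small POSIX sh script that audits an sshd_config for password login, keyboard-interactive login, public key login and root login, and prints a fail2ban jail fragment to go with it. The two config texts are constructed samples, not real files; the defaults assumed when an option is absent are current OpenSSH defaults (OpenSSH 7.0 or newer). sshd itself keeps listening on port 22 on the LAN, as in the post; the random external port lives on the router.

```shell
#!/bin/sh
# Added example (not DietPi code): audit an sshd_config against the
# hardening steps above and print a matching fail2ban jail.
# POSIX sh + awk only. Both configs below are constructed samples.

# Constructed sample: unsafe to expose via a router port-forward
# (password login allowed, root login with password allowed).
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication no
'

# Constructed sample: the hardened form. sshd still listens on 22 on the
# LAN; the router forwards a random high port to it.
HARDENED_CONFIG='Port 22
PubkeyAuthentication yes
PasswordAuthentication no
# PAM can still prompt for a password via keyboard-interactive unless this
# is off. Newer OpenSSH spells it KbdInteractiveAuthentication.
ChallengeResponseAuthentication no
# Root may log in, but only with a key.
PermitRootLogin prohibit-password
'

# sshd_get KEY DEFAULT   (config text on stdin)
# sshd_config semantics: the FIRST non-comment occurrence wins and option
# names are case-insensitive. So a directive appended at the end of a file
# loses to an earlier one. Prints DEFAULT when the option is absent.
sshd_get() {
    awk -v key="$1" -v def="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }'
}

# ssh_audit   (config text on stdin)
# Prints one finding per weak setting; exit status 0 means nothing to fix.
ssh_audit() {
    cfg=$(cat)
    findings=0
    pw=$(printf '%s\n' "$cfg"   | sshd_get PasswordAuthentication yes)
    crv=$(printf '%s\n' "$cfg"  | sshd_get ChallengeResponseAuthentication yes)
    kbd=$(printf '%s\n' "$cfg"  | sshd_get KbdInteractiveAuthentication "$crv")
    pub=$(printf '%s\n' "$cfg"  | sshd_get PubkeyAuthentication yes)
    root=$(printf '%s\n' "$cfg" | sshd_get PermitRootLogin prohibit-password)

    if [ "$pw" != no ]; then
        echo "PasswordAuthentication is '$pw': set it to no"
        findings=$((findings + 1))
    fi
    if [ "$kbd" != no ]; then
        echo "keyboard-interactive auth is '$kbd': set ChallengeResponseAuthentication no"
        findings=$((findings + 1))
    fi
    if [ "$pub" != yes ]; then
        echo "PubkeyAuthentication is '$pub': set it to yes"
        findings=$((findings + 1))
    fi
    if [ "$root" = yes ]; then
        echo "PermitRootLogin is 'yes': use prohibit-password (key only) or no"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# fail2ban_jail [MAXRETRY] [BANTIME]
# Prints a /etc/fail2ban/jail.local fragment for sshd. fail2ban bans the
# source IP from the auth log, so the router's random external port needs
# no special handling: sshd still sees the connection on its own port.
fail2ban_jail() {
cat <<EOF
[sshd]
enabled  = true
port     = ssh
filter   = sshd
maxretry = ${1:-3}
bantime  = ${2:-1h}
findtime = 10m
EOF
}

# Stand-alone demo: audit both samples.
printf '%s' "$WEAK_CONFIG" | ssh_audit || echo "weak config: fix the findings above"
printf '%s' "$HARDENED_CONFIG" | ssh_audit && echo "hardened config: OK"
```

To audit the live file, run `ssh_audit < /etc/ssh/sshd_config` and check with `sshd -T | grep -i passwordauthentication` that the running daemon agrees, since `sshd -T` prints the effective values after Include and Match processing.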
LuciaBab
Posts: 2
Joined: Tue Aug 27, 2019 12:01 pm

remote maintenance from outside of network

Post by LuciaBab »

K3 1258MKII on the remote site. But I run this station in a cabin without a powerline. All goes with photovoltaic, so I want to run the server on the control site.
Is that possible?

arno oe9amj, 73
MichaIng
Site Admin
Posts: 2295
Joined: Sat Nov 18, 2017 6:21 pm

Re: remote maintenance from outside of network?

Post by MichaIng »

@LuciaBab
Not sure how those two boxes work, but yeah, if you want/need a Linux server to control it, I would for sure place it on the control side where you have a powerline. DietPi is not really read-only capable without some modifications, so power losses always mean a risk of data corruption/loss.
echable
Posts: 30
Joined: Mon May 20, 2019 3:03 pm

Re: remote maintenance from outside of network?

Post by echable »

Another way is setting up a VPN server on your home router (Asus with Merlin firmware is good at this). Then you can use e.g. the Android OpenVPN Connect app to connect to your home network and access its internal IPs, e.g. use an Android SSH app to go into the DietPi CLI.
WarHawk
Posts: 610
Joined: Thu Jul 20, 2017 8:55 am

Re: remote maintenance from outside of network?

Post by WarHawk »

echable wrote: Thu Nov 14, 2019 2:56 pm Another way is setting up a VPN server on your home router (Asus with Merlin firmware is good at this). Then you can use e.g. the Android OpenVPN Connect app to connect to your home network and access its internal IPs, e.g. use an Android SSH app to go into the DietPi CLI.
Is that a reverse SSH connection? The remote site connects when it comes up vs. trying to connect to it remotely?
And good call on the VPN thing with an Android SSH app (JuiceSSH is a GREAT one).

Create an OpenVPN on the inside of the "remote site" and VPN in that way... this way all traffic/maintenance apps can act as a "local machine" at the remote site, heck, you could even then use a remote control app securely if needed to work on their PCs in the home network...
Phillski
Posts: 35
Joined: Fri Feb 02, 2018 10:52 am

Re: remote maintenance from outside of network?

Post by Phillski »

You could also use ZeroTier (https://www.zerotier.com) to create a private network; no matter where your device is in the world it will show up as if it was local (it creates an encrypted p2p connection between the machines). It's similar to a VPN except it's always on and only grants access to the machines explicitly defined in its network (a machine can belong to multiple ZeroTier networks though).

I have this set up with a small virtual network between 4 windows boxes, my android tablet and 2 Diet-Pi servers (Pi-Hole, NAS and Jellyfin).
echable
Posts: 30
Joined: Mon May 20, 2019 3:03 pm

Re: remote maintenance from outside of network?

Post by echable »

WarHawk wrote: Fri Nov 15, 2019 5:11 am
echable wrote: Thu Nov 14, 2019 2:56 pm Another way is setting up a VPN server on your home router (Asus with Merlin firmware is good at this). Then you can use e.g. the Android OpenVPN Connect app to connect to your home network and access its internal IPs, e.g. use an Android SSH app to go into the DietPi CLI.
Is that a reverse SSH connection? The remote site connects when it comes up vs. trying to connect to it remotely?
And good call on the VPN thing with an Android SSH app (JuiceSSH is a GREAT one).

Create an OpenVPN on the inside of the "remote site" and VPN in that way... this way all traffic/maintenance apps can act as a "local machine" at the remote site, heck, you could even then use a remote control app securely if needed to work on their PCs in the home network...
Don't know if that's what's called "reverse SSH", I doubt it. I think it's called an "OpenVPN Server", setting one up on a router. Here's a link:

http://randyshomeprojects.blogspot.com/ ... outer.html

Don't worry, he makes it seem overly complicated; on an Asus router with Merlin firmware it's done in literally less than ten clicks. Click Advanced Settings - VPN - VPN Server - ON - create a username and password - click + - click Apply - export the .ovpn file - email the .ovpn file to yourself - open the OpenVPN Connect app on your Android - open the .ovpn file in the app - click Connect - go to e.g. 192.168.1.100 in a web browser while you're on the Android on a remote wifi or a mobile network, and it will take you to whatever is on 192.168.1.100 on your home network.

My problem is that I can't get the router to work as both a server and a client at the same time, despite contacting Asus and Privateinternetaccess support (both useless of course) and reading a thousand websites on the topic (outdated, or requiring SSH scripts that I'm not running because it should be possible through the GUI, and I'm not running Linux SSH scripts on my router that I have no idea what they mean). (A VPN client on the router in this case would be the more common usage of the term VPN, i.e. a commercial provider that sits "in between" you and your ISP and encrypts, unblocks (e.g. Piratebay) and optionally geolocates etc. your internet traffic. I've researched them all and www.privateinternetaccess is by far the cheapest and best one, recommended!)

I'll check out the ZeroTier stuff, but I'm so frustrated I can't get the Asus Merlin VPN server and client working at the same time. I know it's just one damn check box or setting to change, but I can't work it out despite trying for days. Anyone have any tips on that or a good updated guide?
Joulinar
Posts: 2077
Joined: Sat Nov 16, 2019 12:49 am

Re: remote maintenance from outside of network?

Post by Joulinar »

Why not use one of the VPN servers provided by DietPi?

I'm personally using WireGuard on my DietPi RPi. It's running quite well and I'm able to access it from all over the world, with all my devices. Doesn't matter if it's Win10, iOS or Android client.
Please let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
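The WireGuard setup mentioned above, as an added example that is not part of the original post and not the configuration dietpi-software writes for you: two shell functions produce the server and client wg0.conf from keys you supply, and a third checks that the server-side peer entry is limited to a single host. Assumptions not taken from the thread: tunnel subnet 10.8.0.0/24 with the DietPi box at 10.8.0.1, UDP port 51820 forwarded by the router, a LAN of 192.168.1.0/24 behind it, and a DynDNS name (like the one on TOMillr's router) as the endpoint. The key strings in the demo are constructed placeholders; real ones come from wg genkey and wg pubkey.

```shell
#!/bin/sh
# Added example (not DietPi code): hand-written WireGuard configs for a
# maintenance-only tunnel to a remote DietPi box, plus a check on the
# server-side peer entry. Assumptions (not from the thread): tunnel subnet
# 10.8.0.0/24, server at 10.8.0.1, UDP 51820 forwarded by the router,
# LAN 192.168.1.0/24 behind the server.
# Real keys:  wg genkey | tee priv.key | wg pubkey > pub.key  (once per side)

WG_NET=10.8.0
WG_PORT=51820
LAN=192.168.1.0/24

# wg_server_conf SERVER_PRIVKEY CLIENT_PUBKEY CLIENT_IP
# On the server, a peer's AllowedIPs is the set of source addresses accepted
# from that peer (and routed back to it). Keep it at the peer's own /32 so a
# stolen client key cannot impersonate other tunnel or LAN hosts.
# SSH to the DietPi box itself needs nothing more; reaching other LAN hosts
# through the tunnel additionally needs IP forwarding and NAT on the server,
# which is left out here.
wg_server_conf() {
cat <<EOF
[Interface]
Address = $WG_NET.1/24
ListenPort = $WG_PORT
PrivateKey = $1

[Peer]
# maintenance laptop
PublicKey = $2
AllowedIPs = $3/32
EOF
}

# wg_client_conf CLIENT_PRIVKEY SERVER_PUBKEY CLIENT_IP ENDPOINT_HOST
# On the client, AllowedIPs is what gets routed INTO the tunnel. Listing only
# the tunnel subnet and the remote LAN (not 0.0.0.0/0) keeps the laptop's
# other traffic off the remote line. ENDPOINT_HOST is the DynDNS name of the
# router, which forwards UDP $WG_PORT to the DietPi box.
wg_client_conf() {
cat <<EOF
[Interface]
Address = $3/32
PrivateKey = $1

[Peer]
PublicKey = $2
Endpoint = $4:$WG_PORT
AllowedIPs = $WG_NET.0/24, $LAN
PersistentKeepalive = 25
EOF
}

# wg_check_server_peers   (server config on stdin)
# Exit 1 and print the offending entry if any [Peer] AllowedIPs is broader
# than a single /32 host route, e.g. 0.0.0.0/0 pasted from a client config.
wg_check_server_peers() {
    awk '
        /^\[Peer\]/ { inpeer = 1; next }
        /^\[/ { inpeer = 0 }
        inpeer && $1 == "AllowedIPs" {
            n = split($0, parts, /[=,]/)
            for (i = 2; i <= n; i++) {
                gsub(/[ \t]/, "", parts[i])
                if (parts[i] !~ /\/32$/) { print "too broad for a server peer: " parts[i]; bad = 1 }
            }
        }
        END { exit bad }'
}

# Stand-alone demo with constructed placeholder keys (not real keys).
wg_server_conf SERVER_PRIVATE_KEY_PLACEHOLDER CLIENT_PUBLIC_KEY_PLACEHOLDER "$WG_NET.2" \
    | wg_check_server_peers && echo "server peer entry OK"
wg_client_conf CLIENT_PRIVATE_KEY_PLACEHOLDER SERVER_PUBLIC_KEY_PLACEHOLDER "$WG_NET.2" backup.example
```

With this in place the router forwards only UDP 51820 and port 22 gets no forward at all; the SSH hardening from earlier in the thread still applies inside the tunnel, it just no longer faces the internet.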
MichaIng
Site Admin
Posts: 2295
Joined: Sat Nov 18, 2017 6:21 pm

Re: remote maintenance from outside of network?

Post by MichaIng »

Yep, a VPN to connect to the remote machine's local network and then network-internal SSH, hence not opening any SSH port to the www, is the most secure solution. It depends a bit on the security needs and the client machine (a VPN + SSH client is required) whether this is reasonable or even possible.