Raspberry Pi VPN Server w/o Port Forwarding
I am trying to set up my Raspberry Pi as a temporary VPN for while I am traveling. Problem is I don't have access to the home router, so I can't set up port forwarding. So I researched a bit and these are the methods I have found.
1. remote.it and other similar services
I'm not entirely sure how this service works, but it seems to act like a proxy, forwarding traffic to the Raspi. However, I'm worried that I will be restricted by the bandwidth of the remote.it servers, e.g. when I am trying to stream video. It does seem like remote.it has a way to set up a direct connection using a client script but it doesn't really explain how it works, and I don't think I would be able to use that on my phone.
2. Reverse SSH Tunneling
This is the method I see talked about the most. However, from the explanations I've read online, I still can't tell if the proxy server is used for all traffic, or just for establishing the initial connection. If I use a 3rd party service like ngrok, would I be limited to the bandwidth of their servers?
3. UPnP
This seems like the simplest method, and doesn't require any additional servers. However, it doesn't seem to be mentioned much so I'm wondering if there are some glaring issues I am overlooking.
Overall, I am just looking for a comparison between limitations and security of the three methods (or any other methods you can suggest). Any help would be greatly appreciated.
networking vpn raspberry-pi ssh-tunnel
asked Feb 12 at 11:02 by woojoo666, edited Feb 12 at 11:08
1 Answer
1: Remote.it and co. are services that work by playing MITM and forwarding your commands. Now I don't say they are capturing everything you do but they very well could, although when you exchange your certificates through a secure channel beforehand, you should be good. Whether they work with VPN I don't know, they seem to be rather constrained when wanting to use multiple ports. I wouldn't use them to run all my traffic through, even when encrypted; and they might not like it either.
2: This seems to be your best bet. If you don't have a static IP I recommend using DuckDNS for that. Setting up a reverse SSH tunnel is also really easy.
3: UPnP is a protocol to enable plug and play networking. It opens ports by sending requests to the router to do so. If it is available to you, you could open all the ports you need like this. But beware, it can be quite insecure to have active.
Thank you for the detailed reply. It does seem like reverse SSH tunneling is the most recommended, but my biggest worry is that it seems to also require some sort of MitM. What exactly is the MitM server used for? Is it persistently rerouting all traffic, or is it only used to establish a connection?
– woojoo666
Feb 12 at 22:57
Oh and I should clarify that since I will be traveling around, my client IP will be constantly changing, so I can't just have my raspi directly connect to my client like in the reverse ssh example you provided. In other words, both my server and client don't have port forwarding capabilities
– woojoo666
Feb 13 at 1:54
The service needs to play MitM to set up the connection. It is the thing your client and server both know (after they resolve the URL to get an IP). The service can then establish a connection between the two parties; depending on implementation this means you have to trust the service with quite a lot of information about your traffic and you (IP). DuckDNS already solves the problem you have with the changing IP. Just have your client register there and your server shall try to establish a connection with it every minute or so.
– jaaq
Feb 21 at 8:07
answered Feb 12 at 13:35 by jaaq, edited Feb 21 at 7:59
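The reverse SSH tunnel recommended in the answer, shown as an added example that is not part of the original thread: the command the Pi runs, the restricted `authorized_keys` entry the relay should hold for the Pi's key, and a small audit of such an entry. The relay host, account, ports and key material are constructed placeholders, and the helper function names are hypothetical.

```shell
#!/bin/sh
# Added example. Every host, user, port and key below is a constructed placeholder.
RELAY_HOST="relay.example.org"  # assumed: a host you control with a public IP
RELAY_USER="tunnel"             # assumed: unprivileged account on the relay
RELAY_PORT=2222                 # assumed: loopback port the relay listens on
PI_SSHD_PORT=22                 # sshd on the Raspberry Pi
SAMPLE_KEY="ssh-ed25519 AAAAC3EXAMPLEKEY pi@home"  # constructed, not a real key

# Run on the Pi: dial OUT to the relay (no inbound port needed at home) and
# ask the relay's sshd to listen on RELAY_PORT, handing each connection back
# to the Pi. With -R, every byte of every forwarded connection is carried by
# the relay's sshd, so the relay's bandwidth bounds the tunnel.
pi_tunnel_command() {
  printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R localhost:%s:localhost:%s %s@%s\n' \
    "$RELAY_PORT" "$PI_SSHD_PORT" "$RELAY_USER" "$RELAY_HOST"
}

# Entry for ~tunnel/.ssh/authorized_keys on the relay. "restrict" disables
# shell, PTY, agent and X11 forwarding; "port-forwarding" re-enables only
# forwarding; "permitlisten" pins the single loopback port the key may open.
# $1 = the Pi's public key line
relay_authorized_key() {
  printf 'restrict,port-forwarding,permitlisten="localhost:%s" %s\n' "$RELAY_PORT" "$1"
}

# Audit one authorized_keys line ($1). Prints one finding per line and
# nothing when the entry is locked down. Assumes a single permitlisten option.
audit_tunnel_key() {
  # The options field is everything in front of the key type.
  _opts=$(printf '%s\n' "$1" | sed -E 's/(^| )(ssh-|ecdsa-sha2-|sk-)[^ ]+ .*$//')
  case ",$_opts," in
    *,restrict,*) ;;
    *) echo "no-restrict" ;;          # key can also open a shell on the relay
  esac
  case $_opts in
    *permitlisten=\"localhost:*|*permitlisten=\"127.0.0.1:*) ;;
    *permitlisten=*) echo "listen-not-loopback" ;;  # public if GatewayPorts is on
    *) echo "no-permitlisten" ;;      # key may listen on any port
  esac
}

# Demo: print what goes where.
echo "On the Pi:    $(pi_tunnel_command)"
echo "On the relay: $(relay_authorized_key "$SAMPLE_KEY")"
```

From the travelling client, log in to the relay first and then connect to `localhost:2222` there (for example with `ssh -J`), so the forwarded port never has to be exposed beyond the relay's loopback interface.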