
I'd like to access multiple different devices residing on my home network, from anywhere else in the world, using custom domain names.

I'm running a standard (commercial) router provided by my ISP, and don't have the option to change (they won't provide login info for the ADSL connection required by a third-party router).

I'm aware of how to access things like my Raspberry Pi running web services with Nginx/Apache/Reverse proxy, but would like similar functionality (access to individual devices via unique domain names) for things like SSH too. Reverse proxies typically only handle HTTP(S) traffic, so aren't applicable for this scenario.

One comment below mentions IPv6, but how would this actually be achieved through standard commercial routers?

Matthew
  • The clean solution is IPv6. Everything else is just nasty workarounds. – Michael Hampton Sep 15 '18 at 18:22
  • I'd *love* to use IPv6, but wouldn't know how to go about starting with this, and my router settings for it seem to be a hell of a lot more complicated than IPv4. I've got an ISP-provided router from Sky (UK), so it's a bit more locked down than others (can't set my own DNS servers, for example), and they don't provide ADSL login details to use third-party routers. It does have IPv6 support, and it does have firewall/services that I can set up, but otherwise I'm stuck - how do I connect to a device behind the router via IPv6? – Matthew Sep 18 '18 at 08:37
  • @UPChoo I do not know how Sky operates. If they haven't published sufficient documentation, have you tried contacting their customer support? If Sky is one of those ISPs which refuse to support IPv6 (I have no idea if they are), then the solution is to switch to another ISP. As far as I know aa.net.uk is the ISP which is most serious about IPv6, and they don't require you to use a router provided by them, so you can configure your own router the way you want. And IPv6 is not complicated. It's a bit different from IPv4, but overall it is simpler than IPv4. – kasperd Sep 18 '18 at 11:06

1 Answer

I am using wrapsrv together with SRV records, socat and ProxyCommand ssh_config option to have different names for my internal hosts visible on the internet.

First of all you need appropriate DNAT rules on your router. Let's call it router.example.com with IP address 192.0.2.1 and the internal host will be host1.example.com with IP address 198.51.100.1 which is behind NAT.

The rule would be:

iptables -t nat -A PREROUTING -d 192.0.2.1 -p tcp --dport 2222 -j DNAT --to-destination 198.51.100.1:22

Now you need to put an SRV record for this service in external DNS:

_ssh._tcp.host1.example.com. SRV 10 0 2222 router.example.com.

Let's configure ssh to use the above mentioned record:

Host *.example.com
    ProxyCommand wrapsrv _ssh._tcp.%h socat STDIO TCP:%%h:%%p

socat can also be used, for example, to make a connection through some kind of proxy as well (and I also exercise this option in some setups behind a firewall but with a SOCKS proxy available). Also, you will not be able to use the -p ssh option for this domain.

Now you may also want to add an SRV record for your router, so you don't need a specific section in ssh_config just to get to it:

_ssh._tcp.router.example.com. SRV 10 0 22 router.example.com.

As an added bonus, it makes it pretty easy to move the sshd port on the router to some other value to prevent anyone from brute forcing you too easily (yes, I know, it is advertised there, but so far I haven't seen anyone trying the ports I am advertising this way).

Tomek
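The lookup-and-substitute step that the ProxyCommand line in the answer relies on, as an added Python example (not wrapsrv's code and not part of the original answer): it finds the _ssh._tcp SRV record for the requested name and fills the target and port into the socat command. Assumptions of this example: the function names, the record selection (lowest priority, then highest weight, a simplification of RFC 2782's weighted choice) and the hostname check on the DNS-supplied target; the zone lines are the two records from the answer.

```python
import re

# Constructed sample input: the two SRV records from the answer, zone-file form.
ZONE = """\
_ssh._tcp.host1.example.com. SRV 10 0 2222 router.example.com.
_ssh._tcp.router.example.com. SRV 10 0 22 router.example.com.
"""

LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def valid_target(name):
    """Accept only plain hostnames: the target comes from DNS and ends up
    on a command line, so anything else is rejected (assumed hardening)."""
    name = name[:-1] if name.endswith(".") else name
    return 0 < len(name) <= 253 and all(LABEL.match(l) for l in name.split("."))

def parse_srv(zone):
    """Map owner name -> list of (priority, weight, port, target)."""
    records = {}
    for line in zone.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[1] != "SRV":
            continue
        owner, _, prio, weight, port, target = fields
        records.setdefault(owner.rstrip(".").lower(), []).append(
            (int(prio), int(weight), int(port), target))
    return records

def resolve(records, host, service="_ssh._tcp"):
    """Return (target, port) for host, as the %h and %p values."""
    candidates = records.get(f"{service}.{host}".lower())
    if not candidates:
        raise LookupError(f"no SRV record for {service}.{host}")
    # Simplification: lowest priority wins, ties broken by highest weight.
    prio, weight, port, target = min(candidates, key=lambda r: (r[0], -r[1]))
    if not valid_target(target) or not 0 < port < 65536:
        raise ValueError(f"refusing SRV data: {target!r}:{port}")
    return target.rstrip("."), port

def proxy_argv(template, target, port):
    """Fill %h/%p into the command ssh hands over after its own %% expansion.
    Returns an argv list so no shell ever parses the DNS-supplied values."""
    return [tok.replace("%h", target).replace("%p", str(port))
            for tok in template.split()]

if __name__ == "__main__":
    target, port = resolve(parse_srv(ZONE), "host1.example.com")
    print(proxy_argv("socat STDIO TCP:%h:%p", target, port))
```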