Saturday, 3 April 2021

IOT: Server Behind Cellular Access Point

Update: My current ISP has NAT restrictions that affect the ability to reach a server externally.

My family's summer house is now equipped with a 4G hotspot that provides Wi-Fi connectivity to the house. That will make it suitable for remote surveillance.

I will need to connect the Raspberry Pi computer in that network, but since IP addresses on cellular networks aren't static, the network will be hard to reach. This blog post will explore how to reach a server behind a cellular network.

The task is divided into two subtasks:

  1. Reach a server behind a router (Port Forwarding)
  2. Access a cellular router whose IP address will change once in a while

Step 1: Reach a Server Behind a Router

This is quite straightforward - I just used the router's port forwarding settings. When a request arrives at the router on a specific port number, the router forwards it to the IP address of a device inside the local network.

You can find much better explanations here.


In order to make my Raspberry Pi less vulnerable to malicious access, I have changed the SSH port to a secret port number.

On the router, I've enabled port forwarding for the new port number to my Raspberry Pi. To verify, I opened an SSH connection along this path: laptop -> iPhone -> 4G network -> Internet -> router -> Raspberry Pi.

As an extra layer of safety, I installed fail2ban, software that protects servers from brute-force attacks.

Step 2: Handle Dynamic IP Numbers

This will be handled using DDNS (Dynamic Domain Name System). A script on the Raspberry Pi will regularly report the current IP address to the DDNS server. Whenever a user looks up the DDNS hostname, the server will provide the current IP address.

Step 2a: Change the SSH port on the Raspberry Pi

This is a security measure that will be more necessary since my network will be easier to find.

Step 2b: Register to a DDNS Service

The easiest option would be to make the router itself connect to a dynamic DNS service. That must be done on site.



No-IP or Duck DNS

D-Link had a DDNS service, but it has unfortunately been shut down. That's a pity since I am using a D-Link router.


Step 2c: Register a Client

https://community.home-assistant.io/t/guide-how-to-set-up-duckdns-ssl-and-chrome-push-notifications/9722

The password will later be sent in plain text (curl) to the server - don't use a password that you use for other services!

https://www.wundertech.net/how-to-setup-duckdns-on-a-raspberry-pi/

https://www.youtube.com/watch?v=uhJ1zQIjujg

https://www.youtube.com/watch?v=ZKEGP_qBmxg
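
An added example, not from the original post: a Duck DNS update script for Step 2 that keeps the token out of the process list and refuses a token file readable by other users, plus a check of the router's WAN address for the NAT problem mentioned in the update note. The subdomain and token path are placeholders, and treating the ISP restriction as carrier-grade NAT is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: Duck DNS updater for cron.
DOMAIN="${DOMAIN:-my-summerhouse}"                # placeholder subdomain
TOKEN_FILE="${TOKEN_FILE:-$HOME/.duckdns-token}"  # placeholder path, chmod 600

# Classify the WAN address shown on the router's status page. "cgnat"
# (100.64.0.0/10) or "private" means the carrier NATs the connection, so a
# port forward on the router cannot be reached from the Internet.
classify_ipv4() {
    case $1 in ''|*[!0-9.]*|*.) echo invalid; return ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return; }
    for o in "$@"; do
        case $o in ''|????*) echo invalid; return ;; esac
        [ "$o" -le 255 ] || { echo invalid; return; }
    done
    if   [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then echo cgnat
    elif [ "$1" -eq 10 ]; then echo private
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then echo private
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then echo private
    else echo public
    fi
}

# Emit a curl config on stdout; piping it to "curl --config -" keeps the
# token out of the process list, unlike passing the URL as an argument.
curl_config() {
    printf 'url = "https://www.duckdns.org/update?domains=%s&token=%s&ip="\n' \
        "$DOMAIN" "$1"
}

# Refuse a token file that group or others can access, then send the update.
# Duck DNS replies "OK" or "KO"; the return status reflects that.
update_ddns() {
    [ -r "$TOKEN_FILE" ] || { echo "missing $TOKEN_FILE" >&2; return 2; }
    case $(ls -ld "$TOKEN_FILE" | cut -c5-10) in
        ------) ;;
        *) echo "run: chmod 600 $TOKEN_FILE" >&2; return 3 ;;
    esac
    reply=$(curl_config "$(cat "$TOKEN_FILE")" |
        curl --silent --max-time 20 --config -) || return 4
    [ "$reply" = "OK" ]
}

# A cron entry would call this script with the single argument "update".
if [ "${1:-}" = "update" ]; then update_ddns; fi
```

With `ip=` left empty, Duck DNS records the address the request arrives from, so behind carrier-grade NAT the hostname resolves to the carrier's shared address rather than to the router.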
