How do I SSH into my Pi at home from a remote location?

Question

I can't seem to find a straight answer anywhere. So I'm just going to ask SO instead.

For arguments sake, lets assume these are my details

public IP       ~ 11.111.11.11
Pi's private IP ~ 192.168.0.6
Port forwarded  ~ 21 both TCP and UDP
Pi's name       ~ pi@mikespi 

I have my pi turned on, sitting at home. Now I'm at work, and I want to SSH onto my pi. I am running linux mint so I want to use the terminal (bash) to SSH. What command do I write?

even ssh -h hasn't helped me work out how to do this remotely.

Note: I have managed to SSH onto the pi within my own network easily.

Answer 1

This is a combination of M. Rostami's answer and my reflections on his answer, which I found cumbersome to add as comments.

NB: Your question shows you know how to find your public IP address and the internal address of your Pi. I've included directions here in the hope that they will help others.

On your Pi, set up SSH on the default port number, port 22. You will also need the internal IP address of your Pi, which you can get with ip a typed into a terminal window. Look for the eth0 address for wired connections or the wlan0 address for wireless. The address may look like 192.168.x.x or 10.x.x.x.

When you have SSH running, set up SSH cryptographic key security. That allows you to log in with a cryptographic key rather than a password. For so long as you keep the key secure, your Pi is protected. There are instructions for setting up cryptographic authentication here: https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2 and probably plenty of other places, including a brief discussion of the value of such keys in this Stack Exchange Community.

• Do protect the private key with a password. You'll have to type it every time you log in, but you've at least somewhat protected the private key in case your remote system is somehow compromised.
• Do disable root logins using passwords after you've tested that you can log in using SSH protected by cryptographic keys.
• Consider disabling all logins with passwords. (Do this unless there's a good reason why someone could not use a key to log in.)

Note: Your Pi is not accessible from outside yet, and that's good. Set up security first, then open up access.

You will need to pick an external port number to access your server from outside. The bad guys on the Internet "rattle doorknobs" looking for open ports, then try to get in through those ports. You can't stop them, but you can discourage them. One way of doing that is to use a slightly obscure external port. Pick a port number that is greater than 1023 and does not end in 22. Perhaps something like 7137. Your SSH will still be detected by full port scanning, but it's a lot more work than just rattling those doorknobs that end in 22.

Now set up your router to forward incoming traffic on the port you picked to the internal IP of your Pi on port 22. How to do that will depend on the router you have.

You are now set to SSH to your Pi from outside. You can find out the public (outside) address of your router with https://www.whatismyip.com/

Assuming a public address of 11.111.11.11 and a port of 7137, you'd SSH to 11.111.11.11:7137. Done!

Although your ISP can change that outside address, called a dynamic IP address, my own experience is that mine doesn't change often. If you find, using WhatIsMyIP, that yours changes frequently, there are dynamic DNS services that will let you assign a name and keep up with the changing IP address. I use a paid service, but there are free services. Something within your home will have to run the dynamic DNS client. You can do that on your Pi.

Answer 2

Port forwarded ~ 21 both TCP and UDP

It's actually forward packets to port number 21 which is the default port of FTP. You must change it to port number 22 on your router/switch.

If you are stubborn about changing the default port of SSH which is 22 to another port number, take note that you can set the SSH default port to 21 but the FTP client would be disabled. Therefore, Well Known Port is term of telling don't use port numbers in the range of 0 through 1023. If you do, you will face a problem with other protocols. So, you should set a port number more than 1023 for the SSH daemon.

On the other hand, according to your router/switch/firewall on your network, you can set a port forwarding rule or PAT. As an example forward all external port number 9022 to 22 on the raspberry pi IP address/hostname. In this case, you should connect to your raspberry pi over the internet by x.x.x.x:9022 because the router/switch/firewall will forward to 22.

In addition, it's so easy to find which opened port number of your raspberry pi has been used for SSH. You can do it by nmap command.

---

How to change the default SSH port number on Raspberry PI?

Open the SSH server config file:

sudo nano /etc/ssh/sshd_config  

Then, (for example) add this line to set the port number to `2222:

port 2222  

Reboot the device or restart the SSH server's service:

sudo service ssh restart

Answer 3

First the ssh port is usually port 22 but it can be changed and secondly you only need tcp not udp. Another issue that can crop up is ensuring the pi will accept connections on port 22 from outside your LAN which can be achieved using UFW https://wiki.ubuntu.com/UncomplicatedFirewall

Make sure you set a strong password or better still use SSH keys as you WILL get hackers trying to force their way in, some guides to best security practises here https://blog.devolutions.net/2017/4/10-steps-to-secure-open-ssh https://www.howtogeek.com/443156/the-best-ways-to-secure-your-ssh-server/

Answer 4

Provided that the SSH server at the PI is actually configured to listen on port 21 instead of the default 22, and that the network public IP address doesn't change. Then you should just SSH to the public IP address of your network.

>ssh 11.111.11.11 21

login the same way as you do when only using the local (home) network. Using no-ip or dydns can help give your network a name in DNS that remains updated if your public IP is changed by your ISP (assuming you don't have a static IP assigned here).

If this doesn't work then make sure that

1. RPi network parameters are set correctly (particularly gateway)
2. Port forwarding is correctly configured at the router and that responses are not being blocked by any router firewall.

Answer 5

Short Answer:

Here's a TESTED and WORKING specimen config from my MikroTik router that you can use as a model for your own router.

chain=dstnat action=dst-nat to-addresses=192.168.0.6 to-ports=21 protocol=tcp in-interface=ether1-Gateway dst-port=60000 log=no log-prefix=""

Where:

• "ether1-Gateway" is my connection to Internet
• "dst-port=60000" is an arbitrary port chosen from the "Dynamic/Private" port range.
• "to-addresses=192.168.0.6" The Pi
• "to-ports=21" The port on Pi receiving the forwarded traffic

WARNING: Avoid "Privileged" port numbers such as "21"- use a high port in the "Dynamic/Private" port range. "21" is used for FTP and now some routers are offering FTP services...

So when I SSH into the router on port 60000 as follows:

ssh pi@11.111.11.11 -p 60000 

The router sends my traffic to the FORWARDED port "21":

192.168.0.6 on port 21

DON'T FORGET TO CHECK YOUR FIREWALL RULES allow the desired connectivity

Long Answer:

Using DNAT to connect remote-in to internal hosts that are NOT offering public services such as mail or web servers is not ideal. Using a VPN to connect to hosts on Local IPs is.

Here's a comparison between the (2) methods to connect remotely to a host on an RFC 1918 address:

VPN: Preferred Method

Configuration: You'll need to configure VPN on the router, then configure a client on your computer/device to establish a VPN connection to the router.

So once your VPN connection is established to your home/work router, your SSH connection looks like this:

ssh pi@192.168.0.6 -p 60000

Note that you're reaching it on a LOCAL IP.

Upside:

• Using a VPN, you don't publicly expose your Pi. You can talk directly to it on the local address once you establish the VPN connection to your router.

Downside:

• Configuring an IPsec VPN on the router requires a little bit of networking knowledge. From the nature of your question, I suspect you don't possess the fundamental skills to do this easily. But hey- great opportunity to learn!

• Some countries are not VPN friendly and do not want you passing traffic through an encrypted tunnel...

DNAT

In the "Short Answer" I showed you a very simple way to do a DNAT using the ROUTER's own Public IP. The following method is a bit more elegant, where each host has traffic forwarded on a Public IP dedicated to it.

Configuration: A Better DNAT Solution:

Ask your ISP for a block of Public IPs. If you ask for a /29, you're more likely to get your request approved than if you ask for a /28 (or greater). Configure these Public IP addresses on the router and setup a DNAT rule to forward traffic from the public IP to the internal IP. Each host can have use a different public IP to forward traffic to it. Tidy.

Upside:

Less complex to setup a DNAT than an IPsec VPN.

Downside:

• Just as you can connect to your Pi from the outside world, so can anybody else: traffic is being forwarded from the Public IP that is being mapped by the DNAT rule to the Pi's internal (non world-routable) local IP.

• Requires your ISP to assign you a block of Public IPv4 IPs, which are getting scarcer and scarcer by the day. And it's very likely they'll charge you a monthly fee for the block they assign to you so potentially a recurring cost to this solution (thanks @goldilocks)

• You'll lose your current Public IP the router is using, which may or may not be a problem. If they assign you the block of Public IPs, the router's address itself must be from within this range of IPs.

• If you change ISPs, you will lose this block of Public IPs and your connectivity to the Pi will be busted. The ISP owns the block- they are letting you use their IPs only.