
I have an IoT device that is connected via an LTE gateway. The LTE ISP uses carrier-grade NAT, which seems to be increasingly common and hard to avoid in the US.

I need to access the device remotely to manage upgrades, debugging, etc. What options do I have for remote access?

I have considered the following:

  1. SSH doesn't work. The double NAT makes SSH via IPv4 impossible. The ISP does not supply an IPv6 address.
  2. Third-party services like remote-iot.com or dataplicity.com seem to use a higher-level communication protocol that avoids the IP address problem altogether. The trouble with these is that they have lower security standards - the account is protected by just a password, whereas I can set up RSA encryption on SSH.
  3. Set up a VPN server on my device, log in to it, then ssh to the device. This seems a bit heavyweight and complicated to manage.

Are there other options that I haven't considered or have I misevaluated any of these options?

ericksonla
    Note additionally that you can use SSH via a similar method - both the device and the thing that wants to reach it need to make outbound SSH connections to a mutually visible server, which can patch the SSH forwards through. – Chris Stratton Aug 15 '17 at 00:50
  • @ChrisStratton The "duplicate" link describes how to do messaging over the MQTT broker, but not how to use it as an SSH relay. This looks like a classic case of "this obvious point shall be left as an exercise for the reader" where the reader is clueless. Can you describe or point to a description of how that might work? – ericksonla Nov 29 '17 at 03:53
  • @ericksonla the duplicate flag concerns the question, not the answer, which used MQTT merely as an example. In terms of SSH, the same kind of topology makes sense, but the mutually visible server wouldn't be an MQTT broker, but rather something that can connect SSH sessions. Often it's just a virtualized Linux instance to which all the clients connect, with the target ones enabling SSH port forwarding. After an authorized user connects up they can then reach out to a target machine from the command line via the established tunnels. Though of course you can automate it too. – Chris Stratton Nov 29 '17 at 06:17
  • https://tunnelin.com is a service created just for that - it can make tunnels to your network services (like ssh, vnc, web server, etc.) and forward traffic from behind firewalls. For your use case, you can connect to your device using an RSA keypair and have bank-level security. – simon Jun 28 '20 at 22:05
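The relay topology described in the comments above, written out as an added example that is not part of the original question or its comments: the device keeps an outbound SSH session to a publicly reachable relay and asks it to open a loopback-only reverse forward; the administrator then hops through the relay with ProxyJump. The relay host name, user names, key paths and ports are constructed placeholders, and the `permitlisten` authorized_keys option assumes OpenSSH 7.8 or newer on the relay.

```shell
#!/bin/sh
# Added example (not from the thread): reverse SSH tunnel from a CGNAT-bound
# IoT device to a publicly reachable relay host, plus the matching
# authorized_keys restriction on the relay. All hosts, users, key paths and
# ports below are constructed placeholders.

RELAY_HOST="${RELAY_HOST:-relay.example.com}"            # assumed public VPS
RELAY_USER="${RELAY_USER:-tunnel}"                        # unprivileged relay account
RELAY_PORT="${RELAY_PORT:-22}"
DEVICE_KEY="${DEVICE_KEY:-/etc/iot/tunnel_ed25519}"      # device's private key
KNOWN_HOSTS="${KNOWN_HOSTS:-/etc/iot/relay_known_hosts}"  # pinned relay host key
REMOTE_BIND_PORT="${REMOTE_BIND_PORT:-2222}"              # loopback port opened on the relay

# Command the device runs: hold an outbound session to the relay open and ask
# the relay to listen on 127.0.0.1:$REMOTE_BIND_PORT, forwarding back to the
# device's own sshd. Returned as a string so it can be inspected without
# connecting. Key-only, non-interactive, host key pinned, and the session is
# dropped (so the loop below reconnects) if the forward cannot be bound.
build_tunnel_cmd() {
    printf '%s' "ssh -N -R 127.0.0.1:${REMOTE_BIND_PORT}:127.0.0.1:22" \
        " -i ${DEVICE_KEY} -o IdentitiesOnly=yes -o BatchMode=yes" \
        " -o StrictHostKeyChecking=yes -o UserKnownHostsFile=${KNOWN_HOSTS}" \
        " -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3" \
        " -p ${RELAY_PORT} ${RELAY_USER}@${RELAY_HOST}"
}

# Line for the relay's ~tunnel/.ssh/authorized_keys: the device key may only
# open the reverse forward on that one loopback port, with no shell, PTY,
# agent or X11 forwarding ("restrict" turns everything off, the two options
# after it re-enable just the forward). $1 is the device's public key.
build_authorized_keys_line() {
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' \
        "$REMOTE_BIND_PORT" "$1"
}

# Command the administrator runs from a laptop: jump through the relay with
# ProxyJump and land on the device's sshd via the tunnel's loopback port.
# $1 is the admin account on the relay, $2 the account on the device.
build_admin_cmd() {
    printf 'ssh -J %s@%s:%s -p %s %s@127.0.0.1\n' \
        "$1" "$RELAY_HOST" "$RELAY_PORT" "$REMOTE_BIND_PORT" "$2"
}

# Reconnect loop for the device side (run it under a service manager); a
# dropped LTE session simply re-establishes the tunnel after a short pause.
run_tunnel() {
    while :; do
        eval "$(build_tunnel_cmd)"
        sleep 15
    done
}

# Only start the loop when explicitly asked, so sourcing the file is harmless.
if [ "${1:-}" = "run" ]; then
    run_tunnel
fi
```

On the relay, `AllowTcpForwarding remote` in sshd_config lets the tunnel account open reverse forwards only, and leaving `GatewayPorts` at its default of `no` keeps the forwarded port bound to loopback, so the device's sshd is reachable only by someone who has already authenticated to the relay with their own key. That keeps the key-based authentication the question wants without standing up a VPN.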

0 Answers