Remote SSH into IoT devices or Raspberry Pi behind NAT router or firewall from outside network over the internet
Remote SSH access to a Raspberry Pi is key to monitoring, controlling and debugging industrial machinery, automobile fleets and home automation devices in faraway locations when no one can physically reach the device at that moment.
In this article, we’ll discuss how to remote SSH into IoT devices or Raspberry Pi behind NAT router or firewall from outside network over the Internet using SocketXP IoT Controller.
What is SocketXP
SocketXP is a cloud based IoT Controller that empowers you to remotely connect, login, configure, debug, upgrade, monitor and manage millions of IoT, IIoT or Raspberry Pi devices installed in your customer’s local network behind NAT router and firewall.
SocketXP creates secure SSL/TLS tunnels to connect to your remote IoT devices.
SocketXP also creates a unique public web URL for each of the private web applications running on your remote IoT devices. Online services can communicate with your private web application using the public web URL.
How SocketXP IoT Remote SSH Access solution works
Install a simple, secure and lightweight SocketXP IoT agent on your IoT device (or Raspberry Pi). The SocketXP agent will securely connect (using an SSL/TLS tunnel) to the SocketXP IoT Cloud Gateway using an authentication token.
Step 1: Download and Install
Download and install the SocketXP IoT agent on your IoT device or Raspberry Pi device from here
Step 2: Get your Authentication Token
Sign up at https://portal.socketxp.com and get your authentication token.
Use the following command to log in to the SocketXP IoT Cloud Gateway using the auth token.
Step 3: Create SocketXP SSL Tunnel Endpoint for Remote SSH
Use the following command to create a secure and private SSL tunnel endpoint at the SocketXP IoT Cloud Gateway.
$ socketxp connect tcp://localhost:22
TCP tunnel [test-user-gmail-com-34445] created.
Access the tunnel using SocketXP agent in IoT Slave Mode
Security Note:
SocketXP is a highly secure IoT Remote Access solution. SocketXP, unlike other IoT Remote SSH solutions in the market, doesn’t create any public TCP tunnel endpoints (a public IP address and TCP port combo) that can be connected to by any SSH client from the internet. SocketXP secure private tunnel endpoints are not exposed to the internet.
SocketXP secure private tunnel endpoints can be accessed only using the SocketXP agent running in IoT slave mode (using the auth token provided to the user) or through the XTERM terminal in the SocketXP IoT Portal page.
Why is this important?
Anonymous users, hackers and random port scanners cannot SSH into your IoT device from the internet. Even your employees cannot access your IoT device without knowing the SocketXP auth-token uniquely assigned to you. SocketXP secure private tunnel endpoints thwart DDoS attacks that would prevent remote access to your IoT or Raspberry Pi devices.
SSH from Web Browser after SSO Login
When you click the terminal icon next to your device listed in the SocketXP Portal Page, you’ll be prompted to provide your Username and Password. After successful authentication with the SSH server running in your IoT device, you’ll be logged into your device shell.
Once you are in the shell you could execute any shell command. The above screen capture shows the ‘htop’ command run to display the CPU and Memory resource usage.
Configuring SocketXP agent to run in slave mode
This is an alternate method for accessing your Raspberry Pi behind router or firewall remotely over the internet from outside network using the SocketXP solution.
If you don’t want to access your IoT device or RPi from the browser, and instead want to use your own SSH client with a public/private key, follow the instructions below.
First, download and install the regular SocketXP agent software on your accessing device (such as a laptop running Windows or Mac OS). Next, configure the agent to run in slave mode using the command option “--iot-slave” as shown in the example below. Also, specify the name of the private TCP tunnel you want to connect to, using the “--tunnel-name” option.
$ socketxp connect tcp://localhost:3000 --iot-slave --tunnel-name test-user-gmail-com-34445
Listening for TCP connections at:
Local URL -> tcp://localhost:3000
Accessing the IoT device from your laptop
Now you can access your IoT device’s SSH server using the above SocketXP local endpoint, instead of a public endpoint, as shown below.
$ ssh -i ~/.ssh/john-private.key john@localhost -p 3000
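A check worth running on the accessing laptop before relying on the local endpoint above (an added example, not part of the original article or of SocketXP's tooling): it classifies whether the port is bound to loopback only, so that other hosts on the laptop's network cannot reach the device's SSH server through it. It assumes Linux `ss` output; the function name and the sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: classify how a local TCP port is bound, reading
# `ss -H -ltn` style lines on stdin.
# Prints one of: loopback | exposed | absent.
classify_listener() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":")            # $4 is Local Address:Port
            if (part[n] != port) next
            host = substr($4, 1, length($4) - length(part[n]) - 1)
            found = 1
            # Anything other than 127.0.0.0/8 or [::1] is reachable off-host.
            if (host !~ /^127\./ && host != "[::1]") exposed = 1
        }
        END {
            if (!found)       print "absent"
            else if (exposed) print "exposed"
            else              print "loopback"
        }'
}

# Constructed samples of `ss -H -ltn` output on the accessing laptop.
SAMPLE_OK='LISTEN 0 4096 127.0.0.1:3000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:631 0.0.0.0:*'
SAMPLE_BAD='LISTEN 0 4096 *:3000 *:*
LISTEN 0 4096 127.0.0.1:3000 0.0.0.0:*'

printf '%s\n' "$SAMPLE_OK"  | classify_listener 3000   # loopback
printf '%s\n' "$SAMPLE_BAD" | classify_listener 3000   # exposed

# Live use on the laptop (port 3000 is the one used in this article):
#   ss -H -ltn | classify_listener 3000
```

A result of `exposed` means the forwarded port accepts connections from other machines, and only the SSH server's own authentication stands between them and the device.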
We recommend using SocketXP Private TCP Tunnels for all your remote IoT device access needs.
SocketXP Scaling and Performance
SocketXP IoT Gateway easily supports up to 10K devices per customer account. SocketXP IoT Gateway also has the built-in capability to grow on demand, as it is deployed as a Kubernetes service in the Google Cloud Platform.