IoT Raspberry Pi SSH Remote Access over Starlink, 3G, 4G LTE, or 5G mobile cellular network

Ganesh Velrajan
8 min readApr 17, 2021

IoT or Raspberry Pi remote SSH access is key to monitoring, controlling and debugging industrial machineries, automobile fleet, environmental IoT sensors and smart city IoT devices from far away remote locations when human access to such devices is not immediately possible.

Environment researchers and scientists use Raspberry Pi based IoT devices to collect and stream environmental data (as MQTT data stream) to a server(MQTT Broker) in their research institution’s network.

IoT or Raspberry Pi devices when placed in open fields or remote rural locations where internet access via WiFi is not readily available, Starlink, 3G or 4G LTE dongle or 4G/5G modems or mobile cellular routers could be used to get internet access to the Raspberry Pi in the field.

SocketXP IoT Platform provides remote connectivity solution to IoT or Raspberry Pi devices in the field using secure tunnels without having to setup port-forwarding or hack the configuration in your cellular modem or dongle.

In the following section, we’ll discuss how to setup Raspberry Pi or IoT device for remote SSH access over a Startlink, 3G or 4G LTE or 5G mobile cellular network using SocketXP.

How SocketXP IoT Remote SSH solution works

Install a simple, secure and lightweight SocketXP IoT agent on your IoT device or Rasperry Pi. The SocketXP agent will securely connect (using a SSL/TLS tunnel) to the SocketXP IoT Cloud Gateway using an authentication token. You can access your IoT device or Raspberry Pi from the SocketXP Cloud Gateway Portal.

SocketXP is a highly scalable solution. It can connect more than 10K RPi or IoT devices for a single user account.

Follow the below instructions to remote SSH into your IoT or Raspberry Pi device.

Step 1: Download and Install

Download and install (opens new window) the SocketXP IoT agent on your IoT or Raspberry Pi device.

Step 2: Get your Authentication Token

Sign up at (opens new window) and get your authentication token.

Use the following command to login to the SocketXP IoT Cloud Gateway using the auth token.

Step 3: Create SocketXP SSL Tunnel Endpoint for Remote SSH

Use the following command to create a secure and private SSL tunnel endpoint at the SocketXP IoT Cloud Gateway.

$ socketxp connect tcp://localhost:22 --iot-device-id "tempsensor-00001" 
TCP tunnel [test-user-gmail-com-34445] created.
Access the tunnel using SocketXP agent in IoT Slave Mode

Where TCP port 22 is the default port at which the SSH server running in your IoT device would listen for SSH connections from any SSH clients. The “ — iot-device-id” represents a unique identifier assigned to the IoT device within your organization. It could be any string value but it must be unique for each device.

Security Info:

SocketXP does not create any public TCP tunnel endpoints that can be connected and accessed by anyone in the internet using an SSH client. SocketXP TCP tunnel endpoints are not exposed to the internet and can be accessed only using the SocketXP agent (using the auth token of the user) or through the XTERM terminal in the SocketXP Portal page.

You could now remote SSH into your IoT device or Raspberry Pi by clicking the terminal icon as shown in the screenshot below.

Next, you’ll will be prompted to provide your SSH login and password.

Once your credentials are authenticated with your SSH server you’ll be logged into your device’s shell prompt.

The screen capture below shows the “htop” shell command output from an SSH session created using the XTERM window in the SocketXP Portal page.

Single-Touch Installation

The 3 step instruction explained above to setup SocketXP on your IoT device is a tedious process, if you have thousands of RPi to install, configure and manage.

With this mind, SocketXP IoT Solution also provides a single-touch installation for installing and configuring SocketXP IoT Agent on large number IoT or RPi devices.

Copy paste the below single-touch installation command from the SocketXP portal page into the terminal of your IoT devices and it will install/configure/setup and bring up the devices online in our SocketXP portal.


The above single-touch installation command works best for Raspberry Pi based IoT devices. The script automatically retrieves the Raspberry Pi device serial number from /proc/cpuinfo system file and uses it as the IoT Device ID when configuring the device with the SocketXP IoT Cloud Gatway.

If your IoT device is not Raspberry Pi based and doesn’t have the serial number available in /proc/cpuinfo system file, then provide an organizationally unique device identifier Eg: techron-ABC123456789 as an argument to the script.

Platform Architecture Type:

The above single-touch installation command automatically reads your CPU platform arch and OS type information from the uname -m command output.

If your device is Arduino, MiniPC, NVIDIA Jetson, UDOO, Asus Tinker Board, Banana Pi, Orange Pi, Nano Pi or other Pi variations, feel free to edit the script to meet your device or platform archtecture requirements.

In addition to installing and configuring SocketXP IoT Agent on your Raspberry Pi device, the single touch installation command would also make the SocketXP IoT Agent to run as a Linux Systemd deamon in the background. So that whenever your device gets rebooted, SocketXP IoT Agent will be automatically kickstarted on boot up.

Sample Configurations for various usecases:

The installation script takes the following arguments:

IoT Remote SSH Configuration

An example use of the script for remote SSH configuration would like this:

$./ -a "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." -d "techron-ABC123456789" -p "arm" -l "tcp://"

IoT Remote Web Service Access Configuration

For example, to set up remote access for the web service running inside your IoT device, use the below sample command:

$./ -a "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." -p "arm" -l "http://localhost:80" -s "techron-ABC123456789"

Note the use of -s <subdomain prefix> argument in the above command, which is a mandatory argument for web service usecase. The IoT Device ID is used as the subdomain prefix to easily map the device to the SocketXP Public URL used to access the device.

In this case, the public URL generated by SocketXP IoT Cloud Gateway would look like this:

SocketXP Public URL:

How to setup both SSH and webservice HTTP remote access:

The single-touch installation script creates a config file at: $HOME/config.json It would look something like this:

Update the tunnels section in the above config file to include the HTTP webservice as well. The config.json file would look like this:

Restart the socketxp systemd service using the following command. So that the above config change could take effect.

$ systemctl restart socketxp $ systemctl status socketxp

The SocketXP public web URL generated for your webservice would look something like this:

You could update the destination URL, destination HTTP port and the subdomain name in the above config.json file to the one that suits for your webservice.

If you have few more HTTP services running in your device, and you would like to generate public web URL for each of those services too, then repeat the same steps explained above. Add a new service configuration in the tunnels section in the config.json file. And finally don't forget to restart the socketxp systemd service for the new configuration to take effect.

Configuring SocketXP agent to run in slave mode

This is an alternate method for connecting to your RPi from a remote location using the SocketXP IoT solution.

If you don’t want to access your IoT device or RPi from the browser(SocketXP Portal) and you want to access it using an SSH client on your laptop or desktop, follow the instructions below.

First download and install the regular SocketXP agent software on your accessing device (such as a laptop running Windows or Mac OS). Next, configure the agent to run in slave mode using the command option “ — iot-slave” as shown in the example below. Also, specify the device ID of the IoT device you want to connect to, using the --iot-device-id option.

$ socketxp connect tcp://localhost:3000 --iot-slave --iot-device-id "abc123456789" 
Listening for TCP connections at: Local URL -> tcp://localhost:3000 Accessing the IoT device from your laptop

Where port 3000 is the local proxy port at which the SocketXP agent is listening for SSH connections from any SSH client. You could specify any free port in your laptop as a local proxy port instead of 3000.

Why this is important?:

SocketXP IoT Agent when run in IoT Slave Mode acts like a localproxy server. It proxies all connections to a user-specified local port (3000 in the example above) in your laptop/PC to the SocketXP IoT Cloud Gateway using a secure SSL/TLS tunnel. Also the SocketXP IoT Agent authenticates itself with the SocketXP IoT Cloud Gateway using your auth token. This ensures that only legitimate, authenticated users are permitted to access your remote IoT devices. SocketXP ensures Zero-Trust security on all connected devices.

Now you can SSH into your IoT device using the local proxy port (3000), as shown in the example below.

$ ssh -i ~/.ssh/john-private.key john@localhost -p 3000

Where john is a user account that exists in your IoT device.


You can also use SSH client to remote SSH into your device using the same parameters show above. You can also use PuTTY or FileZilla (opens new window) to perform SFTP actions such as file upload and file download on your remote IoT or Pi device.

SocketXP Scaling and Performance

SocketXP IoT Gateway easily supports 10K devices or more per customer account. SocketXP IoT Gateway also has the built-in capability to grow on demand, as it is deployed as a Kubernetes service in the Google Cloud Platform.


We recommend that you download, install and configure SocketXP agent on your IoT device using the WiFi connection in your office network. This way you could save your cellular data for use in the field. Once you have setup SocketXP IoT agent on your device, you could shutdown the WiFi interface in your IoT device and turn-on the WLAN interface (the interface on which your 3G or 4G LTE dongle is connected.). Verify you could remote SSH into your device from the SocketXP portal via your cellular network. Your device is ready to be placed in the field for secure remote access.

Originally published at



Ganesh Velrajan

Ganesh Velrajan is the founder of Ampas Labs Inc. Learn more about our SSH Remote Access Solutions at and