What is port forwarding?
You will probably need to expose an IoT embedded device from the local network to the external internet in order to access it from anywhere in the world, and you will want to do this safely. With specific router configuration knowledge, it is feasible to manually open ports so that you can access a web server running on the Raspberry Pi through a specific port, such as port 80, or open port 22 for an SSH connection.
Defining and performing Port Forwarding
Port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router. This technique allows remote computers (for example, computers on the Internet) to connect to a specific computer or service within a private local network (LAN).
When used with SSH, port forwarding constructs secure transit tunnels that are encrypted between local computers and remote devices. The effect of setting this up is that a user can send important information, that would otherwise be unencrypted, through a secure and encrypted connection.
The great benefit of port forwarding is that due to its incorporation of encrypted tunnels, it will avoid and bypass poorly configured routers and sniffers. It also helps to provide access to servers that would otherwise be hard to reach, to get access to a remote device, or to set up a temporary secure tunnel so that a user can allow another machine temporary access to their machine.
Three different types of Port Forwarding
There are different types of SSH-based port forwarding. Jack Wallen from TechRepublic provides an expert description of how to use two of these methods, which we briefly summarise here.
Dynamic Port Forwarding
Connections from various programs are forwarded, via the SSH client, to an SSH server, and finally to several destination servers.
Local Port Forwarding
Connections from an SSH client are forwarded, via the SSH server, to a destination server. You can connect to your desired destination by creating an SSH tunnel from your client to the destination, so that when your browser is pointed at localhost on port 8080 the connection is redirected to the destination. To do this, open a terminal window on the client and issue the command:
ssh -L 8080:DESTINATION_HOST:80 localhost
You would then need to enter the password for the client. This creates an SSH connection back to the client and also creates the SSH tunnel to the destination. Once the user's local account is authenticated, they can open their browser and point it at localhost on port 8080; the browser will be redirected to the desired destination.
Remote Port Forwarding
Connections from an SSH server are forwarded, via the SSH client, to a destination server. Remote port forwarding is like local port forwarding in reverse. This approach supports setting up a secure tunnel to allow a third party access via VNC to your client device. To make this work, you need to add the following line to the /etc/ssh/sshd_config file in your text editor:
GatewayPorts yes
Then the SSH daemon needs to be restarted with the following command:
sudo systemctl restart sshd
To make the secure connection, the user needs access to the 3rd party’s machine. You would take the 3rd party’s IP address and issue the following command to set up the secure tunnel for the VNC access.
ssh -R 5900:localhost:5900 USERNAME@THIRD_PARTY_IP
The username would be the username the user would have access to on the 3rd party’s machine. The user would need to authenticate with the USERNAME password on the remote machine. For the duration of the SSH session, the third party would have an encrypted VNC tunnel to the user’s machine, via localhost at port 5900.
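The two commands above (the -L forward to the web server and the -R forward for VNC) differ in which machine listens and on which interface, and that is governed by GatewayPorts. The following is an added example for this article, not code from the page or from Mender: it parses the [bind_address:]port:host:hostport form used by ssh -L and -R, reads the effective GatewayPorts value from a constructed config snippet, and applies the rules from ssh(1) and sshd_config(5). It shows that the VNC listener in the -R example is loopback-only on the third party's machine under the default GatewayPorts no, and bound to all of that machine's interfaces under GatewayPorts yes.

```python
"""Where does an SSH port forward actually listen?  (Added example, not from
the article or the Mender project.)  Implements the GatewayPorts rules from
ssh(1) for -L (client side) and sshd_config(5) for -R (server side)."""
from typing import NamedTuple, Optional

LOOPBACK, ALL = "127.0.0.1", "0.0.0.0"


class Forward(NamedTuple):
    bind_address: Optional[str]  # None when the spec omitted it
    port: int
    host: str
    hostport: int


def parse_forward(spec: str) -> Forward:
    """Parse '[bind_address:]port:host:hostport' (IPv6 brackets not handled)."""
    parts = spec.split(":")
    if len(parts) == 3:
        parts = [None] + parts
    if len(parts) != 4:
        raise ValueError(f"unsupported forward spec: {spec!r}")
    bind, port, host, hostport = parts
    return Forward(bind, int(port), host, int(hostport))


def effective_gateway_ports(config_text: str) -> str:
    """First GatewayPorts value wins in ssh_config/sshd_config; default 'no'."""
    for raw in config_text.splitlines():
        fields = raw.split("#", 1)[0].replace("=", " ", 1).split(None, 1)
        if fields and fields[0].lower() == "gatewayports":
            return fields[1].strip().lower() if len(fields) > 1 else "no"
    return "no"


def _client_choice(bind: Optional[str]) -> str:
    """Bind address the client asked for: '' or '*' means every interface."""
    return ALL if bind in ("", "*") else (LOOPBACK if bind in (None, "localhost") else bind)


def listener(spec: str, direction: str, gateway_ports: str = "no") -> str:
    """Address:port the listening side binds for an -L or -R forward."""
    fwd = parse_forward(spec)
    if direction == "-L":    # ssh binds on the client; -g equals GatewayPorts yes
        addr = ALL if fwd.bind_address is None and gateway_ports == "yes" \
            else _client_choice(fwd.bind_address)
    elif direction == "-R":  # sshd binds on the server; unknown value raises KeyError
        addr = {"no": LOOPBACK, "yes": ALL,
                "clientspecified": _client_choice(fwd.bind_address)}[gateway_ports]
    else:
        raise ValueError("direction must be '-L' or '-R'")
    return f"{addr}:{fwd.port}"


if __name__ == "__main__":
    print(listener("8080:DESTINATION_HOST:80", "-L"))                    # 127.0.0.1:8080
    cfg = "GatewayPorts yes\n"                                             # constructed snippet
    print(listener("5900:localhost:5900", "-R", effective_gateway_ports(cfg)))  # 0.0.0.0:5900
```

On a real host, `sshd -T` prints the effective sshd configuration, so `sshd -T | grep -i gatewayports` is the quick way to confirm which branch applies.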
If you are unable to port forward on your router, a technique that can be used is called hole punching. Hole punching sets up a direct connection between two parties in which one or both are behind firewalls or behind routers that use network address translation (NAT). To punch a hole, each client connects to an unrestricted third-party server that temporarily stores external and internal address and port information for each client. The server then relays each client's information to the other, and using that information each client tries to establish a direct connection; because the connections use valid port numbers, restrictive firewalls or routers accept and forward the incoming packets on each side. To use hole punching, you need an external server to manage the connection, and you need to trust the server that is performing the hole punching. Hole punching also requires very specific knowledge; port forwarding, on the other hand, is the more common technique for managing remote access to an IoT device.
Mender Remote Terminal
Mender has a Remote Terminal feature that offers a secure alternative to SSH and port forwarding for remotely accessing an IoT device. Remote Terminal leverages a bidirectional channel to transmit terminal characters over an existing secure WebSocket connection. This allows you to use the same secure channel both to deliver OTA updates to your IoT device and to get shell access to it.