Reaching a device in my LAN from the Internet











up vote
17
down vote

favorite
3












I have an embedded device that I can program via Ethernet IP when it's connected on the same router with the PC as follows:



enter image description here



Is it possible to send the whole traffic through the Internet and still be able to program it? To make it a little bit more clear, something like:



enter image description here










share|improve this question




















  • 6




    "Ethernet IP"? Isn't that just... a regular LAN-like network?
    – grawity
    2 days ago










  • “Programming via Ethernet IP" — what exactly does that mean? It would help if you could specify what device and IDE you are talking about. I assume the IDE connects to the device on a given IP address and TCP port to receive commands?
    – slhck
    2 days ago










  • @grawity yes it's a regular LAN.Like network & at slhck I'm use codesys IDE and a device with codesys Runtime on it !
    – Engine
    2 days ago






  • 3




    The obvious answer is IPv6, of course.
    – Michael Hampton
    2 days ago










  • @MichaelHampton A simple programmable device is unlikely to support ipv6
    – rahuldottech
    yesterday

















up vote
17
down vote

favorite
3












I have an embedded device that I can program via Ethernet IP when it's connected on the same router with the PC as follows:



enter image description here



Is it possible to send the whole traffic through the Internet and still be able to program it? To make it a little bit more clear, something like:



enter image description here










share|improve this question




















  • 6




    "Ethernet IP"? Isn't that just... a regular LAN-like network?
    – grawity
    2 days ago










  • “Programming via Ethernet IP" — what exactly does that mean? It would help if you could specify what device and IDE you are talking about. I assume the IDE connects to the device on a given IP address and TCP port to receive commands?
    – slhck
    2 days ago










  • @grawity yes it's a regular LAN.Like network & at slhck I'm use codesys IDE and a device with codesys Runtime on it !
    – Engine
    2 days ago






  • 3




    The obvious answer is IPv6, of course.
    – Michael Hampton
    2 days ago










  • @MichaelHampton A simple programmable device is unlikely to support ipv6
    – rahuldottech
    yesterday















up vote
17
down vote

favorite
3









up vote
17
down vote

favorite
3






3





I have an embedded device that I can program via Ethernet IP when it's connected on the same router with the PC as follows:



enter image description here



Is it possible to send the whole traffic through the Internet and still be able to program it? To make it a little bit more clear, something like:



enter image description here










share|improve this question















I have an embedded device that I can program via Ethernet IP when it's connected on the same router with the PC as follows:



enter image description here



Is it possible to send the whole traffic through the Internet and still be able to program it? To make it a little bit more clear, something like:



enter image description here







networking remote-access






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 2 days ago









slhck

157k46434461




157k46434461










asked 2 days ago









Engine

20126




20126








  • 6




    "Ethernet IP"? Isn't that just... a regular LAN-like network?
    – grawity
    2 days ago










  • “Programming via Ethernet IP" — what exactly does that mean? It would help if you could specify what device and IDE you are talking about. I assume the IDE connects to the device on a given IP address and TCP port to receive commands?
    – slhck
    2 days ago










  • @grawity yes it's a regular LAN.Like network & at slhck I'm use codesys IDE and a device with codesys Runtime on it !
    – Engine
    2 days ago






  • 3




    The obvious answer is IPv6, of course.
    – Michael Hampton
    2 days ago










  • @MichaelHampton A simple programmable device is unlikely to support ipv6
    – rahuldottech
    yesterday
















  • 6




    "Ethernet IP"? Isn't that just... a regular LAN-like network?
    – grawity
    2 days ago










  • “Programming via Ethernet IP" — what exactly does that mean? It would help if you could specify what device and IDE you are talking about. I assume the IDE connects to the device on a given IP address and TCP port to receive commands?
    – slhck
    2 days ago










  • @grawity yes it's a regular LAN.Like network & at slhck I'm use codesys IDE and a device with codesys Runtime on it !
    – Engine
    2 days ago






  • 3




    The obvious answer is IPv6, of course.
    – Michael Hampton
    2 days ago










  • @MichaelHampton A simple programmable device is unlikely to support ipv6
    – rahuldottech
    yesterday










6




6




"Ethernet IP"? Isn't that just... a regular LAN-like network?
– grawity
2 days ago




"Ethernet IP"? Isn't that just... a regular LAN-like network?
– grawity
2 days ago












“Programming via Ethernet IP" — what exactly does that mean? It would help if you could specify what device and IDE you are talking about. I assume the IDE connects to the device on a given IP address and TCP port to receive commands?
– slhck
2 days ago




“Programming via Ethernet IP" — what exactly does that mean? It would help if you could specify what device and IDE you are talking about. I assume the IDE connects to the device on a given IP address and TCP port to receive commands?
– slhck
2 days ago












@grawity yes it's a regular LAN.Like network & at slhck I'm use codesys IDE and a device with codesys Runtime on it !
– Engine
2 days ago




@grawity yes it's a regular LAN.Like network & at slhck I'm use codesys IDE and a device with codesys Runtime on it !
– Engine
2 days ago




3




3




The obvious answer is IPv6, of course.
– Michael Hampton
2 days ago




The obvious answer is IPv6, of course.
– Michael Hampton
2 days ago












@MichaelHampton A simple programmable device is unlikely to support ipv6
– rahuldottech
yesterday






@MichaelHampton A simple programmable device is unlikely to support ipv6
– rahuldottech
yesterday












5 Answers
5






active

oldest

votes

















up vote
50
down vote



accepted










The simple (and unsafe) method



What you're looking for is called port forwarding [1][2].



For example, let us assume the following:




  • Your programmable device works on port 22 and has the IP 192.168.1.5


  • Your public IP is 122.176.11.55



Then you can go into your router's setting and forward a WAN port (for eg, 8022) to 192.168.1.5:22.



Now, you can remotely access the device from anywhere through the internet by accessing 122.176.11.55:8022 instead of 192.168.1.5:22 in your IDE.



Keep in mind that unless you have a static IP, your public IP can change at any time, in which case you should check out dynamic DNS services.



NOTE: unless your device has some method of authentication, someone with malicious intent will almost certainly find access to it on the open web. See below for safe alternative.



The safe (and honestly not much more complicated) method



Leave a PC (or raspberry pi, or similar) connected to your network, and access that remotely instead through something safe like SSH, and then program your device through it over LAN.

This also has the added advantage of working even if your device doesn't use TCP or UDP :)



A bit tedious, yes. But safe.






share|improve this answer



















  • 10




    It would also help to make a note, that if OP sets a portforwarding open to do this, everyone else in the whole world could potentially change the code. Unless there's some form of authentication too, sooner or later, portsniffers will find the port and a hacker will attempt to break in, that's a guarantee.
    – LPChip
    2 days ago










  • @LPChip Indeed! I should've mentioned that, my bad.
    – rahuldottech
    2 days ago










  • Nice addition. :) I would give you a +1 for it, but I already gave it earler, because even without the warning, it was already a good answer. :)
    – LPChip
    2 days ago








  • 2




    @FreeMan later as in, it can take days before a bot crawler comes along, depending on what port you use, but sooner in the sense that, if you are unlucky, it can happen in a matter of minutes.
    – LPChip
    2 days ago






  • 1




    @IsmaelMiguel Of course, you should do all the obvious basic security stuff. I just have no way of knowing what they are in this specific case.
    – rahuldottech
    2 days ago


















up vote
10
down vote













The one and only correct answer can be "VPN".



Simply using IPv6 would "work" (assuming the router isn't configured to firewall off the device, and all of ISP, device, and laptop support IPv6), but it is a terrible idea for the same reason port forwarding is.



Other than promoted by the well-known IPv6 propaganda, you actually do not ever want any of the devices on your LAN being uniquely identifiable or even accessible from the internet. No, that is not a good thing.



Port forwarding would "work" with good old IPv4, but it makes the device accessible not only to you but to everybody. Nobody knows, so that's no problem, right?

Well, there's an army of automated port scanners running 24/7 and scanning random addresses/ports in the hope anything, anywhere might possibly answer, so generally having any device that will answer to an external request online isn't optimal. If a device will happily have itself programmed according to what comes in via the network, that's a recipe for desaster.

The above is in principle true for VPN as well, but it's pretty much as good as you can get, if you want access. The only truly safe thing is no internet connection at all, which is not a practical option for obvious reasons. The next safest thing to "no internet" is VPN. Exactly one port on exactly one device (well, it depends, up to three ports), exposing VPN and nothing else, port-forwarded to the internet.



VPN lets you -- but nobody else -- access a device on your LAN via the internet as if you were on the same LAN (although a bit slower). It prevents unauthorized access, it provides confidentiality, and data integrity.



Virtually every no-shit router supports at least one flavor of VPN out of the box. Unluckily, depending on what router model you have, it may be a poor flavor of VPN or it may be poorly documented how to configure the remote computer. Still, despite the possible hassle of figuring out how to configure it -- if you have nothing better, that's by far the best option!

Most common NAS boxes support two or three no-suck methods of VPN, and every $20 credit-card sized 3 Watt computer can run a VPN server, no problem. Even many modern mobile phones support VPN without having to install extra software, so you can even access your home network when you're using your phone's mobile internet (via private hotspot, even).



For example, L2TP/IPSec may not be the most awesome choice, but it's 99% good and takes one minute to set up on my Disk Station and on my Samsung phone. Another minute if my Windows laptop is to use it as well (independently of the phone). No extra software needed.

OpenVPN takes like 3-5 minutes of setup because you'll have to download install the client software on the laptop. But in the greater picture, a 5 min setup counts as "zero", compared to being completely unsafe.






share|improve this answer

















  • 5




    Buying 3rd-party services is not the only answer. You can get the same effect with SSH or RDP.
    – jpaugh
    2 days ago






  • 4




    The two and only correct answers are VPN or SSH tunnels...Some VPN protocols aren't very good either at preventing MITM...
    – trognanders
    yesterday






  • 5




    SSH is way cheaper, more convenient, and easier to set up and probably the better option in this scenario
    – rahuldottech
    yesterday










  • @jpaugh: VPN does not involve any 3rd party services. While I'll readily agree that SSH can be made to work, it is nowhere near the same as VPN when it comes to ease of setup, no-extra-installs-no-hoops universal availability, and last but not least, seamless usability. Now, about RDP... you are of course joking, right? Not only is it the pristine implementation the probably most exploited software in the world (or at least in the top-5), but also the protocol itself is inherently insecure, using broken (workable, not theoretical) ciphers, and a TLS version which was superseded a decade ago.
    – Damon
    yesterday






  • 4




    -1 simply for "one and only" in the title, SSH with port forwarding is also completely valid and probably safer since you don't necessarily have to give remote access to your entire network, just one port of one device, and most likely it's easy to configure and you aren't relying on a router's random software implementation of a rarely used feature.
    – Bill K
    yesterday


















up vote
2
down vote













Host a VPN, either in a router/security gateway appliance, or another box with port forwarding to that box. Whenever you want to work remotely, connect to the VPN, and you will see the embedded device as if it were on a local network. It would probably be a good idea to place the embedded device in an isolated subnet, to help prevent attacks on your main network if the VPN or the embedded device is compromised.






share|improve this answer








New contributor




Michael P is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

























    up vote
    1
    down vote













    Make Windows PC without IDE into a Linux PC in a reasonably secure configuration with sshd running. Port forward from your router to the SSH port on the Linux machine. Use SSH tunnels to connect to the embedded device IP. Then when programming on your remote machine with an IDE, you will connect to localhost instead of the LAN IP.



    Listening on the internet with a hardened service like SSH is reasonably safe. Listening directly on the internet with development anything is a fabulously bad idea. SSH is a gatekeeper. If you make sure to verify the host key, it protects against MITM absolutely. It uses good cryptography. The tunneling setup does not involve routing or bridging but instead looks as if you are connecting directly from the SSHD machine. This is vastly simpler to setup correctly.






    share|improve this answer





















    • You can... Just run an SSH server on Windows, you don't need Linux here.
      – rahuldottech
      yesterday










    • "Then when programming on your remote machine with an IDE, you will connect to localhost instead of the LAN IP." This bit doesn't make sense to me, elaborate?
      – rahuldottech
      yesterday










    • @rahuldottech SSH port forwarding works at the tcp level. On the server the sshd opens connections to the resource on the local lan and forwards the contents of that socket over SSH. On the remote machine the ssh client listens on a localhost port. When you connect to localhost on that port it is the SSH client, and it just hooks the tcp connections together. Kinda weird but really versatile since there is no ip routing!
      – trognanders
      yesterday




















    up vote
    -1
    down vote













    I have recently come across a better solution for personal only remote access. First let's discuss the scope of the problem. There are three issues that come into play: the nat, the ip address, and the security. For example in the common cases where you wish to run a ssh or web server on a home network the traditional approach is port forwarding and dynamic dns and industry standard best practices for security. This has disadvantages for your case as your device does not have standard security. This can be mitigated by using ssh port forwarding as opposed to opening your device to the internet, but you still have to deal with nat traversal since your device (and the ssh server on your raspberry pi you are about to set up) does not have a publicly reachable IP address and the IP address of your router is subject to change (assuming there is only one nat between you and the internet) you still would need to setup port forwarding (or in the case of multiple routers, multiple port forwarding) and dynamic dns so you can still reach your ssh server.



    There is however a simpler solution, and believe it or not that is tor hidden services. tor hidden services basically act as a port forward, but automatically handles nat traversal, and does not have a changing address so dynamic dns is not needed. There are of course issues of the onion address being hard to remember, but If you are the only user, you can write it down in one of your project files. I would recommend still paring this with a ssh server to provide authentication, but you may decide that the long onion address is enough. Also tor hidden services provide encryption of the entire link except for the last hop so the only way to get better is end to end encryption, but that would depend on the device you are programing.






    share|improve this answer

















    • 4




      Using onion services will only make this way more complicated with no added benefits. Tor can be useful. Won't be in this case.
      – rahuldottech
      2 days ago











    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "3"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














     

    draft saved


    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1374979%2freaching-a-device-in-my-lan-from-the-internet%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    5 Answers
    5






    active

    oldest

    votes








    5 Answers
    5






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    50
    down vote



    accepted










    The simple (and unsafe) method



    What you're looking for is called port forwarding [1][2].



    For example, let us assume the following:




    • Your programmable device works on port 22 and has the IP 192.168.1.5


    • Your public IP is 122.176.11.55



    Then you can go into your router's setting and forward a WAN port (for eg, 8022) to 192.168.1.5:22.



    Now, you can remotely access the device from anywhere through the internet by accessing 122.176.11.55:8022 instead of 192.168.1.5:22 in your IDE.



    Keep in mind that unless you have a static IP, your public IP can change at any time, in which case you should check out dynamic DNS services.



    NOTE: unless your device has some method of authentication, someone with malicious intent will almost certainly find access to it on the open web. See below for safe alternative.



    The safe (and honestly not much more complicated) method



    Leave a PC (or raspberry pi, or similar) connected to your network, and access that remotely instead through something safe like SSH, and then program your device through it over LAN.

    This also has the added advantage of working even if your device doesn't use TCP or UDP :)



    A bit tedious, yes. But safe.






    share|improve this answer



















    • 10




      It would also help to make a note, that if OP sets a portforwarding open to do this, everyone else in the whole world could potentially change the code. Unless there's some form of authentication too, sooner or later, portsniffers will find the port and a hacker will attempt to break in, that's a guarantee.
      – LPChip
      2 days ago










    • @LPChip Indeed! I should've mentioned that, my bad.
      – rahuldottech
      2 days ago










    • Nice addition. :) I would give you a +1 for it, but I already gave it earler, because even without the warning, it was already a good answer. :)
      – LPChip
      2 days ago








    • 2




      @FreeMan later as in, it can take days before a bot crawler comes along, depending on what port you use, but sooner in the sense that, if you are unlucky, it can happen in a matter of minutes.
      – LPChip
      2 days ago






    • 1




      @IsmaelMiguel Of course, you should do all the obvious basic security stuff. I just have no way of knowing what they are in this specific case.
      – rahuldottech
      2 days ago















    up vote
    50
    down vote



    accepted










    The simple (and unsafe) method



    What you're looking for is called port forwarding [1][2].



    For example, let us assume the following:




    • Your programmable device works on port 22 and has the IP 192.168.1.5


    • Your public IP is 122.176.11.55



    Then you can go into your router's setting and forward a WAN port (for eg, 8022) to 192.168.1.5:22.



    Now, you can remotely access the device from anywhere through the internet by accessing 122.176.11.55:8022 instead of 192.168.1.5:22 in your IDE.



    Keep in mind that unless you have a static IP, your public IP can change at any time, in which case you should check out dynamic DNS services.



    NOTE: unless your device has some method of authentication, someone with malicious intent will almost certainly find access to it on the open web. See below for safe alternative.



    The safe (and honestly not much more complicated) method



    Leave a PC (or raspberry pi, or similar) connected to your network, and access that remotely instead through something safe like SSH, and then program your device through it over LAN.

    This also has the added advantage of working even if your device doesn't use TCP or UDP :)



    A bit tedious, yes. But safe.






    share|improve this answer



















    • 10




      It would also help to make a note, that if OP sets a portforwarding open to do this, everyone else in the whole world could potentially change the code. Unless there's some form of authentication too, sooner or later, portsniffers will find the port and a hacker will attempt to break in, that's a guarantee.
      – LPChip
      2 days ago










    • @LPChip Indeed! I should've mentioned that, my bad.
      – rahuldottech
      2 days ago










    • Nice addition. :) I would give you a +1 for it, but I already gave it earler, because even without the warning, it was already a good answer. :)
      – LPChip
      2 days ago








    • 2




      @FreeMan later as in, it can take days before a bot crawler comes along, depending on what port you use, but sooner in the sense that, if you are unlucky, it can happen in a matter of minutes.
      – LPChip
      2 days ago






    • 1




      @IsmaelMiguel Of course, you should do all the obvious basic security stuff. I just have no way of knowing what they are in this specific case.
      – rahuldottech
      2 days ago













    up vote
    50
    down vote



    accepted







    up vote
    50
    down vote



    accepted






    The simple (and unsafe) method



    What you're looking for is called port forwarding [1][2].



    For example, let us assume the following:




    • Your programmable device works on port 22 and has the IP 192.168.1.5


    • Your public IP is 122.176.11.55



    Then you can go into your router's setting and forward a WAN port (for eg, 8022) to 192.168.1.5:22.



    Now, you can remotely access the device from anywhere through the internet by accessing 122.176.11.55:8022 instead of 192.168.1.5:22 in your IDE.



    Keep in mind that unless you have a static IP, your public IP can change at any time, in which case you should check out dynamic DNS services.



    NOTE: unless your device has some method of authentication, someone with malicious intent will almost certainly find access to it on the open web. See below for safe alternative.



    The safe (and honestly not much more complicated) method



    Leave a PC (or raspberry pi, or similar) connected to your network, and access that remotely instead through something safe like SSH, and then program your device through it over LAN.

    This also has the added advantage of working even if your device doesn't use TCP or UDP :)



    A bit tedious, yes. But safe.






    share|improve this answer














    The simple (and unsafe) method



    What you're looking for is called port forwarding [1][2].



    For example, let us assume the following:




    • Your programmable device works on port 22 and has the IP 192.168.1.5


    • Your public IP is 122.176.11.55



    Then you can go into your router's setting and forward a WAN port (for eg, 8022) to 192.168.1.5:22.



    Now, you can remotely access the device from anywhere through the internet by accessing 122.176.11.55:8022 instead of 192.168.1.5:22 in your IDE.



    Keep in mind that unless you have a static IP, your public IP can change at any time, in which case you should check out dynamic DNS services.



    NOTE: unless your device has some method of authentication, someone with malicious intent will almost certainly find access to it on the open web. See below for safe alternative.



    The safe (and honestly not much more complicated) method



    Leave a PC (or raspberry pi, or similar) connected to your network, and access that remotely instead through something safe like SSH, and then program your device through it over LAN.

    This also has the added advantage of working even if your device doesn't use TCP or UDP :)



    A bit tedious, yes. But safe.







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited 2 days ago

























    answered 2 days ago









    rahuldottech

    3,28932445




    3,28932445








    • 10




      It would also help to make a note, that if OP sets a portforwarding open to do this, everyone else in the whole world could potentially change the code. Unless there's some form of authentication too, sooner or later, portsniffers will find the port and a hacker will attempt to break in, that's a guarantee.
      – LPChip
      2 days ago










    • @LPChip Indeed! I should've mentioned that, my bad.
      – rahuldottech
      2 days ago










    • Nice addition. :) I would give you a +1 for it, but I already gave it earler, because even without the warning, it was already a good answer. :)
      – LPChip
      2 days ago








    • 2




      @FreeMan later as in, it can take days before a bot crawler comes along, depending on what port you use, but sooner in the sense that, if you are unlucky, it can happen in a matter of minutes.
      – LPChip
      2 days ago






    • 1




      @IsmaelMiguel Of course, you should do all the obvious basic security stuff. I just have no way of knowing what they are in this specific case.
      – rahuldottech
      2 days ago














    • 10




      It would also help to make a note, that if OP sets a portforwarding open to do this, everyone else in the whole world could potentially change the code. Unless there's some form of authentication too, sooner or later, portsniffers will find the port and a hacker will attempt to break in, that's a guarantee.
      – LPChip
      2 days ago










    • @LPChip Indeed! I should've mentioned that, my bad.
      – rahuldottech
      2 days ago










    • Nice addition. :) I would give you a +1 for it, but I already gave it earler, because even without the warning, it was already a good answer. :)
      – LPChip
      2 days ago








    • 2




      @FreeMan later as in, it can take days before a bot crawler comes along, depending on what port you use, but sooner in the sense that, if you are unlucky, it can happen in a matter of minutes.
      – LPChip
      2 days ago






    • 1




      @IsmaelMiguel Of course, you should do all the obvious basic security stuff. I just have no way of knowing what they are in this specific case.
      – rahuldottech
      2 days ago








    10




    10




    It would also help to make a note, that if OP sets a portforwarding open to do this, everyone else in the whole world could potentially change the code. Unless there's some form of authentication too, sooner or later, portsniffers will find the port and a hacker will attempt to break in, that's a guarantee.
    – LPChip
    2 days ago




    It would also help to make a note, that if OP sets a portforwarding open to do this, everyone else in the whole world could potentially change the code. Unless there's some form of authentication too, sooner or later, portsniffers will find the port and a hacker will attempt to break in, that's a guarantee.
    – LPChip
    2 days ago












    @LPChip Indeed! I should've mentioned that, my bad.
    – rahuldottech
    2 days ago




    @LPChip Indeed! I should've mentioned that, my bad.
    – rahuldottech
    2 days ago












    Nice addition. :) I would give you a +1 for it, but I already gave it earler, because even without the warning, it was already a good answer. :)
    – LPChip
    2 days ago






    Nice addition. :) I would give you a +1 for it, but I already gave it earler, because even without the warning, it was already a good answer. :)
    – LPChip
    2 days ago






    2




    2




    @FreeMan later as in, it can take days before a bot crawler comes along, depending on what port you use, but sooner in the sense that, if you are unlucky, it can happen in a matter of minutes.
    – LPChip
    2 days ago




    @FreeMan later as in, it can take days before a bot crawler comes along, depending on what port you use, but sooner in the sense that, if you are unlucky, it can happen in a matter of minutes.
    – LPChip
    2 days ago




    1




    1




    @IsmaelMiguel Of course, you should do all the obvious basic security stuff. I just have no way of knowing what they are in this specific case.
    – rahuldottech
    2 days ago




    @IsmaelMiguel Of course, you should do all the obvious basic security stuff. I just have no way of knowing what they are in this specific case.
    – rahuldottech
    2 days ago












    up vote
    10
    down vote













    The one and only correct answer can be "VPN".



    Simply using IPv6 would "work" (assuming the router isn't configured to firewall off the device, and all of ISP, device, and laptop support IPv6), but it is a terrible idea for the same reason port forwarding is.



    Other than promoted by the well-known IPv6 propaganda, you actually do not ever want any of the devices on your LAN being uniquely identifiable or even accessible from the internet. No, that is not a good thing.



    Port forwarding would "work" with good old IPv4, but it makes the device accessible not only to you but to everybody. Nobody knows, so that's no problem, right?

    Well, there's an army of automated port scanners running 24/7 and scanning random addresses/ports in the hope anything, anywhere might possibly answer, so generally having any device that will answer to an external request online isn't optimal. If a device will happily have itself programmed according to what comes in via the network, that's a recipe for desaster.

    The above is in principle true for VPN as well, but it's pretty much as good as you can get, if you want access. The only truly safe thing is no internet connection at all, which is not a practical option for obvious reasons. The next safest thing to "no internet" is VPN. Exactly one port on exactly one device (well, it depends, up to three ports), exposing VPN and nothing else, port-forwarded to the internet.



    VPN lets you -- but nobody else -- access a device on your LAN via the internet as if you were on the same LAN (although a bit slower). It prevents unauthorized access, it provides confidentiality, and data integrity.



    Virtually every no-shit router supports at least one flavor of VPN out of the box. Unluckily, depending on what router model you have, it may be a poor flavor of VPN or it may be poorly documented how to configure the remote computer. Still, despite the possible hassle of figuring out how to configure it -- if you have nothing better, that's by far the best option!

    Most common NAS boxes support two or three no-suck methods of VPN, and every $20 credit-card sized 3 Watt computer can run a VPN server, no problem. Even many modern mobile phones support VPN without having to install extra software, so you can even access your home network when you're using your phone's mobile internet (via private hotspot, even).



    For example, L2TP/IPSec may not be the most awesome choice, but it's 99% good and takes one minute to set up on my Disk Station and on my Samsung phone. Another minute if my Windows laptop is to use it as well (independently of the phone). No extra software needed.

    OpenVPN takes like 3-5 minutes of setup because you'll have to download install the client software on the laptop. But in the greater picture, a 5 min setup counts as "zero", compared to being completely unsafe.






    share|improve this answer

















    • 5




      Buying 3rd-party services is not the only answer. You can get the same effect with SSH or RDP.
      – jpaugh
      2 days ago






    • 4




      The two and only correct answers are VPN or SSH tunnels...Some VPN protocols aren't very good either at preventing MITM...
      – trognanders
      yesterday






    • 5




      SSH is way cheaper, more convenient, and easier to set up and probably the better option in this scenario
      – rahuldottech
      yesterday










    • @jpaugh: VPN does not involve any 3rd party services. While I'll readily agree that SSH can be made to work, it is nowhere near the same as VPN when it comes to ease of setup, no-extra-installs-no-hoops universal availability, and last but not least, seamless usability. Now, about RDP... you are of course joking, right? Not only is it the pristine implementation the probably most exploited software in the world (or at least in the top-5), but also the protocol itself is inherently insecure, using broken (workable, not theoretical) ciphers, and a TLS version which was superseded a decade ago.
      – Damon
      yesterday






    • 4




      -1 simply for "one and only" in the title, SSH with port forwarding is also completely valid and probably safer since you don't necessarily have to give remote access to your entire network, just one port of one device, and most likely it's easy to configure and you aren't relying on a router's random software implementation of a rarely used feature.
      – Bill K
      yesterday















    up vote
    10
    down vote













    The one and only correct answer can be "VPN".



    Simply using IPv6 would "work" (assuming the router isn't configured to firewall off the device, and all of ISP, device, and laptop support IPv6), but it is a terrible idea for the same reason port forwarding is.



    Other than promoted by the well-known IPv6 propaganda, you actually do not ever want any of the devices on your LAN being uniquely identifiable or even accessible from the internet. No, that is not a good thing.



    Port forwarding would "work" with good old IPv4, but it makes the device accessible not only to you but to everybody. Nobody knows, so that's no problem, right?

    Well, there's an army of automated port scanners running 24/7 and scanning random addresses/ports in the hope anything, anywhere might possibly answer, so generally having any device that will answer to an external request online isn't optimal. If a device will happily have itself programmed according to what comes in via the network, that's a recipe for desaster.

    The above is in principle true for VPN as well, but it's pretty much as good as you can get, if you want access. The only truly safe thing is no internet connection at all, which is not a practical option for obvious reasons. The next safest thing to "no internet" is VPN. Exactly one port on exactly one device (well, it depends, up to three ports), exposing VPN and nothing else, port-forwarded to the internet.



    VPN lets you -- but nobody else -- access a device on your LAN via the internet as if you were on the same LAN (although a bit slower). It prevents unauthorized access, it provides confidentiality, and data integrity.



    Virtually every no-shit router supports at least one flavor of VPN out of the box. Unluckily, depending on what router model you have, it may be a poor flavor of VPN or it may be poorly documented how to configure the remote computer. Still, despite the possible hassle of figuring out how to configure it -- if you have nothing better, that's by far the best option!

    Most common NAS boxes support two or three no-suck methods of VPN, and every $20 credit-card sized 3 Watt computer can run a VPN server, no problem. Even many modern mobile phones support VPN without having to install extra software, so you can even access your home network when you're using your phone's mobile internet (via private hotspot, even).



    For example, L2TP/IPSec may not be the most awesome choice, but it's 99% good and takes one minute to set up on my Disk Station and on my Samsung phone. Another minute if my Windows laptop is to use it as well (independently of the phone). No extra software needed.

    OpenVPN takes like 3-5 minutes of setup because you'll have to download install the client software on the laptop. But in the greater picture, a 5 min setup counts as "zero", compared to being completely unsafe.






    share|improve this answer

















    • 5




      Buying 3rd-party services is not the only answer. You can get the same effect with SSH or RDP.
      – jpaugh
      2 days ago






    • 4




      The two and only correct answers are VPN or SSH tunnels...Some VPN protocols aren't very good either at preventing MITM...
      – trognanders
      yesterday






    • 5




      SSH is way cheaper, more convenient, and easier to set up and probably the better option in this scenario
      – rahuldottech
      yesterday










    • @jpaugh: VPN does not involve any 3rd party services. While I'll readily agree that SSH can be made to work, it is nowhere near the same as VPN when it comes to ease of setup, no-extra-installs-no-hoops universal availability, and last but not least, seamless usability. Now, about RDP... you are of course joking, right? Not only is it the pristine implementation the probably most exploited software in the world (or at least in the top-5), but also the protocol itself is inherently insecure, using broken (workable, not theoretical) ciphers, and a TLS version which was superseded a decade ago.
      – Damon
      yesterday






    • 4




      -1 simply for "one and only" in the title, SSH with port forwarding is also completely valid and probably safer since you don't necessarily have to give remote access to your entire network, just one port of one device, and most likely it's easy to configure and you aren't relying on a router's random software implementation of a rarely used feature.
      – Bill K
      yesterday













    up vote
    10
    down vote










    up vote
    10
    down vote









    The one and only correct answer can be "VPN".



    Simply using IPv6 would "work" (assuming the router isn't configured to firewall off the device, and all of ISP, device, and laptop support IPv6), but it is a terrible idea for the same reason port forwarding is.



    Other than promoted by the well-known IPv6 propaganda, you actually do not ever want any of the devices on your LAN being uniquely identifiable or even accessible from the internet. No, that is not a good thing.



    Port forwarding would "work" with good old IPv4, but it makes the device accessible not only to you but to everybody. Nobody knows, so that's no problem, right?

    Well, there's an army of automated port scanners running 24/7 and scanning random addresses/ports in the hope anything, anywhere might possibly answer, so generally having any device that will answer to an external request online isn't optimal. If a device will happily have itself programmed according to what comes in via the network, that's a recipe for desaster.

    The above is in principle true for VPN as well, but it's pretty much as good as you can get, if you want access. The only truly safe thing is no internet connection at all, which is not a practical option for obvious reasons. The next safest thing to "no internet" is VPN. Exactly one port on exactly one device (well, it depends, up to three ports), exposing VPN and nothing else, port-forwarded to the internet.



    VPN lets you -- but nobody else -- access a device on your LAN via the internet as if you were on the same LAN (although a bit slower). It prevents unauthorized access, it provides confidentiality, and data integrity.



    Virtually every no-shit router supports at least one flavor of VPN out of the box. Unluckily, depending on what router model you have, it may be a poor flavor of VPN or it may be poorly documented how to configure the remote computer. Still, despite the possible hassle of figuring out how to configure it -- if you have nothing better, that's by far the best option!

    Most common NAS boxes support two or three no-suck methods of VPN, and every $20 credit-card sized 3 Watt computer can run a VPN server, no problem. Even many modern mobile phones support VPN without having to install extra software, so you can even access your home network when you're using your phone's mobile internet (via private hotspot, even).



    For example, L2TP/IPSec may not be the most awesome choice, but it's 99% good and takes one minute to set up on my Disk Station and on my Samsung phone. Another minute if my Windows laptop is to use it as well (independently of the phone). No extra software needed.

    OpenVPN takes like 3-5 minutes of setup because you'll have to download install the client software on the laptop. But in the greater picture, a 5 min setup counts as "zero", compared to being completely unsafe.






    share|improve this answer












    The one and only correct answer can be "VPN".



    Simply using IPv6 would "work" (assuming the router isn't configured to firewall off the device, and all of ISP, device, and laptop support IPv6), but it is a terrible idea for the same reason port forwarding is.



    Other than promoted by the well-known IPv6 propaganda, you actually do not ever want any of the devices on your LAN being uniquely identifiable or even accessible from the internet. No, that is not a good thing.



    Port forwarding would "work" with good old IPv4, but it makes the device accessible not only to you but to everybody. Nobody knows, so that's no problem, right?

    Well, there's an army of automated port scanners running 24/7 and scanning random addresses/ports in the hope anything, anywhere might possibly answer, so generally having any device that will answer to an external request online isn't optimal. If a device will happily have itself programmed according to what comes in via the network, that's a recipe for desaster.

    The above is in principle true for VPN as well, but it's pretty much as good as you can get, if you want access. The only truly safe thing is no internet connection at all, which is not a practical option for obvious reasons. The next safest thing to "no internet" is VPN. Exactly one port on exactly one device (well, it depends, up to three ports), exposing VPN and nothing else, port-forwarded to the internet.



    VPN lets you -- but nobody else -- access a device on your LAN via the internet as if you were on the same LAN (although a bit slower). It prevents unauthorized access, it provides confidentiality, and data integrity.



    Virtually every no-shit router supports at least one flavor of VPN out of the box. Unluckily, depending on what router model you have, it may be a poor flavor of VPN or it may be poorly documented how to configure the remote computer. Still, despite the possible hassle of figuring out how to configure it -- if you have nothing better, that's by far the best option!

    Most common NAS boxes support two or three no-suck methods of VPN, and every $20 credit-card sized 3 Watt computer can run a VPN server, no problem. Even many modern mobile phones support VPN without having to install extra software, so you can even access your home network when you're using your phone's mobile internet (via private hotspot, even).



    For example, L2TP/IPSec may not be the most awesome choice, but it's 99% good and takes one minute to set up on my Disk Station and on my Samsung phone. Another minute if my Windows laptop is to use it as well (independently of the phone). No extra software needed.

    OpenVPN takes like 3-5 minutes of setup because you'll have to download install the client software on the laptop. But in the greater picture, a 5 min setup counts as "zero", compared to being completely unsafe.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered 2 days ago









    Damon

    3,37031623




    3,37031623








    • 5




      Buying 3rd-party services is not the only answer. You can get the same effect with SSH or RDP.
      – jpaugh
      2 days ago






    • 4




      The two and only correct answers are VPN or SSH tunnels...Some VPN protocols aren't very good either at preventing MITM...
      – trognanders
      yesterday






    • 5




      SSH is way cheaper, more convenient, and easier to set up and probably the better option in this scenario
      – rahuldottech
      yesterday










    • @jpaugh: VPN does not involve any 3rd party services. While I'll readily agree that SSH can be made to work, it is nowhere near the same as VPN when it comes to ease of setup, no-extra-installs-no-hoops universal availability, and last but not least, seamless usability. Now, about RDP... you are of course joking, right? Not only is it the pristine implementation the probably most exploited software in the world (or at least in the top-5), but also the protocol itself is inherently insecure, using broken (workable, not theoretical) ciphers, and a TLS version which was superseded a decade ago.
      – Damon
      yesterday






    • 4




      -1 simply for "one and only" in the title, SSH with port forwarding is also completely valid and probably safer since you don't necessarily have to give remote access to your entire network, just one port of one device, and most likely it's easy to configure and you aren't relying on a router's random software implementation of a rarely used feature.
      – Bill K
      yesterday














    • 5




      Buying 3rd-party services is not the only answer. You can get the same effect with SSH or RDP.
      – jpaugh
      2 days ago






    • 4




      The two and only correct answers are VPN or SSH tunnels...Some VPN protocols aren't very good either at preventing MITM...
      – trognanders
      yesterday






    • 5




      SSH is way cheaper, more convenient, and easier to set up and probably the better option in this scenario
      – rahuldottech
      yesterday










    • @jpaugh: VPN does not involve any 3rd party services. While I'll readily agree that SSH can be made to work, it is nowhere near the same as VPN when it comes to ease of setup, no-extra-installs-no-hoops universal availability, and last but not least, seamless usability. Now, about RDP... you are of course joking, right? Not only is it the pristine implementation the probably most exploited software in the world (or at least in the top-5), but also the protocol itself is inherently insecure, using broken (workable, not theoretical) ciphers, and a TLS version which was superseded a decade ago.
      – Damon
      yesterday






    • 4




      -1 simply for "one and only" in the title, SSH with port forwarding is also completely valid and probably safer since you don't necessarily have to give remote access to your entire network, just one port of one device, and most likely it's easy to configure and you aren't relying on a router's random software implementation of a rarely used feature.
      – Bill K
      yesterday








    5




    5




    Buying 3rd-party services is not the only answer. You can get the same effect with SSH or RDP.
    – jpaugh
    2 days ago




    Buying 3rd-party services is not the only answer. You can get the same effect with SSH or RDP.
    – jpaugh
    2 days ago




    4




    4




    The two and only correct answers are VPN or SSH tunnels...Some VPN protocols aren't very good either at preventing MITM...
    – trognanders
    yesterday




    The two and only correct answers are VPN or SSH tunnels...Some VPN protocols aren't very good either at preventing MITM...
    – trognanders
    yesterday




    5




    5




    SSH is way cheaper, more convenient, and easier to set up and probably the better option in this scenario
    – rahuldottech
    yesterday




    SSH is way cheaper, more convenient, and easier to set up and probably the better option in this scenario
    – rahuldottech
    yesterday












    @jpaugh: VPN does not involve any 3rd party services. While I'll readily agree that SSH can be made to work, it is nowhere near the same as VPN when it comes to ease of setup, no-extra-installs-no-hoops universal availability, and last but not least, seamless usability. Now, about RDP... you are of course joking, right? Not only is it the pristine implementation the probably most exploited software in the world (or at least in the top-5), but also the protocol itself is inherently insecure, using broken (workable, not theoretical) ciphers, and a TLS version which was superseded a decade ago.
    – Damon
    yesterday




    @jpaugh: VPN does not involve any 3rd party services. While I'll readily agree that SSH can be made to work, it is nowhere near the same as VPN when it comes to ease of setup, no-extra-installs-no-hoops universal availability, and last but not least, seamless usability. Now, about RDP... you are of course joking, right? Not only is it the pristine implementation the probably most exploited software in the world (or at least in the top-5), but also the protocol itself is inherently insecure, using broken (workable, not theoretical) ciphers, and a TLS version which was superseded a decade ago.
    – Damon
    yesterday




    4




    4




    -1 simply for "one and only" in the title, SSH with port forwarding is also completely valid and probably safer since you don't necessarily have to give remote access to your entire network, just one port of one device, and most likely it's easy to configure and you aren't relying on a router's random software implementation of a rarely used feature.
    – Bill K
    yesterday




    -1 simply for "one and only" in the title, SSH with port forwarding is also completely valid and probably safer since you don't necessarily have to give remote access to your entire network, just one port of one device, and most likely it's easy to configure and you aren't relying on a router's random software implementation of a rarely used feature.
    – Bill K
    yesterday










    up vote
    2
    down vote













    Host a VPN, either in a router/security gateway appliance, or another box with port forwarding to that box. Whenever you want to work remotely, connect to the VPN, and you will see the embedded device as if it were on a local network. It would probably be a good idea to place the embedded device in an isolated subnet, to help prevent attacks on your main network if the VPN or the embedded device is compromised.






    share|improve this answer








    New contributor




    Michael P is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.






















      up vote
      2
      down vote













      Host a VPN, either in a router/security gateway appliance, or another box with port forwarding to that box. Whenever you want to work remotely, connect to the VPN, and you will see the embedded device as if it were on a local network. It would probably be a good idea to place the embedded device in an isolated subnet, to help prevent attacks on your main network if the VPN or the embedded device is compromised.






      share|improve this answer








      New contributor




      Michael P is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.




















        up vote
        2
        down vote










        up vote
        2
        down vote









        Host a VPN, either in a router/security gateway appliance, or another box with port forwarding to that box. Whenever you want to work remotely, connect to the VPN, and you will see the embedded device as if it were on a local network. It would probably be a good idea to place the embedded device in an isolated subnet, to help prevent attacks on your main network if the VPN or the embedded device is compromised.






        share|improve this answer








        New contributor




        Michael P is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.









        Host a VPN, either in a router/security gateway appliance, or another box with port forwarding to that box. Whenever you want to work remotely, connect to the VPN, and you will see the embedded device as if it were on a local network. It would probably be a good idea to place the embedded device in an isolated subnet, to help prevent attacks on your main network if the VPN or the embedded device is compromised.







        share|improve this answer








        New contributor




        Michael P is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.









        share|improve this answer



        share|improve this answer






        New contributor




        Michael P is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.









        answered 2 days ago









        Michael P

        211




        211




        New contributor




        Michael P is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.





        New contributor





        Michael P is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.






        Michael P is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.






















            up vote
            1
            down vote













            Make Windows PC without IDE into a Linux PC in a reasonably secure configuration with sshd running. Port forward from your router to the SSH port on the Linux machine. Use SSH tunnels to connect to the embedded device IP. Then when programming on your remote machine with an IDE, you will connect to localhost instead of the LAN IP.



            Listening on the internet with a hardened service like SSH is reasonably safe. Listening directly on the internet with development anything is a fabulously bad idea. SSH is a gatekeeper. If you make sure to verify the host key, it protects against MITM absolutely. It uses good cryptography. The tunneling setup does not involve routing or bridging but instead looks as if you are connecting directly from the SSHD machine. This is vastly simpler to setup correctly.






            share|improve this answer





















            • You can... Just run an SSH server on Windows, you don't need Linux here.
              – rahuldottech
              yesterday










            • "Then when programming on your remote machine with an IDE, you will connect to localhost instead of the LAN IP." This bit doesn't make sense to me, elaborate?
              – rahuldottech
              yesterday










            • @rahuldottech SSH port forwarding works at the tcp level. On the server the sshd opens connections to the resource on the local lan and forwards the contents of that socket over SSH. On the remote machine the ssh client listens on a localhost port. When you connect to localhost on that port it is the SSH client, and it just hooks the tcp connections together. Kinda weird but really versatile since there is no ip routing!
              – trognanders
              yesterday

















            up vote
            1
            down vote













            Make Windows PC without IDE into a Linux PC in a reasonably secure configuration with sshd running. Port forward from your router to the SSH port on the Linux machine. Use SSH tunnels to connect to the embedded device IP. Then when programming on your remote machine with an IDE, you will connect to localhost instead of the LAN IP.



            Listening on the internet with a hardened service like SSH is reasonably safe. Listening directly on the internet with development anything is a fabulously bad idea. SSH is a gatekeeper. If you make sure to verify the host key, it protects against MITM absolutely. It uses good cryptography. The tunneling setup does not involve routing or bridging but instead looks as if you are connecting directly from the SSHD machine. This is vastly simpler to setup correctly.






            share|improve this answer





















            • You can... Just run an SSH server on Windows, you don't need Linux here.
              – rahuldottech
              yesterday










            • "Then when programming on your remote machine with an IDE, you will connect to localhost instead of the LAN IP." This bit doesn't make sense to me, elaborate?
              – rahuldottech
              yesterday










            • @rahuldottech SSH port forwarding works at the tcp level. On the server the sshd opens connections to the resource on the local lan and forwards the contents of that socket over SSH. On the remote machine the ssh client listens on a localhost port. When you connect to localhost on that port it is the SSH client, and it just hooks the tcp connections together. Kinda weird but really versatile since there is no ip routing!
              – trognanders
              yesterday















            up vote
            1
            down vote










            up vote
            1
            down vote









            Make Windows PC without IDE into a Linux PC in a reasonably secure configuration with sshd running. Port forward from your router to the SSH port on the Linux machine. Use SSH tunnels to connect to the embedded device IP. Then when programming on your remote machine with an IDE, you will connect to localhost instead of the LAN IP.



            Listening on the internet with a hardened service like SSH is reasonably safe. Listening directly on the internet with development anything is a fabulously bad idea. SSH is a gatekeeper. If you make sure to verify the host key, it protects against MITM absolutely. It uses good cryptography. The tunneling setup does not involve routing or bridging but instead looks as if you are connecting directly from the SSHD machine. This is vastly simpler to setup correctly.






            share|improve this answer












            Make Windows PC without IDE into a Linux PC in a reasonably secure configuration with sshd running. Port forward from your router to the SSH port on the Linux machine. Use SSH tunnels to connect to the embedded device IP. Then when programming on your remote machine with an IDE, you will connect to localhost instead of the LAN IP.



            Listening on the internet with a hardened service like SSH is reasonably safe. Listening directly on the internet with development anything is a fabulously bad idea. SSH is a gatekeeper. If you make sure to verify the host key, it protects against MITM absolutely. It uses good cryptography. The tunneling setup does not involve routing or bridging but instead looks as if you are connecting directly from the SSHD machine. This is vastly simpler to setup correctly.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered yesterday









            trognanders

            23825




            23825












            • You can... Just run an SSH server on Windows, you don't need Linux here.
              – rahuldottech
              yesterday










            • "Then when programming on your remote machine with an IDE, you will connect to localhost instead of the LAN IP." This bit doesn't make sense to me, elaborate?
              – rahuldottech
              yesterday










            • @rahuldottech SSH port forwarding works at the tcp level. On the server the sshd opens connections to the resource on the local lan and forwards the contents of that socket over SSH. On the remote machine the ssh client listens on a localhost port. When you connect to localhost on that port it is the SSH client, and it just hooks the tcp connections together. Kinda weird but really versatile since there is no ip routing!
              – trognanders
              yesterday




















            • You can... Just run an SSH server on Windows, you don't need Linux here.
              – rahuldottech
              yesterday










            • "Then when programming on your remote machine with an IDE, you will connect to localhost instead of the LAN IP." This bit doesn't make sense to me, elaborate?
              – rahuldottech
              yesterday










            • @rahuldottech SSH port forwarding works at the tcp level. On the server the sshd opens connections to the resource on the local lan and forwards the contents of that socket over SSH. On the remote machine the ssh client listens on a localhost port. When you connect to localhost on that port it is the SSH client, and it just hooks the tcp connections together. Kinda weird but really versatile since there is no ip routing!
              – trognanders
              yesterday


















            You can... Just run an SSH server on Windows, you don't need Linux here.
            – rahuldottech
            yesterday




            You can... Just run an SSH server on Windows, you don't need Linux here.
            – rahuldottech
            yesterday












            "Then when programming on your remote machine with an IDE, you will connect to localhost instead of the LAN IP." This bit doesn't make sense to me, elaborate?
            – rahuldottech
            yesterday




            "Then when programming on your remote machine with an IDE, you will connect to localhost instead of the LAN IP." This bit doesn't make sense to me, elaborate?
            – rahuldottech
            yesterday












            @rahuldottech SSH port forwarding works at the tcp level. On the server the sshd opens connections to the resource on the local lan and forwards the contents of that socket over SSH. On the remote machine the ssh client listens on a localhost port. When you connect to localhost on that port it is the SSH client, and it just hooks the tcp connections together. Kinda weird but really versatile since there is no ip routing!
            – trognanders
            yesterday






            @rahuldottech SSH port forwarding works at the tcp level. On the server the sshd opens connections to the resource on the local lan and forwards the contents of that socket over SSH. On the remote machine the ssh client listens on a localhost port. When you connect to localhost on that port it is the SSH client, and it just hooks the tcp connections together. Kinda weird but really versatile since there is no ip routing!
            – trognanders
            yesterday












            up vote
            -1
            down vote













            I have recently come across a better solution for personal only remote access. First let's discuss the scope of the problem. There are three issues that come into play: the nat, the ip address, and the security. For example in the common cases where you wish to run a ssh or web server on a home network the traditional approach is port forwarding and dynamic dns and industry standard best practices for security. This has disadvantages for your case as your device does not have standard security. This can be mitigated by using ssh port forwarding as opposed to opening your device to the internet, but you still have to deal with nat traversal since your device (and the ssh server on your raspberry pi you are about to set up) does not have a publicly reachable IP address and the IP address of your router is subject to change (assuming there is only one nat between you and the internet) you still would need to setup port forwarding (or in the case of multiple routers, multiple port forwarding) and dynamic dns so you can still reach your ssh server.



            There is however a simpler solution, and believe it or not that is tor hidden services. tor hidden services basically act as a port forward, but automatically handles nat traversal, and does not have a changing address so dynamic dns is not needed. There are of course issues of the onion address being hard to remember, but If you are the only user, you can write it down in one of your project files. I would recommend still paring this with a ssh server to provide authentication, but you may decide that the long onion address is enough. Also tor hidden services provide encryption of the entire link except for the last hop so the only way to get better is end to end encryption, but that would depend on the device you are programing.






            share|improve this answer

















            • 4




              Using onion services will only make this way more complicated with no added benefits. Tor can be useful. Won't be in this case.
              – rahuldottech
              2 days ago















            up vote
            -1
            down vote













            I have recently come across a better solution for personal only remote access. First let's discuss the scope of the problem. There are three issues that come into play: the nat, the ip address, and the security. For example in the common cases where you wish to run a ssh or web server on a home network the traditional approach is port forwarding and dynamic dns and industry standard best practices for security. This has disadvantages for your case as your device does not have standard security. This can be mitigated by using ssh port forwarding as opposed to opening your device to the internet, but you still have to deal with nat traversal since your device (and the ssh server on your raspberry pi you are about to set up) does not have a publicly reachable IP address and the IP address of your router is subject to change (assuming there is only one nat between you and the internet) you still would need to setup port forwarding (or in the case of multiple routers, multiple port forwarding) and dynamic dns so you can still reach your ssh server.



            There is however a simpler solution, and believe it or not that is tor hidden services. tor hidden services basically act as a port forward, but automatically handles nat traversal, and does not have a changing address so dynamic dns is not needed. There are of course issues of the onion address being hard to remember, but If you are the only user, you can write it down in one of your project files. I would recommend still paring this with a ssh server to provide authentication, but you may decide that the long onion address is enough. Also tor hidden services provide encryption of the entire link except for the last hop so the only way to get better is end to end encryption, but that would depend on the device you are programing.






            share|improve this answer

















            • 4




              Using onion services will only make this way more complicated with no added benefits. Tor can be useful. Won't be in this case.
              – rahuldottech
              2 days ago













            up vote
            -1
            down vote










            up vote
            -1
            down vote









            I have recently come across a better solution for personal only remote access. First let's discuss the scope of the problem. There are three issues that come into play: the nat, the ip address, and the security. For example in the common cases where you wish to run a ssh or web server on a home network the traditional approach is port forwarding and dynamic dns and industry standard best practices for security. This has disadvantages for your case as your device does not have standard security. This can be mitigated by using ssh port forwarding as opposed to opening your device to the internet, but you still have to deal with nat traversal since your device (and the ssh server on your raspberry pi you are about to set up) does not have a publicly reachable IP address and the IP address of your router is subject to change (assuming there is only one nat between you and the internet) you still would need to setup port forwarding (or in the case of multiple routers, multiple port forwarding) and dynamic dns so you can still reach your ssh server.



            There is however a simpler solution, and believe it or not that is tor hidden services. tor hidden services basically act as a port forward, but automatically handles nat traversal, and does not have a changing address so dynamic dns is not needed. There are of course issues of the onion address being hard to remember, but If you are the only user, you can write it down in one of your project files. I would recommend still paring this with a ssh server to provide authentication, but you may decide that the long onion address is enough. Also tor hidden services provide encryption of the entire link except for the last hop so the only way to get better is end to end encryption, but that would depend on the device you are programing.






            share|improve this answer












            I have recently come across a better solution for personal only remote access. First let's discuss the scope of the problem. There are three issues that come into play: the nat, the ip address, and the security. For example in the common cases where you wish to run a ssh or web server on a home network the traditional approach is port forwarding and dynamic dns and industry standard best practices for security. This has disadvantages for your case as your device does not have standard security. This can be mitigated by using ssh port forwarding as opposed to opening your device to the internet, but you still have to deal with nat traversal since your device (and the ssh server on your raspberry pi you are about to set up) does not have a publicly reachable IP address and the IP address of your router is subject to change (assuming there is only one nat between you and the internet) you still would need to setup port forwarding (or in the case of multiple routers, multiple port forwarding) and dynamic dns so you can still reach your ssh server.



            There is however a simpler solution, and believe it or not that is tor hidden services. tor hidden services basically act as a port forward, but automatically handles nat traversal, and does not have a changing address so dynamic dns is not needed. There are of course issues of the onion address being hard to remember, but If you are the only user, you can write it down in one of your project files. I would recommend still paring this with a ssh server to provide authentication, but you may decide that the long onion address is enough. Also tor hidden services provide encryption of the entire link except for the last hop so the only way to get better is end to end encryption, but that would depend on the device you are programing.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered 2 days ago









            hildred

            495312




            495312








            • 4




              Using onion services will only make this way more complicated with no added benefits. Tor can be useful. Won't be in this case.
              – rahuldottech
              2 days ago














            • 4




              Using onion services will only make this way more complicated with no added benefits. Tor can be useful. Won't be in this case.
              – rahuldottech
              2 days ago








            4




            4




            Using onion services will only make this way more complicated with no added benefits. Tor can be useful. Won't be in this case.
            – rahuldottech
            2 days ago




            Using onion services will only make this way more complicated with no added benefits. Tor can be useful. Won't be in this case.
            – rahuldottech
            2 days ago


















             

            draft saved


            draft discarded



















































             


            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1374979%2freaching-a-device-in-my-lan-from-the-internet%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Сан-Квентин

            8-я гвардейская общевойсковая армия

            Алькесар