AutoSSH + GatewayPorts on a public server has been solid for me. Setup is a service file on the private machine and "GatewayPorts yes" in sshd_config of the public computer. Plus there's no keep-alive traffic. Combine it with dynamic DNS, a web proxy and Let's Encrypt for access to a website running on the remote computer.<p>from the systemd service file:<p><pre><code> Environment=AUTOSSH_GATETIME=0
ExecStart=/usr/bin/autossh -M 0 -N -q -o "ServerAliveInterval 60" \
    -o "ServerAliveCountMax 3" -o "ExitOnForwardFailure yes" \
    -p 3004 -l pi example.org \
    -R 3006:127.0.0.1:3006 -R 8080:127.0.0.1:8080 \
    -i /home/pi/.ssh/id_rsa</code></pre>
Quite neat, and solves a big problem I had (devices at customers' sites). However, for me it would be very hard to trust you (security- and availability-wise).<p>I opted (some months ago when the problem arose) to simply set up a private VPN server, and every device I have at customers connects to it. That way, I can simply `ssh device.cust.vpn.mycompany.tld` and I'm in.
Very neat, but SSH already has capabilities built in to handle this scenario without harming security or increasing complexity.<p>To add to <i>irq-1</i>'s excellent response, another autossh method is to autossh from the device into a remote relay server (i.e. a jumpbox) that forwards the local port back to the local ssh server running on the device, which can now be listening on localhost.<p>You can try this out in literally ONE COMMAND LINE (below) and automate it quickly without installing any additional software (except perhaps autossh, which is usually in your distribution's repositories).<p><pre><code> device (autossh) -> jumpbox <- you
</code></pre>
You can also use Userify (<a href="https://userify.com" rel="nofollow">https://userify.com</a>) or similar to keep keys synchronized on the device and jumpbox in this scenario. (Userify only needs outbound https.)<p>Use RemoteForward (-R) on the autossh command line for this. See the man page for ssh(1) and especially the RemoteForward section under ssh_config(5) for details.<p>Example:<p><pre><code> # on the device:
$ ssh jumpbox -R 22001:localhost:22
</code></pre>
Now you can just log into the jumpbox on port 22001 using SSH's built-in tun support (-w) in your SSH client (or forward your agent by passing -A when logging into the jumpbox, but this could be hijacked by an attacker who'd compromised the jumpbox, so do -w instead).<p>That's all. You can automate this with ssh_config, autossh, etc., and also lock down the remote host's authorized_keys file and use a restricted shell.
You don't seem to mention pricing at all beyond the "5 devices and 5Gb/mo free". That would be useful to what I expect your main audience to be (people for whom the other obvious alternative is a cheap VPS and either OpenVPN or more manually set-up SSH tunnelling).
Using curl piped to sudo bash can be a security risk, as used to install the demo.<p><pre><code> # curl -sSL https://get.ondevice.io/ | sudo - bash
</code></pre>A fairly balanced post and mitigation options:<p><a href="https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-pgp-verified-install" rel="nofollow">https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-p...</a>
On a side-note, I was (pleasantly) surprised to recently learn that if you have macs set up with Back To My Mac, you'll get an "iCloud BTMM" IPv6 encrypted tunnel where all your devices appear via dns-sd, even across the internet: <a href="https://apple.stackexchange.com/a/53776" rel="nofollow">https://apple.stackexchange.com/a/53776</a>
The Teredo protocol (implemented by miredo-client on GNU/Linux) provides a simple way to get a public dynamic IPv6 address on a host behind NAT. Combined with dynamic DNS this solves the problem of accessing my devices from anywhere I need to.
A while ago I found out that you could do this by running a Tor hidden service on the device. If I needed it, I think I'd rather use that, or a reverse tunnel, than go through a third party.
Instead of wrapping SSH calls with an additional command, would it be possible to use a ProxyCommand? This way, anything working with "ssh" would work out of the box.
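An added example, not code from any commenter in the thread, covering three points raised above: the jumpbox lock-down via a restricted authorized_keys entry, the ProxyCommand question (answered with ProxyJump in ssh_config), and a check for the "GatewayPorts yes" setting from the autossh service comment. Host names, user names, port 22001 and the sample config fragments are constructed.

```shell
#!/bin/sh
# Added example, not code from any comment in the thread: defender-side
# settings for the "device (autossh) -> jumpbox <- you" pattern.
# Host names, user names, port 22001 and the sample configs are constructed.
set -eu

# authorized_keys entry for the device's key on the jumpbox. The key can only
# open the single reverse forward on port 22001 (no shell, pty, agent or X11
# forwarding); -L forwards could be narrowed the same way with permitopen.
# Needs OpenSSH 7.8+ for permitlisten. With GatewayPorts left at its default
# of "no" the listener stays on the jumpbox's loopback interface.
device_authorized_key() {
    printf 'restrict,port-forwarding,permitlisten="22001",command="/bin/false" %s\n' "$1"
}

# Operator-side ssh_config written to the path in $1: ProxyJump makes plain
# `ssh device` hop through the jumpbox onto the forward the device opened,
# so tools that wrap ssh (scp, rsync, ansible) work unchanged.
write_client_config() {
    cat >"$1" <<'EOF'
Host jumpbox
    HostName jumpbox.example.org
    User relay
Host device
    HostName 127.0.0.1
    Port 22001
    User pi
    ProxyJump jumpbox
EOF
}

# Audit for an sshd_config read on stdin: an unconditional "GatewayPorts yes"
# exposes every reverse forward (such as 8080 above) to the whole Internet,
# not only to users already logged into the jumpbox. Exit 0 if found.
gatewayports_open() {
    grep -Eiq '^[[:space:]]*GatewayPorts[[:space:]]+yes([[:space:]]|$)'
}

# Constructed sshd_config fragments for trying the audit function.
SAMPLE_OPEN='Port 3004
gatewayports Yes
PermitRootLogin no'
SAMPLE_SAFE='Port 3004
# GatewayPorts yes
GatewayPorts clientspecified'
```

Pipe a real sshd_config into gatewayports_open to check a jumpbox, and pass the device's public key line to device_authorized_key to produce the entry for the relay user's authorized_keys.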
Similar to StrongDM, except it does less. SDM implements the SSH protocol, which allows both session logging (for audit and training purposes) and on-prem deployment. It supports all SSH services such as shell (for interactive operation), exec (for remote scripting, like ansible and scp) and subsystems (like sftp). And on top of that it supports DB connections through the same tunnel (again with query logging for audit purposes).<p>The on-prem part is really neat.<p>Disclaimer: I work at StrongDM.<p>Edit: fixed typo
The tor option has already been mentioned. The other useful option if you don't have your own server with static addresses is dynamic DNS and then simply set up a VPN or reverse SSH connections to the dyndns hostname on your DSL or whatever. Certainly more sensible than a cloud service with a hilarious 5GB traffic limit that also unavoidably adds unnecessary latency to the connection.
I've contemplated doing something similar. Except the way I'd do it is statically link OpenSSH and Tor into a single portable binary. Then create an onion service to a local sshd. Then just provide the onion address (still would use traditional auth). Of course lots of configurability. This has lots of benefits of course and can be completely self contained and ephemeral.
At a previous job we had the same setup to SSH to our customers' embedded devices for diagnostics. Incredibly useful. I've been playing with the idea of providing this as a service since then; interesting to see if this is viable.
Check out ZeroTier [1]. You can place all your devices on a virtual LAN. Not affiliated.<p>[1] <a href="https://zerotier.com/" rel="nofollow">https://zerotier.com/</a>
Seems very much like Gravitational Teleport -
<a href="https://gravitational.com/teleport/" rel="nofollow">https://gravitational.com/teleport/</a>