I’m looking for a solution to connect to my home network while away. I have several machines I could use to do it, but they’re all behind my ISP router. I can port forward, but I haven’t had luck with creating a DMZ.
I’m fairly experienced on a hobby level with Linux, but I’m still a bit of a novice beyond basic networking.
I’ve been trying to find and understand a self hosted VPN solution that would allow my laptop to refer to my home LAN IP addresses for various services. I’d like to remove a few port forwards and replace them with a single certificate based solution I connect to when I need the services.
Is SSH tunneling an option to do this? Is there a good VPN solution for a device behind my ISP router and NAT? I’m not sure I fully understand what SSH tunneling is.
Laptop is Fedora 35
Servers are RHEL 8.5 and Raspbian
Forget about the ssh tunnel. Effectively you’d be needing to portforward ssh towards a system in your network. Then you’d setup a ssh tunnel from cliwnt end (so needs a ssh client) and then send all traffic that needs to reach a system or service in your home network through that tunnel. Works great in environments where there is no other option to make use of services except for ssh. Security officers don’t like the idea in corporate environments because it allows for traffic that no-one can see as it is all tunneled but is really great if you don’t have systems in between that can run a graphical interface to run an gui application. You can then send all traffic through as many in between systems also running sshd to your own laptop or pc or whatever that is initiating the 1st step in the tunnel. Used it for example to get to the cloud, with 3 or 4 jumphosts in between…
In your case however it opens up ssh to the internet (even if you’d obfuscate it a bit by running it on another port on the outside and then forward it to the system running the sshd service).
You would have to make sure that any accounts that can be connected to must use ssh passphrases only and accept no longer passwords to make sure only you can connect to protect against password hammering. And other protection like automatically incressing the retry times by (temporary) locking accounts.
I rather have a vpn server act as the portal to my network as it has security as the primary as focus, more so even than ssh. So if you don’t know ssh tunneling yet, don’t bet on it for what you try to achieve. If you do it wrong, your home network is much more prone to become compromised than when using a vpn service, especiialy a simplified approach like what pivpn offers using server and client certificates and all required configuration…
Check out Tailscale. Seriously, it’s dead simple to set up and use, and it worked like a charm. Their free tier allows for one user and up to 20 devices. And it doesn’t require any port forwarding.
I personally do this with SSH. But, I am an old curmudgeon from the days when your options for setting this kind of remote access at home were limited and I stick to what I know works, as opposed to what is best today.
I have both Tailscale and ZeroTier installed with both being set up to give me full access to my network. I have both pointing to my internal DNS server which contains details of the services and devices on my network. I haven’t had to open any ports on my router to do this.
One caveat is that when connected to some public WiFi hotspots Tailscale/ZeroTier are blocked. I have found that Tailscale works on more public WiFi than ZeroTier.
For SSH tunnelling you’d need to expose port 22 on your router. You can SSH over Tailscale/ZeroTier but it is done just as you would on your local network.
all answers are great, but you dont specify what exactly you want to archive. 1) “I’m looking for a solution to connect to my home network while away”, " home LAN IP addresses for various services" AND . 2) “I can port forward, but I haven’t had luck with creating a DMZ.” with “SSH Tunneling” is completely different things (at least for me).
If 1) - access to network - its about VPN; if its about “ISP router” its possible you dont have access and cant do port-forwarding on it, device on home network with vpn cant liste on port, its require vpn to work as vpn endpoint for laptop (wireguard on laptop → wireguard on vps → wireguard home) or solutions like tailscale)
if 2) - access specific service at home - its depends on service, for ssh or http[s] or rdp, as already mentioned, cloudflare (if you do trust them), or, if using vps, there’s many ways, like simple nginx reverse-proxy (over vpn or tunnel), or … ssh/any other tunnel, or google/duckduckgo “awesome-tunneling” lists
Tailscale all the way. Probably my favorite, as it uses WireGuard. Just look up a YouTube tutorial, or don’t. It’s really simple to use not gonna lie. Just sign into https://tailscale.com and it shows you instructions on how to install on your linux/windows/mac device, and I have 17ms ping between devices with the server which is impressive.
This. And to make it including ad blocking, search wirehole, it’s a docket conpose containing WireGuard, Pihole and a dns provider. I use it on my phone, where it always turns vpn on automatically unless I’m on my home network.
Also use split tunnel so downloads are going outside of the vpn, so it doesn’t throttle internet speed through the vpn.
Also, if you’re on a Debian distribution (Ubuntu, PiOS, Standard Debian, etc.), PiVPN (designed to be used raspberryPi) makes the setup a snap. It works with just about any Debian distribution, intel or arm.
This is what I currently do to access machines within the network. I have a dedicated jump host and use portforwarding to get to it. SSL terminated nginx reverse proxy to reach the web GUI’s of other services like Home Assistant. I’d prefer the blanket solution to be my computer just “appearing” on my home network from afar. I’m going to look to take a look into pivpn and wireguard. I’m averse to using a third party VPN (which is why I haven’t just gone with OpenVPN)