[HN Gopher] Access your Raspberry Pi without a public IP
___________________________________________________________________
Access your Raspberry Pi without a public IP
Author : ghoshbishakh
Score : 21 points
Date : 2024-10-18 19:02 UTC (3 days ago)
(HTM) web link (pinggy.io)
| supportengineer wrote:
| How/why would I trust "xrdp" and/or pinggy.io? It sounds like I'm
| allowing them unfettered access into my home network.
| josephcsible wrote:
| xrdp is the standard Linux RDP server and is probably provided
| by your distro, which you have to trust anyway. And that `ssh
| -R` command only gives pinggy.io access to the host:port you
| specify, not your entire network.
| dlachausse wrote:
| In theory what you're saying is true, but in practice if
| someone gains access to a machine on your network it becomes
| significantly easier to gain access to additional machines on
| your network.
| hedora wrote:
| It's had remotely exploitable vulnerabilities in recent
| years, and I know of no Linux distribution that configures it
| to listen on an external port by default.
|
| Pinggy does seem to support incoming IP whitelists, at least.
| resoluteteeth wrote:
| > However, all of these methods usually require port forwarding,
| which can pose security risks.
|
| Except that pinggy appears to be an ngrok clone which is
| basically equivalent to port forwarding in terms of security.
|
| If you don't want to expose the port for security reasons you are
| better off using tailscale/zerotier/wireguard.
| mossTechnician wrote:
| How do you tell Pinggy is closer to ngrok than Tailscale? To me
| (I've never used any of these services) they all look more or
| less the same, with slightly different interfaces. I wouldn't
| know _how_ to distinguish a more secure option from a less
| secure one.
|
| I see somebody else also mentioned Raspberry Pi itself has a
| similar service.
| abound wrote:
| > How do you tell Pinggy is closer to ngrok than Tailscale?
|
| Taking a quick look at the article, it seems like you route
| traffic _through_ Pinggy, whereas Tailscale is mostly (minus
| the TURN stuff) peer to peer with some NAT-busting
| PLG88 wrote:
| The main difference is that Pinggy works via a public IP,
| whereas Tailscale is a private network overlay. Pinggy
| falls into the bucket of solutions like ngrok, zrok,
| Tailscale 'Funnel', Cloudflare Tunnel etc.
| PLG88 wrote:
| Except it's not. Port forwarding exposes your local environment
| to the internet, unrestricted. Pinggy (and other sharing
| platforms - https://github.com/anderspitman/awesome-tunneling)
| share a resource on a public IP, which should be at the very
| least behind basic auth. The 'better alternative' you describe
| is an overlay network. These things have different purposes.
| resoluteteeth wrote:
| OK, looking into it more it appears that pinggy actually has
| pretty good options for adding authentication (I guess that's
| what you were referring to by basic authentication, not just
| the service being exposed having basic authentication) and
| based on that it does seem that it could be more secure than
| just forwarding the port if the service being exposed doesn't
| have built in authentication, and that would make me a lot
| more tempted to use it.
|
| The article for some reason didn't explain that at all or
| show examples using pinggy's authentication features. If the
| article had talked about that, the assertion about being more
| secure would have made a lot more sense.
| PLG88 wrote:
| Agreed. It surprises me that many of these services do not
| either lead with auth or have it as an important secondary.
| For many, port forwarding is a pain, so it solves that, but
| the security IMHO is just as important.
|
| It's a shame lists like -
| https://github.com/anderspitman/awesome-tunneling - do not
| call this out. fwiw, the one I work on, zrok.io (in truth,
| I work on its parent project, OpenZiti) has that hardening
| and auth because we believe it's vital.
| james_pm wrote:
| Or just use https://www.raspberrypi.com/software/connect/
| dlachausse wrote:
| Thank you! I never knew about this.
| ghoshbishakh wrote:
| Oh! Something like this exists! Thanks for sharing.
| ta988 wrote:
| How is it different from tmate, which allows using ssh keys for
| auth?
| waingake wrote:
| Here is a much better technique which only relies on SSH
| https://www.jeffgeerling.com/blog/2022/ssh-and-http-raspberr...
| emmelaich wrote:
| If you do this or similar, choose very good passwords because it
| is certain to be probed.
|
| Also consider using the whitelist option.
| sleepybrett wrote:
| tailscale/wireguard
| morninglight wrote:
| AT&T Archives on YouTube.
|
| https://www.youtube.com/playlist?list=PLDB8B8220DEE96FD9
| Its_Padar wrote:
| These are certainly good ways to go about it, but
| https://www.raspberrypi.com/software/connect/ does exist and is
| completely free and pretty easy to use.
___________________________________________________________________
(page generated 2024-10-21 23:00 UTC)