
Scenario

  • Multiple IoT devices, owned by different customers, running behind different NAT LANs.
  • Customers wanting to remotely access their IoT devices.
  • IoT devices have an onboard hand-rolled web server.
  • Customers currently remotely access their IoT devices via temporarily allocated (as in per connection) WAN non-CGNAT IPv4 addresses (which only one cellular carrier in the country provides).

Constraints

  • IoT devices are running bare metal firmware on minimal hardware (~8MB flash) and hence cannot run any client software (other than absolutely necessary firmware modifications).
  • IPv6 is not feasibly supported by the firmware.
  • Many of the devices are in quite remote locations and hence adding another physical device (e.g. to run something like Ngrok) is not really feasible.

Question

How do we escape the vendor lock-in of the single cellular provider, while still providing our customers remote access to their IoT devices?

Ideally we would set up a centralised reverse proxy for our customers to use, but typically reverse proxies require known upstream host addresses. In our case our upstreams would be IoT devices behind NAT LANs.

Is there an existing software/service that functions as a reverse proxy, but where the upstreams dynamically "present themselves" (to the reverse proxy)?

  • Can the devices run something like `netcat`? – Eugen Rieck Dec 19 '19 at 22:25
  • Unfortunately not, they are running a proprietary application on bare metal (i.e. not Linux or other kernel). – pleasedesktop Dec 20 '19 at 04:27
  • What you are asking for is for the device to connect out in an effort to bypass NAT. The devices are proprietary and incapable of doing that. So you will either need to use port forwarding and dyndns or you are going to have to stick a helper device on the network that allows remote access in some way. Possibly a VPN back to a central location where you provide customers access. If you do use a reverse proxy, port forwarding and dyndns could work, and be secure because you could block all IPs except for your reverse proxy server on the customer's firewall. – Appleoddity Dec 20 '19 at 04:30
  • We can alter the firmware running on the devices, I just meant proprietary as in not running Linux or something other open source system. Helper devices are unfortunately out of the question. I don't understand your suggestion about port forwarding and dynamic DNS. The units are often behind carrier-grade NAT, so port forwarding is not really an option and hence dynamic DNS doesn't help either (assuming I have interpreted your suggestion correctly). – pleasedesktop Dec 20 '19 at 12:25

1 Answer

0

Maybe take a look at frp: A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet. It also provides compiled ARM binaries.

Link to Github Project: https://github.com/fatedier/frp

Kiritow
  • 11
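The pattern the question asks for and that frp implements, as an added example (not code from the page, from frp, or from the asker): the device behind NAT opens one outbound TCP connection to a central relay and registers under a device id with a token; a customer connects to the relay, names that id, and the relay splices the two sockets, so the relay is the only Internet-facing endpoint and no inbound port is ever needed on the device's side. Assumptions labelled in the code: a shared demo token (a real deployment issues per-device secrets and wraps both legs in TLS), loopback addresses so the whole exchange runs in one process, and a firmware that can make exactly one outbound dial per session (the "absolutely necessary firmware modification" the question allows). Each registration serves a single session and the device re-dials afterwards; frp multiplexes many sessions over one control connection, which this demo does not attempt.

```python
import hmac
import socket
import threading

HOST = "127.0.0.1"                # constructed demo, not frp's code: everything runs in-process
TOKEN = "constructed-demo-token"  # constructed; real deployments use per-device secrets over TLS

def _readline(sock, limit=256):
    buf = bytearray()
    while len(buf) < limit and (ch := sock.recv(1)):  # one line, capped so a peer cannot grow memory
        buf += ch
        if ch == b"\n":
            break
    return bytes(buf).strip()

def _pipe(src, dst):
    try:
        while data := src.recv(4096):  # copy src -> dst until EOF ...
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)   # ... then half-close dst so the far side sees EOF too
    except OSError:
        pass

class Relay:
    def __init__(self, token):
        self.token = token.encode()
        self.waiting = {}         # device_id -> registered, idle device socket
        self.lock = threading.Lock()
        self.device_srv, self.client_srv = socket.create_server((HOST, 0)), socket.create_server((HOST, 0))
        self.device_port, self.client_port = (s.getsockname()[1] for s in (self.device_srv, self.client_srv))
        for srv, handler in ((self.device_srv, self._handle_device), (self.client_srv, self._handle_client)):
            threading.Thread(target=self._accept_loop, args=(srv, handler), daemon=True).start()

    def _accept_loop(self, srv, handler):
        while True:
            threading.Thread(target=handler, args=(srv.accept()[0],), daemon=True).start()

    def _handle_device(self, conn):  # REGISTER <id> <token>
        parts = _readline(conn).split(b" ")
        if len(parts) != 3 or parts[0] != b"REGISTER" or not hmac.compare_digest(parts[2], self.token):
            conn.sendall(b"ERR unauthorized\n")  # compare_digest is constant-time; unauthenticated devices are never listed
            return conn.close()
        with self.lock:
            self.waiting[parts[1].decode()] = conn
        conn.sendall(b"OK\n")

    def _handle_client(self, conn):  # CONNECT <id>
        parts = _readline(conn).split(b" ")
        with self.lock:
            device = self.waiting.pop(parts[1].decode(), None) if len(parts) == 2 and parts[0] == b"CONNECT" else None
        if device is None:
            conn.sendall(b"ERR no such device\n")
            return conn.close()
        conn.sendall(b"OK\n")     # splice the customer onto the idle socket the device dialled in with
        back = threading.Thread(target=_pipe, args=(device, conn), daemon=True)
        back.start()
        _pipe(conn, device)       # customer -> device until the customer half-closes
        back.join()               # device -> customer until the device hangs up
        device.close()
        conn.close()

def register_device(device_port, device_id, token):
    # firmware side: dial OUT and announce yourself; returns the tunnel socket, or None if refused
    s = socket.create_connection((HOST, device_port))
    s.sendall(f"REGISTER {device_id} {token}\n".encode())
    if _readline(s) == b"OK":
        return s
    s.close()

def serve_one(tunnel, handler):
    # firmware side: read one request to EOF, answer via the onboard web server, hang up
    request = b"".join(iter(lambda: tunnel.recv(4096), b""))
    tunnel.sendall(handler(request))
    tunnel.close()

def fetch_via_relay(client_port, device_id, request):
    # customer side: name a device id; on OK send the request and read the reply to EOF
    s = socket.create_connection((HOST, client_port))
    s.sendall(f"CONNECT {device_id}\n".encode())
    status = _readline(s)
    if status == b"OK":
        s.sendall(request)
        s.shutdown(socket.SHUT_WR)
        status = b"".join(iter(lambda: s.recv(4096), b""))
    s.close()
    return status

def demo():
    def onboard(request):  # constructed stand-in for the device's hand-rolled web server
        return b"HTTP/1.0 200 OK\r\nContent-Length: 9\r\n\r\ndevice ok"
    relay = Relay(TOKEN)
    tunnel = register_device(relay.device_port, "device01", TOKEN)   # the device announces itself
    threading.Thread(target=serve_one, args=(tunnel, onboard), daemon=True).start()
    good = fetch_via_relay(relay.client_port, "device01", b"GET /status HTTP/1.0\r\n\r\n")
    refused = register_device(relay.device_port, "device02", "wrong-token")
    unknown = fetch_via_relay(relay.client_port, "device02", b"GET / HTTP/1.0\r\n\r\n")
    return good, refused, unknown
```

`demo()` exercises the three paths a practitioner cares about: a registered device answers a customer through the relay, a device with the wrong token is refused before it can be listed, and a customer asking for an id nobody registered gets an error rather than a dangling connection. The two `_pipe` threads give a full-duplex splice, so the same relay would carry an interactive protocol and not only request/response HTTP.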