
Here is my setup: I have a machine I would like to be able to reach from the internet from outside my home over a single port (for example, for SSH-ing into it). The machine is behind my home router (I have full control over it, this is fine), and my ISP uses dynamic IPs, with NAT on their end (carrier-grade NAT). So, my public IP is both changing (which I am used to and can be solved by using a DDNS service like dedyn.io), but in addition my public IP is shared between several customers (which is the issue I do not know how to solve).

My question is: is there a way, somehow, to still allow me to reach my machine on a single specific port, by "doing something similar to" publishing to the DDNS service both an IP and a port that I know will be routed back to my home router on a specific port, that I can then route back to my machine? (I understand this mixes concepts from different networking stack levels, like DNS vs protocol.)

I do not know how to address this question and if this is doable or not. If not, I can think about other ways to make my machine reachable (through an onion service for example; any other suggestions that would come free of charges? I do not want to be relying on a "jump reverse ssh tunnel machine" on the cloud, as I do not want to pay for it).


Note: question moved from https://networkengineering.stackexchange.com/questions/79902/is-it-possible-to-access-a-machine-behind-an-isp-nat-by-publishing-somehow-ip-a , according to feedback received in comments.


Zorglub29
  • There are lots of duplicates for this question here on this site. Here's just one I found quickly. https://superuser.com/questions/277218/ssh-access-to-office-host-behind-nat-router – music2myear Sep 11 '22 at 13:55
  • I changed the title a little to use the “correct term”. // Tailscale is free for home users. Perhaps it’s suitable for you? – Daniel B Sep 11 '22 at 14:32
  • Before marking as a duplicate, note how OP doesn’t want to spend any money on a VPS or the like. A simple reverse tunnel won’t cut it either, because this is not a site-to-site situation. – Daniel B Sep 11 '22 at 14:59
  • These answers do not answer my question, as they assume some additional servers set up (https://superuser.com/questions/277218/ssh-access-to-office-host-behind-nat-router , which is the one quoted by the first two comments, assumes a server that can be used as a hop server / reverse ssh tunnel point; I know how to `ssh -L` and `ssh -R`, this does not solve my issue, I want it without a hop server :) ). – Zorglub29 Sep 11 '22 at 18:17
  • (but pwnat is a valid answer to me : ). – Zorglub29 Sep 11 '22 at 18:25

3 Answers

You could try pwnat.

This is an open-source tool that addresses this problem, and whose aim is to allow any number of clients behind NAT to communicate with a server that is also behind NAT, without using port forwarding on any router. The server does not need to know anything about the clients trying to connect.

I haven't found a compiled version of pwnat, so you will need to compile it from source.

The method used by pwnat is unbelievably clever, but there is no guarantee that it will work with your environment.

harrymc
  • Thanks, I will definitely look at this in detail (had a quick look, it was fun that they mentioned that "there is no middle man, no proxy, no 3rd party, no UPnP/STUN/ICE required, no spoofing, and no DNS tricks", as I was starting to think about "controlled" MITM techniques to get this done ^^ ). – Zorglub29 Sep 11 '22 at 18:14

> My question is: is there a way, somehow, to still allow me to reach my machine on a single specific port, by "doing something similar to" publishing to the DDNS service both an IP, and a port that I know will be routed back to my home router on a specific port, that I can then route back to my machine? (I understand this mixes concepts from different networking stack level, like DNS vs protocol)

Generally, no, for two reasons:

  1. Most software (including SSH) won't even ask DNS for the port number. They ask DNS for a list of addresses (A/AAAA records) and there's no space for ports in them.

    It is possible to publish arbitrary data in DNS, e.g. using SRV or TXT records (if your DDNS service allows those), but you'll still need a custom wrapper around the client to make it pull the port from DNS automatically. For OpenSSH this is relatively easy (ProxyCommand would be a good start), for other software less so.

  2. DDNS services cannot make an address or a port accessible from outside – the only thing they do is assign a name to it. And most ISPs implementing CGNAT don't provide customers with any TCP port that'll be accessible from outside. (Like your own home router, they only accept packets corresponding to an already established flow, and unlike your home router, they almost never allow customers to request inbound port-forwarding via UPnP or similar.)

    In my experience, even CGNATs that use a 1:1 mapping (i.e. do not actually share an address between several customers at one time) often deliberately don't allow inbound connections even if it would be technically possible.

> through an onion service for example; any other suggestions that would come free of charges? I do not want to be relying on a "jump reverse ssh tunnel machine" on the cloud, as I do not want to pay for it

There are several options, but all of them (including Tor onion services) necessarily boil down to setting up some kind of long-lived connection through someone else's infrastructure and then using that as a reverse tunnel.

(At least 3 large "cloud server hosting" companies offer a small VPS completely for free, so you can set up a "jump reverse ssh tunnel machine" there.)

u1686_grawity
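The "custom wrapper around the client" that point 1 of the answer above describes, as an added example that is not part of the original answer: it parses the `dig +short SRV` output for an assumed `_ssh._tcp` name, picks the target in RFC 2782 priority/weight order, and builds either a plain `ssh -p` invocation or an OpenSSH `ProxyCommand` string using `nc`. The hostnames, port numbers and the `SAMPLE` output are constructed for the example.

```python
from __future__ import annotations
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_short(text: str) -> list[SrvRecord]:
    """Parse `dig +short SRV <name>` output: one 'priority weight port target.' per line."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line: skip it rather than guess a port
        prio, weight, port, target = parts
        records.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def pick_target(records: list[SrvRecord]) -> SrvRecord:
    """Lowest priority wins; within a priority prefer the heavier weight.
    (RFC 2782 asks for weighted random selection; this is the deterministic simplification.)"""
    if not records:
        raise LookupError("no SRV records published for this name")
    return sorted(records, key=lambda r: (r.priority, -r.weight))[0]


def ssh_command(records: list[SrvRecord], user: str) -> list[str]:
    """Direct invocation: the port comes from DNS instead of being hard-coded."""
    t = pick_target(records)
    return ["ssh", "-p", str(t.port), f"{user}@{t.target}"]


def proxy_command(records: list[SrvRecord]) -> str:
    """Value for an ssh_config `ProxyCommand` line, so a Host alias resolves port and target via SRV."""
    t = pick_target(records)
    return f"nc {t.target} {t.port}"


def lookup_srv(name: str) -> list[SrvRecord]:
    """Live lookup (needs network and `dig`); the constructed SAMPLE below stands in for it offline."""
    out = subprocess.run(["dig", "+short", "SRV", name], check=True, capture_output=True, text=True)
    return parse_srv_short(out.stdout)


# Constructed sample of what `dig +short SRV _ssh._tcp.home.example.dedyn.io` might print.
SAMPLE = "10 5 22022 home.example.dedyn.io.\n20 0 2222 backup.example.dedyn.io.\n"
```

The wrapper only helps with the first reason given in the answer (clients do not ask DNS for ports); whether the published port is actually reachable through the ISP's CGNAT is the second reason, and no DNS trick changes that.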

So-called "overlay" networks can be a solution. Examples are ZeroTier, Tailscale, Nebula (by Slack), Innernet, Ngrok and its alternatives.

Some of the solutions mentioned tick all requirements:

  • Zero config / no opening ports
  • Allows roaming across networks (an overlay network is what's being used for addressing)

Cloudflare Tunnels have been cropping up; however, it's a closed-source solution and, in addition, they can see all your traffic as it traverses their networks (not saying they're bad folk!).

How's the latter known? There's a diagram that shows it, and they have a feature to enable secure traffic (TLS certs) to/from local devices and restrict who can access them. Your traffic isn't secure as it's only HTTP, but it is now being bolstered/upgraded by a cert Cloudflare's creating, with access being checked (authentication).

https://developers.cloudflare.com/assets/handshake_hufad68abf6107ffc2ef859ebe1b42b6e2_299675_1768x1102_resize_q75_box-3f75968f.jpg