How to Setup a Forever Free SSH access to Raspberry Pi without port forward

7 min read

My home ISP is using private IP for internet access meaning I can’t port forward from the router since the public IP actually used by multiple clients / houses meanwhile having dynamic IP cost me double, so my options are using ngrok or dataplicity or reverse tunnel to a VPS a rather expensive yet convenient. However stumbled upon this medium blog https://medium.com/@devinjaystokes/how-to-setup-an-ad-blocking-wireguard-vpn-server-with-pihole-in-the-cloud-for-free-e814e45aac50 got me thinking, hey with the always-eligible-free plan I can SSH my Pi anywhere now, or even better MOSH!!

CONFIGURING SERVER

Go ahead register the oracle cloud following the previous blog mentioned, however since I’m in Asia I am using the server in Japan the closest one that has always-free-eligible tier. There are selection of countries pick the closest one so you can have the best ping.

You can also follow the previous blog on how the setup the VM one thing to note though please just select Canonical Ubuntu 20.04 or even better CentOS although in this blog I am using Ubuntu 20.04. The reason why not choosing Ubuntu 18 is because it always resulting to Ubuntu 18.04 Minimal image and it rather a hassle way to start.

You can stop following the previous blog until it says check “Skip source/destination check” from edit VNIC. After that you can SSH your freshly brewed Ubuntu 20.04. If you have downloaded the private key from the previous step you can copy the key to ~/.ssh/ and don’t forget to chmod 600 to the file. After that run below command to SSH:

ssh -i ~/.ssh/ssh-key-2020-09-04.key [email protected]

next let’s change the user ubuntu password this is useful later when we are going to create a service.

$ sudo su
$ passwd ubuntu
$ [type your new password]
$ exit

Instead of using ssh reverse tunnel we are going to use Fast-Reverse-Proxy for this go ahead download whatever version is the latest from here https://github.com/fatedier/frp/releases/latest for your Ubuntu make sure download frp_X.XX.X_linux_amd64.tar.gz to download copy the link and use wget for example:

wget https://github.com/fatedier/frp/releases/download/v0.33.0/frp_0.33.0_linux_amd64.tar.gz
$ tar -xvf frp_0.33.0_linux_amd64.tar.gz
$ cd frp_0.33.0_linux_amd64
$ nano frps_custom.ini

and paste below, do any change if you feel like it, however the mandatory here is to change the token and dashboard password:

[common]
# A literal address or host name for IPv6 must be enclosed
# in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
bind_addr = 0.0.0.0
bind_port = 7000

# udp port to help make udp hole to penetrate nat
bind_udp_port = 7001

# udp port used for kcp protocol, it can be same with 'bind_port'
# if not set, kcp is disabled in frps
kcp_bind_port = 7000

# set dashboard_addr and dashboard_port to view dashboard of frps
# dashboard_addr's default value is same with bind_addr
# dashboard is available only if dashboard_port is set
dashboard_addr = 0.0.0.0
dashboard_port = 7500

# dashboard user and passwd for basic auth protect, if not set, both default value is admin
dashboard_user = admin
dashboard_pwd = [email protected]

# enable_prometheus will export prometheus metrics on {dashboard_addr}:{dashboard_port} in /metrics api.
enable_prometheus = true

# dashboard assets directory(only for debug mode)
# assets_dir = ./static
# console or real logFile path like ./frps.log
log_file = ./frps.log

# trace, debug, info, warn, error
log_level = info

log_max_days = 3

# auth token
token = URGENT_CHANGE_THIS_TO_YOUR_OWN_FAV_TOKEN_KEYWORD

next let’s create a service for this

$ sudo vi /etc/systemd/system/frps.service

and paste below (don’t forget to fix the path):

[Unit]
Description=FRP Server
After=network.target

[Service]
ExecStart=/path/to/frps -c /path/to/frps_custom.ini
Restart=on-abort

[Install]
WantedBy=multi-user.target

Next let’s enable the service:

$ sudo systemctl enable frps

start / stop / restart / check status:

$ sudo service frps start
$ sudo service frps stop
$ sudo service frps restart
$ sudo service frps status

You can also check the log see if server run successfully:

$ cat /path/to/frps/frps.log

next we need to tell firewall that port 7000 is listening and open it.

$ sudo iptables -I INPUT 1 -p tcp --dport 7000 -j ACCEPT

while we are at it let’s reserve some port as well:

$ sudo iptables -I INPUT 1 -p tcp --dport 7500 -j ACCEPT
$ sudo iptables -I INPUT 1 -p tcp --dport 2200 -j ACCEPT
$ sudo iptables -I INPUT 1 -p udp --dport 61001 -j ACCEPT

however doing it in Ubuntu will not be permanent, if you reboot the server, the port will go back to closed. To make it permanent do:

$ sudo su
$ apt install iptables-persistent
$ iptables-save > /etc/iptables/rules.v4
$ exit

Not only that you have to set the instance in oracle cloud to listen to port 7000/TCP


While we are at it, let’s reserve some port to be open, click on +Additional Ingress Rule and add below:

  • 7500, TCP, FRP Dashboard
  • 2200, TCP, FRP SSH
  • 61001, UDP, FRP MOSH

That’s all that we need from FRP Server! Next let’s move on to raspberry pi

CONFIGURING CLIENT

If you haven’t install mosh on raspberry pi, please do now, check Tips and tricks for your Raspberry Pi

download whatever version is the latest from here https://github.com/fatedier/frp/releases/latest for your Raspberry Pi make sure download frp_X.XX.X_linux_arm.tar.gz and make sure the version you are downloading are the same with the server to download copy the link and use wget for example:

wget https://github.com/fatedier/frp/releases/download/v0.33.0/frp_0.33.0_linux_arm.tar.gz
$ tar -xvf frp_0.33.0_linux_arm.tar.gz
$ cd frp_0.33.0_linux_arm
$ nano frpc_custom.ini

and paste below, do any change if you feel like it, however the mandatory here is to change the token make sure it’s the same with the token you setup on the server and don’t forget to set your Oracle Instance IP Public:

[common]
server_addr = XXX.XXX.XXX.XXX
server_port = 7000
token = URGENT_CHANGE_THIS_TO_YOUR_OWN_FAV_TOKEN_KEYWORD

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 2200

[mosh]
type = udp
local_ip = 127.0.0.1
local_port = 61001
remote_port = 61001

next you can test run to see it can connected to the server

/path/to/frp/frpc -c /path/to/frp/frpc_custom.ini

if you see login to server success and start the proxy success something like below then congrats! you can go to the next step

next let’s create a service for this

$ sudo vi /etc/systemd/system/frpc.service

and paste below (don’t forget to fix the path):

[Unit]
Description=FRP Client
After=network.target

[Service]
ExecStart=/path/to/frpc -c /path/to/frpc_custom.ini
Restart=on-abort

[Install]
WantedBy=multi-user.target

Next let’s enable the service:

$ sudo systemctl enable frpc

start / stop / restart / check status:

$ sudo service frpc start
$ sudo service frpc stop
$ sudo service frpc restart
$ sudo service frpc status

That’s it you can connect to Raspberry Pi from anywhere in the world over the internet.

You can try SSH your Raspberry Pi like below:

ssh [email protected] -p 2200

where XXX.XXX.XXX.XXX is the IP public of your Ubuntu oracle instance

Or why not mosh?

mosh --ssh='ssh -p 2200' -p 61001 [email protected]

Since mosh is working with SSH you need to specify SSH port and since port 22 is already used SSH your Ubuntu oracle instance in this example I use port 2200 as the alternative feel free to change to anyport that you prefer and also that by default mosh UDP port is 60000-61000 to not disrupt mosh connection to your Ubuntu Oracle Instance we use the non default port which is 61001 so you need to specify that as well when you connect with mosh.

With FRP basically you can tunnel any service to Ubuntu Oracle instance as long you know the port.

Also don’t forget to access you FRP server dashboard by going to: http://XXX.XXX.XXX.XXX:7500/

Enjoy!