So I needed to access a computer without static IP from internet. Here's the way to accomplish it.
- Get no.ip ddns account. Create a ddns host and preferably create
AAAA
record which allows both IPv4 and IPv6. - Hopefully your router has ddns support. Thankfully google fiber had it. It will be buried under "advanced" but most likely it should be there. Goto step 4.
- If the router doesn't have ddns support, you can install the ddns client, don't install no.ip client. Configure it using this article. Note, ubuntu package installation will ask most of these questions.
- Add the no.ip configurations in your router. By this point you should reach your router from outside world but not actually reach your machine.
- In router configuration, find a way to forward a port. Here we will forward ssh port to outside.
Advanced/Anxious steps
-
In
sshd.conf
add an additional port to run ssh server on.
port 22 port 10101
We will use port 22 from connecting to the computer from within network but when we want to access computer from outside of network we will use
10101
port instead. You might ask why not just use router to do this redirection from 22 to 10101 or other port number? Read on :).Create duo account. Setup your machine to use duo. Steps differ if you are targeting unix/windows. You can instead use google authenticator but I am not fan of adding 6 digits for each login. AFAIK Microsoft authenticator doesn't support non-windows systems otherwise Microsoft Authenticator also uses passwordless 1 tap authentication.
-
Now use Match clause in sshd_config to make sure all external accesses are guarded by duo_login. This tells sshd that if connection is coming from the port 10101, make sure public key matches and duo_login is satisfied and password authentication is not allowed.
# sshd.conf ... # put at the end of file Match LocalPort 10101 AuthenticationMethods "publickey,keyboard-interactive" PasswordAuthentication no
-
Restart sshd service
service sshd restart
Hope you find it useful!
✌
Top comments (1)
github.com/crowdsecurity/crowdsec