Whether you want to show a friend your latest project, set up a local server as a NAS (Network-Attached Storage), build a media player to replace a streaming service, or just play around, today we're discussing how to securely access your local environment from a distance.
What options are there?
There are several ways to reach your local environment safely from outside your network. Here we'll explore three notable ones, covering how to set them up, their security implications, and their advantages and disadvantages:
- Port forwarding
- Cloudflare Tunnel
- Reverse SSH Tunneling
Port forwarding
Probably the most prevalent option today (unfortunately) is port forwarding. The idea is to have your router accept connections on a port of its public address and pass them to a machine on your LAN, so that anyone on the internet can reach that service directly.
How do you open a port on the router?
Before explaining how to open a port on the router, a warning: your ISP may not let you do this at all, because its network uses CGNAT (carrier-grade NAT, which means you share one public IP address with several other customers and your router's WAN address is itself a private or shared one). If you are not sure, contact the ISP first and ask whether port forwarding is possible and, if not, whether they can give you a public IP address (sometimes it is free, sometimes they charge extra for it).
So let's continue. In some cases you will have to connect via a cable rather than WiFi, since some routers only allow access to the admin panel from a wired connection (most routers today allow it over WiFi as well).
- Open the router's address in your browser (commonly "http://192.168.0.1/" or "http://192.168.1.1/") and log in to the admin panel
- Go to the "Port forwarding" page
- Enter the external port you want to open, plus the LAN IP address and port of the machine that should receive the traffic (the service's own port, e.g. 80 for a web server)
- Save the change and that's it. When you go to "http://your-public-ip:open-port" from outside your network (for example from a phone on mobile data) you should see your local service
If it does not work for you, it is very possible that your ISP does not support opening ports (see the CGNAT note above) and you will have to choose another option.
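Before touching the router it is worth checking whether port forwarding can work at all. The script below is an added example (not code from the original post) that classifies the WAN address shown on the router's status page: RFC 6598 reserves 100.64.0.0/10 for carrier-grade NAT, so a router whose WAN side sits in that range, or in an RFC 1918 private range, is itself behind another NAT and a port forwarded on it will never be reachable from the internet. The second check compares the WAN address with the address the internet sees for you; the script name and the "what is my IP" service are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: decide from the router's WAN address
# whether port forwarding can work at all, before touching the router's settings.
# RFC 6598 reserves 100.64.0.0/10 for carrier-grade NAT; a router whose WAN side is in
# that range (or in an RFC 1918 private range) is itself behind another NAT, so a port
# you forward on it is never reachable from the internet.

# Print the class of an IPv4 address: public, cgnat, private, loopback, link-local, invalid.
wan_ip_class() {
    ip=$1
    case $ip in
    *[!0-9.]* | .* | *. | *..*) echo invalid; return 1 ;;
    esac
    IFS=. read -r a b c d extra <<EOF
$ip
EOF
    # exactly four octets, each 0-255
    [ -n "$d" ] && [ -z "$extra" ] || { echo invalid; return 1; }
    for o in "$a" "$b" "$c" "$d"; do
        [ "$o" -le 255 ] || { echo invalid; return 1; }
    done
    if   [ "$a" -eq 10 ]; then echo private                                          # RFC 1918
    elif [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then echo private    # RFC 1918
    elif [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then echo private                      # RFC 1918
    elif [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then echo cgnat     # RFC 6598
    elif [ "$a" -eq 127 ]; then echo loopback
    elif [ "$a" -eq 169 ] && [ "$b" -eq 254 ]; then echo link-local
    else echo public
    fi
}

# Compare the WAN address from the router's status page with the address the internet
# sees for you. Prints "ok" when port forwarding can work, otherwise the reason it cannot.
port_forwarding_check() {
    wan=$1; seen=$2
    cls=$(wan_ip_class "$wan") || { echo "invalid WAN address: $wan"; return 1; }
    if [ "$cls" != public ]; then
        echo "router WAN address is $cls, not public; port forwarding cannot work (CGNAT or double NAT)"
        return 1
    fi
    if [ "$wan" != "$seen" ]; then
        echo "WAN address $wan differs from the address seen from outside ($seen); another NAT sits in front of the router"
        return 1
    fi
    echo ok
}

# Usage (script name assumed): ./portfwd-check.sh <router WAN address> [address seen from outside]
# The second value can come from any "what is my IP" service, e.g. curl -4 https://ifconfig.me
if [ -n "${1:-}" ]; then
    port_forwarding_check "$1" "${2:-$1}"
fi
```

If the check reports "cgnat", no amount of router configuration will help; skip straight to one of the tunnel options below.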
Conclusion
This was straightforward, but... opening a port on the router means that anyone in the world can talk to that service on your local machine directly, with nothing in between: every bug or weak password in it is reachable from the internet, and your public IP address is visible to everyone. The complications range from DDoS attacks on your IP address, which could prompt your ISP to cut off your connection, to someone compromising the exposed server and using it as a foothold into the rest of your home network. While this option may be the simplest, it's undoubtedly the least secure, and I would not recommend it. If you must use it, at least keep the exposed service patched, put authentication in front of it, and forward only the one port you need.
Cloudflare Tunnel
Cloudflare is a web infrastructure and website security company that offers CDN services, DDoS mitigation, internet security, and distributed DNS. It serves as a reverse proxy for websites, caching content and filtering out threats to speed up page loads and defend against attacks.
Cloudflare also provides the option to tunnel a local service through its network: a small connector (cloudflared) on your machine opens an outbound connection to Cloudflare, and Cloudflare forwards requests for your hostname down that connection. No inbound port is opened on your router.
It's crucial to understand that this requires a domain whose DNS is managed by Cloudflare, so having a domain set up with them is a prerequisite for this functionality to work.
How do you configure Cloudflare Tunnel?
1. Log in to Cloudflare
2. Go to the Cloudflare Zero Trust section in your dashboard
3. Go to the "Networks -> Tunnels" page, create a tunnel and select "Cloudflared" as the connector
4. Enter the name of your tunnel
5. Choose your environment (I recommend Docker). The dashboard then shows an install command that includes the tunnel's token; run it on your local server. Treat that token like a password: anyone who has it can run a connector for your tunnel
6. Add a public hostname: choose the subdomain and domain, and point it at the local service (for example http://localhost:8080). Note that when the connector runs in a Docker container, "localhost" means the container itself, so either run it with --network host or use the host's LAN address
7. Save. If you did everything as described, the tunnel shows as "healthy", and when you open the hostname you entered, you should see your local service
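The same result can be had without the dashboard wizard by running a locally managed cloudflared, which keeps the hostname-to-service mapping in a config file you can review and version. The script below is an added example, not code from the original post: the tunnel name "homelab", the hostname "app.example.com", the local service on http://localhost:8080 and the script name are assumptions, since the post does not give its own values.

```shell
#!/bin/sh
# Added example, not code from the original post: the tunnel from the steps above done
# with a locally managed cloudflared instead of the dashboard wizard.
# Assumed names: tunnel "homelab", hostname "app.example.com", local service on
# http://localhost:8080; the post does not give its own values.
set -eu

TUNNEL_NAME=${TUNNEL_NAME:-homelab}
PUBLIC_HOSTNAME=${PUBLIC_HOSTNAME:-app.example.com}
LOCAL_SERVICE=${LOCAL_SERVICE:-http://localhost:8080}
CONFIG_DIR=${CONFIG_DIR:-${HOME:-/root}/.cloudflared}

# Emit config.yml for cloudflared. Ingress rules are matched top to bottom and the
# last one must be a catch-all: http_status:404 means a request for any hostname
# you did not list (or a name someone else points at the tunnel) gets a 404
# rather than being handed to your local service.
cloudflared_config() {
    tunnel_id=$1; hostname=$2; service=$3
    cat <<EOF
tunnel: $tunnel_id
credentials-file: $CONFIG_DIR/$tunnel_id.json
ingress:
  - hostname: $hostname
    service: $service
  - service: http_status:404
EOF
}

# One-time, by hand: "cloudflared tunnel login" picks the zone in a browser, then
# "cloudflared tunnel create homelab" prints the tunnel UUID and writes the
# credentials JSON (guard it like a password). Pass that UUID here:
#   ./cf-tunnel.sh setup <UUID>
if [ "${1:-}" = setup ] && [ -n "${2:-}" ]; then
    mkdir -p "$CONFIG_DIR"
    cloudflared_config "$2" "$PUBLIC_HOSTNAME" "$LOCAL_SERVICE" > "$CONFIG_DIR/config.yml"
    # refuse to start with a malformed or catch-all-less ingress list
    cloudflared tunnel --config "$CONFIG_DIR/config.yml" ingress validate
    # creates the CNAME <hostname> -> <UUID>.cfargotunnel.com in your Cloudflare DNS
    cloudflared tunnel route dns "$TUNNEL_NAME" "$PUBLIC_HOSTNAME"
    exec cloudflared tunnel --config "$CONFIG_DIR/config.yml" run "$TUNNEL_NAME"
fi
```

Whichever way you create the tunnel, the connector only ever makes outbound connections; the catch-all rule is what stops a stray hostname from reaching your service.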
Conclusion
Although owning a domain (typically around $10 per year) is a requirement, Cloudflare Tunnel remains one of the top choices for most people. It offers extensive flexibility and security features, plus analytics, DDoS protection, and caching, all on the free plan.
However, be aware that serving video or other media streams through Cloudflare's proxy is restricted by their terms of service on the free plan, and doing so may get your account suspended; check the current terms before putting a media server behind it.
It's worth noting that Cloudflare hides your public IP address behind its network: visitors only ever see Cloudflare's addresses, and since the connector only makes outbound connections, no port on your router is open. That is a significant improvement over port forwarding, where your IP address and the service itself are exposed to everyone.
Reverse SSH Tunneling
Reverse SSH tunneling is a method in which your local machine opens an SSH connection out to a remote server and asks that server to listen on a port and send whatever arrives there back through the connection to a service on the local machine.
You'll need a server from a VPS provider (I recommend Hetzner) through which you'll tunnel traffic to your local server. This technique is secure because it rests on plain SSH: all traffic between the VPS and your machine is encrypted and authenticated, and your home IP address stays hidden, since visitors only ever talk to the VPS.
How do you configure Reverse SSH Tunneling?
1. Generate an SSH key on the local server using ssh-keygen (a dedicated key for the tunnel, without a passphrase, since a service will use it)
2. Transfer the public key from the local server to the remote server and append it to the "authorized_keys" file of the account you'll connect as (ideally a separate, unprivileged user created just for the tunnel). This enables the local server to connect to the remote server via SSH without a password, as the key serves for authentication
3. Configure NGINX on the remote server to act as a reverse proxy, passing traffic for a given domain on to the tunnel's port. Optionally, set up a DNS entry for your domain pointing at the VPS. Below is an example NGINX configuration; it listens on plain HTTP, so before exposing anything with a login put TLS in front of it (for example with certbot):
server {
    listen 80;
    server_name localhost.darkotodoric.com;

    location / {
        proxy_pass http://localhost:1337/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }

    error_log /var/log/nginx/localhost.darkotodoric.com_error.log;
    access_log /var/log/nginx/localhost.darkotodoric.com_access.log;
}
4. On the local server, initiate SSH tunneling with the following command:
ssh -R 1337:localhost:80 remote_user@remote_server_ip
5. Assuming all configurations are correct, a request to "localhost.darkotodoric.com" now reaches NGINX on the VPS, which proxies it to port 1337 on the VPS, from where SSH carries it back to "localhost:80" on your local server. Note that sshd binds the forwarded port on the VPS's loopback interface only (the default, GatewayPorts no), so port 1337 is never reachable from the internet directly; NGINX is the only way in
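The steps above, carried through with a key that can do nothing on the VPS except open this one forward. This is an added example, not code from the original post: the VPS user "tunnel", the host "vps.example.com", the key path ~/.ssh/reverse-tunnel and the script name are assumptions; port 1337 and local port 80 are the post's own. The authorized_keys options are documented in sshd(8); permitlisten needs OpenSSH 7.8 or newer on the VPS.

```shell
#!/bin/sh
# Added example, not code from the original post: set up the reverse tunnel with a
# dedicated key whose authorized_keys entry can do nothing except open this one
# remote forward. Assumed names: VPS user "tunnel" on host "vps.example.com",
# key file ~/.ssh/reverse-tunnel; port 1337 and local port 80 are the post's own.
set -eu

REMOTE_USER=${REMOTE_USER:-tunnel}
REMOTE_HOST=${REMOTE_HOST:-vps.example.com}
REMOTE_PORT=${REMOTE_PORT:-1337}   # loopback port on the VPS that nginx proxies to
LOCAL_PORT=${LOCAL_PORT:-80}       # service on the local machine
KEY=${KEY:-${HOME:-/tmp}/.ssh/reverse-tunnel}

# Build the authorized_keys line for the VPS. "restrict" turns off pty, agent and X11
# forwarding and all port forwarding; "port-forwarding" re-enables only that, and
# permitlisten pins it to the one listen address ssh -R will ask for (ssh sends the
# literal name "localhost" when no bind address is given). OpenSSH 7.8+ on the VPS.
restricted_authorized_keys_line() {
    pubkey=$1; port=$2
    printf 'restrict,port-forwarding,permitlisten="localhost:%s" %s\n' "$port" "$pubkey"
}

# The ssh command for the tunnel (the same line belongs in a systemd unit).
# -N/-T: no command, no tty. ExitOnForwardFailure: exit (so a supervisor restarts us)
# if the remote port cannot be bound, instead of staying connected but useless.
# StrictHostKeyChecking=accept-new: learn the VPS host key on first contact, refuse to
# connect if it ever changes; "no" would still connect to a host whose key changed.
tunnel_command() {
    printf 'ssh -i %s -N -T -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=accept-new -o ServerAliveInterval=10 -o ServerAliveCountMax=3 -R %s:localhost:%s %s@%s' \
        "$KEY" "$REMOTE_PORT" "$LOCAL_PORT" "$REMOTE_USER" "$REMOTE_HOST"
}

# Usage (script name assumed): ./reverse-tunnel.sh keygen | authline | run
case ${1:-} in
keygen)   # 1. one-time: dedicated key, no passphrase, because a service will use it
    ssh-keygen -t ed25519 -f "$KEY" -N "" -C "reverse-tunnel@$(hostname)" ;;
authline) # 2. paste the output into ~tunnel/.ssh/authorized_keys on the VPS
    restricted_authorized_keys_line "$(cat "$KEY.pub")" "$REMOTE_PORT" ;;
run)      # 3. open the tunnel; nginx on the VPS proxies to 127.0.0.1:$REMOTE_PORT
    eval "$(tunnel_command)" ;;    # key path must not contain spaces
esac
```

With this entry in place, even someone who steals the key from the local machine gets no shell on the VPS and can only re-create the same forward.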
To keep the tunnel up across network interruptions and reboots, run it as a systemd service on the local machine; the ssh options below make the client notice a dead connection and exit when the remote port cannot be bound, so that systemd restarts it. Here's an example of how the unit should be configured:
[Unit]
Description=Reverse SSH tunnel to the VPS
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
# Run as the unprivileged local account that owns the tunnel key (account name is an example)
User=tunnel
# -T -N: no tty, no command. ExitOnForwardFailure makes ssh exit when the remote port cannot
# be bound, so Restart= brings up a working tunnel instead of a connection without a forward.
# StrictHostKeyChecking=accept-new learns the VPS host key on first contact and refuses a
# changed one later; "no" would keep connecting to a host whose key has changed.
ExecStart=/usr/bin/ssh -o StrictHostKeyChecking=accept-new -o ServerAliveInterval=10 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -T -N -R 1337:localhost:80 remote_user@remote_server_ip
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
Conclusion
While it requires your own remote server (which you then have to keep patched), reverse SSH tunneling offers a straightforward, secure, and reliable method to expose your local server to the world with none of the content restrictions of a free CDN plan.
Conclusion
My advice is to avoid port forwarding on the router, because it exposes your service and your IP address directly to the internet. Between the other two options, your choice should be guided by your specific needs. If you intend to run a local media server for streaming video content, reverse SSH tunneling is the way to go, as Cloudflare doesn't allow streaming (at least not on the free plan) through their platform. For any other purpose, Cloudflare Tunnel is an excellent solution: it's simpler to set up and comes with analytics, security features, caching, DNS configuration, DDoS protection, and more, all free of charge.
Top comments (1)
For securely accessing your local environment remotely, I recommend either setting up a Cloudflare Tunnel for comprehensive security features and flexibility, or using Reverse SSH Tunneling for robust encryption and IP protection, depending on your specific needs like streaming or general access. Avoiding direct port forwarding on your router is crucial to prevent potential security risks.