Remote access with 4G router

Hello,
This is not a mycodo specific issue. I wanted to ask what is the easiest way to access mycodo remotely when the RPi is connected to a 4G router with no public IP.

Ideal situation

I would like to access mycodo from anywhere e.g. by typing https://mycodo.mygreenhouse.com in a browser.

Problem

Mycodo is usually accessed by port forwarding from the router to the RPi. This works easily on the local network and can work on the external network as long as the router has a public IP. 4G routers may not have public IPs due to CGNAT (Carrier grade network address forwarding) which allows multiple SIM cards to share the same IP address. This prevents port forwarding from working and thus access from outside the network.
I have a domain which allows for the URL redirect to the router so this is not an issue.

Potential solutions

  1. Switch from 4G to DSL - not really possible due to the fact that the RPi and router are sitting in a remote area (a farm)
  2. Host mycodo on a cloud platform - would need a lot of development for a relatively small issue?
  3. Obtain a static 4G IP from the carrier - I’m digging into it but it’s unlikely to be possible
  4. Use a VPN: my router (TP Link MR640) has some VPN capabilities, but I’m not sure how to set up the VPN (on the router? on the RPi? How does that interact with port forwarding? etc.).

Appreciate the input in advance!

1 Like

Found this, sounds like VPN is probably the most viable option. There are many good packages available for Raspberry Pi to do this.
How to Implement Remote Access to a 4G Router

By far the easiest solution is a reverse proxy. This doesn’t require configuring any of the networking hardware that your remote system is behind or even knowing the IP of the remote system. I use reverse proxies for several of my remote systems and I can set them up beforehand and once I give them internet access, wherever that is, behind any and all types of convoluted networking, I can immediately access them without issue, both SSH and HTTPS.

What I’ve been using is the open source frp. I use it so much, I even sponsor the developer. This great piece of software needs more publicity.

1 Like

Thanks Kyle. This would work great – I’ve used nginx for a reverse proxy to great effect too. I’m concerned about the need for a public IP, could you help me reconcile

This doesn’t require configuring any of the networking hardware that your remote system is behind or even knowing the IP of the remote system

and what I’m reading from the GitHub of frp:

On server B, modify frpc.ini to put in your frps server public IP as server_addr field:
frpc.ini
[common]
server_addr = x.x.x.x
server_port = 7000

Sorry if this is a stupid question.

The remote system has the frp client configured to connect to your frp server. You must host the server on one of your systems that you know the IP address of. In order to prevent issues when your home server IP address changes, you can configure your frp client to connect to a domain you control (I do this) or use any of the free DDNS services that give you a domain you can update with your latest IP of your server. You can have a script even automate this process whenever your IP changes. I also use a VPS to host my frp server (actually the same one this forum is hosted on) so I don’t have to worry about maintaining the server hardware. I can even redirect all my clients to a different server by changing the IP the domain forwards to if I wanted to move the frp server to different hardware or IP address (without having to reconfigure any of the clients).

Once all your frp clients (remote systems) are connected to your single frp server, you merely connect with SSH or HTTPS to the configured ports of the IP of your frp server and it will tunnel the connection to the appropriate frp client port (in this case SSH or HTTPS).

So at a minimum, you will need the server to have a public IP, either for your home network if hosting at home, or you can purchase a cheap VPS. Either of these can have a DDNS domain forward to your frp server IP, which all your frp clients can connect to.

1 Like

Thanks, that is very helpful. I managed to set up the connection, but the domain resolution ends with an SSL protocol error. How do you manage the SSL encryption? I am assuming the lack of certificates is the issue here. I have seen people using nginx as an intermediate to FRP but that sounds like an unnecessary layer.

Here is my setup. I only use frps (server). Adding anything else is an unnecessary complication and I won’t be able to assist.

frps.ini (server config):

[common]
bind_port = 6200
authentication_method = token
token = super_secret_token_here
authenticate_heartbeats = true
authenticate_new_work_conns = true

frpc.ini (client config, on remote Pi):

[common]
server_addr = domain_name_to_your_frps_server.com
server_port = 6200
authentication_method = token
token = super_secret_token_here
authenticate_heartbeats = true
authenticate_new_work_conns = true

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 5001

[https]
type = tcp
local_ip = 127.0.0.1
local_port = 443
remote_port = 5002

Then, all you need to do is connect with an SSH client to user@domain_name_to_your_frps_server.com:5001 to SSH into the Pi, or in a web browser go to the address https://domain_name_to_your_frps_server.com:5002 to access the Mycodo web interface.

Here are two systemd service files I made so you can auto-start the server and client on your systems:

frp-server.service:

[Unit]
Description=frp server
StartLimitIntervalSec=0

[Service]
Restart=on-failure
RestartSec=90
ExecStart=/usr/bin/frps -c /etc/frp/frps.ini
ExecReload=/usr/bin/frps reload -c /etc/frp/frps.ini

[Install]
WantedBy=multi-user.target

frp-client.service:

[Unit]
Description=frp client
StartLimitIntervalSec=0

[Service]
Restart=on-failure
RestartSec=90
ExecStart=/usr/bin/frpc -c /etc/frp/frpc.ini
ExecReload=/usr/bin/frpc reload -c /etc/frp/frpc.ini

[Install]
WantedBy=multi-user.target

Make sure you copy the config file to /etc/frp (or wherever you want), copy or create a symbolic link of frps or frpc to /usr/bin, then enable and start with the commands:

sudo systemctl enable /path/to/frp-server.service
sudo service frp-server start
1 Like
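
A small audit of the frps.ini/frpc.ini pair shown above, as an added example that is not part of the original post or of the frp project: it checks that the port and token agree on both sides, that the token is not a placeholder, that the two authentication flags are on, and it lists which ports on the frps host end up publishing which services on the Pi. The hostname frps.example.com, the placeholder list and the 32-character minimum are assumptions made for the example.

```python
import configparser

# Constructed sample configs in the same layout as the post above.
AUTH = ("authentication_method = token\ntoken = super_secret_token_here\n"
        "authenticate_heartbeats = true\nauthenticate_new_work_conns = true\n")
FRPS_INI = "[common]\nbind_port = 6200\n" + AUTH
FRPC_INI = ("[common]\nserver_addr = frps.example.com\nserver_port = 6200\n" + AUTH +
            "[ssh]\ntype = tcp\nlocal_ip = 127.0.0.1\nlocal_port = 22\nremote_port = 5001\n"
            "[https]\ntype = tcp\nlocal_ip = 127.0.0.1\nlocal_port = 443\nremote_port = 5002\n")

PLACEHOLDERS = {"", "super_secret_token_here"}  # assumed deny-list
MIN_TOKEN_LEN = 32                              # assumed local policy, not an frp rule
AUTH_FLAGS = ("authenticate_heartbeats", "authenticate_new_work_conns")

def _load(text):
    # interpolation=None so a '%' inside a random token is read literally
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def audit(frps_ini, frpc_ini):
    """Return (findings, exposed): config problems and the ports frps will publish."""
    server, client = _load(frps_ini), _load(frpc_ini)
    sc, cc = server["common"], client["common"]
    findings = []
    if sc.get("bind_port") != cc.get("server_port"):
        findings.append("frpc server_port does not match frps bind_port")
    if sc.get("token", "") != cc.get("token", ""):
        findings.append("token differs between frps and frpc")
    for name, cfg in (("frps", sc), ("frpc", cc)):
        token = cfg.get("token", "")
        if token in PLACEHOLDERS or len(token) < MIN_TOKEN_LEN:
            findings.append(f"{name}: placeholder or short token")
        for flag in AUTH_FLAGS:
            if cfg.get(flag, "false").lower() != "true":
                findings.append(f"{name}: {flag} is not enabled")
    exposed = {}  # remote_port on the frps host -> service on the Pi
    for section in client.sections():
        if section == "common":
            continue
        proxy = client[section]
        port = proxy.getint("remote_port")
        if port in exposed:
            findings.append(f"[{section}] reuses remote_port {port}")
        exposed[port] = f"{proxy.get('local_ip')}:{proxy.get('local_port')}"
    return findings, exposed
```

Every entry in `exposed` is reachable by anyone who can reach the frps host on that port, so the list doubles as the set of ports to restrict in the server's firewall.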

Works like a charm - I must have messed up the config files somewhere along the way. I changed the client remote port to 443 just for easier access and it still works. Thanks a lot again!
I’ll be in touch soon about plugging in an IP camera with ONVIF into mycodo – hope I’ll be able to contribute more this time around…

1 Like

Should I configure the frp client and server on one Raspberry Pi with mycodo installed?

No, that is not how it works at all. Server and client must be on separate devices. You should refer to the frp documentation for setup.

What I use is a program called ZeroTier. Add the program within the Pi and whatever other device you want to add to the network to communicate. It's like a virtual network!