To facilitate remote tech support, we need a server some place safe, like this one. We also need to give the Raspberry Pi a username and password so it can log in (this article was used as a guide).

But why would we want to do this? I am looking to deploy a Raspberry Pi at my parents’ house as a bird box camera; however, this requires getting into it backwards via their Virgin Super Hub. In order to do that I would require: 1. port forwarding, 2. knowing the IP address, and 3. having only one R-Pi in the system. In short, it would be difficult; the advantage of remote access is that if I update the code, I can log into the R-Pi remotely in order to deploy it.

  1. On my server we create a new user:
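    # -p expects an already-hashed password, so set the password interactively instead
    sudo adduser <user>
    sudo passwd <user>   # not needed if adduser already prompted for a password

    This is a user that we will use for nothing else, so we can revoke access if we lose the Pi.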

  2. Assuming the Pi is already set up (if not, have a look here, here and perhaps here), SSH into it to create an SSH key pair:
    cd ~/
    mkdir -p .ssh
    cd .ssh
    ssh-keygen -t rsa

    Choose no passphrase when asked and accept the default filename of id_rsa.

  3. Now it's time to copy the public key to the server:
    scp id_rsa.pub <user>@<yourhost>:.ssh/newkey

    (This will require your password.)

  4. While we could use the same key file for all Raspberry Pis, it makes more sense to have one key per device (this makes it easier to revoke). SSH into the server as the user, and then:
    cat .ssh/newkey >> .ssh/authorized_keys
  5. Creating the reverse SSH tunnel.
    Sneaking back onto the Pi, we now type:

    ssh -N -R 1337:localhost:22 <user>@<host>

    where 1337 is a port that you want to use (one port per R-Pi).

  6. Once that is up and running, log into the server as any other user, and run the command:
    ssh -l pi -p 1337 localhost

    You will now be logged into the Raspberry Pi sat next to you via your server, wherever that may be. (It may be wise to change the Raspberry Pi password!)

  7. Now that we are happy it's all working, we can make it persistent (always on). We create a file called “CreateSSHTunnel.sh” on the Raspberry Pi with the following:
    #!/bin/bash
    createTunnel() {
      # -N keeps ssh in the foreground, so this only returns once the tunnel has closed
      ssh -N -R 1337:localhost:22 <user>@<host>
      rc=$?   # save ssh's exit status before the test below overwrites $?
      if [[ $rc -eq 0 ]]; then
        echo "Tunnel to jumpbox created successfully"
      else
        echo "An error occurred creating a tunnel to jumpbox. RC was $rc"
      fi
    }

    # pidof matches any running ssh client, not just the tunnel
    /bin/pidof ssh
    if [[ $? -ne 0 ]]; then
      echo "Creating new tunnel connection"
      createTunnel
    fi

    And then make it executable:

    chmod +x CreateSSHTunnel.sh
  8. To automate it, we need to add it to the crontab:
    crontab -e

    We will make it check for the tunnel being up every minute, and if not, attempt to bring it up. We will also output the errors to a log file (tunnel.log) so we can keep an eye on things. We need to append the following to the bottom:

    */1 * * * * ~/CreateSSHTunnel.sh >> ~/tunnel.log 2>&1

Now whenever I want to log into the remote Pi, wherever it is, I just SSH into my server and type “ssh -l pi -p 1337 localhost”. It will then prompt me for my password (I could set up more SSH keys to avoid this password requirement for automating via SSH, SCP or RSYNC, but at the moment I don’t need to).
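
Steps 1, 4 and 5 rely on a tunnel-only user, one key per Pi and one port per Pi. The following is an added example, not part of the original post, that writes each Pi's key into authorized_keys so it can only open its own reverse tunnel, and revokes a single Pi by port. It assumes OpenSSH 7.8 or later on the server (for `permitlisten`); the function names, the `pi-<port>` comment and the sample key are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSH 7.8+ on the server.
# Function bodies use ( ), so variables stay local and exit only leaves the function.

# Print a locked-down authorized_keys line. $1 = port for this Pi, $2 = its id_rsa.pub line
restricted_entry() (
  port=$1; ktype=${2%% *}; rest=${2#* }; blob=${rest%% *}
  case $port in ''|*[!0-9]*|??????*) echo "bad port" >&2; exit 1;; esac
  if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
    echo "port out of range" >&2; exit 1
  fi
  # Accept only "<type> <base64> [comment]"; a line that already has options is refused.
  case $ktype in ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;; *) echo "not a public key" >&2; exit 1;; esac
  case $blob in ''|*[!A-Za-z0-9+/=]*) echo "bad key data" >&2; exit 1;; esac
  # restrict turns off pty, agent/X11 forwarding, user rc and port forwarding;
  # port-forwarding switches forwarding back on, permitlisten limits -R listeners
  # to this port, and command= makes any requested session run /bin/false.
  printf 'restrict,port-forwarding,permitlisten="localhost:%s",command="/bin/false" %s %s pi-%s\n' \
    "$port" "$ktype" "$blob" "$port"
)

# Append the entry unless the port or the key is already in the file.
# $1 = authorized_keys file, $2 = port, $3 = public key line
add_device() (
  entry=$(restricted_entry "$2" "$3") || exit 1
  rest=${3#* }; blob=${rest%% *}
  if [ -f "$1" ] && grep -qF -e "localhost:$2\"" -e " $blob" "$1"; then
    echo "port or key already in use" >&2; exit 1
  fi
  printf '%s\n' "$entry" >>"$1"
)

# Revoke one Pi by its port; every other device's key stays in place.
revoke_device() (
  grep -vF "permitlisten=\"localhost:$2\"" "$1" >"$1.tmp" || [ $? -eq 1 ] || exit 1
  cat "$1.tmp" >"$1" && rm -f "$1.tmp"
)

# Constructed sample key (not a real key), to show the generated line.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7constructed pi@raspberrypi'
restricted_entry 1337 "$SAMPLE_KEY"
```

Because `port-forwarding` also re-enables local (`-L`) forwards for the key, setting `AllowTcpForwarding remote` for this user in the server's sshd_config closes that off.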