5

Here is my setup: I have a machine I would like to be able to reach from the internet from outside my home over a single port (for example, for SSH-ing into it). The machine is behind my home router (I have full control over it, this is fine), and my ISP uses dynamic IPs, with NAT on their end (carrier-grade NAT). So, my public IP is both changing (which I am used to and can be solved by using a DDNS service like dedyn.io), but in addition my public IP is shared between several customers (which is the issue I do not know how to solve).

My question is: is there a way, somehow, to still allow me to reach my machine on a single specific port, by "doing something similar to" publishing to the DDNS service both an IP, and a port that I know will be routed back to my home router on a specific port, that I can then route back to my machine? (I understand this mixes concepts from different networking stack levels, like DNS vs protocol)

I do not know how to address this question and if this is doable or not. If not, I can think about other ways to make my machine reachable (through an onion service for example; any other suggestions that would come free of charges? I do not want to be relying on a "jump reverse ssh tunnel machine" on the cloud, as I do not want to pay for it).


Note: question moved from https://networkengineering.stackexchange.com/questions/79902/is-it-possible-to-access-a-machine-behind-an-isp-nat-by-publishing-somehow-ip-a , according to feedback received in comments.


Zorglub29
  • 153

4 Answers

4

You could try pwnat.

This is an open-source tool that addresses this problem, and whose aim is to allow any number of clients behind NAT to communicate with a server that is also behind NAT, without using port forwarding on any router. The server does not need to know anything about the clients trying to connect.

I haven't found a compiled version of pwnat, so you will need to compile it from source.

The method used by pwnat is unbelievably clever, but there is no guarantee that it will work with your environment.

harrymc
  • 498,455
1

My question is: is there a way, somehow, to still allow me to reach my machine on a single specific port, by "doing something similar to" publishing to the DDNS service both an IP, and a port that I know will be routed back to my home router on a specific port, that I can then route back to my machine? (I understand this mixes concepts from different networking stack level, like DNS vs protocol)

Generally, no, for two reasons:

  1. Most software (including SSH) won't even ask DNS for the port number. They ask DNS for a list of addresses (A/AAAA records) and there's no space for ports in them.

    It is possible to publish arbitrary data in DNS, e.g. using SRV or TXT records (if your DDNS service allows those), but you'll still need a custom wrapper around the client to make it pull the port from DNS automatically. For OpenSSH this is relatively easy (ProxyCommand would be a good start), for other software less so.

  2. DDNS services cannot make an address or a port accessible from outside – the only thing they do is assign a name to it. And most ISPs implementing CGNAT don't provide customers with any TCP port that'll be accessible from outside. (Like your own home router, they only accept packets corresponding to an already established flow, and unlike your home router, they almost never allow customers to request inbound port-forwarding via UPnP or similar.)

    In my experience, even CGNATs that use a 1:1 mapping (i.e. do not actually share an address between several customers at one time) often deliberately don't allow inbound connections even if it would be technically possible.

through an onion service for example; any other suggestions that would come free of charges? I do not want to be relying on a "jump reverse ssh tunnel machine" on the cloud, as I do not want to pay for it

There are several options, but all of them (including Tor onion services) necessarily boil down to setting up some kind of long-lived connection through someone else's infrastructure and then using that as a reverse tunnel.

(At least 3 large "cloud server hosting" companies offer a small VPS completely for free, so you can set up a "jump reverse ssh tunnel machine" there.)

grawity
  • 501,077
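The two pieces of this answer put together, as an added example that is not part of the original answer and not OpenSSH's own code: a small Python script usable as an OpenSSH ProxyCommand that pulls the port from an SRV record (point 1), with the reverse tunnel through a VPS that it assumes on the other end (the last paragraph). Everything specific in it is an assumption made for the illustration: the name home.example.net and the record _ssh._tcp.home.example.net, the VPS vps.example.net with tunnel port 2222, and that `dig` is installed on the client (Python's standard library has no SRV resolver, so the script shells out to it).

```python
#!/usr/bin/env python3
"""OpenSSH ProxyCommand that resolves _ssh._tcp.<host> (SRV) to find the port.

Added example, not from the original answer. Assumed (hypothetical) setup:

  home machine:  ssh -N -R 2222:localhost:22 user@vps.example.net
                 (kept alive by autossh or a systemd unit), then it publishes
                 _ssh._tcp.home.example.net. SRV 10 0 2222 vps.example.net.
  client:        ~/.ssh/config
                   Host home.example.net
                       ProxyCommand python3 /path/to/ssh_srv_proxy.py %h
"""
import os
import select
import socket
import subprocess
import sys

SERVICE_PREFIX = "_ssh._tcp."


def parse_srv(dig_output: str):
    """Parse `dig +short SRV` lines: '<priority> <weight> <port> <target.>'.
    Returns a list of (priority, weight, port, target) tuples; malformed
    lines (warnings, empty output) are skipped rather than trusted."""
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            prio, weight, port = int(parts[0]), int(parts[1]), int(parts[2])
        except ValueError:
            continue
        if not 0 <= port < 65536:
            continue
        records.append((prio, weight, port, parts[3].rstrip(".")))
    return records


def pick_target(records):
    """RFC 2782 order: lowest priority wins, higher weight preferred inside a
    priority. The weighted random pick is replaced by a deterministic sort so a
    ProxyCommand behaves predictably. Returns (target, port) or None; a target
    of '.' (empty after stripping) means 'service not available'."""
    if not records:
        return None
    _prio, _weight, port, target = sorted(
        records, key=lambda r: (r[0], -r[1], r[3]))[0]
    if target == "" or port == 0:
        return None
    return target, port


def lookup_srv(host: str) -> str:
    """Ask dig for the SRV record; empty string if dig is missing or fails."""
    try:
        return subprocess.run(
            ["dig", "+short", "SRV", SERVICE_PREFIX + host],
            capture_output=True, text=True, timeout=10, check=False).stdout
    except (OSError, subprocess.TimeoutExpired):
        return ""


def write_all(fd: int, data: bytes) -> None:
    while data:
        data = data[os.write(fd, data):]


def relay(target: str, port: int) -> None:
    """Connect to target:port and shuttle bytes between the socket and
    stdin/stdout, which is all ssh expects of a ProxyCommand."""
    sock = socket.create_connection((target, port), timeout=15)
    sock.settimeout(None)
    watched = [0, sock.fileno()]            # fd 0: ssh writes to us here
    while True:
        readable, _, _ = select.select(watched, [], [])
        if 0 in readable:
            data = os.read(0, 65536)
            if data:
                sock.sendall(data)
            else:                           # ssh closed its side: half-close
                sock.shutdown(socket.SHUT_WR)
                watched.remove(0)
        if sock.fileno() in readable:
            data = sock.recv(65536)
            if not data:                    # remote closed: done
                break
            write_all(1, data)
    sock.close()


def main(argv) -> int:
    if len(argv) != 2:
        sys.stderr.write("usage: ssh_srv_proxy.py <host>\n")
        return 2
    choice = pick_target(parse_srv(lookup_srv(argv[1])))
    if choice is None:
        sys.stderr.write("no usable SRV record for %s%s\n" % (SERVICE_PREFIX, argv[1]))
        return 1
    relay(*choice)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two caveats a practitioner will want. First, the SRV record decides only where the TCP connection goes; it is ordinary, unauthenticated DNS unless your resolver validates DNSSEC. What stops a spoofed record from steering you to an impostor is the host key check ssh still performs under the configured name (home.example.net), so keep that known_hosts entry and leave StrictHostKeyChecking on. Second, sshd binds `-R` forwards to the loopback address by default (GatewayPorts no), so for an outside client to reach vps.example.net:2222 the VPS must allow it (GatewayPorts yes, or clientspecified with an explicit bind address); the alternative is to skip the SRV lookup and use `ProxyJump user@vps.example.net` with `HostName localhost` and `Port 2222`. Either way the home sshd is now exposed on the internet through the VPS, so key-only authentication on it is the minimum.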
0

So-called "overlay" networks can be a solution. Examples are ZeroTier, Tailscale, Nebula (by Slack), Innernet, ngrok and its alternatives.

Some of the solutions mentioned tick all requirements:

  • Zero config/opening ports
  • Allows roaming across networks (an overlay network is what's being used for addressing)

Cloudflare Tunnels has been cropping up; however, it's a closed-source solution and, in addition, they can see all your traffic as it traverses their networks (not saying they're bad folk!).

How's the latter known? There's a diagram that shows it, and they have a feature to enable secure traffic (TLS certs) to/from local devices and restrict who can access them. Your traffic isn't secure as it's only HTTP, but it is now being bolstered/upgraded by a cert Cloudflare's creating and access being checked (authentication).

https://developers.cloudflare.com/assets/handshake_hufad68abf6107ffc2ef859ebe1b42b6e2_299675_1768x1102_resize_q75_box-3f75968f.jpg

0

Many retail ISP home plans using CG-NAT nowadays will block incoming ports including 80, 443 etc. anyway. However, some have the option to opt out of CG-NAT, allowing for unique dynamic or static IP addressing, which is sometimes necessary for some medical devices or home security systems.

0x1801ce
  • 183