by dls2016 1709 days ago
I set up an RPI in a field at my dad’s w/ 900MHz internet bridge and wanted 24/7 remote access but didn’t want to pay for and configure VPN. At first I opened a router port but the RPI showed access attempts every few minutes, which was troubling. Learned enough about ssh tunneling to set up a systemd service to auto-attach the RPI to an AWS instance. (Also have an RPI on the bench attached as well.)

I always laugh when I ssh into AWS, then into the RPI (over the internet and then a 900MHz bridge). Then sometimes I ssh or ftp into a data logger running in the field. Good times and has worked relatively flawlessly for a few months. (I don’t have any uptime metrics for the network connection but no noticeable problems.)

I’m planning a few more which would be much more remote. Any other suggestions for managing such a setup? Some sites may have cellular connections and so I’m not sure I want 24/7 ssh tunnel (though I don’t think it uses too much data).

Edit: I see others recommending WireGuard for a similar situation. Never heard of it, will check out.
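
The kind of tunnel service the post above describes, as an added example that is not part of the original post or the poster's actual configuration. The unit name, the `pi` and `tunnel` accounts, `relay.example.com`, port 2222 and the key path are all assumed placeholders.

```ini
# /etc/systemd/system/reverse-tunnel.service  (hypothetical unit name)
# Assumed placeholders: local user "pi", relay account "tunnel" on
# relay.example.com, relay-side listen port 2222, key tunnel_ed25519.
[Unit]
Description=Persistent reverse SSH tunnel from the RPi to the AWS relay
Wants=network-online.target
After=network-online.target

[Service]
User=pi
# -N: no remote command, port forwarding only.
# -R 127.0.0.1:2222:localhost:22: the relay listens on its loopback only,
#   so the RPi's sshd is reachable from the relay, not from the internet.
# ExitOnForwardFailure: exit if the port cannot be bound, so systemd retries.
# ServerAlive*: notice a dead radio or cellular link after about 90 s.
# BatchMode + StrictHostKeyChecking: never prompt, never accept a changed host key.
ExecStart=/usr/bin/ssh -N \
    -i /home/pi/.ssh/tunnel_ed25519 \
    -o BatchMode=yes \
    -o StrictHostKeyChecking=yes \
    -o ExitOnForwardFailure=yes \
    -o ServerAliveInterval=30 \
    -o ServerAliveCountMax=3 \
    -R 127.0.0.1:2222:localhost:22 \
    tunnel@relay.example.com
Restart=always
RestartSec=30

[Install]
WantedBy=multi-user.target
```

With `StrictHostKeyChecking=yes` the relay's host key has to be in the `pi` user's `known_hosts` before the service is enabled. No router port is opened at the RPi site, because the only connection is outbound to the relay.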

3 comments

>At first I opened a router port but the RPI showed access attempts every few minutes, which was troubling. Learned enough about ssh tunneling to set up a systemd service to auto-attach the RPI to an AWS instance.

What was the gain here exactly? The same port scanners are hitting your AWS instance now. If it concerned you before with the RPi (which it shouldn’t btw), I don’t see why it wouldn’t concern you with the AWS instance as well…

I’m currently in a low-user situation and can lock that down AWS instances by IP.

My concern is that I'm running an experiment and don't want things corrupted by some script kiddies simply because I'm not a great network/Linux admin. This merely reflects my lack of knowledge... hence my ask. (Which I guess people hate enough to downvote? haha ok)

That’s pretty simple to do with Linux too… Just install ufw and set it to deny by default, then open the SSH port to only your IP. No need to go through AWS for that.

Didn't know about ufw, but I'm not on the same network as the RPI and don't have a static IP. And the RPI was already uploading data to an AWS instance.

Sorry, then I don’t know what you’ve meant by “lock that down AWS instances by IP”.

Using an AWS security group. I'm a basic b** as the kids say.

And remove the word "that".

> I set up an RPI in a field at my dad’s w/ 900MHz internet bridge and wanted 24/7 remote access but didn’t want to pay for and configure VPN.

Hah, same. Didn't really go that deep into the failed login attempts though: private key authentication + I have a static IP so iptables is sufficient. In addition I have a script that sends a text to my phone each time someone logs into any of my computers/servers (even if it's me) and if not, I have one or two kill switches at my disposal.

WireGuard is great. Check out Tailscale to manage key exchange for you automagically. I just set it up across my home network and devices and it’s shockingly easy. For personal/hobby projects it’s free.