remote connection

SSH and HTTP to a Raspberry Pi behind CG-NAT

For a project I'm working on, I'll have a Raspberry Pi sitting behind a 4G LTE modem:

Raspberry Pi 4 with 4G LTE modem and antenna on desk

This modem is on AT&T's network, but regardless of the provider, unless you're willing to pay hundreds or thousands of dollars a month for a SIM with a public IP address, the Internet connection will be running behind CG-NAT.

What this means is there's no publicly routable address for the Pi—you can't access it from the public Internet, since it's only visible inside the cell network's private network.

There are a few different ways people have traditionally dealt with accessing devices running through CG-NAT connections:

  1. Using a VPN
  2. Using a one-off tool like ngrok
  3. Using reverse tunnels, often via SSH

And after weighing the pros and cons, I decided to go with option 3, since—for my needs—I want to have two ports open back to the Raspberry Pi:

SSH in a Locked-Down Network

Recently, during one job for a client, I needed to work for a length of time in a location that had quite severe network restrictions—in addition to a proxy server, the location blocked every port besides 80, 25, 443, and 8080. In order to use secure shell (SSH) to login to my work web server, I needed to use one of those ports (I used nmap to find open ports on my end).

Luckily, I gained access to another network for a short time, and used that connection to update my work web server to allow SSH over port 8080 (in addition to the standard, port 22). I edited the /etc/ssh/sshd_config file so it reads:

Port 22
Port 8080

(the Port 22 line was commented out, originally).

Then I simply used the -p (port) directive when logging in via SSH:

$ ssh -p8080 username@example.com