It’s been more than four years since I wrote about securing my home PC, back in India. Since then, I’ve both upgraded the operating system, and also changed the internet provider. The change of ISP also merited a change in the router, and I had not even the time to inspect the hardware, much less configure it to allow remote access, before I returned to Sweden. This meant that like earlier, I had to coax someone back home in India to help me get it done, and that someone this time around, was my wife!

I knew I hadn’t had the time to activate any iptables-based firewall on my home PC before I left, so any access control would only be at the router level, and I expected it to drop everything from outside-in, but thought it wouldn’t hurt to try. I first asked my wife to run netcat with some high numbered ports, which I tried to access, using the public IP of the router (or so I surmised) she obtained using whatismyip.com. The netcat command was like this

netcat -l -p 50000;

My attempts to contact it resulted in timeouts. Hmm. I then got her to open an ssh-tunnel for me, by sshing into my raspberry pi box at home in Sweden. The command looked like this:

ssh -f -N -R 20000:localhost:22 user@myrpi 

I asked my wife to also run top in the terminal she’d sshed into, to ensure the connection wouldn’t get terminated to quiescence. I was then able to login into my box, and use the tunnel, to ssh back home. Having got there, I was able to tunnel out the router’s http port, to be able to change the router settings. When I looked however, I saw that the router didn’t have a public IP at all, but was instead behind a second VPN router; so much for my attempts to access my machine from outside-in. I read up online that the customer care for ACT Fibernet (my ISP in India), is quite terrible, so getting them to understand what I wanted would be like scaling a miniature Mt Everest, so I gave up, and instead set up a small agent on my raspberry pi, which could be queried by my linux box in Bangalore, using ssh-key for auth. Let’s call the machines BLR-box (Bangalore) and LPI-box (Linköping) for convenience. On the LPI-box, I restricted the ssh-key of the BLR-box user to executing two commands only, in sequence.

1. The first command would check a certain file for a particular value, to see if I wanted a tunnel opened; if the value in the file on the LPI-box matched the value present in the cron-executed script on the BLR-box, it would open an ssh-tunnel, as shown above.
2. The second command would simply overwrite the contents of the check file, to prevent a subsequent cron-run from attempting to open another ssh connection. This ensures that a connection is only opened when I need one, and ask for it.

I did some testing, and was satisfied that it seemed to work fine. This’ll allow me to keep my BLR-box updated, and install stuff that my parents might require. Even if my parents switch to using a tablet to communicate with me, and for video calling etc, it’ll always be useful to have a working and current linux box there that I can control, should I need to do so.