Access resources on local LAN from a shared remote

We have certain resources that are accessible only from the home LAN, and we want to reach them from anywhere. Given that we have a highly available cloud server, we can use it as a reverse proxy for the specific services we want to reach. A custom configuration is required, and it is outlined in the article below.

Problem

Certain resources, such as a wireless router's configuration interface, are typically accessible only from the LAN. Exposing those resources directly to the internet is impractical because the home connection has no static IP. An alternative is to have a reachable local device that can access the LAN resources act as a proxy on our behalf.

Solution

There are two known possible configurations to connect to a resource available only in a certain LAN from outside.

  1. The first one is to let another local device open a reverse SSH tunnel that maps a remote port to a certain device in its LAN. Then we configure a reverse proxy on the remote to make it accessible from the remote's web server.
  2. The second one is just like the first, except that instead of configuring a reverse proxy on the remote, we set up a local forward from another machine (outside the LAN) to the remote machine, mapping the exposed remote port to a port on that machine.

We will explore both configurations, as they share the same initial setup. This solution section is therefore divided into three parts: the first part is where we configure the machine inside our target LAN that we can control, the second part is where we configure a reverse proxy on our remote server, and the third part is where we configure external devices to access the LAN services from outside.

The Device From Within Target LAN

It is actually quite straightforward, as all we need to do is to prepare a reverse SSH tunnel targeting a locally available service and make it available on a port of the remote server. The setup is already described at length in this article.

For example, if we want to access our home router, we use a computer inside the same network as the router and set up a reverse SSH tunnel:

$ ssh -TNv -R 8090:192.168.100.1:80 user@remotehost

Basically we make 192.168.100.1:80 in our local network accessible on remotehost at an arbitrary port (in this example, port 8090). Remember this port, as we are going to use it as is in the following sections. Because sshd binds remote forwards to the loopback interface unless GatewayPorts is enabled, port 8090 is reachable only from remotehost itself, which is why the reverse proxy below points at 127.0.0.1:8090.

Alternatively, we can just add that to our SSH config file ~/.ssh/config:

# file ~/.ssh/config

Host cloud-tun
    User                user
    HostName            remotehost
    RemoteForward       8090 192.168.100.1:80
    ServerAliveInterval 120

Therefore we can just issue:

$ ssh -TNv cloud-tun

The Reverse Proxy On Remote Server

On our server, we can have something like the following configuration:

# Redirect specific sites to use https
# Courtesy of:
# https://serversforhackers.com/c/redirect-http-to-https-nginx
server {
    listen 80;
    listen [::]:80;

    server_name myrouter.domain.tld;

    return 301 https://$server_name$request_uri;
}

# Separate server block for http and https
# The block below only accepts ssl connection
# The block above basically redirects to this block
# Courtesy of:
# https://bobcares.com/blog/nginx-multiple-domains-ssl/
server {
    listen [::]:443 ssl;
    listen 443 ssl;

    server_name myrouter.domain.tld;

    include certs_params_domain.tld_wildcard;

    location / {
        proxy_pass http://127.0.0.1:8090;
        include proxy_params;
    }
}

Then we just have to point our browser to our domain, for example https://myrouter.domain.tld, and our router is accessible there.

The Device From Outside Target LAN

It is actually quite straightforward, as all we need to do is to prepare an SSH tunnel connecting a certain local port to a specified port on the remote. Again, the setup is already described at length in this article.

For example, if we want to access our home router and we have already configured the device within the same network as the target service, we can reach the service from any device once we set up the following SSH tunnel:

$ ssh -TNv -L 8080:localhost:8090 user@remotehost

Note that the service we want to use in this article is made available on port 8090 of the server remotehost.

Alternatively, we can just add that to the SSH config file ~/.ssh/config on the outside device:

# file ~/.ssh/config

Host cloud-tun
    User                user
    HostName            remotehost
    LocalForward        8080 localhost:8090
    ServerAliveInterval 120

Therefore we can just issue:

$ ssh -TNv cloud-tun

After we set up the tunnel, we can just point our browser to http://localhost:8080.
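The three parts above have to agree on port 8090, so here is an added consistency check (written for this page, not part of the original article): a Python script that parses the two ~/.ssh/config stanzas and the nginx proxy_pass line, confirms the ports line up, and flags a RemoteForward bound to a non-loopback address, which would expose the tunnel port on remotehost directly rather than behind the TLS proxy. The configs embedded in it are constructed to mirror the ones above.

```python
import re

# Constructed sample configs mirroring the article's three parts.
INSIDE_CFG = """
Host cloud-tun
    HostName            remotehost
    RemoteForward       8090 192.168.100.1:80
"""
OUTSIDE_CFG = """
Host cloud-tun
    HostName            remotehost
    LocalForward        8080 localhost:8090
"""
NGINX_CFG = "location / { proxy_pass http://127.0.0.1:8090; include proxy_params; }"

LOOPBACK = ("127.0.0.1", "localhost", "::1")

def parse_forwards(cfg, keyword):
    """Return (bind_addr, bind_port, target) for each RemoteForward/LocalForward line.
    Bind spec is [bind_address:]port; an empty address means loopback (unless GatewayPorts is on)."""
    out = []
    for line in cfg.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].lower() == keyword.lower():
            addr, _, port = parts[1].rpartition(":")
            out.append((addr or "127.0.0.1", int(port), parts[2]))
    return out

def proxy_pass_port(nginx_cfg):
    """Port nginx forwards to; assumes the upstream host is 127.0.0.1 as in the article."""
    m = re.search(r"proxy_pass\s+http://127\.0\.0\.1:(\d+)\s*;", nginx_cfg)
    return int(m.group(1)) if m else None

def check_chain(inside_cfg, nginx_cfg, outside_cfg):
    """Return a list of problems; an empty list means the three parts agree."""
    findings = []
    remote = parse_forwards(inside_cfg, "RemoteForward")
    if not remote:
        return ["no RemoteForward on the inside device"]
    addr, rport, _target = remote[0]
    if addr not in LOOPBACK:
        findings.append(f"RemoteForward binds {addr}:{rport} on remotehost, bypassing the TLS proxy")
    pport = proxy_pass_port(nginx_cfg)
    if pport != rport:
        findings.append(f"nginx proxies to port {pport} but the tunnel listens on {rport}")
    for _, lport, ltarget in parse_forwards(outside_cfg, "LocalForward"):
        if int(ltarget.rpartition(":")[2]) != rport:
            findings.append(f"LocalForward {lport} targets {ltarget}, not remotehost port {rport}")
    return findings
```

Run it against your real files before opening the tunnels; any finding means one of the three hops is pointing at the wrong port or listening more widely than intended.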