Connecting to machine without static IP

vmiheer

miheer vaidya

Posted on April 14, 2022


So I needed to access a computer without a static IP from the internet. Here's the way to accomplish it.

  1. Get a no.ip DDNS account. Create a DDNS host and preferably create an AAAA record, which allows both IPv4 and IPv6.
  2. Hopefully your router has DDNS support. Thankfully Google Fiber had it. It will be buried under "advanced", but most likely it is there. Go to step 4.
  3. If the router doesn't have DDNS support, you can install the ddns client; don't install the no.ip client. Configure it using this article. Note that the Ubuntu package installation will ask most of these questions.
  4. Add the no.ip configuration to your router. By this point you should be able to reach your router from the outside world, but not yet your machine.
  5. In the router configuration, find a way to forward a port. Here we will forward the ssh port to the outside.

Advanced/Anxious steps

  1. In sshd_config, add an additional port to run the ssh server on.

    port 22
    port 10101
    
  2. We will use port 22 for connecting to the computer from within the network, but when we want to access the computer from outside the network we will use port 10101 instead. You might ask why not just use the router to do this redirection from 22 to 10101 or another port number? Read on :).

  3. Create a Duo account. Set up your machine to use Duo. The steps differ depending on whether you are targeting Unix or Windows. You can instead use Google Authenticator, but I am not a fan of entering 6 digits for each login. AFAIK Microsoft Authenticator doesn't support non-Windows systems; otherwise Microsoft Authenticator also uses passwordless 1-tap authentication.

  4. Now use a Match clause in sshd_config to make sure all external access is guarded by duo_login. This tells sshd that if a connection comes in on port 10101, the public key must match, duo_login must be satisfied, and password authentication is not allowed.

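    # sshd_config
    ...
    # put at the end of the file: a Match block applies until the next Match or end of file
    Match LocalPort 10101
        # require the public key first, then the keyboard-interactive (Duo) prompt
        AuthenticationMethods "publickey,keyboard-interactive"
        PasswordAuthentication no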
    
  5. Restart the sshd service:

    service sshd restart
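
A check to run before the restart, added here as an example and not part of the original post: it reads the effective settings that `sshd -T -C lport=10101` reports for a connection arriving on the forwarded port, and fails unless every accepted method list requires both the public key and the keyboard-interactive (Duo) step. The function name `audit_external_port` and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit what sshd would enforce on the forwarded port.
# Real use (as root), after editing sshd_config and before restarting:
#   sshd -t && sshd -T -C lport=10101 | audit_external_port 10101

# Reads `sshd -T` output on stdin; returns 0 only if the port is served,
# passwords are off, and every accepted method list needs both factors.
audit_external_port() {
    awk -v want="${1:-10101}" '
        $1 == "port" && $2 == want     { listening = 1 }
        $1 == "passwordauthentication" { password = $2 }
        $1 == "authenticationmethods" {
            seen = 1
            # Each field after the keyword is an alternative list, and any
            # one list is enough to log in, so all of them must be strong.
            for (i = 2; i <= NF; i++) {
                n = split($i, m, ",")
                pk = 0; kbd = 0
                for (j = 1; j <= n; j++) {
                    if (m[j] == "publickey") pk = 1
                    if (m[j] ~ /^keyboard-interactive(:|$)/) kbd = 1
                }
                if (!(pk && kbd)) weak = weak " " $i
            }
        }
        END {
            bad = 0
            if (!listening) { print "FAIL: not listening on port " want; bad = 1 }
            if (!seen) { print "FAIL: no authenticationmethods line"; bad = 1 }
            if (weak != "") { print "FAIL: single-factor list(s):" weak; bad = 1 }
            if (password != "no") { print "FAIL: passwordauthentication=" password; bad = 1 }
            if (!bad) print "OK: port " want " needs publickey + keyboard-interactive"
            exit bad
        }
    '
}

# Constructed sample of trimmed `sshd -T -C lport=10101` output (not a real host).
SAMPLE_OK='port 22
port 10101
passwordauthentication no
authenticationmethods publickey,keyboard-interactive'

printf '%s\n' "$SAMPLE_OK" | audit_external_port 10101
```

Running the same pipeline with `lport=22` shows what the in-network port enforces, which makes the difference introduced by the Match block visible.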
    

Hope you find it useful!
✌
