Shell/SSH Access to Dynamic IP
This is not hosting related, more like IoT/network centric question, I know LES and LET technically strong with technical and network related topics, I am not one of you expert here.
We have couple of IoT Edge devices deployed [BeagleBone Industrial] which are running Linux on ARM SBC. They need configuration and tweaking some times, but located 100 km to 500 km distance where our technical team is working.
We need below capabilities,
- We need to configure the software configuration/update sofwares [some jar files/XML/JSON/YML]
- Restart if something not working [few server and collectors]/ need ssh [ssh is good to troubleshoot]
- Upload/Download files [ftp/http]
- Access to web server running on edge device from remote browser
The devices are using 4G LTE, or Ethernet provided by customer, or WIFI provided by customer as end point. None of them has static ip, it is nearly impossible to pursue them to buy static IP. The stack is build on Java if that matters running on Linux 4.x kernel, mostly Debian flavoured linux, now working on a yacto based distribution.
What is the best way to resolve all/case-by-case way the problems stated above?
Comments
If you look at protocols like COAP or LWM2M all initiation for connections are done at the client (device) side, simply because of how cellular networks work. Things like updating firmware and application specific configuration is something that should be embedded into your firmware and should be supported by the protocol you're using to communicate with your IoT devices. When the device is first turned on for example, you might want it to connect to a server and fetch the configuration and latest firmware, based on it's unique identifier. Depending on your setup you might want to check for configuration and firmware updates every 24 hours or whatever interval suits your use case. There's rarely a straight forward answer to this interval as it very much depends on your requirements.
In the case of COAP and LWM2M, a server-sided queue is maintained that holds certain requests (e.g. configuration or firmware updates, requests to read sensor data, etc). An IoT device then wakes up once every few minutes and does a quick call to the server to see if there's anything in the queue for this particular device, immediately going back to sleep afterwards. This is how small IoT devices over low power cellular networks still last for half a decade on a single battery charge.
dynamic sub domains like dyndns running on the device?
Namecheap offers a dynamic update on domains using their DNS. it is as simple as a http request.
“Technology is best when it brings people together.” – Matt Mullenweg
Zerotier or Tinc. Never used tinc before, but I'm using Zerotier to access a NAT based system, and It's awesome.
This is more of Gateway, capable of handling Linux and Java Stack [512 MB RAM to 4 GB RAM], for the configuration, we have a web service, web app, accessing them would benefit us for easy validation of running application after configuration tweak.
In the case of a gateway you should be able to open a persistent TCP connection initiates by the gateway and go from there.
There's a few solutions already named in this thread that would do exactly that.
How about SSH remote forwarding?
Get the best deal on your next VPS or Shared/Reseller hosting from RacknerdTracker.com - The original aff garden.
+1 for ZeroTier. Using it on a lot of NAT VMs that I want running in a DC but not publicly accessible w/ port forwards for security reasons (RDP, applications with sensitive data, etc).
I've also got a raspberry pi and a small server "colo'd" with friends, I can admin them and run my backups, etc through a tunnel without having to setup port forwards on crappy ISP-provided routers.
🦍🍌
Thanks for the recommendations.
I will be looking to Zerotier thanks @sanvit, @Harambe @Solaire for the tips.
I see commercial licensing is expensive at our case, may not be needed as we just use the system, not to embed/re-brand it.
I see a most viable option that is to pay, "A small $5 USD per month cloud node can easily run a network controller for several thousand network members", does it mean it cost really only $5 a month?
So you can self-host the controller or just use their hosted one. I just use their hosted stuff. They're just saying you could run it on a $5/mo VPS if you wanted to self-host.
The hosted option is free for 100 devices per account. So you can create unlimited networks with 100 devices for $0. If you need more than 100 it's $29/mo for unlimited devices.
You don't need the commercial licensing for what you're doing. That's only if you're selling a device or software and you want to license their tech to go in it.
Sounds like you probably have <100 total since you said 'a couple' so the free plan should work fine. Device = anything connected to the network, so that includes you + technicians + whoever else's computer/phone that need to be able to access your edge devices.
🦍🍌
I haven't used Zerotier; but I have solved this problem multiple times. Ultimately I would expect you dont want the systems routable to one another. Customer 1 and Customer 2 likely are not allowed to communicate (or really even know of eachothers existance).
With that in mind, something simpler (a secure bridgehead server with something like autossh or stunnel) with certificate based authentication is extremely easy to roll out, and extremely robust. The point to point tunnels are not inter-system routable, and theres no peering transparency except from the bridgehead. You can easily make this highly available in many ways.
The "developer" solution for this is more of a "command and control" model, where you have a public endpoint that can issue commands that the IOT devices pickup and execute. Even something like Amazon Systems Manager can manage non-cloud systems, and offers much of the functionality you want and has security such as session logging, automation, etc.
Ionswitch.com | High Performance VPS in Seattle and Dallas since 2018
If you want to keep each IOT systems unroutable to other IOT systems, you can create multiple networks in the Zerotier controller and designate one device (e.g. the computer you use to access all IOT systems) to be present in all networks.
The all seeing eye sees everything...
Another option is DynamicDNS. Periodically have the device refresh it's IP address, and you can access the device via it's hostname.
Wireguard or reverse SSH tunnels could be alternatives to ZeroTier.
Keep in mind, a VPN to the device might be considered a liability, and it's probably better to make the servers passive and the devices active. The devices push data to and pull data from the mothership rather then the other way around.
IETF says you can use global IP multicast. It'll take some effort to ask ISP to actually enable multicast through.
ServerFactory aff best VPS; HostBrr aff best storage.
Ah! Thanks for the correction.
Ionswitch.com | High Performance VPS in Seattle and Dallas since 2018
Buy a cheap 3$/year nat VPS, run wireguard on it, and have whatever your device is connect to it and expose its stuff. Remember to enable keepalives because some NAT close the port when there isn't enough activity.
Similar, but different.
First, get a cheap vps with fixed ip.
Then forward ports using reverse SSH tunneling.
Here is a guide I wrote:
https://somik.org/persistent-reverse-tunnel-using-autossh/
If it’s not broken, keep fixing it until it is. Blink twice if you agree.
One question is how does sensor devices know the IP and port of the server. Putting them in the configuration would make it difficult to change VPS provider.
Getting “fixed” IP isn’t going to help if you want to switch VPS provider, unless you own the IP.
The answer: DNS SRV record.
The SRV record contains both IP and port information. As long as you own the domain, you can move the server to any VPS on any port.
ServerFactory aff best VPS; HostBrr aff best storage.
I solve all my dynamic IP problem with Tor, simply by setting up onion services.
That way
For lower latency or higher bandwidth apps, I tweak the settings or specify my own server as a single hop relay. If you only need you and your team to have access to the devices I think using Tor is a very good idea. Here is the official guide https://2019.www.torproject.org/docs/tor-onion-service.html.en but feel free to ask if you have any difficulty setting it up.
Well that's somewhat like leaving the front door open because you're going to come back with groceries tomorrow, but ok.
My pronouns are like/subscribe.
Your simplest solution is to curl an url every minute with your system id and IP address, and then then have a hook to update your ansible hosts file based on that
If you plan to move to yocto and also being a beagle bone it will be very hard to implement a complex solution, but you can consider running openvpn on them in this way access will be easier if they are placed behind firewalls.
Instead of ip specify a hostname and have it point to your server