Alternatives to autossh + crummy systemd unit

koala

Ars Tribunus Angusticlavius
7,579
I'd like to set up an RPI at a relative's house. (The RPI will likely run Debian + TVHeadEnd.)

I'd like to have remote access to the RPI.

A simple way to achieve this would be to create a systemd unit that runs autossh to a public host and reverse tunnels 22. I can set up that quickly.

An alternative would be to set up a true VPN. I actually already have two VPNs in my infra, but this wouldn't be pleasant:
  • I use ocserv/Cisco Anyconnect for remote access. But it's set up for PAM Linux user password authentication (actually, FreeIPA users), and I don't think that's suitable for this use case. Also I'm too lazy to add another authentication method (although FreeIPA has a CA and it would be nice to set up cert-based authentication, but it seems too much work).
  • I use tinc for connecting networks in a mesh setup. But setup is through Ansible playbooks which I would need to expand considerably for a "roaming" device. Plus provisioning/testing with RPIs is a bit annoying.
I don't want to rely on third-party services (I should learn Tailscale at some point, but I'm not in the mood right now. Other services are a no). Setting up another VPN seems overkill.

I just kinda wish autossh shipped a systemd unit ready to go, I guess. But is there something plug and play which maybe only requires ssh?
 

koala

Ars Tribunus Angusticlavius
7,579
After ruminating on this a bit, I think I'll do the following...

Use an EFI chainboot microSD to boot to a USB drive. I already had planned to use a USB drive for storage, so this is fine. I can burn a Debian cloud image to the USB drive, and bake in cloud-init configuration to do the bootstrapping. This can set up an SSH tunnel to get access to the RPI's SSH port, no matter where it boots, and with that in place, I can use my existing configuration management setup (and join it to a VPN; the SSH tunnel would stay in for emergencies, I guess).

This would allow me to prepare everything from my laptop, and set up things without ever connecting the Raspberry to anything other than power and the network. All parts are "serious" projects, the only dubious one is the EFI images, but I guess that's fine.

The other drawback is that cloud-init does not do wireless networking configuration, and I want to add a few wireless network credentials, so that bit will be somewhat unnecessarily elaborate, but I can bear with that.

The theory sounds nice. I already tested EFI chainbooting some time ago. Let's see if I get some time to play with this...
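Added example (not koala's code, and not something the thread provides): one cloud-init user-data file that covers both posts, the "systemd unit that runs autossh to a public host and reverse tunnels 22" from the first post, baked into the Debian cloud image on the USB drive as described in the second. The relay host `relay.example.org`, the user names `admin` and `tunnel`, and all key material are placeholders; the relay is assumed to be a host you control with a `tunnel` account whose `authorized_keys` entry for this key is restricted to port forwarding only.

```yaml
#cloud-config
# Added example, not from the thread. relay.example.org, the key material and
# the user names are placeholders; substitute your own before writing the image.
hostname: rpi-tvh
ssh_pwauth: false
package_update: true
packages:
  - autossh

users:
  - name: admin                        # account the laptop will log in to
    groups: [sudo]
    shell: /bin/bash
    lock_passwd: true
    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
    ssh_authorized_keys:
      - ssh-ed25519 AAAAC3...laptop    # placeholder: the laptop's public key
  - name: tunnel                       # unprivileged account that only holds the tunnel
    homedir: /var/lib/tunnel
    shell: /usr/sbin/nologin
    lock_passwd: true

write_files:
  # Private key for the relay. Because it is baked into the image (anyone with
  # the USB drive has it), the relay's authorized_keys line for it should be
  #   restrict,port-forwarding ssh-ed25519 AAAAC3...rpi
  # so the key can open forwards and nothing else.
  - path: /var/lib/tunnel/.ssh/id_ed25519
    permissions: "0600"
    content: |
      -----BEGIN OPENSSH PRIVATE KEY-----
      ...placeholder, generated with: ssh-keygen -t ed25519 -N '' -f id_ed25519
      -----END OPENSSH PRIVATE KEY-----
  # Pin the relay's host key so the tunnel cannot be redirected on a strange network.
  - path: /var/lib/tunnel/.ssh/known_hosts
    permissions: "0644"
    content: |
      relay.example.org ssh-ed25519 AAAAC3...relayhostkey
  # The systemd unit from the first post: autossh reverse-forwarding port 22.
  - path: /etc/systemd/system/reverse-tunnel.service
    permissions: "0644"
    content: |
      [Unit]
      Description=Reverse SSH tunnel to relay.example.org
      After=network-online.target
      Wants=network-online.target

      [Service]
      User=tunnel
      # Keep retrying even if the very first connection fails (default gatetime
      # treats an early failure as fatal).
      Environment=AUTOSSH_GATETIME=0
      # -M 0: no autossh monitor port; ServerAlive* lets ssh itself notice dead links.
      # -R binds 127.0.0.1 on the relay, so the forwarded port is not public there.
      ExecStart=/usr/bin/autossh -M 0 -N \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -o ExitOnForwardFailure=yes \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile=/var/lib/tunnel/.ssh/known_hosts \
        -i /var/lib/tunnel/.ssh/id_ed25519 \
        -R 127.0.0.1:2222:127.0.0.1:22 tunnel@relay.example.org
      Restart=always
      RestartSec=10

      [Install]
      WantedBy=multi-user.target

runcmd:
  # write_files runs before users-groups, so the files above are still root-owned here.
  - chown -R tunnel:tunnel /var/lib/tunnel
  - chmod 0700 /var/lib/tunnel/.ssh
  - systemctl daemon-reload
  - systemctl enable --now reverse-tunnel.service
```

Once the Pi has booted and the unit is up, the laptop reaches it through the relay with `ssh -J relay.example.org -p 2222 admin@127.0.0.1`; from there the existing configuration management can take over. Two checks worth doing before burning the image: confirm on the relay that `ss -ltn` shows 2222 bound to 127.0.0.1 only, and confirm that `ssh -i id_ed25519 tunnel@relay.example.org` with the restricted key refuses an interactive shell, since that key leaves the house on a USB stick.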