I checked my Internet service provider's documentation and finally found the problem. I can't access all ports on my public IP address, but I can still use a NAT FRP service like ngrok.
I created a paid account on an frp provider's website and my test application ran well (it can be accessed from the public network).
However, it has some limitations:
The provider allows me to use the following methods: http, tcp, ftp
I can only start a maximum of 8 frp tunnels. Each tunnel can expose one port to the public network.
The service is accessed by a domain name. I can only create 5 http domains, 2 tcp domains and 2 ftp domains. Every frp tunnel can only use one of them, and cannot share one with an existing tunnel.
The tcp tunnel's domain and port are randomly generated. For example, when I start an ssh tunnel with my local port 22, I may need to access it with this command: ssh -p 10313 35.tcp.(provider domain).top
I’m going to run the yunohost on my raspberry pi 4b with 8G RAM. So I want to know the ports to open and the essential post-install steps.
Note: The frp service I use seems to be a service based on ngrok itself, and it uses a config file that is also like the ngrok config file.
I was unfamiliar with "NAT FRP" in the title, and looked it up. For other visitors to the thread, it's a reverse proxy. I didn't know ngrok or Rathole either, but they seem to be alternatives.
Seeing the long list of limitations, "how cheap" is this commercial service, to be able to beat a $1/month VPS with wireguard to your server?
However, reading your post a second (and third) time, did you intend the thread as a notification, or is there a question buried in there?
Actually, what I intend to say is that I want to allow SSH access on other ports. For example, I can access my website portal via HTTP at website.example.domain while using the SSH service via tcp at another domain like something.tcp.domain
I simply want to know whether it is possible to achieve that. If it is possible, then what I mentioned above will be a good solution for those users who use ngrok or similar services to build their own websites at home.
Ngrok is a cross-platform tool that securely exposes local development environment applications to the internet. It creates secure tunnels, enabling external users to easily access locally running web applications, APIs, etc. Compared to purchasing cloud computing servers, Ngrok requires no complex environment configuration, is ready to use instantly, and has lower costs. Additionally, it supports HTTP/HTTPS and TCP protocols, provides real-time logs, custom domain names, and other functions, making it suitable for rapid debugging, demonstrations, and sharing local projects. (AI-generated introduction)
Ah, ok. I think there is a misunderstanding. First some open doors, which are probably nothing new to you. It is the 'regular' situation, with your Yunohost at home and no obscuring technologies in the middle:
You could have multiple domains with many subdomains on a single Yunohost
That single Yunohost has, usually, a single IP address per family (IPv6 & IPv4)
DNS allows a domain name to be pointed at an IP
Your DNS provider will have A/AAAA records for all (sub)domains in your Yunohost pointing to the IP of your Yunohost
Any traffic to sub.domain.tld and to damion.tld and to manodi.tld will, after consulting DNS, be directed to your Yunohost
DNS, basically, does not know about ports. The client connects to its intended port after being directed (by DNS) to the correct IP (all the same for all those domains on your YNH):
In case of a webbrowser, it will connect on port 80/443 by default
On ports 80/443, nginx is configured to listen for incoming traffic
When traffic arrives, it will 'ask' for which domain the traffic is intended; if the destination is configured, it will be sent to the (web)service running on that (sub)domain
In case of a standard SSH session, it will connect on port 22
SSH does not care what domain you entered client-side, it will only check whether the session is allowed to continue
connecting as sysdl@manodi.tld → IPv4 11.22.33.44 → SSH on Yunohost answers
connecting as sysdl@damion.tld → IPv4 11.22.33.44 → SSH on Yunohost answers
connecting as sysdl@sub.domain.tld → IPv4 11.22.33.44 → SSH on Yunohost answers
Now you propose two changes:
run SSH on an alternative port: change the port number in /etc/ssh/sshd_config and restart the SSH service
create a tunnel between a commercial provider and your Yunohost: I have no experience with this kind of service, or this unknown provider
Seeing frp is open source, and from my understanding consists of two simple binaries, it seems a waste to pay a provider for an account (unless it is to sponsor the creator of the software), and using a VPS with wireguard from there to your Yunohost would still, I think, be more flexible and less hassle (no per-service tunnel to configure).
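One way to make the first of the two changes above (SSH on an alternative port), as an added example that is not from this thread, from YunoHost or from frp: a small POSIX shell helper that rewrites the Port directive in an sshd_config file and reads back what is active. The file path, the port 2222 and the sample config are my assumptions for the demo, not anything the posts state.

```shell
#!/bin/sh
# Added example, not code from the thread or from YunoHost/frp: move sshd to an
# alternative port by rewriting the Port directive in an sshd_config file.
# Assumptions (mine, not the page's): the file is a standard sshd_config, the
# port number 2222 is only illustrative, and the sample config below is
# constructed for the demo rather than taken from a real server.
set -eu

# set_sshd_port FILE PORT
# Leaves FILE with exactly one active "Port PORT" line: the first Port line
# (commented out or not) is replaced, any further active Port lines are
# commented out so the daemon does not also keep listening on the old port,
# and the directive is appended if the file never had one.
set_sshd_port() {
    file=$1
    port=$2
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi
    # sed -i is not POSIX, so write to a temp file and move it into place.
    awk -v port="$port" '
        /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+/ {
            if (!done) { print "Port " port; done = 1 }
            else if ($1 == "Port") { print "#" $0 }
            else { print }
            next
        }
        { print }
        END { if (!done) print "Port " port }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# active_sshd_port FILE
# Prints the value(s) of the active Port directive(s), one per line.
active_sshd_port() {
    awk '$1 == "Port" { print $2 }' "$1"
}

# Demo on a constructed sample config (not a real server's file).
demo=$(mktemp)
printf '#Port 22\nPermitRootLogin no\n' > "$demo"
set_sshd_port "$demo" 2222
echo "active port: $(active_sshd_port "$demo")"   # → 2222
rm -f "$demo"
```

Before restarting, validate the edited file with sshd -t -f /etc/ssh/sshd_config, and keep the current SSH session open until a second login on the new port has succeeded. On YunoHost, check first whether the installed version manages sshd_config through its own settings and regen-conf; if it does, change the port through that path so a later regeneration does not revert a hand edit. With a tunnel in front, the tunnel's local port for the SSH proxy must follow the new sshd port, while the public port stays whatever the provider assigns.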
Actually the service provider has already set up the DNS records correctly. At the time I write this post I've got 2 tunnels (http and tcp) online already, and they have stayed online flawlessly. Meanwhile, the connection is stable and fast.
I think the rest I need to do is:
tweak the ssh configuration file and set the target port
set up the domain on my provider’s website
start the local tunnel service and test it out
Initially I wanted to set this up on a VPS or something like cloud computing, but the providers in my region offered an awful price (1 month of cloud computing = 1 year of frp service).
Meanwhile, purchasing a domain and setting it up properly is (perhaps) a time-consuming job, since I need to set the DNS records correctly and obtain a licence (this rule only exists in my region). So instead I used the frp service to set up my website more conveniently and make full use of my raspberry pi 4.
I’m going to try that out later and see whether it will work.
Nice that you could get things working, seeing the circumstances.
If there is something you can tell about the connection that your ISP provides (perhaps double NAT, or a router/modem that is not user-accessible, or other horrors that can be found around the world), and how you overcame the problems, it may help others (and at least give a nice read)
Good luck on further configuration, and give a shout if help is needed!