Ask HN: What is the easiest way to connect two systems behind firewalls?
3 points by loudthing 58 days ago | hide | past | favorite | 7 comments
Forgive my ignorance on this subject but I'm curious what others on HN have to say. I'll admit I've never been that familiar with advanced networking concepts like this, and I'm testing the waters on this site with regards to best practice discussion threads like this.

I've long had a fascination with the concept of easily establishing a TCP or UDP connection over the internet between two systems (Linux, Windows, Mac, iOS, Android, embedded Linux, embedded C, etc.) without having to resort to port forwarding.

For example, I've come to really like VNC Connect, which is a built-in service installed on Raspberry Pi devices. In an attempt to help out my less-than-tech-savvy parents, I've installed Raspberry Pis on their networks at two of their houses (snowbirds) so I can remotely assist with anything from internet issues to helping them set up surveillance cameras. Having the ability to VNC to a Raspberry Pi on any internet-connected network from any other internet-connected network without port forwarding, or even having to know the internet-facing IP address, is a godsend.

I've also in the past served as an industrial controls engineer, where often after I would finish integrating a system at a site, I would install an internet hardware appliance that would allow me to establish a VPN connection to the remote control network over the internet from anywhere else in the world (e.g. https://www.ewon.biz/products/cosy). Doing so made troubleshooting with my customer's controls engineers much easier since I had access to their local network without having to configure port forwarding or know their internet facing IP address.

My questions then are: 1) is this concept something that has an actual name? I've heard of this ability referred to as a "reverse proxy" or a "no config direct connection". 2) is there an existing open source project or methodology that allows for this sort of connection that is agnostic of platform? For example, if I didn't want to pay for RealVNC's exorbitant pricing plans for more than 5 devices, could I configure some sort of setup with an AWS instance that automatically connects clients on separate networks together? (So I could have 100 Raspberry Pis out on different local networks that could be accessed by me through VNC on my laptop/phone?)

There are lots of interesting ways to do stuff like this, and I'm quite positive I can't think of them all in this reply. You mentioned not wanting to do port forwarding, but all methods will require port forwarding in some form or fashion. Sometimes this is done automatically with a protocol that opportunistically opens a port, or you do it manually. There are ways to do things like port knocking or sending some sort of signal to the firewall, and then it will allow the port to be forwarded.

You mentioned also the easiest way, and that gets a little more tricky as to what easiest means to you. So in a setup that I do, I use pfSense firewalls and I set up port forwarding based on the source DNS name. This allows me to use dynamic DNS to assign that name to whatever IP my management station is on, wherever it may be at the current time. The firewalls then allow that IP to be forwarded to something on the other side, which could be VNC or an RDP system or something I could SSH into. This is very easy and it avoids the complexity of a VPN at each endpoint that I would need to manage. There are some downsides to this and some risks. If someone were to determine there's a DNS name and hijack the DNS, they can simply remap it to their own system. Of course there is a second layer, because even when the ports are forwarded and allowed there is authentication that needs to take place as well, but there is still the possibility of exploits against whatever we're forwarding through too. So it does rely on a bit of obscurity: having to know that this innocuous dynamic DNS name allows connectivity to these also unknown endpoints. You kind of have to weigh the pros and cons of it. Is it good enough for home connectivity or management of something that has low-risk information on it should it be compromised? Yes, I think it's probably good enough for that. If you're talking about a corporation with highly sensitive information, then it's probably not good enough for that.
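The "forward only from whatever my dynamic-DNS name resolves to" rule described in the comment above, modelled as an added Python example (not code from the thread or from pfSense). It assumes a constructed in-memory resolver, a hypothetical hostname mgmt.example.invalid and VNC's port 5900; the change log it keeps is where a defender would hook an alert, because the firewall itself cannot distinguish the admin roaming to a new IP from a hijacked DNS record.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for DNS so the example runs offline.
DNS_ANSWERS: Dict[str, str] = {"mgmt.example.invalid": "203.0.113.10"}

def fake_resolve(name: str) -> str:
    return DNS_ANSWERS[name]

class SourceNameForward:
    """A port forward that only admits the address a dynamic-DNS name currently resolves to."""

    def __init__(self, hostname: str, dest_port: int, resolver: Callable[[str], str]):
        self.hostname = hostname
        self.dest_port = dest_port
        self.resolver = resolver
        self.allowed_src: Optional[object] = None
        self.changes: List[Tuple[str, str]] = []  # (old, new) every time the answer moves

    def refresh(self) -> bool:
        """Re-resolve the name, as the firewall does on a timer; True if the allowed source changed."""
        new = ipaddress.ip_address(self.resolver(self.hostname))
        changed = self.allowed_src is not None and new != self.allowed_src
        if changed:  # alert here: roaming admin or hijacked record, the rule cannot tell which
            self.changes.append((str(self.allowed_src), str(new)))
        self.allowed_src = new
        return changed

    def decide(self, src: str, dst_port: int) -> str:
        """'pass' only when both the source address and the forwarded port match."""
        if self.allowed_src is None:
            return "drop"
        if ipaddress.ip_address(src) == self.allowed_src and dst_port == self.dest_port:
            return "pass"
        return "drop"

def scenario() -> dict:
    """Walk through the rule: normal use, then the DNS answer being remapped."""
    DNS_ANSWERS["mgmt.example.invalid"] = "203.0.113.10"
    rule = SourceNameForward("mgmt.example.invalid", 5900, fake_resolve)
    rule.refresh()
    before = {
        "laptop": rule.decide("203.0.113.10", 5900),
        "laptop_wrong_port": rule.decide("203.0.113.10", 22),
        "stranger": rule.decide("198.51.100.7", 5900),
    }
    DNS_ANSWERS["mgmt.example.invalid"] = "198.51.100.7"  # record remapped
    moved = rule.refresh()
    return {"before": before, "moved": moved,
            "after": rule.decide("198.51.100.7", 5900), "changes": rule.changes}

if __name__ == "__main__":
    print(scenario())
```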

Thanks for the detailed response. I appreciate this.

I've been wanting to play around with pfsense for a while, I'll have to give this a shot.

I've found a project that I think is similar to what I'm looking for (https://github.com/fatedier/frp), but I'm really looking for something that would allow me to VNC to a remote system from a mobile device, i.e. expose a remote connection to a system via VNC through a standard URL.

https://tailscale.com works beautifully for that, with minimal setup.

Can't believe I've never heard of this. Thanks!

Zerotier and tailscale

Thanks for the response. I hadn't heard of Zerotier. Going to check it out.
