Introduction: Securely Access Your Pi From Anywhere in the World
I have few applications running round the clock on the Pi. Whenever I got out of my house, it became very difficult to check on the Pi's health and status. I subsequently overcame the minor hurdle using ngrok. Accessing the device from outside gives rise to questions of security which I dealt with by enabling the 2FA (2 factor authentication) or 2 step authentication. So here are the steps below for you to access your Pi from outside with an added layer of security.
Step 1: Video Guides
Some prefer written material and some video guides. If you are one among the many who prefers a video guide check out these videos for step-by-step instructions.
Step 2: Prep Ngrok
Open a terminal on your Pi and run the following commands one after the another to download and prep the ngrok application
sudo unzip ngrok-stable-linux-arm.zip
Now you should have a folder labeled ngrok on the /home/pi/ directory.
Optionally, you can remove the original downloaded zip file to save some space
sudo rm /home/pi/ngrok-stable-linux-arm.zip
Now get the additional files to help you setup ngrok as a service
Step 3: Step Ngrok
Head over to ngrok's website and sign in. If you don't have an account, signup for one.
On your ngrok dashboard and under the authentication tab, you should find your Authtoken like how its shown below.
On a terminal on your Raspberry Pi, run the following to setup your authtoken.
/home/pi/ngrok authtoken "YOUR AUTHTOKEN COPIED FROM ngrok DASHBOARD"
You should get an acknowledgement like shown below.
Copy the tunnels from the sample ngrok configuration file (ngrok-sample.yml) in the /home/pi/ngrok-service/ folder.
Open the default configuration file using:
sudo nano /home/pi/.ngrok2/ngrok.yml
Paste the tunnels that you just copied from the sample. Feel free to remove the other tunnels that you may not need other than the SSH.
Now verify if the tunneling is working by starting the ngrok application using
/home/pi/ngrok start -all
Step 4: Setup Ngrok As Service
Run the commands one after the another to setup ngrok as service
sudo chmod +x /home/pi/ngrok-service/scripts/service-installer.sh
sudo systemctl enable ngrok.service
sudo systemctl start ngrok.service
Temporarily stop ngrok service untill the two factor authentication setup is completed.
sudo systemctl stop ngrok.service
Step 5: Setup Two Factor Authentication
Enable SSH if not already done using:
sudo systemctl enable ssh
sudo systemctl enable ssh
sudo systemctl stop ssh
Enable two factor challenge. Open ssh config using:
sudo nano /etc/ssh/sshd_config
Change ChallengeResponseAuthentication from the default no to yes.
Save the config file and exit.
Step 6: Configure Google Authenticator
Install google pluggable google authentication module
sudo apt install libpam-google-authenticator
Run the following to start authenticator module
Download Google Authenticator app on your mobile and link the PAM module by scanning the QR code on screen.
Configure PAM to add the two factor authentication.
sudo nano /etc/pam.d/sshd
Add the following line to the beginning
auth required pam_google_authenticator.so
This can be added below or above @include common-auth
Step 7: Restart Ssh and Ngrok
Restart the services
sudo systemctl restart ssh
sudo systemctl restart ngrok.service
And that is a wrap