The problem:
I manage computers for some loved ones from whom I now live several states away. All devices are linux environments and basically serve as home theater and light duty SOHO.
They have been running for several years without incident, but do require intervention for the “hard” stuff like major release upgrades. (And perhaps I like to slip some entertainment media onto their shared drive from time to time).
And I’d like to have an avenue to do this that doesn’t necessarily involve planning a road trip.
Candidate solution(s):
Deploy a micro PC to sit on their network, whose sole purpose is as a headless SSH server. I would intend to SSH into that device, and from there SSH across the LAN to the necessary computers. The rationale is that I would only have one device answering the door, so to speak, at port 22, greatly simplifying port forwards and any need for static IPs.
With dual stack IPv4 + IPv6 internet service, would it be better that I attempt this through IPv6?
The micro PC would be scripted to retrieve the current public IP address every X hours and email it to me.
Another idea is to configure the immediate SSH box behind a Tor SSH hidden service or a I2P eepsite SSH. This way it would maintain a persistent, reachable address without requiring some cobbled together script & email IP notification.
Why not use Tailscale on each device?
No need to expose any ports, no need for a bastion, no need for any complicated method of retrieving their public IP address, can use ACLs to restrict their access to other devices on the tailnet (if they’re tech-savvy enough to go looking at the tailnet in the first place).
Essentially, as long as they have internet and Tailscale is running, you’ll be able to connect to their device without exposing anything over the internet.
Or eventi host your own tailscale with headscale
Any reason you can’t use a locally hosted VPN? That would be my solution for something like this. Either use tailscale or use a wireguard VPN and a dynamic DNS service.
Later on I might consider adding some PiKVMs in order to be able to more safely reboot/troubleshoot/access BIOS.
That is a lot of effort to go through to avoid using a VPN.
Yep, a bastion is what you’re looking for. I use an rpi + a Dynamic DNS record in a script on the pi to automatically update firewall and ssh rules if my IP updates. Of course, you may need to do some configuration depending on their network setup.
TIL jump hosts are an existing concept