Access a Raspberry Pi From Anywhere Without Port Forwarding

So you have a Raspberry Pi or two and want to run them headless and access them from any computer connected to the internet in the world. You don’t have to set up port forwarding or pay for a dynamic DNS service. All you need to do is set up a VPN on any server with a static IP address and you can SSH into your Raspberry Pi from anywhere anytime.

The first thing you need to know is that yes, you will probably need to pay for something here. If you already have a VPS or cloud server then you can set that up with some simple VPN software and you won’t need to pay for anything you’re not already paying for. Your current VPS will certainly be able to handle the load of just a few connections to a few Raspberry Pi’s without affecting any of your existing services on that server. If you don’t already have a VPS then you’ll either want to purchase one for as low as $5 a month or, if you don’t want to deal with setting this up yourself, check out some tutorials on port forwarding or dynamic DNS. The Raspberry Pi website has links to officially supported services that’ll let you connect to your Pi over the open internet. If you’re up for some simple package installations and configurations then keep reading.

Set up a VPN

The first part of this is to create a VPN on your web server. The idea here is that you have a server hosted somehwere like on AWS, Linode, or DigitalOcean and you use that as the VPN host. That’s your remote host. Your Raspberry Pi’s are your VPN clients. You can set things up so that any computer you own can access the Pi’s, the Pi’s can connect to each other, you connect to your Pi’s through your remote web server, or all three. I personally have a VPS that is my remote host. I SSH into that remote host which is running a private VPN network connected to each of my Pi’s. I then SSH from that remote host into my Pi’s. I am in the process of setting up my home laptops to be part of the VPN network so I don’t need to do this but if you happen to be on a computer that you don’t own or isn’t part of the VPN network, you can always SSH into the VPS and then from the VPS SSH into your Pi’s from anywhere in the world.

There are several articles that outline how to set this up so I won’t do it here. I’ll refer you to the best references I know of. See this Digital Ocean guide to setting up a Tinc VPN and this blog post that describes exactly what I was trying to accomplish.


Sorry, I’m not in the mood for writing up a full tutorial tonight but you should have been able to set things up using the links I provided. Are you having issues with your VPN? I sure did. There are a few things you need to remember if you set up your VPS securely. Did you set up a firewall on your VPS? Is your VPS running other services on the 10.0.0.x/32 subnet?

First off, make sure that port 655 is open to the types of traffic you want forwarded to your Pi’s. You’ll at least want UDP and TCP traffic to be allowed. I personally used ufw to open up port 655 for all traffic. If you are using ufw on Ubuntu just enter ufw allow 655/udp && ufw allow 655/tcp. You can open that up even more if you need to but that should allow your VPN clients (Raspberry Pi’s) to connect to your VPN host (your VPS).

Still not working? Try changing the subnet your VPN is operating on. All of the tutorials tell you to use the 10.0.0.x/32 subnet but sometimes that is blocked or your host is using that IP range for services running on the server. I ended up changing the subnet to the 192.168.0.x/32 subnet. If you go this route you’ll need to update the following files to get this to work:

  • /etc/tinc/your_network_name/tinc-up – on each host and client, change the IP to use the IP that the computer you’re currently on should be using to connect. Generally you can just change everything except the last octet. For example, becomes Use this pattern for all of the other files…
  • /etc/tinc/your_network_name/* – In every file in this directory, change the Subnet value to 192.168.0.x where x corresponds to whichever machine the file you’re in is referencing.

To sum up, you’re basically just changing 10.0.0.x to 192.168.0.x in every Tinc config file referenced in the tutorials I linked to.

Is the tincd test command not working? Getting some sort of “No device on /dev/tun/” error on your Raspberry Pi? Just reboot the Pi and run the Tinc command again. For reasons I don’t know yet, you just have to reboot the Pi to get new Tinc configs to work.

I hope that helped. I didn’t want to write up a whole guide here because a) it’s late and I’m lazy and b) there are already great articles on this out there. I’m just adding value in the troubleshooting department. Enjoy. Hope it worked.

Web development

« What's Next?