Securely Access Your Pi From Anywhere in the World

I have few applications running round the clock on the Pi. Whenever I got out of my house, it became very difficult to check on the Pi's health and status. I subsequently overcame the minor hurdle using ngrok. Accessing the device from outside gives rise to questions of security which I dealt with by enabling the 2FA (2 factor authentication) or 2 step authentication. So here are the steps below for you to access your Pi from outside with an added layer of security.

Some prefer written material and some video guides. If you are one among the many who prefers a video guide check out these videos for step-by-step instructions.

Open a terminal on your Pi and run the following commands one after the another to download and prep the ngrok application

cd /home/pi/

wget "https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-arm.zip"

sudo unzip ngrok-stable-linux-arm.zip

Now you should have a folder labeled ngrok on the /home/pi/ directory.

Optionally, you can remove the original downloaded zip file to save some space

sudo rm /home/pi/ngrok-stable-linux-arm.zip

Now get the additional files to help you setup ngrok as a service

git clone  https://github.com/shivasiddharth/ngrok-service

Head over to ngrok's website and sign in. If you don't have an account, signup for one.

On your ngrok dashboard and under the authentication tab, you should find your Authtoken like how its shown below.

On a terminal on your Raspberry Pi, run the following to setup your authtoken.

/home/pi/ngrok authtoken "YOUR AUTHTOKEN COPIED FROM ngrok DASHBOARD"

You should get an acknowledgement like shown below.

Copy the tunnels from the sample ngrok configuration file (ngrok-sample.yml) in the /home/pi/ngrok-service/ folder.

Open the default configuration file using:

sudo nano /home/pi/.ngrok2/ngrok.yml

Paste the tunnels that you just copied from the sample. Feel free to remove the other tunnels that you may not need other than the SSH.

Now verify if the tunneling is working by starting the ngrok application using

/home/pi/ngrok start -all

Run the commands one after the another to setup ngrok as service

sudo chmod +x /home/pi/ngrok-service/scripts/service-installer.sh

sudo /home/pi/ngrok-service/scripts/service-installer.sh

sudo systemctl enable ngrok.service

sudo systemctl start ngrok.service

Temporarily stop ngrok service untill the two factor authentication setup is completed.

sudo systemctl stop ngrok.service

Enable SSH if not already done using:

sudo systemctl enable ssh

sudo systemctl enable ssh

sudo systemctl stop ssh

Enable two factor challenge. Open ssh config using:

sudo nano /etc/ssh/sshd_config

Change ChallengeResponseAuthentication from the default no to yes.

Save the config file and exit.

Install google pluggable google authentication module

sudo apt install libpam-google-authenticator 

Run the following to start authenticator module

google-authenticator

Download Google Authenticator app on your mobile and link the PAM module by scanning the QR code on screen.

Configure PAM to add the two factor authentication.

sudo nano /etc/pam.d/sshd

Add the following line to the beginning

 auth required pam_google_authenticator.so

This can be added below or above @include common-auth

Restart the services

sudo systemctl restart ssh

sudo systemctl restart ngrok.service

And that is a wrap