If you're looking for security:
Keep the TV off your network entirely.
Use the Pi as a media computer.
If you're looking for security:
Keep the TV off your network entirely.
Use the Pi as a media computer.
This 100% this
Are you connecting from a public network or something? like a hotel wifi or other?
The easiest solution would be to setup the pi as your router and use a VPN like wireguard (wg-easy) or tailscale.
if it is a public network, you can double NAT. There's dedicated boxes like the GL.inet travel routers that support wireguard/openVPN and beta for tailscale. they have some features that work well with captive portals.
If it's a home network, you can probably use your PI as a entry/exit node or VPN client instead of using ssh.
It's for a home network, I managed to get it working using port forwarding through SSH thanks to suggestions. I'm not sure what the difference is with using the pi as an entry/exit node, that is what I was trying to do with the SSH forwarding. VPN is also possible but it it would also need to be set up to go through the pi
I'm not entirely sure about the technical differences but from my understanding VPN connections are preferred. From a security perspective, ssh has some more considerations since it's easier to detect it's open, and you should lock down root access and other privileged accounts. but SSH seems simpler to actually get working vs a VPN solution which would probably require a reverse proxy or something to get the TV working.
For example, compromising a ssh service gives you access to the shell immediately vs wireguard or similar that historically (from my knowledge) has had fewer critical vulnerabilities that could lead to remote code injection or access. This is also why many corporate and best practices recommend layering ssh through a private VPN like IPsec, OpenVPN, wireguard, etc.
in practice it's most likely fine as long as
That's some good suggestions and a few things I hadn't considered. A VPN is also possible, although setting up the port forwarding might be a bit more complicated
Can you provide more detail? What are the networks/routers/vlans? Which network is the RPi on? What is your ssh command? Is that ufw command on the RPi or the router?
Ok there is a TV and a pi on network 1 and a server on network 2, the pi can connect to the server through SSH or VPN or whatever is needed. The TV would like to connect to the server, however it can't run a VPN or anything like that so exposing the server would be a risk.
The SSH command on the pi is SSH -L 1234:localhost1234 remote_server
The ufw command was run on the pi, with the intention to allow the TV to access the forwarded port on the pi
ssh -L 1234:localhost:1234 remote_server binds the RPi's localhost:1234 to remote_server's localhost:1234. You want to bind the port to something on the RPi that the TV can hit, so something like ssh -L 192.168.1.5:1234:localhost:1234 remote_server, where 192.168.1.5 is the RPi's address.
I think you also want -N on the ssh command.
That worked thanks, I didn't know you could put an address like that in the -L command, and the -N is correct here too
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
Be civil.
No spam.
Posts are to be related to self-hosting.
Don't duplicate the full text of your blog or readme if you're providing a link.
Submission headline should match the article title.
No trolling.
Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.
AI-related discussions and AI-involved promotional posts have additional requirements for tagging, as noted in Rule 7 and the AI & Promotional Post Expanded Rules post.
Resources:
Any issues on the community? Report it using the report flag.
Questions? DM the mods!