How to access a private network behind a router? Can't port forward

Question

I have a video surveillance system (a bunch of IP cameras, with private IPs) behind a router in a distant location. The only ISP that's available at that location has provided me with a 3G/4G USB dongle (so basically mobile Internet). Apparently this dongle (which connects to the router) does some routing/magic by itself (and is not configurable) so I can't use the router to do port forwarding (not in anyway that helps at least). This means that while the cameras have Internet access (so can push information to me), I can't access them directly over the Internet (so basically, no live feeds).

I'm thinking of getting around this by putting a low power computer (software doesn't really matter much in this question, but I'll use Linux) in the same subnet as the IP cameras - let's call this computer A; I also have a VPS rented somewhere that is publicly accessible via the Internet - let's call it B.

I think that this setup should allow me to work around the issue with my live feeds. At least conceptually if I get A to open a tunnel to B then via B I should have access to A's network.

Presuming the above works (I don't see why not, but .. that's why I'm asking) can you guys recommend a system that can accomplish the above with at little fuss as possible? I mean .. should I set-up a VPN with A as a VPN client and B as a VPN server; then anyone who wants to view the cameras simply connects to the VPN server installed on B?

I think this should work, but maybe there's an easier way than setting up VPN on every computer from where I want to check the cameras.

I'm not directly interested in the software (I'm sure that exists and I'll manage to configure it) but rather the networking concepts.

The ideal situation would be that I'd connect to B on (for example) port 8080 and that traffic will automatically be routed from B through a tunnel to A, at which point A will feed data obtained from camera "1" through that connection; then 8081 from camera "2" and so on.

Answer 1

Assuming the VPS runs Linux as well, I'd setup some SSH tunnels from A to B with B acting as a gateway. That way, you could tell B to listen on port 8080 which then corresponds to the IP of IP camera one

So from the A box, run ssh with these parameters
ssh -nNT -R 8080:ipcam1:<ipcamport> -R 8081:ipcam2:<ipcamport> <VPS IP>

Hopefully your VPS has a static IP address.
Also hopefully you have full control over your VPS as you will need to modify the SSH daemon to enable GatewayPorts to allow other computers to connect through B to reach A.

In Debian, the GatewayPorts option is specified in /etc/ssh/sshd_config.
Adding GatewayPorts yes at the end of that file should suffice, and then restarting the ssh daemon for the change to take effect.

Answer 2

If there's a system has ssh installed on it, behind the 3G/4G router then you could ssh out from this system to another system that's outside the 3G/4G router and setup a reverse SSH tunnel.

This tunnel would then allow you to access a port@host on the external machine, which would give you access to a port@host behind the 3G/4G router.

$ ssh -f -N -T \
    -R 8080:cam1:<cam's port> \
    -R 8081:cam2:>cam's port> \
   <hostname of external system>

See these questions to allow the ssh server behind the router the ability to access ports beyond its localhost. The feature is called GatewayPorts within sshd_config.

• Broadcast port to other computers after SSH reverse tunnelling
• ssh to private-ip

Be sure to read that second link, titled: ssh to private-ip, I cover in extreme detail how to do what you want and how to setup GatewayPorts etc. and how to test the whole setup out.