Remote Access to Jetson Nano over the internet

Hi there, I would like to setup remote access to the Jetson Nano in a secure way for the following use cases.

  • Remote Access to command line only - SSH. How can I do this securely? (VPN provider or something?)
  • Remote Access to Desktop GUI (remotely see what the nano desktop is showing) - Again how can I do this securely?

The host and the nano will be on different networks, so I will have to go through the internet. Also, I have setup a static IP on the nano for the network it is attached to.

Any help would be greatly appreciated.

Cheers.

First you need to generate a key. You can do this on windows with PuTTYgen or on linux with ssh-keygen. Either way you end up with a private key and a public key. You keep the private key with you on your phone/laptop/whatever and copy the contents of the public key (or the box in puttygen where it says to copy from) into the ~/.ssh/authorized_keys in the user on the nano you wish to log into (example /home/someuser/.ssh/authorized_keys). You can also use ssh-copy-id to accomplish the task if you’re on linux, the ssh daemon is already running on the nano, and you allow password authentication.

To use your private key in Putty, browse to it here:

Once you can log in with the key and it doesn’t prompt you for the user password (it will still prompt you for the key’s passphrase if you used one, which you absolutely should to prevent key theft) you can edit your /etc/ssh/sshd_config file as follows:

Once you save that file, run “sudo systemctl restart sshd” to apply those changes. What those changes mean is that you can no longer log in with a password but must always log in using the key.

To access that nano from the internet. You will then have to:

  1. assign a static ip to your nano through your router (sometimes this is in the DHCP section) and
  2. forward a port from some external port number to the nano’s static ip and tcp port 22

These two steps will be different depending on your router/firewall and can range from very simple to very frustrating depending on the sadism of the developers.

Then you should be able to access your nano by doing “ssh -p (port) username@(external ip addresss)” just as you would on your local network. If you want to make your nano even more secure you can install a tool like fail2ban which will ban any repeated failed login attempts.

If your external IP is dynamic (likely), you may also wish to purchase a domain and set up a dynamic dns provider (noip or similar). Then you can do ssh user@somedomain.tld instead of fussing with an external IP that won’t stand still.

From a Linux host you should be able to simply add -X to the ssh command and then you’ll be able to run any GUI apps remotely (it should be allowed by default), however ssh -X probably won’t work well for any graphically demanding apps like those requiring 3d or video capabilities. The good part about ssh -X is that you don’t even need the GUI (X) running on the nano itself. To turn it off temporarily you can do “systemctl isolate multi-user.target” and free a ton of ram. On windows you can use VcXserv or Xming to connect. A test app i usually use is “gedit”. If you get “Gtk-WARNING **: 14:01:14.787: cannot open display:” then X isn’t being forwarded or you forgot to add -X to your ssh command.

If you need to see the desktop remotely, there isn’t really a good, performant, solution currently. Your best bet is some VNC over a VPN, but I think all encode video using software, rather than the Nano’s encoder hardware. Other threads cover this in detail. For graphics, like accessing the camera, you might consider forwarding a video stream separately the same way you forwarded the ssh port. You can simply forward RTSP without TLS but your risk anybody being able to access your camera feed if they intercept your credentials or guess your password.

To do that (more) securely for video, you’ll need to generate a tls certs using openssh and set up RTSP over TLS. Gstreamer supports this, but the documentation on how to do this is opaque. It should be similar to how TLS for the docker daemon is set up if you’ve ever done that. To access it remotely you’ll probably need a domain for that, since the host-name needs to match the generated certificate. You could also VPN in if your router supports it directly or you already have a tunnel set up.

I hope that answers your questions. Please let me know if you have any issues with ssh or key authentication. I certainly didn’t get it right on my first try.

2 Likes