I use syncthing to back up my files to a Raspberry pi.
I want to access the GUI interface of the Raspberry pi from outside my local lan. What is the best way to do so? I was thinking on installing Tailscale but I am not clear how to access the GUI.
The best (more secure IMO, no need to trust another profitable third-party) way : install ssh server on the PI , set it up in /etc/ssh/sshd_config to prevent password authentication (PasswordAuthentication no) and create a key pair in the mac (ssh-keygen) whose you will copy the public part (content of default generated id_rsa.pub file) to the pi in ~/.ssh/authorized_keys (one single line per authorized key).
You must leave the ST GUI access set to 127.0.0.1:8384
You have already set the pi LAN IP address as static or created a DHCP lease for it in your home router/gateway, and while still in the gateway settings, create a port forward to the pi’s sshd server for WAN access, e.g. ([any]:22922>>>192.168.1.120:22). So no need for a dedicated port forward for the ST GUI, the above single one can even be used to access the full PI desktop, regards to VNC RDP to pi’s localhost. Then:
Add 2 lines in the mac’s /etc/hosts file, one for the pi LAN ip, one other for your home’s WAN ip, e.g.
#strange aliases below to ease ssh... command single letter autocompletion, adapt as you like
192.168.1.120 pi guipi
80.170.26.34 wanpi remotepigui
Set/create the mac’s ~/.ssh/config file:
#common
User pi
#hosts specific
#simple terminal
Host pi
#nothing to specify here
Host wanpi
Port 22922
#gui access
Host guipi
LocalForward=8384 localhost:80
LocalCommand=firefox localhost:8384
Host remotepigui
Port 22922
LocalForward=8384 localhost:80
LocalCommand=firefox localhost:8384
#replace "localhost:8384" above with "https://localhost:8384" if you enabled HTTPS for the GUI in ST settings.
From the WAN you get the ST gui this way from within a terminal:
I do this. It’s really easy to setup. Just put the tailscale ip for your divice in the syncthing address for that device. I normally do it after the normal address. That way it will search normal and if that does not work it will look for the tailscale ip.