RASPBERRY PI REMOTE ACCESS · SSH · VNC · PI CONNECT · TAILSCALE
HARDWARE REF v1.0

METHOD OVERVIEW

METHODLOCAL ONLYREMOTEGUISETUPNOTES
SSHYesWith port forwardNo (CLI)EasyBest for headless admin
VNC (RealVNC)YesVia RealVNC CloudYesEasyBuilt into Raspberry Pi OS
Pi ConnectNoYes — officialYes (shell + screen)EasyOfficial RPi remote service — free tier
TailscaleN/AYes — mesh VPNVia SSH/VNC over tunnelMediumBest for persistent remote access
ngrokNoYes — tunnelNo (CLI)EasyQuick tunnels — free tier limited
Reverse SSHNoYesNo (CLI)MediumRequires a remote VPS with static IP

SSH

ENABLE SSH
LOCAL
Three methods to enable

METHOD 1 — RASPI-CONFIG

sudo raspi-config
# Interface Options > SSH > Enable

METHOD 2 — HEADLESS (SD card)

# Create empty file on boot partition
touch /boot/ssh
# or on /boot/firmware/ for Pi OS Bookworm+
touch /boot/firmware/ssh

METHOD 3 — SYSTEMCTL

sudo systemctl enable ssh
sudo systemctl start ssh
CONNECT
LOCAL
# Basic connect
ssh pi@raspberrypi.local
ssh pi@192.168.x.x

# With key
ssh -i ~/.ssh/id_rsa pi@raspberrypi.local

# Copy file to Pi
scp file.txt pi@raspberrypi.local:~/Desktop/

# Copy file from Pi
scp pi@raspberrypi.local:~/file.txt .

# Mount Pi filesystem locally
sshfs pi@raspberrypi.local:/ /mnt/pi
KEY-BASED AUTH (recommended)
# Generate key on your client
ssh-keygen -t ed25519 -C "hylas-pi"

# Copy public key to Pi
ssh-copy-id pi@raspberrypi.local

# Or manually:
cat ~/.ssh/id_ed25519.pub | \
ssh pi@raspberrypi.local \
"mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

# Then disable password auth on Pi:
sudo nano /etc/ssh/sshd_config
# PasswordAuthentication no
sudo systemctl restart ssh
SSH CONFIG SHORTCUTS
# ~/.ssh/config on your laptop
Host pi
HostName 192.168.1.x
User pi
IdentityFile ~/.ssh/id_ed25519
ServerAliveInterval 60

Host pizero
HostName 192.168.1.y
User pi
IdentityFile ~/.ssh/id_ed25519

# Now just:
ssh pi
ssh pizero

PI CONNECT (OFFICIAL RPi REMOTE SERVICE)

RASPBERRY PI CONNECT
OFFICIAL · connect.raspberrypi.com
Free tier available · Requires account at connect.raspberrypi.com · Raspberry Pi OS Bookworm or newer

INSTALL & ENABLE

# Install Pi Connect
sudo apt update
sudo apt install rpi-connect

# Or for lite/headless (screen sharing unavailable):
sudo apt install rpi-connect-lite

# Enable service
systemctl --user enable rpi-connect
systemctl --user start rpi-connect

# Sign in from Pi terminal
rpi-connect signin
# Follow URL to link device to your account

# Check status
rpi-connect status
rpi-connect id

FEATURES

FEATUREFULLLITE
Remote shell (SSH over web)YesYes
Screen sharing (VNC)YesNo
Wayland supportYesN/A
Works headlessYesYes
Multiple devicesYesYes
Access from connect.raspberrypi.com — login with your Raspberry Pi account. Works through NAT, no port forwarding required. Uses WebRTC.
Free tier allows 1 device, 5 connections/month. Paid tier for more. Data transits RPi servers — use for non-sensitive admin only.

TROUBLESHOOT

# View logs
journalctl --user -u rpi-connect -f

# Sign out
rpi-connect signout

VNC (REALVNC)

ENABLE VNC SERVER
LOCAL
sudo raspi-config
# Interface Options > VNC > Enable

# Or via systemctl:
sudo systemctl enable vncserver-x11-serviced
sudo systemctl start vncserver-x11-serviced
VNC requires a desktop environment. For Pi OS Lite, use x11vnc with Xvfb for headless display.
HEADLESS VNC (no monitor)
# Force a virtual resolution on headless Pi
sudo raspi-config
# Display Options > VNC Resolution > 1920x1080

# Or edit /boot/firmware/config.txt:
hdmi_force_hotplug=1
hdmi_group=2
hdmi_mode=82 # 1920x1080 60Hz
After setting virtual resolution, VNC works without an HDMI monitor attached. Pi must be in desktop mode (not lite).

TAILSCALE (MESH VPN)

INSTALL TAILSCALE
VPN MESH
# Install
curl -fsSL https://tailscale.com/install.sh | sh

# Authenticate
sudo tailscale up
# Follow URL to authorise device

# Enable autostart
sudo systemctl enable tailscaled

# Check IP
tailscale ip -4

# Status
tailscale status
USING TAILSCALE
# SSH via Tailscale IP (100.x.x.x)
ssh pi@100.x.x.x

# SSH via MagicDNS hostname
ssh pi@raspberrypi.tail-xxxx.ts.net

# VNC over Tailscale
# Point VNC viewer to Tailscale IP

# Exit node (route all traffic through Pi)
sudo tailscale up --advertise-exit-node
# On client: Tailscale > Use exit node > Pi
Free for personal use, up to 3 users / 100 devices. Works through CG-NAT. No open ports, no DynDNS, no port forwarding needed.

REVERSE SSH (VPS TUNNEL)

PERSISTENT REVERSE TUNNEL
Requires a VPS with a static IP (e.g. Hetzner, DigitalOcean, Oracle Free Tier)

ON THE PI

# Open reverse tunnel on boot
ssh -fNR 2222:localhost:22 \
user@vps.example.com \
-i ~/.ssh/vps_key

# AutoSSH for persistent reconnect
sudo apt install autossh
autossh -M 0 -fNR 2222:localhost:22 \
user@vps.example.com \
-i ~/.ssh/vps_key \
-o ServerAliveInterval=30 \
-o ServerAliveCountMax=3

FROM ANYWHERE (via VPS)

# SSH to VPS first
ssh user@vps.example.com

# Then jump to Pi via reverse tunnel
ssh pi@localhost -p 2222

# Or in one command from anywhere:
ssh -J user@vps.example.com \
pi@localhost -p 2222
Add autossh as a systemd service for reliable reconnection after reboots or network dropouts. Set GatewayPorts yes on the VPS /etc/ssh/sshd_config if you want direct internet access to the tunnel port.

HEADLESS FIRST-BOOT SETUP

RASPBERRY PI IMAGER — HEADLESS CONFIG
Pre-configure before writing SD — no keyboard/monitor needed
  1. In Raspberry Pi Imager, click the gear / settings icon (or press Ctrl+Shift+X)
  2. Set hostname, username, password
  3. Configure WiFi SSID and password
  4. Enable SSH with password or public key
  5. Set locale/timezone
  6. Write image — config is stored in firstrun.sh on boot partition
# After first boot, find Pi on network:
ping raspberrypi.local
# or use nmap to scan subnet:
nmap -sn 192.168.1.0/24
On Pi OS Bookworm, the default user is no longer pi — you set the username in Imager. SSH is enabled automatically if configured in Imager.

STATIC IP / HOSTNAME

DHCP RESERVATION (router)

Preferred — assign a fixed IP from your router's DHCP config by binding to the Pi's MAC address. No Pi-side config needed. Check your router's DHCP > Address Reservation page.

# Find Pi MAC address
ip link show eth0
ip link show wlan0

STATIC IP ON PI

# /etc/dhcpcd.conf (older Pi OS)
interface wlan0
static ip_address=192.168.1.50/24
static routers=192.168.1.1
static domain_name_servers=1.1.1.1

# Bookworm — use nmcli:
nmcli con mod "preconfigured" \
ipv4.method manual \
ipv4.addresses "192.168.1.50/24" \
ipv4.gateway "192.168.1.1"
nmcli con up "preconfigured"
HYLAS SECURITY // PICONNECT v1.0INTERNAL — HARDWARE REFERENCE