Installation at remote site using RPi and VNC?


Sunray

Dec 9, 2020, 4:11:23 PM
to weewx-user
Hello, 
Sorry if this has been brought up already. I plan to install a Raspberry Pi running Weewx at a remote cold cabin, where the time and conditions for local configuration and troubleshooting are limited. So ideally I'd like to bring a pre-configured RPi to the cabin and just plug it into the existing LAN router where the weather station (Davis Vantage Vue with Weatherlink IP) is already running. 

Then, ideally, using a remote desktop running e.g. VNC Viewer, do as much as possible of the setup remotely from the warmth of my home. 

A question to you experts: is this feasible at all ? What are the minimum setup steps that must be done locally at the cabin?  I guess the key steps  are 1) to find out the local IP addresses of the weather station and the RPi, and then 2) get the weather station to talk to the RPi and then 3) to  get the virtual desktop of the RPi to become accessible on the internet. Then I could control Weewx from home. 

Anybody done this or can help otherwise? Many thanks in advance! 

galfert

Dec 9, 2020, 4:41:47 PM
to weewx-user
Sure it is doable. But ensure that your IP address for your Weatherlink IP has a reservation by your router.
Not sure which flavor of VNC you intend to use. The new RealVNC is very nice and offers remote capability without needing to open and forward firewall ports. But you should really test that before you leave that it works. While on site you could use your cellular if it has hotspot feature capability so that you can test connect from the Internet.

You could make sure remote access works by also setting up a direct connection... Give an IP reservation to the Pi and then open and forward VNC ports 5900 and 5800. Then make sure you have a good Dynamic DNS service configured. Most good routers now offer this service for free. Alternatively, to make things more secure, instead of opening VNC ports you could set up OpenVPN on the router and then VPN in. TIP - when using a VPN you should change the default subnet to something other than the default 192.168.1.x and make it something unique like 192.162.15.x. So don't use 192.168.0.1 and don't use 192.168.1.1 as those are common and they will prevent your VPN connection from allowing you to reach destinations when it is likely that the remote location also uses 192.168.1.x or 192.168.0.x. What this means is that you need both networks to use a different subnet for things to work.

One more thing....enable SSH on the Pi too so that you can use that instead of VNC as often all you need is a terminal prompt.
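
Added example, not part of the post above: the VPN tip comes down to checking that the address ranges of the two LANs do not overlap, which this script does for any pair of IPv4 networks in CIDR notation. The function names and the 10.73.15.0/24 network are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: do two IPv4 LANs (CIDR notation) overlap?
# Overlapping ranges on the two sides of a VPN make the far side unreachable.

# ip_to_int A.B.C.D -> prints the address as an integer, fails on bad input
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*|0?*) return 1 ;;   # empty, non-numeric or leading zero
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_range NET/LEN -> prints "first last" (integers) of the covered range
cidr_range() {
    case $1 in */*) ;; *) return 1 ;; esac
    len=${1#*/}
    case $len in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    ip=$(ip_to_int "${1%/*}") || return 1
    size=$(( 1 << (32 - len) ))          # number of addresses in the block
    first=$(( ip - ip % size ))          # round down to the block boundary
    echo "$first $(( first + size - 1 ))"
}

# lans_overlap CIDR_A CIDR_B -> 0 if they share addresses, 1 if not, 2 on bad input
lans_overlap() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ $# -eq 4 ] || return 2
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Constructed sample values: both sites on a common router default, then one renumbered.
for remote in 192.168.1.0/24 10.73.15.0/24; do
    if lans_overlap 192.168.1.0/24 "$remote"; then
        echo "192.168.1.0/24 vs $remote: overlap, renumber one side"
    else
        echo "192.168.1.0/24 vs $remote: ok"
    fi
done
```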

vince

Dec 9, 2020, 6:34:56 PM
to weewx-user
On Wednesday, December 9, 2020 at 8:11:23 AM UTC-8 Sunray wrote:
> A question to you experts: is this feasible at all ? What are the minimum setup steps that must be done locally at the cabin?  I guess the key steps  are 1) to find out the local IP addresses of the weather station and the RPi, and then 2) get the weather station to talk to the RPi and then 3) to  get the virtual desktop of the RPi to become accessible on the internet. Then I could control Weewx from home.


Definitely feasible.

(3) is the scary one.  You're going to be attacked by bots and script kiddies so often it will be mind-boggling.   You'll have to harden anything exposing open ports to Internet and be 'perfect' the first time in doing so.   For ssh have key-only logins, no passwords permitted.   I don't know how you could do VNC securely, but I'd think you need some kind of VPN gateway set up, 'also' done *perfectly* the first time.  You'll see attacks within just a few seconds/minutes from the bots.  Really.

Re: addressing, if you could statically configure your boxes that would be a huge help.  Static is best.  If you could use the same addresses on both LANs that might help too (ie, build on your LAN and get it working, then move the gear to the cabin and power it up), although that might create problems with routing.  Maybe set it all up statically at home, edit the addresses just before shutting it down to move the gear, and cross your fingers you didn't typo something :-)

For dev/test of the VPN software, I'd figure it out with a bunch of VMs and virtual networks in VirtualBox.   Draw a picture.  Set up the virtual networks like you'd have on both home+cabin LANs.  Have just one network as a simulated Internet.   Install your VPN software on both endpoints.   Test that you can route end to end across the VPN tunnel.

You didn't mention what you're using for firewalls on your LAN or cabin so we can't help much there.  Obviously you'll need to punch some port/protocol holes in both firewalls to let the VPN traffic through, maybe the ssh traffic too if you don't want to run that through the tunnel too.

The gory details are complicated.  You might want to ask in reddit in /r/homelab or /r/homenetworking for thoughts.

It's definitely doable, but there are a lot of moving parts to get right, and right away.  You don't want to be shields-down ever even for a few minutes.

weather list

Dec 9, 2020, 6:35:06 PM
to weewx...@googlegroups.com
Two other considerations:

Power supply: give some thought to a solar system to power the Pi. If it is as remote as it sounds, it sounds as if outages might easily occur? A solar system might even power the Davis unit; I don’t know the Envoy but if it uses alkaline batteries I am not sure of their tolerance for prolonged cold.

Wi-fi: not sure if you’re using wi-fi to connect any of the devices but if so, set the wi-fi router to a fixed channel, in addition to doing the IP address reservation. The fixed channel trick can make it easier for wi-fi systems to connect again after power stutters.

--
You received this message because you are subscribed to the Google Groups "weewx-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to weewx-user+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/weewx-user/152e6b22-17bf-4476-8983-a306dd8915can%40googlegroups.com.

vince

Dec 9, 2020, 6:46:10 PM
to weewx-user
I asked around and a coworker suggested just opening ssh up on the firewalls on both ends (carefully) and running VNC over ssh.   If you did that you could set your home firewalls to permit just the 'one' ip on the other side in.  That would be pretty good.

Alternately I think today's VPN software is WireGuard but I haven't used it.

But without knowing what you'd want the cabin weewx to actually make available, it's hard to speculate whether you need a full up VPN tunnel or not.

Greg Troxel

Dec 9, 2020, 7:04:45 PM
to Sunray, weewx-user

Sunray <win...@gmail.com> writes:

> Sorry if this has been brought up already. I plan to install a Raspberry Pi
> running Weewx at a remote cold cabin, where the time and conditions for
> local configuration and troubleshooting are limited. So ideally I'd like to
> bring a pre-configured RPi to the cabin and just plug it into the existing
> LAN router where the weather station (Davis Vantage Vue with Weatherlink
> IP) is already running.
>
> Then, ideally, using a remote desktop running e.g. VNC Viewer, do as much
> as possible of the setup remotely from the warmth of my home.

My version of ideal is ssh access only to the command line and no GUI
involved. I have a RPI3 running weewx, and it has no keyboard and no
display. I log into it over ssh and have done everything from the
command line. (The only trouble has been from SD card flakiness and
then I need to pull the card and repair it from another system.)

If you are going to have a remote system learning to use the command
line is worth it.

> A question to you experts: is this feasible at all ? What are the minimum
> setup steps that must be done locally at the cabin? I guess the key steps
> are 1) to find out the local IP addresses of the weather station and the
> RPi, and then 2) get the weather station to talk to the RPi and then 3) to
> get the virtual desktop of the RPi to become accessible on the internet.
> Then I could control Weewx from home.

My advice is:

wire the RPI3 to the router

wire the weatherlink IP to the router if you possibly can

Either install a big solar/battery system or get a good UPS. Test the
UPS as well as reading the manual to make sure it will power up again
after a long outage, if you lose power and get it back.

put the weatherlink IP and the RPI3 on static addresses on your lan.

set up port forwarding for something (port 22 maybe) to port 22 on the
RPI3. Do not open up other ports.

Set up dynamic DNS on the router so you can find the public IP address.

set up something on the RPI3 to at least once a day do something like
"wget https://your.webserver.example.com/phonehome-cabin" so you can
find the IP address when the dynamic DNS breaks

Set up tor on your RPI3 to offer ssh as a hidden service, and test
connecting to it from your machine at home.

Get a USB SSD and configure the Pi to boot from the uSD and mostly use
the SSD. If you don't do this configure weewx to generate html into
a /tmp ramdisk so it isn't needlessly churning the uSD card


----------------------------------------
brief tor hints (may need adjusting from NetBSD to GNU/Linux) -- further
tor is off topic here and there are lots of docs on the net

in .ssh/config, and nc is openbsd's netcat which has support for socks5

--------------------
Host *.onion
    ProxyCommand nc -xlocalhost:9050 -X5 %h %p
    # Use %n, to name control sockets foo.onion, so they aren't too big.
    ControlPath ~/.ssh/controlmasters/%r@%n:%p

Host rpi3.onion
    # copy from the address in hidden_service dir
    Hostname abcdefg.onion
--------------------

in torrc:

--------------------
HiddenServiceDir /var/chroot/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22
--------------------

John Kline

Dec 9, 2020, 7:18:23 PM
to weewx...@googlegroups.com, Sunray
> My version of ideal is ssh access only to the command line and no GUI
> involved.
+1
And get a firewall and VPN in.

> On Dec 9, 2020, at 11:04 AM, Greg Troxel <g...@lexort.com> wrote:

vince

Dec 9, 2020, 9:36:47 PM
to weewx-user
On Wednesday, December 9, 2020 at 8:11:23 AM UTC-8 Sunray wrote:
> Sorry if this has been brought up already. I plan to install a Raspberry Pi running Weewx at a remote cold cabin

Forgot to ask.

What exactly do you want this remote setup to do ?
Are you going to want to view a weewx-hosted web ?

And how cold is the cold cabin ?

Reason I'm asking is that a standalone weewx 'should' run very stably if you have good power there.   If you spun up a minimal 4 $/month Amazon Lightsail system to rsync to, you could make all your cabin=>internet traffic outbound assuming you have a firewall at the cabin.  That would be very easy and super secure....unless you thought the setup would be too bouncy due to power outages and the roads impassible for too long...

 

mwall

Dec 10, 2020, 12:55:44 AM
to weewx-user
On Wednesday, December 9, 2020 at 11:11:23 AM UTC-5 Sunray wrote:

> Anybody done this or can help otherwise? Many thanks in advance!

excellent suggestions in this thread, especially using only ssh for access.  you can always tunnel over the ssh connection for vnc or to probe/diagnose other parts of the remote network.

tor is great, but you can also map port 22 on the pi to some other high port on the public-facing router.  that will stop a lot of the brute force ssh attacks.  definitely use certificate-only authentication - no passwords.

test the catch-up capabilities while you are on site.  weewx was designed to get data from any logger, so you should not have any gaps in data, even if the computer running weewx is down for awhile.  but test it to be sure, and be sure that your logger interval is short enough to get the data you want, but long enough to get through the longest outage you anticipate.

if you have solar+battery in place, then the weak link will typically be your internet provider at the remote site.  while you are on site, do some testing of the cable modem or cell uplink or satellite uplink.  be sure that it will come back online after power failure, and be sure that your router will properly re-negotiate with your ISP hardware when everything comes back.

avoid auto-configuration software such as NetworkManager or fakehwclock.  you'll want your systems to remain exactly as you configured them.

rpi should boot automatically when it gets power, but for anyone using intel-based hardware, be sure to set the power-on policy in the bios.  in some bios this setting is rather obscure, but you want it to be always on.

definitely do the periodic probe to a web server whose logs you can query - dyndns can be pretty reliable, but then someone forgets to pay the bill, or a dns table gets messed up somewhere, or ...

of course, there are also all of the mother nature things to watch out for - lightning strikes, critters chewing through network or power cables, salt water penetrating your supposedly waterproof poe connections, temperatures exceeding 50C in your enclosure after spiders build webs across all of the ventilation ports, UV degradation of your sensor shields ...

m
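
Added example, not part of any post in the thread: the daily "phone home" request from Greg Troxel's list and the periodic probe recommended above, with the server-side step of pulling the cabin's current public address out of the web server log. The function names and the sample log lines are constructed, and the log is assumed to be in the common combined access-log format.

```shell
#!/bin/sh
# Added example for the daily "phone home" request suggested in the thread.
#
# On the Pi (crontab entry; the URL is the placeholder used in the thread, and the
# path does not need to exist, because a 404 is still written to the access log):
#   0 6 * * * wget -q -O /dev/null https://your.webserver.example.com/phonehome-cabin
#
# On the web server, the functions below read a combined-format access log on stdin.

# cabin_ip_changes [PATH] -> one "timestamp ip" line each time the source address changes
cabin_ip_changes() {
    awk -v path="${1:-/phonehome-cabin}" '
        # fields: ip ident user [time zone] "METHOD path PROTO" status bytes ...
        $7 == path && $1 != last { print substr($4, 2), $1; last = $1 }
    '
}

# current_cabin_ip [PATH] -> source address of the newest phone-home request
current_cabin_ip() {
    cabin_ip_changes "$@" | awk '{ ip = $2 } END { if (NR) print ip; else exit 1 }'
}

# Constructed sample log lines (documentation address ranges).
sample_access_log() {
    cat <<'EOF'
198.51.100.23 - - [08/Dec/2020:06:00:02 +0000] "GET /phonehome-cabin HTTP/1.1" 404 153 "-" "Wget/1.20.1 (linux-gnueabihf)"
192.0.2.50 - - [08/Dec/2020:09:14:40 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [09/Dec/2020:06:00:01 +0000] "GET /phonehome-cabin HTTP/1.1" 404 153 "-" "Wget/1.20.1 (linux-gnueabihf)"
203.0.113.77 - - [10/Dec/2020:06:00:03 +0000] "GET /phonehome-cabin HTTP/1.1" 404 153 "-" "Wget/1.20.1 (linux-gnueabihf)"
EOF
}

sample_access_log | cabin_ip_changes
```

Anyone who learns the path can add entries to the log, so treat the result as a hint for where to point ssh, not as proof of where the Pi is.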

Bill Arthur

Dec 10, 2020, 2:33:55 AM
to weewx-user
Many good ideas here.

My suggestion:
Set up an identical package at home. Same model pi, same ip address, same weather station setup.
That way you can update, reconfigure and test your setup and just carry the sim chip on a visit to your remote site.

Ralph Underwood

Dec 10, 2020, 2:59:12 AM
to weewx-user
What's wrong with using VNC? I use it to get to two remote Weewx running RPi. With the RPi, VNC has a deal to access up to five computers for free.

Tim Tuck

Dec 10, 2020, 7:12:33 AM
to weewx...@googlegroups.com
On 10/12/20 1:59 pm, Ralph Underwood wrote:

> What's wrong with using VNC? I use it to get to two remote Weewx
> running RPi. With the RPi, VNC has a deal to access up to five
> computers for free.
>
>
Hi Ralph,

VNC requires a GUI, e.g. desktop packages need to be loaded for VNC to
work. This vastly increases the attack surface for hackers.

Desktop GUIs are not required on servers, least of all something as
simple and tiny as weewx.

If you must have a GUI for your server, use a BUI something like Webmin
or Cockpit that can be secured properly. Both lightweight compared to X!

SSH with keys, is the best option for a remote system for CLI.

Oh yes... and SSH is free and included with every linux/unix for an
unlimited number of servers.

When building a system exposed to the internet you always start with the
"minimal install" group as provided by all vendors. You then add only
the packages you need to get your server/services working. This makes
for a small tight system with a minimal attack surface and limits the
amount of things to keep patched.

Depending on what OS you are using you should also have something like 
LivePatch, yum-cron, Ksplice, Autonomous Linux, etc. to keep your system
up-to-date with critical security updates even when you're not paying
attention to it.

And.... you should be using a cron'd Rsync over SSH to keep a backup
off-site just-in-case the flash fails. Or at least some other automated
backup methodology.

cheers

Tim
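
Added example, not part of the post above: a check for the "SSH with keys, no passwords" advice given here and in earlier replies, run against the effective configuration that `sshd -T` prints. The function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report effective sshd settings that still allow non-key logins.
# Feed it the output of `sshd -T` (run as root), which prints one lowercase
# "keyword value" pair per line.

key_only_findings() {
    awk '
        BEGIN {
            want["passwordauthentication"]          = "no"
            want["kbdinteractiveauthentication"]    = "no"
            want["challengeresponseauthentication"] = "no"   # name used by older OpenSSH
            want["pubkeyauthentication"]            = "yes"
        }
        ($1 in want) {
            seen[$1] = 1
            if ($2 != want[$1]) { print "FAIL", $1, $2, "(want " want[$1] ")"; bad = 1 }
        }
        $1 == "permitrootlogin" && $2 == "yes" { print "FAIL", $1, $2, "(want no)"; bad = 1 }
        END {
            # A check that never saw the setting has verified nothing.
            if (!seen["passwordauthentication"]) { print "FAIL passwordauthentication not reported"; bad = 1 }
            if (!seen["pubkeyauthentication"])   { print "FAIL pubkeyauthentication not reported"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample: password logins still enabled.
sample_default() {
    cat <<'EOF'
port 22
permitrootlogin without-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
challengeresponseauthentication no
EOF
}

# Constructed sample: after setting "PasswordAuthentication no" in sshd_config.
sample_key_only() {
    cat <<'EOF'
port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
EOF
}

sample_default | key_only_findings || echo "fix the settings above before forwarding the ssh port"
```

On the Pi itself, run it as `sudo sshd -T | key_only_findings`, and keep an existing session open while editing sshd_config so that a mistake does not lock you out of a machine you cannot reach physically.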

Sunray

Dec 10, 2020, 1:25:50 PM
to weewx-user
Many many thanks for all your useful comments! One of the suggestions which I find very good is to first build up and test the system at home. The hardware problem, however,  is that my Vantage Vue weather station is at the cabin, online to Weatherlink.com, and I'm not that keen to unplug it and bring it home for the duration of the testing. 
To get around that, I wonder what would be the simplest possible replacement "weather station sensor" which I could connect to the weewx-RPi testbed at home in order to send some test weather data to the RPi and onwards. (In principle even a $2 temperature sensor directly connected to the RPi, as in many RPi tutorials, would serve that purpose). Any experience of that? 
I'll have to think about your excellent VNC vs SSH vs VPN suggestions. I was hoping not to have to do any special configurations of the LAN router, either at home or at the cabin. But I may have to rethink. In terms of need for protection, the value of the weather data is perhaps not that important, but I certainly don't want to leave any holes from which malicious entities may enter my laptop during the summertime when I spend more time at the cabin and connect to the cabin's LAN. 

Yes, in terms of uptime, I've had some power breaks, and fried two power adaptors due to lightning during the last 4 years or so the station has been active. An UPS or even a surge protector would certainly have been useful. FYI, the Vantage weather station is connected to the router by cable, and I plan the same for the RPi - no WiFi except for the laptop during my summer visits. 
Once again many thanks, the project continues...

p q

Dec 10, 2020, 1:57:11 PM
to weewx...@googlegroups.com
Build and test using the Simulator weather station which simulates having a real station hooked up. Switch the driver to the driver for your real station when you hook it up for real. 

My weather station computer is in my home office and I still use this method because I want to have peace of mind while I try new things. 


Greg Troxel

Dec 10, 2020, 2:02:45 PM
to Sunray, weewx-user

Sunray <win...@gmail.com> writes:

> Many many thanks for all your useful comments! One of the suggestions which
> I find very good is to first build up and test the system at home. The
> hardware problem, however, is that my Vantage Vue weather station is at
> the cabin, online to Weatherlink.com, and I'm not that keen to unplug it
> and bring it home for the duration of the testing.
> To get around that, I wonder what would be the simplest possible
> replacement "weather station sensor" which I could connect to the weewx-RPi
> testbed at home in order to send some test weather data to the RPi and
> onwards. (In principle even a $2 temperature sensor directly connected to
> the RPi, as in many RPi tutorials, would serve that purpose). Any
> experience of that?

The most important thing to work out is reliable remote access to the
system. You can install weewx and debug it remotely over ssh just
fine. But if you can't login over ssh, you are stuck. So concentrate
on the remote access part.

> I'll have to think about your excellent VNC vs SSH vs VPN suggestions. I
> was hoping not to have to do any special configurations of the LAN router,
> either at home or at the cabin. But I may have to rethink. In terms of need
> for protection, the value of the weather data is perhaps not that
> important, but I certainly don't want to leave any holes from which
> malicious entities may enter my laptop during the summertime when I spend
> more time at the cabin and connect to the cabin's LAN.

I don't know why you are trying to avoid configuring the router. fixed
IP addresses assigned by DHCP is normal, and so is forwarding ssh to one
of them. Given that the router is .1, I would assign .2 to the pi and
.3 to the weatherlink. Configuring the router is far far easier than
dealing with all the problems of reverse tunneling back in via some
cloud mechanism from the device reaching out.

When you do the static config, keep using dhcp on the pi, and set up tor
like I suggested. That way when the router is replaced or reconfigured
and changes LAN addresses, you will still be able to access the pi from
outside.

Overall, do not underestimate the importance of being able to log in,
and the ways in which trouble can happen.

vince

Dec 10, 2020, 3:26:40 PM
to weewx-user
On Thursday, December 10, 2020 at 5:25:50 AM UTC-8 Sunray wrote:
> I wonder what would be the simplest possible replacement "weather station sensor" which I could connect to the weewx-RPi testbed at home in order to send some test weather data to the RPi and onwards.

Which pi ?   The one at home or the one at the cabin ?  What are you sending from-where to-where ?

If you just want to test weewx, that's what the simulator is for.

> I was hoping not to have to do any special configurations of the LAN router, either at home or at the cabin.

You're going to have to do 'something' to let your ssh or VPN or VNC traffic in.    Reserve the static addresses for the weather gear when you do that.

> Yes, in terms of uptime, I've had some power breaks, and fried two power adaptors due to lightning during the last 4 years or so the station has been active. An UPS or even a surge protector would certainly have been useful. FYI, the Vantage weather station is connected to the router by cable, and I plan the same for the RPi - no WiFi except for the laptop during my summer visits.

You always want at least a surge protector with all your electronics plugged into it, as a minimum.


Andy

Dec 10, 2020, 3:30:04 PM
to weewx-user
I used to have ssh on an alternate port (tcp/2222) open to the internet. Static IP on raspberry pi with port forward in router. SSH on the pi was configured for SSH key based authentication only. No password logins allowed. Fail2ban running also. 

Getting the source ip of failed logins and putting them on a map resulted in this. Quite a few attempts in 15 days


how to build the map here

I now only allow port 2222 in from specific IP's
Andy
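
Added example, not part of the post above: the first step of what Andy describes, collecting the source address of each failed login from the sshd log and counting attempts per address. It assumes a key-only sshd like the one in the post; the function names and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally failed SSH logins per source address from auth.log (stdin).
# Assumes key-only sshd as in the post above, where a rejected attempt is logged as
# "Invalid user ..." (unknown account) or
# "Connection closed by authenticating user ..." (known account, no valid key).

failed_ssh_sources() {
    awk '
        /sshd\[[0-9]+\]: (Invalid user |Connection closed by authenticating user )/ {
            # The user name is chosen by the client and may itself be "port" or
            # "from", so locate the address from the end of the line instead.
            for (i = NF; i > 1; i--)
                if ($i == "port") {
                    if ($(i-1) ~ /^[0-9A-Fa-f:.]+$/) count[$(i-1)]++
                    break
                }
        }
        END { for (ip in count) print count[ip], ip }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample log lines (documentation address ranges).
sample_auth_log() {
    cat <<'EOF'
Dec 10 03:12:01 cabinpi sshd[2101]: Invalid user admin from 203.0.113.5 port 51234
Dec 10 03:12:01 cabinpi sshd[2101]: Connection closed by invalid user admin 203.0.113.5 port 51234 [preauth]
Dec 10 03:12:09 cabinpi sshd[2103]: Invalid user port from 203.0.113.5 port 51240
Dec 10 03:15:44 cabinpi sshd[2110]: Connection closed by authenticating user root 198.51.100.9 port 40022 [preauth]
Dec 10 08:00:12 cabinpi sshd[2200]: Accepted publickey for pi from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:constructed
Dec 10 09:30:00 cabinpi sshd[2300]: Invalid user test from 2001:db8::77 port 33000
EOF
}

sample_auth_log | failed_ssh_sources
```

The second sample line is deliberately not counted: it is the close of the attempt already logged on the first line, so matching it would count that attempt twice.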

vince

Dec 10, 2020, 7:49:56 PM
to weewx-user
Indeed.   I used to fail2ban ssh attempts from other than my home ip 'one' address.  I had over 100 countries hitting me, with the vast majority the usual APT countries we've all read about.   That said, geoip fencing is an inexact science and it's not that hard to make it look like a different source address.

I only let in US+CA+AU to my website due to too many attacks, by adding geoip fencing to nginx which is pretty easy to set up.   I also have a custom fail2ban to ban anybody trying to look for php/wordpress stuff as that's a big attack vector by the bots and script kiddies attacking websites.

I've locked myself out of my AWS box a couple times via messing up fail2ban blocks of ssh incoming, requiring me to just nuke+rebuild it, so I probably need another solution there.   Thinking of just permitting my LAN ip there once again, if I can come up with a second path in just-in-case.  Maybe I'll try WireGuard there and let my home box tunnel into the cloud VM.  Maybe.  I'll have to think about it some more.

It's an arms race and it's tiring even needing to fight it...

Sunray

Dec 15, 2020, 4:39:22 PM
to weewx-user

Progress report : Success!

I was able to visit the cabin today for two hours (cold!) and installed the RPI  hardware. After some headscratching due to a security camera on the same LAN, I was able to establish a RealVNC Connect session between the RPI connected by cable on the cabin's LAN and my laptop running on my cellphone's wifi hotspot. This enabled me to find out all necessary IP addresses including the Vantage Vue's Weatherlink IP address, which I needed for the WeeWx setup.

I then did the reconfiguration of WeeWx from Simulator to Vantage Vue but did not manage to get a html update. A reduction of the Vantage's archiving interval from 2 hours to 5 minutes did not help. I could, however, using the weewxd command see that the LOOP packets now originated from the weather station and not simulated. So it looked promising!

Back home, error messages suggested database errors. After some study I changed in the config file:

  • Driver model_type changed from 2 to 1
  • Archive record generation from hardware to software.

After these changes the html generation works fine!

 

Thank you everyone for your advice and suggestions! I have one immediate issue - the wind direction graphs only display on a 16-point scale (22.5 degrees intervals).

My next project will be to try to implement a realtime wind display (displaying each LOOP packet's data - advice welcome!) and to publish the weather data in a safe way.

Sunray

Dec 15, 2020, 7:29:53 PM
to weewx-user
Correction, the wind direction problem affected only the data archived in the WLIP logger before Weewx came on line. 

But another issue is that the Weewx traffic seems to block the WLIP logger from doing its regular uploading of data to Davis Weatherlink.com. Any advice on this ?

Andy

Dec 23, 2020, 3:41:09 PM
to weewx-user
I just set up an open-vpn server and a raspberrypi as the vpn client. The pi will try to reconnect if the connection dropped.

Andy