External access to Miniserver


Simon Still

Nov 5, 2016, 10:26:20 AM
to Loxone English
What's people's feeling about this now? (Thinking on this based on the DOS post below.)

So far I've kept mine LAN only but there are times when external access would be useful.  Is there a best practice guide beyond Loxone's instructions?

sk

Nov 5, 2016, 3:21:22 PM
to Loxone English
I believe it would be safer to have an SSL connection. I tried to make an Apache reverse proxy work with SSL and WebSockets on a Pi acting as a bridge (the current Miniserver isn't powerful enough for SSL), but there was a lot of code in the Loxone Miniserver site that couldn't be bypassed. The new site is more difficult as they have used some other libraries for the site. It would be better if they upgraded the Miniserver and used some industry-wide standards.

seb303

Nov 5, 2016, 8:19:20 PM
to Loxone English
Wouldn't a VPN / SSL tunnel be an easier way to allow secure remote access?  Obviously the disadvantage is the need to set up the VPN on the client as well.

The current Miniserver/WebUI does use a kind of encryption for the username/password data at least, although subsequent data and commands are sent unencrypted, so it would in theory be possible for someone in the right place on the network to intercept and inject the WebSockets connection.  Depends what your Miniserver is controlling - is an attacker going to go to all that trouble just to get control of your lighting and heating for example?

Regarding the DOS attacks: a VPN would give protection. But I think using a non-standard port is probably enough. There's no suggestion that the DOS attacks are actually targeting the Miniserver specifically, nor that there's a way to gain access to it - although obviously it's a pain when it reboots itself due to connection overload and all the lights in the house turn off!

Andrew B

Nov 5, 2016, 8:22:34 PM
to Loxone English
I've been struggling with this, particularly since I've been lately working in the network security domain. I've also been struggling since my ISP cable modem port forwarding is broken in some obscure way.

The posts you refer to further validate my concerns, as does the news recently that IoT devices are being hacked and hijacked into BotNets.

My current thinking is that the best approach is to set up a VPN and constrain what remote users can access, but let them at the miniserver's web port.

sk

Nov 6, 2016, 3:22:48 AM
to Loxone English
Agree a VPN would be the safest option, but it relies on the VPN being reliable enough for a WebSocket connection. OpenVPN is the best but relies on some tech knowledge on setting up the server and still relies on you opening up ports, which again can be affected by DDoS attacks.

Apache can be limited to implement throttling, e.g. three connections. If a DDoS attack did occur, only your router and Apache on the Pi/other server would end up hit. The Miniserver wouldn't be hit by more than three connections.

Dup

Nov 7, 2016, 1:56:18 AM
to Loxone English
Loxone is one of the few which hasn't a P2P connection - access without public IP. What is the best and simple solution? Thank you

Rob

Oct 1, 2018, 6:29:23 PM
to Loxone English
I'm trying to set up remote access so that I can use Config to complete my system setups when I am away from home for a few days over the next weekend.

I've followed the Loxone documentation but get an error message saying that a connection is not allowed (quoting my ISP WAN address).

Does anyone have a simple step-by-step idiot's guide I can follow, just in case I'm doing something wrong?

I have a Virgin fibre Superhub in case that makes a difference.

Rob

David Wallis

Oct 2, 2018, 8:25:39 AM
to Loxone English
A non-standard port is not good enough. A simple NMAP will find that, and you can do host type discovery too and then target it specifically.

With regards to the SSL - I've used nginx as an SSL reverse proxy with Let's Encrypt certs before - but this will probably break the apps if they don't support communicating over SSL (I've never tried with Loxone).

David
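The two proxy ideas raised in this thread (a TLS-terminating reverse proxy that also passes WebSockets, and a hard cap of three connections reaching the Miniserver), sketched as an nginx configuration. This is an added example, not configuration posted by anyone in the thread: the hostname `home.example.net`, the certificate paths and the zone name are assumptions, `192.168.1.77:80` is the sample Miniserver address used elsewhere in the thread, and whether the Loxone apps and web UI work through it is untested here.

```nginx
# Added example; place in the http {} context, e.g. /etc/nginx/conf.d/miniserver.conf.
# home.example.net, the certificate paths and the zone name are placeholders.

# One counter keyed on the server name, so the cap applies to the total number
# of concurrent connections to this virtual server, not per client address.
limit_conn_zone $server_name zone=miniserver_total:1m;

# Forward "Connection: upgrade" only when the client actually asked to upgrade,
# so ordinary HTTP requests and WebSocket handshakes are both proxied correctly.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name home.example.net;

    # Paths follow certbot's usual layout for a Let's Encrypt certificate.
    ssl_certificate     /etc/letsencrypt/live/home.example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/home.example.net/privkey.pem;

    # At most three concurrent connections are passed on; further ones are
    # refused by the proxy and never reach the Miniserver.
    limit_conn        miniserver_total 3;
    limit_conn_status 503;

    location / {
        # TLS ends at the proxy; the Miniserver is only spoken to over the LAN.
        proxy_pass http://192.168.1.77:80;

        # WebSocket pass-through needs HTTP/1.1 and the Upgrade headers.
        proxy_http_version 1.1;
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection $connection_upgrade;
        proxy_set_header   Host       $host;

        # Long-lived WebSocket sessions would otherwise be cut after 60s idle.
        proxy_read_timeout 1h;
    }
}
```

Each open WebSocket session counts against the limit for as long as it stays connected, so a cap of three also bounds how many legitimate clients can be connected at once.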

David Wallis

Oct 2, 2018, 8:27:41 AM
to Loxone English
Where are you trying to connect from (i.e. not work, where IT will block that)?

On your Superhub you need to enable port forwarding of whatever port you are using, e.g. 80, to your Miniserver's IP address on the same port.

Or pick a random external port, say 24222, and forward this to the Miniserver, e.g. 192.168.1.77 on port 80.

David

Rob

Oct 2, 2018, 5:14:33 PM
to loxone-...@googlegroups.com
I am connecting over a normal internet connection (mobile broadband) not through work so should be no blocking.

This is what I have set up in my Superhub, and in Config I have also set the port on dns.loxonecloud.com as 50000.

1.jpg


When I try to connect externally I get the following error message:

2.jpg




Duncan

Oct 2, 2018, 5:50:46 PM
to loxone-...@googlegroups.com
Depending on the router options, this might open port 50000 outside to port 50000 on the internal IP address of the Miniserver, where it isn't listening.

My router allows outside port 50000 to be mapped to port 80 inside, the one on which the Miniserver listens by default. If your router can't remap ports, then you only have the option of forwarding port 80 (bad idea) or changing the default port internally to the one used outside (50000); then you will have to reconfigure your internal apps to use the new internal port.

Capture1.JPG

Capture.JPG

Failing that, you could VPN into your home network (assuming your router supports that), then use the local internal network address - this is very secure for the odd time you want to connect the Config software from outside, but a bit of a pain for using the app.

Have you checked out the server network config page? Try adding the correct port to the external access setup using Loxone cloud DNS and see if that helps.