Security experts: using 'ngrok' to access Raspberry Pi server remotely - how safe?


Alex Gibson

Jul 13, 2017, 12:40:43 PM
to reading-...@googlegroups.com

Hi network security nerds…

 

I would be grateful for your thoughts on using the combination of a Raspberry Pi on my local network running the ‘Octopi’ OS distribution, which runs an ‘Octoprint’ server.

https://octopi.octoprint.org/

 

…with this service intended to make local things accessible to the internet.

https://ngrok.com/

 

Here’s some evidence that Adafruit have done this sort of thing before.

https://learn.adafruit.com/monitor-your-home-with-the-raspberry-pi-b-plus/access-your-pi-from-anywhere

 

Obvious stuff: I would set up the Raspberry Pi with a decent username and password, and within the Octopi server I will set up a user/pass so nobody can start moving or heating my printers from the internet.

 

Please can people share any fact/experience-based pointers regarding the ngrok service?

 

Thanks

 

Alex

Stephen Cornes

Jul 13, 2017, 3:51:46 PM
to Reading Hackspace
So full disclosure, never used ngrok.

I set up SSH and use SSH tunnels to remotely do all sorts of stuff on my home pies. From looking at ngrok, its advantages would be that you don't need to configure a dynamic DNS service and you don't need to edit your home router configuration. Or rather, if you can't do those then ngrok looks like a good solution.

Otherwise I would say using a third party like ngrok is only going to slow things down, and what is to stop them looking at your traffic for 'shaping' or ads?

Setting up SSH and using SSH tunnels was a learning challenge for me but worthwhile. Also you can use key pairs and do away with usernames and passwords. 

Are you just looking to be able to print at home from anywhere?

Andy Hayward

Jul 13, 2017, 4:06:11 PM
to Reading Hackspace
SSH tunnels with certificates for auth.

ngrok sounds like a good idea; but ...

--
You received this message because you are subscribed to the Google Groups "Reading Hackspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to reading-hackspace+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Alex Gibson

Jul 13, 2017, 4:43:14 PM
to reading-...@googlegroups.com
I'm looking to monitor the Octopi camera and control the printer remotely.

I have some printer control Pis on corporate networks and more on my domestic Sky broadband.

I also just discovered a new plugin for OctoPi - Anywhere.  It seems to do almost exactly what I wanted plus give a dashboard view which is almost perfect - except I can't yet get it to play nicely with all video streams from all Pis 

Now there seems to be 

Tapped on my mobile phone.

Keegan Neave

Jul 13, 2017, 6:45:35 PM
to Reading Hackspace
I've been using OctoPi since I got my printer. I used SSH tunnels to start with but have since repurposed a Pi 1 as an OpenVPN server. Works a treat with my phone.

dz

Jul 14, 2017, 5:10:49 AM
to Reading Hackspace
+1 for VPN in, OpenVPN works, make sure it's patched for CVE-2017-7521 or any others ;)
Never heard of ngrok, guess it's a question of trust, everything you do on their side can be eavesdropped so ...
just my £0.02
dz

Stuart Ward

Jul 15, 2017, 7:36:56 AM
to Reading Hackspace
Alex

I had a look through the FAQ and some of the documentation. So I presume the main need for this is corporate networks where they have proxy controls for internet access. While I see no problem with this and it will work, it is bypassing a key control on those networks. Make sure that their IT Security are happy with this. (I would never allow.)

It is username and password authenticated, so make sure you are using a 16 character randomly generated password. I would also look at the HTTPS options, but that will involve using untrusted certs.

SSH with key authentication or an OpenVPN tunnel are the standard way of doing this, but these will require port forwarding so you can make the connection. Keep the ngrok software updated, and keep an eye on the security news for issues.

Stuart

--
Stuart Ward M +44 7782325143

Stuart Ward

Jul 15, 2017, 7:40:32 AM
to Reading Hackspace
not showing problems at the moment...

--
Stuart Ward M +44 7782325143

Alex Gibson

Jul 15, 2017, 7:46:12 AM
to reading-...@googlegroups.com

Brilliant, thanks Stuart.

 

So would I be right to say that on the face of it, it looks OK to you, but the caution you reserve is in case there is an issue at NGROK itself, rendering it or future downloads from it insecure?

 

I’m currently trialling ‘OctoPi Anywhere’, which is a new plugin for OctoPi, using a service called ‘getanywhere.io’. This is even better in theory, as it integrates nicely, but I can’t yet view the remote Pi on the corporate network via this, nor can I see local or remote Pis on my mobile phone, which is the point…

 

Cheers

Alex


Alex Gibson

Jul 15, 2017, 7:47:59 AM
to reading-...@googlegroups.com

Brilliant – thanks Stuart, this gives me a risk mitigation action if I use this service…

 

Cheers

Alex

 

From: stuart....@gmail.com [mailto:stuart....@gmail.com] On Behalf Of Stuart Ward
Sent: 15 July 2017 12:40
To: Reading Hackspace
Subject: Re: [RDG-Hack] Security experts: using 'ngrok' to access Raspberry Pi server remotely - how safe?

 


Stuart Ward

Jul 15, 2017, 7:54:33 AM
to Reading Hackspace
Some caution on how you set this up is needed. I am assuming you are only allowing the specific port that you need. I am sure it is possible to set this up badly.

Stuart

--
Stuart Ward M +44 7782325143
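
Added example, not part of any post in this thread: a small checker for the SSH-tunnel route suggested above, confirming that an `sshd_config` accepts key pairs only and permits forwarding to a single target. The sample configs and the `127.0.0.1:80` target are constructed assumptions; only three keywords are checked and `Match` blocks are ignored.

```python
# Added example: the sample configs and the forward target are constructed.
# OpenSSH defaults for the three keywords checked, used when the file omits them.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitopen": "any",
}

def effective_settings(config_text):
    """Global settings as sshd reads them: the first value per keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if fields[0].lower() == "match":
            break  # conditional Match blocks are outside this check
        if len(fields) == 2:
            seen.setdefault(fields[0].lower(), fields[1].strip())
    return {key: seen.get(key, default) for key, default in DEFAULTS.items()}

def audit(config_text, allowed_target):
    """Return findings; an empty list means key-only login, one forward target."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is on: passwords still accepted")
    if s["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication is off: key pairs cannot be used")
    if s["permitopen"].split() != [allowed_target]:
        findings.append("PermitOpen is '%s', expected only '%s'"
                        % (s["permitopen"], allowed_target))
    return findings

TARGET = "127.0.0.1:80"  # assumed address of the OctoPrint web UI on the Pi
WEAK = "PermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = ("PasswordAuthentication no\nPubkeyAuthentication yes\n"
            "PermitOpen 127.0.0.1:80\n")
# A "no" appended after an earlier "yes" does not take effect.
APPENDED_FIX = "PasswordAuthentication yes\n" + HARDENED

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED),
                       ("appended fix", APPENDED_FIX)):
        print(name, audit(text, TARGET) or "OK")
```

The `APPENDED_FIX` case is the one to watch for when editing a stock config: sshd keeps the first value it reads for a keyword, so a hardening line added at the bottom of the file is ignored if the same keyword appears earlier.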
