Best way to connect

What's the best way to connect to openHAB over the internet?
My router is an RT66 running Tomato firmware, which takes care of the DNS server and opening ports.
I have forwarded a port to my Raspberry server but am still unable to connect to it. I have had a look at the guide but got a bit lost; any pointers in the right direction would be helpful.
Thanks
Stuart

Maybe easier to just use the myopenHAB cloud service to safely open your openHAB setup to the internet.

3 Likes

I like to have full control myself without having to rely on others

The fact that you are asking this question is strong evidence that you do not possess the skills required to expose any service like this to the internet safely.

Creating a port forward on your firewall like this is opening the door to anyone to come and attack you. And don’t think you can hide easily. Go search for your IP address on shodan.io. All someone has to do is search for all IP addresses with port 8080 or port 8443 open (please tell me you are at least exposing the encrypted port) and you are now a target.

So you need to know how to protect that port with encryption and authentication/authorization. You need to know how to verify that the encryption and authentication is working and not easily bypassable. You need to know how to monitor that port and identify when you are under attack and discover when an attack was successful.

It is almost a full time job. Unless you want to change your hobby from home automation to network security, don’t do it.

That being said, the recommended approaches for remote access, in order of preference:

  1. Use myopenhab.org (this is the only way to get support for Google Assistant, Alexa, or to use the openHAB Channel in IFTTT)
  2. Install your own version of the openHAB Cloud Service on AWS or some other cloud hosting service and use that
  3. OpenVPN or some other private VPN service (Tomato can run an OpenVPN service I believe). Require password and cert authentication. You will need to monitor this service like a hawk. If the version of OpenVPN supports it, set up the OpenVPN port to not respond in a scan so it doesn’t show up in shodan.io and other databases.
  4. SSH tunnels, require only cert authentication or both cert and password; avoid password only authentication. If possible, set up the ssh port to not respond to a scan so it doesn’t show up in shodan.io and other databases.
  5. nginx or Apache reverse proxy using a Let's Encrypt certificate for encryption and configured to add authentication (see Securing Communication and Access | openHAB). This WILL show up in shodan.io and other databases so you must be extra vigilant in monitoring this port.

Never never ever expose a non-encrypted and/or non-authenticated port to the internet. And for the time being there is no authentication in OH so never never ever expose OH to the internet directly.

4 Likes
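The "monitoring this port" that option 5 calls for, as an added example that is not from this thread or from the openHAB project: a small Python script that parses nginx access-log lines from a reverse proxy in front of openHAB and flags client IPs that rack up repeated authentication failures, or that succeed after failing. The log lines are constructed, and the failure threshold and time window are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed nginx "combined" access-log lines for a reverse proxy in front of
# openHAB; a 401 means the proxy's own auth layer rejected the request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2019:14:02:01 +0000] "GET /rest/items HTTP/1.1" 401 188 "-" "python-requests/2.21"
203.0.113.7 - - [10/Mar/2019:14:02:03 +0000] "GET /rest/items HTTP/1.1" 401 188 "-" "python-requests/2.21"
203.0.113.7 - - [10/Mar/2019:14:02:05 +0000] "GET /basicui/app HTTP/1.1" 401 188 "-" "python-requests/2.21"
198.51.100.20 - stuart [10/Mar/2019:14:05:10 +0000] "GET /basicui/app HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
203.0.113.7 - admin [10/Mar/2019:14:06:31 +0000] "GET /rest/items HTTP/1.1" 200 9000 "-" "python-requests/2.21"
"""

# Prefix of the combined format: client, ident, user, [timestamp], "request", status.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m['ip'], 'user': m['user'], 'ts': ts, 'req': m['req'], 'status': int(m['status'])}

def find_auth_abuse(log_text, threshold=3, window=timedelta(minutes=5)):
    """Flag IPs with `threshold` or more 401/403s inside any `window` (password guessing),
    and IPs that got a 2xx/3xx after earlier failures (a guess that may have succeeded)."""
    failures = defaultdict(list)
    success_after_failures = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec['status'] in (401, 403):
            failures[rec['ip']].append(rec['ts'])
        elif rec['status'] < 400 and failures.get(rec['ip']):
            success_after_failures.add(rec['ip'])
    brute_force = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                brute_force.add(ip)
                break
    return {'brute_force': sorted(brute_force),
            'success_after_failures': sorted(success_after_failures)}
```

Feed it the real access log of the proxy (for example via a cron job) and alert on anything it returns; the threshold and window are starting points, not tuned values.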

I can open and close the port in the router remotely as needed, so I'm not too worried about it being exposed, as it will only need to be open if I want to change thermostat settings. So option 5 will be the best for me by the look of it.

Thanks for the advice. Stuart

That approach will not provide as much protection as you think. I can’t remember the last figure I saw but it was around 15 seconds for a well known port (which 8080 and 8443 are) to start to be probed and attacked once exposed to the Internet. But this was a figure from at least three years ago. It is probably much faster now.

Won't be using that port; with forwarding in the router I can forward any port to any port, i.e. I can do 4000 to 8080, and it won't be used very often, but thanks again.

Just to check I'm not exposed, as it's been several weeks. I was surprised at the amount of info found in the US only. Some interesting MQTT topics floating around.

Thanks for the reminder to check.

@stuart22
Don’t do it.
It doesn't matter whether it will be used often or not. The port will remain open and vulnerable.
Listen to @rlkoshak, he works as a sec admin for a govt department and he knows what he is talking about.
If you punch a hole in your firewall, you WILL be hacked. It’s only a matter of time.

3 Likes

Thanks for the replies. I will set up a VPN within my router, as Tomato has OpenVPN built in.