Does anyone know how to configure Openhab behind a FIOS router (and/or the router) for remote REST access?

I have a remote OH2 site behind a FIOS router. I can port-forward 8080 and 22 and successfully get http and ssh respectively to the running app, but when I try the REST interface from the UI grid it “freezes” with the header only — never returns the list of top-level REST categories.

cmdline netstat on the ssh’ed instances doesn’t show anything obviously different, but I could be missing something.

Have you looked into the openHAB cloud connection? You would be able to send the REST commands to an openHAB cloud and it would sync the change into the system behind the FIOS router; and best of all no port forwarding is necessary.

If you upgraded to M7, it suffers from: https://github.com/openhab/openhab2-addons/issues/4302
Upgrade to M8 if this is the case.

Please don’t port forward OH directly to the internet. It has absolutely no protection and honestly would not take much to completely pwn your system through OH.

There is no encryption when you port forward 8080, no authentication and authorization for either 8080 or 8443, and there is no way to just expose the REST API. And even if you could limit it to just the REST API, there is almost nothing you can’t do through the REST API.

For remote access I recommend the following in order of preference.

  1. myopenhab.org
  2. Create your own instance of Cloud Server on AWS or Azure or the like
  3. OpenVPN
  4. SSH tunnels using cert authentication, not just username and password.
  5. Installing your own instance of Cloud Server locally and exposing that to the internet. Use LetsEncrypt certs.
  6. Set up a reverse proxy using nginx or apache and implement authentication and authorization there. Use LetsEncrypt certs.

I strongly recommend against exposing OH directly to the internet.

TOTALLY agree. However:

  1. This is an experimental installation. Uninhabited remote site. STILL…
  2. Port-forwarding is only active when I am actively using it.
  3. For some things (e.g. openhabian-config for version upgrades, tweaks; git push/pull) you need CL access. SSH over a transiently exposed port with cert authentication is used.
  4. 8080 is transiently used to check that OH came up and to change some configs.
  5. REST is supposedly currently the only way to get zwave lock password assignments (Paper UI shows 2A 2A 2A…). Does not seem to be working in RC btw.

So if you already have the ability to SSH, why not tunnel through the ssh connection? Even limiting the amount of time it is exposed to the internet provides exceptionally limited if not no protection. Zmap can scan the entire IPv4 address space from a single computer in under an hour. Once detected, an attack can be launched and completed in microseconds.

I just don’t see any advantage to exposing OH to the internet under these circumstances and especially since you already have a secure way to access the machine through ssh. Just open a tunnel and you can access OH’s 8080 port through the tunnel and avoid the risk?

Tunnels can be set up through putty, the command line and many other ways and there are tons of tutorials on the internet. You can even set up an ssh timer on your Android phone using juicessh (I don’t know about iPhones). I wrote a tutorial on that here somewhere a while back.
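The tunnel approach the reply above describes, written out as an added example that is not part of the original thread or of openHAB's own tooling. It assumes a hypothetical remote host `oh-remote.example`, SSH user `openhabian`, a key at `~/.ssh/oh_ed25519`, and openHAB listening on port 8080 on the remote side; all of those are placeholders. It also adds the check a practitioner wants after opening any local forward: that the forwarded port is bound to loopback only, because `-g` / `GatewayPorts yes` would quietly re-expose the unauthenticated 8080 on the machine you tunnel from. The two `ss -ltn` listings are constructed samples so the check runs offline.

```shell
#!/bin/sh
# Added example: reach a remote openHAB 2 REST API only through an SSH local forward,
# and verify the local end of the forward is not exposed beyond loopback.
# Hypothetical values; override via environment.
OH_HOST="${OH_HOST:-oh-remote.example}"
OH_USER="${OH_USER:-openhabian}"
OH_KEY="${OH_KEY:-$HOME/.ssh/oh_ed25519}"
LOCAL_PORT="${LOCAL_PORT:-18080}"   # local side of the forward; remote side is 8080

# "$1" is the program given the tunnel arguments: `ssh` opens it, `echo` shows it.
# Key-only auth (no password/keyboard-interactive), abort if the forward cannot be set up,
# and bind the listener explicitly to 127.0.0.1 rather than relying on defaults.
ssh_tunnel() {
  "$@" -i "$OH_KEY" \
    -o IdentitiesOnly=yes -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no \
    -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
    -N -L "127.0.0.1:$LOCAL_PORT:127.0.0.1:8080" \
    "$OH_USER@$OH_HOST"
}

# Query the REST root through the tunnel; nothing here ever talks to the public IP.
rest_probe() {
  curl -sSf "http://127.0.0.1:$LOCAL_PORT/rest/"
}

# Inspect `ss -ltn` style output for listeners on $1.
# Exit 0: listened on loopback only. 1: bound to a wildcard/public address. 2: not listening.
listener_scope() {
  port="$1"
  listing="$2"
  printf '%s\n' "$listing" | awk -v p="$port" '
    $1 == "LISTEN" {
      n = split($4, a, ":")               # $4 is Local Address:Port
      if (a[n] != p) next
      host = substr($4, 1, length($4) - length(p) - 1)
      seen = 1
      if (host != "127.0.0.1" && host != "[::1]" && host != "localhost") exposed = 1
    }
    END {
      if (!seen) exit 2
      if (exposed) exit 1
      exit 0
    }'
}

# Constructed sample: the forward above opened correctly (loopback v4 and v6 only).
SAMPLE_GOOD='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:18080     0.0.0.0:*
LISTEN 0      128    [::1]:18080         [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# Constructed sample: same forward opened with -g / GatewayPorts, now reachable by anyone
# who can reach this machine, which recreates the exposure the tunnel was meant to avoid.
SAMPLE_BAD='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:18080       0.0.0.0:*'

case "${1:-check}" in
  connect)
    # Foreground tunnel: Ctrl-C closes it, so 8080 is reachable only while you use it.
    ssh_tunnel ssh ;;
  probe)
    rest_probe ;;
  live)
    # Check the real local listener table (Linux `ss`) instead of the samples.
    listener_scope "$LOCAL_PORT" "$(ss -ltn)" && echo "tunnel port is loopback-only" ;;
  *)
    printf 'Tunnel command: ssh %s\n' "$(ssh_tunnel echo)"
    if listener_scope "$LOCAL_PORT" "$SAMPLE_GOOD"; then
      echo "sample A: loopback-only, OK"
    fi
    if ! listener_scope "$LOCAL_PORT" "$SAMPLE_BAD"; then
      echo "sample B: tunnel port bound beyond loopback (GatewayPorts/-g?), NOT OK"
    fi ;;
esac
```

Run `sh tunnel.sh connect` in one terminal, then `sh tunnel.sh probe` (or point a browser at `http://127.0.0.1:18080/`) in another; `sh tunnel.sh live` confirms the listener is loopback-bound on a Linux host. The same `-L` arguments map onto PuTTY's Connection > SSH > Tunnels page, where "Local ports accept connections from other hosts" must stay unchecked for the same reason.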