Exposing OpenHAB 2 to the internet

scurrier03 · January 5, 2017, 6:08am

I do not see much on the forums about the security of OpenHAB when exposed to the public internet.

What’s the current guidance on exposing OpenHAB 2 to the internet?
Can it be very secure by taking only the obvious setup steps to employ certificates?
What are the gotchas and things to watch out for?
Are the security features of OpenHAB supplied by bog-standard open source implementations or by roll-your-own implementations developed by the OpenHAB devs?

I have OpenVPN, but would like the improved convenience and “always on” functionality of accessing OpenHAB outside of the VPN.

I have a PKI (so can easily make certificates), but I don’t know how secure the certificates are with the Android app (stored in the Android keychain?) and I don’t know what the risks are even if the certs are airtight.

Thanks for reading.

mstormi · January 5, 2017, 8:29am

The OH 1.x ‘security’ is documented here.
See links there to cert creation and Jetty config. You can import certificates into HABdroid.

However, last time I tried (quite some while back, admitted) I failed to get the corresponding cert based authentication working on the jetty web server side.
Generally speaking, I see little point in using PKI. You’re the only user, aren’t you ? PKI is on managing identities.
As long as you take care of general security guidance such as to use SSL and safe passwords, for authentication of a single user, a password is fine, too, in particular if you own client AND server side.

On 4), it’s standard stuff. OpenSSL, Jetty and the Java classes aren’t specific to OpenHAB.

Benjy · January 5, 2017, 8:59am

Note that that wiki is mainly aimed at openHAB 1.x although a few things apply to openHAB 2.0

Authentication within eclipse smarthome is being worked on, but for now protecting your server and its communication can be as simple as [setting up a secure reverse proxy] (http://docs.openhab.org/installation/nginx.html).

maxplay · January 27, 2017, 9:32pm

Hi all, i’m sorry maybe this is not the best place to ask …i’m using openhab 1.8.3 so maybe i should create another post…let me know or admin please just move it

I’ve read and followed guides but i don’'t quite get the appropiate answers. So i hope someone can help me out

my doubt is about Internet access to my OpenHAB Server; access through the Android app or the Web browser

I’m running openhab 1.8.3 on raspberry Pi
i’ve read https://github.com/openhab/openhab1-addons/wiki/Security
in config file i’ve security = ON
i also use: users.cfg
i can connect using http and https (8443)
Still don’t get 100% the idea of the Reverse Proxy…
I’ve followed jpmens guide on installing my own TLS certificates; and it seems to work ok…although i don’t see the point of doing this …

So i would like to connect with my Android phone, using the openhab App:

should i open my 8443 router/firewall port (forward it to my raspberry?)
What about the SSL options in the Android app, should i enable it? is there a guide on this? should i create new .p12 files and copy them to the phone?
what is the best/secure way of using the app from outside my network ? (from internet)

besides…following the link Security …i doubt if installing a new app in my phone to generate a VPN to my Server, or to use myopenhab service, and i said before, i don’t quite see the security of using a Reverse Proxy (i really don’t understand how that could provide more security…)

Any help is appreciated!!!
thanks!!!

mstormi · January 27, 2017, 9:42pm

The Reverse Proxy is meant for use with openHAB 2 as that does not have the security features of openHAB 1 such as user/password authentication and to restrict the range of IPs allowed to access. So in that case, you would implement authentication in the Reverse Proxy, and you can use user certificates for that.
In a 1.8.3 context, user certificates are pretty useless as jetty does not allow for cert based authentication.

maxplay · January 27, 2017, 10:04pm

@mstormi Thank you very much!

So i would discard the Reverse Proxy as i’m using 1.8.3 right now

As i understand:

i should keep using users.cfg
i will connect to URL using https on port 8443
because of that i will have to open 8443 and redirect it to the openhab server
restrict access for some IPs in my firewall

in the end:

try the connection from the openhab Android app to that https URL completing user and pass (without using/installing SSL certificates)

Any other advice is welcome!
Max

scurrier03 · January 28, 2017, 4:54am

If you’re opening something that is only password protected to the internet, you might want to think twice about that. I’d at least ensure that login attempt rate limiting is happening and that a few successive failures result in banning the IP so no more attempts can occur.

maxplay · January 29, 2017, 3:12am

Yes that’s true; i will stick to that for sure (probably with fail2ban…)

Are you doing external access to your openhab home/server also? android app? if so, can you share your experience? how to? or what are you using to secure the access?

Anyone else?

thank you very much!!!
Max

scurrier03 · January 29, 2017, 4:39am

I haven’t had a need yet but I started this thread because I am considering
doing so in the future with openHAB 2. I’d probably do reverse proxy and
certs. I already have a VPN but may not want to have to be connected to it.

ssvenn · January 29, 2017, 7:08am

For what it’s worth, running OpenVPN on my router and connecting to it with the iPhone client has worked really great for me. I set it up so it forces DNS through the tunnel, then the OpenHAB app is able to resolve the server name just like if it was connected through local wifi.