Issue of the topic:
I am a beginner and I hope I am posting in the right area (apologies if not), and I have searched to see if anyone has accomplished this but I have not found anything.
I have a cellular-enabled Raspberry Pi 3B+ (using Sixfab's 4G/LTE Base Shield V2 and the EC25 Mini PCIe 4G/LTE Module). I want to enable openhab in homes that do not have access to Ethernet nor WiFi (the elderly do not need internet, for example). Currently openhabian is configured to look for Ethernet and you can change this to WiFi by adding the SSID of your WiFi network using openhabian-config. How can I configure openhab to use the cellular network from T-Mobile/Sprint/AT&T, for example? I can use [sudo ifconfig] to find the current IP address on the Pi once it connects to the cellular network.
Note: I realize that if I'm using a cellular network I would probably not be able to access the openhab UI via the local 8080. This is okay, I will write up some code that would send the data I need (most likely a SQL with the event log) via an HTTP request to a local server I have.
OH is not designed to be placed on the Internet directly; since your scenario is what it is you may want to place a static IP on the Pi ethernet interface and set up an OpenVPN client, or at the very least SSH tunneling. With either option you will also need to set up ufw to prevent access attempts to the Pi.
Hmm, yes that makes sense for security reasons. If I did use a VPN and used a static IP, do you then think it will work with cellular internet? I have seen some threads on securing OH to prevent access. I will also have a password on it.
So here’s your big challenge. Let’s ignore the security problems for a moment.
First, cellular data tends to be expensive and openHABian downloads something like one gig or more when it sets itself up. You would be far far better off setting up openHABian once on wifi (at home). Then configure that already set up image to use the cellular network. Then clone THAT already set up SD card for use in the RPis that actually get deployed.
The next big challenge is, again ignoring security, how are you going to access this device? The cellular network is going to assign some IP address to the device and you don’t know ahead of time what that IP address will be nor do you have any control over what that IP address will be. So how do you discover what publicly facing IP address your RPi was assigned? What do you do when it changes?
This one is probably easier to solve. I’d recommend using myopenhab.org for remote access to OH itself and one of the various remote access services for RPi that are offered. Then you don’t need to know what the IP address of the RPi ends up being. Also, that lets you address security by setting up the host firewall to reject ALL incoming connections. You can do this because OH initiates the connection to myopenhab.org and the RPi initiates the connection to the remote access service.
Just a username and password is not sufficient protection to put any computer on the Internet nakedly. And, not to be harsh, but if you had the knowledge and skills to protect and monitor a computer directly exposed to the internet you wouldn’t be asking this question. It takes a lot of work and a lot of continuous monitoring to do this safely and even companies with whole teams of experts fail to do this safely.
A VPN is another way. The RPi will only be exposed to the Internet for a brief moment while booting while it works to establish the connection to the VPN. Once it connects to the VPN, the remote RPi will appear as part of your local network and if properly configured, will not be exposed to the internet.
But don’t ignore that brief exposure to the internet. There are literally tens of thousands of active bots out there that can detect and attack your machine within a second of your machine appearing on the network. The briefness of the connection is only a very tiny bit of protection.
Again, a firewall like UFW can help as you can configure it to reject connection attempts except from certain IP addresses. That would essentially only allow connection from your LAN, making it refuse all connections during that brief moment when it is connecting through the VPN.
Doing this and doing it safely is hard. Doing it without the protection from a residential gateway is even harder. Good luck!
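The firewall policy described in the replies above (reject all incoming connections, let the Pi initiate its own outbound connections to the VPN and to myopenhab.org, and accept admin traffic only from the home LAN), as an added example that is not part of any original post. The interface name tun0, the subnet 192.168.1.0/24 and the ports 22 and 8080 are assumptions; adjust them to what your VPN actually presents.

```shell
#!/bin/sh
# Added example: default-deny inbound ufw policy for a Pi on a cellular link.
# Assumed values (not from the thread): tun0, 192.168.1.0/24, ports 22 and 8080.
VPN_IF="${VPN_IF:-tun0}"              # VPN tunnel interface (assumption)
HOME_LAN="${HOME_LAN:-192.168.1.0/24}" # addresses allowed to reach the Pi (assumption)
ADMIN_PORTS="${ADMIN_PORTS:-22 8080}"  # SSH and the openHAB UI

# Print the ufw commands, one per line, so they can be reviewed before use.
ufw_plan() {
  # Nothing arriving on the cellular interface is accepted.
  echo "ufw default deny incoming"
  # The VPN client and the myopenhab.org connection are outbound; replies
  # to connections the Pi opened are still accepted by ufw's state tracking.
  echo "ufw default allow outgoing"
  # Admin ports are reachable only through the tunnel, only from the home LAN.
  for p in $ADMIN_PORTS; do
    echo "ufw allow in on $VPN_IF from $HOME_LAN to any port $p proto tcp"
  done
  echo "ufw --force enable"
}

# Apply the plan; stops at the first failing command. Needs root.
# Do this from the console or over the tunnel: enabling a deny-by-default
# policy can cut an SSH session that arrives on any other interface.
apply_plan() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; return 1; }
  sh -ec "$(ufw_plan)"
}

# Default is a dry run that only prints the commands.
if [ "${1:-}" = "--apply" ]; then apply_plan; else ufw_plan; fi
```

Once enabled, ufw is also started at boot, so the policy is in place before the cellular link comes up. Check the result with `sudo ufw status verbose`.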
Thank you Rich! I was not aware of myopenhab.org. This is a great way to access the Pi remotely as you said. I just set it up and I am playing with it now. (I may be doing something wrong, but if I try to look at the frontail log it times out.) Could I find the IP address of the Pi from myopenhab.org?
The plan was to do as you said, initially download openhabian via Ethernet and then configure it to use cellular. Configuring it to work on cellular is what confuses me, but I assume it is possible. Do you have any advice for this?
I most likely will not remote access the pi or the openhab UI often. My plan was to write some code via rules to send me events/logs that are triggered to a secure remote server via http requests.
(MY GOAL: I want to be able to passively monitor my grandparents, and use habits such as walking in and out of the bathroom, etc, as determinants of their overall health)
If I succeed in this endeavor I will update this post with my tips for others.
You aren’t doing anything wrong. myopenhab.org only proxies OH traffic. Frontail is a third party tool and so not available.
Not that I know of. You can set up an Exec binding and Rule to run ifconfig and send you the result in an email or notification or something.
None, I’ve never done it nor seen it done.
I do the same for my dad. I use a VPN to connect the RPi I have deployed at his house to my home network and I use the MQTT 1.x Event Bus configuration to have his OH instance report to my main OH instance. Then I have Rules to send me alerts when, for example, the motion sensor has not triggered in too long of a time.
Right now it’s very unintrusive but I will add more stuff when/if his health turns for the worse.
There is a solution already available to report a public IP within OH. I modified the setup to send me a Telegram notification so I know if I get an IP change and my dynamic DNS doesn’t update correctly.