Is there a way to safely use the Remote Binding over the Internet? [Solved]

The way to connect 2 devices safely over an untrusted network IS by using a VPN. Wireguard gives you an interface on both sides and you simply route whatever you want over that tunnel.

The safest type of service is one that isn’t available at all on the internet, so if you have the option of just tunneling everything you need over WG (or any other VPN tunnel for that matter) and not having anything else exposed, then that’s definitely the recommended option.

Not that this needs to turn into an advertisement for wireguard, but it will allow you to have multiple tunnels and therefore interfaces. So you could use your home firewall to connect either directly to the device on the other side or to the firewall on the other side, as well as having your personal device(s) create separate tunnels when you’re not at home.

You could use anything else (OpenVPN, tailscale, tinc, IPsec) but if you have wireguard running, stick to that.

@BigGeorgeTx since your installations are pretty far from each other I doubt they have anything in common. Why do you try to get a remote connection between these?

Good question - what is the use case?

I have two uses in mind.

  1. Some services that I use in both places, which are used by some bindings, get cranky if they are polled too frequently, and having two different instances polling doubles the load and increases the risk they will time out.
  2. I want them to have a health check on each other, so that I can tell or be notified when one system is down.

There may be better ways to address each of those issues, but the Remote openHAB Binding seems to open the door for both of them.

Thanks @pacive . This looks like the solution I had in mind.

After skimming it and playing Duck Duck Go with it, the lightbulb moment for me was that all Wireguard connections are peer-to-peer, so I just need to add the configuration for one more peer on each machine, with the new peer being the other machine. I already have the port open and forwarded for Wireguard that I use with my laptop, tablet or phone.

I will study the DigitalOcean How To and my existing Wireguard configuration and see if I can figure out how to add the new connection.
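A concrete version of the “one more peer on each machine” idea, as an added example that is not from this thread or the openHAB project: the 10.0.0.x tunnel addresses, the hostname, the port and the key placeholders are assumptions. AllowedIPs is kept to the other host’s single tunnel address so only the two openHAB servers can talk, not the whole LAN behind either side.

```ini
# Generate a key pair on each side (real wg commands):
#   wg genkey | tee privatekey | wg pubkey > publickey
# Exchange only the public keys; the private key never leaves its host.

# ---- Site A (home server that already runs WireGuard): /etc/wireguard/wg0.conf ----
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820                 # assumed: the UDP port already forwarded on the router
PrivateKey = <SITE_A_PRIVATE_KEY>  # placeholder

# Existing road-warrior peers (laptop, phone) stay exactly as they are.
[Peer]
PublicKey = <LAPTOP_PUBLIC_KEY>    # placeholder
AllowedIPs = 10.0.0.2/32

# NEW peer: the remote openHAB server at site B.
[Peer]
PublicKey = <SITE_B_PUBLIC_KEY>    # placeholder
AllowedIPs = 10.0.0.10/32          # only B's tunnel address; no LAN route is created
# No Endpoint here: B initiates and A learns B's public address from the handshake.

# ---- Site B (remote openHAB server, behind NAT): /etc/wireguard/wg0.conf ----
[Interface]
Address = 10.0.0.10/24
PrivateKey = <SITE_B_PRIVATE_KEY>  # placeholder
# No ListenPort and no port forward needed: B only makes outbound connections.

[Peer]
PublicKey = <SITE_A_PUBLIC_KEY>    # placeholder
Endpoint = home.example.net:51820  # placeholder hostname; same port the phone/laptop use
AllowedIPs = 10.0.0.1/32           # only A's tunnel address
PersistentKeepalive = 25           # keeps B's NAT mapping alive so A can reach B

# Bring up and verify on both sides (real commands):
#   wg-quick up wg0
#   wg show wg0        # "latest handshake" must appear for the new peer
# The Remote openHAB binding on A then points at http://10.0.0.10:8080,
# and on B at http://10.0.0.1:8080, so openHAB's REST API is never on the internet.
```

If site B also has a forwarded port, add an Endpoint on A’s side as well and either side can initiate; the keepalive is only needed on a peer that sits behind NAT without a forwarded port.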

I will turn this into an advertisement for Tailscale. It is a network overlay on top of wireguard and it’s super simple to set up and use. If setting up wireguard or any other VPN system on your own feels daunting, I recommend giving them a look. And it works without opening any ports on the firewall.

One “thinking outside the box” solution could be to use MQTT with a cloud MQTT provider (e.g. CloudMQTT). Using the MQTT EventBus you could link the two instances over the internet without opening any ports and messing with VPN.

You’ve already got Wireguard going so definitely go with that as it offers other benefits but I wanted to mention this option for future readers.


If you have myopenHAB cloud setup for your remote server, I believe you just have to use your myopenHAB URL (and HTTPS) when setting up your thing for the remote openHAB binding. This is the easiest way which is secured too.


As a reminder, this enhancement has been available for several months:


The myopenhab.org approach though gets a bit more complicated because there might be two layers of authentication to get through: first, authentication with the myopenhab.org service, and second, authentication with the openHAB REST API itself.

I tried to help someone do some REST requests through myopenhab.org and we got stuck on that part. Though the Remote openHAB add-on has more ability to handle that than curl does.

Yes, this is correctly managed by the binding. You have to provide username and password as settings in this case.


Thanks. I missed that option, which sounds very simple. Though adding a peer to Wireguard looks like it won’t be too difficult. I may try both and report back.

Thank you for this! I previously had port 443 forwarded to my OH server (protected by client cert auth through nginx), and also port 500 open for L2TP/IPSec on my router for when needing ssh access etc. After reading up on Tailscale however, I decided to go with that instead and close down all ports. Will keep the IPSec open a while longer until I have tested it thoroughly, but initial tests seem promising!

I’d say that the main thing of Tailscale is the orchestration they built on top of WireGuard. Normal WireGuard requires you to keep configs and forwarding rules in sync. It is manageable for semi-static setups. You can route VPN traffic through one coordinator node.
The NAT hole punching which Tailscale does can be avoided with WireGuard tunneled over TCP. It does limit its maximum speed, but that’s in practice what I had to do in order to get WireGuard working with installations I have behind a cellular network.

Cheers,
Łukasz

Well, its prime benefit is to ease setup and maintenance to an extent that you don’t even have to care about IP addressing or firewalling.
Which is even more beneficial to people that “just” want to run OH and don’t know how to handle all of that themselves. It is even comfortable for those who do, and it avoids human errors in doing so.

And just as a sidenote, it can do a lot more, like routing control, DNS and centralized user-specific VPN-wide filtering. The latter I like a lot.

FWIW, tailscale can be installed from openHABian menu.

?? at the cost of some statically exposed port and the need to configure forwarding
I wouldn’t know how to overcome any firewall without some entry hook, and these are prime targets for the bad guys out there.
And the ‘hole punching’ is just to open the wireguard-protected channel.

If you have a closer look at what Tailscale does - they do TCP as well, because this is the most reliable way for clients to establish an initial connection to their server. You can’t rely on UDP as first touch in multiple cases because it will fail for multiple reasons (hence the whole hole punching idea).
I don’t get the whole mysticism of why opening a port on a VPN server is a danger. This is what servers were made for. It is important for clients to stay hidden. With TCP it works even without hole punching. :wink:

Well … my understanding is that the “hole punching” (which you seem to consider something insecure and bad per se ?) is only temporary and an additional layer just needed to establish the wireguard-protected channel.
I don’t want to turn this into some sophisticated security discussion but the thing is without this layer, the port on the VPN server is a visible entry hook.
Yes clients should be hidden but (also) hiding the VPN server (router) is even better.
Note my assumption is the most common setup with WireGuard: VPN server = VPN router (tunnel endpoint, port usually forwarded on the firewall, which BTW also is hole punching), while with Tailscale there’s an external VPN server (not a tunnel endpoint) for the initial preparations like key exchange and tunnel creation.

If you run any such peer-2-peer setup in the wild and have an IPS then you will notice many attack attempts on ports 59000 (wireguard) or 500 (IPsec) (port numbers are from memory, too lazy to lookup).

And the main looming danger is the admin user.
In our home automation context it’s often amateurs who configure the VPN server/router, making all sorts of amateur errors like keeping default passwords or demo certs or fully exposing the server IP.
Plus it’s a lot to configure, with lots of room for errors, and human mistakes are common, even for pros.
All of this Tailscale protects you from simply because a) it does most stuff automatically and b) there is no amateur-operated entry point for attacks.

I can add that I took the very big risk of switching a remote machine (over 100 miles away) from OpenVPN to Tailscale and it worked like a champ. I sshed to the machine over OpenVPN, installed Tailscale, ran tailscale up, verified that it was online and reachable via the Tailscale IP and closed down OpenVPN. Very smooth and pain free.

This is why I recommend it. Even reading the sentences…

will scare away a whole bunch of users. It’s well beyond what many users are capable of or are willing to learn how to do.

VPNs are great! If you have the time and the skills to set it up and manage it at that low of a level, more power to you. In fact Tailscale may be too confining for you and may not be a good fit. But software/services like Tailscale bring all the benefits of a VPN with none of the complexity, which is huge. It’s really as simple (on Linux) as installing it and running tailscale up.

Indeed, I meant to mention that. If I didn’t I apologize because it’s a very important point.

I don’t think it’s mysticism but it is a security “low hanging fruit”. If one exposes a port, even a VPN port, to the Internet, then the automated attack systems will see that port and commence the attacks. If one uses a port different from the default, that provides a little bit of protection against those sorts of automated attacks. If your port doesn’t appear at all then that’s even better. If there is no port detected then there is no way to probe it to see what’s running there. There is no way to deploy metasploit to try out the known vulnerabilities for that service.

It’s not perfect security by any means but it’s reasonably effective against some of the most common attack vectors.

Guys, with all respect, the OP already has a VPN setup which works for him. I feel welcome that you wish to continue the topic given the scarce amount of new messages on this forum.

I rather consider it a subject of extra friction which is impacted by the actual network setup. Each network is different, hence making successful hole punching a challenge. That’s why making a run with TCP is the most reliable way.

Hence it is easier to manage the security of a singular port and a singular service than a bunch of random ports across random services. I run WireGuard myself, I did use ssh tunnels, and with even a bit of self-consciousness it can be made good enough so none of the robots will crack it.

We don’t talk here about user errors but about you advertising Tailscale. Making arguments about default passwords within the context of a VPN setup does not bring any value.

Hence for security reasons we agreed to have port 80 for HTTP services. :wink: I get that VPN is a different sort of service since it gives you access to a network and not only a single application exposed by an HTTP server.

I appreciate your enthusiasm towards Tailscale, yet keep in mind it is a commercial product and not an open source project. As experience says in multiple fields - if a service is free then you are the product. Even if Tailscale is based on WireGuard, which is open, it still has closed bits.
I don’t think you would be so “hooray” if I brought another commercial service offered for free to OH users and started advertising it in multiple topics to everyone because of the smooth experience it gives.

Hence please enjoy Tailscale and keep calm.

If it was a service that takes something that is out of reach for most users to set up and use on their own and makes it so they can set it up and use it on their own then yes, I would welcome it and help promote it myself. I won’t apologize for trying to help users on this forum.

Raspberry Pi OS has closed bits too, should we not recommend it? Should we not build openHABian on it? InfluxDB, MySQL, Grafana and others have commercial versions. Should we not recommend their use?

You don’t like Tailscale. That’s fine. But I will continue to promote its use for those of whom setting up Wireguard or OpenVPN or some other purely open source option is out of reach. Better to use something that has closed bits than to put an unprotected openHAB on the internet directly.

Their business model is pretty much the same as any open source type company including many commonly used by OH users today such as Grafana, Influxdb, etc. as well as services many here use like CloudMQTT. They offer a free tier with limited capability with paid plans for those with higher needs.

All of the Tailscale client software is open source with a BSD 3-clause license. The “closed bits” is the coordination server, for which there are people who have already written and released alternatives that are fully open source (e.g. GitHub - juanfont/headscale: An open source, self-hosted implementation of the Tailscale control server). There’s no vendor lock-in here.

Please don’t use this comparison because then you are spreading large misinformation. In all of the above cases the situation is completely different. For Grafana, MySQL and InfluxDB you can run the whole thing on premises without letting them touch the outside network or share any statistical information.
In the case of CloudMQTT you have an online message broker which does not run an agent in your local network (you manage an agent connected to it). Moreover, none of these is managing your network traffic. Comparing also an operating system, which may include some proprietary drivers for specific hardware the user wishes to use, is a far stretch.

I don’t have any problem with Tailscale. I just reminded you that each free service is paid for in some way. Ways which you might not know upfront. Professionals and infrastructure which work on their product have to be paid with real money and not thankfulness. I saw multiple messages of yours advertising Tailscale and this is the first time I see headscale mentioned. You’re making progress. :wink:
Here, in the privacy-concerned corner of the universe, it’s worth keeping balance.

OK, you don’t like my comparisons. I don’t see them as spreading misinformation. Your objection was that Tailscale is a company offering something for free with some proprietary bits and a paid tier. All the software I mentioned also offers something for free with some proprietary bits and a paid tier where they make their money.

Maybe a more apt comparison would be Bitwarden.

At least in the US each company is required by law to disclose what information they collect and what they are allowed to do with it. Tailscale’s disclosure can be found at Privacy Policy · Tailscale

The relevant bits include:

We collect and use information only on behalf of our Customers, and do not use such information for any other purpose except as set out in this privacy policy or as required or permitted by applicable laws.

To create and administer your account: You do not have to create a Tailscale account to visit our website or download our client applications. However, you will be required to create an account in order to use the Tailscale Service. To create and administer your account, we will collect information such as your email address, as well as your first and last name. We will ask you to authenticate, using your email address, with your domain’s corresponding OAuth2 or SAML provider.

When you log into our product through these third-party sites, we may collect certain information associated with your account on the third party’s site (e.g., name, username, email address, profile picture, gender) in order to create and manage your account, or as part of the operation of the third party’s website, plug-in or application.

We collect information about our Customers’ use of the Tailscale Service, including information about each device used (such as the type of device hardware, hostname, all IP addresses, internal and private network routing information, operating system version, cryptographic public key, user agent (where applicable), the version of the Tailscale software installed, aggregate usage information (such as timestamps and connection logs between devices, as well as the sum of data transferred between devices by a given user), language settings, and the date and time the app accesses our servers). We use this information to provide, monitor, and manage the quality of our services, as well as to provide technical assistance. In some cases, The Tailscale Service uses this information to assist in establishing connections between pairs of devices.

We do not sell or disclose your personal information to third parties without your consent, except as set forth below or as required or permitted by law.

Service providers: Your personal information will be transferred (or otherwise made available) to certain third parties that provide services on our behalf. We use service providers to provide services such as hosting the website, operating certain of its features, processing payments, providing authentication services, data analysis to better understand and improve product and website usage, and providing advertising and marketing services. Our service providers are only provided with the information they need to perform their designated functions and are not authorized to use or disclose personal information for their own marketing or other purposes. Our service providers may be located in the U.S., Canada or other foreign jurisdictions.

Legal and compliance: We and our Canadian, U.S. and other foreign service providers may provide your personal information in response to a search warrant to other legally valid inquiry or order, or to another organization for the purposes of investigating a breach of an agreement or contravention of law or detecting, suppressing or preventing fraud, or as otherwise may be required or permitted by applicable Canadian, U.S. or other law or legal process, which may include lawful access by U.S. or foreign courts, law enforcement or other government authorities. Your personal information may also be disclosed where necessary for the establishment, exercise or defence of legal claims and to investigate or prevent actual or suspected loss or harm to persons or property.

Sale of business: We may transfer any information we have about you as an asset in connection with a proposed or completed merger, acquisition or sale (including transfers made as part of insolvency or bankruptcy proceedings) involving all or part of Tailscale Inc. or as part of a corporate reorganization or other change in corporate control.

tl;dr: they collect what they need to make the service work and monitor the health and status of the system. They share just what is required by their service providers to do their job or where required to by law. And of course if they are bought, the data goes to the new company.

This is not a company that makes money off of selling information about its customers. They make money because if you are trying to use it for anything more than a home network you will need to pay for a plan.

Believe it or not I really did do my homework on this. I’m not just blindly promoting them. I looked at who they are, where they came from, the company’s history, how it works technically, the licenses, privacy policy, and more.

I’ve also set up and used OpenVPN configured by hand, Wireguard configured by hand, PIVPN, various OpenVPN wizards on various firewalls and gateways.

Tailscale is the first where I was able to send an email to my dad with three simple steps to install it and get connected that he was able to follow. This is the same person who I constantly have to answer “I saved a file, where did it go?” questions. And so I promote it to users for whom setting up a VPN using these other methods is too hard for them or too daunting.

Of course not. Why would I? If a user has the ability to install and set up headscale they would have the ability to set up Wireguard or OpenVPN in the first place and wouldn’t need Tailscale. And if they wanted Tailscale but did not want to use their “closed bits”, they can do the same search in DuckDuckGo that I did after reading in Tailscale’s own documentation that it’s possible to code your own coordination service.

I’ve never said everyone should use Tailscale. I didn’t recommend the OP switch to Tailscale. I’ve always said people who are unwilling or unable to deal with the complexities of setting up a VPN on their own should look at Tailscale. And I stand by that recommendation. And I will keep making that recommendation.