I am very happy with the way my.openHAB lets me remotely access my system, receive notifications, etc… I was even more happy when I suddenly realized that I could actually access my sitemaps - something that was not immediately clear to me.
As I understand it, the last point is achieved by letting my.openHAB act as an HTTP proxy, relaying this communication between the cloud and my local system using a secure tunnel.
Now, the only thing that remains on my wish list is to be able to do remote maintenance on my local system. Would it be possible to enable a proxy function for VNC through my.openHAB for this purpose?
Is there anything (e.g. technical issues, security issues, etc.) preventing this?
I’d let the experts weigh in, but I think that would be way outside the boundary of what my.openHAB should do. VNC is pretty insecure and I personally wouldn’t want it opened up to the internet directly like that. If you must use VNC, it is far better to tunnel it through an SSH session.
I may be wrong but I thought my.openHAB was actually based on using a secure connection from my client PC (e.g. at work) to the my.openHAB cloud server and another secure connection from my.openHAB to my local openHAB instance.
If so, I don’t see the security issues with going through my.openHAB. I agree that it is probably a bit “outside the boundary”, though.
I can certainly use ssh directly from a remote client to my local openHAB box, however, that would require me to open ports in my residential gateway. I am by no means a security expert but I believe the collective vote of the “internet” (by Googling the topic) is to avoid opening ports in your gateway unless there is no other option.
The alternative would be to use a cloud service where both units (remote client and local openHAB box) connect to the cloud server and communication between the two is bridged. In this way there are only outgoing connections going through my gateway.
Enter the idea of letting my.openHAB support such bridging of communication. Writing this I realize that what I really want/need is SSH to my local openHAB box. I jumped a step too far - and thereby confused the matter - by referring to VNC.
I have changed the subject of the topic to indicate SSH instead of VNC.
True, if this were implemented to tunnel the VNC traffic through the encrypted my.openhab.org traffic it would indeed be secure. But I still maintain that this is outside the scope of what my.openhab.org would do. I’m not sure they would want to spend the time to implement or the computer resources necessary to support this for all their users. There are dozens of other ways to do this outside of my.openhab.org. Though I’m just a user so who knows what the developers think.
There are ways to mitigate the risk created by opening a port to the internet for SSH. One is to use a non-standard port, though that is pretty weak protection. A stronger protection is to configure your ssh so it only allows logons from computers that present the right certificate. Then it requires a cracker to both discover your opened port and have possession of your certificate.
Finally, if you still want to avoid opening a port, you can set up a VPN connection. I know there is more than one service that will let you do this but I’ve only had experience with LogMeIn’s Hamachi which worked very well but at the time didn’t have a free Android client so I don’t use it anymore. There are similar services like TeamViewer which might work as well.
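As an added example (not part of the thread, and not openHAB's or OpenSSH's own code), here is the sshd side of the "only allow logons with the right key" mitigation described in the post above: two constructed sshd_config fragments, the default-ish one and a hardened one, plus a small audit in POSIX sh/awk that reports the settings an attacker who has found the open port would care about. The account name `openhab` and the port 2222 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): sshd_config hardening for an SSH port
# exposed on the Internet, with an audit that checks the effective settings.
# Assumes POSIX sh and awk; the user name "openhab" and port 2222 are made up.

# Constructed "before": default port, password logins on, root allowed.
WEAK_CONFIG='Port 22
PasswordAuthentication yes
PermitRootLogin yes'

# Constructed "after": key-only logins restricted to one account. The
# non-standard port hides nothing from a port scan, so it is listed last.
HARDENED_CONFIG='PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AllowUsers openhab
MaxAuthTries 3
Port 2222'

# sshd_effective KEY CONFIG -> the value sshd would apply for KEY.
# Mirrors sshd parsing: keywords are case-insensitive, comment and blank
# lines are skipped, and the first occurrence of a keyword wins.
sshd_effective() {
  printf '%s\n' "$2" | awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    /^[ \t]*(#|$)/      { next }
    tolower($1) == key  { print $2; exit }'
}

# audit_sshd CONFIG -> prints each finding, returns 0 only if there are none.
# When a keyword is absent, OpenSSH's own defaults are assumed
# (PasswordAuthentication yes, keyboard-interactive yes, no AllowUsers).
audit_sshd() {
  cfg=$1
  findings=0
  if [ "$(sshd_effective PasswordAuthentication "$cfg")" != "no" ]; then
    echo "PasswordAuthentication is not 'no': password guessing possible"
    findings=$((findings + 1))
  fi
  if [ "$(sshd_effective KbdInteractiveAuthentication "$cfg")" != "no" ] &&
     [ "$(sshd_effective ChallengeResponseAuthentication "$cfg")" != "no" ]; then
    echo "keyboard-interactive auth enabled: PAM can still ask for a password"
    findings=$((findings + 1))
  fi
  case "$(sshd_effective PermitRootLogin "$cfg")" in
    no|prohibit-password|without-password) ;;
    "") ;;   # absent: OpenSSH default is prohibit-password
    *) echo "PermitRootLogin allows root with a password"
       findings=$((findings + 1)) ;;
  esac
  if [ -z "$(sshd_effective AllowUsers "$cfg")" ]; then
    echo "AllowUsers not set: every local account can be tried"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Usage: audit_sshd "$WEAK_CONFIG" lists four findings; the hardened
# fragment passes. On a live box, `sshd -T` prints the effective config
# (keywords lowercased), so `audit_sshd "$(sudo sshd -T)"` audits what is
# actually running rather than what the file says.
```

The audit deliberately does not treat `Port 22` as a finding: as the post says, a non-standard port is weak protection on its own, whereas disabling password and keyboard-interactive logins is what turns a found port into a dead end without the private key.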
Thank you for providing good comments and thoughts on the topic. Funny you should mention Teamsite. That was exactly what I was using before, but I have now switched to using Raspberry Pi as the platform for my openHAB server, and as far as I can work out Teamsite is not an option on this platform - at least not yet.
I will have a look at LogMeIn’s Hamachi service - and similar services if I can find them.
I had a lot of success with Hamachi on the Raspberry Pi, Windows, and Mac. I believe they now support Android and iOS too. This tutorial should get you started on the Raspberry Pi. Having set both Hamachi and OpenVPN up, I can say Hamachi is way way easier to set up and configure than OpenVPN, which is what I use now.
@rlkoshak, do you mind sharing some information about your setup using OpenVPN? Do you need to open ports in your home router for incoming connections to utilize this, or are you using an outgoing connection to some “service point”?
I didn’t want to have to rely on a third party so I did indeed open a port for OpenVPN to accept the incoming connections. However, I have it configured so each device that connects has its own certificate and it only accepts connections from clients with a known cert. That mitigates the fact that the port is open on the Internet.
I followed the tutorial here to set it up. Setting it up and configuring it on the clients is a little bit awkward but once it is set up it works well and is supported on all the platforms I have (iOS, Android, Windows, Linux, OSX).
Computer security is all about accepting risk and in this case I’m willing to accept the risk of having the open port on my firewall with this mitigation in place.
A lot of people have routers that support OpenSSH or have installed a third party firmware like DD-WRT or Tomato so that might be a route for you. At the time I set it up my router only had support for tap type connections but the Android client only supports tun type connections so I had to set up my own server.
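The "one certificate per device, only known certs accepted" gate described in the post above, reproduced as an added example with openssl so it can be exercised offline (this is not the thread's, openHAB's or OpenVPN's own code). A home CA issues a certificate to each device; the server trusts only certificates that chain to that CA, which is exactly what OpenVPN's `ca` directive expresses. openssl on PATH is assumed, and the names `home-vpn`, `phone`, `rogue` and `intruder` are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): per-device client certificates issued
# by a private CA, and the chain check that rejects a cert from any other CA.
# Assumes openssl is installed; all CA and device names are invented.

# make_ca DIR NAME -> self-signed CA certificate DIR/NAME.crt and key DIR/NAME.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# issue_client DIR CA NAME -> DIR/NAME.crt signed by DIR/CA.crt (one per device,
# so a lost phone can be revoked without touching the other devices)
issue_client() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
  openssl x509 -req -sha256 -days 365 -in "$1/$3.csr" \
    -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
    -out "$1/$3.crt" >/dev/null 2>&1
}

# client_accepted DIR CA NAME -> 0 if a server trusting DIR/CA.crt would accept
# NAME's certificate, non-zero otherwise. This is the chain validation the
# OpenVPN server performs against the file named by its "ca" directive; a
# client whose cert chains elsewhere fails the TLS handshake before any
# credentials or traffic are exchanged.
client_accepted() {
  openssl verify -CAfile "$1/$2.crt" "$1/$3.crt" >/dev/null 2>&1
}

# Matching server.conf lines (OpenVPN; the CA file is the whole trust decision):
#   ca   home-vpn.crt
#   cert server.crt
#   key  server.key
# The example certs carry no extensions; a real deployment would also set
# remote-cert-tls and publish a CRL (crl-verify) for revoked devices.

demo() {
  dir=$(mktemp -d) || return 1
  make_ca "$dir" home-vpn && issue_client "$dir" home-vpn phone &&
  make_ca "$dir" rogue    && issue_client "$dir" rogue intruder || return 1
  if client_accepted "$dir" home-vpn phone; then echo "phone: accepted"; fi
  if ! client_accepted "$dir" home-vpn intruder; then echo "intruder: rejected"; fi
  rm -rf "$dir"
}
```

Running `demo` shows the point of the mitigation: the `intruder` cert is a perfectly valid certificate, just not one the home CA issued, so it is refused even though the port is reachable from the Internet. The same reasoning is why sharing one client cert across devices defeats the purpose: revocation then takes every device offline at once.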
We need more details. Are the GPIOs on the same machine as OH and you want to use my.openHAB to proxy ssh? Or is OH on a different machine and you want it to issue commands to your GPIOs over ssh?
In the former you can’t. You can use the GPIO binding and expose them as switches, contacts, etc on your sitemap though. My.openHAB only supports proxying the openHAB web server.
In the latter you can use the Exec binding and/or executeCommandLine actions to issue the command. Just be aware that you need to make sure the openHAB user has all the right certs and permissions. You also need to set up the certs so the openHAB user does not need to log in to the ssh machine. Again, all of this is exposed via items on your sitemap.
I do apologize but it looks like I don’t need to use openHAB (server). I was just looking for a way to use the Airdroid application for OpenHAB. But thank you for replying. I ended up going with Tasker and ConnectBot. If there is ever a way to just push ssh connections to my server from the openHAB Android application, I would be thrilled since you guys have a great interface.
I’m afraid that is likely to never happen. The openHAB interfaces are inextricably tied to OH and were not designed nor intended to act as the UI for anything else. The UIs are essentially dynamically created based on your openHAB configuration as opposed to manually configuring the UI to work with OH or anything else.
Search the forum though as there are several threads discussing alternative UIs people are using for openHAB (usually interacting via the REST API). There might be a UI discussed that would work better for you.
Finally, thanks for the link. I have been using JuiceSSH but always to enter the same few commands (usually things like resetting Plex). If I could automate it through Tasker that would be awesome!
For openHAB 2 you can use the My.openHAB section of the migration tutorial here:
As discussed above, this cannot be done through My.openHAB. You either need to open a port in your router to allow access to your sshd running on the server or set up OpenVPN. I’ve a link to the tutorial I followed at the time above for OpenVPN.