Remote Access Using SSH Tunnel on Android

For whatever reasons some people may not want to use myopenhab.org to access their system remotely (you really should use myopenhab.org), can’t or don’t want to set up a reverse proxy, and can’t or don’t want to set up a VPN like openVPN. This tutorial will show how to access openHAB using the openHAB Android App through an SSH tunnel.

Prerequisites

  • ssh is setup and configured on some machine on your network; this tutorial will assume ssh is configured using keys instead of passwords (please please please use keys and turn off passwords if you expose ssh to the Internet)

  • the router is configured to forward traffic from some port to port 22 on your ssh server; the port exposed to the Internet need not be the default port 22

  • you have a static IP address or a dynamic dns name that lets you reach your home router outside your network

  • you are running Android with JuiceSSH Pro installed; the free version does not support port forwards

Optional

  • Tasker

  • JuiceSSH Tasker Plugin

SSH

This tutorial will not cover setting up ssh on your server. It need not be set up on the same machine as your openHAB server but it needs to be able to see openHAB on the LAN.

As mentioned above, I highly recommend setting up ssh keys and configuring the server to only allow logging in via said keys rather than allowing passwords.

Finally, set up the port forward on your gateway.

Google has tons of tutorials for setting up ssh with keys. This is one:

JuiceSSH Pro

  1. If not already installed install JuiceSSH and complete the in app purchase of Pro

  2. Copy the ida_private key from your ~/.ssh folder (or where ever you created it) to your phone

  3. Open JuiceSSH and tap “Connections”

  4. Scroll to the right to the “Identities” tab and press the yellow + button

  5. Give the Identity a nickname, enter the user name, and set the password (if you ignored my previous warnings) or the private key. If you choose “Smart Search” it will search your file system for id_rsa files and you can simply select the private key file you copied to your device. Tap the checkmark at the top of the page.

  6. Scroll to the left to the "Connections: tab and press the yellow + button to add a new connection.

  7. Give the connection a nickname, verify the type is SSH and enter your static IP address or dynamic DNS server name for the address. Select the identity you just created for “Identity” and if you exposed a non-standard port number on your router’s port forward change the port. Tap the checkmark at the top of the page.

  8. Scroll to the left to the “Port Forwards” tab and press the yellow + button.

  9. Name the port forward “openHAB”, select the connection you just created and verify the Mode is “Local”. Put 8080 in the “Port (from):”, the host or IP address of openHAB on your LAN for “Destination”, and “Port (to):” to 8080. If you choose, you can use a different port in “Port (from)” and if you changed the default ports for OH you need to use what you changed it to in “Port (to)”.

  10. Press the check mark at the top of the page.

  11. Test the connection by scrolling to the right to the “Connections” tab and tapping the connection you just created. If it works you will see a lot of stuff scroll by and end up with a shell login.

  12. Activate the port forward by tapping the toggle icon next to the forward you just created in “Port Forwards”. You will see a persistent notification as long as the port forward is active.

openHAB App

  1. Open the openHAB app settings.

  2. Change “openHAB Remote URL” to http://localhost:8080 or what ever port you chose for “Port (from)” above.

  3. Make sure “Username” and “Password” are empty.

While not on your LAN the openHAB app will not attempt to connect to OH through the SSH tunnel.

At this point, you can just remember to turn on the SSH tunnel before using OH or leave the tunnel always running. But we are all about automation here so…

Tasker with the JuiceSSH Tasker Plugin

This section will set up a profile that automatically connects the JuiceSSH Tunnel when the openHAB app starts. The naive approach would be to create a Profile that kicks off when openHAB starts but because JuiceSSH opens its own windows it causes the task to immediately exit causing all sorts of problems.

  1. Slide to the right to the Tasks tab and press the + button to create a new Task. Name it “openHAB”

  2. Add a task and select “Plugin” -> “JuiceSSH Tasker Plugin” from the list.

  3. Tap the “Configuration” and select “Port Forward” and tap the yellow arrow button.

  4. Select openHAB from the list of Port Forwards and tap “Save”.

  5. If necessary, add a “Task” -> “Wait” next if the Port Forward seems to take more than half a second or so to connect.

  6. Add an “App” -> “Launch App” task and choose openHAB from the list.

  7. Press the square grid icon at the bottom center and select “Application Icon” -> openHAB

  8. Test the task and adjust the Wait as necessary.

  9. Close out of the Task editor be tapping the left arrow icon and activate the changes by tapping the check mark icon.

  10. Press the home button and add a Task Shortcut widget to your home screen, selecting the “openHAB” as the Task.

Optional

If you want to tear down the SSH tunnel when you close the openHAB app,

  1. Create a new Profile and select “Application”. Select “openHAB” from the list and make sure “Activity” and “Invert” are selected at the bottom. Tap the left arrow at the top.

  2. Create a new Task and repeat steps 3 and 4 above.

Conclusions

I’m not sure I would recommend this as the best way to remotely access your OH on an Android phone. It is a little clunky and if the tunnel is not fully established before the openHAB app tries to connect it complains with “Cannot connect to http://localhost:8080” and, my favorite error message, “Not Acceptable”.

However, when all other options are unavailable, it is better than nothing by far. The connection itself it secure and as far as the openHAB app is concerned you are on your local network so Webviews and the like will work just fine.

Good luck!

2 Likes

advanced stuff, nicely done @rlkoshak !

…old school mode! :slight_smile: (the old name of the openHAB Android app)

1 Like

Seems like I’m always the last one to know. Updated the article accordingly.

1 Like