Remote openHab instance VPN L2TP call to a local VPN Server

Hi everyone,

Here is my setup: I have an openHab instance installed on a Raspberry Pi at home that works pretty well and is always connected to the openHab cloud connector.
Now I would like to install a separate openHab instance, again using a Raspberry Pi, at the boat, where the internet is available using a 4G router. As you probably know, most of the 4G ISPs provide internet under a double NAT etc., so there is no way to have either a static IP or dynamic DNS. I don’t want to use the cloud connector at the boat installation; I would prefer to use the remote openHab binding and just bring the “things” I want to my current home sitemap.
At home, I also have a PPTP VPN server on the router side, so I can call a connection and get into my local subnet.
Here is the question, is there any way I can install a PPTP Client on the remote openHab instance (boat) so I could do the rest?

Any response would be really appreciated.

I don’t see why not. You don’t say what kind of computer the remote one is but if it can run OH it can run VPN software.

As for how to do it? :person_shrugging: It’s not really an openHAB question. PPTP is pretty old and basic by VPN standards so I’m sure it’s supported but I’m also sure it’ll be fiddly to set up. But what client software you use and how to set it up is pretty much going to be done at the operating system level and be operating system specific and largely be transparent to OH itself.

Most people who set up VPNs like this these days use OpenVPN, Wireguard, or my personal favorite Tailscale which is a network overlay based on Wireguard. Of the three, Wireguard is by far the easiest to set up and use.

Note, if you have two separate accounts on myopenhab.org, you could use the Remote openHAB add-on through the cloud server as an option as well.

1 Like

If you mean the local VPN server, it runs on a Ubiquiti device like a UDM.
So you suggest wireguard for the remote openHab instance…
Does wireguard support a PPTP call as a client to a remote server?

No, OpenVPN and Wireguard are wholly separate protocols from PPTP. They would be used instead of PPTP, not with PPTP.

For Tailscale, you install the client on some machine on the boat (doesn’t have to be the openHAB machine) and you install it on some machine at home (doesn’t have to be the firewall or router). Started with the right command line arguments and all the machines on your boat will be able to see all the machines on your LAN, no NAT, port forwarding, or anything else required on your part (note it does depend on the Tailscale services but it’s all open source so you could run your own service if you wanted).

Using Wireguard directly or OpenVPN requires more configuration and opening a port on your firewall to your LAN that the boat would connect to. PPTP would work the same, only you’ll have to find and configure a client that will work on your own. This is the first I’ve ever even seen it mentioned here on this forum so there are likely very few if any people who use it here (note that openHABian supports Wireguard and Tailscale out-of-the-box).

Thank you for the explanation. Yes, I searched before I posted this, and I couldn’t find anything similar.
The options you describe sound very nice, but first I’d like to use my current setup with the PPTP server at home; at the same time I am running the other services using the VPN server and I would prefer not to customize everything from the beginning.
So if I am understanding correctly, I’ll have to find a PPTP client to install on the remote Raspberry Pi and connect to the local PPTP server.

Correct. And again, this is all done at the OS level. OH doesn’t know, nor does it care, that a VPN is in the mix.

1 Like

I don’t have experience with the stability of OS-based VPNs. My company VPN drops out from time to time while working… :frowning:
But I have a site2site VPN via my “FritzBoxes”: you’ll only need one with a static IPv4 (or IPv6 with latest firmware) and the other LTE-based Box can then use a NATted shared IPv4. That’s really stable, and even if one of the Boxes reconnects, the site2site VPN gets re-established in no time. That way I could use my local MQTT and/or remote OpenHAB for that.

…and that’s the other “cloud-based” solution: using a publicly available MQTT server for communication between two (then completely separate) local networks. Before I used the site2site VPN I experimented with that solution and it also worked pretty well. But: VPN is more “secure” - even if I only exchanged temperatures and door/window states. (but also: Wifi sockets for remote pre-heating)

1 Like

I’ve never had Tailscale nor OpenVPN fail except when rebooting or upgrading. I found OpenVPN to be a bit of a power hog on my phone and Tailscale to be less so but still takes a noticeable chunk of battery if I leave it on all the time.

YMMV, but given all the many, many things that have gone wrong for me over the years, VPN isn’t one of them.

Company VPNs often have a timeout which forces you to reconnect. That’s a deliberate choice made by the company and it is a security mitigation.

1 Like

Or use a dynDNS service; this can be configured in the FritzBox as well. I’m using it here for my cross-site VPNs.

1 Like

Even with a dynDNS you’ll need at least one FritzBox with a public IP. I’m using the MyFritz service from AVM. I don’t trust “free” dynDNS services… :wink:

That is a good point. With OpenVPN and PPTP you will need either a static IP or some sort of dynamic DNS service and a port forward. Tailscale uses a discovery service which eliminates the need for both. I pay for my own domain and it supports dynamic DNS but I use it for other things, not the VPN.

1 Like

I am using a paid service, but not AVM. You configure the service directly in your FritzBox and you don’t need a static IP; just configure your VPN clients (phone or other FritzBox) to call the host alias, not a hardcoded IP.

PLEASE FORGIVE ME…
The connection I’m trying to establish is L2TP and NOT PPTP…
I can’t believe that I made this mistake :zipper_mouth_face: :face_with_peeking_eye:. I have been using my Unifi router as a VPN server for the last 3 years to log in remotely using a mobile device and MacBook… I have set up a Layer 3 L2TP and for some reason I got confused.
I guess it is pretty much the same thing though; I’ll get back with an update. I will also change the title of the post in case someone searches for it… :face_with_peeking_eye:
Thank you all for your responses.

I strongly recommend not using just L2TP. To quote from Wikipedia:

In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It uses encryption (‘hiding’) only for its own control messages (using an optional pre-shared secret), and does not provide any encryption or confidentiality of content by itself. Rather, it provides a tunnel for Layer 2 (which may be encrypted), and the tunnel itself may be passed over a Layer 3 encryption protocol such as IPsec.[1]

The key part is

does not provide any encryption or confidentiality of content by itself

L2TP is a building block for creating a VPN. It is not sufficient in and of itself to be a VPN. To make a simile, it’s like encrypting the call set-up and tear-down messages when making a phone call but not the actual phone number and audio of the call, and that’s where all the useful info resides. Obviously it’s a bit more complicated than that, but the idea is L2TP provides almost no meaningful protection of your data by itself. That’s why it’s pretty much always paired with something like IPSec.

If you really are looking at L2TP/IPSec, that’s sort of OK, though this combo is itself pretty old and inefficient and not as secure as more modern VPN technologies. It’s also more complicated because you have two things to set up and configure but often the clients make that relatively easy.

If not, and you are just talking about L2TP, your time would be much better spent moving everything to a full VPN solution now rather than spending the same amount of work or more trying to get L2TP working, which actually provides almost no security to this connection.

Just for comparison, here’s a complete Tailscale tutorial:

  1. Create an account on Tailscale.com
  2. Install Tailscale (instructions for lots of platforms)
  3. Run the client. On Linux/BSD: sudo tailscale up. On Windows, double-click the executable. It will ask you to log in using the credentials you used to create the Tailscale account.

That’s it. Do that on both openHAB running machines and they will be able to see each other over Tailscale. No port forwards. No configuration outside of command line arguments.

If you want to have both OH instances see all the machines on both ends, see Subnet routers and traffic relay nodes · Tailscale Docs though unless you have more than 20 machines it’s easier to just install it on each machine.

1 Like
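The point made above about bare L2TP is easy to verify on the Raspberry Pi itself: on Linux, IPsec protection shows up as kernel xfrm policies that force UDP/1701 traffic through ESP, and if no such policy exists the L2TP frames leave the box in the clear. The script below is an added example written for this thread, not code from the forum or from openHAB; it assumes an xl2tpd-style daemon bound to UDP 1701 and an IPsec stack that installs its policies through the kernel (as strongSwan or Libreswan do), so `ss -ulnp` and `ip xfrm policy` are the sources of truth. The sample command outputs embedded here are constructed approximations of that layout, not captures.

```python
"""Check whether a Linux host's L2TP tunnel is actually wrapped in IPsec.

Example code added to illustrate the thread; not from openHAB or the forum.
Assumptions: the L2TP daemon listens on UDP 1701 and IPsec is handled by the
kernel xfrm framework, so `ss -ulnp` and `ip xfrm policy` describe the state.
"""
from __future__ import annotations

import re
import subprocess

L2TP_PORT = 1701

# Constructed sample of `ss -ulnp` output: xl2tpd on 1701, an IKE daemon on 500.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0            0.0.0.0:1701         0.0.0.0:*     users:(("xl2tpd",pid=812,fd=5))
UNCONN 0      0            0.0.0.0:500          0.0.0.0:*     users:(("charon",pid=640,fd=9))
"""

# Constructed `ip xfrm policy` output for a transport-mode L2TP/IPsec peer:
# one policy per direction, each with an ESP template.
XFRM_PROTECTED = """\
src 203.0.113.10/32 dst 198.51.100.7/32 proto udp sport 1701 dport 1701
	dir out priority 1042407 ptype main
	tmpl src 203.0.113.10 dst 198.51.100.7
		proto esp reqid 1 mode transport
src 198.51.100.7/32 dst 203.0.113.10/32 proto udp sport 1701 dport 1701
	dir in priority 1042407 ptype main
	tmpl src 198.51.100.7 dst 203.0.113.10
		proto esp reqid 1 mode transport
"""

XFRM_BARE = ""  # no policies at all: L2TP traffic is sent unencrypted


def l2tp_listening(ss_output: str, port: int = L2TP_PORT) -> bool:
    """True if any UDP socket in the `ss` listing is bound to the L2TP port."""
    return any(re.search(rf":{port}\s", line) for line in ss_output.splitlines())


def parse_xfrm_policies(xfrm_output: str) -> list[dict]:
    """Split `ip xfrm policy` output into one dict per policy block.

    A block starts with an unindented selector line (src/dst/proto/ports);
    the indented lines under it carry the direction and the ESP/AH templates.
    """
    policies: list[dict] = []
    for line in xfrm_output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # new selector line
            policies.append({"selector": line.strip(), "dir": None, "esp": False})
            continue
        current = policies[-1]
        m = re.match(r"\s*dir\s+(\S+)", line)
        if m:
            current["dir"] = m.group(1)
        if re.search(r"\bproto esp\b", line):
            current["esp"] = True
    return policies


def ipsec_covers_l2tp(xfrm_output: str, port: int = L2TP_PORT) -> dict:
    """Report whether UDP/<port> has an ESP policy in each direction."""
    covered = {"in": False, "out": False}
    for pol in parse_xfrm_policies(xfrm_output):
        sel = pol["selector"]
        if "proto udp" in sel and (f"sport {port}" in sel or f"dport {port}" in sel):
            if pol["esp"] and pol["dir"] in covered:
                covered[pol["dir"]] = True
    return covered


def audit(ss_output: str, xfrm_output: str) -> dict:
    """Combine both views: an L2TP endpoint only counts as protected when
    ESP policies exist for both inbound and outbound tunnel traffic."""
    listening = l2tp_listening(ss_output)
    cov = ipsec_covers_l2tp(xfrm_output)
    return {
        "l2tp_listening": listening,
        "esp_in": cov["in"],
        "esp_out": cov["out"],
        "protected": listening and cov["in"] and cov["out"],
    }


def audit_live() -> dict:
    """Run the same check against the local host (needs iproute2 and root for -p)."""
    ss = subprocess.run(["ss", "-ulnp"], capture_output=True, text=True, check=True).stdout
    xfrm = subprocess.run(["ip", "xfrm", "policy"], capture_output=True, text=True, check=True).stdout
    return audit(ss, xfrm)


if __name__ == "__main__":
    for label, sample in (("with IPsec", XFRM_PROTECTED), ("bare L2TP", XFRM_BARE)):
        print(label, audit(SS_SAMPLE, sample))
```

Run it as-is to see both outcomes on the constructed samples, or call `audit_live()` on the Pi after bringing the tunnel up; a result with `l2tp_listening` true but `protected` false is exactly the "L2TP only" situation the post warns about. Only xfrm policies are inspected, because a policy is what makes the kernel refuse to send matching traffic outside ESP; whether a security association is currently negotiated is a separate, transient question.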

I’ve had beebotte.com on my mind for this sort of thing, but haven’t had a good use case to experiment with it.

+1 for tailscale recommendation. It is so extremely easy to set up, free, and doesn’t stop you from continuing to use your existing VPN for the stuff you’re already using it for.

1 Like

Wouldn’t be easier…
Thanks a lot! A ton of work has been avoided…

up and running already…

1 Like