Here is my setup: I have an openHAB instance installed on a Raspberry Pi at home that works pretty well and is always connected to the openHAB cloud connector.
Now I would like to install a separate openHAB instance, again on a Raspberry Pi, on the boat, where internet is available through a 4G router. As you probably know, most 4G ISPs provide internet behind a double NAT etc., so there is no way to have either a static IP or dynamic DNS. I don’t want to use the cloud connector for the boat installation; I would prefer to use the remote openHAB binding and just bring the “things” I want into my current home sitemap.
At home, I also have a PPTP VPN server on the router side, so I can open a connection and get into my local subnet.
Here is the question: is there any way I can install a PPTP client on the remote openHAB instance (boat) so I could do the rest?
I don’t see why not. You don’t say what kind of computer the remote one is but if it can run OH it can run VPN software.
As for how to do it? It’s not really an openHAB question. PPTP is pretty old and basic by VPN standards so I’m sure it’s supported but I’m also sure it’ll be fiddly to set up. But what client software you use and how to set it up is pretty much going to be done at the operating system level and be operating system specific and largely be transparent to OH itself.
Most people who set up VPNs like this these days use OpenVPN, Wireguard, or my personal favorite Tailscale which is a network overlay based on Wireguard. Of the three, Wireguard is by far the easiest to set up and use.
Note, if you have two separate accounts on myopenhab.org, you could use the Remote openHAB add-on through the cloud server as an option as well.
No, OpenVPN and Wireguard are wholly separate protocols from PPTP. They would be used instead of PPTP, not with PPTP.
For Tailscale, you install the client on some machine on the boat (doesn’t have to be the openHAB machine) and you install it on some machine at home (doesn’t have to be the firewall or router). Started with the right command-line arguments, all the machines on your boat will be able to see all the machines on your LAN, with no NAT, port forwarding, or anything else required on your part (note it does depend on the Tailscale services, but it’s all open source so you could run your own service if you wanted).
Using Wireguard directly or OpenVPN requires more configuration and opening a port on your firewall to your LAN that the boat would connect to. PPTP would work the same, only you’ll have to find and configure a client that will work on your own. This is the first I’ve ever even seen it mentioned here on this forum so there are likely very few if any people who use it here (note that openHABian supports Wireguard and Tailscale out-of-the-box).
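The WireGuard site-to-site setup the reply above describes (one UDP port opened at home, the boat only ever dialing out), as an added example that is not part of this thread or of openHAB: a small POSIX shell script that writes the two `wg0.conf` files. The endpoint name, both LAN subnets, the tunnel addresses and all key strings are constructed placeholders; the keys must be replaced with real `wg genkey` / `wg pubkey` output before use.

```shell
#!/bin/sh
# Added example: generate a WireGuard site-to-site pair for a home site that is
# reachable (static IP or DDNS name plus one forwarded UDP port) and a boat site
# behind 4G carrier NAT that cannot accept inbound connections.
# Every address, subnet and key below is an assumed placeholder.

HOME_ENDPOINT="home.example.invalid:51820"   # DDNS name + forwarded UDP port (assumed)
HOME_LAN="192.168.1.0/24"                    # home subnet (assumed)
BOAT_LAN="192.168.50.0/24"                   # boat subnet (assumed)
HOME_PUB="HOME_PUBLIC_KEY_PLACEHOLDER"       # replace with `wg pubkey` output
BOAT_PUB="BOAT_PUBLIC_KEY_PLACEHOLDER"       # replace with `wg pubkey` output

# Home side: the only side that listens. It also forwards between the tunnel
# and the home LAN (needs net.ipv4.ip_forward=1; if this host is not the home
# router, the router needs a static route for BOAT_LAN pointing at it).
gen_home_conf() {
    cat <<EOF
[Interface]
Address = 10.99.0.1/24
ListenPort = 51820
PrivateKey = HOME_PRIVATE_KEY_PLACEHOLDER
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT

[Peer]
# boat
PublicKey = $BOAT_PUB
# Cryptokey routing: packets from this peer are accepted only if their source
# is in AllowedIPs, and only these destinations are ever sent to it.
AllowedIPs = 10.99.0.2/32, $BOAT_LAN
EOF
}

# Boat side: no ListenPort, so nothing is exposed on the 4G link. The
# PersistentKeepalive keeps the carrier NAT mapping open so the home openHAB
# can reach the boat's openHAB (e.g. at 10.99.0.2:8080) once the tunnel is up.
gen_boat_conf() {
    cat <<EOF
[Interface]
Address = 10.99.0.2/24
PrivateKey = BOAT_PRIVATE_KEY_PLACEHOLDER

[Peer]
# home
PublicKey = $HOME_PUB
Endpoint = $HOME_ENDPOINT
AllowedIPs = 10.99.0.1/32, $HOME_LAN
PersistentKeepalive = 25
EOF
}

# Write both files into a directory; private keys live in them, so mode 600.
write_site_configs() {
    dir="$1"
    mkdir -p "$dir"
    gen_home_conf > "$dir/home-wg0.conf"
    gen_boat_conf > "$dir/boat-wg0.conf"
    chmod 600 "$dir"/*.conf
}

# Usage: write_site_configs ./wg-site; then copy each file to the matching
# host as /etc/wireguard/wg0.conf and run `wg-quick up wg0`.
```

Only 51820/udp needs a forward at home, and the boat never forwards anything; `AllowedIPs` on both sides also acts as a per-peer packet filter, so a compromised boat Pi cannot inject traffic claiming a home LAN source address through the tunnel.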
Thank you for the explanation. Yes, I searched before I posted this, and I couldn’t find anything similar.
The options you describe sound very nice, but first I’d like to use my current setup with the PPTP server at home; at the same time I am running the other services using the VPN server, and I would prefer not to customize everything from the beginning.
So if I am understanding correctly, I’ll have to find a PPTP client to install on the remote Raspberry Pi and connect to the local PPTP server.
I don’t have experience with the stability of OS-based VPNs. My company VPN drops out from time to time while working…
But I have a site-to-site VPN via my “FritzBoxes”: you’ll only need one with a static IPv4 (or IPv6 with the latest firmware), and the other, LTE-based box can then use a NATted shared IPv4. That’s really stable, and even if one of the boxes reconnects, the site-to-site VPN gets re-established in no time. That way I could use my local MQTT and/or remote openHAB for that.
…and that’s the other “cloud-based” solution: using a publicly available MQTT server for communication between two (then completely separate) local networks. Before I used the site-to-site VPN I experimented with that solution, and it also worked pretty well. But: VPN is more “secure”, even if I only exchanged temperatures and door/window states (but also: Wi-Fi sockets for remote pre-heating).
I’ve never had Tailscale nor OpenVPN fail except when rebooting or upgrading. I found OpenVPN to be a bit of a power hog on my phone and Tailscale to be less so but still takes a noticeable chunk of battery if I leave it on all the time.
YMMV, but given all the many, many things that have gone wrong for me over the years, VPN isn’t one of them.
Company VPNs often have a timeout which forces you to reconnect. That’s a deliberate choice made by the company and it is a security mitigation.
That is a good point. With OpenVPN and PPTP you will need either a static IP or some sort of dynamic DNS service and a port forward. Tailscale uses a discovery service which eliminates the need for both. I pay for my own domain and it supports dynamic DNS but I use it for other things, not the VPN.
I am using a paid service, but not AVM. You configure the service directly in your FritzBox and you don’t need a static IP; just configure your VPN clients (phone or other FritzBox) to call the host alias, not a hardcoded IP.
PLEASE FORGIVE ME…
The connection I’m trying to establish is L2TP and NOT PPTP…
I can’t believe that I made this mistake. I have been using my UniFi router as a VPN server for the last 3 years to log in remotely using a mobile device and a MacBook… I have set up a Layer 3 L2TP, and for some reason I got confused.
I guess it is pretty much the same thing, though. I’ll get back with an update. I will also change the title of the post in case someone searches for it…
Thank you all for your response.
L2TP is a building block for creating a VPN. It is not sufficient in and of itself to be a VPN. To make a simile, it’s like encrypting the call set-up and tear-down messages when making a phone call but not the actual phone number and audio of the call, and that’s where all the useful info resides. Obviously it’s a bit more complicated than that, but the idea is L2TP provides almost no meaningful protection of your data by itself. That’s why it’s pretty much always paired with something like IPsec.
If you really are looking at L2TP/IPSec, that’s sort of OK, though this combo is itself pretty old and inefficient and not as secure as more modern VPN technologies. It’s also more complicated because you have two things to set up and configure but often the clients make that relatively easy.
If not, and you are just talking about L2TP, your time would be much better spent moving everything to a full VPN solution now rather than spending the same amount of work or more trying to get L2TP working, which actually provides almost no security to this connection.
Just for comparison, here’s a complete Tailscale tutorial: