Replacing SmartThings API with OpenHAB + OpenHAB-cloud

Actually I’ve just added a new feature to openHABian. It’s using the (free) Tailscale daemon and their (commercial) service to interconnect units. It’s essentially a framework to manage WireGuard tunnels.
Great thing is it takes care of all that encapsulation stuff to run a unit behind a NAT firewall.
Here’s an explanation. For personal use, their service is also free of charge.

@mstormi VERY interesting, thank you!

I tried it out using a free 3-connection account with OpenVPN Cloud, and it seemed to work OK. OpenVPN3 didn’t appear to be supported on Buster though, despite it being in the list (“no package called openvpn3”).

The process was pretty simple: create a network with some users, add a few devices per user, download the .ovpn config file and rename it to .conf in the program’s dir. Test with openvpn --config /etc/openvpn/blah.conf and then just do systemctl enable openvpn@blah to make it run at boot. Everything’s on the same network, so the VPS server can make calls directly into the services (yes!!!). Assuming every MDU has its own VPN for separation and security, scaling isn’t too tricky.

Tailscale looks incredibly powerful, and that blog goes into a lot of detail about the problems with normal VPNs. I definitely want to compare these two properly.

Both of these look fine for personal networks of 10 or fewer devices. OpenVPN Cloud is free for personal, as is Tailscale. But it’s a bit like Home Assistant after that, and starts to cost heavily. As I understand it this morning from reading, WireGuard is designed to out-perform OpenVPN, but the latter is arguably better known and trusted by IT techs (I’m a dev, so I don’t want to have to be dealing with this).

Once you have the IP of the OpenHAB box and can reach the REST API, you’re good. It’s relatively easy to build an API on top of that like SmartThings’ version. Something like https://traefik.io/ is helpful.

Now the next step in dealing with replacing SmartThings - and you’re basically replacing the hub as well - is the Z-Wave and Zigbee problem. I’ve got the Z-Wave Me Pi module (no Zigbee, buggy) to test, and have been running with the GoControl USB (ugly as hell, discontinued, Zigbee doesn’t work).

OpenHAB seems really buggy with these protocols and hardware, but maybe that’s just my own lack of understanding. That said, the sheer list of things it has on top is fantastic. Remote access is the key to making it work at enterprise level IMO. Once you can SSH in, you can add new things to 100 boxes if you wanted to.

Well, both are site2site VPNs, so if you have 10+ sites you will have outgrown that “personal” use case and have become a commercial provider, won’t you? So IMHO it’s just fair to charge for it then, and IIRC it wasn’t really expensive, something like $20 a month (I am in no way associated with that company).

openHABian also has an option to install and configure a standalone WireGuard (without the Tailscale management framework), so if you don’t mind doing the config work you can also go with that for free.

openHABian also has an option to install a preconfigured nginx (although you would probably not need that if you have the VPN).

Not at all - that’s your lack of experience there. I have been running an openHAB RaZberry myself for years and still do.

Oh it’s definitely meant to be commercial grade, for sure. It’s worth pointing out that Tailscale requires an identity provider like Gmail, Office365 etc and doesn’t do individual accounts. But it’s all the same thing really: enabling remote access so web apps can talk to the device or interface itself. One location, like a block of apartments, means 3-4 VPN connections per unit, meaning potentially 500-1000 VPN endpoints to manage.

That inhibits its scalability in a big way. Personally I have a huge problem with these big tech companies and the data they process, so I’d like to avoid them if possible.

Couple of other things:

  1. Remote persistence: how easy is it to get OpenHAB to store its settings remotely in something like Mongo or Redis? Should be just a case of changing the host? Or better to store locally and mirror/replica to a remote?

  2. Remote logging: does the logger support anything like Graylog Extended Log Format (GELF) so you can send output to a server like Seq (https://datalust.co/seq)?

The Z-Wave Pi module (Razberry2) is driving me absolutely mad. Trying to get either the USB to work on both ports, or the serial module to work as one, seems to be a real uphill struggle.

Isn’t there a SmartThings binding for OH where you could use your hubs as Z-Wave controllers feeding OH? That should make migration a little less painful.

I use VSCode remote development for accessing remote sites; all you have to do is forward the port in the router.

Just change the host

:rofl:

Also this may be of some use.

Just connects to the hub I think, which is what I want to get away from. But appreciate the suggestion!

Thanks for those! Is the remote essentially a P2P kinda arrangement?

I am not sure it is fully baked yet. No encryption. I have OH2 and OH3 running in Docker containers on the same host. The remote OpenHAB binding keeps losing connection.

It removes the Samsung cloud component from the equation and lets you migrate away from the hubs after you get more familiar with OH.

It uses http and the same REST API used by the user interfaces. I understand it also receives events from the OH2 server.

From a dev perspective for others looking at doing this, the theory of replacing SmartThings API is relatively simplistic.

Let’s say you have 100 OpenHAB devices, each of them on a VPN with a reachable IP. As long as you know the IPs and can identify which device is which, you can map user accounts with them. So in creating an API, you need your users to be associated with, or have permissions to, one or more devices - each with a JWT token to authenticate with.

If our VPN IP range of our devices is 10.0.0.1 - 10.0.0.100, the calls are easy:

GET http://10.0.0.1:8080/rest/items/My_Item --> user A has permissions on this
GET http://10.0.0.2:8080/rest/items/Another_Item --> user A has permissions on this also
GET http://10.0.0.3:8080/rest/items/Other_Item --> user B has permissions on this
GET http://10.0.0.4:8080/rest/items/Random_Item --> user C has permissions on this
// and so on

All that’s required is to know which host URL to call, as the parent API is a wrapper around the OpenHAB API.
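The authorization step such a wrapper needs before it forwards a call, as an added example that is not part of the original post or of openHAB: it verifies the caller's JWT, checks the user-to-device permission map, and only then builds the upstream URL. The HS256 secret, the ACL table and all function names are constructed for illustration; the item-name pattern is an assumption that keeps path characters out of the forwarded URL.

```python
import base64, hashlib, hmac, ipaddress, json, re, time

SECRET = b"constructed-demo-secret"            # assumption: HS256 shared secret
VPN_NET = ipaddress.ip_network("10.0.0.0/24")  # covers the post's 10.0.0.1-100
ITEM_RE = re.compile(r"[A-Za-z0-9_]+")         # no '/', '.', '?' in item names
# Constructed ACL mirroring the post: user -> device IP -> permitted items
ACL = {"userA": {"10.0.0.1": {"My_Item"}, "10.0.0.2": {"Another_Item"}},
       "userB": {"10.0.0.3": {"Other_Item"}}}

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(head, body):
    return hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()

def issue_token(user, ttl=300, now=None):
    now = time.time() if now is None else now
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps({"sub": user, "exp": int(now) + ttl}).encode())
    return f"{head}.{body}.{b64e(sign(head, body))}"

def verify_token(token, now=None):  # subject of a valid token, else None
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        if json.loads(b64d(head))["alg"] != "HS256":  # refuse alg=none etc.
            return None
        if not hmac.compare_digest(sign(head, body), b64d(sig)):
            return None
        claims = json.loads(b64d(body))
        return claims["sub"] if claims["exp"] > now else None
    except (ValueError, TypeError, KeyError, AttributeError):
        return None

def resolve(token, device_ip, item, now=None):
    """Return the upstream openHAB URL, or None if the call must be refused."""
    user = verify_token(token, now)
    try:
        in_vpn = ipaddress.ip_address(device_ip) in VPN_NET
    except ValueError:
        return None
    if user is None or not in_vpn or not ITEM_RE.fullmatch(item):
        return None
    if item not in ACL.get(user, {}).get(device_ip, set()):
        return None
    return f"http://{device_ip}:8080/rest/items/{item}"
```

The wrapper forwards the request only when `resolve` returns a URL; every other outcome is a refusal that never reaches a device on the VPN.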

Tailscale a big tech company??
It’s a couple of nerds trying to turn their contribution to the Open Source world into some money. The identity provider is for your admin ID only. Just create a functional account and you’re set there.

HTTPS is now supported.

As mentioned in the Git issue, DEBUG logs could probably help the analysis.

Not Tailscale. Google, Microsoft, etc. I’m all for what Tailscale is doing. Just don’t want to deal with big “identity providers” like these now their true colours are on full display. I’m actively removing them from projects we work on and services we use.

It appears you are using this in the enterprise.

There are people here (developers) that offer enterprise level services apart from this forum. Some use OH based solutions. PM me if you want me to connect you with a couple of them.

There are very few here on the forum experienced with using smart home technologies in a commercial setting.

Not yet, but soon. We have a lab set up to toy with some of this to figure out better ways to do things. The offer is appreciated though!

Interesting article for those interested in doing more with OH:

“Scaling Home Automation to Public Buildings: A Distributed Multiuser Setup for OpenHAB 2” by Florian Heimgaertner, Stefan Hettich, Oliver Kohlbacher, and Michael Menth
(University of Tuebingen, Department of Computer Science, Tuebingen, Germany)

Looking at the University site, it was envisioned to interconnect several campus buildings, so the public Internet was not involved from a security perspective.