Smarthome Security

Hi everyone,

I have been reading about home automation for quite some time and I am really toying with the idea of starting my own project, preferably using the OpenHAB environment. First of all, I would like to explain my current position in "coding" and "home automation". TL;DR: I'm green.

My (non-existent) experience

I am not completely new to writing code, as I regularly need to perform some more or less complicated computations, so I am familiar with the very general idea of coding in several languages (mostly statistical ones, or at least that is what I use them for), like R or Python. I also know that I am capable of "googling" how to get stuff done, as I have already set up my Raspberry Pi and fiddled around with it, jumping around with happiness when I got it to display a number on a 7-segment display without a specific guide teaching exactly how to do that one thing. On the other hand, I am really new to the Linux environment and to coding beyond statistics in general, so I am completely lacking the general knowledge of "what is OK" and "what is risky".

My plan is to create a complete smart home step by step as a hobby, which I have already started doing by managing the simple things (a very basic door sensor connected to the RPi, which currently can't do more than tell the RPi that the door is open, and then nothing happens).

However, before I start implementing all of the cool features and playing around with it, I would like to know whether there is (and if yes, how?) an option to secure the server from the outside internet and keep it restricted, while also allowing it "reading" access to the internet. I would love to be able to set up a display in the hall that just shows the upcoming trams to my station, which would obviously require it to be connected to the internet; however, I don't want anyone (yes, I'm paranoid) to be able to switch the colour of my kitchen light to green.

There is also the problem that I would love to have the option to (by myself) unplug the kitchen hob in case I left it running (not to mention the app sending me a notification that I did so), but again, I want to be the only one with this option. Is this achievable? How?

And my last question is regarding the Wi-Fi. A lot of the smart things are unable to connect to a 5 GHz local network. Is it possible for the Pi to be connected to two networks simultaneously? I would need to be on the same network as the Pi with my smartphone to be able to control it, but I really want that to be the 5 GHz one. Is there another solution?

Thank you very much in advance for any response.

Best regards,
A very interested potential fellow home automator.

P.S.: Sorry, but the "Details" part only works properly in the preview; I didn't manage to get it working in the actual post.

[quote="Lukas1, post:1, topic:31166"]
I would like to know whether there is (and if yes, how?) an option to secure the server from the outside internet and keep it restricted, while also allowing it "reading" access to the internet.[/quote]

This depends on your network security settings. By default, you will have "read" access for your (W)LAN devices and no "write" access from the Internet (unless you explicitly allow this in your border router / gateway / firewall).

openHAB follows the concept of “Intranet of Things”. This means that it doesn’t depend on an external (internet based) service to operate.

You could configure your openHAB2 system to deliver notifications (e.g. emails) based on events without opening up remote access to it.
Another way: if you want to allow remote access to your system via the mobile app, you will have to allow incoming connections from the internet. There are ways to control the access to minimize the risk. See: http://docs.openhab.org/installation/security.html. Note: for LAN access from the mobile app, it works "out of the box"; no need to implement extra security :)

(assuming that the smart things you refer to are 2.4 GHz based)
Does your WLAN access point support both 2.4 GHz and 5 GHz frequencies? If yes, then you don't have much to worry about. You can set up your (W)LAN with one IP subnet that is accessible from all devices (wired, wireless on 2.4 GHz and wireless on 5 GHz).


Thank you very much for this reply. Yes, I was indeed talking about 2.4 GHz things; sorry for the unclear question.
I am looking forward to studying the document you linked in your response. However, as I really don't want to allow something I should not, I will probably stick with "read" mode only.

OH runs on most OS’s. If you are more comfortable on OSX or Windows you can happily run OH there instead.

An excellent start. You want to grow this slowly, bit by bit, learning as you go. Maybe get your Pi to report the state of the door over MQTT. Then configure OH to use MQTT, receive that message, and use a Rule to tell you when the door has been open for over an hour.

Incremental steps will give you lots of wins as you go without overwhelming you with having to learn everything all at once.

Assuming you haven't set up anything special to allow Internet traffic to get past your firewall (by default, firewalls in most consumer gateways block all incoming traffic), this is how it behaves by default. Your OH server can reach out to the bus website just like you can from your computer, but some random computer on the net cannot connect to your machine unless you go out of your way to expose it to the internet.

So now you are requiring access to your system remotely. This means you need to expose your system to the internet in some way. Luckily there are reasonably safe options. Perhaps the easiest is to use myopenhab.org. This is a service provided by the openhab.org foundation that lets your openHAB server securely connect to the myopenhab.org servers and lets authorized users (i.e. only you or people for whom you create user/password accounts) bring up the web UIs.

Another alternative, which is more risky, is to set up a reverse proxy with encryption certs and user/password authentication to access your server directly. I would not recommend this approach unless you understand the risks.

Tutorials for both approaches are in the docs.

Yes, but it isn't easy. Does your Wi-Fi router not put both bands on the same network? I have a dual-band network as well, but everything can see everything else regardless of which band (or wired) it is connected on. Of course I could set it up to segregate the devices, but by default most Wi-Fi routers I've ever seen treat every device as being on the same LAN regardless of how it connects to the network.
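
The incremental step suggested above (Pi publishes the door state over MQTT, a rule fires when the door has been open for over an hour) as an added example; this is not code from the thread or from openHAB. The topic name `home/hall/door`, the `OPEN`/`CLOSED` payloads and the one-hour threshold are assumptions, and the messages are constructed inline so the logic runs offline without a broker (on the real Pi, `door_message` would be handed to a client such as paho-mqtt's `client.publish(topic, payload, retain=True)`).

```python
"""Door-sensor tracking over MQTT-style messages (added example, not from the thread)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DOOR_TOPIC = "home/hall/door"   # assumed topic
OPEN_TOO_LONG = 3600            # seconds: the "open for over an hour" threshold


def door_message(is_open: bool, topic: str = DOOR_TOPIC) -> Tuple[str, str]:
    """What the Pi publishes: a (topic, payload) pair, one of two fixed payloads."""
    return (topic, "OPEN" if is_open else "CLOSED")


@dataclass
class DoorMonitor:
    """The rule side: remembers when the door opened and alerts once per open period."""
    topic: str = DOOR_TOPIC
    open_since: Optional[float] = None   # time the door last became OPEN
    alerted: bool = False                # suppress repeated alerts for one open period
    alerts: List[str] = field(default_factory=list)

    def on_message(self, topic: str, payload: str, now: float) -> None:
        if topic != self.topic:
            return                       # other devices' traffic is not our business
        state = payload.strip().upper()
        if state not in ("OPEN", "CLOSED"):
            return                       # flaky sensor or mistyped test message: ignore, don't guess
        if state == "OPEN":
            if self.open_since is None:  # repeated OPEN keeps the original timestamp
                self.open_since = now
                self.alerted = False
        else:
            self.open_since = None
            self.alerted = False

    def tick(self, now: float) -> Optional[str]:
        """Periodic rule evaluation; returns the alert text the first time the threshold is crossed."""
        if self.open_since is None or self.alerted:
            return None
        elapsed = now - self.open_since
        if elapsed > OPEN_TOO_LONG:
            self.alerted = True
            msg = f"door open for {int(elapsed // 60)} minutes"
            self.alerts.append(msg)
            return msg
        return None


def simulate(messages, end: float, tick_every: float = 600) -> List[str]:
    """Replay (time, topic, payload) messages against a monitor that ticks every tick_every seconds."""
    mon = DoorMonitor()
    queue = sorted(messages)
    i = 0
    t = 0.0
    while t <= end:
        while i < len(queue) and queue[i][0] <= t:
            at, topic, payload = queue[i]
            mon.on_message(topic, payload, at)
            i += 1
        mon.tick(t)
        t += tick_every
    return mon.alerts


# Constructed sample traffic: a short open/close, then a door left open.
SAMPLE = [
    (0, *door_message(True)),
    (600, *door_message(False)),
    (1200, *door_message(True)),
    (1300, "home/kitchen/light", "ON"),   # unrelated topic, ignored
    (2000, DOOR_TOPIC, "maybe"),          # garbage payload, ignored
]

if __name__ == "__main__":
    print(simulate(SAMPLE, end=7200))     # ['door open for 70 minutes']
```

The first open period (0 to 600 s) never trips the rule; the second one starts at 1200 s and the ten-minute tick at 5400 s is the first to see more than 3600 s elapsed, so exactly one alert is produced and a later `CLOSED` resets the state.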

Thanks. The thing with the segregated devices on the local network was really bugging me. As you said it should work the same way as seeing a wired printer from a computer connected wirelessly, I just found out my Wi-Fi router had this feature enabled for some reason (probably because it is provided by the landlord's company and by default they disabled 5 GHz (who knows why), and when enabling 5 GHz I must have messed it up).

Running openHAB on a macOS or Windows machine is not really an option for me, because I don't want to leave either of those on 24/7, and once I figure out (following a step-by-step manual) how to install it on the RPi it will work identically as far as I know.

As I said before, for now I will definitely refrain from setting up any remote access, and I will go for this feature once I know what I am doing.

Thank you guys once more for the replies.


I recommend openHABian.

I already have a Linux distro (Raspbian) on my Pi, as I did start off by just twiddling around with it, and I kind of like the fact that I finally got used to what it looks like, so I will probably stick with it for now. But thank you for the advice! :)