Use openhabian in a restrictive network

I plan to run openhabian in a restrictive network. This means only proxy connections and, for example, NTP to an internal time server are allowed. Everything I’m used to from Pi OS doesn’t seem to work here.

Is my plan feasible?

So far I have tried static IP, proxy settings, and NTP on an internal server. Everything that usually works does not seem to be provided here. So at the moment I have no chance to test it because the restrictive network does not allow it :frowning:

Anything I can do?

For me the question is not clear. Would you like to know how to initially set up (download) openhabian in such an environment because the download / installation already does not work, or do you have a basic installation and need advice on how to run the instance of openhab?

Thanks for your answer, I should have been more specific :wink:

I’m talking about the already successfully flashed image
openhabian-pi-raspios32-202203300347-git1305ac7-crcc3eb5287.img
that I would now like to put into operation.

However, this does not succeed because the installation routine at the 1st start obviously does not cope with the fact that only proxy connections are allowed. This is noticeable, among other things, by NTP settings being ignored, and the installer claims there would be no internet connection and opens an AP in the background without asking. So it seems to me the usual settings (proxy, NTP, static IP) are all ignored and don’t work here?

NTP does not work via a proxy. NTP uses UDP network traffic.
You need to use an NTP server in your local network then. You may use your network equipment, like your router, to set up your own NTP service.

Neither in the docs of openhabian nor in openhabian’s scripts do I see any hint that network traffic will be routed via a proxy to be used by openhabian.
This means that you need to do this setting on your own.
This procedure is described e.g. at https://kifarunix.com/configure-apt-proxy-on-debian-10-buster/

Did you try that?
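The settings this reply refers to, together with the apt.conf, /etc/environment and visudo changes mentioned later in the thread, as an added example that is not from the thread or the openHABian project: a script that stages the files in a scratch directory for review. The proxy and NTP host names are placeholders, and systemd-timesyncd as the time client is an assumption.

```shell
#!/bin/sh
# Added example: stage proxy and internal-NTP settings for a Debian-based
# image. Host names are placeholders; timesyncd as time client is assumed.

# stage_restricted_net_config ROOT PROXY_URL NTP_SERVER
# Writes the files under ROOT so they can be reviewed before copying to /.
stage_restricted_net_config() {
    root=$1 proxy=$2 ntp=$3
    case $proxy in
        http://*|https://*) ;;
        *) echo "proxy must be an http(s):// URL" >&2; return 1 ;;
    esac
    mkdir -p "$root/etc/apt/apt.conf.d" "$root/etc/sudoers.d" \
             "$root/etc/systemd/timesyncd.conf.d"

    # apt takes its proxy from its own configuration.
    cat > "$root/etc/apt/apt.conf.d/95proxy" <<EOF
Acquire::http::Proxy "$proxy";
Acquire::https::Proxy "$proxy";
EOF

    # /etc/environment is plain KEY=value: no "export", no expansion.
    cat >> "$root/etc/environment" <<EOF
http_proxy=$proxy
https_proxy=$proxy
no_proxy=localhost,127.0.0.1
EOF

    # sudo resets the environment; keep the proxy variables for root
    # commands (what the visudo edit achieves). Conventional mode is 0440.
    echo 'Defaults env_keep += "http_proxy https_proxy no_proxy"' \
        > "$root/etc/sudoers.d/proxy-env"
    chmod 0440 "$root/etc/sudoers.d/proxy-env"

    # NTP is UDP and cannot use the HTTP proxy: name the internal server.
    cat > "$root/etc/systemd/timesyncd.conf.d/10-internal-ntp.conf" <<EOF
[Time]
NTP=$ntp
EOF
}

# Demo against a throwaway staging directory (placeholder hosts).
demo_root=$(mktemp -d)
stage_restricted_net_config "$demo_root" \
    "http://proxy.example.internal:3128" "ntp.example.internal"
find "$demo_root" -type f | sort
```

Validate the staged sudoers drop-in with `visudo -cf` before installing it. The thread does not establish whether openHABian's first-boot installer honours any of these files.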

While in theory Inet access ain’t needed, neither openHABian nor the underlying Raspi OS are designed or even tested to work in that restrictive an environment. No one can tell what all the bits and pieces are that you need to adapt to make it work there. I’m forecasting you will be hitting many issues, and not just during initial setup of the box and OH but also during operations.
This is not going to be fun.
No, I’d claim your idea is not feasible. Don’t trick yourself into believing that it could be just because of some apparent initial success. Lots more issues still looming.

I’ve never tried it with OH but I routinely have to deal with this sort of thing in air-gapped networks (not even a proxy is available). Based on what I know of OH and openHABian I would also say this is not going to be feasible, at least not without a lot of work.

You might be able to set it up in a “normal” network to start with. Once everything is installed and upgraded as you want it, only then move the setup to the restricted environment. But that then sort of breaks the security of having the restrictive network in the first place.

This has been the bane of my existence in the past. Pretty much everyone just assumes that every machine has access to the Internet all the time. I once had to spend a week researching because the only known way to install a service (Chef for the curious, and this was a long time ago) was to download their install.sh script and run it. That script pulled all the dependencies and everything else individually from all over the Internet and I had to identify each and every one.

I already use one.

Yes, tried apt.conf and /etc/environment, visudo.


As I mentioned before, I have never had any [not solvable ;-)] problems using a proxy.

So let me name this as: openHABian is not designed or even tested to work in a restrictive environment :frowning: Ok, bad news…

However, I cannot understand a design decision. If for whatever reason someone is in such a network and uses the LAN interface (static IP), then there must at least be a message, something like “There is a problem with your internet connection, should we open an AP to configure your wifi?” and not simply open an unprotected AP without warning… to my understanding this is horribly wrong!

That’s what I thought first :wink:

That’s what I thought second :wink:

Totally agree!

I am new to Home Automation; time will tell how far I get with openhab (together with proxy and…)

Thanks for all your answers.

One thing to be added, I think. Many bindings use cloud APIs, as vendors don’t support local control. Therefore permanent internet access for your openHAB would be needed. I always try to follow the “Intranet of Things” mantra and choose stuff with local API, but it was not always possible…

No, then you’re wrong in expecting the thing should work in that environment.
openHABian is purpose built, and its purpose is to ease Home Automation. That, among other stuff, means it is not meant to be run in a restrictive env like yours. If it was really Home Automation we’re talking about, your network wouldn’t be restrictive. Your environment isn’t a Home then. That means that if you still try by taking the pill, it’s off-label use. That’s what the drug wasn’t developed to be used for, that’s what it isn’t tested to be effective in.
That now for sure does not turn design decisions into “horribly wrong” ones just because those imply you cannot use it the way you hoped you could.
It’s quite the opposite. Testing and eventually adapting openHABian to make it work in such an environment would have been a horribly wrong decision because it would have removed focus from and shifted our limited resources (developer’s time and energy) away from making openHABian become what it is today, a reliable basis for your home automation.
And who would benefit from this? A handful of people at most.

Frankly, when you’re new to a game, you shouldn’t be judging the experienced players’ design decisions. Good luck though.

Ok, you feel offended because I said something about your “baby”. That’s ok, feel angry if you like :wink:

New or not new, you opened someone’s secured door without asking and think that’s the best choice. I think that’s horribly wrong.

Whose door and why opened? And no, I didn’t.
It’s any user’s responsibility to select and configure the software he wants to use.

openHABian is designed to be installed and configured headless: no keyboard, no monitor plugged in. There would be no way to answer that question to open the AP. The purpose of the AP is so in the event of a problem you can still connect to that headless machine and maybe fix what’s wrong.

Again, openHABian is not designed for the environment you are trying to use it in so it’s going to do things that normally would not be a good idea in that environment. But in the typical home use case with a headless machine, opening that AP is a really good idea. Otherwise there is no way to connect to it at all.

This behavior is clearly documented:

After these stages it checks for connectivity to the Internet and if that fails, it’ll open a Wi-Fi hotspot that lets you manually connect your system to a WLAN (Wi-Fi) of yours to jumpstart networking. Remember that once the hotspot is started, it’ll hide once you have successfully used it to connect your Wi-Fi interface but it’ll return should your Wi-Fi connectivity break down.

About the only thing I can think of that might make sense is to only open that AP when DHCP failed on the ethernet wired port. If you are wired and DHCP successfully allocated an IP and everything, it’s reasonable to assume that the device can be reached so there is no need to open the WiFi AP.
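The rule suggested in the post above, as an added example that is not openHABian code or part of the original thread: the fallback hotspot is opened only when the Internet probe fails and the wired port holds no usable IPv4 address. The function names and the `up`/`down` probe result are hypothetical, and the sample `ip` output lines are constructed; a static address counts as usable here, which goes slightly beyond the DHCP-only case in the post.

```shell
#!/bin/sh
# Added example (not openHABian code): decide whether a fallback Wi-Fi
# hotspot is warranted, following the rule proposed in the post above.

# Reads `ip -o -4 addr show dev <iface>` output on stdin.
# Succeeds if the interface holds a global-scope IPv4 address that is not
# a 169.254.0.0/16 link-local fallback (what a failed DHCP attempt leaves).
wired_has_usable_ipv4() {
    awk '
        $3 == "inet" && /scope global/ {
            split($4, cidr, "/")
            if (cidr[1] !~ /^169\.254\./) usable = 1
        }
        END { exit usable ? 0 : 1 }
    '
}

# $1 = captured `ip -o -4 addr` output for the wired port
# $2 = result of the Internet reachability probe: "up" or "down"
# Prints one of: none | skip-wired-reachable | open-hotspot
hotspot_decision() {
    if [ "$2" = "up" ]; then
        echo "none"
    elif printf '%s\n' "$1" | wired_has_usable_ipv4; then
        # Device is reachable over the wire: no need to expose an AP.
        echo "skip-wired-reachable"
    else
        echo "open-hotspot"
    fi
}

# Constructed sample inputs (not captured from a real device).
SAMPLE_DHCP='2: eth0    inet 10.20.30.40/24 brd 10.20.30.255 scope global dynamic eth0\       valid_lft 86000sec preferred_lft 86000sec'
SAMPLE_LINKLOCAL='2: eth0    inet 169.254.17.5/16 brd 169.254.255.255 scope global noprefixroute eth0\       valid_lft forever preferred_lft forever'
SAMPLE_NOADDR=''

for sample in "$SAMPLE_DHCP" "$SAMPLE_LINKLOCAL" "$SAMPLE_NOADDR"; do
    hotspot_decision "$sample" down
done
```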

No

OpenHABian is just a way to set up openHAB on a SBC

You should create your own secure OS env and install openHAB on top of that.

This is true

OpenHABian is just a way to configure your system how you want it easier for beginners.

Lots of them have forwarded their external port 80 to their openHAB page. Probably because they read some blog post that’s 5 years old written by a teenager on how to get home automation on your phone from anywhere. Just search on Shodan and you will find many home automation systems you can play with.

This is not an openHAB problem or openHABian problem. It’s open source software that you can do anything with. If that’s opening it up to the whole world to control your front door lock then go for it.

Run openHAB on a server on the internet and tunnel into it

Static IP isn’t supported with the image. That’s also documented where Rich pointed at.

You could even install openHABian on top of your own OS.
It would provide (almost) all of its benefits but would not touch the base server’s networking.

And - normally needless to say - to RTFM before use.