Remote access & fleet management solution

Hi all,
I’m investigating a use case to install an Iotawatt at a remote location, and I want to be able to securely access the Iotawatt remotely.

In accordance with earlier discussions (for example here: Remote access of base unit) I currently open port 80 in the ISP router at the remote location and I set a password on the Iotawatt. However, all traffic is unsecured and the solution only works if I can access the ISP router settings.

I’m investigating an alternative solution, where I put a Raspberry Pi (or similar) next to the Iotawatt, where the RPi acts as a router and VPN and/or reverse proxy with SSL.
The RPi would expose a Wifi access point to which the Iotawatt connects. The RPi would be connected to the local LAN either through Ethernet or Wifi (in that case I would need an extra Wifi USB stick in the RPi).

I would go for a dockerized solution on the RPi (Raspbian with Docker or BalenaOS), as it would allow other applications to run as well.

I thought it would be interesting to share my use case here as it gets shaped. I’m hoping to hear your feedback and experiences.
The setup has big advantages as it enables secure communications, doesn’t need interventions on the ISP router (opening ports etc), and I can remotely access my Iotawatt (web interface) and Raspberry Pi (SSH) without hassle.

Visual representation:

I’m currently making some trade-offs:

  • OS to run on RPi: Running Raspbian+docker versus BalenaOS. BalenaOS would be ideal for remote fleet management, but I have no experience so far.
  • VPN versus reverse proxy with SSL? (I read some preference towards OpenVPN in other topics like here: IoTaWatt Remote Access, but I would like to better understand the trade-off w.r.t. reverse proxying)

Any insights? If you have example code to share, would be interesting as well.

I think @brettbeeson and @blitz1986 have some experience in these topics. Your input and feedback would be very welcome.

Best regards,
Michaël

Good Morning,
I currently access Iotawatt both thru a VPN and thru an nginx reverse proxy with a .htpass file for authentication (running on a Rpi). Both ways are secure, but I use the VPN more because it allows me to remotely connect to all my local resources. The absolutely easiest way is to get a Rpi 3+ set up and run this command: “curl -L https://install.pivpn.io | bash”, then forward port 1194 to the Rpi in your router. More info here: https://www.pivpn.io. Port 80 open on your router pointing to anything on your local network is bad bad bad.
Edit: I run Raspbian on the Rpi. Not familiar with BalenaOS. I have Docker Compose installed on the Pi as well, running other things: Grafana, influxdb, telegraf…

Jamie

Thanks for your input. I’ll have a look at PiVPN. However, I’m looking for a solution where I don’t need to access or alter the local ISP modem/router settings (e.g. opening ports), as I won’t always have access + every house has a different setup.

Hi Michael. I’ll outline my system, which might suit or could be adapted. Neither option requires ISP changes. They just need internet access (e.g. via wifi). They work with an inbound-blocking firewall too. They both need a server - this might seem like a con, but an AWS or similar micro instance is free/cheap.

Option 1: autossh rings an AWS server which is accessible anywhere. Details here. Pros: easy to set up if you’re familiar with SSH. Cons: doesn’t scale; need to SSH in.

Option 2: OpenVPN. An AWS server runs a VPN network. Easier than it sounds to set up. I use this now and am deprecating Option 1. Details here. Once a pizero is on the VPN, you can access it like a local computer. I run nginx and forward port 80 to iotalocal.local. Pros: seamless. Cons: complex for a single unit.

Once I got to 30+ units, I moved to Ansible to control the configuration as I got sick of ssh’ing to every unit to apt upgrade or whatever.

Good luck! Cheers, Brett


Have a look at something like Itarian remote control. I manage computers and use this. The software will need to run on a local computer, and Itarian allows you to connect to the desktop and manage local devices such as the Iotawatt. Itarian is free up to a certain number of connections. Very secure and no changes made to the ISP router. Also, I have a couple of places with cellular ISPs configured as Brett explained in his post using AWS. Good luck.

Jamie

@michaelpiron

My bet is to set up a VPN using an efficient protocol like WireGuard (I have used this setup successfully for different purposes).

You only need a central server (it can be a cheap VPS on any major provider, e.g. AWS, Microsoft Azure, OVH, Hetzner, maybe 5 EUR / 4 USD a month). This server can run any Linux distribution of your choice (Ubuntu or Debian, for example).

All the devices must have WireGuard installed. It’s available for Windows, macOS, Linux, Android and iOS. Those “satellite” devices will be connected to the “central” WireGuard instance, located on the VPS server with a static IP and port 51820 open (the AWS node on my diagram).

Once the server is configured to forward the traffic, you’ll be able to connect from 10.10.10.3 to 10.10.10.5 using SSH, as if the device were on your local home network :smiley:

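The hub-and-spoke WireGuard layout described in the post above, as an added example that is not code from the thread or from any poster: a POSIX shell script that renders the VPS hub config and a satellite RPi config. The 10.10.10.0/24 addresses and UDP port 51820 come from the post; the hub hostname vps.example.org, the peer names and the placeholder key strings are assumptions.

```shell
#!/bin/sh
# Added example: render hub-and-spoke WireGuard configs. The hub is the VPS
# with a static IP and 51820/udp open; satellites are RPis behind ISP routers
# that forward nothing inbound. Keys are placeholders: create real ones with
# `wg genkey | tee private.key | wg pubkey` and never reuse them across devices.

HUB_ENDPOINT="${HUB_ENDPOINT:-vps.example.org:51820}"   # assumed hostname
VPN_NET="10.10.10.0/24"

# hub_conf HUB_IP "name:pubkey:ip" ...  -> wg0.conf for the VPS
hub_conf() {
  hub_ip="$1"; shift
  printf '[Interface]\nAddress = %s/24\nListenPort = 51820\n' "$hub_ip"
  printf 'PrivateKey = <HUB_PRIVATE_KEY>\n'
  # Peer-to-peer traffic (10.10.10.3 -> 10.10.10.5) is relayed by the hub,
  # so forwarding must be enabled and only allowed between wg0 peers.
  printf 'PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT\n'
  printf 'PostDown = iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT\n'
  for peer in "$@"; do
    name=${peer%%:*}; rest=${peer#*:}; key=${rest%%:*}; ip=${rest#*:}
    # A /32 per peer is WireGuard's cryptokey routing: packets from this key
    # are accepted only with this source address, so one RPi cannot
    # impersonate another even if it is compromised.
    printf '\n# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$name" "$key" "$ip"
  done
}

# peer_conf PEER_IP  -> wg0.conf for one satellite RPi
peer_conf() {
  printf '[Interface]\nAddress = %s/32\nPrivateKey = <PEER_PRIVATE_KEY>\n\n' "$1"
  printf '[Peer]\nPublicKey = <HUB_PUBLIC_KEY>\nEndpoint = %s\n' "$HUB_ENDPOINT"
  # Route the whole VPN subnet via the hub so satellites reach each other
  # without any direct path or router changes at either site.
  printf 'AllowedIPs = %s\n' "$VPN_NET"
  # Satellites only send outbound; the keepalive holds the ISP router's NAT
  # mapping open so the hub can still reach the device at any time.
  printf 'PersistentKeepalive = 25\n'
}

# Demo: `sh wg-fleet.sh demo` prints the hub plus one satellite config.
if [ "${1:-}" = "demo" ]; then
  hub_conf 10.10.10.1 "rpi-a:<PEER_A_PUBLIC_KEY>:10.10.10.3" "rpi-b:<PEER_B_PUBLIC_KEY>:10.10.10.5"
  printf '\n--- satellite rpi-a ---\n'
  peer_conf 10.10.10.3
fi
```

Adding a new unit to the fleet is one more `name:pubkey:ip` argument on the hub plus a `peer_conf` for the device, which is the kind of per-device rendering Ansible ends up doing for 30+ units.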