Remote access & fleet management solution

Hi all,
I’m investigating a use case to install a Iotawatt at a remote location, and I want to be able to securely access the Iotawatt remotely.

In accordance with earlier discussions (for example here: Remote access of base unit) I currently open port 80 in the ISP router at the remote location and I set a password on the Iotawatt. However, all traffic is unsecured and the solution only works if I can access the ISP router settings.

I’m investigating an alternative solution, where I put a Raspberry Pi (or similar) next to the Iotawatt, where the RPi acts as a router and VPN and/or reverse proxy with SSL.
The RPi would expose a Wifi access point to which the Iotawatt connects. The RPi would be connected to the local LAN either through Ethernet or Wifi (in that case i would need an extra Wifi USB stick in the RPi).

I would go for a dockerized solution on the RPi (Raspbian with Docker or BalenaOS), as it would allow other applications to run as well.

I thought it would be interesting to share here my use case as it gets shaped. I’m hoping to hear your feedbacks and experiences.
The setup has big advantages as it enables secure communications, doesn’t need interventions on the ISP router (opening ports etc), and I can remotely access my Iotawatt (web interface) and Raspberry Pi (SSH) without hassle.

Visual representation:

I’m currently making some trade-offs:

  • OS to run on RPi: Running Raspbian+docker versus BalenaOS. BalenaOS would be ideal for remote fleet management, but I have no experience so far.
  • VPN versus reverse proxy with SSL? (I read some preference towards OpenVPN in other topics like here: IoTaWatt Remote Access, but I would like to better understand the trade-off w.r.t. reverse proxying)

Any insights? If you have example code to share, would be interesting as well.

I think @brettbeeson and @blitz1986 have some experience in these topics. Your input and feedback would be very welcome.

Best regards,
Michaël

Good Morning,
I currently access Iotawatt both thru a vpn and I can access thru nginx reverse proxy with a .htpass file for authentication. (running on a Rpi) Both ways are secure but I use the vpn more because it allows me to remotely connected to all my local resources. The absolutely easiest way is to get a Rpi 3+ setup and run this command: “curl -L https://install.pivpn.io | bash” then forward port 1194 to the Rpi in your Router. More info here https://www.pivpn.io Port 80 open on your router pointing to anything on your local network is bad bad bad.
Edit: I run Raspbian on the Rpi. Not familiar BalenaOS. I have Docker compose installed on the Pi as well running other Grafana, influxdb, telegraf…

Jamie

Thanks for your input. I’ll have a look at PiVPN. However I’m looking for a solution where I don’t need to access or alter the local ISP modem/router settings (e.g. opening ports), as I won’t alwasy have access + every house has a different setup.

Hi Michael. I’ll outline my system which might suit or could be adapted. Neither require ISP changes. They just need internet access (e.g. via wifi). They work with inbound-blocking firewall too. They both need a server - this might seem like a con, but an AWS or similar micro instance is free/cheap.

Option 1: autossh rings a AWS server which is accessible anywhere.Details here. Pros: easy to setup if you’re familiar with SSH. Cons: doesn’t scale; need to SSH in.

Option 2: OpenVPN. A AWS server runs a VPN network. Easier than it sounds to setup. I use this now and am depreciating Option 1. Details here. Once a pizero is on the VPN, you can access like a local computer. I run nginx and forward port 80 to iotalocal.local. Pros: seamless Cons: complex for a single unit

Once I got to 30+ units, I moved to Ansible to control the configuration as I got sick of ssh’ing to every unit to apt upgrade or whatever.

Good luck! Cheers, Brett

1 Like

Have a look at something like Itarian remote control. I manage computers and use this. The software will need to run on a local computer and Itarian allows you to connect to the desktop and manage local devices such as the Iotawatt. Itarian is free up to a certain number of connections. Very secure and no changes made to the ISP router. Also I have a couple places with cellular ISP’s configured as Brett explained in his post using AWS
. Good luck.

Jamie