paulbates, posted September 8, 2015

FYI for DynDNS customers. I went for the DynDNS paid-for service last year @ $25. I got a notice today that my auto renewal didn't work. When I logged in to check, it said my account was now set up for auto renewal, but it's now $40 a year.... http://dyn.com/dns/

I've taken the hint and gone No-IP. It took 5 minutes including updating my router. It's free.
larryllix, posted September 8, 2015

No-IP changed the name of my URL from my nickname to my last name when I was on vacation, and then discontinued my service because the new rules they instated while I was away said I had to check in every month. Since I had only a few minutes of access time at a high cost on a cruise boat, I couldn't. They then shut off my account totally due to not following their new policy.

In short, the free service promised on the box with the router purchase let me down after a few months when I actually needed it. I just don't trust cloud services to be reliable, period, anymore. If money is no object, then just open your wallet wider and hope they play nice.

I have discussed this with my ISP and they are considering creating their own for their customers. Hell, I don't even have to sign in for all my stats, data, email. They know what line it is coming in on. Pretty hard to tee into a fibre optic line. My ISP supplying DDNS would be perfect.

It may be cheaper to get a static IP address and be more self-dependent. Mine hasn't changed for a few years as I never release it.
paulbates (author), posted September 8, 2015

Good point. I checked my router, and it has a built-in DDNS service that I requested right from the router's DDNS page. Easiest of all, no setup or accounts.

Paul
MWareman, posted September 8, 2015

I use dns.he.net (also free, but can also use your own custom domain). This allows me to use a wildcard SSL certificate and do cool tricks with hosting multiple things behind a single IP/SSL. Not quite as widely supported, but you can use dnsomatic.com to update it for you. he.net is Hurricane Electric - one of the larger transit carriers globally. The service has been flawless for years now.
apostolakisl, posted September 8, 2015

I use the paid No-IP. I paid $34.95 for 2 years and for that I get 25 DNS names. I have had it for many years and am quite pleased with it. With 25 names I have set up my parents, my office, my home, and my church with multiple accounts. They have a number of features I don't use, but the one I do use is port assignment. So, in other words, I can put various computers/devices in my home on their own ports and give them a name through No-IP that makes sense, and I don't have to remember any port numbers.
MWareman, posted September 9, 2015

> the one I do use is port assignment. So, in other words, I can put various computers/devices in my home on their own ports and give them a name through No-IP that makes sense, and I don't have to remember any port numbers.

That must work by redirection or framing - DNS does not do ports. Either solution has privacy implications, since the redirect or frame is served by the provider. Not saying it's not a great solution - but it's not for me.
larryllix, posted September 9, 2015

> That must work by redirection or framing - DNS does not do ports. Either solution has privacy implications, since the redirect or frame is served by the provider. Not saying it's not a great solution - but it's not for me.

No-IP DDNS just passed the port numbers through their conversion like it was part of the URL when I was using it. https://myname.mynetgear.com:12345

All my devices use ports as they can only comm with/through one IP address. Ports are required to talk to multiple devices through one IP address on one router. The router can convert those, again, to an internal IP address and/or port number.
paulbates (author), posted September 9, 2015

It would be interesting to see what you guys have for requirements to consume these remote solutions? Mine:

Administration: I need to get access to a handful of web configuration pages, ssh / X for 2 Pis and, of course, the ISY Admin. I will only do this from known systems I control. Primarily I just look in on things.

Mobile: My automation is mostly automated, so little need for remote control. Things like thermostats come with their own apps; integrating it all is not of high value to me. In addition, we change phones and OSes frequently, and my work drives the phone/OS choice for me. I have a handful of HAD pages that can be used on any mobile device and just in the house for some functions like dampers, attic fan, etc. I have the same for sprinkler zones for maintenance.

The solution choices I know are:

Inject the remote client into the LAN with port forwarding and using X/RDP inside the LAN. This works surprisingly well with the Pi 2B. I just can't get the Admin console to run on the Pi, so I have another port forwarded in to it and run it on a remote system. I'm doing this now.

..Or..

Use a VPN solution to extend the entire LAN out to the remote client. My router provides VPN servers and I am experimenting with that as my new end state solution. I need a new tablet and am getting a Windows 10 version, and one of its jobs will be to remotely administer the ISY.

I'm curious what your requirements / approach are, and comments on my approach.

Paul
MWareman, posted September 9, 2015

> No-IP DDNS just passed the port numbers through their conversion like it was part of the URL when I was using it. https://myname.mynetgear.com:12345 All my devices use ports as they can only comm with/through one IP address. Ports are required to talk to multiple devices through one IP address on one router. The router can convert those, again, to an internal IP address and/or port number.

So it's using a redirect, then. The DNS protocol simply cannot pass port numbers to browsers in response to a name request without a port. They must be resolving to one of their (static) IPs, then issuing a 3xx redirect to the destination specified with the port.
MWareman, posted September 9, 2015

@paulbates, I run an Apache proxy with a wildcard SSL certificate on it. Then a DDNS service (using dns.he.net) pointing to it, followed by a bunch of CNAME DNS records (with the DDNS name as the target). The Apache proxy receives the request, negotiates SSL, reads the name and passes the request to the specific named instance. There I authenticate (if necessary) and pass the request to the back end server.

I have about 40 discrete host names going to different devices - all behind a single IP/SSL cert.... My ISY (of course!), a MythTV back end, several MythTV frontends (need API access), my Foscam (I add SSL to these...). The list goes on... but you get the idea.

At work I run F5 SSL accelerators/load balancers. These are way too expensive for home use - but I've replicated the same basic functionality with Apache instead.
bernieb, posted September 9, 2015

MWareman ... This sounds like it would be the way to go in order to protect from outside intrusion .... Is this what's called a reverse proxy? I would really be interested in looking more into this. Any good "How-To" sites that would explain a step by step way of configuring this that you know of?

Bernie
paulbates (author), posted September 9, 2015

Michael, a couple of additional questions:

I have an external client that I want to use to run the admin console in the reverse proxy scenario. One of the DNS names you are referring to would point at an SSL session that is 443 on the ISY, and I configure the ISY finder with that DNS name; is that how it works on the client side?

I have an RPi that could probably handle this type of load, but I would have to move it to the DMZ. What's the implication for the LAN based web services already running on it? Does the device moved into the DMZ need to be dedicated as a proxy device?

Paul
Scott847, posted September 9, 2015

> It would be interesting to see what you guys have for requirements to consume these remote solutions? Mine: Administration: I need to get access to a handful of web configuration pages, ssh / X for 2 Pis and, of course, the ISY Admin. I will only do this from known systems I control. Primarily I just look in on things. .... The solution choices I know are: Inject the remote client into the LAN with port forwarding and using X/RDP inside the LAN. This works surprisingly well with the Pi 2B. I just can't get the Admin console to run on the Pi, so I have another port forwarded in to it and run it on a remote system. I'm doing this now. ..Or.. .... I'm curious what your requirements / approach are, and comments on my approach. Paul

Paul, for remote access to Raspberry Pis I'm currently using autossh. Autossh sets up an ssh tunnel to an external server and then you use a normal ssh connection tool like PuTTY to connect to the external server, which in turn routes your ssh traffic to the RPi. This avoids the need to set up any port forwarding on the local network where the RPi resides. Some background on this is at https://raymii.org/s/tutorials/Autossh_persistent_tunnels.html. My setup is pretty close to this except I use Supervisor to start Autossh on the RPi at boot instead of /etc/rc.local.

For remote access to the ISY I've been using the UDI ISY Portal at https://my.isy.io/index.htm. After logging into the portal there's an ISY Information option that shows the URL to use for connecting the ISY Administrative Console through the portal.
paulbates (author), posted September 9, 2015

Thanks Scott, a couple of questions about autossh:

I leave the Pi on my LAN and not in the DMZ, correct? Normal LAN web services I run from it will continue to function locally?

I am a traveler and need to come into my network from the outside at random times for brief periods to check on it. I will be initiating a session from a laptop or Windows tablet that isn't connected all of the time, and the connection is always initiated from the outside. It seems like from the description that I would need to get into my local network remotely to start the SSH session back to the portable device I am trying to use to get in to the network?

This is a tricky topic and there's a lot I don't understand yet.

Paul
Scott847, posted September 9, 2015

> Thanks Scott, a couple of questions about autossh: I leave the Pi on my LAN and not in the DMZ, correct? Normal LAN web services I run from it will continue to function locally? I am a traveler and need to come into my network from the outside at random times for brief periods to check on it. I will be initiating a session from a laptop or Windows tablet that isn't connected all of the time, and the connection is always initiated from the outside. It seems like from the description that I would need to get into my local network remotely to start the SSH session back to the portable device I am trying to use to get in to the network? This is a tricky topic and there's a lot I don't understand yet. Paul

Yes, the Pi stays in the LAN, not DMZ, and everything continues to work normally. Autossh on the Pi maintains a TCP ssh connection to an always-on external server, which is waiting for you to connect to it from wherever you are. Instead of starting a PuTTY, FileZilla, or any ssh connection directly to the RPi, you instead use the IP address and port you set up on the external server. PuTTY then behaves exactly as if you were directly connected.

If you only have RPis at a single site this is probably more difficult than simply port forwarding ssh (port 22) on the local router to your Pi on the LAN. The big benefit of autossh is when you have RPis at multiple sites, especially when you don't have access to the router to set up port forwarding into the RPi.

I'm currently using Linode for the always-on external server. Amazon AWS could also be used, among many others.
paulbates (author), posted September 9, 2015

Ok, thanks Scott. I'm still leaning towards VPN access from a dedicated mobile W10 device, with the Admin client loaded on it. My access needs are for access from any number of locations at random times. There will be no way to configure my network to know this. There is a little bit of setup for VPN, but then I can do what I need. My router supports this and has a ton of available compute cycles, so I'm optimistic that this will work for me. Some testing left to do..

Paul
Scott847, posted September 9, 2015

> Ok, thanks Scott. I'm still leaning towards VPN access from a dedicated mobile W10 device, with the Admin client loaded on it. My access needs are for access from any number of locations at random times. There will be no way to configure my network to know this. There is a little bit of setup for VPN, but then I can do what I need. My router supports this and has a ton of available compute cycles, so I'm optimistic that this will work for me. Some testing left to do.. Paul

VPN should be a great solution for you. I'm using the Community version of OpenVPN running on Windows for access through my home router running OpenWRT.
apostolakisl, posted September 9, 2015

> That must work by redirection or framing - DNS does not do ports. Either solution has privacy implications, since the redirect or frame is served by the provider. Not saying it's not a great solution - but it's not for me.

It is a port 80 redirect. I guess the original reason was for ISPs that block port 80, but no matter, you can put whatever port you want and it overrides the default port 80 of HTTP to whatever you want. As far as I know, it only works for HTTP. But I am rather certain it is a dynamic DNS function, not some other trick. After typing in the URL that has the port 80 redirect, your browser shows the WAN IP and port number you specified just like you did it manually: xxx.xxx.xxx.xxx:yyyy. So my browser actually went to the site located at that IP and port.
paulbates (author), posted September 11, 2015

> VPN should be a great solution for you. I'm using the Community version of OpenVPN running on Windows for access through my home router running OpenWRT.

Scott, thanks. I have an Asus with the Merlin WRT firmware. It's a reasonable balance of interface, config tweaking, performance and security. It has OpenVPN servers.

Paul

Sent from my iPhone using Tapatalk
apostolakisl, posted September 11, 2015

> Scott, thanks. I have an Asus with the Merlin WRT firmware. It's a reasonable balance of interface, config tweaking, performance and security. It has OpenVPN servers. Paul

Do you keep a computer running at home? It would be very easy to use Remote Desktop or TeamViewer to get secure access to your home network. Remote Desktop just needs a port forward and TeamViewer needs nothing.
paulbates (author), posted September 11, 2015

> Do you keep a computer running at home? It would be very easy to use Remote Desktop or TeamViewer to get secure access to your home network. Remote Desktop just needs a port forward and TeamViewer needs nothing.

Thanks for the suggestion. I had a Windows 7 server when I had HomeSeer, and RDP'd into it on a non-standard port. However my goal was to shut it down, and it was retired after migrating to the ISY. There are 2 desktops, but they are set to go into standby mode. The family uses them frequently too, and I stopped RDP'ing to them for that reason.

I'm signed up for the ISY Portal beta for remote admin portal access, and will also continue RDP'ing to the Pi for web managing services, like xxxlink, router, NAS, etc, from the outside. These services need little attention and I don't visit them often in steady state; the proxy route won't be worth it for me. The VPN will be a backup in case a heavier hand is needed.
apostolakisl, posted September 14, 2015

> There are 2 desktops, but they are set to go into standby mode.

You can always use Wake-on-LAN if you don't want to burn the power.
paulbates (author), posted September 14, 2015

> You can always use Wake-on-LAN if you don't want to burn the power.

That can be tricky from the outside; WOL are MAC frames, not IP packets. There's a catch-22 getting that sent from the outside, to set up communications so I can get access... The option I know is to open my router's admin pages to the outside world. It has a page for WOL management. I'm not willing to open it up, even with TLS and an obscure port.

It's more that family members use the computers... so I either come into an active session, or get texts, etc. about being in there when somebody needs the system.

I just set up the portal beta... pretty nice. I need to try the Admin console from a remote location; I have been at home the last few weeks.
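As an added illustration of the Wake-on-LAN point above (example code written for this page, not from any poster): the magic packet is just a sync pattern plus the target MAC repeated 16 times, and it is delivered as a link-layer broadcast on the local segment, which a home router will not forward from the WAN side. The MAC address in the test is constructed; nothing here contacts the network unless you call send_magic_packet yourself.

```python
"""Wake-on-LAN magic packet: build, parse, and broadcast on the local LAN."""
import re
import socket
from typing import Optional

SYNC = b"\xff" * 6   # six 0xFF bytes mark the start of a magic packet
REPEATS = 16         # target MAC must follow, repeated 16 times

def mac_to_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into 6 raw bytes."""
    if not re.fullmatch(r"([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}", mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(re.sub(r"[:-]", "", mac))

def build_magic_packet(mac: str) -> bytes:
    """Return the 102-byte magic packet payload that wakes the given MAC."""
    return SYNC + mac_to_bytes(mac) * REPEATS

def parse_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC if payload is a well-formed magic packet, else None.

    Defensive use: a packet-capture or firewall log parser can flag wake-ups
    that arrive from an unexpected source on the LAN.
    """
    idx = payload.find(SYNC)
    if idx < 0:
        return None
    body = payload[idx + 6 : idx + 6 + 6 * REPEATS]   # trailing SecureOn password ignored
    if len(body) != 6 * REPEATS:
        return None
    mac = body[:6]
    if body != mac * REPEATS:   # every repetition must match the first
        return None
    return ":".join(f"{b:02x}" for b in mac)

def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast the packet on the local segment; returns bytes sent.

    Broadcasts reach every NIC on the LAN (a sleeping NIC only watches for
    the magic pattern) but are not routed, so a packet sent from outside the
    home router never arrives. That is why WOL needs something inside the
    LAN (a VPN endpoint, or the router itself) to emit it.
    """
    payload = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(payload, (broadcast, port))
```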