JBanaszak Posted September 25, 2020

Hello all. I am a few months from relocating to warmer climates for the winter and leaving my ISY/Polisy to watch over things at the main house for several months. I am trying to come up with the best option to access my Polisy remotely to respond to power failures, do routine updates, restart node servers, etc.

I would like expert input from this group in two areas:

- Do I have a complete list of viable options
- Pros, cons, comments on viability, and direct experience with any of the options

In the order of my level of expertise, I can see (or imagine) the following options for remote access to the Polisy:

A. Direct port forwarding to the Polisy. I have tried this and it works as expected. I am aware of the security risks but have a pretty robust firewall solution and ports open for other reasons. This is the simplest solution (for me with my current knowledge) but more or less defeats the purpose of keeping ISY/Polisy communications on the local network.

B. Running a VNC server somewhere on my network and using remote access to that device to log in to the Polisy locally. I have some experience in this area from managing industrial products requiring remote access. It would be easy for me to set up on a repurposed Mac mini or similar. Would it be possible to run a VNC server on Polisy itself?

C. Use network resources and ISY programs to run SSH commands on the Polisy over the local network, which I could then manage/control via Portal access to the AC. Now I am getting out of my league... is this possible? If so, where could I learn more about it?

D. Ask nicely/hope/convince UDI to add Polisy control (e.g., reboot, update, restart node server, etc.) to the node server menu in the AC, which can be accessed remotely via the Portal. Now I am really dreaming as I do not know the level of effort required on their end, if this is on the roadmap already, high enough priority, etc. (or if it is even possible, although I suspect it could be since we can already send other commands like query, etc.)

E. Ask nicely/hope/convince UDI to add Polisy remote access to the Portal. Same uncertainties as outlined in D.

F. Other options?

Thank you in advance for ideas, comments, and suggestions.

Jim

mwester Posted September 25, 2020

F. Use a VPN. You may need to upgrade your router(s), but that would be the most secure and most useful solution.

JBanaszak (Author) Posted September 25, 2020

12 minutes ago, mwester said:
> F. Use a VPN. You may need to upgrade your router(s), but that would be the most secure and most useful solution.

Thanks for the reply. Yes I would need to upgrade my router to do this.

MrBill Posted September 25, 2020

1 hour ago, JBanaszak said:
> A. Direct port forwarding to the Polisy. I have tried this and it works as expected. I am aware of the security risks but have a pretty robust firewall solution and ports open for other reasons. This is the simplest solution (for me with my current knowledge) but more or less defeats the purpose of keeping ISY/Polisy communications on the local network
>
> B. Running a VNC server somewhere on my network and using remote access to that device to login to the Polisy locally. I have some experience in this area from managing industrial products requiring remote access. It would be easy for me to set up on a repurposed Mac mini or similar. Would it be possible to run a VNC server on Polisy itself?

For option A: I highly recommend opening random high numbered ports like 51734 for example (port numbers max at 65535) that redirect to the intended localip:port. It's not as safe as a better option, but large carriers do shut down port scanners that are scanning many ports, so playing hide and seek does add quite a bit more security than actually opening port 443 or 4443 (a common 443 replacement), or say 80, 8080, etc., or any port below about 5000 where port hunters will hunt.

Option B: I actually have an ISY program that boots (turns on power to) a Windows computer and runs a script on my Ubiquiti router to open (port forward) a pre-determined high numbered port that redirects to 3389 (RDP). This was my sole answer for accessing the admin console on vacations before I had portal. At the time I also had a WiFi plugstrip connected via my next-door neighbor's WiFi to reboot the cable modem. Since I now only take an iPad (no laptop) when I travel this method is still how I access the admin console should I need.

Option F: VPN is actually the best solution, I run one directly on my Ubiquiti router.

jfai Posted September 25, 2020

You can run the VPN server on the router, on an RPi, on a NAS device, or some other always-on network node. Ensure that the host device is powered by a UPS, as should your router, Polisy, ISY, and other network-critical devices. I'm recommending OpenVPN.

JBanaszak (Author) Posted September 25, 2020

Thanks for the suggestions @MrBill and @jfai

Whitehambone Posted September 26, 2020

I found WireGuard running on an RPi 4 to be an affordable option. I tried OpenVPN and WireGuard; WireGuard is much faster, no new router needed. You can run it on other platforms as well.

https://www.wireguard.com
https://www.raspberrypi.org/forums/viewtopic.php?t=277111
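
An added illustration of the VPN option recommended in this thread (not a configuration posted by any participant): a WireGuard setup on an always-on LAN host such as the RPi, where the remote device can reach only the Polisy. All addresses, the port 51820, the interface name eth0 and the key placeholders are assumed values.

```ini
# ---- Server: /etc/wireguard/wg0.conf on the always-on LAN host ----
# Assumed values: tunnel subnet 10.8.0.0/24, Polisy at 192.168.1.50,
# LAN interface eth0, UDP port 51820, placeholder keys.
[Interface]
Address    = 10.8.0.1/24
# The router forwards only this one UDP port to this host.
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>

# Enforce on the server that tunnel clients reach the Polisy and nothing else.
# wg-quick replaces %i with the interface name (wg0).
PostUp   = sysctl -w net.ipv4.ip_forward=1
PostUp   = iptables -A FORWARD -i %i -d 192.168.1.50 -j ACCEPT
PostUp   = iptables -A FORWARD -i %i -j DROP
PostUp   = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -d 192.168.1.50 -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j DROP
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

[Peer]
# Travel device. Only packets sourced from this tunnel address are accepted
# from the holder of this key.
PublicKey  = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32

# ---- Client: wg0.conf on the travel device (separate file) ----
[Interface]
Address    = 10.8.0.2/32
PrivateKey = <CLIENT_PRIVATE_KEY>

[Peer]
PublicKey  = <SERVER_PUBLIC_KEY>
Endpoint   = <HOME_PUBLIC_IP_OR_DDNS>:51820
# Route only the Polisy through the tunnel; other traffic stays off the VPN.
AllowedIPs = 192.168.1.50/32
# Keeps the NAT mapping alive from networks behind carrier NAT.
PersistentKeepalive = 25
```

With this in place the Polisy itself has no port forwarded to it; the one forwarded UDP port does not respond to packets that are not authenticated with a configured peer key.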
This topic is now archived and is closed to further replies.