Domoticz security

On various Hardware and OS systems: pi / windows / routers / nas, etc

Moderator: leecollings

jantje
Posts: 1
Joined: Friday 09 August 2019 17:09
Target OS: NAS (Synology & others)
Domoticz version:

Domoticz security

Post by jantje »

Hi there... I have a Synology Domoticz installation and also an OpenVPN server... On my router only the OpenVPN port is open. With my mobile and the OpenVPN client I can access the local network on the Syno and access Domoticz, with the Domoticz client and browser (http). Very useful is the possibility within Domoticz to set access from local networks with no username and password. But this is for anybody I give OpenVPN access to the local network? This is not a good idea... Does someone have an idea to prevent this?
FireWizard
Posts: 1905
Joined: Tuesday 25 December 2018 12:11
Target OS: Raspberry Pi / ODroid
Domoticz version: Beta
Location: Voorthuizen (NL)

Re: Domoticz security

Post by FireWizard »

Hello,

Your question has nothing to do with a technical security solution but with organisation.

Imagine your house.
For the ease of use (quicker access) all your filing cabinets, linen wardrobes and safes are unlocked.
That saves time if you want to have access, otherwise you always have to search for a key.

How do you think that you can prevent foreigners from looking into your cabinets, wardrobes and safes, if you give them the key of your front door?

That is the same with domoticz.
For the ease of use you have the possibility to log into domoticz without username/password.
But you give foreigners VPN access.

So the solution is simple.
Either you reintroduce the username/password for Domoticz or you limit the access for foreigners to your LAN.

Regards
renerene
Posts: 351
Joined: Wednesday 03 August 2016 11:36
Target OS: -
Domoticz version:

Re: Domoticz security

Post by renerene »

But you give foreigners VPN access
How?
I don't get it. OpenVPN is the front door lock, strongly encrypted with username and password.

[Update] Ah, the intention of the original poster is to share the OpenVPN keys. Yes, in that case use the Domoticz password.
FireWizard
Posts: 1905
Joined: Tuesday 25 December 2018 12:11
Target OS: Raspberry Pi / ODroid
Domoticz version: Beta
Location: Voorthuizen (NL)

Re: Domoticz security

Post by FireWizard »

Hi,

You got it!

There always exists a conflict between ease of use and security for a user.
That you close your firewall completely, except for OpenVPN users, makes your LAN network very secure.
This makes it possible that e.g. Domoticz can be accessed without password, if you are connected to your LAN.

But if you want to grant access to other people, they have the same rights and so they can log in to Domoticz without password.
jantje wrote: Friday 09 August 2019 17:27 But this is for anybody i give OpenVPN access to the local network?
That is what I mean with the fact that you can protect your house as much as you like, but if you share the key with many others, many people have access. I assume this is not what you want.

Regards.
waaren
Posts: 6028
Joined: Tuesday 03 January 2017 14:18
Target OS: Linux
Domoticz version: Beta
Location: Netherlands

Re: Domoticz security

Post by waaren »

FireWizard wrote: Sunday 11 August 2019 20:46 That is what I mean with the fact that you can protect your house as much as you like, but if you share the key with many others, many people have access. I assume this is not what you want.
I am by no means an expert in this area, but isn't it possible to have your VPN server assign different static IPs based on the used VPN key?
If that is still possible, you can just open 127.0.0.1 and the assigned static IP for yourself in Domoticz.

To misuse your way of describing it in layman's terms: all keys fit on the front door but the lock on Domoticz is only open for your key (= static IP).

To be clear, I never used this myself so I could be wrong!
Debian buster, bullseye on RPI-4, Intel NUC.
dz Beta, Z-Wave, RFLink, RFXtrx433e, P1, Youless, Hue, Yeelight, Xiaomi, MQTT
==>> dzVents wiki
FireWizard
Posts: 1905
Joined: Tuesday 25 December 2018 12:11
Target OS: Raspberry Pi / ODroid
Domoticz version: Beta
Location: Voorthuizen (NL)

Re: Domoticz security

Post by FireWizard »

Hi waaren,

I'm not aware that this is possible. But if I'm wrong, please let me know.

However, it is possible to assign a static IP address to an OpenVPN client.
See various articles on the Internet.
If you put that IP address in the list of IP addresses, which can log in without username/password.

I never did it, but maybe it is working.

Regards
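
An added example, not part of any post in this thread: a check that the Domoticz no-password list admits only the tunnel address pinned to your own VPN certificate, as waaren and FireWizard suggest. It assumes OpenVPN pins addresses with `ifconfig-push` lines in per-client `client-config-dir` files and that every user has their own certificate; the subnet, client names and whitelist strings are constructed, and Domoticz's `*` matching is approximated with `fnmatch`.

```python
import fnmatch
import ipaddress

# Constructed sample data (assumptions, not taken from the thread).
VPN_SUBNET = "10.8.0.0/24"  # tunnel subnet handed out by the OpenVPN server
CCD_FILES = {  # client-config-dir: one file per certificate common name
    "owner-phone": "ifconfig-push 10.8.0.10 255.255.255.0\n",
    "guest-laptop": "ifconfig-push 10.8.0.20 255.255.255.0\n",
}
TRUSTED = {"owner-phone"}  # clients allowed to skip the Domoticz login


def pinned_addresses(ccd_files):
    """Map each client name to the tunnel IP pinned by its ifconfig-push line."""
    pinned = {}
    for name, text in ccd_files.items():
        for line in text.splitlines():
            parts = line.split()
            if len(parts) >= 2 and parts[0] == "ifconfig-push":
                pinned[name] = str(ipaddress.ip_address(parts[1]))
    return pinned


def exposed_addresses(whitelist, vpn_subnet, ccd_files, trusted):
    """Return VPN addresses that bypass the login without being a trusted pin.

    `whitelist` is the semicolon-separated pattern list; '*' matching is
    approximated with fnmatch (assumption about Domoticz's matcher).
    """
    patterns = [p.strip() for p in whitelist.split(";") if p.strip()]
    pins = pinned_addresses(ccd_files)
    allowed = {ip for name, ip in pins.items() if name in trusted}
    exposed = []
    for host in ipaddress.ip_network(vpn_subnet).hosts():
        addr = str(host)
        if addr not in allowed and any(
            fnmatch.fnmatchcase(addr, p) for p in patterns
        ):
            exposed.append(addr)
    return exposed


if __name__ == "__main__":
    for wl in ("127.0.0.*;10.8.0.*", "127.0.0.1;10.8.0.10"):
        bad = exposed_addresses(wl, VPN_SUBNET, CCD_FILES, TRUSTED)
        print(f"{wl!r}: {len(bad)} VPN address(es) skip the login", bad[:3])
```

An empty result means only the trusted pinned address skips the Domoticz login; every other VPN user still has to enter a username and password.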