Connecting to Domoticz behind non public IP - More than one

On various Hardware and OS systems: pi / windows / routers / nas, etc

Moderator: leecollings

superczar
Posts: 65
Joined: Wednesday 14 January 2015 12:08
Target OS: Raspberry Pi / ODroid
Domoticz version:
Location: India

Post by superczar »

First up, I really love domoticz – After running a production system in my primary home for more than a year (DOM1), I now intend to use domoticz for my secondary home (DOM2) and an outhouse (DOM3)
The problem with the latter locations is that the internet connection available is a basic connection behind a NAT.
Thus there is no way I can connect to DOM2 and DOM3 externally directly.
One alternative is to use my.domoticz.com but unfortunately it works extremely slow in India (probably latency with the European servers)

I am ready to rent out a VPS assuming I can create some sort of a proxy on the VPS that DOM1, 2 and 3 connect to.
Subsequently I can connect to the VPS which in turn routes the request to 1, 2 or 3

Maybe some kind of a mydomoticz service instance running on this VPS or perhaps some other solution?
bbqkees
Posts: 407
Joined: Sunday 17 August 2014 21:01
Target OS: Linux
Domoticz version: 4.1x
Location: The Netherlands

Post by bbqkees »

Can't you do a port forward?
Bosch / Nefit / Buderus / Junkers / Worcester / Sieger EMS bus Wi-Fi MQTT Gateway and interface boards: https://bbqkees-electronics.nl/
superczar
Posts: 65
Joined: Wednesday 14 January 2015 12:08
Target OS: Raspberry Pi / ODroid
Domoticz version:
Location: India

Post by superczar »

bbqkees wrote: Can't you do a port forward?
No, the ISP at DOM2/DOM3 locations does not give out public IPs but rather NATted private IPs
jvdz
Posts: 2189
Joined: Tuesday 30 December 2014 19:25
Target OS: Raspberry Pi / ODroid
Domoticz version: 4.107
Location: Netherlands

Post by jvdz »

You shouldn't need a separate public IP address when you use a unique port on the public side and NAT/Portforward that to the private IP address for the domoticz server... right?

Jos
New Garbage collection scripts: https://github.com/jvanderzande/GarbageCalendar
superczar
Posts: 65
Joined: Wednesday 14 January 2015 12:08
Target OS: Raspberry Pi / ODroid
Domoticz version:
Location: India

Post by superczar »

jvdz wrote: You shouldn't need a separate public IP address when you use a unique port on the public side and NAT/Portforward that to the private IP address for the domoticz server... right?

Jos
Yes, but please read the original post.
The ISP does the NATting - I do not have control over the ISP and thus there is no way I can reach the Domoticz server at DOM2/DOM3 from outside directly.
The only possibility I see is that DOM2/DOM3 initiate a connection from their end to either a public VPS or to a server I can run at the primary location (DOM1)
Public access to DOM2/DOM3 is brokered by my own server

Think of it as something similar to the way IoT devices like Belkin WEMO or IP Cameras manage WAN side connectivity without any port forwarding/Dynamic DNS
superczar
Posts: 65
Joined: Wednesday 14 January 2015 12:08
Target OS: Raspberry Pi / ODroid
Domoticz version:
Location: India

Post by superczar »

gordonb3 wrote:Unsure what the VPS would be needed for. If you can access your primary home server through the public network (either by fixed IP or DDNS service) it will be sufficient if your other two locations can set up a VPN connection to the server in your primary home. You can then proxy the requests using whatever web server you like best (e.g. apache, nginx). I read an entry that the latest version of domoticz supports setting an alternate web root, so you could even concentrate the locations on a single https host.
Thanks - The only reason I was thinking of a VPS was for improved reliability but yes, I can do the same via the primary home server also
So to summarize what you are saying, I should create an always on VPN connection between location 2 and 3 to location 1
Plus I use apache or nginx to act as a reverse proxy to route requests to location 1 directly or via the VPN to 2 or 3 as required

Anything in particular I should look up in google for such a use case?
superczar
Posts: 65
Joined: Wednesday 14 January 2015 12:08
Target OS: Raspberry Pi / ODroid
Domoticz version:
Location: India

Post by superczar »

gordonb3 wrote:None that I can think of right now. I guess nginx is likely the simplest to configure. Note that you should not reverse proxy, i.e. not translate any links. If the paths are not identical on the proxying server as they are on the target domoticz UI it will not work (I tried - and tried). I guess the troublesome part may be the VPN. If you decide to go for a net to net VPN the IP ranges need to be different on the three member sites, but some ISPs lock the routers they provide to a specific range. In this case you'll need to buy different routers, but that can also simplify the task at hand if you buy routers that have built-in VPN.

In any case, whatever I'd tell you how I would do it, there's probably 50 other methods to achieve the same.
Thanks - I think I have got on the right track
For now, I am simply going to do a reverse SSH tunnel of the local domoticz ports from DOM2 and 3 to 2 different ports on DOM1 (say 8081 and 8082)
That way, I get to see DOM2 and DOM3 on DOM1:8081 and 8082
superczar
Posts: 65
Joined: Wednesday 14 January 2015 12:08
Target OS: Raspberry Pi / ODroid
Domoticz version:
Location: India

Post by superczar »

For posterity's sake, let me just add how I configured this:

1) Signed up for a free VPS on Amazon Web Services - Set it up as an Ubuntu Micro instance
2) Configured the SSH service on the VPS to allow port forwarding (add a line "GatewayPorts yes" to /etc/ssh/sshd_config)
3) On all domoticz instances, installed AutoSSH (tool to monitor and reinitiate SSH if it fails)
4) Add a line to startup scripts for AutoSSH to start the following SSH session at startup

Code:

ssh -R 8080:localhost:8080 [email protected]  
(remote port: local IP:localport )
cato
Posts: 13
Joined: Friday 15 May 2015 8:21
Target OS: Raspberry Pi / ODroid
Domoticz version: 2.25

Post by cato »

I need to do a similar setup since I have a raspberry+domoticz with a 3G connection (no public IP), hence I cannot connect from outside the LAN.
I am planning to do a ssh reverse tunnel from this raspberry to another one that has a public IP. Suppose the one in the 3G network is Pi-A and the other Pi-B.
If the autoSSH setup described here works by connecting to port 8081 on Pi-B I should get the domoticz interface running on port 8080 of Pi-A.

My question is: when I am within the LAN of Pi-A can I get the interface on the local port 8080 or I am forced to go through Pi-B since the channel is always in place?
I was thinking I could use https (port 443) locally and 8080 remotely but I suspect that 443 is then forwarded to 8080 and in that case it would not work.

Thanks for any hint.
RPi 2 + RazBerry
Toni
Posts: 66
Joined: Monday 20 July 2015 14:12
Target OS: Raspberry Pi / ODroid
Domoticz version:

Post by Toni »

cato
Posts: 13
Joined: Friday 15 May 2015 8:21
Target OS: Raspberry Pi / ODroid
Domoticz version: 2.25

Post by cato »

Thank you for the pointer Toni, but I would prefer keeping my data on hosts that I control. Despite the https network connections, with mydomoticz the data is going to an intermediate server administered by a third party.
I will look more into the security issues of that solution but I would also like to try the SSH reverse tunnel on my own machines and I still look for the answer to my question above.
RPi 2 + RazBerry
Toni
Posts: 66
Joined: Monday 20 July 2015 14:12
Target OS: Raspberry Pi / ODroid
Domoticz version:

Post by Toni »

Yes, I understand your point. Actually I'm just developing a remote-controlled heating system for a holiday cottage (the point is to be able to switch between maintenance heating (~ +10 C) and normal heating remotely, and to control both electric radiators and the air-to-air heatpump).

Solutions which work without Dynamic DNS and port forwarding, even with a Raspberry Pi: It is also possible to run a VPN server on the Raspberry, I have successfully tried https://www.softether.org/. SoftEther has its own dynamic DNS support, but you can also use any other dynamic DNS system (as a Finn I use the free dy.fi service). It's a bit of a hassle to have this configured, and you need to have port forwarding for the ports the VPN protocol uses in your router. It's also a bit of a hassle to configure the VPN, but in my case the result was a fully working L2TP VPN server. L2TP is nice on Windows devices, as it doesn't require any VPN client installation, just configuration (L2TP client is built in starting from Windows 8 (if not even earlier), including Windows Phone 8).

OpenVPN is a good choice as well, I've tried that out on my Linksys WRT54GL router, with the DD-WRT firmware.

(Oh yes, should have read the first mail more carefully, the VPN server idea will not work if you don't have a public IP)
Sneezydevil
Posts: 111
Joined: Monday 18 January 2016 9:56
Target OS: Raspberry Pi / ODroid
Domoticz version:

Post by Sneezydevil »

I use autossh myself for a location with a 4g dongle.

And you can still use 8080 when on location.

You can also do more than one forward, for example:

Code:

ssh -R 40433:localhost:433 -R 48080:localhost:8080 [email protected]


In the example I use a different port on the remote host running the nginx proxy, this way I can have nginx listen on port 443 and 8080.

You could even forward ssh itself for some remote debugging.
cato
Posts: 13
Joined: Friday 15 May 2015 8:21
Target OS: Raspberry Pi / ODroid
Domoticz version: 2.25

Post by cato »

Sneezydevil, thank you for confirming I can still use the port locally. However I have some problems setting up the reverse tunnel: I use on Pi3g (this is the Pi without public IP that is running domoticz exposing it to local port 8080)
ssh -R 8081:localhost:8080 me@myPublicIP-Pi -p222
(myPublicIP-Pi is configured to accept out-of-LAN ssh connections on port 222)
In principle now I should be able to open a browser and find my remote domoticz typing the URL http://myPublicIP-Pi:8081
However the browser does not connect to anything.

Do I need to set up something else?
myPublicIP-Pi is running a VPN server and another domoticz but not using port 8081. When pointing my browser to it I first connect to the VPN so it is like I am in the local LAN and there should not be any problem with reachability of port 8081

Any hint?
Thank you!
RPi 2 + RazBerry
cato
Posts: 13
Joined: Friday 15 May 2015 8:21
Target OS: Raspberry Pi / ODroid
Domoticz version: 2.25

Post by cato »

I answer myself in case others may have the same problem.
What was missing was editing sshd_config file in the myPublicIP-Pi machine to insert the option
'GatewayPorts yes'
This way the tunnel can be used also from other machines that can reach myPublicIP-Pi:8081
RPi 2 + RazBerry
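
The effect of `GatewayPorts` discussed in the posts above, as an added example that is not part of any post in this thread: a shell sketch that reads the effective global `GatewayPorts` value from an sshd_config file and reports where sshd binds the listener for a `-R` forward such as `8081:localhost:8080`. The function names and the sample config are constructed for illustration; Match blocks, Include files and a non-default client configuration are assumed away.

```shell
#!/bin/sh
# Added example: where does sshd bind the listener for "ssh -R ..."?

# Effective global GatewayPorts value in an sshd_config file. sshd keeps
# the first value it reads for a keyword and defaults to "no". Assumption:
# Match blocks and Include files are not evaluated by this sketch.
gateway_ports() {
    awk '
        /^[ \t]*#/                    { next }
        tolower($1) == "match"        { exit }
        tolower($1) == "gatewayports" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }
    ' "$1"
}

# Listener address on the server for a -R spec of the form
# [bind_address:]port:host:hostport (IPv4/hostname bind addresses only).
remote_bind() {
    gp=$1; fwd=$2
    case $fwd in
        *:*:*:*) bind=${fwd%%:*}; given=1 ;;   # bind address present
        *)       bind=;           given=0 ;;   # plain port:host:hostport
    esac
    case $gp in
        yes) echo wildcard ;;                  # forced onto all interfaces
        clientspecified)
            if [ "$given" -eq 0 ] || [ "$bind" = localhost ]; then echo loopback
            elif [ -z "$bind" ] || [ "$bind" = "*" ]; then echo wildcard
            else echo "$bind"; fi ;;
        *) echo loopback ;;                    # "no": server-local only
    esac
}

# Constructed sample config, then the forward used in the thread.
cfg=$(mktemp)
printf '%s\n' '# constructed sample' 'Port 222' 'GatewayPorts yes' > "$cfg"
mode=$(gateway_ports "$cfg")
echo "GatewayPorts=$mode -> 8081 listens on: $(remote_bind "$mode" 8081:localhost:8080)"
rm -f "$cfg"
```

With the default `no` the forwarded port answers only on the server's loopback address, which matches the unreachable port 8081 reported above; `yes` puts the Domoticz port on every interface of the server, while `clientspecified` lets the tunnel name a single bind address instead.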
dakipro
Posts: 49
Joined: Thursday 17 December 2015 22:24
Target OS: Raspberry Pi / ODroid
Domoticz version: 3.5877
Location: Norway

Post by dakipro »

Has anyone tried "DATAPLICITY" to connect to the domoticz remotely?
I tried remot3.it (earlier weaved) and installation goes fine but for whatever reason the pi doesn't appear in my account. Also my.domoticz.com is very very unstable for me, each reset of modem (which is not something I control) causes domoticz to go offline.

Then I read here https://www.raspberrypi.org/documentati ... -Internet/ about the Dataplicity
https://docs.dataplicity.com/docs/how-it-works
and it looks like a simpler version of weaved, without login panel (which is convenient for my wife's mobile). Only concern is that domoticz is basically open to the web if you know the right URL.
Could this be avoided by having a password in domoticz for only that type of connection? It looks to me that it "simulates" a local connection, thus domoticz might not be able to identify where the connection comes from (if it is local or remote). They do suggest a firewall for nginx, but I have zero experience with security and firewalls and things.

What do you think, would the approach be possible / secure / smart to implement?
Raspberry Pi 2 B - MySensors (dimmers, switches, motion, temperature, lux, humidity sensors)
zWave (220v switches)
various 433 via RFLink