Author Topic: Secure Remote Connections  (Read 1962 times)

Jason

Secure Remote Connections
« on: November 12, 2018, 02:35:56 PM »
Due to some concerns with port forwarding, I tried out using web services that use secure tunneling.

I tried out remote.it and remote-iot.com.

  • remote.it
    • pro
      • feels like more control
    • con
      • more control -> more setup, must use terminal to set up each port/service you want to be accessible remotely (i.e.: https/vnc/ssh ...)
  • remote-iot.com
    • pro
      • easy to install, only takes a few command line inputs
    • con
      • default (only option?) to have all ports on device open/accessible remotely

Pricing plans
  • remote.it
    • free for non commercial use, unlimited devices
    • $2/month per commercial device
    • Or $50/month seat license for commercial with unlimited devices, economical at 25 or more devices
  • remote-iot.com
    • free for non commercial use, up to 5 devices
    • $1/month per enterprise device, no seat needed
    • $0.1/month per business device, but starting with 200 devices ($20/month)

First impressions - Once I figured out how to use remote.it's command line interface, I liked the extra step in setting up what ports were remotely accessible.  To set up a connection to access the IoT Gateway, you need to use option 4) Custom (TCP), note it does not use a web browser N, protocol name https, port 443, name [insert your name here].  Then you can use the online remote.it GUI to launch a connection.  They will give an address like: proxy13.remot3.it:123456.  To access this, put https://proxy13.remot3.it:123456 in your browser address bar, don't forget the https:// part.
remote-iot.com was also nice to use once I got it figured out.  It does only allow 5 devices to be connected, but that is probably more than enough for most, also since there isn't a seat license, it is likely cheaper for most if/when they go commercial.

Is anyone else interested in using tunnels like this instead of port forwarding, and would there be more interest in a more in-depth tutorial on how to set this up?
« Last Edit: November 12, 2018, 02:45:24 PM by Jason »

Felix

Re: Secure Remote Connections
« Reply #1 on: November 13, 2018, 03:29:17 PM »
Great
How exactly are the internal ports 80/443 on the Pi, accessible?
It sounds more like a reverse proxy to me.

You mention using web services and some scripts (that set it all up?).
Do you know what is the mechanism that makes it more secure?

Stereodude

Re: Secure Remote Connections
« Reply #2 on: November 13, 2018, 05:27:09 PM »
Why don't you just shift the ports in your router so they're not at the expected ports from an external side?  I do that for some other protocols in my router.

HeneryH

Re: Secure Remote Connections
« Reply #3 on: November 13, 2018, 05:30:40 PM »
> Why don't you just shift the ports in your router so they're not at the expected ports from an external side?  I do that for some other protocols in my router.

This is a pretty weak protection because bots just scan all ports in a scripted manner so bad actors will find open ports whether you use standards or not.

Stereodude

Re: Secure Remote Connections
« Reply #4 on: November 13, 2018, 05:31:32 PM »
> This is a pretty weak protection because Bots just scan all ports in a scripted manner so bad actors will find open ports whether you use standards or not.

Well, that's what strong passwords are for.

Jason

Re: Secure Remote Connections
« Reply #5 on: November 13, 2018, 11:09:01 PM »
Felix - you might be right about the reverse proxy.  I don’t really know all that much about networking or how it makes the ports 80/443 available. I am not sure if it really is any more secure.

One reason to do this for me is that I haven’t always been allowed to port forward with the different networks I have been on.
« Last Edit: November 13, 2018, 11:11:18 PM by Jason »

HeneryH

Re: Secure Remote Connections
« Reply #6 on: November 14, 2018, 10:50:31 AM »
Jason,
The core issue here is that most local networks have one single entry/exit point from/to the internet.  This is fine for any outgoing connection requests from local network devices.  All outgoing requests go through that one entry/exit point and appear to come from the single IP address assigned to that device (your single public facing IP address).  Who cares though if all outgoing requests have the same IP?

The problem is incoming connection requests...  How do we configure the system so that incoming connection requests are handled in a proper and secure manner?

There are a variety of ways.

  • Port forwarding is simple and done on the router.  Nearly 100% of routers can handle this.  You need to be careful though that you only forward to devices that are secure.  Many IoT devices have terrible track records with security.
  • Reverse proxies are servers that can be set up to do the equivalent routing and have more flexibility.  Common reverse proxies run on Linux machines using a web server such as Nginx.  These tend to be more secure and trustworthy.  Both this and the first option require no special actions on the part of the client. You would still need to set up your router to port forward all incoming traffic to the reverse proxy machine.
  • Virtual Private Networks (VPNs) are most secure and when you tunnel in through a VPN it then makes your remote computer act like it is on the home network.  You would need to set up the VPN server then set the router to route any incoming VPN connection requests to the VPN server.  The problem here is that your remote client needs to take actions to connect to the VPN and it is not for tech challenged people.

You also talk about ports 80 and 443.  These are just standard ports for http web protocol and the secure https protocol.  If you want to use 443 SSL, you just need to make sure that your reverse proxy or port forwarding properly handle https in addition to the 80.

Jason

Re: Secure Remote Connections
« Reply #7 on: November 16, 2018, 09:56:45 AM »
I heard back from Remote-IoT.  “The device need send keep live message. The server act as a proxy server. ” where the device in this case is a Raspberry Pi acting as a gateway and the server is “a secure AWS [Amazon Web Service] IoT cloud platform”.

Since some networks don’t allow any access to the router, ie schools, landlords/roommates, and work places, this seems to be a good solution for some use cases.
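
The mechanism Remote-IoT describes above (the device keeps an outbound connection alive and the server proxies over it) can be reproduced on loopback. This is an added example, not part of the thread and not code from either service; `gateway_app`, `cloud_relay` and `device_agent` are hypothetical names and all endpoints are constructed for the demo.

```python
import socket
import threading

def pipe(src, dst):
    """Copy bytes one way; on EOF, pass end-of-stream on to the other side."""
    try:
        while (data := src.recv(4096)):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def splice(a, b):
    """Relay bytes in both directions between two connected sockets."""
    threading.Thread(target=pipe, args=(a, b), daemon=True).start()
    pipe(b, a)

def gateway_app(srv):
    """Stand-in for the web app on the Pi; it listens on loopback only."""
    conn, _ = srv.accept()
    conn.sendall(b"gateway saw: " + conn.recv(4096))
    conn.close()

def cloud_relay(device_srv, public_srv):
    """Hypothetical proxy: pairs the device's standing connection with a user."""
    device, _ = device_srv.accept()  # arrives FROM the device (outbound on its LAN)
    user, _ = public_srv.accept()    # remote user opens the proxy address
    splice(user, device)

def device_agent(relay_addr, app_addr):
    """Runs on the Pi: dials out, waits, then forwards to the local app."""
    out = socket.create_connection(relay_addr)  # only connection crossing the router
    first = out.recv(4096)                      # idle until the relay has a request
    app = socket.create_connection(app_addr)
    app.sendall(first)
    splice(out, app)

def demo():
    app_srv, device_srv, public_srv = (socket.create_server(("127.0.0.1", 0)) for _ in range(3))
    jobs = [(gateway_app, (app_srv,)), (cloud_relay, (device_srv, public_srv)),
            (device_agent, (device_srv.getsockname(), app_srv.getsockname()))]
    for fn, args in jobs:
        threading.Thread(target=fn, args=args, daemon=True).start()
    with socket.create_connection(public_srv.getsockname(), timeout=5) as user:
        user.sendall(b"GET /status")
        return user.makefile("rb").read()

if __name__ == "__main__":
    print(demo())
```

No inbound port is opened on the device's network, yet anyone who can reach the relay's public port reaches the app, so the app's own login and the relay account remain the access controls.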

Jason

Re: Secure Remote Connections
« Reply #8 on: November 26, 2018, 10:12:10 PM »
I have been trying out both remote.it and remote-iot.com for about a week now.  So far I have found remote.it is much more mobile friendly and because of that, it is currently my preferred service. But both have been working well to connect to the gateway app without port forwarding.