
Author Topic: Vera Edge and ntp (firewalling vera completely from the internet)  (Read 5270 times)

Offline TheKorn

I wanted to firewall off my Vera Edge completely from the internet (I'm professionally security paranoid, and a device that tunnels home automatically is a huge no-no).  Really the only problems with cutting off internet access entirely are that anything that requires you to log in (say to view logs) breaks, you can't back up your Vera config to micasaverde servers, your Vera will never notify you of firmware updates, tech support can't tunnel in, and every time you reboot your Vera it has no idea what time it is.

Well, you can log in via ssh and look at logs, so that's no big deal.  Vera not having a backup of my config is actually how I'd prefer it.  Not having my Vera nag me about every last firmware update is a huge plus in my book.  Not having a backdoor for tech support without my deliberately opening it is desired.  So that just left the last issue, having my Vera get the time on a reboot.

I already have a local NTP server (many people do or could, if they're running Windows boxes or custom firmware on their router like dd-wrt), so all I need to do is tell Vera to use my local NTP server.  All the documentation I can find only applies to UI5 and/or Vera 2s, so I figured I'd document it here for UI7 and/or the Vera Edge.

To set your Vera to use a local NTP server:

  • SSH into your Vera as root.  (See documentation elsewhere for your password.)
  • TERM=vt100; export TERM
  • cd /etc/config
  • vi ntpclient
  • (change to reflect your local ntp server, then save the file)
  • cd /etc/config
  • vi system
  • (change ntp section to reflect your local ntp server, then save the file)
  • reboot

Done!  Now your Vera will talk to your local NTP server instead of trying to reach out over the internet.  (Done on version 1.7.1248.)

To verify it's working, once you've rebooted:

ps aux | grep ntp

You should see two lines (ntpd and ntpclient) that should reflect the changes you made to the files above.
« Last Edit: July 15, 2015, 06:46:13 pm by TheKorn »
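
Added example, not part of TheKorn's post: a shell check that the two files edited in the steps above name only the local NTP server, so a leftover public pool entry is caught before the reboot. It assumes the Vera firmware uses OpenWrt-style UCI syntax in these files; the sample file contents, the address 192.168.1.10 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenWrt-style UCI syntax:
#   ntpclient: "config ntpserver"  with  option hostname '<server>'
#   system:    "config timeserver" with  list server '<server>'
# Print each NTP server named in a UCI file. Section-aware, so the device's own
# "option hostname" under "config system" is not mistaken for a time server.
ntp_servers() {
    awk -v q="'" '
        $1 == "config" { sect = $2; next }
        (sect == "ntpserver" && $1 == "option" && $2 == "hostname") ||
        (sect == "timeserver" && ($1 == "list" || $1 == "option") && $2 == "server") {
            gsub(q, "", $3); gsub(/"/, "", $3); print $3
        }' "$1"
}

# check_local_ntp <expected-server> <file>...
# Succeeds only if at least one server is set and every one is the expected one.
check_local_ntp() {
    want=$1; shift
    found=0; bad=0
    for f in "$@"; do
        for s in $(ntp_servers "$f"); do
            found=$((found + 1))
            [ "$s" = "$want" ] || { echo "non-local: $f: $s"; bad=1; }
        done
    done
    [ "$found" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Constructed sample files; on the device pass the real /etc/config paths.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/ntpclient" <<'EOF'
config ntpserver
    option hostname '0.openwrt.pool.ntp.org'
config ntpserver
    option hostname '192.168.1.10'
EOF
cat > "$SAMPLE/system" <<'EOF'
config system
    option hostname 'vera-edge'
config timeserver 'ntp'
    list server '192.168.1.10'
EOF

if check_local_ntp 192.168.1.10 "$SAMPLE/ntpclient" "$SAMPLE/system"; then
    echo "all NTP servers are local"
else
    echo "edit the entries listed above, then reboot"
fi
```

With the constructed samples the check fails and reports the public pool entry left in ntpclient; the device's own hostname in the system file is ignored.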

Offline Z-Waver

Re: Vera Edge and ntp (firewalling vera completely from the internet)
« Reply #1 on: July 15, 2015, 08:39:53 pm »
Nice!

Are you up for writing a similarly simple how-to on setting up VPN access for smartphone apps to reach your secured Vera?


Offline mcalistair

Re: Vera Edge and ntp (firewalling vera completely from the internet)
« Reply #2 on: July 16, 2015, 04:19:35 am »
> Nice!
>
> Are you up for writing a similarly simple how-to on setting up VPN access for smartphone apps to reach your secured Vera?

It's impossible to write a:
"simple how-to on setting up VPN access for smartphone apps to reach your secured Vera"
...because it depends on:
1. Your VPN Server Device/Type
2. Your Smartphone Brand/OS
3. If you use built-in VPN or a Dedicated app (is related to point 1 and 2).

There is no 'common divisor' for all users on this forum regarding VPN.
But you could open a dedicated Thread where we all can share our VPN configurations and ideas  :D ;)

Cheers
« Last Edit: July 16, 2015, 04:23:14 am by mcalistair »
1x Vera3@UI5 = PROD (1x Edge@UI7 = SandBox ), 15x ZWAVE Devices, 8x 'legacy' X10 devices controlled via Visonic PowerMax Alarm Panel Plugin, 5x Philips HUE devices, 1x iTach IP2CC, 1x Netatmo Weather Station, AltUI

Offline Z-Waver

Re: Vera Edge and ntp (firewalling vera completely from the internet)
« Reply #3 on: July 16, 2015, 08:29:22 am »
> It's impossible to write a:
> "simple how-to on setting up VPN access for smartphone apps to reach your secured Vera"

Well, sure. With that attitude.    ;D

Offline TheKorn

Re: Vera Edge and ntp (firewalling vera completely from the internet)
« Reply #4 on: July 16, 2015, 09:19:47 am »
> Well, sure. With that attitude.    ;D

Unfortunately, he's right; asking for a simple way to set up a vpn is like asking for a simple way to cure cancer.  Lots of cancers, lots of methods of curing them!  So the best you can really do (due to all the variables) is really point to the how-to work already done by others; it's a massive subject in its own right!

Personally, I use OpenVPN on my Tomato router.  It needs a (free) client for Android, but it works quite well and is secure.  Some people use PPTP because it's easier to set up, but the problem is that PPTP is thoroughly broken from a security standpoint; one guy even runs a commercial PPTP decryption service.  (And that same guy's thoughts on PPTP, which are illuminating and true!)  So using PPTP is better than using nothing, but only just.

If that has successfully scared you off of PPTP (it should!), then there are two links for setting up OpenVPN I can recommend, depending on what software your home router is using:

Easy openVPN on dd-wrt
OpenVPN for TomatoUSB

Beyond that, far too many variables to have a universal recommended approach.

Offline mcalistair

Re: Vera Edge and ntp (firewalling vera completely from the internet)
« Reply #5 on: July 16, 2015, 02:15:45 pm »
> Well, sure. With that attitude.    ;D

Haha, actually expected that reply  :P

> Unfortunately, he's right;

Thanks for the backup  8)

... adding to that....

My VPN solution is in my VDSL Modem/Router combo. I have a "FRITZ!Box Fon WLAN 7360".
It is equipped with an option to configure named users.
All named users can be configured for VPN access via IPSec Protocol.
We have 4 Apple devices (2x iPad and 2x iPhone) configured to use this VPN (Built-In VPN stack in iOS).
In the past I also used my Laptop to log in to the VPN. There I used the Application Shrew Soft VPN Client.
Documentation for this specific solution can be found here

Cheers guys!