
Author Topic: Direct access when away without going through Vera servers.  (Read 4552 times)

Offline Timon

Direct access when away without going through Vera servers.
« on: November 22, 2015, 01:33:06 pm »
Assuming one uses a long and random password what are the security issues in bypassing Vera servers? Is a secure link used?

It seems that access would be much quicker than going through Vera servers plus if they are down you can still access home.

Offline integlikewhoa

Re: Direct access when away without going through Vera servers.
« Reply #1 on: November 22, 2015, 02:03:23 pm »
Assuming one uses a long and random password what are the security issues in bypassing Vera servers? Is a secure link used?

It seems that access would be much quicker than going through Vera servers plus if they are down you can still access home.

Best/safest way would be to set up a VPN at home and on your phone. Connect via VPN to your local home network when away, then just use a local connection in the app.

Offline RichardTSchaefer

Re: Direct access when away without going through Vera servers.
« Reply #2 on: November 22, 2015, 05:53:48 pm »
Unless you are NETWORK knowledgeable ... don't even try to allow your Vera, IP cameras, or many of the other Internet gadgets attached to your network to have access from outside your network. There are some documented procedures that demonstrate how to do this ... but if you follow them it's equivalent to leaving your house with flashing lights outside your home with the doors wide open and a sign that says "Help Yourself, I'm not Here!"

It is too easy to make a mistake and have your entire home computing resources become vulnerable.  Not only can you compromise the integrity of your personal computing resources on your LAN ... but Vera would make a nice target to be used as a BOT to launch attacks on others and have it trace back to you.

Vera took a big public relations hit in the past when it was demonstrated how some of their security could be compromised. Changes in UI6 and UI7 were a response to these vulnerabilities.

A VPN (Virtual Private Network) is a valid solution. But usually beyond the skills of most users. There are no simple guides to this ... It's a function of the router you have, the type(s) of remote access you want (i.e. Apple IOS or OSX, Android, Windows, Browser on Arbitrary device, ....)

 

Offline Timon

Re: Direct access when away without going through Vera servers.
« Reply #3 on: November 23, 2015, 11:56:57 am »
Being a retired network administrator guy, I'm not worried about setting the network up to handle the problem. I'm more concerned if the app talks to Vera using an encrypted socket. If so, then as long as you limit direct access only through that socket one should be fine.

That said, a VPN connection would be much more secure. I've had VPN set up on my network in the past but that was an old router. I'd get a SonicWall TZ SOHO business class office router but I'm not yet in the mood to spend as much as they want for one when you include the yearly support fees so I'm looking for a good alternative.

Offline RichardTSchaefer

Re: Direct access when away without going through Vera servers.
« Reply #4 on: November 23, 2015, 03:07:40 pm »
It's not encrypted.
Remote access goes to a web server running on Vera as well as to port 3480. Older software may use another port.

You can send commands via that port that are executed as ROOT on the Vera hardware.

As I said, if you provide external access to the Vera port you can compromise your entire LAN.

Offline mcalistair

Re: Direct access when away without going through Vera servers.
« Reply #5 on: November 23, 2015, 05:32:05 pm »
I'd get a SonicWall TZ SOHO business class office router but I'm not yet in the mood to spend as much as they want for one when you include the yearly support fees so I'm looking for a good alternative.

Where are you located? Here in Europe proper routers with proper VPN sell starting from around 100 to around 250 dollars, without any fees.
« Last Edit: November 23, 2015, 05:33:51 pm by mcalistair »
1x Vera3@UI5 = PROD (1x Edge@UI7 = SandBox ), 15x ZWAVE Devices, 8x 'legacy' X10 devices controlled via Visonic PowerMax Alarm Panel Plugin, 5x Philips HUE devices, 1x iTach IP2CC, 1x Netatmo Weather Station, AltUI

Offline Timon

Re: Direct access when away without going through Vera servers.
« Reply #6 on: November 23, 2015, 08:50:51 pm »
I'd get a SonicWall TZ SOHO business class office router but I'm not yet in the mood to spend as much as they want for one when you include the yearly support fees so I'm looking for a good alternative.

Where are you located? Here in Europe proper routers with proper VPN sell starting from around 100 to around 250 dollars, without any fees.
I'm in the US. SonicWall is a professional firewall/router so it carries a higher price than home routers. The TZ is the lowest priced in the line. For this class device you pay a yearly support fee which includes software updates and equipment repair/replacement. That's typical of professional devices.

My old VPN router was about $150 but it's old and doesn't have the current protocols. I'm looking at what's available for home VPN routers. If push comes to shove a SonicWall will run about $500 configured the way I would want it.

Offline integlikewhoa

Re: Direct access when away without going through Vera servers.
« Reply #7 on: November 24, 2015, 12:26:52 am »
I'd get a SonicWall TZ SOHO business class office router but I'm not yet in the mood to spend as much as they want for one when you include the yearly support fees so I'm looking for a good alternative.

Where are you located? Here in Europe proper routers with proper VPN sell starting from around 100 to around 250 dollars, without any fees.
I'm in the US. SonicWall is a professional firewall/router so it carries a higher price than home routers. The TZ is the lowest priced in the line. For this class device you pay a yearly support fee which includes software updates and equipment repair/replacement. That's typical of professional devices.

My old VPN router was about $150 but it's old and doesn't have the current protocols. I'm looking at what's available for home VPN routers. If push comes to shove a SonicWall will run about $500 configured the way I would want it.

Push comes to shove any 50.00 router with DDWRT would be more than enough, and if you want a business class, for 100.00 (or less) you can get a Ubiquiti Edge series Router.

500.00 and an annual fee for a home/small business class, you're just being silly.

Offline logread

Re: Direct access when away without going through Vera servers.
« Reply #8 on: November 24, 2015, 01:38:37 am »
FYI I am running an OpenVPN server directly on my Vera (Opkg package exists even on the MCV version of OpenVPN) without a dedicated router. Certainly not business grade but more than enough for my main use, i.e. remote maintenance of my vacation home Vera (eg. SSH access, logs check, etc...) and it looks secure enough to me at least (only VPN port forwarded, rsa keys only stored on trusted clients - my iphone, ipad and laptop).

 I posted about this on the forum a while back if you are interested.
Vera Lite UI7, Fibaro FGS-221, FGS-212, FGSS-001, FGK-101, FGWPE/F-101, FGMS-001, Aeon HEM G2, GreenWave PowerNode 6,  Everspring ST-814, SE-812, Swiid SwiidInter.
Raspberry Pi2 Raspbian w/ openLuup. AltUI, SV Thermostat, Virtual Switch, Weather (openWeather), System Monitor (openSysMon), HomeWave.
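
Added example (not part of the original thread): a small audit of a router's NAT rules that enforces the two points made above, that port 3480 must never be reachable from outside and that only the VPN port should be forwarded. The `iptables-save` sample, the interface name, the LAN address and the choice of OpenVPN on UDP 1194 are assumptions made for illustration.

```python
import shlex

# Constructed sample of `iptables-save -t nat` output from a home router.
# Interface name and LAN address are made up for illustration.
SAMPLE_RULES = """\
*nat
-A PREROUTING -i eth0 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.50:1194
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3480 -j DNAT --to-destination 192.168.1.50:3480
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.50:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

VERA_CONTROL_PORT = 3480        # unencrypted port named in the thread
ALLOWED = {("udp", "1194")}     # assumption: OpenVPN on its default port

def covers(spec, port):
    """True if a port spec (N, N:M, N-M, or None meaning all ports) includes port."""
    if spec is None:
        return True
    lo, _, hi = spec.replace("-", ":").partition(":")
    return int(lo) <= port <= int(hi or lo)

def parse_forwards(text):
    """Yield (proto, wan_port, host, lan_port) for each PREROUTING DNAT rule."""
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "PREROUTING"] or "DNAT" not in tok:
            continue
        # Pair each option with the token after it; rules using the multiport
        # match have no --dport and are conservatively treated as "all ports".
        opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        host, _, lan_port = opt.get("--to-destination", "").partition(":")
        yield opt.get("-p", "all"), opt.get("--dport"), host, lan_port or None

def audit(text, allowed=ALLOWED):
    """Return (severity, description) for every forward that is not allow-listed."""
    findings = []
    for proto, wan, host, lan in parse_forwards(text):
        if (proto, wan) in allowed:
            continue
        exposed = covers(wan, VERA_CONTROL_PORT) or covers(lan or wan, VERA_CONTROL_PORT)
        sev = "CRITICAL" if exposed else "WARN"
        findings.append((sev, f"{proto}/{wan or 'all'} -> {host}:{lan or wan or 'all'}"))
    return findings

if __name__ == "__main__":
    for sev, desc in audit(SAMPLE_RULES):
        print(sev, desc)
```

A forward with no port restriction (a DMZ-style rule) is reported as CRITICAL because it also exposes port 3480.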

Offline mcalistair

Re: Direct access when away without going through Vera servers.
« Reply #9 on: November 24, 2015, 02:02:41 am »
Push comes to shove any 50.00 router with DDWRT would be more than enough, and if you want a business class, for 100.00 (or less) you can get a Ubiquiti Edge series Router.
500.00 and an annual fee for a home/small business class, you're just being silly.

I fully agree with integlikewhoa, I have a mandatory ISP-provided FritzBox ADSL/Modem Router (approx $150,-) and it has the possibility of simultaneous multi-user IPSec VPN.
The DDWRT I also know and is also very capable and configurable. So a good VPN solution for Home or SOHO shouldn't have to be expensive.

Offline Timon

Re: Direct access when away without going through Vera servers.
« Reply #10 on: November 27, 2015, 01:05:46 pm »
When you've used professional firewall routers you tend to get spoiled. I really like the SonicWall routers but they are pricey even at the SOHO level. If someone wants to give me one with the options I like for Christmas I wouldn't turn it down even if I had to pay the yearly maintenance fee.

My old router was a Netgear VPN router. It still works but doesn't have WiFi so I took it out of service several years ago.

My current router is a 2nd Generation Apple Airport Extreme which has both 2.4 & 5 GHz plus a guest SSID plus I can add an Airport Express as a true access point and have better coverage than you can get with the base station alone. The AXEB has been a fine router but it's missing features that I now want like VPN.

So the search is on for a new replacement but it has to be one that allows for an Access Point to attach to the base station and automatic transfer as devices move between them. BTW, I'm not talking about a WiFi extender. WiFi Extenders are crap that just slow the network down.

Offline integlikewhoa

Re: Direct access when away without going through Vera servers.
« Reply #11 on: November 28, 2015, 10:02:36 am »
I use Ubiquiti UniFi APs with a Ubiquiti router.