We have moved at community.getvera.com

Author Topic: HOWTO: Disable remote access on UI4  (Read 22953 times)

Offline johnes

  • Hero Member
  • *****
  • Posts: 630
  • Karma: +7/-7
Re: HOWTO: Disable remote access on UI4
« Reply #30 on: October 07, 2014, 02:48:56 pm »
So if you disable access to your local vera unit to MCV servers, does that mean that you can't use the Android app then to connect, even if you know your public IP address?

Offline futzle

  • Beta Testers
  • Master Member
  • *****
  • Posts: 3260
  • Karma: +192/-9
Re: HOWTO: Disable remote access on UI4
« Reply #31 on: October 07, 2014, 06:46:20 pm »

So if you disable access to your local vera unit to MCV servers, does that mean that you can't use the Android app then to connect, even if you know your public IP address?

That's right. Not that remote access apps could usefully use the knowledge of your public IP address anyway.

(In case you were thinking it: do NOT forward ports at your router to expose Vera at your public IP address. Vera has no authentication so you would be allowing anyone in the world to control your Vera.)

Offline johnes

  • Hero Member
  • *****
  • Posts: 630
  • Karma: +7/-7
Re: HOWTO: Disable remote access on UI4
« Reply #32 on: October 07, 2014, 11:19:45 pm »
I'd love to know how the information gets transmitted back and forth between the local vera, MCV, and the phone. 

Thanks for that tip, by the way... but my home IP requires a username/password... are you suggesting that that's not enough (honest question)

But If I had a VPN connection to my home, I would be able to use that local IP address.  Would AutHomationHD support that scenario?

Offline futzle

  • Beta Testers
  • Master Member
  • *****
  • Posts: 3260
  • Karma: +192/-9
Re: HOWTO: Disable remote access on UI4
« Reply #33 on: October 08, 2014, 12:35:57 am »
In short, both your Vera and your phone make outgoing connections to Micasaverde's remote access server. The Vera does it through an SSH tunnel, which you can see if you log into your Vera's command line and run the ps command. Your phone makes an HTTPS connection to the same server, supplying a username and password. The remote access server authenticates the phone and connects it to the Vera SSH tunnel. This is similar in principle to a lot of other remote access products that companies sell for you to, say, view your computer's desktop on your phone.

The VPN approach is great. I've used it with HomeWave. I bet there's a way to make it work with AutHomation too.

Unless you've specifically added username+password authentication to incoming connections at your router, port forwarding will just let anything through. In practice, authentication wrapped around port forwarding is rare because it usually interferes with the underlying protocol (HTTP in this case) and renders it inoperative. You might be able to salvage a bit of security by using IP filtering rules or port knocking, but if you are going to go to that effort then you may as well just set up a VPN.

Other topics in this same subforum go into this stuff at length, so if you want more detail have a poke around and read what's already been said. Anything 3 years old or newer is still relevant.

Offline crackers8199

  • Jr. Member
  • **
  • Posts: 75
  • Karma: +0/-0
Re: HOWTO: Disable remote access on UI4
« Reply #34 on: October 13, 2014, 08:06:26 pm »
authomation works over vpn, i just set it up that way.  configure authomation to only use local access, turn off auto-switching, and make sure you're connected to the vpn before opening the app...works just fine.

just so i make sure after reading this that i've disabled remote access correctly...i went through the following steps:

- ssh into veralite as root
- change RA_DISABLED to 1 in /etc/cmh-ra/cmh-ra.conf
- killed the SSH process
- edit /etc/cmh/users.conf to be a single # character

that should be all i need to do, right?

Offline futzle

  • Beta Testers
  • Master Member
  • *****
  • Posts: 3260
  • Karma: +192/-9
Re: HOWTO: Disable remote access on UI4
« Reply #35 on: May 27, 2015, 07:50:14 am »
Thanks to algetnkjba for updating the steps needed to disable the remote tunnel in UI7.  See this topic for the details.