Author Topic: Securing and stabilizing the Vera by taking it off the grid  (Read 3653 times)

Offline rafale77

  • Hero Member
  • *****
  • Posts: 1113
  • Karma: +52/-21
I have been working on slowly making my vera plus just a bridge due to its hardware limitations, disproportionately overambitious integration and poor core software development.
As the next step in this journey, now that I have absolutely no plugin integration requiring internet access, I have decided to block all internet traffic to and from the vera unit and see how it fares and wanted to share my experience and maybe get inputs from people who have already done so:

1. First thing to do is to disable the auto-update from the apps which are left. For me it was easy as I only have ALTUI, System Monitor and one instance of the countdown timer left.
2. Ohh I forgot those 2 absurdly useless plugins from vera: The Sercomm IP Camera and the Amazon Alexa Helper. I tried deleting them thinking they could not be re-downloaded after my vera has no internet access. Well I was right but the vera after about a minute post luup reload tries to get them again, post an "error in scene or plugin" in the luup task bar (The blue message bar) and I discover that it  disables its network socket. Basically all scenes continue to work unless it is required to send anything over http. The log shows that there is an AutoPluginInstall function which failed. I decided to let it redownload them and now I am seeing
Code: [Select]
This plugin is automatically available on all Vera controllers and does not need to be manually enabled. on the "my apps page" for these two plugins. I can't say I am pleased. MCV: Your hardware is not capable of handling all the integrations you are throwing at it. Please allow your customers not to download software they do not use. Or if you want to do so, upgrade your hardware by 2-3 generations on memory and CPU. Heck, my coffee machine has more processing power and memory than the vera.
3. The vera seems to be... less prone to random luup reloads. I am running the bet 26b firmware.
4. My access through VPN and Homewave to the vera is now much faster through VPN having bypassed the mcv cloud server.
5. No more "your vera is offline-online" nonsense. It is permanently offline  :P
6. I setup all my notifications through Homeassistant and Pushover which is much more reliable and has less latency.
7. I think the system is more secure now having cut off one uncontrolled access path to my home.
8. Great reliability improvements overall as I won't have unwanted downloads onto my Vera updating files sending data etc.
9. I lose the daily automatic backup and log transfer... So I have to backup locally and log onto a USB stick.
10. As many people already know here, keeping time between reloads is a big issue for the vera. I did set it to read time from my local NTP server so it doesn't need to access a public NTP. What puzzles me is, the vera updates the user json file regularly. It is how it is able to remember status of devices between reloads. Why not get the time from the last modified date of the user json file by default before going for the NTP server??? At least it won't be off by 19 years.

Overall pretty happy with the outcome and I may keep it longer than I initially thought if it stays this way.
« Last Edit: May 24, 2018, 07:02:38 pm by rafale77 »
openLuup (96 devices, 128 scenes, 20 apps) controlling HomeAss + VeraPlus (133 zwave nodes, 8 Zigbee nodes, 200 devices, 25 scenes , 1 app) Bridged to Homekit and Alexa

Offline therealdb

  • Jr. Member
  • **
  • Posts: 97
  • Karma: +1/-0
  • Automate all the things!
Re: Securing the Vera by taking it off the grid
« Reply #1 on: May 13, 2018, 06:09:49 am »
What puzzles me is, the vera updates the user json file regularly. It is how it is able to remember status of devices between reloads. Why not get the time from the last modified date of the user json file by default before going for the NTP server?

Last year I had to deal with sporadic internet access and frequent reboots due to construction and change in my electrical setup. I opened a ticket and they told me that persistent time was in their radar. One year later, no joy.
Vera Edge, Fibaro FGRM 222 (12), Fibaro FGS 223 (20), Fibaro FGS 222 (5), Fibaro Universal Binary Sensor (2), Fibaro Plug (3), NeoCoolCam Door Sensor (3), NeoCoolCam PIR (1), Nest (3), Raspberry PI running my own integrations, Harmony Hub, OpenSprinkler, Personal Weather Station

Offline rafale77

  • Hero Member
  • *****
  • Posts: 1113
  • Karma: +52/-21
Re: Securing the Vera by taking it off the grid
« Reply #2 on: May 13, 2018, 08:33:14 pm »
So even with the two rogue apps installed, I am still occasionally seeing Luup reloads failing to complete. It seems to be timing out. In which case I have to disable my firewall blocking rules just for it to complete reload and then re-enable. I am suspecting it to be due to ALTUI. Will see with more testing. That being said, I have not seen a single sponteneous unwanted luup reload which is encouraging.
openLuup (96 devices, 128 scenes, 20 apps) controlling HomeAss + VeraPlus (133 zwave nodes, 8 Zigbee nodes, 200 devices, 25 scenes , 1 app) Bridged to Homekit and Alexa

Offline rafale77

  • Hero Member
  • *****
  • Posts: 1113
  • Karma: +52/-21
Re: Securing the Vera by taking it off the grid
« Reply #3 on: May 14, 2018, 01:31:52 pm »
One further update: I had a scene mistakenly run this morning because of a failing
Code: [Select]
return luup.is_night() returning true when it is supposed to be false.

When I go run this in the test Lua code, it returns correctly and the time on the vera is correct.

This is going to push me to move my time related scenes from the vera to openLuup.
I am 100% convinced now that the reliability issues of the vera are related to the UI7 trying to do too many things on a very limited CPU. I believe that the scene failed because it Luup.is.night code did not return fast enough for the scene to continue correctly. I am still quite frequently seeing the UI missing zwave sensors untrip messages. It happens on all kinds of sensors, not a single type. It is also very inconsistent: The same sensor untrips fine for days and just once out of the blue would remain tripped until I go back and trip the sensor and untrip it but walking in front of it or opening and closing a door. It ultimately is problem of jobs and threads running out of sync with others and a fundamental architectural design flaw of the UI and gets worse as the system grows and more functionalities and integrations are added. I do not believe that there is an issue with the zwave or zigbee radio or network since the inconsistencies occurs even when they are not involved. A number of complex plugins which had occasional reliability issues, run perfectly once moved to openLuup. I also am convinced the many random Luup Reloads are triggered due to accumulation of errors related to job completion timing issues.



openLuup (96 devices, 128 scenes, 20 apps) controlling HomeAss + VeraPlus (133 zwave nodes, 8 Zigbee nodes, 200 devices, 25 scenes , 1 app) Bridged to Homekit and Alexa

Offline rafale77

  • Hero Member
  • *****
  • Posts: 1113
  • Karma: +52/-21
Re: Securing the Vera by taking it off the grid
« Reply #4 on: May 18, 2018, 01:16:18 am »
One interesting discovery... When the vera runs a luup reload without internet, it actually skips the loading of a few things. One of them is its lua socket so it is essentially not capable of reaching other ethernet connected devices through lua code. So I am currently having to open access to the vera, run a luup reload and then close access again. This is a bit absurd, not having internet access or access to the vera server does not mean we don't want the vera to communicate on a network...
openLuup (96 devices, 128 scenes, 20 apps) controlling HomeAss + VeraPlus (133 zwave nodes, 8 Zigbee nodes, 200 devices, 25 scenes , 1 app) Bridged to Homekit and Alexa

Offline HSD99

  • Full Member
  • ***
  • Posts: 226
  • Karma: +6/-0
Re: Securing the Vera by taking it off the grid
« Reply #5 on: May 18, 2018, 07:57:33 am »
rafale77, thanks for this thread. I've been moving in this direction myself, albeit much more slowly. I haven't done the detailed analysis of Vera's interactions with the outside world that you have, but have certainly seen that the system relies on outside connectivity to a much greater extent that I had first believed. Here's what I've done to date:

1. NTP redirected to local server on my LAN
The issue of system time is frustrating. Local NTP insures that Vera will be able to get system time when required, but, as you point out, using the timestamp on the most recent checkpoint makes more sense than resetting the time to January 1, 2000. Loss of time across programed events (Luup restarts) is simply poor system architecture.

2. All access to Vera from outside is done via VPN (no use of Vera's relay servers)

3. Cloud backup-I'm OK with this, but wish there was an option to backup to a local network drive instead of, or in addition to, the Vera cloud.

Again, thanks for documenting your experiences.

Offline rafale77

  • Hero Member
  • *****
  • Posts: 1113
  • Karma: +52/-21
Re: Securing the Vera by taking it off the grid
« Reply #6 on: May 18, 2018, 09:06:39 am »

3. Cloud backup-I'm OK with this, but wish there was an option to backup to a local network drive instead of, or in addition to, the Vera cloud.


I have good news for you... I have done this:

I created a cron job to run a bash script daily and create a local backup. Just replace the necessary input with yours and then edit your cron jobs. I am doing this on the VM which runs openLuup but it can be done on any computer on your network.
Here is the bash script:

Code: [Select]
#!/bin/bash

backup_location=#path to your local backup folder#
max_number_of_backups=30 #I want to keep a month's worth of backup#

# Setup environment
. /etc/profile >/dev/null 2>&1

# Go to Vera backups directory
cd $backup_location

# Create a date-specific backup name
export BACKUP_NAME=vera_`date +%Y%m%d`.tgz

# Backup ZWave dongle to Vera (this is async and takes time to complete)
wget -O /dev/null "http://#veraip#:3480/data_request?id=action&DeviceNum=1&serviceId=urn:micasaverde-com:serviceId:ZWaveNetwork1&action=BackupDongle&Restore="

# Wait for Zwave backup to complete (actual time depends on # of zwave devices -- do the timing and adjust)
sleep 60

# Backup Vera (whcih will now include ZWave backup)
/usr/bin/wget -O "${BACKUP_NAME}" http://#veraip#/cgi-bin/cmh/backup.sh?external=1

function number_of_backups() {
    echo `ls -1 $backup_location | wc -l`
}


function oldest_backup() {
    echo -n `ls -1 $backup_location | head -1`
}


while [ $(number_of_backups) -gt $max_number_of_backups ]
do
    rm -rf "$backup_location/$(oldest_backup)"
done

exit 0

Edit:

To complete the instructions in case people are less familiar with linux:

1. Create a text file above and name it "verabackup.sh" or whathever you want to call it. Remember to edit the ip address of the vera, the number of files you want to keep and the path to the folder where you want the backups to be saved.
2. Copy that file to a folder you like just remember it's path on the server you want your backups to be.
3. Make this sh file executable by sending the command:
Code: [Select]
chmod a+x verabackup.sh from the folder where this script file is
4. Edit your crontab by executing
Code: [Select]
crontab -e and at the very end of the file add
Code: [Select]
0 4 * * * /path_to_script/backupvera.sh Don't forget to replace the path and the name of your script file. This is for the script to run at 4am everyday. You can change this to whenever you want. The first 0 is the minutes and the 4 is the hour. Do not forget the asterisks.
5. Save the file and you are good to go.
« Last Edit: May 29, 2018, 09:31:32 pm by rafale77 »
openLuup (96 devices, 128 scenes, 20 apps) controlling HomeAss + VeraPlus (133 zwave nodes, 8 Zigbee nodes, 200 devices, 25 scenes , 1 app) Bridged to Homekit and Alexa

Offline HSD99

  • Full Member
  • ***
  • Posts: 226
  • Karma: +6/-0
Re: Securing the Vera by taking it off the grid
« Reply #7 on: May 18, 2018, 10:03:24 am »
Good news indeed!

Figuring out how to do a network backup was a future project for a Saturday with absolutely nothing else to do. I'm on the road next week, but will take a crack at this when I return.

+1, with thanks!

Offline rafale77

  • Hero Member
  • *****
  • Posts: 1113
  • Karma: +52/-21
Re: Securing the Vera by taking it off the grid
« Reply #8 on: May 20, 2018, 04:04:32 am »
Post 1000 and I hope to make this one useful and helpful:

I created a schematic of how my entire home automation system works and decided to share it.
After months of tinkering I have settled with a 3 controller system which is 100% local.
My graph shows all the Cloud APIs and connections needing an internet connection in blue and all the Local APIs in green with local communications in brown.

1. My main controller is openLuup running on a VM on my NAS. It shows all of my devices and runs most of the automation.
2. I have now successfully fire-walled the vera completely from the internet. I am still seeing it as the most unreliable of the 3 controllers and have dumbed it down quite a bit and will still continue as much as I can. It is essentially now a glorified zigbee and zwave radio with minimal amount of scenes I have kept there to reduce latency for scenes which are triggered by zigbee and zwave devices.
3. Home Assistant runs a number of cloud integration devices which are not available on vera/openLuup running on another VM. It is a secondary controller acting essentially as a bridge for openLuup. I am fairly new to it and I know I could consolidate a few more things within this controller.

Conceptually the vera is now like a Smartthing except that I have replaced the unreliable ST cloud processing with my NAS running a combination of openLuup and Home Assistant. In my view, with UI7 the Vera controllers really aren't capable of being more than a radio: As you can read through a number of thread in this section of the forum. The hardware is just much too limited between the slow CPU and lack of memory/storage causing a number of issues as setups grow larger and I am continue to discover has fundamental reliability flaws. The major advantages of this architecture is, resilience to internet outage, as it would just cutoff inputs a few sensors and actions of even fewer ones, and reliability. I still get occasional mysterious luup reloads on the vera but it is much less frequent and less critical.

For this milestone post I wanted to especially thank all the folks on this forum who contributed to this setup and from whom I have learned:
@amg0 for ALTUI, ALTHue and Iphone Locator
@Akbooer for openLuup
@Reneboer for Harmony
@watou for Ecobee
@lolodomo for Sonos
@futzle for Countdown Timer
@blakem for VRainsensor
@airedale for Plantlink
@Rigpapa for SiteSensor
@intventlr for Homewave
@bwssytems for the ha bridge
@hackworth for the Homekitbridge
« Last Edit: May 21, 2018, 12:17:57 pm by rafale77 »
openLuup (96 devices, 128 scenes, 20 apps) controlling HomeAss + VeraPlus (133 zwave nodes, 8 Zigbee nodes, 200 devices, 25 scenes , 1 app) Bridged to Homekit and Alexa

Offline Don Phillips

  • Hero Member
  • *****
  • Posts: 1258
  • Karma: +31/-32
Re: Securing the Vera by taking it off the grid
« Reply #9 on: May 20, 2018, 10:09:32 am »
+1 for the shout outs and glimpse into your setup.
Vera 3, 1.7.1030, CT101 t-stat, Everspring motion detector, GE/Jasco switch, Leviton outlet, AeonLabs sensor, NuTone garage door, Blue Iris, Sricam SP011, iPhone locator, APCUPSD, VeraMate, VeraAlerts, PLEG, House Modes, Countdown Timer, DVR, Virtual/Multi Switch, Weatherunderground, LB60Z-1 bulb

Offline Mike Yeager

  • Hero Member
  • *****
  • Posts: 525
  • Karma: +6/-12
Re: Securing the Vera by taking it off the grid
« Reply #10 on: May 20, 2018, 09:04:11 pm »
I may be headed in this general direction as well. I've just gotten into HomeAssistant and it's another learning curve, but my RPi house controller (I have other processes running on it for over a year now) has been rock solid. How does HomeAssistant handle Vera doing a Luup restart? Does it catch the actions up afterwards or are they lost?

Offline rafale77

  • Hero Member
  • *****
  • Posts: 1113
  • Karma: +52/-21
Re: Securing the Vera by taking it off the grid
« Reply #11 on: May 20, 2018, 11:53:39 pm »
I may be headed in this general direction as well. I've just gotten into HomeAssistant and it's another learning curve, but my RPi house controller (I have other processes running on it for over a year now) has been rock solid. How does HomeAssistant handle Vera doing a Luup restart? Does it catch the actions up afterwards or are they lost?

Having played with Home assistant now for a while, I don't think it will have as frequent polling rate as openLuup. This means that a Luup reload will not affect it much. If it happens while a command is sent, the vera may still execute it when it comes back up. This is the reason why I am still maintaining openLuup as my main controller: I am more comfortable with lua coding and the interface. Home Assistant's GUI while very configurable is still not as functional as ALTUI in my opinion. The lower poll frequency also means that you will have more latencies between the controllers.

For the past couple of days, I have been fighting with the vera having random luup reloads, losing time in spite of having set the ntp servers to local and losing its lua http socket. I finally got to the bottom of it this morning. It appears that I had set up my firewall a little too aggressively and blocking vera from some of the local network communications. I think I  have now resolved most of the problems. What I am left is still random luup reloads, and intermittent periods of long delays in zwave commands and even occasional complete miss of a signal or command. Upon full vera reboot, I sometimes observe that the vera takes a long time before it get's its ntp time and therefore goes off executing unwanted things. It's not a big deal if you expect it and do not reboot the vera so often which I don't, but it is something to be aware of. It's not quite there yet but this is the right direction to get the vera more reliable. My overlay partition is stable at 54-55% used space with now only 2 plugins: Countdown timer and System Monitor.

Back to Home Assistant, I am considering using the sonos component with the embedded TTS function to replace the http API I am currently running for all the announcements and the roomba component to replace my separate API. This would consolidate a little.
openLuup (96 devices, 128 scenes, 20 apps) controlling HomeAss + VeraPlus (133 zwave nodes, 8 Zigbee nodes, 200 devices, 25 scenes , 1 app) Bridged to Homekit and Alexa

Offline Mike Yeager

  • Hero Member
  • *****
  • Posts: 525
  • Karma: +6/-12
Re: Securing the Vera by taking it off the grid
« Reply #12 on: May 21, 2018, 08:28:54 am »
I like openLuup as well but never had much luck running it on an RPi. Once I upgrade my NAS, I may try it there. Right now I have it running only on Vera itself. Are you still running it on the Vera?

Offline rafale77

  • Hero Member
  • *****
  • Posts: 1113
  • Karma: +52/-21
Re: Securing the Vera by taking it off the grid
« Reply #13 on: May 21, 2018, 09:49:28 am »
You can't run openLuup on the vera, you maybe talking about ALTUI? openLuup is basically a vera emulator you can run on any hardware which then connects to the vera through a bridge and controls it.
openLuup (96 devices, 128 scenes, 20 apps) controlling HomeAss + VeraPlus (133 zwave nodes, 8 Zigbee nodes, 200 devices, 25 scenes , 1 app) Bridged to Homekit and Alexa

Offline Mike Yeager

  • Hero Member
  • *****
  • Posts: 525
  • Karma: +6/-12
Re: Securing the Vera by taking it off the grid
« Reply #14 on: May 22, 2018, 05:52:05 pm »
Sorry, I lump OpenLuup in with AltUI seeing as it's the front end anyhow. Yes, I'm running AltUI on the Vera...