Professional Remote Access for Your Smart Home. Part 2
Previous part: Professional Remote Access for Your Smart Home. Part 1
First, we need a domain name. If you don't have one you can grab a free one from Freenom. Obviously you won't get something like a dot-com without paying, but free names will work just as well if you don't care about the prestige. I'm using protechshow.com.
Next we're going to create a DNS record, which you'll typically do wherever you registered your domain. What type of record you need will depend on what type of public IP address you have. By the way, I realise I haven't explained domain names, DNS or IP addresses in detail here. I am assuming some knowledge on your part, partly for the sake of time and partly because if you're coming at this without a foundational knowledge of how devices communicate on the internet, then blindly opening ports through to stuff in your home is kind of dangerous. If you want a video on DNS and domains, drop me a comment. I'm happy to do it, but it needs its own video. Back to your IP address.
Broadly speaking there are three types: a static address, a dynamic address, and carrier-grade NAT. If you've got a static IP you're in luck! You just need to create an "A" record in DNS with the name matching the website address you want for openHAB, and point it towards your public IP address. You can find your address easily by going to whatismyip.com. Unfortunately, at least here in the UK, it isn't very common to have static IP addresses on residential connections. Most residential connections here have a dynamic address, which means the address changes occasionally.
That's a problem because if you point your DNS at your public IP address and it changes, it's now pointing at someone else's house. To get around this you can use a dynamic DNS service. This lets you run a bit of software which periodically checks in with their online service and updates a DNS record. When your IP address changes, that DNS record will follow it. Then, in your own domain's DNS, you create a "CNAME" record which points to the dynamic DNS record. This way your record follows the dynamic record, which follows your IP address. Noip.com is a dynamic DNS service I've used in the past with a free tier. I've been using a static IP myself for a number of years, though, so if you use a dynamic DNS service that you'd recommend please let people know in the comments. The final type of address you might have is carrier-grade NAT.
Well, that's not actually a type of IP address, more the method by which you get one. This is commonly used by mobile networks. Instead of you getting one address that's shared between all the devices in your home, your ISP takes one address and shares it between several customers. This kind of screws you over for self-hosting because there's no way to forward a port through from the internet when you have no control over your shared public IP address. If you're unfortunate enough to be stuck behind CGNAT your only option is to use some kind of outbound tunnelling service. An example of this would be Cloudflare's Zero Trust service, of which there is also a free tier.
This creates a tunnel from your network to Cloudflare. Your DNS record points to Cloudflare and Cloudflare passes the traffic back down the tunnel to your network. Because the tunnel is initiated from your end there is no need to open a port through your firewall and no need for any control over your public IP address. It will work just as well with a static IP, a dynamic IP, or CGNAT.
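As an added illustration (not from the original post), here is the decision the last few paragraphs walk through, written as a small Python check. It takes the address your router shows on its WAN interface and the address whatismyip.com reports, and says whether an A record, a CNAME to a dynamic DNS name, or an outbound tunnel is the right tool. The 100.64.0.0/10 test is my assumption based on RFC 6598, the shared address space ISPs use for CGNAT; the RFC 1918 case generalises the post's point to any NAT sitting upstream of your router.

```python
import ipaddress

# Assumption: 100.64.0.0/10 (RFC 6598 shared address space) on the WAN side
# indicates carrier-grade NAT. An RFC 1918 address on the WAN side means the
# router itself sits behind another NAT, which has the same consequence:
# there is no public address you control to forward a port on.
CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")
PRIVATE_SPACE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify_wan_address(addr: str) -> str:
    """Label the address the router reports on its WAN interface."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT_SPACE:
        return "cgnat"
    if any(ip in net for net in PRIVATE_SPACE):
        return "private"
    return "public"


def choose_dns_approach(router_wan_ip: str, observed_public_ip: str,
                        static: bool) -> tuple:
    """Return (approach, reason). router_wan_ip is what the router's status
    page shows; observed_public_ip is what whatismyip.com reports; static is
    whether your ISP has promised the address will not change."""
    kind = classify_wan_address(router_wan_ip)
    if kind == "cgnat":
        return "tunnel", "WAN address is in RFC 6598 space: CGNAT, no port forwarding"
    if kind == "private":
        return "tunnel", "WAN address is RFC 1918: another NAT sits upstream"
    if ipaddress.ip_address(router_wan_ip) != ipaddress.ip_address(observed_public_ip):
        return "tunnel", "router WAN address differs from the address seen from the internet"
    if static:
        return "a_record", "static public address: point an A record straight at it"
    return "cname_to_dynamic_dns", "dynamic public address: CNAME to a dynamic DNS name"


def dynamic_dns_needs_update(record_ip: str, current_ip: str) -> bool:
    """The check a dynamic DNS client runs on each poll: update only on change."""
    return ipaddress.ip_address(record_ip) != ipaddress.ip_address(current_ip)


if __name__ == "__main__":
    # Constructed sample values (documentation ranges), not addresses from the post.
    for wan, seen, static in [("100.70.1.2", "203.0.113.5", False),
                              ("203.0.113.5", "203.0.113.5", True),
                              ("203.0.113.5", "203.0.113.5", False),
                              ("192.168.1.2", "203.0.113.5", False)]:
        print(wan, seen, "static" if static else "dynamic", "->", choose_dns_approach(wan, seen, static))
```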
If we limit the scope to just remote access for openHAB this is a pretty good way of doing it. You don't need to expose anything to the internet, so it reduces your attack surface, which is good for your security. You can even use Cloudflare to do the authentication, so it's like moving your Kemp LoadMaster up to the cloud and letting someone else deal with it for you. It is similar in principle to the way the openHAB cloud service works, but with the ability to use more robust authentication. In fact I considered just having this video be about how to get remote access to openHAB using Cloudflare. There are a few reasons I decided not to, but let me know if you want me to make that video.
For now, though, let's assume we've registered a domain and we've set up a DNS record that's pointing towards the public IP address of our router. We're going to forward that through to Kemp, but before we do that let's explain what this LoadMaster thing is going to do for us. Its first important job is to present a publicly trusted certificate to the internet. This establishes a trusted connection with our browser and encrypts our connection to openHAB. After that the traffic will be inspected for malicious behaviour using Kemp's web application firewall. This checks the traffic against a list of known web attacks and blocks suspicious connections so they don't get the chance to try attacking openHAB.
Then we've got the authentication, which is going to talk to Duo and FreeRADIUS to make sure the person trying to get into openHAB is in fact you. If not, they're blocked and the connection doesn't get any further. Only if the connection passes these checks: it's encrypted, it's been authenticated using multiple factors, and it doesn't match known attack patterns... only then is it passed through to openHAB. If Kemp sees something dodgy it will stop it at the front door, and even if someone finds a way to exploit openHAB they won't get past the bodyguard to try it. That's the solution in a nutshell. Let's look at how to set it up. We'll start by getting hold of our Kemp LoadMaster: go to freeloadbalancer.com and click "Download".
You'll need to create an account to associate your licence with. Now choose the hypervisor you're going to deploy this on. It comes as a virtual appliance, so it's a fully self-contained computer image. In my case I'll choose Hyper-V because I'm demoing this on my Windows desktop. I'm assuming some knowledge again, that you're familiar with virtualisation. Select your country and click "Download". It comes with a guide in the Zip file that walks you through deploying it. One thing to watch out for is that you need to configure a static MAC address.