Home Automation and control using Node-Red, Heroku, MQTT

This is my initial approach towards home automation. Read my blog post at DIY Home Automation
I am currently working on a more secure, robust and totally FREE solution without compromising my data. If want to stay ahead and explore it yourself. Checkout Cloudflare Argo Tunnels installable on a Raspberry Pi. I will update try to post an update when it's done!!!

You say in your post to fork Node-RED!!!! Why would you want to do that? Just to change the settings.js file? You can do that anyway on installation since you get your own instance of that file in your userDir folder.

Also, you don't specifically mention anywhere that this solution is FAR from secure. Since you haven't specified the use of HTTPS and MQTTS everywhere.

Seems to be similar to NGROK which as previously been discussed in this forum. Though obviously better integrated into the Cloudflare account.

How much does Argo Tunnel cost?

Argo Tunnel is free with the purchase of Argo Smart Routing. Argo Smart Routing can be purchased in the Cloudflare dashboard and costs $5/month plus 10 cents per GB. Cloudflare only charges for Argo routing; there is no charge for the count of tunnels used.

Ok answering all your concerns.

  1. Yes we need to fork node red because Heroku is nasty when hosting node red. If by chance the Heroku app sleeps or restarts, all the flows and settings will be lost and the latest version of the the continuous git repo will be deployed.
  2. Heroku and Cloudflare provides automatic SSL so HTTPS was not my point to mention.
  3. Argo Tunnel and Argo routing are different services and Argo tunnel can be used with a free Cloudflare account.
  4. NGROK costs money when you want to use a fixed URL. Argo tunnels don't
  5. Again this solution is good but more complicated because Heroku :upside_down_face:. Argo tunnels is the way to GO!
    Tell me if I missed something!

Not according to the website it can't. As you can see from my account, you can't start an Argo Tunnel without enabling Argo.

Argo itself is billable: Billing for Argo – Cloudflare Help Center

Enabling Argo in the Cloudflare dashboard initiates a USD $5.00 monthly charge. After transferring the first gigabyte of traffic between Cloudflare and your visitors, you are charged an additional USD $0.10 per gigabyte.

If you can find a way that lets you use Argo Tunnel's for free, please let me know as it would be interesting.

The first part of that is true. However, you can easily deal with that if the use is just for you or a limited number of people. There is also, I think, a time limit on a session.

For myself, I have a Telegram bot that contains a command that starts up a tunnel (had actually, I'm not using ngrok at the moment) via a flow in Node-RED. I've not used it for a while but I think you can get the dynamic sub-domain it creates as output from the ngrok command, that could be extracted and sent back to telegram. Alternatively, you can find it on the ngrok website.

  1. Argo tunnels doesn't require a billing account. This is the reason I linked the CLOUDFLARE DEVELOPER DOCS and not the cloudflare dashboard. Just follow the docs and you will not be asked for a payment method.
  2. I know Argo is billable but Argo Routing.

I have read articles on all types of setups with remote access to the Raspberry Pi or cloud hosted Node Red but none of them are upto the mark.

Further more cloudflare provides robust security with cloudflare Access. I am using cloudflare free version for a long time, never disappointed. I am not related to cloudflare in anyway except that I use it :sweat_smile:.

Sorry, still have an issue here:


Point #3 - required Argo Smart Routing which is a chargeable option?

I don't have a problem with Cloudflare, I use it for a lot of things.

I guess you are reading the wrong docs. I am able to visit this using the link I provided.

Specific link to the create tunnel section

Have you actually created a tunnel? Step 3 of the page you listed redirects you to the one I listed which includes enabling Argo.

Update: OK, I did get a tunnel running despite the documentation which is rather circuitous.

Also tested with Node-RED and it works OK. Though because I had NR running with https and a Lets Encrypt cert, it wouldn't work with localhost being the end of the tunnel.

Be interesting to see if there are any limitations to this as it appears to bypass the intent from Cloudflare to charge for this service. For now at least, it is a useful alternative to NGROK and similar services if you happen to be a Cloudflare user. At least Cloudflare seem to have made this reasonably secure by default unlike NGROK.

I will try to find time to do a more detailed write-up for the forum along with a flow to turn on/off the tunnel from Telegram like I did for NGROK.

Of course, you don't need Heroku to do this as long as you are setting up a local version of Node-RED anyway.

What I do suggest though is to use a separate instance of Node-RED as the endpoint of the tunnel. Possibly with the Editor disabled. Keep your main processing on a separate instance along with the editor.

Good to see it worked :grinning_face_with_smiling_eyes:. I don't think Cloudflare will start charging for tunnels.
About SSL - You can generate a SSL in Cloudflare for the Pi which is valid for 15 years max or reduce the security on the Cloudflare dashboard and use it with your Let's encrypt cert.

I use Let's Encrypt for TLS certs and they update automatically. But you cannot issue a cert for "localhost" or an IP address. So you either need to use a valid (sub)domain or turn off Node-RED's TLS support (which you don't need of course if you are only allowing access via the tunnel).

Problem is, if you turn off the local TLS, your browsers constantly moan at you and won't let you get direct to your internal web pages. That's why I have a spare domain and have configured hairpin DNS so that I can use the domain on my LAN (and remotely if I want to). It is that domain to which I've attached the tunnel. It all works OK once it is set up. Instead of hairpin DNS, you could simply use the HOSTS file on the server and any client devices.

BTW, using a 15 year expiry on a certificate is due to get much harder soon. That's because the browser vendors are on a mission! To make life hard for us. Just as they have with self-signed certs, they will soon start adding warnings for certs with long lifespans.

ok :joy:

I didn't know that

Yes, it is because of the failings of PKI and potential long-term vulnerabilities. Since nobody really uses certificate revocation lists (CRL), a hijacked certificate can last in the wild for a long time.