How to access the dashboard from Android without Wi-Fi connection

Hi. I've been using Node-Red for a while and one of the things I'm testing is watching the dashboard from my Android phone. I have no problem using Wi-Fi on my local network but when I try to access it through the data connection, since I would like to control my application from anywhere, it says "This website cannot be accessed". How can I solve this?

Thank you very much I hope you can help me.

Computers on a local network are not normally accessible outside of that network.

To do so requires a LOT of setting up to make sure that you don't expose your computer and network to attacks.

And some people, with expertise in this area, say that Node-RED dashboard cannot be securely exposed to the outside world.

Well "cannot" is a strong word. There are certainly risks that you should understand and compare against what you are doing - what would it mean if someone were to access your Dashboard? Could they access/control lighting, heating, cameras?

How well do you check and validate data that comes back from the Dashboard? Something that most people using Dashboard forget because they are designing for the expected users rather than thinking about worst-case scenarios. For example, you might have some flows that would do "bad things" if a user injected bad data. Probably not a problem on a local network with just your close family using it. Could be a major issue when exposed to the whole world.

There are ways to mitigate some of the risks but they all require careful configuration. NGROK is often mentioned for example but the default settings for NGROK connections are FAR from secure.

If you want to use Dashboard and simply want to connect it to the outside world, as a minimum, you need to set up your router to only allow access to the Dashboard page, you should add a login and you MUST configure TLS (e.g. be using HTTPS not HTTP). Even then, I would recommend using a separate instance of Node-RED that subscribed to data via MQTT and only had the minimum Dashboard flow on it. But then, working in IT Security, it won't surprise you to know that I am somewhat paranoid - and for good reasons that most people prefer not to know.

2 Likes
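The validation question raised in the reply above, as an added example that is not part of the original posts: an allow-list check for messages arriving from Dashboard widgets, written so it can be called from a Node-RED function node. The topic names (`led`, `setpoint`) and the 5 to 30 range are assumptions chosen for illustration.

```javascript
// Added example: allow-list validation for messages coming back from
// Dashboard widgets. Topics and limits below are hypothetical.
const RULES = {
  // topic -> validator returning a cleaned value, or undefined to reject
  led: (v) => (typeof v === "boolean" ? v : undefined),
  setpoint: (v) =>
    typeof v === "number" && Number.isFinite(v) && v >= 5 && v <= 30
      ? Math.round(v * 10) / 10 // keep one decimal place
      : undefined,
};

function validateDashboardMsg(msg) {
  if (msg === null || typeof msg !== "object") return null;
  if (typeof msg.topic !== "string") return null;
  // Own-property check so names such as "__proto__" never match a rule.
  if (!Object.prototype.hasOwnProperty.call(RULES, msg.topic)) return null;
  const cleaned = RULES[msg.topic](msg.payload);
  if (cleaned === undefined) return null;
  // Build a fresh message so unexpected properties are not passed downstream.
  return { topic: msg.topic, payload: cleaned };
}

// Constructed sample messages: one valid, one with an out-of-range value.
console.log(validateDashboardMsg({ topic: "setpoint", payload: 21.46 }));
console.log(validateDashboardMsg({ topic: "setpoint", payload: 500 }));
```

Inside a function node the body would be `return validateDashboardMsg(msg);`, since returning `null` from a function node drops the message.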

I appreciate your quick answers and suggestions in advance. I might have asked a naive question but, I am not a network expert and it is clear that there are things that escape me. I know that by connecting a device or several devices to the Internet we expose ourselves to the dangers of intruders or cyberattacks but I thought there would be some way with Node-Red that these connections are encrypted and "secure" outside our local network.

I have made a project recording temperatures and lighting a LED through Node-Red, MQTT and an Arduino, all locally, and I can visualize it on my Android mobile using the Node-Red dashboard that I have "protected" by a username and password, but is there any way to do it remotely and make it "secure"? I thought that through these platforms our data was encrypted and there was no "problem"; if not, I don't see any sense to IoT ... Could it be combined with Blynk? To be able to do it safely?

1 Like

The point is that it isn't that simple. Node-RED is a platform not just a system. What one person needs isn't what another needs.

Security is hard to do, harder to do right. It takes resources and setup. So for anyone working on a secure network and with low-risk, they don't need all the extra work.

Also, security isn't just the responsibility of a single system. You have to make sure the system and all of the network components are also secure.

So no, there isn't a simple answer.

However, Node-RED has the ability to be configured for secure wire communications (TLS/HTTPS/WSS) and it has a very basic authentication system for various components. So it actually does OK. But you still need secure certificates, secure passwords and a securely configured network; Node-RED can't provide these.

Or you can use one or more of the suggestions that are documented in the Node-RED docs or elsewhere - even in this forum.

Yes.

Reasonably.

Security is ALWAYS a problem. There are no easy answers though there are fairly easy ways to reduce the risk.

For what you are doing at the moment, your risks are pretty small and there are multiple ways to reduce them to virtually nothing.

However, if you then go on to add more and more to your initially simple system, that's when the risks can rise without you thinking about them. And that is why I keep taking pains to try and explain them to people.

It isn't that everyone has to have a super secure system. But it IS that people need to THINK and to KEEP THINKING about the risks. Also, don't think that this is only YOUR risk, you also risk other people too. One of the banes of the internet is systems that people haven't properly secured and that now are part of malware networks that attack and infect and steal information from other people.

IoT is just another marketing term for something that has been around since even before the digital age. Tools and systems reporting back to a central control. The incredible advantage in the digital age is that this is ever easier to do and to do at scale so that you could have millions of devices all reporting in data that can be combined onto dashboards that are easily monitored and that can be fed into large-scale processing systems (including machine learning) to derive new knowledge and data.

So the "sense" of IoT systems is not directly linked to their security. Rather, the lack of security awareness of people building IoT systems is a failure of ever growing proportions. It reduces the effectiveness of IoT and puts people in constant risk.

I'd be happy to continue a dialogue about this but we are now getting quite off-topic. PM me if you'd like to continue the discussion.

Yes.

Not sure, I don't use Blynk. You would have to look at it to see what security it has. But even if it does, you still need to make sure that, from the outside, you can only access the data you really need to and you probably need to set up Node-RED with a certificate and https. Have a search through this forum for "Let's Encrypt" to get some ideas.

As I also mentioned, you can expose the Dashboard using NGROK fairly securely - surely enough for your needs anyway. I created an example that may be of help: https://flows.nodered.org/flow/a18b3c0fdc96f08904741eecb7a2293c

The advantage of something like NGROK is that it creates a path from your Node-RED server device out to the Internet via a 3rd-party. So you don't have to make any local network changes though you do have to trust the NGROK service - the data is encrypted end-to-end as long as you follow my recommendations and only allow an https connection, so your exposure to the 3rd-party service is minimal anyway.

3 Likes
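The minimum named in the replies above (TLS, a login on the Dashboard, a Dashboard-only instance), as an added example that is not part of the original posts: a check that can be run against a Node-RED `settings.js` object before the instance is exposed. The setting names (`https`, `requireHttps`, `httpNodeAuth`, `adminAuth`, `httpAdminRoot`) are Node-RED's own; the finding ids, sample values and placeholder hash are constructed for illustration.

```javascript
// Added example: audit a Node-RED settings object for the minimum the
// thread asks for. Finding ids are hypothetical labels, not Node-RED output.
const BCRYPT = /^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/;

function auditSettings(s) {
  const findings = [];
  // TLS: Node-RED accepts an options object or a function returning one.
  const tls = typeof s.https === "function" ||
    (s.https && s.https.key && s.https.cert);
  if (!tls) findings.push("no-tls");
  // Without requireHttps, plain HTTP requests are not redirected to HTTPS.
  if (s.requireHttps !== true) findings.push("http-not-redirected");
  // httpNodeAuth is the login covering HTTP-In nodes and the Dashboard.
  const auth = s.httpNodeAuth;
  if (!auth || !auth.user || !auth.pass) findings.push("dashboard-no-login");
  else if (!BCRYPT.test(auth.pass)) findings.push("dashboard-password-not-hashed");
  // A Dashboard-only instance can disable the editor with httpAdminRoot: false;
  // otherwise the editor needs its own login (adminAuth).
  if (s.httpAdminRoot !== false && !s.adminAuth) findings.push("editor-no-login");
  return findings;
}

// Constructed placeholder in bcrypt format, not a real password hash.
const PLACEHOLDER_HASH = "$2b$08$" + "x".repeat(53);

// Constructed sample configurations: a bare install and a hardened one.
const weak = { uiPort: 1880 };
const hardened = {
  uiPort: 1880,
  https: { key: "<contents of private key>", cert: "<contents of certificate>" },
  requireHttps: true,
  httpNodeAuth: { user: "dashuser", pass: PLACEHOLDER_HASH },
  httpAdminRoot: false, // editor disabled on the exposed instance
};

console.log(auditSettings(weak));
console.log(auditSettings(hardened));
```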

Well said! If anyone gets captured by a botnet, he probably won’t feel any harm and won’t know what his machines are doing to others. Security was and is an illusion. If you are locked out, get good at lock picking. But even if there is no secure lock, you will go out and buy the appropriate lock for the value of your bike. The problem is that in the IT world most users can’t evaluate the value of their system. And I see it as unfair to demand from a normal user to get a cyber security expert only because he wants to control something remotely. It is up to the IT businesses to gain back trust and show enough enthusiasm to handle this for the end user; otherwise, after a couple of further incidents, it will get harder and harder to sell products. The end user, on the other hand, has to learn that reasonable security doesn’t come for free. Either you pay some money so that somebody takes care of your system or you spend some effort to do it yourself.
@TotallyInformation thank you for your effort in providing this and other useful information.

1 Like

Thank you very much, what you say about security is very interesting. The truth is that I am quite discouraged to continue and even be able to one day create a business with IoT, it is a bit scary ... I will do some tests with Blynk + MQTT + Node-Red and I will try to find out more about how to protect my projects without putting anyone at risk. I'm going to take a look at the forum about Let's Encrypt and the NGROK application. I thank you very much for the insistence and information about safety or how to minimize risks.

That's good, hold on to that, it will stand you in good stead! But don't be completely put off. The amazing thing about working with IT and IoT is just what can be achieved. How much you can do to improve people's lives. Just don't be fooled into taking shortcuts. Think about the big picture, not just the details, but don't forget the details either.

Many people working with IoT in particular fail to think about risks and consequences. So if you train yourself to do so and gain some knowledge of security and engineering, you will automatically stand out from the crowd.

3 Likes

I will get to it. Thank you.
