Hi folks,
When reading the recent posts about hacks and security, it becomes very obvious that port forwarding should be avoided, and that you should use some free tier to access your system from the internet. Of course you can say that you should not connect Node-RED to the internet, but that would be the end of IoT (Internet of Things) for me. So please let's not discuss that...
But I assume a lot of users have no clue how to get started with this, and how to set it up decently.
So I would like to gather some ideas about a minimal, simple setup to get them started. Not sure at the moment whether that is possible. So I would appreciate some constructive feedback from users who have already dug through the mud.
From what I heard, Cloudflare offers a lot of extra stuff, but is more complex. Need to have something that is easier to understand. The installation of ZeroTier on a Raspberry seems rather short. But is that good enough? A few installation commands tell me zero about the overall setup...
The instructions you linked to are simple enough to follow, and indeed I did something similar when I set this up. Assuming that we trust ZeroTier, I believe that it's pretty secure out of the box.
The only real weakness is protecting access to your account setup. It does support 2-factor authentication, and for security it's essential that you set this up.
This is something not mentioned in most guides.
It's easy to add new devices to the network and manage everything via the web page.
Yes indeed. But I have no clue whether it results in a setup that is decent enough. E.g. you can connect up to 50 devices. But I assume you can also add only one device (raspberry), which hides your other devices?
I still advocate using Heroku - my instances have been running super stable for a year now. Unfortunately Heroku is no longer free and one setup is about $15-20 USD (database and dyno) per month.
Of course, there is the in-browser sort-of-working Node-RED - I did just add simple flow execution, so that jingle bells does actually play in browser using Node-RED without a server. (I know this might be a very frivolous use of Node-RED but it does demonstrate code abstraction and reuse.)
Ah ok, that clears the fog. So you don't navigate with your smartphone to ZeroTier, which forwards you to your Raspberry. Instead the ZeroTier client on your phone connects to the ZeroTier client on your Raspberry...
Yeah, any device with the client running, that you have authorised to join your network, can see any other as though all plugged into the same switch.
So even if you connect to the pi, you cannot see anything else on the local network that the pi is also connected to. (unless it is also running the client software)
A big advantage of zerotier is that you don't need to do anything in your router to set it up.
The client software zerotier-one on each device reaches out to zerotier.com to log in to your virtual network. You have to authorise each device on zerotier.com.
So at home I might browse to 192.168.1.11:1880, elsewhere the virtual IP 192.168.192.11:1880 connects through the zerotier encrypted tunnel.
So it is a reasonably simple-to-set-up way to get secure access over the internet.
A point to consider is that access to your home network is controlled behind a simple username/password at zerotier.com.
Well, not directly, but I can ssh into my Pi (ssh@192.168.192.11) over ZeroTier and then ssh pi@192.168.1.25 using the LAN address of another device.
I don't think there is a simple way of restricting the connection to a single service, e.g. just port 1880.
Now I need to digest both all the Christmas food and the brain food presented here.
But thanks to all, the fog is starting to fade away in my head.
A few new questions:
Suppose your internet connection is down. Can you still connect from your phone (which is connected to your wifi) to your Node-RED system via the local ZeroTier clients? Or do you perhaps always require a connection to zerotier.com?
What if you need to connect a third-party host to your Node-RED system? For example, the node-red-contrib-google-smarthome nodes require all traffic from Google to be forwarded to a local endpoint in Node-RED:
You cannot install a ZeroTier client on the Google servers, so they are not part of the virtual network. Anybody any idea whether this is possible without port forwarding?
When using dynamic dns, you need to update your WAN ip address in the dynamic dns provider every time it changes. Is something similar required inside the virtual ZeroTier network?
ZeroTier creates a second, virtual network interface with its own IP address.
If the internet is down this network is unavailable but the other network provided by your router is still ok. You just connect using that local IP address.
I don't know but I imagine everything will still work, using the original network interface.
If I connect over SSH using the ZeroTier IP, I can ping google.com; the traffic connects over the ISP network interface as normal.
No hostname or dynamic DNS is needed.
The public IP address provided by your ISP may change, but ZeroTier invisibly maintains its virtual network.
In fact Zerotier works for my mobile broadband where carrier grade NAT constantly changes my public IP and VPNs are impossible.
Family still asleep, so finally some me-time after a very busy year.
I need to admit that I already love ZeroTier. It is very simple to set up, once you know how to do it. Will write a noob tutorial soon, but first need some extra input:
1. Is it still necessary/advised to use basic authentication for Node-RED?
And related to this: I can assume it could be required to keep using basic authentication, to make sure Node-RED cannot be accessed insecurely from other devices within my LAN. But perhaps question 3 could solve that: if I could whitelist only ZeroTier addresses, then perhaps basic authentication would not be required anymore?
2. Is it still necessary/advised to use SSL for Node-RED? Not sure if LetsEncrypt certificates are still the way to go in combination with ZeroTier?
3. Can the setup from @marcus-j-davies be used to allow only the IP addresses from ZeroTier to enter? Or perhaps not, because you access Node-RED via the client?
4. There are quite a lot of DNS settings. If I have my Raspberry with name "my-raspberry", I thought I could just navigate to "my-raspberry" in the browser of my Android phone. But that cannot be resolved. I assume I forgot to set up something, but not sure what...
5. When I access my Raspberry (which is running a ZeroTier client) from within my LAN, e.g. from my Windows portable, should I navigate then directly to my Node-RED port, or is it better to install the ZeroTier client also on my portable?
6. Related to this: do I perhaps need (some way?) to restrict Node-RED so that it can only be accessed from within my ZeroTier network? Not sure if I can prevent any other devices in my LAN from accessing Node-RED directly...
I am still struggling with my question from yesterday. The node-red-contrib-google-smarthome nodes require all traffic from Google to be forwarded to a local endpoint in Node-RED:
I say "Hey Google" to my Google Home devices, which send my voice commands to the Google servers.
The Google servers connect to my router (via the callback URL in the screenshot above that I have entered in their cloud platform at the time being).
That port needs to be forwarded on your router to access the endpoint of the smarthome node.
You cannot install a ZeroTier client on the Google servers, so those servers are not part of the virtual network. Which means they cannot access the endpoint anymore when I switch off port forwarding.
Is there a way to do this more securely via ZeroTier without port forwarding? EDIT: From this discussion I assume it is not possible...
zero trust: no device gets connected to my ZeroTier network until I explicitly and easily grant access via ZeroTier's dashboard. NOTE: you have to (and should) mark your network private in ZeroTier.
ad 1: I do add that extra layer of security. Given that your Raspberry can be accessed from both the ZeroTier network and your local network, I still secure Node-RED.
ad 2: traefik is my friend here. Reason again: on the LAN side nothing has changed.
ad 3: I assume yes, you only need to add those client IPs from your ZeroTier network you'd like to grant access?
ad 4: DNS settings are indeed a bit tricky.
If you accessed, e.g., your Node-RED dashboard via ZeroTier and your dashboard refers to a local "grafana_chart_no1.local.lan", the latter is not going to be resolved. At least I have yet to find a way to utilize the DNS server of my home LAN.
My workaround is to maintain an entry in my public domain's DNS server, which I use for traefik/letsencrypt anyway. I had to choose "grafana_chart_no1.local.de" for those rare cases, though.
As long as you use IP addresses it works fine, if a route is set in zerotier's dashboard.
ad 5: I only use ZeroTier for remote access. Everything else remains local as usual.
ad 6: That seems to be related to ad 4. I assume as long as you use ZeroTier to remotely INPUT a command, the processing of it via Node-RED works from within your local LAN as always? You of course have to be able to input things. The push of a button works; voice control is a different beast.
Morning Everyone, and Merry Christmas to you all and family.
As long as Node RED is seeing the source IP/Range of the client accessing it - then yes, you can control the access with this type of ACL.
I don't use ZeroTier or various types of these services, so I can't really comment on "what" IP/interface is accessing Node RED, but again, if Node RED is seeing the ZeroTier client IP, then yes.
I like the idea of combining Marcus' IP whitelisting with ZeroTier. In ZT each client has a static IP address, so in effect you have two layers of control:
Can this internet device access my network? (ZT)
Can this internet device access the Node-red editor? (Whitelisting the ZT static IPs)
IMHO you still need the Node-red login, otherwise a lost phone = wide open Node-red. But a lost phone with ZT has access to much more than just NR. Can the ZT client be set up to need a fingerprint to connect?
ZT say that once a connection is established, traffic does not necessarily go through their servers, but it might do. Is this a sufficient reason to also use SSL? Maybe yes.
DNS is moving away a bit from the easy setup route, but if my Android has two specified DNS servers, eg QuadNine and a PiHole in the zerotier network, does that let me resolve my-raspberry.local?
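The two-layer idea above (ZT membership plus whitelisting the ZT static IPs in Node-RED), as an added example that is not code from this thread, from Marcus, or from the Node-RED project. It assumes a constructed ZeroTier managed range of 192.168.192.0/24 (matching the virtual IP 192.168.192.11 quoted earlier) and uses the real httpAdminMiddleware hook of settings.js:

```javascript
// Added example, not code from the thread or from Node-RED: an IP allow-list
// for the Node-RED editor, hooked in via the httpAdminMiddleware setting.
// Assumed (constructed) ZeroTier managed range: 192.168.192.0/24, matching the
// virtual IP 192.168.192.11 quoted in the thread.
const ALLOWED = ["192.168.192.0/24", "127.0.0.1/32"];

// Dotted-quad IPv4 -> 32-bit unsigned integer; null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n >>> 0;
}

// True when ip falls inside cidr, e.g. inCidr("192.168.192.11", "192.168.192.0/24").
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(base);
  if (a === null || b === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Node.js reports IPv4 peers on a dual-stack socket as "::ffff:a.b.c.d".
function normalise(addr) {
  return typeof addr === "string" && addr.startsWith("::ffff:") ? addr.slice(7) : addr;
}

function isAllowed(addr, allowed = ALLOWED) {
  const ip = normalise(addr);
  return typeof ip === "string" && allowed.some((c) => inCidr(ip, c));
}

// In settings.js:  httpAdminMiddleware: adminAllowList,
// Uses the socket address, not X-Forwarded-For, so a client cannot spoof it
// (only trust forwarded headers if a reverse proxy you control sets them).
function adminAllowList(req, res, next) {
  if (isAllowed(req.socket.remoteAddress)) return next();
  res.status(403).send("Forbidden");
}
```

This only gates the editor/admin API; the same function can be set as httpNodeMiddleware to gate HTTP-in endpoints, and it is a second layer next to the Node-RED login, not a replacement for it.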
A free tier, well, several I have seen earlier have later removed the "free" part, but maybe those you mention are still free.
One that is free is having your own VPN server. I have had one for several years, running on an RPi, working fine. When I want to access my Node-REDs I simply connect with my OpenVPN client.
Drawback is that "simple setup" is not fulfilled; it is not simple, actually it is rather advanced, not for every user that is looking for a simple setup.
Another drawback could be that it gives you full access to your whole local network, not only selected devices. And it is important to have a strong password and to use 256-bit encryption wherever possible.