Node red to internet with 4G box and openvpn

Hello,
I want to access the Node-RED dashboard over the internet.
So I have installed an OpenVPN server on a VPS hosted by OVH. Node-RED is hosted on a Raspberry Pi connected to the internet with a 4G box (ref: Huawei Flybox), and obviously I have installed the OpenVPN client on the RPi.
My problem is: I can't access Node-RED through the VPN. I can access SSH or VNC with my phone connected to the VPN, but Node-RED is not accessible.

I tried to open the port with iptables on the RPi but no change.

So I need your help, and sorry for my bad English, I'm French :slight_smile:

Thank you in advance for your answer,

I'm not an expert, but I think you will have to open ports in your modem/router thingy.

Like port 1880. I think. That is the port Node-Red uses.

But more than that, I can't say.

1 Like

Not all VPS hosts allow vpn endpoints to be run - did you check your terms and conditions before doing this?

Also, you've put all the trust in a shared server running on a shared platform which isn't the most secure arrangement. I assume that you've done this so that you don't have to leave the 4G connection live all the time? If not, then why not simply run the VPS server on the Pi and simplify the whole thing (also making it probably more secure)?

2 Likes

Reading what you have written it appears

  1. OpenVPN server is installed in the cloud on a hosted platform
  2. OpenVPN client is accessing this VPN from a RPi (over 4G) - your Node-RED instance is running on this same RPi?

If this is so then it appears to be a little backwards

Usually you would access an OpenVPN server (through whatever method) and that OpenVPN server would have a series of subnets/addresses that it made available to access (which is usually pushed out to the OpenVPN client, dependent on exact configuration)

So it would make more sense to have the OpenVPN Server running on your RPi and use a Dynamic DNS service to be able to access it as the IP address changes (due to the 4G connection)

Craig

1 Like

I can't use a VPN server on the RPi because I can't open a port on my 4G router; this is why I use an external VPN.

I just want to access my Node-RED dashboard from everywhere and the VPN seems to be the best way. The VPN works well because I can use SSH and VNC, but Node-RED is very slow to load or impossible to reach.

Security is not a problem for now.

I can't install an OpenVPN server on my RPi because it is not possible to open a port on my 4G box; this is why I use an external VPN. The VPN seems to work fine because I can connect to the RPi with SSH or VNC through the VPN.

If I connect my phone to the VPN and scan the ports on the IP address of my RPi, I can see 2 ports open: 22 for SSH and 5900 for VNC. I tried to open port 1880 on the RPi with iptables but no change.

Well, if you want to access your Rpi from behind your router you will have to open a port somewhere for it.

Yes, I know, this is why I use an external VPN: because I can't open a port on my 4G box. Normally, I do not have to open a port on my router in this case.

Right, so what you actually want to do is to set up a site-to-site VPN rather than just the client on the RPi

You would install OpenVPN server on the RPI and have it establish a VPN to the other server on the Hosted system, then you could expose whatever you wished from your RPi and by accessing the hosted OpenVPN from your phone be able to tunnel through that VPN to the RPi

Craig

You can also get around most of the blocking issues by changing the default port for OpenVPN to port 443 (i.e. SSL)

Craig

1 Like

Not working :confused:

I think you are confused about what a VPN will do. If you want to use a VPN to access Node-RED without opening your Pi to the internet then the VPN needs to be running on the same local network as the Pi. VPNs in the cloud fulfill a different function.

I have installed Node-RED on my Pi connected to my 4G box, and I have installed OpenVPN on my private VPS in the cloud. I connect the Pi to the VPN (it works), and I have connected my phone to the VPN (it works). So with the VPN I have created a private network. I can connect my Pi and my phone with SSH or VNC. So I have connected my Pi with my phone through the internet as if I had connected my Pi and my phone on the same private network, so why is Node-RED unreachable?

Ok, I misunderstood.
On the local network on a machine other than the pi can you access node-red?

[Edit] and what happens when you try to access node-red from your phone? What url are you using in the browser?

Incidentally, this is exactly what tools like NGROK are designed to make easier.

Create an NGROK account and install the client on the Pi. Then use the following command:

./ngrok http https://localhost:1880 -bind-tls=true -auth="uid:somepassword" -inspect=false

Change the url if you don't have local TLS set up & remove the -inspect=false if you want the ngrok inspector web app. If you want to, you can also restrict the intermediary website to be in a specific region, e.g. add -region eu to the command.

This creates an HTTPS only channel which is password protected.

This works fine with Node-RED though some corporate networks block access to ngrok. This is a lot more secure than your current setup and likely to work better. It is also possible to use ngrok to proxy SSH, you could then use SSH tunnels in case you want access to other local web services like Grafana, MQTT and InfluxDB for example.

Of course, SSH tunnels will also work on your vpn since you can connect that way.

2 Likes

Yes, I can access Node-RED on the local network with the IP address given by the 4G box (e.g. 192.168.1.102).

When I try to access Node-RED I get a blank page. But if I connect my phone to the 4G box and also connect it to the VPN, I can access Node-RED with the IP address given by the VPN (e.g. 10.8.0.5:1880). If my phone is not connected to the same real network, it does not work for Node-RED, but SSH and VNC work.

One thing to check is that websockets are not being blocked.

My setup at work has Node-Red hosted at a Cloud server, but we have a dedicated VPN connection between us and the IaaS provider so that it looks like the Node-Red server is just on a different subnet in the WAN. The VPN connection was going through a firewall and websockets were being blocked by the firewall. There was another post on this board about someone hosting Node-Red behind a reverse-proxy and in that case the reverse-proxy was blocking Node-Red from using Websockets. In both cases the Websockets traffic was being dropped rather than rejected and it would take a long time for Node-Red to load as it had to wait on the websocket to time out before it would fall back to using a plain http connection.

Does that apply to the editor and dashboard urls? When you say a blank page do you mean absolutely blank? Is there anything visible at all. If websockets are not getting through the VPN then I think you will get something.

How can I know if the websockets are blocked? A few times I was able to load Node-RED but it took very long.

That might be websockets being dropped. We were seeing Firefox and Chrome behave differently: Firefox would eventually load (after a minute & a half), but Chrome would only sometimes work (second or third try).

To check if it is a Websocket issue, fire up the network tools in your favorite browser, look for the traffic to the "/comms" location and see if it's working.

Here's what it looks like working correctly in Firefox:

1 Like
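
The "/comms" check described above can also be run without a browser. The script below is an added example, not code from any of the posts: it attempts the WebSocket handshake against port 1880 and reports whether the upgrade succeeded, was refused, or was silently dropped. The function names are hypothetical, and the default host is the example VPN address quoted in the thread.

```python
import base64, hashlib, os, socket, sys

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455

def expected_accept(key):
    """Sec-WebSocket-Accept a genuine WebSocket endpoint must return for this key."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()

def classify(raw, key):
    """Classify the raw reply to an upgrade request."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[0].startswith("HTTP/"):
        return "not-http"
    headers = dict((k.strip().lower(), v.strip())
                   for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l))
    if status[1] != "101":
        return "refused-http-" + status[1]  # something answered but did not upgrade
    if headers.get("sec-websocket-accept") != expected_accept(key):
        return "bad-accept"  # 101 from a device that is not speaking WebSocket
    return "upgraded"

def probe(host, port=1880, path="/comms", timeout=5.0):
    """Attempt the WebSocket handshake and report how it ended."""
    key = base64.b64encode(os.urandom(16)).decode()
    req = ("GET %s HTTP/1.1\r\nHost: %s:%d\r\nUpgrade: websocket\r\n"
           "Connection: Upgrade\r\nSec-WebSocket-Key: %s\r\n"
           "Sec-WebSocket-Version: 13\r\n\r\n" % (path, host, port, key))
    raw = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req.encode())
            while b"\r\n\r\n" not in raw:
                chunk = s.recv(4096)
                if not chunk:
                    break
                raw += chunk
    except socket.timeout:
        return "timeout"  # dropped silently: matches the slow-load symptom
    except ConnectionRefusedError:
        return "tcp-refused"  # rejected outright, fails fast
    except OSError as exc:
        return "error-" + type(exc).__name__
    return classify(raw, key) if raw else "closed-without-reply"

if __name__ == "__main__":
    # Constructed default: 10.8.0.5 is the example VPN address quoted in the thread.
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "10.8.0.5"))
```

A result of "timeout" points to traffic being dropped on the path, while "upgraded" means the WebSocket handshake gets through the VPN and the cause lies elsewhere.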