Remote Access for my dashboard

Hi everybody, and thanks for your attention.
I'm new to Node-RED, and I have a "little" question for you.

I've made a temperature reader with my raspi and a DHT22, and I've made a dashboard with a gauge to read the temperature in my room.
Now, I am reading the value over the internet through my router, "natting" port 1880. Previously I set up a DDNS service to convert my public IP to a DNS.
I've read this page on GitHub: https://github.com/node-red/cookbook.nodered.org/wiki/How-to-safely-expose-Node-RED-to-the-Internet and some other stuff on this forum, and I've understood that I need one of these things:

  1. Cloud
  2. VPN pi to Host
  3. TeamViewer or VNC
  4. Something like webhookrelay

What is the best, secure and free, service to start studying?
I am afraid to publish my raspi on the internet.

Thank you very much for the attention and for the help.
Your Stefano
Rome (ITALIA)

There is no 'best' answer.
I use a home built vpn which can run in the node-red pi or in another pi. That gives me reasonably secure access to my network from anywhere. If you want to try that I wrote up how to do it.
http://blog.clanlaw.org.uk/pi-vpn-server.html

Thank you Colin, I know there is no best answer ... but I have to start somewhere ...
Now I'm going to study what you have posted, thank you again for your help.

Your Stefano
Rome (ITALIA)

@Colin Did you miss my two messages about your VPN writeup?

@zenofmud Apparently I did miss your messages. Where?

Private messages

No I did not notice those, I did not get a notification. I will reply there.

[Edit], in fact that is rather embarrassing, I see I have a number of messages that I had not noticed. Presumably somehow I can get a notification when they come in.

Hi Colin, I've read your website and I'm moving on to study VPN on Raspberry (OpenVPN) ... it isn't simple for me I think but anyway ... I will try... thank you.

Your Stefano
Rome(ITALIA)

Good evening, I was wondering whether the shortest way, for now, is to get an SSL certificate for my DDNS service.
In practice I would have to generate a CSR from the raspberry in order to provide it to those who provide me with the SSL certificate.
At that point I would have an https connection.
What do you think?

Thanks

You can use Let's Encrypt if you need a cert as long as you have a domain on a DNS that you can control.

http://www.pivpn.io/

Unfortunately it seems pivpn is no longer maintained

Oh, that is sad. It worked very well for me. I'm off to study your guide then Colin :)

I'm using an NGINX reverse proxy with SSL on a second Pi. It handles authentication and encryption for all servers in the home network I would like to expose to the outside.
\paul

Thank you Paul, but why don't you use only one rasp with nginx installed, for security?

S.

Local security will be improved only if the 2 pi's use different user ids and passwords (which would prevent someone/thing that has successfully broken into the Pi running NGINX from working sideways to the other Pi).

However, it may well be that he has done it simply to spread the resource load over the 2 devices.

In fact it was what I supposed ...
Thank you
S.

My go-to option at the moment is to use Zerotier, installed on both devices and linked to the same private network space, to make a RPi remotely accessible.

If you want to go the VPN route: check your home router, it might have VPN capabilities built-in. If you're the only one who's going to use this, you could use static-key encryption (doesn't require a certificate), which you can get up and running in minutes: https://openvpn.net/community-resources/static-key-mini-howto/

PiVPN is based on OpenVPN, which is definitely still maintained and isn't terribly difficult to get running.

If you don't want to do VPN, I'd do this:

  1. Pick a random high number port for your router to forward to port 1880 on your Pi
  2. Get an SSL cert either from Let's Encrypt (can be a pain) or just make a self-signed one using a tool like mkcert (you'll get security errors in some browsers, but it's still secure)
  3. Enable https by filling out that section in settings.js
  4. Also enable adminAuth, httpNodeAuth, and httpStaticAuth security measures in settings.js

https://nodered.org/docs/security

HTH
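
An added example, not part of the post above and not Node-RED's own code: a small Node.js check that audits a settings.js-style object for the `https`, `adminAuth`, `httpNodeAuth` and `httpStaticAuth` measures from steps 3 and 4. The function name, user names, key/cert placeholders and the hash are constructed for illustration.

```javascript
// Added example: audit a Node-RED settings object (the object exported by
// settings.js) for the measures in steps 3 and 4. Sample values are constructed.

// Node-RED expects the passwords in these auth settings to be bcrypt hashes.
const BCRYPT = /^\$2[aby]\$\d{2}\$[.\/A-Za-z0-9]{53}$/;

function auditSettings(settings) {
  const findings = [];

  // Step 3: https is an object holding key and cert, or a function returning one.
  const tls = settings.https;
  if (typeof tls !== "function" && !(tls && tls.key && tls.cert)) {
    findings.push("https: no key/cert, logins and data cross the internet in clear text");
  }

  // Step 4: adminAuth protects the editor and the admin API.
  const admin = settings.adminAuth;
  if (!admin) {
    findings.push("adminAuth: editor is open to anyone who reaches the forwarded port");
  } else if (admin.type === "credentials" && Array.isArray(admin.users)) {
    for (const u of admin.users) {
      if (!BCRYPT.test(u.password || "")) {
        findings.push(`adminAuth: password for "${u.username}" is not a bcrypt hash`);
      }
    }
  }

  // Step 4: httpNodeAuth covers HTTP In routes and the dashboard,
  // httpStaticAuth covers static content. Both take { user, pass }.
  for (const key of ["httpNodeAuth", "httpStaticAuth"]) {
    const auth = settings[key];
    if (!auth) findings.push(`${key}: not set`);
    else if (!auth.user || !BCRYPT.test(auth.pass || "")) {
      findings.push(`${key}: needs a user and a bcrypt-hashed pass`);
    }
  }
  return findings;
}

const HASH = "$2b$08$" + "x".repeat(53); // constructed placeholder, not a real hash
const asInstalled = { uiPort: 1880 };    // none of the four settings enabled
const hardened = {
  uiPort: 1880,
  https: { key: "<privkey.pem contents>", cert: "<cert.pem contents>" },
  adminAuth: { type: "credentials", users: [{ username: "admin", password: HASH, permissions: "*" }] },
  httpNodeAuth: { user: "viewer", pass: HASH },
  httpStaticAuth: { user: "viewer", pass: HASH },
};
console.log(auditSettings(asInstalled), auditSettings(hardened));
```

An empty result for the hardened object means all four settings are present and no password is stored in plain text; it says nothing about the strength of the passwords behind the hashes.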

Not really a pain any more.