Tutorial - Secure your home automation with Tailscale

Hi folks,

Some time ago lots of Node-RED home automation systems have been hacked. There were a number of good initiatives in the community to help people to improve their security. But it were all bits and pieces, but I didn't find a tutorial with a full solution.

I needed a lot of things:

  • Limit unauthorized clients to access my flow editor and dashboard.
  • Access Node-RED when not being at home, but without port forwarding on my modem/router.
  • Https connections with LetsEncrypt certificates all over the place, even withint my LAN. Because that solves a lot of issues with modern browsers.
  • Public tunnels that allow me to access Node-RED from external systems (e.g. for speach commands from my Google home devices).
  • And so on...

So I started reading about how I could secure my system, without loosing any features. I came across very nice solutions, but there was always something missing. Or perhaps my brain was too small to understand how I could do it.

Finally I came across Tailscale which has (nearly) everything I needed. Must be me, but I found it very hard to translate their well-written documentation into a working setup. So I started writing my own tutorial, in order to help others doing the same. Here it finally is :partying_face: :champagne: :clinking_glasses:

Tailscale for Node-RED tutorial

I have to admit that I completely underestimated writing such a tutorial! Took me an awfull large part of my free time, so I hope it is a bit understandable for a major part of our community. Although I tried to visualize evertything using pictures, I can imagine that it will still be difficult for a lot of people to understand it. But yes, security is not an easy task unfortunately...

All kind of contributions are welcome, e.g. via pull requests. It is not about code, only plain text.
So everybody reading this now, will be able to contribute :yum:

And please keep in mind that I am not a security expert, and that I have not enough free time to answer all questions and solve all problems...

Hope you find it useful,
Bart

12 Likes

Hi Bart,
Excellent write-up. I'll have to try installing TailScale on my home set-up.

One thing I did notice in your section on Port-Forwarding was this heading...


Did you mean that, or should it be Risks of port forwarding ??

1 Like

Hi David,
Thanks for joining!

I assume that is a rhetorical question, because the answer is obviously "No"...

I am pretty sure that there will be MUCH more other typos or bad english syntax stuff in my texts. After 20 times of rewriting it in Word (with language checks) I gave up, and the remaining 1000 times of rewriting it was directly in Github. I have an overdose over writing texts now, so I am going back to my node developments...

Don't forget I am dutch speaking, but I try to write everything in English so you guys can sit back and relax in your native English chair :yum:

I have created a contributing guide so that people can start contributing.

If anybody wants to run all my texts through a spelling check and do a pull request, please be my guest!

There are also some issues for which I need help. Again everybody is welcome to assist me with those...

1 Like

Bedankt Bart, we houden van je

4 Likes

4 posts were split to a new topic: How to set up VSCode for developing Node-RED Nodes?

Moved for you Bart. :slight_smile:

Thanks Bart.
I think perhaps I'll follow your advice and switch from ZeroTier to Tailscale

If only everyone was so helpful life would be so much simpler (for us English)! :rofl:

FWIW I did once learn one sentence of Dutch. It may not be relevant in this context but it's the best I can do:
Er zit een snoek in de rivier :fish:

1 Like

My new website now has a remote service access article that will (eventually) cover the main different cloud and on-prem services.

Still mostly a stub article right now and the website look is still a bit odd as I'm actively developing it. However, thanks to Cloudflare Pages, it is in its live location and is available.

Will add ZeroTier to it as well as provide a link to Bart's article shortly.

1 Like

Hey @jbudd,
I still love the simplicity of Zerotier. But it had too few features for me. First I tried to combine it with other technologies like Ngrok. But then I (slowly) discovered that Tailscale offered most stuff out of the box, so I finally removed Zerotier.

Tailscale is in between Zerotier and Cloudflare, both in complexity and features.

Not clear to me at the moment if you learned that sentence at the time being to impress the Dutch speaking ladies? If so, I assume you are still a bachelor at the moment :rofl:

1 Like

Perhaps you are on to something.

It is true that I have married very few Dutch women. :thinking:

2 Likes

In case anybody would be experimenting with this already: I have added some extra comments to the tutorial (see overview here), based on feedback I get yesterday from our security expert @TotallyInformation. Note that it is mostly about extra security on top of Tailscale, in case your tailnet might be compromised by hackers.

It is difficult to determine to which level you want to secure your home automation. The hacker attacks from last year learned us that securtiy is very important. But of course the whole setup needs to stay a bit user friendly for the entire familly. So I have decided to describe a (hopefully) user friendly setup, but I have added comments all over the place about enhancing your security to the next level.

That way users are aware of the risks and can decide themselves how far to go, based on their paranoia level :yum:

3 Likes

Have you tried twingate ?

No that one has never appeared in any of my search result. Hopefully it isn't better compared to Tailscale, because my time is up :wink:. Back to my nodes now...

Will add to my comparison page.

1 Like

Done. The updated page now has a fair bit of extra info now. Far from complete but hopefully useful for people trying to decide what to do .

Please let me know if you want me to link to any useful articles for any of the entries.

At least it is simple to setup :wink:

and there is also holesail which is also very simple but still in its infancy, but it is done from another angle via P2P/DHT, bittorrent protocol.

1 Like

Looks interesting, I'll add it.

For those looking at this stuff, Cloudflare Zero Trust uses its WARP clients to interconnect servers, works on the desktop too. The cloudflared app (AKA Cloudflare Tunnel) is used to connect servers to CF's web front-ends. That gives you web-based access to SSH and VNC as well if you want it.

Each of these tools have different strengths and weaknesses.

I've read through the guide, but definitely need to do so again!
It will probably make things easier to understand following the guide and actually installing it on a system.

but could I ask a couple of quick questions pls...

How would this work with;

  • A MQTT server/client communicating with devices outside of the private network?
  • node-red-node-dropbox (same as Google Smarthome as described in your guide?)

Thanks for your time & effort writing this.

If you see some sentences that only become clear after a few times reading, please don't hesitate to rephrase them if you know an easier way to explain it. The last thing I want to achieve is confusing or overwhelming people...

It is already some time ago that I was digging through the dropbox node codebase. But when looking at the readme page again, I "think" you don't need to do anything special? It is the dropbox node which requests a new token based on its refresh token. So Dropbox doesn't need to get access?

I would say at first sight that you need to do the same as for the googlehome node? So that you make the (unencrypted) port 1883 of your broker available via a public tunnel?

That should be correct, the node should be reaching out not requiring Dropbox to drill through your firewall.

This is where security could get murky. I'm not certain about the interface between the private Tailscale network and the Internet. But as long as anything running inside the Tailscale network can reach the network that the broker is running on, you should be OK.

Just remember that you are starting to bridge a more secure network with a less secure one so you need to think about the consequences just as you do when connecting Node-RED on your internal server to an Internet broker.

Yes but in my tutorial Node-RED is only accessible from within the tailnet. Only the smarthome node is accessible public via a funnel. But via the funnel you cannot access anything else.