FreeMan Posted December 3, 2017

7 hours ago, steve1977 said: if still “just” VPN, can you advise how this works?

Not picking on just steve1977, but as a note to all who are asking for in-app external access:

With all respect to jbrodriguez and all the great work he's done on this app and the various plugins and dockers he's worked on, security isn't "just". It's hard work to get it right, and as he mentioned several pages back, if something goes wrong he'd feel responsibility for it, and some might try to (legally) make him responsible for it.

VPN access may be somewhat more complex and more of a hassle, but the OpenVPN project has a large(ish) team of people who know what they're doing and focus primarily on the security side of things so applications like this one don't have to. Remember - they have a commercial product that, according to their site, is used by a large number of paying customers - they have a lot on the line to get it right.

I've not set up the OpenVPN docker on my server yet, but that's my next project, and I, for one, will be more than happy with the minor hassle of having to go through a VPN client to keep my server secure. Once I've got it set up and working, I'm going to ensure I can get access to all my other dockers via VPN, then turn off their external access, too.

itimpi Posted December 3, 2017

I have the OpenVPN-AS docker installed on my unRAID server and my iPad set up with the OpenVPN client configured with a connection profile to the unRAID server. If I want to use ControlR away from home I simply start the OpenVPN client on my iPad (which only takes a few seconds) to open the VPN connection to my unRAID server, and then launch ControlR which now functions exactly as it does when my iPad is connected to my local LAN.

Edited December 4, 2017 by itimpi

steve1977 Posted December 4, 2017

9 hours ago, FreeMan said: Not picking on just steve1977, but as a note to all who are asking for in-app external access:

I don't perceive this at all as picking on me. Actually, I need to say that community members of this forum in general are among the most polite and helpful compared to all other forums I am engaging in. Part of the reason that gets me interested to pursue more and more new Unraid-related projects.

jbrodriguez (Author) Posted December 4, 2017

On 12/2/2017 at 10:18 PM, FreeMan said: If I type in the IP address in the manual server add (with all the other info), it will add it immediately, no issues. If I enter the server name, though, I get an error telling me to "Please enter a valid IP address / Hostname"

Should work with a hostname. Can you send me the server's hostname to check why it's hitting the error? (pm if you prefer)

On 12/2/2017 at 10:18 PM, FreeMan said: I've been very impressed with the speed with which you've tracked down & patched bugs and released new features. Not bad at all for a solo effort!

Thanks for the kind words!

20 hours ago, steve1977 said: Just browsed this thread and realized that a native implementation within the app is the most requested new feature. Is there still hope for native support?

steve1977, I'm still on the don't do it side of things. Getting this feature right is sensitive and Freeman's post (below), provides a quite accurate summary of the reasons.

I think some users may be connecting externally via a reverse proxy, in a way similar to this but the helper plugin would still be inaccessible from the app.

So, my official suggestion is still to use OpenVPN or similar. OpenVPN setup is not the most difficult thing you can find and operation is quite straightforward (as mentioned by itimpi)

FreeMan Posted December 4, 2017

jbrodriguez said: Should work with a hostname. Can you send me the server's hostname to check why it's hitting the error? (pm if you prefer)

Server name is "NAS". I was quite creative in my naming...

I can send logs if you need those, too.

jbrodriguez (Author) Posted December 5, 2017

22 hours ago, FreeMan said: Server name is "NAS". I was quite creative in my naming...

I see

Well, it turns out I was half lying: when the app asks for a hostname, what it really wants is a fully qualified domain name (FQDN)

That's why "NAS" is being flagged as an error.

I guess I'll just remove validations from this field, since it can be almost anything.

I forgot to address the issue you mentioned with automatic discovery.

It shouldn't return to the Servers screen so fast, I'll do some checks and get back to you.

Edited December 5, 2017 by jbrodriguez

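
An added example, not ControlR's code: between the FQDN-only check that rejects "NAS" and removing validation altogether, a third option is to check label syntax (RFC 1123) and accept single-label LAN names as well as IPv4 addresses. The function names are hypothetical and IPv6 is not handled.

```javascript
// Added example: classify the value typed into a "server address" field.
// RFC 1123 label: 1-63 chars, letters/digits/hyphen, no leading or
// trailing hyphen. A whole name is at most 253 characters.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;

function parseIPv4(value) {
  const parts = value.split(".");
  if (parts.length !== 4) return false;
  // Each octet: decimal, no leading zeros, 0..255.
  return parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

function classifyHost(input) {
  let value = String(input).trim();
  if (value.endsWith(".")) value = value.slice(0, -1); // rooted form "nas.lan."
  if (value.length === 0 || value.length > 253) return "invalid";
  if (parseIPv4(value)) return "ipv4";

  const labels = value.split(".");
  if (!labels.every((l) => LABEL.test(l))) return "invalid";
  // An all-numeric last label is a malformed address such as
  // "192.168.1.999", not a name.
  if (/^\d+$/.test(labels[labels.length - 1])) return "invalid";

  return labels.length === 1 ? "hostname" : "fqdn";
}

// The behaviour described in the thread: only dotted names pass.
function fqdnOnly(input) {
  return classifyHost(input) === "fqdn";
}

// Alternative: keep validation, but allow single-label LAN names and IPv4.
function acceptsLanNames(input) {
  return classifyHost(input) !== "invalid";
}

// Constructed sample inputs.
for (const s of ["NAS", "nas.example.lan", "192.168.1.10", "192.168.1.999", "-nas"]) {
  console.log(s, "->", classifyHost(s), "| fqdnOnly:", fqdnOnly(s));
}
```
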
FreeMan Posted December 5, 2017

jbrodriguez said: I see. Well, it turns out I was half lying: when the app asks for a hostname, what it really wants is a fully qualified domain name (FQDN). That's why "NAS" is being flagged as an error. I guess I'll just remove validations from this field, since it can be almost anything. I forgot to address the issue you mentioned with automatic discovery. It shouldn't return to the Servers screen so fast, I'll do some checks and get back to you.

Yeah, since the server isn't reachable from the outside world, it really doesn't have an FQDN...

Thanks for looking into the automatic discovery, too. Let me know if there's any additional info you need from my end.

phoanglong Posted December 8, 2017

I found the best method, currently implemented on my system, is to open either UDP port 7 or 9 just for the WOL package to arrive at our server (even if you don't have a static public IP, you can always use a dynamic free-ish service like no-ip, changeip etc...)

Then after you have woken your UnRaid, OpenVPN-AS to your server and voilà, full control of the whole system

jbrodriguez (Author) Posted December 8, 2017

Nice phoanglong!

Thanks for taking the time to share your solution.

NewDisplayName Posted December 9, 2017

Before I buy, do I need to port forward to get this working? (and if so, which?) Or does it only work in LAN?

Edited December 9, 2017 by nuhll

NewDisplayName Posted December 9, 2017

That's very very sad, why should I need this APP in my LAN when I'm at home... Oo

And no, VPN is no option for me.

They should really think about a Docker -> Contr Server -> Client model, you don't need to expose anything and if Contr Server is correct Security, no risk at all.

wgstarks Posted December 9, 2017

4 minutes ago, nuhll said: That's very very sad, why should I need this APP in my LAN when I'm at home... Oo And no, VPN is no option for me. They should really think about a Docker -> Contr Server -> Client model, you don't need to expose anything and if Contr Server is correct Security, no risk at all.

You mean something like the OpenVPN-AS docker?

Edited December 9, 2017 by wgstarks

NewDisplayName Posted December 9, 2017

No, I mean something like some cameras do. Sometimes they call it p2p network.

It's just the unraid server (with contr docker) connecting to the server of the contr app, and the client (contr app handy) connects to the contr app server also, so you don't need to port forward. Like teamviewer does.

No port forwarding, no exposing, clean and simple user and pw (maybe add cert or whatever to make it more proof)

Edited December 9, 2017 by nuhll

wgstarks Posted December 9, 2017

I’m not familiar with contr docker for p2p VPN, but OpenVPN has a very good reputation security-wise and is pretty easy to set up since that docker has already been adapted for unRAID. You may be able to install contr as well using CA though.

FreeMan Posted December 10, 2017

3 hours ago, nuhll said: No, I mean something like some cameras do. Sometimes they call it p2p network. It's just the unraid server (with contr docker) connecting to the server of the contr app, and the client (contr app handy) connects to the contr app server also, so you don't need to port forward. Like teamviewer does. No port forwarding, no exposing, clean and simple user and pw (maybe add cert or whatever to make it more proof)

"something like some cameras do" - you mean like "Internet of things" cameras? You mean like the ones that were hacked within minutes giving bad guys immediate and complete access to people's home networks and every machine on them? No thanks!

Teamviewer is similar in concept to OpenVPN-AS as wgstarks mentioned. Both of those systems have large teams of people who do security for a living. As I've mentioned before (in this thread) jbrodriguez does a great job, but do you want to rely on him and only him to ensure the security of your home network? (BTW - he's said he's really not interested in adding this type of direct access via his app/plug-in combo.)

Install the OpenVPN-AS server on your unRAID box - it'll take you less than an hour to configure it, even if you struggle (look for my questions in the lsio thread to avoid the same pitfalls I hit). Install the OVPN client on your phone or tablet, then connect & voila, your device is on your home network & ControlR will work like a champ no matter where in the world you are with the minimum amount of risk to your server & other home computers.

NewDisplayName Posted December 10, 2017

"You mean like the ones that were hacked within minutes giving bad guys immediate and complete access to people's home networks and every machine on them? No thanks!"

If he wants to fugg it up. Or let's say, if someone hacks him, it doesn't matter what he has done or not, the hacker could itself just install a backdoor, so WAYNE!

ALSO what you are talking about are CAMERAS or INTERNET OF THINGS WHICH ARE EXPOSED TO THE INTERNET, SO EXACTLY WHAT WE HAVE TO DO NOW TO GET IT WORKING (INSTALL VPN).

Where the fugg do I live that I install OpenVPN JUST for one smartphone app? I don't need VPN connections in my network! Another security flaw! Welcome to 2018!

NewDisplayName Posted December 10, 2017

56 minutes ago, nuhll said: "You mean like the ones that were hacked within minutes giving bad guys immediate and complete access to people's home networks and every machine on them? No thanks!" If he wants to fugg it up. Or let's say, if someone hacks him, it doesn't matter what he has done or not, the hacker could itself just install a backdoor, which gets automatically distributed between all users, so WAYNE! ALSO what you are talking about are CAMERAS or INTERNET OF THINGS WHICH ARE EXPOSED TO THE INTERNET, SO EXACTLY WHAT WE HAVE TO DO NOW TO GET IT WORKING (INSTALL VPN). Where the fugg do I live that I install OpenVPN JUST for one smartphone app? I don't need VPN connections in my network! Another security flaw! Welcome to 2018!

Edited December 10, 2017 by nuhll

itimpi Posted December 10, 2017

13 hours ago, nuhll said: That's very very sad, why should I need this APP in my LAN when I'm at home... Oo And no, VPN is no option for me. They should really think about a Docker -> Contr Server -> Client model, you don't need to expose anything and if Contr Server is correct Security, no risk at all.

This solution would require the ControlR author to be providing a server which the current solution does not (unless I have misunderstood what you are asking for). If a server is required how do you know it is secure? The moment you let ANYTHING from the internet into your LAN there is a potential security risk, but I think OpenVPN is one of the lowest risk options, particularly if you set it up to require a certificate to use it at the client end.

Edited December 10, 2017 by itimpi

NewDisplayName Posted December 10, 2017

Yes, he needs a server. But you don't understand, you don't let the server connect to your LAN, it's the LAN that connects to the server.

VPN provides access to your WHOLE NETWORK. My solution would only allow access to the unraid interface.

Also what's more likely to happen? Someone hacks VPN (18923798127398127312749812931893891 mrd user) or someone hacks an app which has <1000 users?

Also the server side part could be secured pretty easily, like with certificate, https, encryption, whatever.

Edited December 10, 2017 by nuhll

itimpi Posted December 10, 2017

2 minutes ago, nuhll said: Yes, he needs a server. But you don't understand, you don't let the server connect to your LAN, it's the LAN that connects to the server. VPN provides access to your WHOLE NETWORK. My solution would only allow access to the unraid interface. Also what's more likely to happen? Someone hacks VPN (18923798127398127312749812931893891 mrd user) or someone hacks an app which has <1000 users? Also the server side part could be secured pretty easily, like with certificate, https, encryption, whatever.

I DO understand! You want someone to pay for and run a server which is currently not required for the current implementation. Securing a server is a non-trivial task, so I would not be confident in such a server really being secure. If anyone cracked it and got access to the unRAID GUI it is a relatively trivial task to use that to access anything on the LAN.

VPN is easily secured using encryption and certificates so why is this much different to securing an (unneeded) server? I agree that VPN is a more tempting target to try because of its large user base, but another way of looking at that is that it is less likely to have flaws in the first place, and if there are any found there is great incentive to get them patched ASAP.

NewDisplayName Posted December 10, 2017

A simple VPS costs 1€ a month. Just make a subscription for 1€/mon and you're good to go.

Oh you want to open your door to enter your home? Just install a teleporter so you can transfer your home around you.

Edited December 10, 2017 by nuhll

trurl Posted December 10, 2017

Maybe nuhll could provide this functionality for us for free.

lordbob75 Posted December 10, 2017

5 hours ago, nuhll said: Yes, he needs a server. But you don't understand, you don't let the server connect to your LAN, it's the LAN that connects to the server. VPN provides access to your WHOLE NETWORK. My solution would only allow access to the unraid interface. Also what's more likely to happen? Someone hacks VPN (18923798127398127312749812931893891 mrd user) or someone hacks an app which has <1000 users? Also the server side part could be secured pretty easily, like with certificate, https, encryption, whatever.

You realize it's way more likely they would try to hack the server/app than your VPN, right?

Why can't you set up a VPN? That is the correct way to use this app remotely. If you have to have the webgui accessible remotely but refuse a VPN then your only real option is opening the GUI to the internet.

@jbrodriguez, great app, I love it. Don't need to use it too often but it's easier to use than the webgui on my cellphone.

NewDisplayName Posted December 10, 2017

3 hours ago, trurl said: Maybe nuhll could provide this functionality for us for free.

Yes, ofc, I BUY a software and develop a free addon for it.

"You realize it's way more likely they would try to hack the server/app than your VPN, right?"

That's just wrong. Why should anyone invest so much time and effort to hack this app to turn your array off...... SSH is also widely used and was hacked several times already.

Why don't I want VPN? BECAUSE I DON'T NEED IT...

But: I don't care, do what you want, in this state, this app is useless for me. It's a suggestion, which many ppl would like, if you don't want to use it, make it configurable, it's that easy.

Edited December 10, 2017 by nuhll