A Guide To Safe Remote Access of OctoPrint


#21

And does this require an Internet firewall which allows a certain sort of traffic (without configuration)? I know that my Netgear router doesn't pass-through VPN traffic, for example. Or was it necessary to configure something like a port forward on the router?


#22

All you need to to allow is ssh through the firewall. So if you already have ssh enable you don't need to do add anything else. It will be handled directly via putty and ssh. When you configure putty you will configure the putty session with the destination port and ip adress for the local port. So say you configure local port 8080.

It looks like this in putty under ssh/tunnels L8080 192.168.100.149:80

Which means when you connect to local 127.0.0.1:8080 Putty will then forward that via the ssh connection that is actively connected to your home server to ip 192.168.100.149 port 80. The ip is the octoprint server on your local network at home. This all goes over ssh and is not in the clear. No DNS entries are needed as it is going from ip to ip directly over ssh via the connected ssh session already established.

Jim


#23

@Jimbrown719 I'll spend some time to add some graphics to all this so that people will better understand what's going on. I'm reading from here, btw.

  • This approach usually relies upon a known external (static) IP address so that the internal box ("my main home server") can initiate an outbound tunnel via ssh. People typically have a Linode or similar resource for this. (Many of the remote-my-PC softwares have your PC initiate a connection to their server, which then is the cloud-based connection point for the client side of their solution.)
  • Since 8080 is above 1024, less restrictions are given to it from the router's or the computer's standpoint.

To me, this sounds a little fishy. The safe solution involves your home computer initiating the session outbound. Anything where an inbound connection is initiated implies to me some sort of router-forwarding.

Let's say that I'm at Starbuck's and I want to connect to my own local server. If I try to simply ssh back to the private IP address of my local server, that won't route and fails. Any inbound attempt needs to know my router's public IP address. *

Reversing this, I note my Starbuck's-issued IP address and leave my laptop there. I go home and initiate an outbound connection to the laptop. Assuming that Starbuck's router is okay with this, I now have the tunnel active. I assume that I return to Starbuck's and can see my server at home.

* I could manually add a route on my laptop which directs traffic to that private IP address range at home to go through my router's public IP address, assuming that the router will forward it.


#24

You start off with a good document but you lost me at everything after you say my ssh connection sounds fishy?. You never have to have a route on your laptop at star bucks to the home server running sshd. Everything is statically setup within the tunnel no routes are needed. The port you setup never gets used outside of the laptop when you hit the port the tunnel is using it gets sent out the ssh connection on port 22. SO if someone was watching the traffic leaving your laptop all that would be seen is secure ssh traffic going out port 22.


#25

The referenced document appears to include an extra entity, a server in the cloud which assists in all this.

In your case, I'm not seeing the extra server with a public IP address. Perhaps I don't understand the layout of what you have.

I've been an I.T. Manager for a very long time, btw.

Here are the players which I see:

  • A) Your internal OctoPrint Web Server with a private IP address
  • B) Your internal main home server with a private IP address
  • C) Your Internet firewall
  • D) Your sometimes-external Windows laptop

D -> B over ssh ("I create an ssh session to my main home server"). The laptop then sees it's own http://localhost:8080/ as forwarded over to http://A-Internal-IP-Address:80/

Underlying all this is that your laptop needs to route packets from outside your home into your home. That's the part that has me scratching my head. In the linked version, that B entity is in the cloud and yours is there inside your private network. Perhaps I'm not following the nuances of your setup.


#26

I currently get "Possible external access detected" with 1.3.10rc2 even though I have no forwarding or anything else related to trying to get external access.
I also have another Octoprint printer running but it doesn't give this warning.
How exactly does Octoprint determine we are trying to expose externally? Just curious so I can check the instance to see if there really is something on my network exposing me.
BR,
Steve


#27

@SteveDC It checks on what IP subnets the server runs, then checks from what client IP you are coming, and if your client IP isn't from one of the private networks or one of the server's configured ones it triggers that warnings. See here. You can disable that check via config.yaml by setting server.ipCheck.enabled to false. You can also add additional trusted subnets via server.ipCheck.trustedSubnets (list of subnets in CIDR notation).


#28

I stumbled over this article and thought I'll give it a try... To be honest, some suggestions in it are really long shots.While offering some - in some cases, questionable - security, they limit the functionality greatly.

Let me step-by-step them:

  1. Polarcloud: these guys have ridiculous requirements. Seriously, when trying to signup (with a google account), they forcibly requested access to "See, edit, create, and delete all of your Google Drive files" etc. I tried to research why this is needed, but the explanation was basically "we need it because we need it". This is a bad start already - however, I wanted to give it a shot and created a fresh Google account for this... Disappointed by the interface. Yes, you can upload and start the jobs, but it is cumbersome and does not give you much control.

  2. Octoprint anywhere... The getanywhere page was down when I first read this article, so I returned later to it and signed up... The setup is easy, but the functionality is very limited. You can see the camera view and the temperature, and you can control some movement. That is. Did not even find a way to start a print job, let alone upload files etc.

  3. Discord and Telegram... I do use telegram for notifications, but chat-based plugins are also very limited in their functionality. So while easy to setup, they do not offer what I need (YMMV, obviously).

Also, with both PolarCloud and OctoPrint anywhere you trust the vendor with your machine. You have no control whatsoever about which commands are really sent to the machine, you have to take the vendors word for it. Of course, you also have to take the vendors' word for the security of their environment - a blackhat controlling their servers would be able to send commands to your machine, too.

With this said, "advanced access" is from my opinion the only way to go. VPN is a good way to go, as well as reverse proxy - both allow you full control over your OctoPrint instance in a more or less safe way.
Getting an extra RasPI to be the endpoint for VPN or to run the reverse proxy will not cost you a fortune anymore (and some home routers have this functionality already off shelf), and the setup is no rocket science anymore either.