Remote Access Howto

Here’s the situation. You installed this cool sprinkler controller. You used a DHCP reservation so it’s always at the same ip address. Now you can always access it – as long as you’re connected to your home network. What if you’re in Hawaii?


You’re sitting on the beach, sipping a nice drink from a coconut, and suddenly you realize that you just planted a new garden back home that really needs some extra watering. How do you control your sprinklers then?

What you need is the ability to remotely access your home network.

Before we go any further, realize that if you can access your home network from anywhere in the world, so can anyone else. So practice safe web and always have good passwords on anything accessible from the outside. And when I say that I don’t mean that you should use password as your password (or admin or 12345678). Use a good password, like horse trolley dog boot (although now you shouldn’t use that either!).

To do this you need two things. First, you need a way to get the IP address of your home network router. Most home networks these days use a dynamic IP address. Your ISP changes your address from time to time, similar to the way DHCP can change the IP addresses of its clients. So you need a dynamic DNS service to associate a domain name with an IP address. That way the address can always be found from the domain name.

There are many services that do this. Some are free (like NoIP), but they usually have pretty severe limitations. So I opted for a paid service. I chose DynDNS (which also has a free service) because they can automatically update the ip address associated with a domain name by communicating with a variety of routers, including an Airport Extreme, which is what I have.

Setup is simple, and well explained on the DynDNS site. You want their Remote Access service. For $25 a year they will give you a domain name, which looks like <your name>.dyndns.org, and will keep it updated with whatever your router’s current IP address is. When you sign up they will take you through the steps to set up your router, and then you can access your home network with a simple domain name from anywhere in the world. You can even bring your own domain name (which can often be bought for under $10 a year) and use that instead of one of theirs.

Ok, you can get to your router, now what? Well, most routers (hopefully yours) block all incoming traffic. That’s to keep the computers inside your network from becoming some hacker’s plaything. But your router can let you open certain ports and redirect that traffic to a certain machine on your network. For instance, if you want to log in using ssh, you would open port 22 and redirect it to whatever computer you want to log in to. As long as that machine has a strong password, you should be pretty safe from attack.

I wanted to access my Open Sprinkler PI server from anywhere in the world, so let’s use that as an example. By default, the OSPI server listens on port 8080, so that’s a reasonable port to open on the router. For an Airport Extreme, you open the Airport Utility app and do the following:

  1. Click on the picture of your router, press Edit and select the Network tab.
  2. Press the + button in the Port Settings: section.
  3. Make sure the Firewall Entry Type: is IPv4 Port Mapping and give your new setting a nice description.
  4. Set the Public and Private TCP Ports to 8080.
  5. Set the private IP Address to your OSPI’s ip address (configured as described here).
  6. Press Save and then Update.

When your router finishes booting up, you should be able to access that service from anywhere. For the above example try typing the URL in a web browser:

http://<your name>.dyndns.org:8080

and you should see your OSPI control panel.

As a final note, please be careful opening your network to the outside world. Hackers are relentless and will stop at nothing to compromise your system. So open ports carefully and protect any machines listening on those ports with strong passwords. The ssh port is an especially attractive attack vector. If you want to ssh to your computer, you can get a little extra safety by setting the Public TCP Port to some non-standard number (choose a number between 1024 and 65535) and only setting the Private TCP Port to 22. Most ssh clients let you specify a non-standard port, and that will make it harder for hackers to sniff out your ports and commence their attacks.
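One way to confirm that only the ports you mapped are reachable on your own router is a short script like the one below. It is an added example, not part of the original post; the hostname `yourname.dyndns.org`, the public ssh port 2222 and the candidate port list are assumptions you should replace with your own values.

```python
import socket

# Assumed list of ports worth checking on your own router, in addition to
# the ones you deliberately mapped. Adjust it to your own setup.
DEFAULT_CANDIDATES = (22, 23, 80, 443, 445, 548, 3389, 5900, 8080)


def is_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name not resolved
        return False


def audit_exposure(host, expected, candidates=DEFAULT_CANDIDATES, timeout=2.0):
    """Compare the ports that answer with the ports you meant to forward."""
    expected = set(expected)
    to_check = sorted(expected | set(candidates))
    reachable = {p for p in to_check if is_open(host, p, timeout)}
    return {
        # Answering but never mapped on purpose: remove the mapping.
        "unexpected_open": sorted(reachable - expected),
        # Mapped but not answering: mapping, DNS name or service is wrong.
        "expected_but_closed": sorted(expected - reachable),
    }


if __name__ == "__main__":
    # Placeholder hostname: use the dynamic DNS name of your own router.
    host = "yourname.dyndns.org"
    # 8080 is the OSPI mapping from the steps above; 2222 stands in for a
    # non-standard Public TCP Port forwarded to private port 22.
    report = audit_exposure(host, expected={8080, 2222})
    for finding, ports in report.items():
        print(f"{finding}: {ports if ports else 'none'}")
```

Run it from a connection outside your home network, such as a phone hotspot, so the result reflects what the rest of the internet sees.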

Have fun with your newfound worldwide power!