I’ve read numerous posts on here about remote viewing and controlling of your Brewpi. But being a newbie to all this, it’s all very foreign. Is there anyone out there that could explain it all to me and possibly give me step by step directions to getting it done? I’ve read it’s risky doing it as people could access my network and really wreak havoc on my pcs and brewpi. The more help the better in my case! Thanks!
OK. There are easy and there are safe ways to expose your brewpi to the internet.
The point of the exercise is to enable you to connect to the brewpi webserver from outside your home network. There are at least two possible solutions.
1. Port forwarding. The idea here is that port 80 on your brewpi will be available on port 80 (or another port) on the outside on your internet router. The risk here is that everyone on the internet will also be able to access your brewpi. There is serious risk that someone at some point will hack your brewpi and try to use it for something bad like making it part of a botnet.
2. Buy a router that has an included VPN (Virtual Private Network) server. A lot of new and not so old routers have this. Setting it up is not impossible. I would recommend openvpn if it is available.
For both 1 and 2 google “router name” and “vpn” or “port forwarding”.
You will also have to know the external ip address for your router. Lots of routers are able to add an internet “name” that always points to the current address. Again. Google “router name” and “dyndns” or “dynamic dns”.
If you have a box from your internet provider between your router and the internet it might be a bit more tricky. You need to set that unit to bridge-mode if possible. Or you could use port forwarding on this one and vpn on the next.
Sad to say, a step by step guide would require me to know names and models of all equipment and possibly some research. It is far from impossible but requires some insight into networking or some googling…
Oh boy. This sounds quite complicated. I’m not sure if I have any idea where to begin, or even if I should try this.
After saying that it might be difficult, what kind of internet router do you have?
It is one of those things that is quite easy when you know how…
Linksys e8400 and it is connected to my Internet provider’s modem
I found this site that seems a nice way into the setup:
Your router does not have an included vpn server. So you will have to opt for either exposing the web server on the brewpi or setting up a vpn server some other way. You could for instance set up a vpn server on your pi:
The router does support dyndns which will enable you to have a DNS address for your router.
Yeah, this is what I meant by I’m not sure I should try this. I believe I got everything set up on my Rpi from the link you sent, but that is as far as I could figure out to go. I’m pretty much stumped, confused, and lost again. I don’t know how to get it all together and working properly.
I think I messed up some stuff on my Rpi. I really shouldn’t mess with it. Before I tried the whole vpn thing, I was able to access my Rpi via my laptop via Putty, and VNC Viewer. Now, after the whole VPN thing, I can only access it via Putty. When I try to connect via VNC, it says, “The connection was refused by the computer”. How can I revert back to pre-VPN? What is the root cause of my issue?
Wow… Nevermind. I’m quite embarrassed… I forgot to add the :1 at the end of the IP address in VNC Viewer for the display number.
I got a bit scared reading your previous posts
OK. Next step is to determine which ports need exposing.
Short answer: TCP 443, TCP 943, UDP 1194
Long answer: By default OpenVPN Access Server has 2 OpenVPN daemons running. One of them on UDP port 1194 and another on TCP 443. We recommend that you use the UDP port because this functions better for an OpenVPN tunnel. However, many public locations block all sorts of ports except very common ones like http, https, ftp, pop3, and so on. Therefore we also have TCP 443 as an option. TCP port 443 is the default port for https:// (SSL) traffic and so this is usually allowed through at the user’s location.
TCP port 943 is the port where the web server interface is listening by default. You can either approach this directly using a URL like https://yourserverhostnamehere:943/ or by approaching it through the standard https:// port TCP 443, since the OpenVPN daemon will automatically internally route browser traffic to TCP 943 by default. (https://yourserverhostnamehere/).
Then how to do it:
You need to set a static IP address for your pi, then add this address and port in the list mentioned above. Then you can install OpenVPN clients on PCs, iPhones, etc. You need the pi to generate and/or export a client OpenVPN file. You import this on your clients. Then you should be able to connect. You should then be able to access your entire home network securely through the vpn tunnel.
Good luck! (No, it’s not easy.)
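As an added example (not part of the original posts): before forwarding anything, it helps to see which TCP ports the Pi is actually listening on and how they relate to the forwarding plan. The sketch below parses the Linux `/proc/net/tcp` format; the sample table is constructed, and the function names are hypothetical.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (not captured from a real BrewPi).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002 1
   2: 0100007F:170D 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11003 1
   3: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11004 1
   4: 00000000:03AF 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11005 1
   5: 0A00000A:0016 0A000014:C350 01 00000000:00000000 00:00000000 00000000     0        0 11006 1
"""

TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp


def parse_listeners(text):
    """Return (ip, port) pairs, sorted by port, for IPv4 TCP sockets in LISTEN state."""
    listeners = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue  # established connections and other states are not listeners
        hex_ip, hex_port = fields[1].split(":")
        # The address is a native-endian 32-bit value; the Pi is little-endian.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        listeners.append((ip, int(hex_port, 16)))
    return sorted(listeners, key=lambda pair: pair[1])


def audit(listeners, forwarded_ports):
    """Classify listening ports against the set of ports forwarded on the router."""
    report = {"forwarded": [], "lan_only": [], "loopback_only": []}
    for ip, port in listeners:
        if ip.startswith("127."):
            report["loopback_only"].append(port)  # unreachable even if forwarded
        elif port in forwarded_ports:
            report["forwarded"].append(port)      # reachable from the internet
        else:
            report["lan_only"].append(port)       # stays inside the home network
    reachable = set(report["forwarded"])
    report["not_listening"] = sorted(set(forwarded_ports) - reachable)
    return report


if __name__ == "__main__":
    # On the Pi itself: text = open("/proc/net/tcp").read()
    vpn_plan = {443, 943}  # TCP ports from the post; UDP 1194 is in /proc/net/udp
    print(audit(parse_listeners(SAMPLE_PROC_NET_TCP), vpn_plan))
```

With the VPN plan, port 80 (the BrewPi web interface) and port 22 land in `lan_only`, which is the intended outcome; a port showing up in `not_listening` means the router rule points at nothing.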
I appreciate all the help with this, but I can’t quite figure it all out. I completed the install and setting up the VPN on the Rpi. I still don’t understand what port needs to be opened, or how to figure it out. I think I understand how to open the port once I figure out how to get ahold of that info. I’m sorry I’m so primitive in all this, but what is my server host name? Would that be “Pi”? When I sign in to putty on my laptop to the Rpi, the host name is “raspberrypi.local” and the port is 22. Do I use this information anywhere in my router settings for port forwarding?
There are many different ways to achieve remote control of the brewpi, with different degrees of complexity and security implication.
Keep in mind that opening ports to the outside world is always a risk, especially if you have no complete understanding of what you are exposing. Good VPN configuration is hard and you can inadvertently open up your entire network to the world.
You might want to look at a solution like Weaved (free accounts available with some limitations) that doesn’t require you to open/forward an incoming port on your router. You install a piece of software on your Pi (weavedconnectd) and it will connect to the Weaved server with an outgoing connection. You can then access the Pi using a secure logon to the Weaved website.
They have instructions for the Pi on their website: https://www.weaved.com/installing-weaved-raspberry-pi-raspbian-os/ and also various instruction videos. You only need to enable the “web/http on port 80” service.
PS: I’ve played around with Weaved in the past, but I’m not actively using it, so things may have changed.
And then the easy (and safer) way is to use the Chrome browser and install the Chrome Remote Desktop app.
Probably best to Google for full instructions. I use it and it works very well, even on my smartphone. Although on another computer (laptop) is easiest.
I agree totally with NottingHill that it is probably a lot easier to go with Chrome Remote Desktop.
It might open your brewpi to the NSA but I assume they have bigger fish to fry. By the way, with their resources they can probably hack your network anyway, so no BrewPi is safe from the Orange Menace…
To utilize remote desktop, would I have to leave my pc up and running?
Sorry for the late reply, yes, one computer where you are viewing the BrewPi via a browser must be up and running. AFAIK, there is not a Chrome RD for Linux (yet?)
I was surprised when after two years of dutiful service my legacy BrewPi system was hacked. I had set up external access to my legacy BrewPi using remot3.it and Weaved. To make it work, you have to forward port 80 on your router. I had read about the security issues of forwarding port 80 but went ahead anyway.
I turned my BrewPi system on a few days in advance of a brew day to make sure things were working properly. BrewPi was in idle mode until I noticed that my upright freezer had spontaneously started running. I logged into the web interface to see this:
Needless to say, this caused me to abandon remote viewing and control for the time being. I recently upgraded to the Spark v3 in the hopes that it will be more secure should I decide to have remote access again.
The docker version of BrewPi publishes 2 ports, 80 and 81. 81 is protected by a password and therefore safer to forward on your router.
HTTP passwords are not super safe either, but it is better than nothing until we add proper authentication.
If you’ve created the 2 ports, 80 and 81 in the rocket, is there a way to delete off the 80 port?
Figured it out. I just created another container by copying the original container but using only 81 and then deleted off the original.