How to directly connect to Vera Edge box from outside home network

I am constantly connecting to my box via a web browser from locations other than my home, and using the home.getvera.com login often fails and gives error messages such as "page not found" or, today, {"ErrorCode":0,"ErrorSubCode":0}. This can be quite frustrating when I am trying to work on setting something up or coding a PLEG and all of a sudden the page crashes and does not let me reload it or log in again.

So I figured that, if while at home I can bypass all that and go straight to my box's IP address to connect, I should be able to do that outside of my home network with my external IP address and some kind of port forwarding setup (which I have done for many other devices), but I am having trouble figuring out what needs setting up for that to work for the Vera Edge box, what port I would forward to the box, etc.

Could anyone who has done this, bypassed logging in through the Vera remote servers and just gone straight to their box, let me know how?

Thanks

DO NOT EVER USE PORT FORWARDING to bypass the security of your router.

It’s like posting a sign outside your house that the doors are open, I am not home, and I have lots of goodies for you to take!

And believe me multiple hackers around the world will find you VERY quickly.

Many WiFi cameras documented how to port forward to access their WiFi cameras (and kiddie cameras) from the internet.
Now there are websites of camera pictures from these cameras, of their kids and family members in view of the camera, in what they thought were private moments.

Once one node is compromised on your LAN, it's much easier to attack the other nodes on your LAN. Most residential routers and computers assume anyone on the LAN can be trusted.

As @RichardTSchaefer said, do not port forward Vera.

What you should do is set up a VPN connection for your remote access to Vera.

You need to look for a router that supports being a VPN server. If you are Linux friendly, you can flash openwrt or tomato on numerous cheap routers to enable a VPN server. Then, if need be, you put the vpn router in a DMZ and the vera behind the VPN router.

Thanks for the advice guys.

So is there anything I should look at regarding the security of my cameras as they currently are? I am pretty sure most IP cameras come by default with port forwarding of some kind set up so that you can connect to them via their apps etc., like the Foscam app that allows me direct access to my cameras from anywhere, and the cameras have a username and password for security.

Are you saying this is not secure either and that I need to find out how to turn all this off, so that only my local network devices (Vera box, computer etc.) will be able to access the cameras, and use the VPN to access my local network while out and about elsewhere?

Sounds like a good plan, I think my Linksys box has some setup built in allowing me to create a VPN (It should, I paid enough for the thing) I will have to look into it.

Thanks again

The issue with the devices that create a hole in your network, like Vera, Dropcam, Foscam, Nest, etc., is that if the device's cloud is hacked, malicious commands or firmware updates could be sent to the Vera/Dropcam/Foscam/Nest that render your firewall useless. A Dropcam can save files locally or to a cloud, which means if someone finds/inserts malicious code, it could upload files from your LAN to an attacker. Or delete files. Or encrypt files for ransomware.

Your options are:
1. Just trust to luck and the manufacturers to not screw up
2. Go dark and cut those devices from the net
3. Isolate your HA/IoT from your personal LAN with VLANs or separate routers
4. Disconnect your devices from their clouds and establish your own VPN for remote access

I have gone with 3 but I am prepared to go with 4 if Vera.com is ever hacked.

So, how would someone implement option 4 and restrict access to the Vera Edge UI7 box from anywhere but the local LAN access (and then trust that your security is good enough that people cannot get into your LAN I assume).

In an ideal world I would perhaps combine 3 and 4 and have all my HA systems on a separate network not directly connected to/from my main home network, so that it cannot interact with computers and phones and other stuff connected to my network, and also have the VPN for external access, cutting out any access from the Vera servers.

However then you do have some slight downside of not allowing other devices at home to interact with the Vera system like TV’s, phones etc.

I think in all reality though if someone is good enough to hack somewhere like Vera’s servers then they will have no problem bypassing most home network security if they really want to get in, and it wouldn’t be that hard to find people to do that to.

It’s all a balance really, gotta make sure you can do what you want to do without compromising your security too much, I agree about keeping the IP cameras harder to access, not directly accessible through your router from the outside world, password protected and secure etc., although I’m not sure why anyone would want to watch my back garden or my cats, no other cameras here lol

I use option 3 as well. All cams (WiFi and wired) are on a separate router (with its own SSID) on a VLAN with BI and Vera. The rest of my data network is on another VLAN. There is no port forwarding for anything on my cable modem as I use a *nix box as a gateway/firewall box.

@Milson HQ: You may have to set up a gateway server to host a VPN server if your router has no support for that. Then on all devices you want to use to access your network remotely you need to either enable the built-in VPN solution or install a VPN client, so a VPN tunnel can be established between that device and your VPN server to access Vera (and other resources on your LAN). To the remote device it will appear to be on your LAN, so there is no need to go through Vera's servers.

I’m working on a cloud server (VPS) that would be a VPN gateway with a tunnel back to my local gateway server as well as a link to the internet. So regardless if connecting via an insecure public WiFi I will still have a secure connection that can’t easily be eavesdropped on.

There are orders of magnitude difference in security between solutions that “Tunnel Out” vs a “Port Forward” into your net.

I have no problem with "Vera" tunneling out to their secure cloud servers. Their cloud servers require an OAuth-like authenticated connection to access your Vera.
I have no idea the techniques used by “Nest”, “Foscam”, Dropcam …

If you have any weak links that can access your Vera, and your Vera can control the Alarm System, and Garage and Door Locks, you can have a potential physical security breach.

I'm going to preface this by saying I trust Richard's PLEG app. It is the heart of my Vera. But PLEG, like several of the apps I have on my PC and phone, is a potential security risk I accept because of the benefits they provide. Someone else will decide differently. There's no singular "right" answer to security. There's a risk/benefit analysis.

VeraLite/3/Edge/Plus maintain a more or less continuous SSL tunnel connection to getvera/mios.com. That OAuth-ish/SSL tunnel makes sure that Vera is connecting in a reasonably secure method to getvera.com/cp.mios.com. What it doesn’t do is make sure the code that comes from mios.com isn’t evil.

If someone were to hack Vera (or Richard), the auto-update function would push a malware-infused PLEG to my Vera which could then SSL tunnel back to the hackers and be under their complete control. Ignoring the impacts to my HA devices, a Vera with free access to my LAN could install other malware or ransomware on the other devices.

This is what happened in the SmartThings "hack" demo. The SmartThings hub wasn't "hacked"; no passwords were decrypted. An app was published to the ST app store that had its own "call home" mode that let the app publisher unlock doors or set new PIN codes on the lock.

None of the HA systems have permission controls beyond "installed" and "uninstalled", meaning that there's nothing keeping, say, the Weather Underground plug-in from accessing the garage door controls. Contrast this with iOS and Android, which (finally) now have "feature level" permission controls. If I install the WeatherBug app, I can block it from accessing the camera or my contacts but let it have GPS and data access on my Droid. Until that exists for HA, we're stuck trusting the security of every upstream developer and service of every plug-in to be safe.

And even then, it won't help everywhere. The very basis of PLEG is "do everything/anything". PLEG by its very nature is the antithesis of tight security, just like Tasker on Android. And I have Tasker on my phone. Tasker is a risk, but it's a calculated risk that is mitigated in part by frequent backups and by disabling the camera/mic/contacts/phone/SMS/etc. access on all the other apps that I don't think need them and/or don't trust fully.

If you want mobile notifications, then you need the Vera to in some fashion contact the outside world. That’s the fact. After that it’s a matter of mitigating the risk that outside contact requires.

If you can live without mobile notifications, maybe because you have an independent security system for that, then you can sever your Vera from the net and only have local access to it.

A networking expert will start talking about setting up VLANs in your router config and mucking with HOSTS files to redirect DNS calls. I haven't set up a VLAN in a decade and wouldn't want to ask someone to do that. DNS management is a constant hassle, as each device will have its own call-home settings that could change with firmware updates.

So instead let's look at this as an off-the-shelf, consumer-grade solution. Right now you have, I hope, a router with a firewall protecting your home LAN from the internet. What you would do is use several of those to segment your network.

I’ve cobbled this together from notes on other sites. I believe Kevin Rose did one of the first “Internet of Things router configuration” articles a couple of years ago and he’s updated it at least once. He’s on This Week in Tech with Leo LaPorte. I’ve talked with some folks who are full time networking people and the basics here pass muster. The devil is in the details.


Option 3: - Gadgets separated from PCs/phones but still accessible and with cloud access.

Internet router - this one is connected to the outside world. It may be integrated with your DSL or cable modem or it may be a separate device. Firewall is always on. Wifi should be off.

Private Lan router - this one is where your PC, printer, and phones go. This would be your home WiFi. Firewall is always on.
Wifi better be secured. Change the password a couple of times a year; those HA devices hear enough traffic they can crack your keys over time.

HA router - this is where all gadgets go. It would have the Wifi for Vera, Nest & Dropcam. Wifi is secured, use different passwords from your Private LAN wifi.
This one does NOT have the firewall engaged; it is in bridge mode. The point of this router is to prevent a gadget from performing a “man in the middle” attack between the Private Lan and the Internet router. With the firewall off, devices on the Private Lan can connect directly to things in the HA router. The gadgets can still call home. If you need to cheap out on something, go cheap here because this does so little.

The Private LAN and HA router are both connected to the Internet Router.


Option 4 - gadgets severed from cloud, VPN access to gadgets. This one requires more devices and more time/money to configure.

Internet router - this one is connected to the outside world. It may be integrated with your DSL or cable modem or it may be a separate widget. Firewall is always on. WiFi should be off.

Private Lan router - this one is where your PC, printer, and phones go. This would be your home WiFi. Firewall is always on.
Wifi better be secured. Change the password a couple of times a year; those HA devices hear enough traffic they can crack your keys over time.

VPN router - this router has VPN SERVER software and runs a firewall. It will be more expensive to buy with it included or require you to install custom firmware on a router. If you go the custom firmware route, get the most stripped down firmware possible. Features are security holes.
The Internet Router will need to designate the VPN router as the "DMZ" device, meaning incoming traffic goes to that router. Since the VPN router has a firewall, it's as safe as any other router. And since your LAN is behind its own firewall, your PCs are still as safe as if the Private LAN router were connected directly to the DSL/cable modem, even if you fubar the settings on the Internet router.
To access the devices behind this router you will need VPN CLIENT software on phones/PCs/etc with the keys/passwords matching the VPN SERVER. You will need a dynamic dns service, unless you have a static IP address from your ISP. If you don’t know what that is, you probably don’t have static IPs.

Blocker router - this router keeps gadgets from accessing the net. The firewall is on, but you set this router up backwards, with the OUTSIDE/WAN port facing the HA router and the INSIDE/LAN port facing the VPN server. Any calls coming from the HA router are blocked, so no gadgets get to call home. But since the VPN router is "inside" the firewall, it can call "out" to the HA router. If you need a "Guest" WiFi, put it here. This one can also be pretty cheap since it just needs a basic firewall.

HA router - this is where all gadgets go. It would have the Wifi for Vera, Nest & Dropcam. This one does NOT have the firewall engaged; it is in bridge mode. This is just a hub. With the firewall off, the VPN server has access to things in the HA router. The gadgets can’t call home, Blocker will stop that. If you need to cheap out on something, go cheap here because this does so little. In theory you could use some models of Vera here instead of a separate router but I wouldn’t recommend it. If you only have a Vera, you can skip this. But once you add Nest/DropCam/etc, you’ll need an HA router.


Option 3 is relatively cheap & easy and everyone should do it.
Option 4 is a pain in the behind and is my “only if I need to” scenario. I have all the parts in my closet if that day comes.

I forgot option 2 - sever the gadgets from the net, LAN access, no VPN server.

Take option 4, remove the VPN router, don’t DMZ anything. Blocker Router connects to Internet Router. Gadgets can’t access the internet. Your LAN devices can access the gadgets without VPN software.

I didn't discuss IP address ranges and gateways. If you choose one of these, you'll have to choose your IP address ranges carefully to set up the gateways so everything can route properly. I will try to remember to post links later for those who are google-fu challenged.

Of course, if you are google-fu challenged, consider paying someone to do this for you. If it goes wrong you won’t be able to fix it anyway.
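The address plan and "who can talk to whom" reasoning the post above leaves for later, worked through as an added example (not the poster's own code, and not from the forum). It models Option 4 exactly as described (Internet router, Private LAN router, VPN router as the DMZ host, Blocker router wired backwards, HA router in bridge mode), checks that the chosen subnets do not overlap and that each router's WAN address sits in the upstream segment, and then walks the "inside may initiate to outside, never the reverse" rule of each consumer firewall to confirm which segments can reach which. It also derives the Option 2 variant (VPN router removed, Blocker hung off the Internet router). Every subnet, address and router name is constructed for the illustration.

```python
"""Address plan and reachability check for the Option 4 layout described
above. Added example, not from the forum thread; all subnets, addresses
and router names are constructed for the illustration."""
from ipaddress import ip_interface, ip_network

# One subnet per network segment (constructed values). The HA router is in
# bridge mode, so the gadgets share a segment with the Blocker's WAN port.
SEGMENTS = {
    "internet":     None,                           # the outside world
    "internet_lan": ip_network("192.168.0.0/24"),   # LAN side of Internet router
    "private":      ip_network("192.168.10.0/24"),  # PCs, phones, printer
    "vpn_lan":      ip_network("192.168.20.0/24"),  # LAN side of VPN router
    "ha":           ip_network("192.168.40.0/24"),  # Vera, cameras, Nest
    "vpn_tunnel":   ip_network("10.8.0.0/24"),      # pool handed to VPN clients
}

# Each firewalling router: the segment on its outside (WAN) port, the
# segments on its inside, and its WAN address, which must fall inside the
# upstream segment. A remote device appears in "vpn_tunnel" only after the
# VPN router has authenticated it, so an anonymous internet host never does.
OPTION4 = {
    "internet_router": dict(outside="internet", inside={"internet_lan"}, wan=None),
    "private_router":  dict(outside="internet_lan", inside={"private"},
                            wan=ip_interface("192.168.0.2/24")),
    "vpn_router":      dict(outside="internet_lan", inside={"vpn_lan", "vpn_tunnel"},
                            wan=ip_interface("192.168.0.3/24")),
    # Blocker: WAN port faces the HA segment, LAN port sits on the VPN LAN.
    "blocker":         dict(outside="ha", inside={"vpn_lan"},
                            wan=ip_interface("192.168.40.1/24")),
}


def option2(routers=OPTION4):
    """Option 2 from the thread: drop the VPN router and hang the Blocker
    straight off the Internet router (its LAN port on internet_lan)."""
    variant = {k: dict(v) for k, v in routers.items() if k != "vpn_router"}
    variant["blocker"] = dict(variant["blocker"], inside={"internet_lan"})
    return variant


def check_plan(routers=OPTION4):
    """Return a list of problems with the address plan (empty means OK)."""
    problems = []
    nets = [n for n in SEGMENTS.values() if n is not None]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"overlap: {a} and {b}")
    for name, r in routers.items():
        upstream = SEGMENTS[r["outside"]]
        if r["wan"] is not None and r["wan"].ip not in upstream:
            problems.append(f"{name}: WAN {r['wan'].ip} is not in {upstream}")
    return problems


def allowed_edges(routers=OPTION4):
    """Directed 'may initiate a connection' edges between segments: a
    consumer firewall lets inside initiate to outside, never the reverse,
    and segments on the same inside of one router see each other."""
    edges = set()
    for r in routers.values():
        for seg in r["inside"]:
            edges.add((seg, r["outside"]))
            edges.update((seg, other) for other in r["inside"])
    return edges


def can_reach(src, dst, routers=OPTION4):
    """Depth-first search over the allowed edges."""
    edges, seen, stack = allowed_edges(routers), set(), [src]
    while stack:
        cur = stack.pop()
        if cur == dst:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(b for a, b in edges if a == cur)
    return False


FLOWS = [("ha", "internet"), ("vpn_tunnel", "ha"), ("private", "ha"),
         ("internet", "private"), ("ha", "vpn_lan"), ("private", "internet")]


def policy_report(routers=OPTION4):
    """Map 'src->dst' to whether src may initiate a connection to dst."""
    return {f"{s}->{d}": can_reach(s, d, routers) for s, d in FLOWS}


if __name__ == "__main__":
    print("plan problems:", check_plan() or "none")
    for label, routers in (("option 4", OPTION4), ("option 2", option2())):
        print(label, policy_report(routers))
```

Running it shows the properties the post is after: in Option 4 the gadgets cannot reach the internet or the VPN LAN, an authenticated VPN client can reach the gadgets, and the Private LAN cannot reach them without the VPN; in Option 2 the Private LAN reaches the gadgets directly while the gadgets still cannot call home. Swapping in your own subnets and WAN addresses is the intended use, and `check_plan()` will flag an overlap or a WAN address placed on the wrong segment before you start typing it into routers.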

Buy a Netgear R7000 router.
Google Kong's DD-WRT and install it.
Google how to set up OpenVPN and set it up.
Give your cams static IPs; using said router, deny internet access to those cams.
Set up OpenVPN on your laptop, or download an OpenVPN app for your smartphone.
VPN back in to control/see the cams or to directly control anything on your network.

I disagree with the previous post; you don't need a bunch of routers to be safe.
HOME network security is like a lock on your door. It will only keep honest people out (and the punk next door).
If someone REALLY wants to hack your network, chances are they will find a way.
That said, DD-WRT on just about any router (I reco the R7000) with OpenVPN is a solid solution. For WiFi: WPA2 using AES with a LONG password.
VLANs are a good suggestion, but not really necessary; if your router is compromised, chances are the VLANs will do you little good.
More security is of course great, but think about it… how many locks do you really need on your front door…
Is 2 good enough, or are you going to install 15 of them? Consider what you are trying to protect and go from there.

Lots of very useful information there from everyone.

My current setup consists of the basic ATT router that contains the modem (with WiFi disabled etc., and only really being used for the modem and connecting the TV receivers etc.). This is then connected to my home LAN router, which is a Linksys WRT1900ACS.

From there I have plugged in my Vera Edge, I also have a Linksys WRT 8-Port Gigabit Switch connected to that and from the router my main computer is also connected along with a bridge device that connects to my electric meter wirelessly via Bluetooth I think, for the electric company to monitor and give me real-time updates on my usage.

Over the WiFi I have several phones, tablets, laptops, TVs and gaming devices etc.; one tablet runs ImperiHome and VeraAlerts for a home controller I am setting up, and 2 cell phones also run ImperiHome, VeraAlerts and VeraProximity.

Into the switch I currently have a 4 port PoE device connecting two Foscam PTZ outdoor security cameras that I am testing out before installing them on the outside of my home.

I have a basic Vera setup with a few light bulbs, a couple of stick on wall switches, thermostat controller, some motion sensors, door/window contacts, and a door lock.

I am planning on changing up everything to get things in better locations for the WiFi signal and for the whole network to run better, maybe moving my main router and switch etc. to a centrally located upstairs closet to allow me to install the cameras without running multiple cables all over the house.

Not really looking to purchase new routers or other equipment (Unless I absolutely have to), just looking for a reasonably secure (if you wanna get in and know how you will regardless of what I do) setup with what I currently have to allow me to run my HA and security cameras along with local and remote recording, secure remote viewing and control of my system without leaving easily accessible security holes for people to exploit and get in to view my cameras or control my system etc…

I figured I would be reasonably secure being that my router has a decent firewall, very long secure passwords are used on all of my devices, Vera Edge, the Linksys router, my cameras etc., every device has static IP addresses assigned and I don’t allow other devices to join my network unless it is something I am adding, no guest network, no letting friends connect etc.

I certainly do welcome and appreciate any and all suggestions people give so that I can use my equipment remotely and securely and find the best middle ground.

You already have a $200 router. If my Google fu worked, it supports VLans and has a VPN server as of firmware update sp4. You could do all this from your one device IF you are comfortable doing the configuration and know how to test it.

Option 3 can be done using $30-from-Wal-Mart routers by someone who doesn’t know what a Vlan is but wants a level of safety.

I will do some research on the VLAN and VPN setup and I am sure I can figure out setting all that up one weekend :slight_smile:

I googled your router. It supports DD-WRT.
My suggestion is that over the weekend you install it.
Better than any OEM firmware IMO.

Seconded. I only purchase routers that are DD-WRT compatible.

Looks like the version of firmware they suggest on their site for my router is a beta build, think I will hold off making such a big change right now.

It does look interesting though.