No Luck so far in forum searches, Is there a recommended vpn solution that other users have in place to connect there iDevice to your home network?
Does it have to be vpn? You still have ssh access correct? Is using ssh with port forwarding out of the question?
- Garrett
Does your router support VPN’s? If not then you could look to see if there’s a compatible DD-WRT or Open-WRT flash for it, or replace with something that has VPN functionality already.
I use my vera 1 as my router so I’m at the mercy of openwrt kamikaze
@Garrett, I could use ssh, but it’s a bit of a pain to login and configure SQ when I’m away from home and then reverse the config when I get home. Also I hate that issh does not do dynamic tunnels (otherwise, it’s a fine ssh client)
@strangely, I’m pretty close to getting a new router and pushing the vera behind it, but the vera is serviceable for now, so I’m a little reluctant to replace it, I was considering pptpd or l2tpd/ipsec for native access on an iDevice/Android. Not sure if encryption is really necessary with l2tp ipsec or a strong password is enough with pptp. I’m pretty clueless with actual setup so I was fishing for success that others may have had. Also, the ipkg packages available for these are slightly dated so I may have to compile my own or make due with old versions. I tried using the x-wrt in advanced settings and the VPN section does not work.
I was also considering getting a pogoplug and pass vpn requests to it. My Qnap NAS also supports openvpn and pptp, but it’s not always on. Ideally I would like to make it work on the vera.
I was actually trying to set up a VPN myself last week using a a spare ASUS 520 GS router I had lying around that I loaded up with a version of DD-WRT that support VPN, (OpenVPN, PPTP and L2TP/IPsec), however work has been a bear for me the last couple weeks, and I haven’t really had much time to get it running yet, and didn’t have much success with it running behind my other router.
It’ll be one of those things that sits on the back burner for a while I guess until I get some time, but I’m almost tempted to do a bit of a restructure with my network in general, and rethink a few things like having my front main router with it nativity supported, without having any nasty double NAT or port forwarding to it etc to save all the trial and error.
I was actually looking at the following to replace my router (or something similar), as I also need a bunch of extra switch ports, and the price seems pretty reasonable I think:
One of the other considerations I’ve started to look at, is routing throughput, as I currently get nearly 50Mbit from my cable provider, and a lot of low end routers will bottle neck this, even without using a VPN!
I’m running VPN on DD-WRT on my main router. Connecting to it with the built-in VPN option in iOS devices. Straightforward, as far as I remember.
I use a Linksys RV016 - it is very old (8years?) but still works very well. I use the PPTP vpn option and it works well from iDevices, macs and Windows.
They are pricy though - around $350 new. The main reason for using it is that I have two differnet ISP’s coming into my home and it does automatic fail over.
Typically, people seem to use remote access to vera and then have vera command SQBlaster using the @Guessed blaster plug in.
Later in the year, we will be enabling secure remote access to SQ Blasters (the new Plus and Gen 1 ‘puck’) via an optional firmware upgrade that wont need a VPN, but will go to the blaster via an XMPP server (SQ’s or one of several pubpic messaging systems).
Mat
Had some time this weekend due to the Nor’Easter
I was hesitant to use PPTPD because of inherent security risks, but I ultimately decided to go for it and mitigate the risk with extra long passwords and to write a script to shut it down and start it through a scene control.
I went and installed all the packages and got the service to start, but it doesn’t work, it looks like the kernel is out of date. I tried all the kernel mods with no luck. I’m a little hesitant to tinker too much more and risk bricking the vera. If I don’t get this to work, I may have to succumb and get a new dedicated router.
Mat, I have not used guessed’s plugin. Seems like a lot of work to get it setup and I’m concerned about support with vera1 since he seems very involved with it’s development. Latency seems like it might be another issue, but it should be ok for “all off” type scenes. I am intrigued with the XMPP server you guys are planning though.
Im on draytek 2850vn vpn works perfectly with vera ui5 and sqblaster plus,works faster than acccess through mios.com almost like local connection
I just updated my router with a Asus RT-N16 which was extremely easy to install DD-WRT on compared to another outdated router I own, and now also have OpenVPN and a PPTP VPN setup. Total out of pocket expense after a $10 rebate was about $75
Looks like my vera1 still has legs!
I finally got pptpd installed on my vera 1 and working after a bunch more kernel mods and firewall tweaking and it’s actually working really good.
Safari is working and it shows my ip as the WAN ip and I’m hitting web pages just fine. I’m also reaching local devices on the LAN just fine too (e.g. IP thermostat, IP Alarm, NAS box)
but … there’s always a BUT.
when I initiate the vpn and fire up SQ, the blaster connects just fine but mios does not connect
btw, my blaster is assigned a static IP
So I go into MIOS System and Devices configuration
And it says there’s a connection error dialog, I then press ok
It shows my IP address as the correct WAN IP Address.
So I can make this work a couple ways:
I type in the LAN IP address of vera (Which is a Pain)
or
I switch the “Always Connect Using Remote Access” to On from a Default of Off (will increase latency unnecessarily, e.g. when I’m home)
This is also the case when I’m on a different wi-fi e.g. work, to get mios to connect I have to switch on “Always Connect Using Remote Access”
Any Ideas?
It works just fine when I’m physically home and on my local Wi-Fi and switches fine when I leave the house and use 3G (for mios, puck fails without VPN)
What’s weird is that the puck is working just fine under vpn
and SQ accepts my mios credentials just fine as well
I’m guessing this might be a firewall issue since when I fired up the Sonos app with VPN I couldn’t see anything either
I read in a post from Mat that bonjour might be an issue across different APs, wonder if this is related
Bonjour + VPN usually equals disappointment. There are supposed to be two ways that Bonjour gets advertised to clients: multicast (224.0.0.251:5353) and DNS-SD. Multicast is not routable, since it’s layer 2 and not layer 3. But it is bridgeable, but there are no bridged VPN clients for most handhelds. You can beat your brains out setting up a Bind server to handle DNS-SD advertisement, but it seems that a lot of client app folks have been lazy and don’t actually respect/utilize that part of the spec. I have some time off coming up in a couple months, and am probably going to flatten my forehead against this some more.
–Richard
A couple of points.
- SQRemote only uses Bonjour to find SQBlasters.
- I dont recommend using the Blaster setup to assign a static IP address (in the SQ Blaster setup wizard). If you want to assign an IP address that stays constant, then use your router in the DHCP options to always give the same IP address to the Blasters MAC address.
- That IP address should then be addressable via the VPN and via local. It wont be addressable if you are remote and not on the VPN.
- THe Vera discovery service uses the external IP address of the client device to identify which devices are locally available I.e. each vera on a netwrok makes a call to the mios service that registers that vera for that external address and the client device calls ther service and that service matches the IP addresses. When we look fro vera’s locally, that is what we use to find them. I wouldn’t mind betting that when you are on the VPN, that call goes out on the 3G Netowrk’s IP address, and so doesn’t find your vera.
As I mentioned in another post, by the end of the year (fingers crossed), we will have an optional firmware upgrade for the blaster and SQRemote that will, foir the blaster anyway, allow you to safely and securely access it it seamlessly from outside your home network as well as from inside.
Matt,
Thanks for the insight.
- Ok, so SQ Remote only uses bonjour for the blaster, noted
- I agree, and I do use mac filtering to assign all ip addresses including my blaster
- And I have no problem addressing the blaster when on vpn
- This is where I’m stumped.
With default configurations:
a. If I’m at home local wifi, iphone works great, picks up vera and blaster over local wifi
b. If I’m on 3g only, mios redirects just fine and I can’t get to blaster (of course)
c. If at any other wi-fi AP, sq remote can’t find vera until i turn “Always Connect Using Remote Access” and that doesn’t always work, sometimes I get a wrong username/password when I know the username password is right; and I also can’t get to blaster in this configuration (of course)
d. Outside of my home wi-fi using any other Wi-Fi AP or 3G and using VPN. SQ Remote cannot find vera until I set the IP address to the internal .1 address of my vera. I can also keep the WAN address and turn “Always Connect Using Remote Access” and that doesn’t always work, sometimes I get a wrong username/password when I know the username password is right. I Have no issues connecting to the sqblaster when on the VPN
I’m still leaning towards this to be a firewall issue on my side, theoretically the VPN gives the iphone an IP address in the same subnet as vera so the iphone should work as if were a native device on the LAN, correct? I also have no problems connecting to the web interface of vera using the .1 address for both the standard vera web interface and the local smartphone interface.
Matt, when you say you “wouldn’t mind betting that when you are on the VPN, that call goes out on the 3G Netowrk’s IP address, and so doesn’t find your vera.” Is that even possible? I’m not a networking expert by any means so please enlighten me.
Thanks,
I think there are two problems here.
One: I am not suire if this is eaxactly what you have setup, but it would seem likely that you have two or more wifi AP’s set up as gateways and each one is connected to your cable/DSL modem. Vera is connected to either the main modem, or to one of the Access points. SQRemote is connected to the other access point.
The Vera service discovery is not smart enough to detect this situation, so when SQRemote goes out to the Vera server, it has an external IP that it recognises, and returns to SQRemote an internal IP address to use to connect directly to Vera. However, that internal IP is the address of the ‘other’ access point or the main DSL or the address issued by that modem to Vera (I am not sure how vera sends its information to the service discovery and what it sends). the problem is that the network doesn’t know how to route that address from SQRemote’s access point so it wont work and will error out.
It could also be the ‘double NAT’ problem: To be even more confused, Nat - Wikipedia explains the whole ‘network address translation’ issue, which is how the request from SQRemote and Vera get handled going out to the MiCasaVerde service in the cloud.
Two: SOmetimes not working. Most probably, there is a time out or multiple errors that are being reported back as User name password invalid. You might like to try increasing the timeout values in SQRemote for that Vera - although I can’t remember if they are honored for login.
When you put in a fixed address in SQRemote to Vera, we ignore all of the Service discovery methods and just connect directly. So in this case, when you are on the VPN, that IP address will be routed by iOS to vera via the VPN as it will recognise the first bit of the IP address as being for the VPN. Clearly the service discovery at this point is horribly confused and without looking at the actual network traces, I am not completely sure what is happening when you dont put in the vera address. On the ‘Always connect remotely’, my guess is timeouts and errors being reported as a failed login. It could be the Vera servers, or a section of network between them and you…
Mat
Quick update if anyone is interested.
I recently switched carriers to AT&T and SQ now works over VPN.
Not sure if it was the switch in networks or the reinstall of the app, but it does fine over 3G. I still have the same symptoms if using wi-fi (e.g. at work, unless I switch on the use remote connection only switch)
One weird observation, previously on verizon, the mios did not connect, but the puck connected immediately (I did get mios to connect only after switching the use remote connection only switch)
With the new AT&T phone, mios connects immediately on 3G, but the puck does not. I have to go in the sq blaster network settings and exit and it connects just fine after that (though I made no modifications) I increased timeout to 30 seconds, but no luck
So, my problems seem to be reversed now, but at least I can get on both without too much tinkering.
Matt,
Though you might be interested
The wi-fi thing still stumps me, the SQ app must be bypassing VPN somehow. I have some other use cases that seem to prove this.
- When on VPN I can reach web services just fine on my LAN
- When on VPN, my proliphix app reaches my IP thermostat just fine
- When on VPN, my alarm app can not reach my IP module on my LAN
- When on VPN, pretty sure sonos doesn’t work either
It might be the Apple network stack or VPN implementation.
I can get it to work after fumbling around so I can deal with it. I’m more annoyed at the known bug in the vera1 kamikaze openwrt that blocks ports that should be open after seemingly random amounts of time. I have to restart the firewall before I VPN in each time.