Ideas for Remote Access

[TerryJC]

Penri,

At our Video Conference yesterday, you took the action to investigate the procurement of a suitable 3G/4G device to enable Hamish or myself to log in to the River System network remotely to do updates, read logs, download results etc.

I've been thinking about this overnight and coming up with some possible pitfalls that we may have to consider. The first thing that concerned me is the fact that getting Internet access from a phone, laptop or tablet using a dongle is not the same as getting remote access to the network from the Internet. These dongles are sold specifically for the former and don't, on their own, support the latter.

This leaves us with a number of choices which range between buying a full-blown 3G/4G router to adding a dongle to a Raspberry Pi as Hamish suggested.

A full-blown router is typically £70+. One of these would clearly do the job, because they generally have an internal firewall and would allow port forwarding etc. However, the problem then is that there is no guarantee that our router will have the same IP Address from one day to the next.

The second option is to buy a cheap portable router such as the TP-Link TL-MR3020. This costs a bit less than £30, but we would also have to buy a dongle, because on its own the router doesn't provide the 4G Modem; this has to be plugged in. We would still have to consider the static IP Address issue.

Finally we could buy a dongle and connect it to a Raspberry Pi configured as a Router. We could (I believe) use a Pi Zero for this (and I have some freebie Zero Ws that were given to me when I subscribed to Magpie). In addition we would need a Micro-USB to Ethernet Converter. We still have seven of these from the original purchase in addition to the two that I'm currently using for the hardware test rig. Eventually we'll need sufficient for the three Gate Valves, the Matrix Pump and the Gazebo SAC. I'm not sure how many are attached to the unused Gate Valves on the shelf in the Workshop, but we should have sufficient. We will also need an Ethernet Switch, which we also have. We would still have to consider the static IP Address issue.

There are a number of ways of resolving static IP address issue. Apparently it is possible to buy a Fixed IP SIM Card, but that would need a SIM free dongle. The problem can also be resolved by using an Internet Resource that redirects traffic to the latest dynamic address that the device has been allocated. These exist, but keeping them updated can be an issue. Thirdly, if a Router is procured, it may support the creation of a Virtual Server. With this, the vendor effectively provides re-direction by keeping in touch with the Router, so the user doesn't need to. The TP-Link TL-MR3020 does this.

In Summary, the easiest way, which is also the most expensive is the full-blown Router. The next easiest, the portable Router, is less expensive, but has the ability to set up Virtual Servers easily. Finally, the DIY solution is almost free (just the dongle and the data plan, but is a fair amount of work).

I hope this informs your search.

[Penri]

Terry

Thank you, I read this earlier today but could not reply at the time.

I'll be starting to raise the issue tomorrow and will see how things stand.


Hwyl

Penri

[Penri]

Both

While I was exploring potential costs last night I was pondering what other options could we have for remote access / working as alternatives to the above cellular based solutions?

What about:
New dedicate land line
VPN provided the ISP will allow pass-through
.
.
.

Hwyl

Penri

[TerryJC]

What about:
New dedicate land line

Leaving costs aside for the moment, that would obviously work but ut would probably take BT a very long time to install it and we would still have a security risk (but only to the River System network, not the Office).

Cost wise, we would need a new broadband account, as well as the landline account.

VPN provided the ISP will allow pass-through

Well my ISP certainly allows it because we used to do it when I had a company laptop. My hosting provider even publishes a guide https://www.ionos.co.uk/digitalguide/se ... d-openvpn/ which describes how to set a Raspberry Pi up as a VPN Server.

I don't recall having to set anything up specifically on my router when I used the company laptop, so presumably, the link was set up from the server end. The tutorial is for a VPN Server and it would seem to be possible as long as the Pi has a static IP on the local network and is using Dynamic DNS to get a virtual static IP for the external connection. I don't know too much about VPN, but I could probably find out. I'm fairly busy this week with the completion of the spare SAC and helping Hamish with his NAS Box documentation so I guess we need to prioritise that.

A thought. I might be able to recruit Paul Tyson to review that link and give his opinion of the pitfalls.

[Penri]

Hello

Thanks for the further thoughts.

I raise the idea today and got a good reception from Greg, I/we now just have to establish the potential costs and agree on the rough timescale when we need it up and running.

Getting an input from Paul is an inspired idea.

Penri

[TerryJC]

Penri,

I've had a conversation with Paul. His immediate thought was that we ought to be able to set up a port on the Office Router to allow access to our network. I remember having a conversation with you et al about logging into the ISPs Router and no-one seemed to know the admin login credentials. Did anyone make any progress on this?

Assuming such a port can be opened, then we could have a VPN Server on the River System network which would allow us to log in using VPN and still protect the Office network. We would have to open up a port in the Firewall on the Webserver Pi, but it should all be doable.

Anyway, he's happy to look into this for us and so I've sent him a cut-down version of the Architecture Diagram, with a bit of additional detail on how the Firewall is implemented.

I've also sent him links to the IONOS page on setting up a Pi as a VPN Server and the TP-Link page on the Portable 4G Router.

[Penri]

Terry

Good work.

I remember having a conversation with you et al about logging into the ISPs Router and no-one seemed to know the admin login credentials. Did anyone make any progress on this?

I have not pursued it, I can't recall why the question came up, can you remember?

Can I assume that if it could be done that it would be a suitable way for doing what we want to do?


Hwyl

Penri

[TerryJC]

The WiFi kept dropping out.

[TerryJC]

Can I assume that if it could be done that it would be a suitable way for doing what we want to do?

Penri,

I missed this question when I responded quickly yesterday

With my own limited knowledge of network administration, I would say yes. The tutorials that I've seen so far all assume a fairly simple setup with a Router providing an Internet connection for a LAN. Our setup is slightly different in that we have two LANs with the Webserver RPi acting as a gateway and firewall. That may add enough complexity to break the system, but I can't see how.

I'm awaiting Paul's verdict.

BTW. Can you check the make and model of the Office Router? That might give us some insight into it's capabilities if we can get hold of a User Manual. It might even have a VPN Server Built in - mine does, but it was a fairly expensive Netgear device.

[hamishmb]

How would opening a port on the router for a VPN be more secure than just opening ports for SSH access to the Pis?