Remote access to Brewpi- current methods?

[jmrybak]

(this post was moved to the appropriate subfolder)

Hey all,

This will hopefully be a quick question for those more senior to the topic, but as I couldn't find a clear answer in reading through seemingly endless posts (containing great content mind you), I thought I would ask.

What is the easiest/ best/ most striaght- forward/ your favorite way to access and control your brew pi remotely? I would like to be able to monitor and control my brewpi from any computer or my phone if possible. I do not need public versions, just one for myself. I do have a website where I could host/ post or link anything needed. I have the most basic brewpi setup currently thanks to fuzzys thread (more advanced builds with LCDs and other set ups planned to tinker with).

I have seen a few methods posted around- but many seem as they may be outdated or need modifications, and others have broken links. I could try VPN, but this seems more complex to readily access and offers more than I need.

Thank you for any and all help or advice!

Rpi 3B (running Jessie with brewpi and all have been updated as best I can tell)
Sainsmart Arduino UNO R3
Sainsmart 2 channel relay
2 DS18B20 temperature sensors

 

[stlbeer]

Super easy to use: https://www.remot3.it/web/

 

[day_trippr]

My remote SSH arsenal includes Putty and WinSCP on my peecees, and Juice SSH on my 'Droids.

Old school

All of my RPIs are accessible from anywhere with interwebs...

Cheers!

 

[jmrybak]

Super easy to use: https://www.remot3.it/web/

How do you get this to work? Can you control the interface on your phone?

 

[jmrybak]

My remote SSH arsenal includes Putty and WinSCP on my peecees, and Juice SSH on my 'Droids.

Old school

All of my RPIs are accessible from anywhere with interwebs...

Cheers!

Can you use ssh to get the web interface? I use ssh on the home network (Comcast modem/router to apple time capsule wifi router) to control my Rpi, but can't for the life of me figure out how to use ssh to get the web interface from off the home network.

 

[stlbeer]

How do you get this to work? Can you control the interface on your phone?

If you have a smart phone you can use the browser. When I'm at home I simply use the IP of the Pi, when remote I use the Remot3.it. I've set up 2 services, HTTP and SSH. That way I can get a terminal or browser to work.

The BrewPi interface can detect your browser and accommodate it, though it's much easier in landscape mode.

 

[day_trippr]

Can you use ssh to get the web interface? I use ssh on the home network (Comcast modem/router to apple time capsule wifi router) to control my Rpi, but can't for the life of me figure out how to use ssh to get the web interface from off the home network.

Haven't tried setting up Apache2 for https, but there are quite a few tutorials on the subject, this one looks pretty readable...

Cheers!

 

[jmrybak]

If you have a smart phone you can use the browser. When I'm at home I simply use the IP of the Pi, when remote I use the Remot3.it. I've set up 2 services, HTTP and SSH. That way I can get a terminal or browser to work.

The BrewPi interface can detect your browser and accommodate it, though it's much easier in landscape mode.

Got remot3.it running. It took a minute to find the clean install instructions, and another few to find where their mobile interface hides the login fields, but it works great! Thanks for the tip!

 

[stlbeer]

Got remot3.it running. It took a minute to find the clean install instructions, and another few to find where their mobile interface hides the login fields, but it works great! Thanks for the tip!

Glad I could help.

Happy Brewing!

 

[sami1971]

Can you use ssh to get the web interface? I use ssh on the home network (Comcast modem/router to apple time capsule wifi router) to control my Rpi, but can't for the life of me figure out how to use ssh to get the web interface from off the home network.

Are you forwarding (tunneling) the http server port when making a connection?

 

[jmrybak]

Nope, I did not need to tunnel the port through my router to use remot3.it

 

[bufford]

I have installed remot3.it and have the SSH working. I can't get the http portion to work. Can anyone provide any tips or information?

 

[stlbeer]

I have installed remot3.it and have the SSH working. I can't get the http portion to work. Can anyone provide any tips or information?

What kind of messages are you seeing? Did you configure the port number in remot3.it correctly?

 

[bufford]

I believe that I did configure the port number correctly. At one point a got a TCP not listening error. Now when I log in all I get is the Apache it worked screen.

 

[stlbeer]

I believe that I did configure the port number correctly. At one point a got a TCP not listening error. Now when I log in all I get is the Apache it worked screen.

Then there's your problem. BrewPi isn't located in the correct folder.

Go to this link: http://diybrewpi.wikia.com/wiki/Multiple_Fermentation_Chamber_Control_with_BrewPi

Which version of the Raspbian software are you running and where did you install the BrewPi software?

Were you ever able to successfully see the interface without going through remot3.it?

If not, you might need to check log a problem in this thread: https://www.homebrewtalk.com/showthread.php?t=466106

 

[day_trippr]

It's not actually a Raspbian issue, it was a change to the Document Root setting by Apache2 from /var/www to /var/www/html roughly a year or so ago. We had the same thing crop up in the RaspberryPints threads for the same reason.

So, either root BrewPi at /var/www/html or change the default DocumentRoot back to /var/www
by editing /etc/apache2/sites-available

and change DocumentRoot setting from /var/www/html to /var/www.

Cheers!

 

[bufford]

I don't understand. I get the web server to work just fine on my local machines. What do I need to change?

 

[day_trippr]

What is the full URL you use on your LAN to get to the server?

 

[boasist]

Thanks for the remot3.it tip!

From discovery to implementation in under 10 minutes.

 

[bufford]

http://192.168.0.37/chamber3/index.php

 

[day_trippr]

And I bet you'd find http://192.168.0.37/chamber3/ works as well.

So, an html access from the WAN side of your router would need to be steered to the host LAN address (see "Port Forwarding") and use a URL like http://<WAN address>/chamber3/.

Wrt port forwarding, if you only have a single web host on your LAN that you'd like visible from the outside world, you can simply set your router to forward all in-bound Port 80 requests to the LAN address of that server...

Cheers!

 

[bufford]

I you sir are correct. That address works as well. I thought the using remot3.it was a way around the port forwarding. How would this work for all 3 BrewPi Chambers?

 

[day_trippr]

I don't know much more about remot3.it then what's listed on their home page, but afaik nothing in-bound gets through a router unless the port is opened, and nothing actually lands on a LAN device unless the traffic through that port is forwarded to it.

I can't think of a single application I've ever used that could work through a router without port forwarding. I'd be surprised if remot3.it differs.

As for multiple servers on the same machine, you use the qualified path.
Eg: I have four BrewPi instances running on one of my RPi systems, each is rooted in its own folder below the DocumentRoot.
So when I access any of them from outside my LAN I use http://<my WAN ip address>/<BrewPiInstanceFolder>/ to get to the index.php file for that instance.

ie:
http://33.444.555.666/brewpi1/ gets me to the first instance
http://33.444.555.666/brewpi2/ gets me to the second instance
etc.

It's actually a little more complicated than that as I have numerous systems with web servers I need to access from outside my LAN.
To make that work each system gets its own WAN port assignment and forwarding rules, and the in-bound URLs are tagged with the port.
So those two paths above actually look like this:

http://33.444.555.666:81/brewpi1/ gets me to the first instance on System 1
http://33.444.555.666:81/brewpi2/ gets me to the second instance on System 1

and

http://33.444.555.666:82/brewpi1/ gets me to the first instance on System 2
http://33.444.555.666:82/brewpi2/ gets me to the second instance on System 2

etc...

Cheers!

 

[MacDee]

And I bet you'd find http://192.168.0.37/chamber3/ works as well.

So, an html access from the WAN side of your router would need to be steered to the host LAN address (see "Port Forwarding") and use a URL like http://<WAN address>/chamber3/.

Wrt port forwarding, if you only have a single web host on your LAN that you'd like visible from the outside world, you can simply set your router to forward all in-bound Port 80 requests to the LAN address of that server...

Cheers!

@day_trippr and @Thorrak I'm preparing to move my Fermentrack/BrewPi/esp8266/feed&bleed system from my development space(read basement) to my brewery so I can start on some ales. I'm looking at remote access.

I've signup for a NordVPN and a Dyn DDNS. I've installed ddclient and OpenVPN on the brewpi. Do you have a good reference on what I should be following as a how to?
I'm planning on having the pi on a non-public portion of the network at the brewery. I figure I'll use a combination of services I signed up for to access my Fermentrack remotely primarily.

Although it will be a different router at the brewery I'm still trying to get it going here in my "development space" which uses a FIOS modem and I can't seem to gain SSH access to the pi or Fermentrack.

But then again I'm in way over my head! Anything useful you could point me at would be a help.

 

[MacDee]

Success! I may have changed too many variables as far as porting and security levels but I can now see the Fermentrack remotely.

 

[LBussy]

I can't think of a single application I've ever used that could work through a router without port forwarding. I'd be surprised if remot3.it differs.

There are many which do not require port forwarding. They rely on the device to create an out-bound tunnel to a service. You then log into that service and traverse the tunnel to your device. Much safer than punching holes in your firewall.

Success! I may have changed too many variables as far as porting and security levels but I can now see the Fermentrack remotely.

I have the beginnings of an article on this. Let me go check it out and see if it's close to making any sense and I'll pop the URL in here. You've gotta be really careful about port forwarding directly to a system which is not hardened.

 

[MacDee]

There are many which do not require port forwarding. They rely on the device to create an out-bound tunnel to a service. You then log into that service and traverse the tunnel to your device. Much safer than punching holes in your firewall.


I have the beginnings of an article on this. Let me go check it out and see if it's close to making any sense and I'll pop the URL in here. You've gotta be really careful about port forwarding directly to a system which is not hardened.

That'd be great. I'm open to better ways.

 

[LBussy]

Yeah that article in print is not as complete as it is in my head.

What exactly are you trying to do? When you say "in your brewery" are you in the same building? Do you require access over the Internet from anywhere? What type of access, just web or ssh as well?

 

[MacDee]

Yeah that article in print is not as complete as it is in my head. [emoji14]

What exactly are you trying to do? When you say "in your brewery" are you in the same building? Do you require access over the Internet from anywhere? What type of access, just web or ssh as well?

Need access over the internet, some times from another continent.

 

[LBussy]

There's two things that come to mind right away:

• VNC Connect
• remot3.it

VNC may be something that seems more "traditional" for people. You connect your Pi to the VNC services and you can remotely control it with the graphical desktop you are used to. From there of course you'd run your web browser and do your thing. remot3.it allows you to register different services so you can register a connection for ssh as well as https..

Neither is as convenient as just punching a hole in your firewall and hitting it with a web browser, but I just can't explain how horribly insecure port forwarding to a Pi is without it coming off as a dissertation.

Port forwarding to a Pi is simply asking for someone to hack it. At best, they will install a bot to force you to be part of a botnet. At worst, they will use that as a jumping-off for exploiting other machines on the same subnet.

 

[garzlok]

There's two things that come to mind right away:

• VNC Connect
• remot3.it

VNC may be something that seems more "traditional" for people. You connect your Pi to the VNC services and you can remotely control it with the graphical desktop you are used to....

Neither is as convenient...

Being new to this whole Raspberry Pi experience, I don’t know much about...well...anything, but that remot3.it recommendation...that’s like Raspberry Pi Life Changing.

In just 10-15 minutes (I’m a slow typer), I had everything set up. Went to Starbucks, got my coffee and logged into my Fermentrack from the coffee shop.

As far as not being a convenient choice...meh, I’m a novice and I got it done pretty quickly. For Free.99...I don’t see how it could be more convenient.

I’m always on the road and this is perfect.

 

[MacDee]

There's two things that come to mind right away:

• VNC Connect
• remot3.it

VNC may be something that seems more "traditional" for people. You connect your Pi to the VNC services and you can remotely control it with the graphical desktop you are used to. From there of course you'd run your web browser and do your thing. remot3.it allows you to register different services so you can register a connection for ssh as well as https.........

I did try the remot3.it but I thought that having a VPN and DDNS would offer more control. With either of the services you mentioned is also having a VPN and DDNS an advantage?

 

[LBussy]

Unless things have changed, NordVPN setups up a VPN from your device to the Internet - anonymizing that access. I am assuming you mean you set up Nord on your brewery systems? If you set up DynDNS on top of that, you undo what Nord is doing for you. You've created a "permanent anonymous" connection. It's like going in Witness Protection and then telling everyone on Facebook so they can still find you. If you are using Nord on your "travel computer" that's good, but doesn't impact (either way) the security of your brew network. It's still exposed to "the wilds."

What you would want to use, if you REALLY want a VPN's functionality to provide protection, is a VPN into your network. OpenVPN is one such solution. It allows you to set up a server on your home/brewery network into which you can tunnel with a VPN client while you are away. That provides full LAN access if you wish so you can access everything as if you were there. It's a more complete solution but not for the faint of heart. It's also punching a pretty big hole in the network but at least that's protected with a certificate.

So, to try and answer your specific question: DDNS allows you to "find" your outside IP. VPN (either direction) helps to anonymize and and protect the current connection. Neither layers on the other to any demonstrable benefit the way you have it. VNC or remot3.it removes the need to punch a hole in the firewall altogether. They are quite a bit safer.

 

[MacDee]

......So, to try and answer your specific question: DDNS allows you to "find" your outside IP. VPN (either direction) helps to anonymize and and protect the current connection. Neither layers on the other to any demonstrable benefit the way you have it. VNC or remot3.it removes the need to punch a hole in the firewall altogether. They are quite a bit safer.

How does VNC or remot3.it handle the ISP changing the brewery's IP?

 

[day_trippr]

^Good question^ - wrt remot3.

I'm curious, does every node one wants to access from afar have to be running remot3 or can one node (an RPi, for example) running remote3 enable access to the others on the same subnet?

Probably could leave VNC out of the transport method discussion as it's no more significant than, say, Putty or a web browser, regarding the transport used.

Cheers!

 

[LBussy]

That is a good question - and I appreciate you asking. The more we can flesh this out here the more complete my article can be and it will benefit others. I need to take high level for a bit to explain. My apologies if this is remedial but it might benefit someone.

On the internet, every machine has an IP address like 192.168.1.25. (I'm purposefully not going to address private space and NATing.) You could try to remember every IP address of every website you ever visit, but instead there's a thing called "DNS" or "Domain Name System". This is a server that exists "somewhere" and your applications know to first ask that DNS server for the IP address of the server you want to visit. Then your application uses the IP address behind the scenes.

So ... you *can* use an IP address to access stuff like your home server. The challenge comes in when your Internet Service Provider changes your IP address. This is done because they have a pool, which is finite (also not going to address IPv6 here.) It would be nice if "someone" could give you a DNS name to use and just go ahead and update that DNS entry for you every time it changes. DNS was not intended to work this way, but you can layer an application on it to do that work - enter Dynamic DNS (DDNS.) That's an application that sits on your computer which reaches out to a DDNS service and basically says "hey my name is Fred and I'm here." The DDNS service can see the IP address it's coming from, so it will update the DNS with the new address if needed.

In other words, everyone doesn't have to know what Fred's phone number is. All anyone has to do is look at a magically updating phone book (remember those?) and Fred's current dynamic number is there. Fred still has to answer/allow your call when it comes in.

So now that we know how DDNS works, I can address your real question:

How does VNC or remot3.it handle the ISP changing the brewery's IP?

DNS is generic - it works with a multitude of applications. VNC and/or remot3.it are specific applications that provide a specific service. Instead of needing to provide a DNS entry so anyone can resolve Fred's IP address, it provides it only to people who have securely authenticated to their servers. Then it allows only specific traffic, that being whatever is set up via remot3.it or the VNC ports.

But how does it handle changing IP addresses?

It's just like DDNS. Your computer (Pi in this case) runs a small application called a "daemon" in Unix-speak. It reaches out periodically to the VNC or remot3.it servers and says "here I am." Just like with DDNS, now those servers know where Fred is. On top of that though, it keeps and uses that connection initiated by Fred to provide the VNC or other connectivity back. The way firewalls work you can generally go *out* to anything, but incoming connections are blocked. Since Fred initiates the connection, no firewall change is needed and security is handled by the VNC or remot3.it service provider (who is probably better at it than you.)

So now back to our phone analogy. Fred calls an 800 number and waits for you to call that same 800 number. You both know the 800 number, and don't need to know Fred's number (nor he yours.) When you want to talk to Fred you call that 800 number and Fred's already there. That's how VNC and remo3.it works.

Hopefully that makes sense, ask away if not.

I'm curious, does every node one wants to access from afar have to be running remot3 or can one node (an RPi, for example) running remote3 enable access to the others on the same subnet?

Yes and no. You could log into your Pi and from there run some other application to access another computer on your network. So you could for instance ssh into one Pi, and from there ssh into any of the others to which the original has access.

Probably could leave VNC out of the transport method discussion as it's no more significant than, say, Putty or a web browser, regarding the transport used.

Well, another yes and no. Both VNC and remot3.it are set up to use a specific service so the application is important. remot3.it is a little more flexible, but with VNC that's the only connection you are going to get. It's a service, not a transport method.

 

[MacDee]

So when I setup Remot3 it puts a daemon on the Pi and I don't need DDNS service or port forwarding setup in my gateway? I had set up Remot3 at my "development site", does that mean if I move the pi to another network it will "call home" to Remot3 and it will adjust to the new IP too?

 

[LBussy]

So when I setup Remot3 it puts a daemon on the Pi and I don't need DDNS service or port forwarding setup in my gateway?

Correct!

I had set up Remot3 at my "development site", does that mean if I move the pi to another network it will "call home" to Remot3 and it will adjust to the new IP too?

Exactly!

 

[MacDee]

Correct!

Exactly!

Remot3 access has been working flawlessly with monitoring the Fermentrack I have running at the brewery. But now I setup another RPi 3 with Fermentrack at home to work on another panel with ESP8266 controllers. Now when I try to reach the Brewery BrewPi it shows me the new one at home probably because I had cloned the SD card and used it on the new RPi 3 at home. I've tried "sudo apt remove connectd" on the new RPi3 and it says "Package 'connectd' is not installed, so not removed".

Any ideas on how to remove it or stop remot3 from seeing the new RPi3?

 

[LBussy]

You might try this article in their support library:

https://docs.remote.it/platforms/ma...n-packages#raspberry-pi-with-raspbian-stretch

I suspect it will kill connectivity to both clients, so you may have to reinstall both.