A Guide To Safe Remote Access of OctoPrint

A guest post by Jubaleth on a topic that is very dear to my heart and on which I’m starting to sound like a broken record - please heed this warning and invest the time that properly securing internal services needs. ~Gina

So, you’ve got your shiny new printer and just installed OctoPrint, great! Being able to remotely monitor your print is a fantastic ability. Being able to start a print remotely is incredibly handy. From within your local network, you have a ton of power at your fingertips. What if you want to be able to do this when you’re not on your local network? You could just forward ports on your router, use a DDNS service, and you’re good to go, right? … wrong.

The ISC (Internet Storm Center) recently published an article about OctoPrint instances exposed to the public internet. While some of the instances found may be exposed unintentionally, the vast majority are very likely users who have gone out of their way to expose OctoPrint to the public internet for the sake of convenience. There are safer ways to access your instance remotely than blind port forwarding. This is a critical issue that needs to be discussed: we as a community have to get the right information to new and/or uninformed users to prevent a catastrophe from happening.

Putting OctoPrint onto the public internet is a terrible idea, and I really can’t emphasize that enough. Let’s think about this for a moment, or two, or even three. OctoPrint is connected to a printer, complete with motors and heaters. If some hacker somewhere wanted to do some damage, they could. Most printers can have their firmware flashed over USB, so as soon as the box hosting OctoPrint is compromised, there go any failsafes built into the firmware. All one would have to do is flash a new, malicious firmware with no safeguards over USB, then tell the printer to keep heating, leading to catastrophic failure. Of course there are other reasons not to have an OctoPrint instance available on the public internet, such as theft of sensitive data, but catastrophic failure is by far the worst case scenario here.

So, with that said, how can we accomplish remote access to monitor or control a printer, without putting OctoPrint on the public internet for everyone to abuse? This guide will show you how.

Plugins (The Easy Way)

Remote access via a plugin is certainly the easiest way to access your instance and control/monitor your printer. Unless you really know what you’re doing, this is very likely the method you want to use. There are a few different options that provide remote access without opening up OctoPrint to the rest of the world.

Polar Cloud

The Polar Cloud plugin lets you connect OctoPrint to your Polar Cloud account. Polar Cloud is a cloud-based service that adds a whole lot of flexibility to your workflow. It’s certainly more than just an app to monitor/control your printer; it’s a whole community of printers, designers and makers. The process of selecting an object, slicing it and sending it to your printer is streamlined into a simple workflow. The plugin is available here and is definitely worth checking out.

OctoPrint Anywhere

This plugin is a cloud service that allows you to access your OctoPrint instance through a web interface. Setup is relatively simple: install the plugin, either from the Plugin Manager or by grabbing it here. After installing, you will be greeted by a setup wizard that will guide you through the rest of the steps. In just a few moments you’ll be up and running, able to access your OctoPrint instance without forwarding any ports or exposing your instance to the internet.

OctoPrint-DiscordRemote

If you’re a Discord user, the DiscordRemote plugin is another option. It will join your Discord channel, respond to commands and send you snapshots from your webcam, if you have one installed. At the time of writing, there does not appear to be a way to grant permissions to a specific user; only the channel owner may issue commands. This plugin can be found in the Plugin Manager or here.

Telegram

The Telegram plugin operates similarly to the DiscordRemote plugin, in that it creates a Telegram bot with which you can interact. It has relatively fine-grained ACL capabilities, which allow you to grant permissions to individual users who interact with it. It can be configured to send status updates for different events in the printing process, including configurable periodic updates on layer change or at a specific time interval. The initial setup isn’t complicated, but it does require following the steps in the readme. It only takes a few minutes to get set up, and the plugin is available here.

Advanced Access

Plugins are a fantastic way for a beginner (or veteran) to access their printer remotely, but the more advanced user has a few more tools at their disposal. Beyond this point in this post, I will intentionally not go into too much detail. I am mentioning these methods for the sake of completeness; unless you have previous experience setting up web and/or VPN servers, I highly suggest you stick with the plugins. It’s not that I’m against learning about these things, quite the contrary… I’m against learning them with a 3D printer. There is too much that can go wrong (remember, printers can cause fires!) if you misconfigure something, accidentally skip a step, and unintentionally leave your printer open to the world.

VPN

Virtual Private Networks are a great way to gain access to your OctoPrint instance. There are many options available (PiVPN, OpenVPN), and some home routers even have a VPN server built in. The major advantage of using a tunnel into your network is that your OctoPrint instance is not reachable from the internet in general: without access to your VPN, the printer cannot be accessed from outside.

Reverse Proxy

One can set up a reverse proxy using solutions like nginx, Apache and HAProxy. There are certainly other options available; these are the three most common, and the three that popped into my head. When using a reverse proxy, I highly recommend setting up some form of authentication at the proxy. The most common (and easiest to set up) is basic authentication (i.e. username/password). In this case, I also highly recommend rate limiting to slow down brute-force password guessing attacks. A more secure choice is client-certificate authentication; this of course requires setting up a PKI to handle the issuance and revocation of certificates.

Whether you use a reverse proxy or a VPN to access OctoPrint, I recommend putting it on a separate physical box from the one connected to your printer. Running everything on a single server is just asking for trouble.
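The reverse proxy setup described above, as an added example that is not from the original post or the OctoPrint project: an nginx configuration that terminates HTTPS, requires HTTP basic authentication and rate limits every request before it is passed to OctoPrint, with the client-certificate alternative shown commented out. The hostname octoprint.example.com, the certificate paths and the password file /etc/nginx/octoprint.htpasswd (created with the htpasswd tool) are assumptions; OctoPrint is assumed to listen on port 5000.

```nginx
# Rate-limit state keyed on client address: 10 requests/second per IP, 10 MB of
# shared memory (this directive must sit in the http context of nginx.conf).
limit_req_zone $binary_remote_addr zone=octoprint_req:10m rate=10r/s;
# Plain HTTP only redirects to HTTPS, so credentials never travel in the clear.
server {
    listen 80;
    server_name octoprint.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name octoprint.example.com;

    ssl_certificate     /etc/letsencrypt/live/octoprint.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/octoprint.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Stronger alternative to basic auth: only clients presenting a certificate
    # signed by your own CA get through (uncomment once you run a PKI).
    # ssl_client_certificate /etc/nginx/octoprint-ca.crt;
    # ssl_verify_client on;

    location / {
        # The proxy demands credentials before any request reaches OctoPrint.
        auth_basic "OctoPrint";
        auth_basic_user_file /etc/nginx/octoprint.htpasswd;

        # Throttle guessing: a burst of 50 lets the UI load its assets, anything
        # beyond the rate is answered with 503 instead of being passed through.
        limit_req zone=octoprint_req burst=50 nodelay;

        # Backend: OctoPrint on this host, or the printer Pi's LAN address if the
        # proxy runs on a separate box as the post recommends (assumed port 5000).
        proxy_pass http://127.0.0.1:5000/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Scheme $scheme;

        # OctoPrint's live status uses SockJS websockets; pass the upgrade through.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # G-code uploads can be large; do not let nginx cap them.
        client_max_body_size 0;
    }
}
```

Check the file with `nginx -t` before reloading. On an OctoPi image, pointing proxy_pass at the Pi's port 80 (its built-in haproxy) instead of 5000 also carries the /webcam/ stream through the same authenticated path.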

Conclusion

All in all, there are many ways one can safely access an OctoPrint instance remotely that do not involve blindly forwarding ports on your router and putting yourself at risk. Plugins are a fantastic tool that I recommend beginners take advantage of. Putting OctoPrint on the internet is nothing short of dangerous. If you must do this, take advantage of the ACL system built into OctoPrint and, even better, put another form of authentication in front of it. Even if it seems like extra work to set up a plugin, or a VPN/reverse proxy, it’s worth it. Anything with the potential to burn down your house should be treated with the utmost care. It may seem more convenient to cut corners… but is it really worth it?

If you need help with setting up any of the proposed solutions here, get in touch on the OctoPrint Community Forums, you might find some help there. Also be sure to check this topic on the forum for some more info.


This is a companion discussion topic for the original entry at https://octoprint.org/blog/2018/09/03/safe-remote-access/
8 Likes

Nice article!

I use a reverse proxy to access my OctoPrint, when I'm at work, but also have a VPN server on my Synology NAS system to connect via iPhone app to the instance.

For the reverse proxy I use apache and basic authentication on my little homeserver, which is not the OctoPrint system. I don't want to load too much stuff onto the little raspberry pi :smiley:

3 Likes

Also, VNC over SSH works really well.

2 Likes

After problems to get the discord solution running, I'm quite satisfied with Telegram.

My OctoPrint instance is protected by credentials and these credentials are sent encrypted thanks to the SSL certificate issued by Let's Encrypt. (HTTPS is enforced on the whole nginx server)

Is this a safe way to access my OctoPrint instance?
Most of the time my printer PSU is switched off so I'm mostly safe :slight_smile:

@VictorL

If you are referring to something like HTACCESS/HTPASSWD then you are certainly better off than simply being publicly accessible. You are however still vulnerable to denial of service attacks which could affect the outcome of your print.

In my opinion from a security perspective I would say it is best to not have OctoPrint (or any 3D printer controller for that matter) publicly accessible. Either use a secure tunnel that is provided by some other device/environment or one of the plugins mentioned above that essentially does the same.

2 Likes

Another option that's quick and easy is simply using some RDC/VNC solution to connect to a computer on your network. I set up one of my machines with Chrome Remote Desktop and now I can access OctoPrint from anywhere by simply logging into my machine on the network and visiting it locally. Sure, this requires my home computer to be on all the time, but it was anyways. Great article and thanks for sharing :slight_smile:

1 Like

Hello,

Since you are aware of the fact that everyone just does this port-forwarding stuff, why don't you reinforce the access control in OctoPrint? At least an option where this read-only part is disabled.

@marvinmarmelade: I think some items have to be left in the responsibility of the users. They should be grown-ups and know what they do. There are warnings enough.

For me, the easiest and most practical was using Ngrok. The setup was pretty straightforward and it allows me to connect any iPhone app.

I had to do it by trial and error a while ago, but someone wrote a very nice guide that goes right to the point: https://github.com/foosel/OctoPrint/wiki/OctoPrint-and-Ngrok

1 Like

If you signup to sponsor foosel at the corporate level, I'm sure she might consider doing so. Otherwise, remember that this is free, open-sourced software that you're using to control your printer.

Hardening any computer (like an OctoPrint server) so that it's safe to be on the Internet itself involves more work than you could ever imagine. It would probably take three to six months of dedicated work just to accomplish that. And even then, you'd have to constantly be on the lookout for all sorts of unseen exploits both in your own code as well as in all your dependencies.

1 Like

I find that SSH access works well (public/private key access, password attempts are simply rejected and the offending IP address banned). Port tunnelling via SSH to get to the Octoprint server gives me some comfort as the only devices that can access the network are effectively pre-approved.

Search terms to get you started:
"ssh remote access linux public key"
"ssh-keygen"
".ssh/authorized_keys"

"ssh tunnel"

...aka newbie Octoprint/CR10s user, but reasonably seasoned linux convert.

So I'm one of those listed in the report, I'm one of the ones with a direct port forward to my OctoPi instance. I have a Synology VPN, and a trusted cert from Let's Encrypt running on it. I would love a guide to setting up the reverse proxy and Let's Encrypt cert on the OctoPi image.

Alas, my bigger concerns are the lack of authentication/logging to access OctoPi without credentials (everything you can do without even logging in), and the attack vectors OctoPi might have from the UI and plugins themselves (i.e. code injection/redirection, credential/session trickery etc.)

Maybe someone can write a plugin to enforce login prior to access of anything.

@bryanhunwardsen

You have this thread itself, another thread in the Guide section, this very good post regarding client certificates, this post regarding reverse proxy examples and this version with nginx.

1 Like

my safe solution:

  • octopi opens ssh for remote portforwarding to a vps
  • there haproxy listens on a non-default port and enforces http authentication to serve access to the forwarded port

no potential unsafe cloud shit involved, small surface for brute force

1 Like

Some extra info for people who don't know some of the terminology.

A VPS is a virtual server offered by a hosting company.

So basically, the OctoPi instance is coupled with that server via ssh port-forwarding (a.k.a. "SSH Tunneling"). The server uses haproxy and authentication to make sure that only Patrick can get to it.

Since nobody has mentioned it, I will... OctoPrint 1.4 (currently in development) will have improved access control. See OctoPrint.org - OctoBlog specifically the OctoPrint On Air entries that include updates on 1.4 progress.

Having said that, even with OctoPrint 1.4, direct port forwarding to OctoPi / OctoPrint is strongly discouraged. There are just too many good ways to accomplish remote access to your printer to consider direct port forwarding.

1 Like

Is there an actual list of exposed OctoPrint instances? If so, I'd like to see if I'm on it.

Secondly, I use port forwarding with a spoofed external port pointing to internal port 5000. Is that sufficient? I know I should follow your instructions, but I don't have a Discord account, don't use Telegram, and other excuses.

It's sufficient for making a hacker's list somewhere.

Imagine how easy it is to create a script:

  • iterate all ip addresses
    • iterate all ports
      • make a curl request, looking for a 200 response
        • if successful, add it to your database

Provide the database as a teaser service, charging an up-sell cost for more searches.

Just take the advice and fix your instance.

Don't forget you can also use PuTTY and create a tunnel to your OctoPrint web server. I create an SSH session to my main home server and that sets up a tunnel so that whenever I go to port 8080 on 127.0.0.1 (http://127.0.0.1:8080/), my Windows laptop, it actually gets forwarded over the tunnel to the OctoPrint server behind my firewall. It gives me remote access via my SSH session so it is not available on the Internet at all unless you open an SSH session first.

Just google "howto tunnel putty"

To understand how to create the tunnel.

Jim