I stumbled over this article and thought I'll give it a try... To be honest, some suggestions in it are really long shots. While offering some - in some cases, questionable - security, they limit the functionality greatly.
Let me step-by-step them:
Polarcloud: these guys have ridiculous requirements. Seriously, when trying to sign up (with a Google account), they forcibly requested access to "See, edit, create, and delete all of your Google Drive files" etc. I tried to research why this is needed, but the explanation was basically "we need it because we need it". This is a bad start already - however, I wanted to give it a shot and created a fresh Google account for this... Disappointed by the interface. Yes, you can upload and start the jobs, but it is cumbersome and does not give you much control.
OctoPrint Anywhere... The getanywhere page was down when I first read this article, so I returned later to it and signed up... The setup is easy, but the functionality is very limited. You can see the camera view and the temperature, and you can control some movement. That is. Did not even find a way to start a print job, let alone upload files etc.
Discord and Telegram... I do use Telegram for notifications, but chat-based plugins are also very limited in their functionality. So while easy to set up, they do not offer what I need (YMMV, obviously).
Also, with both PolarCloud and OctoPrint Anywhere you trust the vendor with your machine. You have no control whatsoever about which commands are really sent to the machine, you have to take the vendor's word for it. Of course, you also have to take the vendors' word for the security of their environment - a blackhat controlling their servers would be able to send commands to your machine, too.
With this said, "advanced access" is in my opinion the only way to go. VPN is a good way to go, as well as reverse proxy - both allow you full control over your OctoPrint instance in a more or less safe way.
Getting an extra RasPI to be the endpoint for VPN or to run the reverse proxy will not cost you a fortune anymore (and some home routers have this functionality already off the shelf), and the setup is no rocket science anymore either.
I've heard that port forwarding is bad, but PiVPN uses port forwarding. Does that mean that the port that is forwarded is protected by the VPN? I am very new to networking, but I would like to get a CR10 and Octoprint instance running with full capabilities from a remote location.
I don't see many competing solutions paying for a third-party security audit. So the OpenVPN part of this will likely be shown to be secure.
PiVPN appears to have features where you specifically permission clients.
I WILL note that following the breadcrumbs of documentation and blog entries on their website did prompt me with what was likely a fake Flash Upgrade alert—so be careful.
Okay, thank you for the reply. I just commented in reply to you on another post about VPNs thinking that maybe I commented on the wrong thread. Fake Flash Upgrade alert? I'll have to look up what that means exactly. Thank you for the info!
In the lifetime of your printer, you'll likely have moments where you need to start over from scratch and re-flash your microSD with a new OctoPi.
I really wouldn't complicate matters by dropping the PiVPN on there as well. A Raspberry Pi Zero W is $5, you can get a 4GB microSD card for almost nothing these days, the power adapter is another $5 and a case for it is another $5 = $19 plus tax plus shipping. It's a small price to pay for the remote access you get in return.
And it's not just for your printer, you can remote into your desktop computers and servers, whatever.
Maybe it helps someone to make a first few steps into basic auth using the already installed haproxy on Octopi. I know this is not the most secure way, but I know 2 things: every installation out there that was at least secured a little bit is less risk, and most users won't use VPNs but cloud solutions instead, probably. Since clouds are insecure by design, I guess using the available haproxy and some basic user auth is a big step forward. Also, you can use every standard browser, there is no need for using any additional software or service. A small manual
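The basic-auth setup mentioned in the post above, sketched as an added haproxy configuration fragment; it is not taken from the post, the manual it refers to, or the OctoPi project. The user name, the password-hash placeholder, the certificate path and the backend address 127.0.0.1:5000 are assumptions.

```haproxy
# Added example: HTTP basic auth in front of OctoPrint.
# All names, paths and addresses below are assumptions, not OctoPi defaults.

defaults
    mode http
    timeout connect 5s
    timeout client  15m
    timeout server  15m

# Credentials live in a userlist. Store a crypt(3) hash, e.g. generated with
# `mkpasswd -m sha-512`, in place of the placeholder; avoid `insecure-password`,
# which keeps the password in clear text in this file.
userlist octoprint_users
    user printer_admin password <SHA512-CRYPT-HASH-PLACEHOLDER>

frontend public
    bind :80
    bind :443 ssl crt /etc/ssl/private/octoprint.pem   # assumed certificate path

    # Basic auth sends the password with every request, only base64-encoded,
    # so redirect plain HTTP to HTTPS before any credentials are requested.
    http-request redirect scheme https code 301 unless { ssl_fc }

    # Challenge every request that does not carry valid credentials.
    acl auth_ok http_auth(octoprint_users)
    http-request auth realm OctoPrint unless auth_ok

    default_backend octoprint

backend octoprint
    option forwardfor
    server octoprint1 127.0.0.1:5000   # assumed local OctoPrint address
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; OctoPrint's own access control stays enabled behind the proxy.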
You likely can, but... You know, depending on the firmware, your PI could have lots of load already, so I wouldn't recommend it. Get a Pi Zero W and a power supply, and print a case for it.
I'd say this is kinda overkill. You need to have your home computer running, being a waste of energy and an additional potential risk (yes, every electrical device operating while you are not at home is a risk). Plus, I tried to operate a TV-controlled PC through my iPhone. Once. Will never do it again. Never ever.
If you just type octoprint in the search of shodan.io, you sadly get a bunch of secured but often unsecured OctoPrint instances for anyone to mess around with!!
You should change the title to a warning and make a pic like this one as the webcam stream, to help 'em
Honestly, I think foosel's done a good-enough job of first telling them what not to do and then upping the stakes by including a warning on their interface. She's created at least one thread on the subject, talked about it in video blog posts and has spent a fair amount of time educating people.
And here within the forum we do everything we can to convince people how to correctly set up their printers for safety.
OctoPrint Anywhere - very limited, does not even let you send gcode to machine.
So I hooked up an old laptop and installed TeamViewer on it. Now I can access the original OctoPrint UI from anywhere.
Next I am planning to replace the laptop with an Android phone to conserve energy.
"Whether you use a reverse proxy, or VPN to access OctoPrint; I recommend putting it on a separate physical box to the box connected to your printer. Running everything on a single server is just asking for trouble."
So I had a few questions here. I'm currently using a Raspberry Pi 2 running Octopi. I'm thinking about purchasing another Pi, just deciding which version I should choose. Are there any specific specifications I should be looking for when purchasing another Rpi to solely run as a VPN server? Will the Rpi Zero W perform the same or close to, as say, the new Rpi 4? Would the Gbit ethernet connection on the Rpi 4 attached to the router give me better performance vs Rpi Zero W's wireless & is it enough to justify the price difference?
Also, is a VPN connection to my octopi instance enough on its own? Should I also use a reverse proxy in addition to the VPN or would that be redundant? How about running SSL?
I have a firewall between my cable modem and my local network. The firewall software includes OpenVPN so I can establish a secure tunnel between something connected to the outside internet and my local network. Many commercial routers have VPN capabilities as well so it depends on your configuration to determine if an extra RPi would be the best solution.
Note: my cable modem is actually a cable router but I've configured it in bridge mode so I can use my firewall instead. My firewall runs IPFire which is a Linux-based solution.
I believe the router my ISP provided has built in VPN settings. I may try going that route first.
Are there any latency issues with setting up a VPN? I'm assuming in general that there is some in normal web browsing. Not sure what, if any lag running an Octopi instance with multiple Webcam servers running.
Let me see if I understand correctly. So any latency has more to do with my home internet's upload speed than the specs of my rpi? So would a wired ethernet connection help minimize any possible latency? Also, I mentioned the Rpi Zero W earlier. Would a Rpi 1 or even an old android phone work as a server?